SRX


Dynamic VPN move to other zone

  • 1.  Dynamic VPN move to other zone

    Posted 11-19-2017 06:40

    Hi All,

    First of all, thank you for taking the time to read my post.

    I seem to be having an issue on my SRX220H with moving my Dynamic VPN from my "trusted" zone to a more separated zone, for obvious security reasons ;) In my VPN_ZONE I have several site-to-site VPNs, where I can control my traffic between zones. Now I want to move my (working, no issues here) dynamic VPN from my LAN_ZONE to my VPN_ZONE. Users connecting via the dynamic VPN are getting an IP address from the dynamic pool (LAN_DHCP-DYNAMIC), however they cannot reach resources in the LAN_DHCP-STATIC pool. Below is an overview of the policies:


    from-zone LAN_ZONE to-zone VPN_ZONE {
        policy LAN_POLICY-TO-DYNAMIC_VPN {
            description "POLICY TO ALLOW LAN TRAFFIC TO VPN ZONE";
            match {
                source-address LAN_DHCP-STATIC;
                destination-address LAN_DHCP-DYNAMIC;
                application any;
            }
            then {
                permit;
                count;
            }
        }
    }
    from-zone VPN_ZONE to-zone LAN_ZONE {
        policy VPN_POLICY_FROM_DYNAMIC_VPN-TO-LAN {
            description "POLICY TO ALLOW LAN_DHCP-DYNAMIC TRAFFIC";
            match {
                source-address LAN_DHCP-DYNAMIC;
                destination-address LAN_DHCP-STATIC;
                application any;
            }
            then {
                permit;
                count;
            }
        }
    }
    from-zone UNTRUST to-zone VPN_ZONE {
        policy UNTRUST_POLICY-TO-VPN_ZONE {
            description "POLICY TO ALLOW DYNAMIC-VPN TRAFFIC";
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn DYNAMIC-VPN_IPSEC-VPN;
                    }
                }
                log {
                    session-init;
                    session-close;
                }
                count;
            }
        }
    }
    from-zone UNTRUST to-zone LAN_ZONE {
        inactive: policy UNTRUST_POLICY-TO-LAN_ZONE-FOR-DYNAMIC_VPN {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn DYNAMIC-VPN_IPSEC-VPN;
                    }
                }
            }
        }
        policy UNTRUST_POLICY-TO-LAN_ZONE {
            description "POLICY TO DENY UNTRUSTED TRAFFIC";
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                    session-close;
                }
                count;
            }
        }
    }


    The protected resources are set to both subnets, so from the client's perspective they should be good to go.

    show security dynamic-vpn clients DYNAMIC-VPN_CLIENTS 
    remote-protected-resources {
        192.168.1.0/25;
        192.168.1.128/25;
    }
    remote-exceptions {
        0.0.0.0/0;
    }


    I created a file to verify the denied traffic, and it looks like this:

    Nov 19 15:17:16 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54498->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:23 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:26 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:32 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:34 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54527->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:43 2017  SRX220 last message repeated 2 times
    Nov 19 15:17:50 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny
    Nov 19 15:17:53 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny


    Unless I'm overlooking something, the policies should be good? However, it seems that the VPN still terminates in the LAN_ZONE rather than the VPN_ZONE. Do I need to reboot the node in order to let the termination happen in a different zone?


    Any clues? :) Thanks in advance!


    Best regards,

    Dan
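
    As an added example (not part of Dan's post and not a Juniper tool): the RT_FLOW_SESSION_DENY lines quoted above already carry the source zone and destination zone the SRX evaluated each session under (UNTRUST and LAN_ZONE, ingress ge-0/0/0.0), so they can be parsed to show which zone pair the policy lookup actually used versus the VPN_ZONE -> LAN_ZONE pair the permit policies were written for. The script below does that over the log lines from the post. The address-book mapping it uses (LAN_DHCP-STATIC = 192.168.1.0/25, LAN_DHCP-DYNAMIC = 192.168.1.128/25) is an assumption taken from the protected-resources list; the post does not show the address book.

```python
"""Explain SRX RT_FLOW_SESSION_DENY lines in terms of zone pairs.

Added example for this thread; not code from the original post or from Juniper.
Assumed (not stated in the post): address-book entries LAN_DHCP-STATIC =
192.168.1.0/25 and LAN_DHCP-DYNAMIC = 192.168.1.128/25, taken from the
protected-resources list.
"""
import ipaddress
import re

# Field order as printed in the post's RT_FLOW_SESSION_DENY excerpt:
# src/sport->dst/dport service proto(icmp-type) policy from-zone to-zone
# application nested-application username(roles) ingress-interface encrypted reason
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) "
    r"(?P<app>\S+) (?P<nested_app>\S+) (?P<user_roles>\S+) "
    r"(?P<in_if>\S+) (?P<encrypted>\S+) (?P<reason>.+?)\s*$"
)

ADDRESS_BOOK = {  # assumed mapping, see module docstring
    "LAN_DHCP-STATIC": ipaddress.ip_network("192.168.1.0/25"),
    "LAN_DHCP-DYNAMIC": ipaddress.ip_network("192.168.1.128/25"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

# Active permit policies from the posted config: (from, to) -> [(name, src, dst)].
# UNTRUST_POLICY-TO-LAN_ZONE-FOR-DYNAMIC_VPN is marked 'inactive:' on the page,
# so it is deliberately absent here.
PERMIT_POLICIES = {
    ("LAN_ZONE", "VPN_ZONE"): [
        ("LAN_POLICY-TO-DYNAMIC_VPN", "LAN_DHCP-STATIC", "LAN_DHCP-DYNAMIC")],
    ("VPN_ZONE", "LAN_ZONE"): [
        ("VPN_POLICY_FROM_DYNAMIC_VPN-TO-LAN", "LAN_DHCP-DYNAMIC", "LAN_DHCP-STATIC")],
    ("UNTRUST", "VPN_ZONE"): [("UNTRUST_POLICY-TO-VPN_ZONE", "any", "any")],
}


def parse_deny(line):
    """Return the deny record as a dict, or None for lines that are not denies."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "proto", "icmp_type"):
        rec[k] = int(rec[k])
    return rec


def name_address(ip):
    """Most specific named address-book entry containing ip ('any' if none)."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n, net in ADDRESS_BOOK.items() if n != "any" and addr in net]
    return max(hits, key=lambda n: ADDRESS_BOOK[n].prefixlen) if hits else "any"


def permitting_policies(from_zone, to_zone, src, dst):
    """Active permit policies in the zone pair whose address match covers src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, sa, da in PERMIT_POLICIES.get((from_zone, to_zone), [])
            if s in ADDRESS_BOOK[sa] and d in ADDRESS_BOOK[da]]


def diagnose(lines, expected_from_zone):
    """Bucket denies by the zone pair / policy / ingress interface the SRX actually
    used, and record which permit would have matched from expected_from_zone."""
    buckets = {}
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue  # e.g. "last message repeated N times"
        key = (rec["from_zone"], rec["to_zone"], rec["policy"], rec["in_if"])
        b = buckets.setdefault(key, {"count": 0, "flows": set(), "would_permit": set()})
        b["count"] += 1
        b["flows"].add((name_address(rec["src"]), name_address(rec["dst"]), rec["dport"]))
        b["would_permit"].update(
            permitting_policies(expected_from_zone, rec["to_zone"], rec["src"], rec["dst"]))
    return buckets


# Log lines copied from the post above.
SAMPLE_LOG = [
    "Nov 19 15:17:16 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54498->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:23 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:26 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:32 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54515->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:34 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54527->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:43 2017  SRX220 last message repeated 2 times",
    "Nov 19 15:17:50 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
    "Nov 19 15:17:53 2017  SRX220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.1.178/54544->192.168.1.3/6690 None 6(0) UNTRUST_POLICY-TO-LAN_ZONE UNTRUST LAN_ZONE UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny",
]

if __name__ == "__main__":
    for (frm, to, pol, iif), b in diagnose(SAMPLE_LOG, "VPN_ZONE").items():
        print(f"{b['count']} sessions denied as {frm}->{to} by {pol}, ingress {iif}")
        for s, d, port in sorted(b["flows"]):
            print(f"  {s} -> {d} dport {port}")
        print("  permits that would match from VPN_ZONE:",
              ", ".join(sorted(b["would_permit"])) or "none")
```

    Run stand-alone, it reports that all seven denies were evaluated as UNTRUST -> LAN_ZONE on ge-0/0/0.0, a zone pair that has no active permit in the posted config, while VPN_POLICY_FROM_DYNAMIC_VPN-TO-LAN covers exactly the same LAN_DHCP-DYNAMIC -> LAN_DHCP-STATIC addresses and would have matched if the session had been classified as coming from VPN_ZONE. That is the gap a flow traceoptions capture would confirm: the policies are fine, the zone the decrypted traffic is attributed to is not the one they expect.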



  • 2.  RE: Dynamic VPN move to other zone
    Best Answer

    Posted 11-20-2017 03:27

    Can you set up policy traceoptions as outlined in this KB? Then we can see why the packets are hitting the deny policy and not your allow policy.

    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110



  • 3.  RE: Dynamic VPN move to other zone

    Posted 11-21-2017 08:14

    Thanks Steve, that pointed me in the correct direction. I am trying to achieve something which is probably not possible with policy-based routing.

    My idea was to set the tunnel to terminate in the VPN_ZONE, which obviously requires a termination point there. Now the termination point of the dynamic VPN is the SRX itself, so when trying to reach something in the LAN_ZONE it will obviously trigger a destination lookup. The destination is in the LAN_ZONE, so it will check the corresponding policies. It will allow traffic to the zone as per the policy; however, return traffic will not happen as it is denied.

    Thanks again!

    Best Regards,

    Dan