
Issue(s) with dial-in dynamic VPN clients

  • 1.  Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-30-2018 07:49

    1. My main issue is, when connected via our dial-in VPN client (NCP Secure Entry Client) I cannot connect to the LAN interface of the SRX340 which handles these connections. I can ping it, but can't gain https access, which I can when connecting via the LAN. The LAN interface is 192.168.1.254. The VPN clients receive 10.0.0.0/24 addresses.  I can access other resources on the 192 subnet, just not the SRX340.

     

    2. An odd issue, which I doubt will be readily solved, is that it can take numerous attempts over a period of time to establish a dial-in connection. The log on the NCP client simply states that the gateway did not respond..... Not sure where to start with this one.



  • 2.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-30-2018 19:14

    Hello,

     

    Once connected using VPN and trying to access https, can you collect 'security flow traceoptions' for the traffic from VPN client Assigned IP to IP of the internal resource you are doing https on?

     

    Regards,

     

    Rushi



  • 3.  RE: Issue(s) with dial-in dynamic VPN clients

    Posted 08-31-2018 03:07

    Are there any junos-host zone policies configured?

     



  • 4.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-31-2018 09:40

    @spuluka wrote:

    Are there any junos-host zone policies configured?

     


    Yes, one, that (supposedly) applies a custom timeout for HTTPS/SSH sessions. This from Trust to junos-host. There is not an equivalent for VPN to junos-host, is this the issue? Seems unconnected, hmmmmm.



  • 5.  RE: Issue(s) with dial-in dynamic VPN clients

    Posted 08-31-2018 13:52

    I would add a policy from vpn to junos-host then that matches your trust to junos-host policy.  I have not used this extra restriction much but my recollection is that once you commit to it you have to use it for all host connections.

     



  • 6.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-06-2018 03:10

    Hi Steve. I have now tried your suggestion and also tried removing the Trust rule, but neither allowed me access.



  • 7.  RE: Issue(s) with dial-in dynamic VPN clients

    Posted 09-07-2018 03:10

    Is it just the web interface or is ssh also not working?

     

    On the SRX what is the route for the address in your 10 pool?

     



  • 8.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-07-2018 04:30

    No, it's also SSH.

     

    I think no is the answer to your second question, although I'm not 100% confident. Everything runs on OSPF. I can ping/access around all sites when dialled in, so I assume the routing is fine.



  • 9.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-07-2018 06:56

    As Spuluka said, I would have a look and see where your VPN Pool is being routed to.


    To confirm, you are connecting via the VPN and then running a ping, via the correct interface, from your laptop/desktop/windows/linux machine to get the required echo responses?

     

    Just confirm, from the SRX that you are routing to the correct st interface:

     

    run show route (address in the VPN pool range, the address on your laptop for example)



  • 10.  RE: Issue(s) with dial-in dynamic VPN clients

    Posted 09-08-2018 04:45

    We want to verify the routing path exists and is symmetrical between the SRX and the VPN pool address.

     

    Thus the desire to see what route is used by the SRX for the VPN pool address.

    And what route on the device to the SRX address when connected to the VPN.

     



  • 11.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 02:57

    Here is the output from the laptop that can ping the SRX but not communicate via HTTPS or SSH:

     

    > show route 10.0.0.59
    
    inet.0: 182 destinations, 198 routes (182 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 6w5d 03:03:06
                        > to x.x.x.x via ge-0/0/2.0
                        [OSPF/150] 4w4d 02:48:39, metric 0, tag 0
                        > to X.X.X.X via ge-0/0/3.0

     

    where x.x.x.x = the external IP of the site where the SRX is located

    and where X.X.X.X = an internal IP address - this second route is definitely not correct, but I assume doesn't play any part given its higher value.

     

    On the client, the routing table looks correct for a route back.



  • 12.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 03:56

    The VPN pool is 10.0.0.xxx prefix?

     

    This was taken on the SRX?

     

    If so, the address you are looking for appears to be going to the default and via a physical interface.... I would have thought you would have seen the route showing to an st interface, as per mine below:

     

    show route 172.16.10.128 

    172.16.10.128/32   *[Static/5] 00:14:00
                        > via st0.1

     

    The IKE phase 1 resolves against the Physical Interface, but the data, phase 2, should resolve against the logical interface.....

     

    Sounds like you should enter a static route for the pool address range to the correct st interface.... if it's in a routing-instance then make sure it is place there correctly.



  • 13.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 05:32

    The VPN pool is 10.0.0.x

     

    Yes, ran on the SRX.

     

    There is no st0 interface when these clients are connected, so I don't know how I'd create a static route.



  • 14.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 05:56

    Do you have your NCP VPN Configuration please? (Hide addresses you do not want to be seen or change them 🙂  )

     

    The configuration from the SRX I mean, not the client side?



  • 15.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 07:39
    IKE

    proposal NCP-client {
        authentication-method X;
        dh-group X;
        authentication-algorithm X;
        encryption-algorithm X;
        lifetime-seconds X;
    }

    policy NCP-client {
        mode X;
        proposals NCP-client;
        pre-shared-key ascii-text "SECRET";
    }

    gateway NCP-client {
        ike-policy NCP-client;
        dynamic {
            user-at-hostname "SECRET";
            connections-limit 10;
            ike-user-type X;
        }
        external-interface ge-0/0/2;
        aaa {
            access-profile remote_access_profile;
        }
    }

    IPSEC

    proposal NCP-client {
        protocol X;
        authentication-algorithm X;
        encryption-algorithm X;
        lifetime-seconds X;
    }

    policy NCP-client {
        proposals NCP-client;
    }

    vpn NCP-client {
        ike {
            gateway NCP-client;
            ipsec-policy NCP-client;
        }
    }

    Source NAT

    rule-set NCP-client {
        from zone Untrust;
        to zone [ Trust VPN-DMZ ];
        rule NCP {
            match {
                source-address-name NCP-VPN;
                destination-address-name Corporate;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    Firewall Policy - from-zone Untrust to-zone Trust

    policy NCP-client {
        match {
            source-address NCP-VPN;
            destination-address Corporate;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn NCP-client;
                }
            }
            log {
                session-close;
            }
        }
    }

    Firewall Policy - from-zone Untrust to-zone VPN-DMZ

    policy NCP-client {
        match {
            source-address any;
            destination-address Corporate;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn NCP-client;
                }
            }
            log {
                session-close;
            }
        }
    }

    Access

    address-assignment {
        pool NCP-client;
    }

    pool NCP-client {
        family inet {
            network 10.0.0.0/24;
        }
    }


  • 16.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 08:15

    This configuration seems to be missing sections that mine has that works.....

     

    Here is my configuration, with the Physical Interface in one VR and the logical in a separate VR. It may point in the right direction for you to resolve your issue:

     

    set security ike proposal ncp-proposal authentication-method pre-shared-keys

    set security ike proposal ncp-proposal dh-group x

    set security ike proposal ncp-proposal authentication-algorithm x

    set security ike proposal ncp-proposal encryption-algorithm x

    set security ike proposal ncp-proposal lifetime-seconds 10800

     

    set security ike policy ncp-policy mode aggressive

    set security ike policy ncp-policy proposals ncp-proposal

    set security ike policy ncp-policy pre-shared-key ascii-text <Key>

     

    set security ike gateway ncp-gateway ike-policy ncp-policy

    set security ike gateway ncp-gateway dynamic user-at-hostname "test@ncp.juniper.net"

    set security ike gateway ncp-gateway dynamic connections-limit 10

    set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id

    set security ike gateway ncp-gateway external-interface ge-0/0/1

    set security ike gateway ncp-gateway aaa access-profile radius

    set security ike gateway ncp-gateway version v1-only

    set security ike gateway ncp-gateway tcp-encap-profile NCP

     

    set security ipsec proposal ncp-ipsec-proposal protocol x

    set security ipsec proposal ncp-ipsec-proposal authentication-algorithm x

    set security ipsec proposal ncp-ipsec-proposal encryption-algorithm x

    set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600

    set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys x

    set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal

    set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1

    set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway

    set security ipsec vpn ncp-ipsec-vpn ike idle-time 900

    set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy

    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0

    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0

     

    set security tcp-encap profile NCP

     

    set access profile radius address-assignment pool NCP_POOL

    set access address-assignment pool NCP_POOL family inet network 172.16.10.0/24

    set access address-assignment pool NCP_POOL family inet xauth-attributes primary-dns 8.8.8.8/32

    set access address-assignment pool NCP_POOL family inet xauth-attributes secondary-dns 8.8.4.4/32

    set access profile radius client <User-name> firewall-user password <Password>

    set access profile radius address-assignment pool NCP_POOL

     

    From the perspective of policies, I simply have any any any permit as there is no other traffic at this point.

     

    The ge interface is in the VPN-VR and the st0.1 interface is in the customer-VR

     

    set routing-instances Customer-VR interface st0.1

    set routing-instances restapivpn interface ge-0/0/1.0

     

    Routing is held in the customer-vr where the st endpoint resides:

     

    set routing-instances Customer-VR routing-options static route 172.16.10.0/24 next-hop st0.1

     

    When you complete a "traceroute" from your laptop to something that exists at the far end of the VPN (not the SRX), what are the results please?



  • 17.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 09:41

    There doesn't appear to be much difference in the config., but I note you use a fixed interface for your NCP clients i.e. st0.1 - how can this work with multiple clients? Critically, we need to remember that my config works without fault with the exception in accessing the SRX, so I want to avoid tweaking the config as much as possible.

     

    When I run a traceroute to any other device at the far end I get a 2 hop response i.e. external IP of SRX followed by the device; if I run a traceroute to the SRX itself it's a direct response from the device as I'd expect. So the former seems odd.



  • 18.  RE: Issue(s) with dial-in dynamic VPN clients
    Best Answer

    Posted 09-10-2018 15:41

    Thanks for posting the configuration.  You have this setup using policy based vpn for the remote access and also using source nat to interface for your internal access to network resources.

     

    This configuration does limit your ability to connect to the SRX itself due to the handling of the packets for encryption by policy VPN on the SRX.

     

    If you change this from policy to route based and add the return route mentioned by Adgwytc, then you will get full session access to srx self traffic and not just ping.

     

    Totally understand that you would be reluctant to change a configuration with happy customers.

     



  • 19.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-11-2018 03:12

    Thank you Steve. Would you describe this behaviour as a fault with policy based connections or perhaps just a design limitation?



  • 20.  RE: Issue(s) with dial-in dynamic VPN clients

    Posted 09-12-2018 02:33

    Not sure how to classify it.  But self traffic is from a different zone than transit traffic so this is not a match to the policy vpn while the transit traffic will match.

     

    But if you use route vpn the srx no longer depends on the zone to zone policy for the encryption domain and it can route to the tunnel and become encrypted.
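As an added illustration (not from any post in this thread), here is the route-based form of the original poster's NCP configuration, following the bind-interface, static-route and junos-host-policy pattern the replies above describe. The zone name VPN, interface st0.0, the policy name VPN-mgmt and a global address-book entry NCP-VPN are assumptions; the pool, gateway, VPN and zone names Untrust/Trust come from the posted configuration.

```junos
# Added example, not from any post: route-based variant of the NCP setup above.
# Assumed: zone VPN, interface st0.0, policy name VPN-mgmt, global address NCP-VPN.

# 1. Tunnel interface in its own zone, with the management services it must accept
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN host-inbound-traffic system-services ssh
set security zones security-zone VPN host-inbound-traffic system-services https

# 2. Bind the VPN to st0.0 (route-based); 0/0 selectors as in post 16
set security ipsec vpn NCP-client bind-interface st0.0
set security ipsec vpn NCP-client ike gateway NCP-client
set security ipsec vpn NCP-client ike ipsec-policy NCP-client
set security ipsec vpn NCP-client traffic-selector TS1 local-ip 0.0.0.0/0
set security ipsec vpn NCP-client traffic-selector TS1 remote-ip 0.0.0.0/0

# 3. Return route for the pool: SRX self traffic to 10.0.0.x now routes into the tunnel
#    instead of following the 0.0.0.0/0 default via ge-0/0/2
set routing-options static route 10.0.0.0/24 next-hop st0.0

# 4. Transit policy: decrypted client traffic arrives from zone VPN, so the
#    policy-based "permit tunnel" policies are replaced by a plain permit
delete security policies from-zone Untrust to-zone Trust policy NCP-client
delete security policies from-zone Untrust to-zone VPN-DMZ policy NCP-client
set security policies from-zone VPN to-zone Trust policy NCP-client match source-address NCP-VPN
set security policies from-zone VPN to-zone Trust policy NCP-client match destination-address Corporate
set security policies from-zone VPN to-zone Trust policy NCP-client match application any
set security policies from-zone VPN to-zone Trust policy NCP-client then permit
set security policies from-zone VPN to-zone Trust policy NCP-client then log session-close

# 5. A junos-host policy exists for Trust, so VPN needs its own (post 5)
set security policies from-zone VPN to-zone junos-host policy VPN-mgmt match source-address NCP-VPN
set security policies from-zone VPN to-zone junos-host policy VPN-mgmt match destination-address any
set security policies from-zone VPN to-zone junos-host policy VPN-mgmt match application junos-https
set security policies from-zone VPN to-zone junos-host policy VPN-mgmt match application junos-ssh
set security policies from-zone VPN to-zone junos-host policy VPN-mgmt then permit

# 6. The interface source NAT rule-set must be re-keyed to zone VPN if it is still wanted
delete security nat source rule-set NCP-client from zone Untrust
set security nat source rule-set NCP-client from zone VPN

# Verify after commit: the pool must resolve to st0.0, not the default via ge-0/0/2
# run show route 10.0.0.59
```

With the route in place, a client address such as 10.0.0.59 should show `> via st0.0` in the output of `show route`, matching the st-interface route shown in post 12.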

     



  • 21.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-11-2018 02:25

    As Spuluka has stated, config changes would be required but I, as Spuluka, fully understand and appreciate why you may be reluctant to do this.

     

    I have no problem with multiple clients connecting as long as their credentials are included in the radius configuration assigned to the VPN. (Well, limited currently to the 2 user license)....