SRX

Expand all | Collapse all

Issue(s) with dial-in dynamic VPN clients

Jump to Best Answer
  • 1.  Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-30-2018 07:49

    1. My main issue is, when connected via our dial-in VPN client (NCP Secure Entry Client) I cannot connect to the LAN interface of the SRX340 which handles these connections. I can ping it, but can't gain https access, which I can when connecting via the LAN. The LAN interface is 192.168.1.254. The VPN clients receive 10.0.0.0/24 addresses.  I can access other resources on the 192 subnet, just not the SRX340.

     

    2. An odd issue, which I doubt will be readily solved, is that it can take numerous attempts over a period of time to establish a dial-in connection. The log on the NCP client simply states that the gateway did not respond..... Not sure where to start with this one.



  • 2.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-30-2018 19:14

    Hello,

     

    Once connected using VPN and trying to access https, can you collect 'security flow traceoptions' for the traffic from VPN client Assigned IP to IP of the internal resource you are doing https on?

     

    Regards,

     

    Rushi



  • 3.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-31-2018 03:07

    Are there any junos-host zone policies configured?

     



  • 4.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-31-2018 09:40

    @spuluka wrote:

    Are there any junos-host zone policies configured?

     


    Yes, one, that (supposedly) applies a custom timeout for HTTPS/SSH sessions. This from Trust to junos-host. There is not an equivalent for VPN to junos-host, is this the issue? Seems unconnected, hmmmmm.



  • 5.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 08-31-2018 13:52

    I would add a policy from vpn to junos-host then that matches your trust to junos-host policy.  I have not used this extra restriction much but my recollection is that once you commit to it you have to use it for all host connections.

     



  • 6.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-06-2018 03:10

    Hi Steve. I have now tried your suggestion and also tried removing the Trust rule, but neither allowed me access.



  • 7.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-07-2018 03:10

    Is it just the web interface or is ssh also not working?

     

    On the SRX what is the route for the address in your 10 pool?

     



  • 8.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-07-2018 04:30

    No, it's also SSH.

     

    I think no is the answer to your second question, although I'm not 100% confident. Everything runs on OSPF. I can ping/access around all sites when dialled in, so I assume the routing is fine.



  • 9.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-07-2018 06:56

    As Spuluka said, I would have a look and see where your VPN Pool is being routed to.


    To confirm, you are connecting via the VPN and then running a ping, via the correct interface, from your laptop/desktop/windows/linux machine to get the required echo responses?

     

    Just confirm, from the SRX that you are routing to the correct st interface:

     

    run show route (address in the VPN pool range, the address on your laptop for example)



  • 10.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-08-2018 04:45

    We want to verify the routing path exists and is symetrical between the SRX and the vpn pool address.

     

    Thus the desire to see what route is used by the SRX for the vpn pool address

    And what route on the device to the SRX address when connected to the VPN

     



  • 11.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 02:57

    Here is the output from the laptop that can ping the SRX but not comnunicate via HTTPs or SSH:

     

    > show route 10.0.0.59
    
    inet.0: 182 destinations, 198 routes (182 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 6w5d 03:03:06
                        > to x.x.x.x via ge-0/0/2.0
                        [OSPF/150] 4w4d 02:48:39, metric 0, tag 0
                        > to X.X.X.X via ge-0/0/3.0

     

    where x.x.x.x = the external IP of the site where the SRX is located

    and where X.X.X.X = an internal IP address - this second route is definietly not correct, but I assume doesn't play any part given its higher value.

     

    On the client, the routing table looks correct for a route back.



  • 12.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 03:56

    The VPN pool is 10.0.0.xxx prefix?

     

    This was taken on the SRX?

     

    If so, the address you are looking for appears to be going to the default and via a physical interface.... I would have thought you would have seen the route showing to an st interface, as per mine below:

     

    show route 172.16.10.128 

    172.16.10.128/32   *[Static/5] 00:14:00
                        > via st0.1

     

    The IKE phase 1 resolves against the Physical Interface, but the data, phase 2, should resolve against the logical interface.....

     

    Sounds like you should enter a static route for the pool address range to the correct st interface.... if it's in a routing-instance then make sure it is place there correctly.



  • 13.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 05:32

    The VPN pool is 10.0.0.x

     

    Yes, ran on the SRX.

     

    There is no st0 interface when these clients are connected, so I don't know how I'd create a static route.



  • 14.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 05:56

    Do you have your NCP VPN Configuration please? (Hide addresses you do not want to be seen or change them 🙂  )

     

    The configuration from the SRX I mean, not the client side?



  • 15.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 07:39
    IKE
    
    proposal NCP-client {
                authentication-method X;
                dh-group X;
                authentication-algorithm X;
                encryption-algorithm X;
                lifetime-seconds X;
    	    }
    			
    policy NCP-client {
                mode X;
                proposals NCP-client;
                pre-shared-key ascii-text "SECRET";
                }
    		
    gateway NCP-client {
                ike-policy NCP-client;
                dynamic {
                    user-at-hostname "SECRET";
                    connections-limit 10;
                    ike-user-type X;
                }
                external-interface ge-0/0/2;
                aaa {
                    access-profile remote_access_profile;
                 }
                }
    		
    IPSEC
    
    proposal NCP-client {
                protocol X;
                authentication-algorithm X;
                encryption-algorithm X;
                lifetime-seconds X;
                }
    		
    policy NCP-client {
                proposals NCP-client;
                }		
    		
    vpn NCP-client {
                ike {
                    gateway NCP-client;
                    ipsec-policy NCP-client;
                     }
                    }
    		
    
    Source NAT
    
    rule-set NCP-client {
                    from zone Untrust;
                    to zone [ Trust VPN-DMZ ];
                    rule NCP {
                        match {
                            source-address-name NCP-VPN;
                            destination-address-name Corporate;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                           }
                          }
    		     }
    			
    
    Firewall Policy - from-zone Untrust to-zone Trust
    
    policy NCP-client {
                    match {
                        source-address NCP-VPN;
                        destination-address Corporate;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn NCP-client;
                            }
                        }
                        log {
                            session-close;
                          }
                         }
                        } 
    			
    
    Firewall Policy - from-zone Untrust to-zone VPN-DMZ
    
    policy NCP-client {
                    match {
                        source-address any;
                        destination-address Corporate;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn NCP-client;
                            }
                        }
                        log {
                            session-close;
                           }
                          }
                         }  
                        }
    		
    
    Access
    
    address-assignment {
                pool NCP-client;
                }
    		
    pool NCP-client {
                family inet {
                    network 10.0.0.0/24;
                 }
                }


  • 16.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 08:15

    This configuration seems to be missing sections that mine has that works.....

     

    Here is my configuration, with the Physical Interface in one VR and the logical in a separate VR. It may point in the right direction for you to resolve your issue:

     

    set security ike proposal ncp-proposal authentication-method pre-shared-keys

    set security ike proposal ncp-proposal dh-group x

    set security ike proposal ncp-proposal authentication-algorithm x

    set security ike proposal ncp-proposal encryption-algorithm x

    set security ike proposal ncp-proposal lifetime-seconds 10800

     

    set security ike policy ncp-policy mode aggressive

    set security ike policy ncp-policy proposals ncp-proposal

    set security ike policy ncp-policy pre-shared-key ascii-text <Key>

     

    set security ike gateway ncp-gateway ike-policy ncp-policy

    set security ike gateway ncp-gateway dynamic user-at-hostname "test@ncp.juniper.net"

    set security ike gateway ncp-gateway dynamic connections-limit 10

    set security ike gateway ncp-gateway dynamic ike-user-type shared-ike-id

    set security ike gateway ncp-gateway external-interface ge-0/0/1

    set security ike gateway ncp-gateway aaa access-profile radius

    set security ike gateway ncp-gateway version v1-only

    set security ike gateway ncp-gateway tcp-encap-profile NCP

     

    set security ipsec proposal ncp-ipsec-proposal protocol x

    set security ipsec proposal ncp-ipsec-proposal authentication-algorithm x

    set security ipsec proposal ncp-ipsec-proposal encryption-algorithm x

    set security ipsec proposal ncp-ipsec-proposal lifetime-seconds 3600

    set security ipsec policy ncp-ipsec-policy perfect-forward-secrecy keys x

    set security ipsec policy ncp-ipsec-policy proposals ncp-ipsec-proposal

    set security ipsec vpn ncp-ipsec-vpn bind-interface st0.1

    set security ipsec vpn ncp-ipsec-vpn ike gateway ncp-gateway

    set security ipsec vpn ncp-ipsec-vpn ike idle-time 900

    set security ipsec vpn ncp-ipsec-vpn ike ipsec-policy ncp-ipsec-policy

    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 local-ip 0.0.0.0/0

    set security ipsec vpn ncp-ipsec-vpn traffic-selector TS1 remote-ip 0.0.0.0/0

     

    set security tcp-encap profile NCP

     

    set access profile radius address-assignment pool NCP_POOL

    set access address-assignment pool NCP_POOL family inet network 172.16.10.0/24

    set access address-assignment pool NCP_POOL family inet xauth-attributes primary-dns 8.8.8.8/32

    set access address-assignment pool NCP_POOL family inet xauth-attributes secondary-dns 8.8.4.4/32

    set access profile radius client <User-name> firewall-user password <Password>

    set access profile radius address-assignment pool NCP_POOL

     

    From the perspective of policies, I simply have any any any permit as there is no other traffic at this point.

     

    The ge interface is in the VPN-VR and the st0.1 interface is in the customer-VR

     

    set routing-instances Customer-VR interface st0.1

    set routing-instances restapivpn interface ge-0/0/1.0

     

    Routing is held in the customer-vr where the st endpoint resides:

     

    set routing-instances Customer-VR routing-options static route 172.16.10.0/24 next-hop st0.1

     

    When you complete a "traceroute" from your laptop to something that exists at the far end of the VPN (not the SRX), what are the results please?



  • 17.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-10-2018 09:41

    There doesn't appear to be much difference in the config., but I note you use a fixed interface for your NCP clients i.e. st0.1 - how can this work with multiple clients? Critically, we need to remember that my config works without fault with the exception in accessing the SRX, so I want to avoid tweaking the config as much as possible.

     

    When I run a traceroute to any other device at the far end I get a 2 hop response i.e. external IP of SRX followed by the device; if I run a traceroute to the SRX itslef it's a direct response from the device as I'd expect. So the former seems odd.



  • 18.  RE: Issue(s) with dial-in dynamic VPN clients
    Best Answer

     
    Posted 09-10-2018 15:41

    Thanks for posting the configuration.  You have this setup using policy based vpn for the remote access and also using source nat to interface for your internal access to network resources.

     

    This configuration does limit you ability to connect to the srx itself due to the handling of the packets for encryption by policy vpn on the srx.

     

    If you change this from policy to route based and add the return route mentioned by Adgwytc, then you will get full session access to srx self traffic and not just ping.

     

    Totally understand that you would be reluctant to change a configuration with happy customers.

     



  • 19.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-11-2018 03:12

    Thank you Steve. Would you describe this behaviour as a fault with policy based connections or perhaps just a design limitation?



  • 20.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-12-2018 02:33

    Not sure how to classify it.  But self traffic is from a different zone than transit traffic so this is not a match to the policy vpn while the transit traffic will match.

     

    But if you use route vpn the srx no longer depends on the zone to zone policy for the encryption domain and it can route to the tunnel and become encrypted.

     



  • 21.  RE: Issue(s) with dial-in dynamic VPN clients

     
    Posted 09-11-2018 02:25

    As Spuluka has stated, config changes would be required but I, as Spuluka, fully understand and appreciate why you may be reluctant to do this.

     

    I have no problem with multiple clients connecting as long as their credentials are included in the radius configuration assigned to the VPN. (Well, limited currently to the 2 user license)....