Dynamic VPN IPsec not ping other segment ip

  • 1.  Dynamic VPN IPsec not ping other segment ip

    Posted 01-26-2020 23:45

    I am having trouble with Dynamic VPN IPsec on a Juniper SRX. The Dynamic VPN IPsec was successfully created, but it cannot ping the other segments' IPs. How do I solve it? I can't ping these segments on the dynamic VPN client: 192.168.3.0/24, 192.168.2.0/24, 192.168.1.0/24, 10.10.10.0/24

    "configuration"

    security {
        ike {
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set basic;
                pre-shared-key ascii-text "?"; ## SECRET-DATA
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname SRX;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                aaa {
                    access-profile remote_access_profile;
                }
            }
        }
        ipsec {
            policy ipsec_pol_wizard_dyn_vpn {
                proposal-set basic;
            }
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                wizard-dyn-group {
                    remote-protected-resources {
                        192.168.3.0/24;
                        192.168.2.0/24;
                        192.168.1.0/24;
                        192.168.0.0/24;
                        10.10.10.0/24;
                    }
                    ipsec-vpn wizard_dyn_vpn;
                    user {
                        srxuser2;
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client srxuser2 {
                firewall-user {
                    password "?"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.20.30.0/24;
                    dhcp-attributes {
                        name-server {
                            192.168.0.1;
                            192.168.0.11;
                            1.1.1.1;
                        }
                        router {
                            192.168.0.8;
                        }
                    }
                    xauth-attributes {
                        primary-dns 192.168.0.11/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }


    root@SRX# show security policies

    from-zone untrust to-zone trust {
        policy policy_in_wizard_dyn_vpn {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn wizard_dyn_vpn;
                    }
                }
            }
        }
    }

    IP obtained by the client: [screenshot 111.PNG]


  • 2.  RE: Dynamic VPN IPsec not ping other segment ip

    Posted 01-27-2020 06:08

    You have almost no information here so it's difficult for anybody to help you.

    Some things that might help:

    - Provide the configs so members here can help troubleshoot.
    - Is the VPN up? (show security ike security-associations & show security ike security-associations)
    - Do you control both ends?
    - What vendor is the remote end?
    - Copy of the routing tables.
    - What are you trying to ping on the remote end? (IP on LAN behind firewall or an interface on the firewall)

    Thanks


  • 3.  RE: Dynamic VPN IPsec not ping other segment ip

    Posted 01-27-2020 06:51

    Hi Tech_mvt,

    Just some quick easy fixes below?

    Have you created the appropriate VPN policies for the zones and the tunnel interface?

    Have you done this and the VPN set up on both ends?

    KR

    Adam



  • 4.  RE: Dynamic VPN IPsec not ping other segment ip

    Posted 01-27-2020 12:42

    Hi Tech_mvt,

    If the vpn is UP here: show security ipsec sa, please confirm if you have the necessary security policies to allow the individual segments to communicate.

    Cheers

    Pooja

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 5.  RE: Dynamic VPN IPsec not ping other segment ip
    Best Answer

    Posted 01-27-2020 12:43

    Hi tech_mvt,

    Enabling these flow traceoptions will help us look at the flow of the traffic through the SRX.

    https://kb.juniper.net/KB32586

    Cheers

    Pooja

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
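As a worked illustration of the flow trace the best answer points to, added here and not taken from the thread or from KB32586: Junos flow traceoptions scoped with packet filters to the client pool (10.20.30.0/24) and one unreachable segment (192.168.1.0/24) from the posted configuration, followed by the show commands used to read the result. The file name, the packet-filter names and the `#` comment lines are assumptions.

```junos
# Scope the trace to both directions between the VPN address pool and one
# segment; untargeted basic-datapath tracing on a busy SRX fills the log fast.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 10m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter vpn-to-lan source-prefix 10.20.30.0/24
set security flow traceoptions packet-filter vpn-to-lan destination-prefix 192.168.1.0/24
set security flow traceoptions packet-filter lan-to-vpn source-prefix 192.168.1.0/24
set security flow traceoptions packet-filter lan-to-vpn destination-prefix 10.20.30.0/24
commit

# Ping a 192.168.1.x host from the connected client, then read the trace.
# Check the ingress zone and interface, the route lookup result and the
# policy that matched. A request with no matching reply (reversed addresses)
# points at the return path on the 192.168.1.x side or the host's own
# firewall rather than at the SRX policy.
run show log flow-trace | match "10.20.30|192.168.1"

# Companion checks while the trace is active (same configuration session):
run show security ipsec security-associations
run show security flow session source-prefix 10.20.30.0/24
run show route 192.168.1.0/24
run show security zones

# Remove the tracing when finished.
delete security flow traceoptions
commit
```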