SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Ping sent from device doesn't reach across IPSec VPN

    Posted 07-06-2018 13:33

    Hello all,

    This has me scratching my head: 

    I have an IPSec VPN between the local LAN (192.168.10.0/24) and a remote site (192.168.171.0/24).

     

    Traffic is moving smoothly between sites, but I recently decided to implement configuration auto-archival to FTP server on remote site.

    Sadly, the SRX is unable to talk to the remote site.

     

    After configuring a flow filter, I found out that the SRX is sending the pings out of the Untrust ge-0/0/0 interface using the SRX's public IP, so they never enter the VPN tunnel.

    Sure enough, if I force a ping to go out with the SRX's local LAN IP, I get replies:

    >ping 192.168.171.14 source 192.168.10.1

     

    Does anyone have an idea why this is happening and how to remedy it?

     

    Thanks.

     

    Here is my config:

     

    ## Last changed: 2018-07-06 10:00:01 EDT
    # Junos SRX configuration as posted for troubleshooting; secrets and public
    # addresses were redacted by the poster ("..." / my.public.ip and similar).
    # NOTE(review): st0.0 carries no IPv4 address (see 'interfaces st0' below), and
    # the poster's flow trace shows host-generated traffic toward 192.168.171.0/24
    # (routed via st0.0) leaving ge-0/0/0 sourced from the public IP, so it never
    # enters the tunnel. The accepted answer points at 'default-address-selection'
    # or giving the device a LAN-range address to source from.
    version 17.3R2.10;
    # NOTE(review): 17.3 is an old release train; confirm it still receives
    # security fixes before relying on this configuration long-term.
    system {
    host-name location_1-srx;
    time-zone America/New_York;
    root-authentication {
    encrypted-password "...";
    }
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    login {
    message "\n\n === Location_1 Office SRX === \n\n";
    user bart {
    uid 2000;
    class super-user;
    authentication {
    encrypted-password "...";
    }
    }
    }
    services {
    ssh;
    # telnet is a cleartext management protocol and ssh is already enabled.
    # It is not listed in the untrust zone's host-inbound-traffic, but the trust
    # zone allows 'all' system-services and the lo0 filter below does not cover
    # port 23, so it stays reachable from every trust interface.
    telnet;
    web-management {
    # Cleartext HTTP management bound to the WAN interface (ge-0/0/0.0) as well
    # as the LAN and tunnel interfaces. The untrust zone does not admit 'http'
    # as a host-inbound service and the lo0 filter limits 2346 to mgmt-ip
    # sources, so exposure is contained; https alone would be simpler.
    http {
    port 2346;
    interface [ ge-0/0/0.0 ge-0/0/2.0 st0.0 ];
    }
    https {
    port 2345;
    system-generated-certificate;
    interface [ ge-0/0/0.0 ge-0/0/2.0 st0.0 ];
    }
    }
    dhcp {
    pool 192.168.10.0/24 {
    address-range low 192.168.10.100 high 192.168.10.199;
    maximum-lease-time 2419200;
    default-lease-time 1209600;
    # Hands out the remote-site DNS servers (192.168.171.14 via st0.0,
    # 10.11.17.140 via st0.1) first, so LAN name resolution depends on the VPNs.
    name-server {
    192.168.171.14;
    10.11.17.140;
    208.67.222.222;
    }
    domain-search {
    acme.local;
    }
    router {
    192.168.10.1;
    }
    propagate-settings ge-0/0/0.0;
    }
    # NOTE(review): 6.6.10.0/24 is not an RFC 1918 range; presumably chosen as a
    # "private" pool, but it shadows the real Internet prefix for these hosts.
    pool 6.6.10.0/24 {
    address-range low 6.6.10.100 high 6.6.10.150;
    maximum-lease-time 2419200;
    default-lease-time 1209600;
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    router {
    6.6.10.1;
    }
    propagate-settings ge-0/0/0.0;
    }
    pool 192.168.100.0/24 {
    address-range low 192.168.100.50 high 192.168.100.200;
    maximum-lease-time 172800;
    default-lease-time 86400;
    name-server {
    192.168.171.14;
    10.11.17.140;
    }
    router {
    192.168.100.1;
    }
    }
    }
    }
    syslog {
    # Keeps IKE daemon (KMD) messages in a dedicated file for VPN troubleshooting.
    file kmd-logs {
    daemon info;
    match KMD;
    }
    }
    archival {
    configuration {
    # Pushes the full configuration (pre-shared keys, SNMP community, password
    # hashes) to 192.168.171.14 over FTP on every commit. FTP is cleartext, so
    # this is only acceptable once the transfer actually traverses the IPsec
    # tunnel (the problem described in the post); an scp:// archive site avoids
    # the issue regardless of path (the accepted answer refers to an SCP server).
    transfer-on-commit;
    archive-sites {
    ftp://192.168.171.14/SRX;
    }
    }
    }
    ntp {
    server 104.232.3.3;
    server 64.99.80.121;
    }
    }
    security {
    ike {
    # Both IKE policies use main mode with the predefined 'standard' proposal
    # set (pre-shared key, 3DES or AES-128, SHA-1, DH group 2 per Junos docs);
    # an explicit proposal with current algorithms is preferable where the
    # peers support it.
    policy ike-location_1-SSG {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "...";
    }
    policy ike-policy-location_1-SSG-location_2 {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "...";
    }
    # Both gateways terminate on the WAN interface ge-0/0/0.0.
    gateway ike-gw-location_1-comcast-SSG {
    ike-policy ike-location_1-SSG;
    address my.remote.ip;
    external-interface ge-0/0/0.0;
    }
    gateway ike-gw-location_2 {
    ike-policy ike-policy-location_1-SSG-location_2;
    address my.other.remote.ip;
    external-interface ge-0/0/0.0;
    }
    }
    ipsec {
    policy vpn-policy-std {
    proposal-set standard;
    }
    policy vpn-policy-std-location_2 {
    proposal-set standard;
    }
    # Route-based VPN to the 192.168.171.0/24 site on st0.0.
    vpn ike-vpn-location_1-comcast {
    bind-interface st0.0;
    ike {
    gateway ike-gw-location_1-comcast-SSG;
    # NOTE(review): the static route for 10.255.255.16/28 also points at st0.0
    # but is not covered by this proxy-identity; if the peer is policy-based it
    # may reject that traffic -- confirm against the peer's policy.
    proxy-identity {
    local 192.168.10.0/24;
    remote 192.168.171.0/24;
    }
    ipsec-policy vpn-policy-std;
    }
    }
    # Route-based VPN to the 10.11.17.0/24 site on st0.1.
    vpn ike-vpn-location_2 {
    bind-interface st0.1;
    ike {
    gateway ike-gw-location_2;
    proxy-identity {
    local 192.168.10.0/24;
    remote 10.11.17.0/24;
    }
    ipsec-policy vpn-policy-std-location_2;
    }
    }
    }
    address-book {
    global {
    address location_1-lan2 192.168.16.0/24;
    address location_1-lan 192.168.10.0/24;
    address apc-ups 192.168.10.251/32;
    address location_1-wlan 192.168.100.0/24;
    address PACS_192_168_10_15 192.168.10.15/32;
    # NOTE(review): 'location_1-lan' appears twice (192.168.10.0/24 above and
    # 192.168.171.0/24 here); as shown this is not a valid address book, and
    # the VPN policies below use the same name as both source and destination.
    # Presumably an artifact of anonymising the post -- confirm the real name
    # of the remote LAN object.
    address location_1-lan 192.168.171.0/24;
    address location_2-lan 10.11.17.0/24;
    address SRX-routing-addr 10.255.255.16/28;
    address loopback 127.0.0.1/32;
    }
    }
    flow {
    # Datapath tracing added for the troubleshooting described in the post
    # (ICMP toward 192.168.171.14). Remove it once resolved: basic-datapath
    # tracing can be costly and writes per-packet detail to debug.log.
    traceoptions {
    file debug.log;
    flag basic-datapath;
    packet-filter FILTER1 {
    protocol icmp;
    source-prefix 0.0.0.0/0;
    destination-prefix 192.168.171.14/32;
    }
    }
    tcp-mss {
    ipsec-vpn {
    mss 1350;
    }
    }
    }
    nat {
    source {
    # Interface (hide) NAT for everything leaving trust toward untrust.
    rule-set nat-out {
    from zone trust;
    to zone untrust;
    rule interface-nat {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    pool dnat-192_168_10_251m32 {
    address 192.168.10.251/32 port 161;
    }
    # Forwards my.public.ip:16100 to the APC UPS on SNMP/161. Together with the
    # untrust-to-trust policy below ('source-address any') this exposes the
    # UPS's SNMP agent to every untrust source; the lo0 filter's 16100 entry
    # applies to traffic terminating on the SRX itself and is unlikely to
    # cover this DNAT'd transit flow -- verify, and restrict the policy's
    # source-address to the management prefixes instead.
    rule-set dest-nat {
    from zone untrust;
    rule rule-snmp-16100 {
    match {
    destination-address my.public.ip/32;
    destination-port {
    16100;
    }
    }
    then {
    destination-nat {
    pool {
    dnat-192_168_10_251m32;
    }
    }
    }
    }
    }
    }
    proxy-arp {
    interface ge-0/0/0.0 {
    address {
    my.public.ip.2/32;
    }
    }
    }
    }
    policies {
    # Unrestricted outbound access from trust to the Internet.
    from-zone trust to-zone untrust {
    policy all-outbound {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    # Site-to-site traffic; relies on the duplicated 'location_1-lan' object
    # noted in the address book above.
    from-zone trust to-zone vpn {
    policy vpn-to-location_1 {
    match {
    source-address location_1-lan;
    destination-address location_1-lan;
    application any;
    }
    then {
    permit;
    }
    }
    policy vpn-to-location_2 {
    match {
    source-address location_1-lan;
    destination-address location_2-lan;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone vpn to-zone trust {
    policy vpn-from-location_1 {
    match {
    source-address location_1-lan;
    destination-address location_1-lan;
    application any;
    }
    then {
    permit;
    }
    }
    policy vpn-from-location_2 {
    match {
    source-address location_2-lan;
    destination-address location_1-lan;
    application any;
    }
    then {
    permit;
    }
    }
    }
    # Inbound SNMP to the UPS from any untrust source (see the DNAT note above).
    from-zone untrust to-zone trust {
    policy unt-to-trust-snmp-16100 {
    match {
    source-address any;
    destination-address apc-ups;
    application snmp-16100;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    # WAN zone: ssh, https and snmp are accepted on the public interface; the
    # only source restriction is the lo0 input filter (allow-mgmt-ip-only),
    # which discards those ports unless the source is in prefix-list mgmt-ip.
    security-zone untrust {
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    snmp;
    ping;
    ssh;
    https;
    }
    }
    }
    }
    }
    # LAN zone: every system service and protocol is accepted; again the lo0
    # filter is the effective control, and it covers only the ports it lists.
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
    ge-0/0/3.0;
    ge-0/0/5.0;
    lo0.0;
    }
    }
    # NOTE(review): no host-inbound-traffic here, so management sessions from
    # the mgmt-ip prefixes (which arrive over st0.0/st0.1) would be dropped at
    # the zone even though web-management binds st0.0 -- verify this is intended.
    security-zone vpn {
    interfaces {
    st0.0;
    st0.1;
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address my.public.ip/29;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.16.1/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.10.1/24;
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family inet {
    address 6.6.10.1/24;
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family inet {
    address 192.168.100.1/24;
    }
    }
    }
    # lo0 has no address of its own; the input filter is what gates traffic
    # destined to the SRX itself (see 'firewall' below).
    lo0 {
    unit 0 {
    family inet {
    filter {
    input allow-mgmt-ip-only;
    }
    }
    }
    }
    # Unnumbered tunnel interfaces: neither unit has an address, which is why
    # host-generated traffic routed via st0.0 picks the ge-0/0/0 public IP.
    st0 {
    unit 0 {
    family inet;
    }
    unit 1 {
    family inet;
    }
    }
    }
    snmp {
    description "Location_1 SRX";
    location "Somewhere";
    contact "Bart";
    # Read-only community with no 'clients' restriction; source filtering
    # relies entirely on the lo0 filter's mgmt-ip check.
    community my.community.string {
    authorization read-only;
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop my.public.gateway.ip;
    # Remote LANs reached through the tunnel interfaces.
    route 192.168.171.0/24 next-hop st0.0;
    route 10.11.17.0/24 next-hop st0.1;
    route 10.255.255.16/28 next-hop st0.0;
    }
    }
    protocols {
    l2-learning {
    global-mode switching;
    }
    }
    policy-options {
    # NOTE(review): only the two remote VPN LANs count as management sources;
    # the local LANs (192.168.10/16/100.0/24) are therefore discarded by
    # allow-mgmt-ip-only for the listed ports -- confirm this is intentional.
    prefix-list mgmt-ip {
    10.11.17.0/24;
    192.168.171.0/24;
    }
    }
    firewall {
    filter allow-mgmt-ip-only {
    # Discards management-port traffic from any source NOT in mgmt-ip
    # ('except'). Logging of matches is currently deactivated ('inactive:').
    # Port 23 (telnet) is not in the list.
    term block-except-mgmt {
    from {
    source-address {
    0.0.0.0/0;
    }
    source-prefix-list {
    mgmt-ip except;
    }
    protocol [ tcp udp ];
    destination-port [ ssh http https snmp 16100 2345 2346 ];
    }
    then {
    inactive: log;
    discard;
    }
    }
    # Same source check for ICMP echo requests to the SRX.
    term block-ping {
    from {
    source-address {
    0.0.0.0/0;
    }
    source-prefix-list {
    mgmt-ip except;
    }
    protocol icmp;
    icmp-type echo-request;
    }
    then {
    discard;
    }
    }
    term allow-everything-else {
    then accept;
    }
    }
    }
    applications {
    # Custom application used by the untrust-to-trust policy; the DNAT pool
    # has already rewritten the port from 16100 to 161 when it is evaluated.
    application snmp-16100 {
    protocol udp;
    destination-port 161;
    }
    }



  • 2.  RE: Ping sent from device doesn't reach across IPSec VPN
    Best Answer

    Posted 07-06-2018 23:11

    Hi ,

     

    Normally 'system archival' traffic is sourced from the IP of the egress interface of the route pointing to the SCP server (WAN or LAN), since this is host-generated traffic. Alternatively, we can force it with "default-address-selection". But since that may break other services on your device, we can try just creating a loopback interface with a LAN IP address and see whether it uses that.

     

    Alternatively check the below article as well:

    https://www.juniper.net/documentation/en_US/junos12.2/topics/reference/configuration-statement/default-address-selection-edit-system.html