SRX



  • 1.  Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 08:43

    I've managed to get a test dynamic VPN working to some degree.

    A bit about our architecture:
    Two offices - A & B
    Amazon Cloud - Z

    The current static VPNS are:
    A - B
    A - Z
    B - Z


    Eventually I will have dynamic VPN setup on the SRX's serving office A & B. Currently just working on one SRX.

    Currently working on SRX B for initial setup.
    I am able to connect, authenticate, and access resources behind B.
    I cannot access resources behind A & Z.

    The ip settings of the virtual adapter when connected are:
    IPv4    192.168.1.13
    Subnet Mask:  255.255.255.255

    Default Gateway:    

    DNS:   192.168.xx.80|

    I am able to resolve the resources on networks B & Z.

    I feel like I am really close to getting this right but need a nudge in the right direction.

    Below is the current config with non-relevant information removed and IP addresses changed.

    version 15.1X49-D60.7;
    system {
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface [ ge-0/0/1.0 st0.3 ];
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
                }
            }
        }
    }
    security {
        ike {
            proposal Dynamic-VPN-P1-Proposal {
                description Dynamic_P1_Proposal;
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 1200;
            }
            policy Dynamic-VPN-P2-Policy {
                mode aggressive;
                description Dynamic_P2_Policy;
                proposals Dynamic-VPN-P1-Proposal;
                pre-shared-key ascii-text "$9$KteMWXdb2JGirewg4aHk.P5z9tp01ylvbsaUjkQzEcSeLx7-Vb24W8GD"; ## SECRET-DATA
            }
            gateway Dynamic-VPN-P1-Gateway {
                ike-policy Dynamic-VPN-P2-Policy;
                dynamic {
                    hostname mustbegeek.com;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth {
                    access-profile Dynamic-XAuth;
                }
            }
        }
        ipsec {
            proposal Dynamic-P2-Proposal {
                description Dynamic-VPN-P2-Proposal;
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy Dynamic-P2-Policy {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposals Dynamic-P2-Proposal;
            }
            vpn Dynamic-VPN {
                ike {
                    gateway Dynamic-VPN-P1-Gateway;
                    ipsec-policy Dynamic-P2-Policy;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            force-upgrade;
            access-profile Dynamic-XAuth;
            clients {
                all {
                    remote-protected-resources {
                        192.168.26.0/24;												<-- Office B
                        192.168.25.0/24;												<-- Office A
                        192.168.57.0/24;												<-- Amazon 
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn Dynamic-VPN;
                    user {
                        Jed;
                        Steve;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy Dynamic-VPN {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Dynamic-VPN;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                        bgp;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    st0.3;
                    st0.1;
                    st0.2;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ping;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 55.55.55.50/30;									<-- Public IP of SRX
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.26.254/24;							<-- Local network
                }
            }
        }
        st0 {
            unit 1 {
                family inet {
                    mtu 1436;
                    address 11.22.33.44/30;									<-- VPN to Amazon
                }
            }
            unit 2 {
                family inet {
                    mtu 1436;
                    address 11.22.33.55/30;									<-- VPN to Amazon
                }
            }
            unit 3 {
                family inet {
                    mtu 1436;
                    address 22.33.44.66/24;									<-- VPN to office A
                }
            }
        }
    }
    routing-options {
        static {
            route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];			<-- Route to Amazon
            route 0.0.0.0/0 next-hop 55.55.55.51;					<-- Route to internet
            route 192.168.25.0/24 next-hop st0.3;					<-- Route to office A 
        }
    }
    access {
        profile Dynamic-XAuth {
            client Jed {
                firewall-user {
                    password "$9$emBKL7N-b2oGdbT3n6AtM8XxNb"; ## SECRET-DATA
                }
            }
            client Steve {
                firewall-user {
                    password "$9$UzDqPf5z6CuTzlMW87Nik.mfz"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool Dynamic-VPN-Pool;
            }
        }
        address-assignment {
            pool Dynamic-VPN-Pool {
                family inet {
                    network 192.168.10.0/24;
                    range Range1 {
                        low 192.168.10.10;
                        high 192.168.10.30;
                    }
                    dhcp-attributes {
                        domain-name stonemountainaccess.com;
                        name-server {
                            192.168.26.80;												<-- Domain controller office B
                        }
                        router {
                            192.168.10.1;
                        }
                    }
                    xauth-attributes {
                        primary-dns 192.168.26.80/32;					<-- Domain controller office B
                        secondary-dns 192.168.25.80/32;				<-- Domain controller office A
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile Dynamic-XAuth;
            }
        }
    }
    

    #dynamicVPN
    #vpn
    #SRX


  • 2.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 08:58

    You are only allowing access to the following subnets

     

    remote-protected-resources {
        192.168.26.0/24;    <-- Office B
        192.168.25.0/24;    <-- Office A
        192.168.57.0/24;
    }

    What are the IPs you are trying to reach?



  • 3.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 09:09

    I am able to reach all resources on 192.168.26.0
    I cannot reach anything on the other two subnets.



  • 4.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction
    Best Answer

    Posted 08-10-2017 08:52

    The solution was adding a static route to the routers.

    My pings were reaching the other networks but could not find a return path.

    Example below for two SRX devices prior to solution

     

    SRX-A hosts
    - IP block 192.168.5.0/24

    - Has static routes for Internet, Amazon, and SRX-B internal network
    - Assigns 192.168.10.0/24 to dynamic-vpn

     

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.6.0/24 next-hop st0.3;
    }

     

     

    SRX-B hosts

    - IP block 192.168.6.0/24

    - Has static routes for Internet, Amazon, and SRX-B internal network
    - Assigns 192.168.20.0/24 to dynamic-vpn

     

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.5.0/24 next-hop st0.3;
    }

     

    In the above example dynamic vpn traffic could reach the other networks but there was no return path. SRX-A had no idea how to send traffic to 192.168.20.0.

     


    Below is the solution:

    SRX-A hosts

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.6.0/24 next-hop st0.3;     <-- this is the route to SRX-B
        route 192.168.20.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-B
    }

     

    SRX-B hosts

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.5.0/24 next-hop st0.3;  <-- this is the route to SRX-A
        route 192.168.10.0/24 next-hop st0.3; <-- this is the route to the dynamic-vpn ip-range on SRX-A
    }
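    Added example, not part of the thread or of Junos: a small Python route-lookup that reproduces the asymmetry described in the accepted answer. It parses the `static { route ... }` fragments above (re-embedded below as constructed strings, with the elided `173.161.47.xxx` internet gateway replaced by the labelled placeholder 203.0.113.1) into a longest-prefix-match table, then checks both directions of a dynamic-VPN flow: the SRX terminating the client looks up the target, and the peer SRX looks up the client's pool address. Before the fix the return lookup on SRX-A falls through to the default route instead of the st0.3 tunnel; after adding the pool route it resolves to st0.3. The client and target addresses (192.168.20.15, 192.168.5.20) are constructed for the demonstration. The parser also rejects the `next hop` typo from the original post, since Junos would not accept that line either.

```python
"""Forward/return path check for a site-to-site + dynamic-VPN topology.

Added example (not from the forum thread). Prefixes, interface names and
pools mirror the accepted answer; 203.0.113.1 is a placeholder for the
redacted internet next hop, and the client/target addresses are constructed.
"""
import ipaddress
import re

# Matches one Junos static route line: single next hop or a bracketed list.
ROUTE_RE = re.compile(r"route\s+(\S+)\s+next-hop\s+(\[[^\]]*\]|\S+);")

# Constructed 'show routing-options' fragments, as in the answer, before the fix.
SRX_A_BEFORE = """
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 203.0.113.1;
    route 192.168.6.0/24 next-hop st0.3;
}
"""
SRX_B_BEFORE = """
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 203.0.113.1;
    route 192.168.5.0/24 next-hop st0.3;
}
"""
# After the fix: each SRX learns the peer's dynamic-VPN pool via the tunnel.
SRX_A_AFTER = SRX_A_BEFORE.replace("}", "    route 192.168.20.0/24 next-hop st0.3;\n}")
SRX_B_AFTER = SRX_B_BEFORE.replace("}", "    route 192.168.10.0/24 next-hop st0.3;\n}")


def parse_static_routes(text):
    """Return [(network, [next_hops])] from a Junos 'static { ... }' fragment.

    Raises ValueError if a 'route' line did not parse (e.g. 'next hop' typo).
    """
    routes = []
    for m in ROUTE_RE.finditer(text):
        prefix = ipaddress.ip_network(m.group(1))
        next_hops = m.group(2).strip("[]").split()
        routes.append((prefix, next_hops))
    expected = sum(1 for ln in text.splitlines() if ln.strip().startswith("route "))
    if expected != len(routes):
        raise ValueError("unparsed route line (check for typos such as 'next hop')")
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the next-hop list or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hops in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hops)
    return best[1] if best else None


def path_check(local_routes, remote_routes, client_ip, target_ip):
    """Check a dynamic-VPN flow in both directions.

    local_routes: table of the SRX where the client terminates (looks up target).
    remote_routes: table of the SRX hosting the target (looks up client pool).
    The flow is only usable if both lookups resolve onto an st0 tunnel interface.
    """
    forward = lookup(local_routes, target_ip)
    back = lookup(remote_routes, client_ip)
    via_tunnel = lambda hops: bool(hops) and all(h.startswith("st0") for h in hops)
    return {
        "forward": forward,
        "return": back,
        "symmetric": via_tunnel(forward) and via_tunnel(back),
    }


if __name__ == "__main__":
    # Client on SRX-B's pool (192.168.20.0/24) pinging a host behind SRX-A.
    for label, a, b in (("before", SRX_A_BEFORE, SRX_B_BEFORE),
                        ("after", SRX_A_AFTER, SRX_B_AFTER)):
        result = path_check(parse_static_routes(b), parse_static_routes(a),
                            "192.168.20.15", "192.168.5.20")
        print(label, result)
```

    The same check applied to the original poster's config shows the expected failure: SRX-A and the Amazon side hold no route for 192.168.10.0/24 (the pool on SRX-B), so replies to dynamic-VPN clients follow each device's default route rather than the tunnel. Adding the pool prefix on every peer that clients must reach, including the cloud end, is the general form of the fix given in the answer.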