
Dynamic VPN (somewhat works) - I need a bump in the right direction

  • 1.  Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 08:43

    I've managed to get a test dynamic VPN working to some degree.

    A bit about our architecture:
    Two offices - A & B
    Amazon Cloud - Z

    The current static VPNS are:
    A - B
    A - Z
    B - Z


    Eventually I will have dynamic VPN setup on the SRX's serving office A & B. Currently just working on one SRX.

    Currently working on SRX B for initial setup.
    I am able to connect, authenticate, and access resources behind B.
    I cannot access resources behind A & Z.

    The ip settings of the virtual adapter when connected are:
    IPv4    192.168.1.13
    Subnet Mask:  255.255.255.255

    Default Gateway:    

    DNS:   192.168.xx.80

    I am able to resolve the resources on networks B & Z.

    I feel like I am really close to getting this right but need a nudge in the right direction.

    Below is the current config with non-relevant information removed and IP addresses changed.

    version 15.1X49-D60.7;
    system {
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                http {
                    interface [ ge-0/0/1.0 st0.3 ];
                }
                https {
                    system-generated-certificate;
                    interface [ ge-0/0/1.0 ge-0/0/0.0 ];
                }
            }
        }
    }
    security {
        ike {
            proposal Dynamic-VPN-P1-Proposal {
                description Dynamic_P1_Proposal;
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 1200;
            }
            policy Dynamic-VPN-P2-Policy {
                mode aggressive;
                description Dynamic_P2_Policy;
                proposals Dynamic-VPN-P1-Proposal;
                pre-shared-key ascii-text "$9$KteMWXdb2JGirewg4aHk.P5z9tp01ylvbsaUjkQzEcSeLx7-Vb24W8GD"; ## SECRET-DATA
            }
            gateway Dynamic-VPN-P1-Gateway {
                ike-policy Dynamic-VPN-P2-Policy;
                dynamic {
                    hostname mustbegeek.com;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth {
                    access-profile Dynamic-XAuth;
                }
            }
        }
        ipsec {
            proposal Dynamic-P2-Proposal {
                description Dynamic-VPN-P2-Proposal;
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy Dynamic-P2-Policy {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposals Dynamic-P2-Proposal;
            }
            vpn Dynamic-VPN {
                ike {
                    gateway Dynamic-VPN-P1-Gateway;
                    ipsec-policy Dynamic-P2-Policy;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            force-upgrade;
            access-profile Dynamic-XAuth;
            clients {
                all {
                    remote-protected-resources {
                        192.168.26.0/24;    <-- Office B
                        192.168.25.0/24;    <-- Office A
                        192.168.57.0/24;    <-- Amazon
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn Dynamic-VPN;
                    user {
                        Jed;
                        Steve;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy Dynamic-VPN {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Dynamic-VPN;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                        bgp;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                    st0.3;
                    st0.1;
                    st0.2;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ping;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 55.55.55.50/30;    <-- Public IP of SRX
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 192.168.26.254/24;    <-- Local network
                }
            }
        }
        st0 {
            unit 1 {
                family inet {
                    mtu 1436;
                    address 11.22.33.44/30;    <-- VPN to Amazon
                }
            }
            unit 2 {
                family inet {
                    mtu 1436;
                    address 11.22.33.55/30;    <-- VPN to Amazon
                }
            }
            unit 3 {
                family inet {
                    mtu 1436;
                    address 22.33.44.66/24;    <-- VPN to office A
                }
            }
        }
    }
    routing-options {
        static {
            route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];    <-- Route to Amazon
            route 0.0.0.0/0 next-hop 55.55.55.51;          <-- Route to internet
            route 192.168.25.0/24 next-hop st0.3;          <-- Route to office A
        }
    }
    access {
        profile Dynamic-XAuth {
            client Jed {
                firewall-user {
                    password "$9$emBKL7N-b2oGdbT3n6AtM8XxNb"; ## SECRET-DATA
                }
            }
            client Steve {
                firewall-user {
                    password "$9$UzDqPf5z6CuTzlMW87Nik.mfz"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool Dynamic-VPN-Pool;
            }
        }
        address-assignment {
            pool Dynamic-VPN-Pool {
                family inet {
                    network 192.168.10.0/24;
                    range Range1 {
                        low 192.168.10.10;
                        high 192.168.10.30;
                    }
                    dhcp-attributes {
                        domain-name stonemountainaccess.com;
                        name-server {
                            192.168.26.80;    <-- Domain controller office B
                        }
                        router {
                            192.168.10.1;
                        }
                    }
                    xauth-attributes {
                        primary-dns 192.168.26.80/32;      <-- Domain controller office B
                        secondary-dns 192.168.25.80/32;    <-- Domain controller office A
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile Dynamic-XAuth;
            }
        }
    }
    

    #dynamicVPN
    #vpn
    #SRX


  • 2.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 08:58

    You are only allowing access to the following subnets

     

    remote-protected-resources {
        192.168.26.0/24;    <-- Office B
        192.168.25.0/24;    <-- Office A
        192.168.57.0/24;
    }

    What are the IPs you are trying to reach?



  • 3.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction

    Posted 08-07-2017 09:09

    I am able to reach all resources on 192.168.26.0
    I cannot reach anything on the other two subnets.



  • 4.  RE: Dynamic VPN (somewhat works) - I need a bump in the right direction
    Best Answer

    Posted 08-10-2017 08:52

    The solution was adding a static route to the routers.

    My pings were reaching the other networks but could not find a return path.

    Example below for two SRX devices prior to the solution:

     

    SRX-A hosts
    - IP block 192.168.5.0/24

    - Has static routes for Internet, Amazon, and SRX-B internal network
    - Assigns 192.168.10.0/24 to dynamic-vpn

     

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.6.0/24 next-hop st0.3;
    }

     

     

    SRX-B hosts

    - IP block 192.168.6.0/24

    - Has static routes for Internet, Amazon, and SRX-B internal network
    - Assigns 192.168.20.0/24 to dynamic-vpn

     

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.5.0/24 next-hop st0.3;
    }

     

    In the above example dynamic vpn traffic could reach the other networks but there was no return path. SRX-A had no idea how to send traffic to 192.168.20.0.

     


    Below is the solution:

    SRX-A hosts

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.6.0/24 next-hop st0.3;     <-- this is the route to SRX-B
        route 192.168.20.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-B
    }

     

    SRX-B hosts

    # show routing-options

    static {
        route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
        route 0.0.0.0/0 next-hop 173.161.47.xxx;
        route 192.168.5.0/24 next-hop st0.3;     <-- this is the route to SRX-A
        route 192.168.10.0/24 next-hop st0.3;    <-- this is the route to the dynamic-vpn ip-range on SRX-A
    }
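As an added illustration (not from the thread or from Juniper), the check below parses static-route snippets modelled on the SRX-A/SRX-B tables above, does the longest-prefix lookup the forwarding table would do, and confirms that a dynamic VPN client's traffic has a return path over the site-to-site tunnel. The ISP next-hop 203.0.113.1 is a constructed stand-in for the elided 173.161.47.xxx, and the client and host addresses are made up.

```python
import ipaddress
import re

# Constructed sample routing tables, modelled on the thread (not the poster's real config).
# 203.0.113.1 is a documentation address standing in for the elided ISP next-hop.
SRX_A_BEFORE = """
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 203.0.113.1;
    route 192.168.6.0/24 next-hop st0.3;
}
"""
SRX_B = """
static {
    route 10.0.0.0/16 next-hop [ st0.1 st0.2 ];
    route 0.0.0.0/0 next-hop 203.0.113.1;
    route 192.168.5.0/24 next-hop st0.3;
}
"""
# The accepted answer's fix: SRX-A learns where SRX-B's dynamic-vpn pool lives.
SRX_A_AFTER = SRX_A_BEFORE.replace("}", "    route 192.168.20.0/24 next-hop st0.3;\n}")

ROUTE_RE = re.compile(r"route\s+(\S+)\s+next-hop\s+(\[[^\]]*\]|\S+);")


def parse_static_routes(config):
    """Return [(network, next_hop)] from 'route X next-hop Y;' lines.
    An ECMP list such as [ st0.1 st0.2 ] is reduced to its first member."""
    routes = []
    for prefix, hop in ROUTE_RE.findall(config):
        hop = hop.strip("[] ").split()[0]
        routes.append((ipaddress.ip_network(prefix), hop))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match; None when no route (not even a default) covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def return_path_ok(routes_local, routes_remote, src, dst, tunnel_if):
    """True only when src's traffic leaves the local SRX via the tunnel AND the
    remote SRX routes replies to src back over that same tunnel interface."""
    return (next_hop(routes_local, dst) == tunnel_if
            and next_hop(routes_remote, src) == tunnel_if)
```

Before the fix the return lookup on SRX-A for a 192.168.20.x client falls through to the default route, so replies head for the ISP instead of st0.3; after the fix both directions resolve to the tunnel.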