SRX


Client using Dynamic Remote VPN is not able to connect internal network.

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2022 09:33

    Hi everyone,

    I have created a dynamic VPN on an SRX instance and I am able to connect to the VPN using the Pulse client, but I am not able to connect to any resource or ping anything inside my network. I am doing split tunneling and am missing something, so I thought to ask in this forum.

    Here's my configuration:

    set version 19.4R3-S1.3
    set system host-name dynvpn
    set system services ssh root-login allow
    set system services netconf ssh
    set system services dhcp-local-server group jdhcp-group interface irb.0
    set system services web-management https system-generated-certificate
    set system time-zone EST
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system phone-home rfc-compliant
    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$eGnMLNs2airskPdbkP5Q9CKM8XdbYgoGKjH"
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 192.168.100.0/24
    set security dynamic-vpn clients all remote-protected-resources 192.168.2.0/30
    set security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user client1
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/30
    set interfaces ge-0/0/1 unit 0 family inet dhcp vendor-id Juniper-srx320
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
    set interfaces cl-1/0/0 dialer-options pool 1 priority 100
    set interfaces dl0 unit 0 family inet negotiate-address
    set interfaces dl0 unit 0 family inet6 negotiate-address
    set interfaces dl0 unit 0 dialer-options pool 1
    set interfaces dl0 unit 0 dialer-options dial-string 1234
    set interfaces dl0 unit 0 dialer-options always-on
    set interfaces irb unit 0 family inet
    set interfaces irb unit 100 family inet address 192.168.100.1/24
    set interfaces st0 unit 0 family inet
    set interfaces st0 unit 100 family inet
    set access profile dyn-vpn-access-profile client andy firewall-user password "$9$79dwgGDkTz6oJz69Afvvfvsaswdw1INdbsoJUjHm5Q"
    set access profile dyn-vpn-access-profile client nenad firewall-user password "$9$-2bYoDi.z39JG39ApacascascacaacREdbs2JGjHqfQF"
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.100.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-IP-RANGE low 192.168.100.50
    set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-IP-RANGE high 192.168.100.60
    set access address-assignment pool dyn-vpn-address-pool family inet dhcp-attributes router 192.168.100.1
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface irb.0
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set routing-options static route 192.168.20.0/24 next-hop 192.168.2.2

    From the Windows client machine (it is getting the DHCP address):

    Ethernet adapter Ethernet 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Networks Virtual Adapter
    Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::f0f8:c411:17da:eb9%2(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.100.51(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled


    Route print from the Windows client machine:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination   Netmask            Gateway            Interface          Metric
    0.0.0.0               0.0.0.0            192.168.162.205    192.168.162.206        50
    78.172.98.188         255.255.255.255    192.168.162.205    192.168.162.206        50
    127.0.0.0             255.0.0.0          On-link            127.0.0.1             331
    127.0.0.1             255.255.255.255    On-link            127.0.0.1             331
    127.255.255.255       255.255.255.255    On-link            127.0.0.1             331
    192.168.2.0           255.255.255.252    On-link            192.168.100.51          1
    192.168.20.0          255.255.255.0      On-link            192.168.100.51          1
    192.168.100.0         255.255.255.0      On-link            192.168.100.51          1
    192.168.100.51        255.255.255.255    On-link            192.168.100.51        256
    192.168.162.0         255.255.255.0      On-link            192.168.162.206       306
    192.168.162.206       255.255.255.255    On-link            192.168.162.206       306
    192.168.162.255       255.255.255.255    On-link            192.168.162.206       306
    224.0.0.0             240.0.0.0          On-link            127.0.0.1             331
    224.0.0.0             240.0.0.0          On-link            192.168.162.206       306
    224.0.0.0             240.0.0.0          On-link            192.168.100.51        256
    255.255.255.255       255.255.255.255    On-link            127.0.0.1             331
    255.255.255.255       255.255.255.255    On-link            192.168.162.206       306
    255.255.255.255       255.255.255.255    On-link            192.168.100.51        256
    ===========================================================================
    Persistent Routes:
    None

    Thanks in advance for your help.
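As an added example (not from the original post and not Juniper's own tooling): a small Python check that parses Junos set-style lines like the ones above and reports, for each remote-protected-resources prefix, whether a connected or static route on the SRX covers it, and whether the client address pool overlaps a protected prefix. The sample config is a constructed subset of the post's lines, and the script only reads the `family inet address`, `static route`, `remote-protected-resources` and pool `network` statements.

```python
import ipaddress
import re

# Constructed sample: a subset of the 'set' lines from the post above.
SAMPLE_CONFIG = """
set security dynamic-vpn clients all remote-protected-resources 192.168.100.0/24
set security dynamic-vpn clients all remote-protected-resources 192.168.2.0/30
set security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/30
set interfaces irb unit 0 family inet
set interfaces irb unit 100 family inet address 192.168.100.1/24
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.100.0/24
set routing-options static route 192.168.20.0/24 next-hop 192.168.2.2
"""

PROTECTED = re.compile(r"^set security dynamic-vpn clients \S+ remote-protected-resources (\S+)$")
IFACE_ADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_NET = re.compile(r"^set access address-assignment pool \S+ family inet network (\S+)$")
STATIC = re.compile(r"^set routing-options static route (\S+) next-hop \S+$")

def parse_config(text):
    """Pull the prefixes relevant to a split-tunnel dynamic VPN out of set-style config."""
    cfg = {"protected": [], "routes": {}, "pools": []}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := PROTECTED.match(line):
            cfg["protected"].append(ipaddress.ip_network(m.group(1)))
        elif m := IFACE_ADDR.match(line):
            # An interface address implies a connected route for its subnet.
            net = ipaddress.ip_interface(m.group(3)).network
            cfg["routes"][net] = f"{m.group(1)}.{m.group(2)}"
        elif m := STATIC.match(line):
            cfg["routes"][ipaddress.ip_network(m.group(1))] = "static"
        elif m := POOL_NET.match(line):
            cfg["pools"].append(ipaddress.ip_network(m.group(1)))
    return cfg

def audit(cfg):
    """Return (coverage, overlaps): the route covering each protected prefix, and pool/protected overlaps."""
    coverage = {}
    for prefix in cfg["protected"]:
        covering = [f"{r} via {src}" for r, src in cfg["routes"].items() if prefix.subnet_of(r)]
        coverage[str(prefix)] = covering  # empty list means no route on the SRX covers it
    overlaps = [(str(p), str(r)) for p in cfg["pools"] for r in cfg["protected"] if p.overlaps(r)]
    return coverage, overlaps

if __name__ == "__main__":
    cov, ov = audit(parse_config(SAMPLE_CONFIG))
    print(cov, ov)
```

A protected prefix with an empty coverage list is one the SRX cannot forward tunnel traffic to, and a pool that overlaps a protected prefix means the client's own address range is also one it is told to send through the tunnel.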