SRX

Ask questions and share experiences about the SRX Series.
  • 1.  Dynamic VPN client can't reach protected resource behind vpn

    Posted 02-05-2013 09:10

    Hello,

     

    Basic setup:
    fe-0/0/0.0 is the WAN with xx.xx.139.160 public IP with xx.xx.139.162 being used to connect to.
    fe-0/0/1.0 is the interface (vlan.0) where the resource is with IP 172.16.1.2.
    The Dynamic VPN IP range is 172.16.200-250.

     

    I have configured a dynamic vpn for a client following the steps in: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf

     

    I can get my client to connect to the dynamic VPN; however, it can't reach the machine it needs to behind the VPN, and that machine also can't reach the client's VPN IP. I read on this forum elsewhere that it had to do with Proxy ARP since the VPN IP range is on the same subnet as the resource, so I added a Proxy ARP rule on the vlan.0 interface.

     

    I have debug logged basic-datapath and that won't get me any information unless I get the server on 172.16.1.2 to ping to 172.16.1.1.

     

    Anybody that can point out the flaw in my configuration? Or point me in the right direction? I feel it is something minor at this point.

     

     

    Thanks in advance.

     


    #pulse
    #dynamicVPN
    #SRX

    Attachment: 5feb-configuration.txt (14 KB)


  • 2.  RE: Dynamic VPN client can't reach protected resource behind vpn

    Posted 02-08-2013 00:53

    Hi

     

    Firstly, you have posted encryption keys and passwords onto a public forum. I would suggest that you change these now.

     

    In future I would suggest replacing keys and passwords with XXXXXXX.

     

    Anyway, back to your question.

     

    There are a few things that are incorrect with your config. Sorry.

     

     

    I would suggest that you create a separate security zone for the 172.16.200/24 range and you need to assign an IP address from the 172.16.200/24 network to the vlan associated with it.

     

    Currently your config does not know where to send packets for the 172.16.200/24.  It is not a connected network range.

     

    I have attached an example config which shows this.

     

    Please change your untrust allowed services. Currently your SRX will accept any/all traffic to the interface/zone. Limit this to the traffic/protocols that you need the SRX to process, e.g. Dyn-VPN HTTPS/IKE.


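Added example, not part of the thread: a minimal sanitizer for the advice in the reply above to replace keys and passwords with XXXXXXX before posting a configuration. It masks quoted values in Junos `$<digit>$` form (the `$9$` form is reversible obfuscation, not a hash) and any quoted value on a line annotated `## SECRET-DATA`; the function name and the sample lines are constructed for illustration.

```python
import re

# Junos stores secrets either with a "$<digit>$" prefix ($9$ obfuscation,
# $1$/$5$/$6$ crypt hashes) or on lines annotated "## SECRET-DATA".
SECRET_VALUE = re.compile(r'"\$\d\$[^"]*"')
QUOTED = re.compile(r'"[^"]*"')
PLACEHOLDER = '"XXXXXXX"'


def redact_junos_config(text):
    """Return (sanitized_text, count) with secret values replaced by XXXXXXX."""
    out, count = [], 0
    for line in text.splitlines():
        new, n = SECRET_VALUE.subn(PLACEHOLDER, line)
        if n == 0 and "## SECRET-DATA" in line:
            # Annotated as secret but not in $N$ form: mask the quoted value.
            new, n = QUOTED.subn(PLACEHOLDER, line, count=1)
        count += n
        out.append(new)
    return "\n".join(out), count


# Constructed sample lines (hypothetical names and values, not from the thread).
SAMPLE_CONFIG = '''\
encrypted-password "$1$CONSTRUCTED$notARealHash"; ## SECRET-DATA
pre-shared-key ascii-text "$9$constructedNotARealKey"; ## SECRET-DATA
set access profile example-profile client example-user firewall-user password "$9$alsoConstructed"
authentication-key "constructed-plain-value"; ## SECRET-DATA
address 172.16.1.1/24;
'''

if __name__ == "__main__":
    sanitized, replaced = redact_junos_config(SAMPLE_CONFIG)
    print(sanitized)
    print(f"{replaced} secret value(s) masked")
```

Masking keeps the configuration readable for reviewers, but any secret that was already posted still has to be changed on the device.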
  • 3.  RE: Dynamic VPN client can't reach protected resource behind vpn

    Posted 02-12-2013 07:22

    Hello John,

    I had actually scrambled said encrypted strings so they aren't good to anybody. So no harm in them that way, just not as easy to spot that they're worthless I suppose.

    And I'll restrict the traffic to the zones when I've got a working configuration, currently it's sitting on my desk, not a live environment obviously.

     

    I did as you suggested and created a vlan.1 for the separate range and then added it to a new zone.
    I then set the zone to allow traffic to/from the protected-resource's range (172.16.1.0/24) from its own range and vice-versa.

    I also changed the range from 172.16.1.200/24 to 172.16.2.0/24 to see if it’d work without having to deal with proxy-arp settings.
    However this still doesn't work. When I look at the "show route" output it shows a route for 172.16.2.0/24, but it shows that it will reject it.

    The vlan doesn't have to be assigned to an interface for it to be able to work this way, does it? How else am I supposed to direct the traffic then?

    Attachment: 12feb-configuration.txt (16 KB)


  • 4.  RE: Dynamic VPN client can't reach protected resource behind vpn

    Posted 02-14-2013 08:37

    As far as I'm aware all that really needs to happen is that the SRX needs to know a route for the traffic because it doesn't know what to do with it. 

     

    From what I've read, this needs to be done using a policy, since route-based vpn is impossible using dynamic vpn. I however can't figure out where I am supposed to point the traffic.

     

    Incoming traffic you can point to the dynamic vpn policy, but what about the traffic going out?



  • 5.  RE: Dynamic VPN client can't reach protected resource behind vpn

    Posted 02-24-2013 14:21

    I have followed the steps on this kb page and that doesn't get me much useful information.

     

    What I did notice was that a running dynamic vpn should show up under "show security ipsec security-associations" as an active session. However, the connection doesn't show up. It does show up as running under the IKE SAs.



  • 6.  RE: Dynamic VPN client can't reach protected resource behind vpn
    Best Answer

    Posted 02-27-2013 03:27

    The problem was caused by having multiple IPs defined on an interface without there being a preferred statement.

    After removing one of the IPs it started working as expected.
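
Added example, not part of the thread: a check for the condition named in the best answer, run over `show configuration interfaces | display set` output. It assumes the ambiguity arises when two or more addresses on one logical unit share a subnet and none is marked `preferred`; the function name and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress
import re
from collections import defaultdict

ADDR_LINE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)(?P<rest>.*)$"
)


def find_ambiguous_addresses(display_set_text):
    """Return {(ifname, unit, subnet): [addresses]} for every subnet that has
    two or more addresses on one logical unit and none marked 'preferred'."""
    groups = defaultdict(lambda: {"addrs": set(), "preferred": False})
    for line in display_set_text.splitlines():
        m = ADDR_LINE.match(line.strip())
        if not m:
            continue
        ifname, unit, addr = m.group(1), int(m.group(2)), m.group(3)
        try:
            iface = ipaddress.ip_interface(addr)
        except ValueError:
            continue  # masked or malformed address, e.g. xx.xx.139.160/27
        group = groups[(ifname, unit, str(iface.network))]
        group["addrs"].add(str(iface))  # a set: one address can span several lines
        if "preferred" in m.group("rest").split():
            group["preferred"] = True
    return {
        key: sorted(group["addrs"])
        for key, group in groups.items()
        if len(group["addrs"]) > 1 and not group["preferred"]
    }


# Constructed sample in "display set" form (not the poster's configuration).
SAMPLE_DISPLAY_SET = """\
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.160/27
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.162/27
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/24
set interfaces vlan unit 0 family inet address 172.16.1.1/24
set interfaces vlan unit 1 family inet address 172.16.2.1/24
"""

if __name__ == "__main__":
    for (ifname, unit, subnet), addrs in find_ambiguous_addresses(SAMPLE_DISPLAY_SET).items():
        print(f"{ifname}.{unit} {subnet}: {', '.join(addrs)} (no preferred address)")
```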