Junos OS


  • 1.  Cannot reach inside networks through Juniper Secure Connect VPN

    Posted 12-07-2022 14:34
    Hello Everyone,

    I am having an issue with my IPsec VPN built on an SRX 320. The tunnel comes up and my remote user is assigned an IP from my address pool; however, no matter what I do, I cannot get that pool IP to reach my inside network. I suspect it is a NAT or policy issue. I will post the config below; any help you can provide would be appreciated. For reference, the inside network I am trying to reach is 10.0.26.0, which is on a directly connected L3 switch. I have also added the route on that device back to my inside pool, which is 10.100.26.0/24.

    /* Configuration as posted (SRX 320, Junos OS). The review notes are the
       comment lines; every configuration statement is reproduced unchanged. */
    security {
    log {
    /* NOTE(review): stream mode is set but no stream destination appears in
       this excerpt - confirm one exists elsewhere, otherwise the session-close
       logs requested by the junos-host policies below are not exported. */
    mode stream;
    report;
    }
    ike {
    proposal JUNVPN {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
    }
    policy JUNVPN {
    /* Aggressive-mode IKEv1 (the gateway below pins "version v1-only") with a
       pre-shared key exposes the identities and the PSK-derived hash in the
       clear during the first exchange; prefer IKEv2 with main-mode style
       protection if the Secure Connect client build in use supports it. */
    mode aggressive;
    proposals JUNVPN;
    /* "$9$" strings are reversible obfuscation, not one-way hashes; a key that
       has been posted publicly should be rotated. */
    pre-shared-key ascii-text "$9$teRSpIcKvLNVY8XGDHkPfIEh"; ## SECRET-DATA
    }
    gateway JUNVPN {
    ike-policy JUNVPN;
    dynamic {
    user-at-hostname "test@juniper.edu";
    /* shared-ike-id: every client presents the same IKE identity and PSK, so
       per-user authentication rests entirely on the access profile. */
    ike-user-type shared-ike-id;
    }
    dead-peer-detection {
    optimized;
    interval 10;
    threshold 5;
    }
    external-interface ge-0/0/0;
    local-address 172.16.20.2;
    aaa {
    access-profile JUNVPN;
    }
    version v1-only;
    /* SSL_VPN references ssl-profile SSL_VPN_TERM (tcp-encap stanza), which is
       not shown in this excerpt. */
    tcp-encap-profile SSL_VPN;
    }
    }
    ipsec {
    proposal JUNVPN {
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 3600;
    }
    policy JUNVPN {
    perfect-forward-secrecy {
    keys group19;
    }
    proposals JUNVPN;
    }
    vpn JUNVPN {
    bind-interface st0.0;
    df-bit clear;
    copy-outer-dscp;
    ike {
    gateway JUNVPN;
    ipsec-policy JUNVPN;
    }
    /* Only 10.0.26.0/24 is offered to the client as the protected network;
       per routing-options that prefix is reached via 1.0.43.1 (zone MTG), not
       via the trust LAN on irb.0. */
    traffic-selector ts-1 {
    local-ip 10.0.26.0/24;
    remote-ip 0.0.0.0/0;
    }
    }
    }
    address-book {
    global {
    /* VPN = the client address pool (pool JUNVPN under access);
       servers = the target network behind the L3 switch. */
    address VPN 10.100.26.0/24;
    address servers 10.0.26.0/24;
    }
    }
    remote-access {
    profile JUNVPN {
    ipsec-vpn JUNVPN;
    access-profile JUNVPN;
    client-config JUNVPN;
    }
    client-config JUNVPN {
    connection-mode manual;
    dead-peer-detection {
    interval 60;
    threshold 5;
    }
    }
    default-profile JUNVPN;
    }
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set JUNVPN {
    from zone VPN;
    to zone trust;
    rule JUNVPN {
    match {
    /* 1.0.43.0/24 is the ge-0/0/5 (zone MTG) link subnet, not the VPN pool
       10.100.26.0/24, so this rule never matches client traffic; it is also
       scoped "to zone trust" while 10.0.26.0/24 is routed through zone MTG.
       Source NAT is not required when the switch has a return route for
       10.100.26.0/24, but as written this rule does nothing. */
    source-address 1.0.43.0/24;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    /* Inter-zone traffic is denied unless a policy permits it. trust<->VPN
       policies exist below, but 10.0.26.0/24 is reached via ge-0/0/5 in zone
       MTG and there is no from-zone VPN to-zone MTG policy - that is the gap
       the accepted answer on this thread fixes. */
    from-zone trust to-zone trust {
    policy trust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    /* Matches the pool address as a source from zone trust; pool traffic
       actually arrives from zone VPN (st0.0), so this policy is unlikely to
       see hits. */
    policy juniper_vpn-1 {
    match {
    source-address VPN;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone untrust to-zone trust {
    policy juniper_vpn-2 {
    match {
    source-address any;
    destination-address VPN;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* junos-host policies cover traffic to/from the SRX itself; they do not
       affect transit traffic from the client pool. */
    from-zone junos-host to-zone untrust {
    policy VPNTEST-1 {
    match {
    source-address VPN;
    destination-address any;
    application any;
    }
    then {
    permit;
    log {
    session-close;
    }
    }
    }
    }
    from-zone untrust to-zone junos-host {
    policy VPNTEST-2 {
    match {
    source-address any;
    destination-address VPN;
    application any;
    }
    then {
    permit;
    log {
    session-close;
    }
    }
    }
    }
    from-zone trust to-zone VPN {
    policy TRUST_TO_VPN {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* Permits pool -> trust (irb.0, 192.168.1.0/24) only; add an equivalent
       from-zone VPN to-zone MTG policy for 10.0.26.0/24, ideally restricted to
       the "servers" address and the applications clients need. */
    from-zone VPN to-zone trust {
    policy VPN_TO_TRUST {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    tcp-encap {
    profile SSL_VPN {
    ssl-profile SSL_VPN_TERM;
    }
    }
    zones {
    security-zone trust {
    /* "all" for system-services and protocols opens every management service
       to the zone. That is common on trust; on untrust (ge-0/0/0, the VPN
       external interface) and on st0.0 it should be trimmed to what clients
       need (e.g. ike, ping and the tcp-encap listener). */
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    irb.0;
    }
    }
    security-zone untrust {
    screen untrust-screen;
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    /* ge-0/0/5.0 (1.0.43.2/30) faces the L3 switch that holds 10.0.26.0/24;
       VPN client traffic to that network egresses through this zone. */
    security-zone MTG {
    interfaces {
    ge-0/0/5.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    security-zone VPN {
    interfaces {
    st0.0 {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 172.16.20.2/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family inet {
    address 1.0.43.2/30;
    }
    }
    }
    ge-0/0/6 {
    unit 0 {
    family ethernet-switching {
    vlan {
    members vlan-trust;
    }
    }
    }
    }
    /* family inet with no address and no zone membership - appears unused. */
    ge-0/0/7 {
    unit 0 {
    family inet;
    }
    }
    /* Only irb.0 is defined, yet vlan VPN (vlan-id 43) references irb.43, which
       has no address and belongs to no security zone. */
    irb {
    unit 0 {
    family inet {
    address 192.168.1.1/24;
    }
    }
    }
    st0 {
    unit 0 {
    family inet;
    }
    }
    }
    access {
    /* Profiles test_user and VPNTEST reference pools VPN_POOL and inside,
       which are not defined in this excerpt (only pool JUNVPN appears below);
       only profile JUNVPN is referenced by the IKE gateway and remote-access
       profile. All three profiles share the client name "test". */
    profile test_user {
    authentication-order password;
    client test {
    firewall-user {
    password "$9$1LSIyKXxdsgJ-Vk.f5F3yle"; ## SECRET-DATA
    }
    }
    address-assignment {
    pool VPN_POOL;
    }
    }
    profile VPNTEST {
    authentication-order password;
    client test {
    firewall-user {
    password "$9$4AoDk5T39tOFnSrKvLXDiH"; ## SECRET-DATA
    }
    }
    address-assignment {
    pool inside;
    }
    }
    profile JUNVPN {
    authentication-order password;
    client test {
    firewall-user {
    password "$9$q.QntpBESeO1xNVb2gQF3"; ## SECRET-DATA
    }
    }
    address-assignment {
    pool JUNVPN;
    }
    }
    address-assignment {
    pool JUNVPN {
    family inet {
    network 10.100.26.0/24;
    range JUNVPNPOOL {
    low 10.100.26.1;
    high 10.100.26.100;
    }
    xauth-attributes {
    /* Clients receive a public resolver; if inside hostnames must resolve
       over the tunnel, point this at an internal DNS server instead. */
    primary-dns 8.8.8.8/32;
    }
    }
    }
    }
    firewall-authentication {
    web-authentication {
    default-profile test_user;
    }
    }
    }
    vlans {
    VPN {
    vlan-id 43;
    l3-interface irb.43;
    }
    vlan-trust {
    vlan-id 3;
    l3-interface irb.0;
    }
    }
    protocols {
    l2-learning {
    global-mode switching;
    }
    rstp {
    interface all;
    }
    }
    routing-options {
    static {
    /* 10.0.26.0/24 egresses via ge-0/0/5 (zone MTG), which is why a VPN-to-MTG
       policy is needed in addition to VPN_TO_TRUST. */
    route 10.0.26.0/24 next-hop 1.0.43.1;
    route 192.168.21.0/24 next-hop 172.16.20.1;
    }
    /* The posted listing ends here; the closing brace for routing-options was
       not included in the post. */

    ------------------------------
    MATTHEW LOVELAND
    ------------------------------


  • 2.  RE: Cannot reach inside networks through Juniper Secure Connect VPN
    Best Answer

    Posted 16 days ago
    The cause of this problem was a policy issue: I needed to create a policy that allows the VPN zone to reach the MTG zone.

    ------------------------------
    MATTHEW LOVELAND
    ------------------------------