SRX

 View Only
last person joined: 17 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN Issue - No Default Gateway Assigned

    Posted 03-07-2019 14:57

    Hello,

    I have created a dynamic VPN on a VSRX instance hosted in AWS.  I am able to connect to the VPN using the NCP client, but I don't get a default gateway.

    Here's my IKE gateway (specifying the access profile):

    gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
    user-at-hostname "itadmins@coriosgroup.com";
    connections-limit 2;
    ike-user-type shared-ike-id;
    }
    dead-peer-detection;
    local-identity inet XXX.XXX.XXX.XXX;
    external-interface ge-0/0/1.0;
    aaa {
    access-profile ad01-cg-radius;
    }
    version v1-only;
    tcp-encap-profile NCP;
    }

     

    Here's the access profile:

    profile ad01-cg-radius {
    authentication-order radius;
    address-assignment {
    pool Corios-VPN;
    }
    radius {
    authentication-server 10.1.10.7;
    accounting-server 10.1.10.7;
    }
    radius-server {
    10.1.10.7 {
    port 1815;
    secret "REDACTED"; ## SECRET-DATA
    timeout 15;
    retry 2;
    source-address 10.132.0.85;
    routing-instance vpn_gateway;
    }
    }
    accounting {
    order radius;
    accounting-stop-on-failure;
    accounting-stop-on-access-deny;
    }
    }

     

    And here's my DHCP pool:

    address-assignment {
    pool Corios-VPN {
    family inet {
    network 10.132.3.0/24;
    range address_range {
    low 10.132.3.10;
    high 10.132.3.100;
    }
    dhcp-attributes {
    name-server {
    10.129.1.11;
    10.129.2.11;
    }
    router {
    10.132.3.1;
    }
    }
    xauth-attributes {
    primary-dns 10.129.1.11/32;
    secondary-dns 10.129.2.11/32;
    }
    }
    }
    }

     

    I can connect and receive an IP address, but I don't have a default route assigned:

    Unknown adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::e45f:629:6728:11f9%11
    IPv4 Address. . . . . . . . . . . : 10.132.3.20
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

     

    Thanks in advance for any help on this.



  • 2.  RE: Dynamic VPN Issue - No Default Gateway Assigned

    Posted 03-07-2019 19:10

    Traffic selectors configured on the SRX Series device and the NCP client determine the client traffic that is sent through the IPsec VPN tunnel. 

    Eg:- 

    set security ipsec vpn RA_VPN traffic-selector NO-SPLIT local-ip 0.0.0.0/0
    set security ipsec vpn RA_VPN traffic-selector NO-SPLIT remote-ip 0.0.0.0/0

    Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-ncp-exclusive-remote-access-client.html#jd0e58

     

    Please check the route table on your PC after the vpn is connected:

    route print

    ipconfig /all

     



  • 3.  RE: Dynamic VPN Issue - No Default Gateway Assigned

    Posted 03-08-2019 08:27

    Thank you for getting back to me Nellikka.

    I have a traffic selector on the VPN:

     

    [edit security ipsec vpn Corios-VPN]
    ec2-user@VSRX2# show
    bind-interface st0.9;
    ike {
    gateway Corios-VPN-IKE-GW;
    ipsec-policy Corios-VPN-IPSEC-Pol;
    }
    traffic-selector TS1 {
    local-ip 0.0.0.0/0;
    remote-ip 0.0.0.0/0;
    }

     

    Here's the routing table on my Windows machine.  Please note that I have an ethernet connection in 10.1.11.0/24.

     

    PS C:\Users\dramage> route print
    ===========================================================================
    Interface List
    11...02 00 4a 5d e8 b0 ......NCP Secure Client Virtual NDIS6.20 Adapter
    18...b4 6b fc d1 03 ee ......Intel(R) Dual Band Wireless-AC 8265
    12...b4 6b fc d1 03 ef ......Microsoft Wi-Fi Direct Virtual Adapter
    3...b6 6b fc d1 03 ee ......Microsoft Wi-Fi Direct Virtual Adapter #2
    4...10 65 30 4d c4 14 ......Intel(R) Ethernet Connection (4) I219-LM
    7...b4 6b fc d1 03 f2 ......Bluetooth Device (Personal Area Network)
    1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.1.11.1 10.1.11.146 35
    0.0.0.0 128.0.0.0 10.132.3.23 10.132.3.22 257
    10.1.11.0 255.255.255.0 On-link 10.1.11.146 291
    10.1.11.0 255.255.255.0 10.132.3.23 10.132.3.22 257
    10.1.11.146 255.255.255.255 On-link 10.1.11.146 291
    10.1.11.255 255.255.255.255 On-link 10.1.11.146 291
    10.132.3.22 255.255.255.255 On-link 10.132.3.22 257
    52.37.18.20 255.255.255.255 10.1.11.1 10.1.11.146 291
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    128.0.0.0 128.0.0.0 10.132.3.23 10.132.3.22 257
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 10.1.11.146 291
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 10.132.3.22 257
    255.255.255.255 255.255.255.255 On-link 10.1.11.146 291
    ===========================================================================

     

     



  • 4.  RE: Dynamic VPN Issue - No Default Gateway Assigned

    Posted 03-08-2019 11:03

    I've just had somethign of an "a-ha" moment and realized that I'm gettig a /32 subnet mask assigned:

     

    Unknown adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Link-local IPv6 Address . . . . . : fe80::e45f:629:6728:11f9%11
    IPv4 Address. . . . . . . . . . . : 10.132.3.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :

     

    I fired up Wireshark, and I can see the /32 mask being assigned.  I don't see a router as one of the options sent, but that's a bit of a moot point given the subnet mask.



  • 5.  RE: Dynamic VPN Issue - No Default Gateway Assigned
    Best Answer

    Posted 03-08-2019 13:12

    IP address with /32 subnet mask is an expected behavior. There is no point in assigning /24 subnet mask for a point to point tunnel interface. There is no need to assign ip address on st0.9 interface in this case and you can simply remove the configured /24 address. From the official documention: "When an IP address is assigned from an external RADIUS server or a local address pool, an IP address with a 32-bit mask is passed to the NCP Exclusive Remote Access Client. After the tunnel is established, auto route insertion (ARI) automatically inserts a static route to the remote client’s IP address so that traffic from behind the SRX Series device can be sent into the VPN tunnel to the client’s IP address" (https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-ncp-exclusive-remote-access-client.html#jd0e108)

    Instead of configuring a default route(0/0), NCP installs two /1 networks in the clients routing table, which are equivalent to default route. Because best route is calculated based on longest prefix match (/1 > /0) traffic will match NCP routes and will go via tunnel. So everything is working as expected. Are you facing any issue other than this default gateway not displaying?

     

    0.0.0.0 128.0.0.0 10.132.3.23 10.132.3.22 257
    ....
    128.0.0.0 128.0.0.0 10.132.3.23 10.132.3.22 257

     



  • 6.  RE: Dynamic VPN Issue - No Default Gateway Assigned

    Posted 03-08-2019 14:43

    The lack of a default route is a red herring.  I'm good to go.