Original Message:
Sent: 09-06-2024 15:43
From: Nikolay Semov
Subject: Juniper Secure Connect VPN not routing across site to site VPN (Newbie)
The RA clients shouldn't overlap with your other subnets. They're fine on 10.10.x.x. It's just that your remote SRX has no idea how to reach them.
On the second question, yes, I think so. Seems easier to me. You have to add a route to 10.10.x.x on the remote SRX that points through the VPN tunnel, so that it knows how to reach the RA devices.
------------------------------
Nikolay Semov
Original Message:
Sent: 09-06-2024 15:22
From: LUIZ CASTILHO
Subject: Juniper Secure Connect VPN not routing across site to site VPN (Newbie)
Thank you for the answer
So my clients should be on the 140 or 144 network? Also, are you recommending setting up the site-to-site VPN as route-based?
------------------------------
LUIZ CASTILHO
Original Message:
Sent: 09-06-2024 14:00
From: Nikolay Semov
Subject: Juniper Secure Connect VPN not routing across site to site VPN (Newbie)
The "ipsec" vpn has traffic selectors for 140 <-> 144, but your RA clients have 10.10.x.x addresses, which don't match any of the defined selectors.
Since you have the site-to-site bound to st0.1 already, personally I prefer to use routing instead of traffic selectors.
------------------------------
Nikolay Semov
Original Message:
Sent: 08-30-2024 10:11
From: LUIZ CASTILHO
Subject: Juniper Secure Connect VPN not routing across site to site VPN (Newbie)
I have a site-to-site VPN between two SRX 300s, and I can ping devices on both ends of the VPN.
I created a Juniper Secure Connect on one of the SRXs; the user can connect and ping any device on that network, but can't ping anything on the other network.
Can someone help me find out what I am missing?
## Last changed: 2024-08-28 16:02:14 EDT
version 22.4R3-S2.11;
system {
host-name hostname;
root-authentication {
encrypted-password "verylongpassword";
}
services {
ssh {
## NOTE(review): root login over SSH is permitted. ssh is not in the untrust
## host-inbound list for ge-0/0/0.0, but zone trust allows all system-services,
## so root SSH is reachable from the LAN. Prefer a named super-user account and
## `root-login deny`.
root-login allow;
}
netconf {
ssh;
}
web-management {
## NOTE(review): https is also in the untrust host-inbound list, so J-Web is
## reachable on the WAN interface. If the Secure Connect client download page is
## not needed from the WAN, restrict it with `web-management https interface`.
https {
pki-local-certificate Remote-Access-Cert;
}
}
}
name-server {
8.8.8.8;
1.1.1.1;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 10;
license {
autoupdate {
}
}
}
services {
## SSL termination profile used by tcp-encap profile ra-ssl-profile (Secure
## Connect over TCP 443); it presents the same certificate as J-Web.
ssl {
termination {
profile ra-ssl-term {
server-certificate Remote-Access-Cert;
}
}
}
}
security {
ike {
proposal Remote-Access{
authentication-method pre-shared-keys;
dh-group group19;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
## NOTE(review): the site-to-site proposal uses legacy algorithms (1024-bit MODP
## group2, MD5, 3DES). Both peers are SRX300s, so aligning it with the
## Remote-Access proposal above (group19 / sha-256 / aes-256) is straightforward;
## change both ends together.
proposal ipsec {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
## NOTE(review): IKEv1 aggressive mode with a shared PSK exposes the PSK to
## offline guessing; this appears to be what shared-ike-id needs, so keep the
## PSK long and random and move to certificates or IKEv2 if this release
## supports it for Secure Connect.
policy Remote-Access{
mode aggressive;
## NOTE(review): references `CT-Remote-Access`, but the proposal defined above is
## `Remote-Access`. A dangling reference would not commit, so this (and
## `CRemote-Access` below) looks like an incomplete rename in the paste.
proposals CT-Remote-Access;
pre-shared-key ascii-text "Verylongpassword"; ## SECRET-DATA
}
policy ipsec {
mode main;
proposals ipsec;
pre-shared-key ascii-text "Verylongpassword"; ## SECRET-DATA
}
gateway Remote-Access{
ike-policy CRemote-Access;
## All RA clients share one IKE identity and one PSK; per-user authentication
## comes from access-profile ra-access-profile. Revoking one device means
## rotating the PSK for everyone.
dynamic {
user-at-hostname "admin@usr.com";
ike-user-type shared-ike-id;
}
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
external-interface ge-0/0/0;
local-address 21.21.21.21;
aaa {
access-profile ra-access-profile;
}
version v1-only;
tcp-encap-profile ra-ssl-profile;
}
gateway ipsec {
ike-policy ipsec;
address 22.22.22.22;
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
external-interface ge-0/0/0;
local-address 21.21.21.21;
version v1-only;
}
}
ipsec {
## aes-256-gcm is an AEAD cipher, so no separate authentication-algorithm is
## needed here.
proposal Remote-Access{
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
## NOTE(review): legacy hmac-md5-96 / 3des-cbc on the site-to-site SA; see the
## matching note on the IKE proposal.
proposal ipsec {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy Remote-Access{
perfect-forward-secrecy {
keys group19;
}
## NOTE(review): `CT-Remote-Access` is not a defined proposal (it is
## `Remote-Access`); likely an incomplete rename in the paste.
proposals CT-Remote-Access;
}
policy ipsec {
perfect-forward-secrecy {
keys group2;
}
proposals ipsec;
}
vpn Remote-Access{
bind-interface st0.0;
df-bit clear;
copy-outer-dscp;
ike {
gateway Remote-Access;
ipsec-policy CT-Remote-Access;
}
## Full-tunnel selector: all client traffic is sent to the SRX.
traffic-selector ts-1 {
local-ip 0.0.0.0/0;
remote-ip 0.0.0.0/0;
}
}
vpn ipsec {
bind-interface st0.1;
df-bit clear;
ike {
gateway ipsec;
ipsec-policy ipsec;
}
## NOTE(review): only 192.168.140.0/24 and 192.168.144.0/24 are selected; the
## RA pool 10.10.5.0/24 and the irb.0 subnet 192.168.10.0/24 match none of these,
## so their traffic never enters this tunnel. ts-1 and ts-4 select the same
## subnet on both sides, which looks unintended -- confirm. Since the VPN is
## already bound to st0.1, dropping the selectors and routing the remote prefixes
## (plus the RA pool on the far side) over st0.1 is the alternative.
traffic-selector ts-1 {
local-ip 192.168.144.0/24;
remote-ip 192.168.144.0/24;
}
traffic-selector ts-2 {
local-ip 192.168.144.0/24;
remote-ip 192.168.140.0/24;
}
traffic-selector ts-3 {
local-ip 192.168.140.0/24;
remote-ip 192.168.144.0/24;
}
traffic-selector ts-4 {
local-ip 192.168.140.0/24;
remote-ip 192.168.140.0/24;
}
establish-tunnels immediately;
}
}
address-book {
## net-local is the LAN on ge-0/0/1.0; net-ma is the remote site. There is no
## entry for the RA pool (10.10.5.0/24) or the irb.0 subnet (192.168.10.0/24).
global {
address net-local 192.168.144.0/24;
address net-ma 192.168.140.0/24;
}
}
remote-access {
## Secure Connect profile: ties the Remote-Access VPN to the local access
## profile and to the client settings below.
profile Remote-Access{
ipsec-vpn Remote-Access;
access-profile ra-access-profile;
client-config Remote-Access;
}
client-config Remote-Access{
## manual: the user starts the tunnel; it is not brought up automatically.
connection-mode manual;
dead-peer-detection {
interval 60;
threshold 5;
}
}
default-profile Remote-Access;
}
screen {
## Applied to zone untrust only; the st0 zones carry no screen.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
## Standard egress NAT: LAN traffic leaves with the ge-0/0/0.0 address.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
## NOTE(review): RA clients reach the LAN translated to the ge-0/0/1.0 address,
## so LAN hosts and their logs see 192.168.144.254 instead of the 10.10.5.x
## client; consider removing this NAT so user traffic stays attributable. Rule
## CT-Remote is also fully covered by rule Remote-Access below.
rule-set Remote-Access{
from zone ra-vpn;
to zone trust;
rule CT-Remote {
match {
source-address 0.0.0.0/0;
destination-address-name [ net-local net-ma ];
}
then {
source-nat {
interface;
}
}
}
rule Remote-Access{
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
## NOTE(review): interface source NAT toward zone site-to-site-vpn translates to
## the egress st0.1 address, but st0.1 is unnumbered (family inet, no address),
## so this rule cannot produce a usable source and RA traffic to the far site is
## expected to fail here. It also defeats the proposed fix of routing
## 10.10.x.x back over the tunnel on the remote SRX, because the client address
## would never appear on the wire; remove this rule-set (or number st0.1).
rule-set Zone_ra-vpn-Zone_site-to {
from zone ra-vpn;
to zone site-to-site-vpn;
rule CT-Remote-2 {
match {
source-address 0.0.0.0/0;
destination-address-name [ net-local net-ma ];
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone ra-vpn {
policy Remote-Access-1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
## NOTE(review): RA users get unrestricted access to the whole trust zone.
## Once the VPN works, scope destination-address/application to what the
## remote users actually need.
from-zone ra-vpn to-zone trust {
policy Remote-Access-2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone trust to-zone site-to-site-vpn {
policy ipsec-1 {
match {
source-address [ net-local net-ma ];
destination-address [ net-local net-ma ];
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone site-to-site-vpn to-zone trust {
policy ipsec-2 {
match {
source-address [ net-local net-ma ];
destination-address [ net-local net-ma ];
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
## ipsec-3 / ipsec-4 already permit RA <-> remote-site traffic at the policy
## layer; the failing piece is the tunnel selection and NAT, not policy.
## `dynamic-application any` only has an effect with AppID enabled -- confirm it
## is intended. These two policies also have no `log` unlike the others.
from-zone site-to-site-vpn to-zone ra-vpn {
policy ipsec-3 {
match {
source-address [ net-local net-ma ];
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
from-zone ra-vpn to-zone site-to-site-vpn {
policy ipsec-4 {
match {
source-address any;
destination-address [ net-local net-ma ];
application any;
dynamic-application any;
}
then {
permit;
}
}
}
pre-id-default-policy {
then {
log {
session-close;
}
}
}
}
tcp-encap {
## Lets Secure Connect clients tunnel IKE/ESP inside TLS on TCP 443 when
## UDP 500/4500 is blocked; uses the ssl termination profile ra-ssl-term.
profile ra-ssl-profile {
ssl-profile ra-ssl-term;
}
}
zones {
security-zone trust {
## NOTE(review): all system-services and protocols are accepted from the LAN,
## including SSH with root login. Listing only what is needed (e.g. ssh, https,
## dhcp, ping) narrows the exposure of the management plane.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
ge-0/0/1.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
## NOTE(review): ike, tcp-encap and https are required on the WAN for Secure
## Connect; dhcp and tftp on the internet-facing interface look like factory
## defaults -- remove them if not needed.
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
ike;
tcp-encap;
}
}
}
## ge-0/0/7.0 has no address configured (see interfaces); presumably unused.
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
security-zone ra-vpn {
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
security-zone site-to-site-vpn {
interfaces {
st0.1 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
description WAN;
family inet {
address 21.21.21.21/24;
}
}
}
## LAN (zone trust); this is the 192.168.144.0/24 "net-local" prefix.
ge-0/0/1 {
unit 0 {
description LAN;
family inet {
address 192.168.144.254/24;
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
## No address; sits in zone untrust with dhcp/tftp inbound. Presumably unused.
ge-0/0/7 {
unit 0 {
family inet;
}
}
## Switched LAN on vlan-trust. 192.168.10.0/24 is in zone trust but is not in the
## address-book or the site-to-site traffic selectors.
irb {
unit 0 {
family inet {
address 192.168.10.254/24;
}
}
}
## st0.0 = Secure Connect (zone ra-vpn); st0.1 = site-to-site (zone
## site-to-site-vpn). Both are unnumbered, which matters for the interface-based
## source NAT configured toward zone site-to-site-vpn.
st0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
}
}
}
access {
## Local-only user database for Secure Connect (XAuth). A single local account
## with a stored password; for more than a handful of users, RADIUS/LDAP in
## authentication-order scales and audits better.
profile ra-access-profile {
authentication-order password;
client lcastilho {
firewall-user {
password "verylongpassword"; ## SECRET-DATA
}
}
address-assignment {
pool ra-address-pool;
}
}
## RA clients get 10.10.5.5-10.10.5.100. This prefix is outside every
## site-to-site traffic selector and the remote SRX has no route to it, which is
## the thread's symptom.
address-assignment {
pool ra-address-pool {
family inet {
network 10.10.5.0/24;
range ra-address-range {
low 10.10.5.5;
high 10.10.5.100;
}
xauth-attributes {
## LAN resolver, reached via the ra-vpn -> trust policy.
primary-dns 192.168.144.221/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile ra-access-profile;
}
}
}
vlans {
## Switch ports ge-0/0/2..6 land here; routed on irb.0 (192.168.10.254/24).
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
protocols {
## Layer-2 switching for the vlan-trust ports, with RSTP on all interfaces.
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
------------------------------
LUIZ CASTILHO
------------------------------