10.0.26.0/24 is routed via the interface ge-0/0/5, and ge-0/0/5 is in the MTG zone. You therefore need a security policy from zone VPN to zone MTG.
------------------------------
David Divins
------------------------------
Original Message:
Sent: 12-22-2022 09:23
From: MATTHEW LOVELAND
Subject: Secure Connect VPN routing issue
Hello Everyone,
I am having an issue with my IPsec VPN built on an SRX 320. The tunnel comes up and my remote user is assigned an IP from my address pool; however, no matter what I do, I can't get an address from the pool to reach my inside network. I am thinking it may be an issue with NAT or with policies. I will post the config below. Any help you can provide would be appreciated. For reference, the inside network I am trying to reach is 10.0.26.0/24, which sits on a directly connected L3 switch. I have also added a route on that device back to my inside pool, which is 10.100.26.0/24.
/* Junos SRX 320 configuration as posted. It is a partial dump: the closing brace
   of routing-options (and anything after it) is missing from the post. */
security {
log {
mode stream;
report;
}
ike {
proposal JUNVPN {
authentication-method pre-shared-keys;
dh-group group19;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy JUNVPN {
/* Aggressive mode with a shared PSK (shared-ike-id below) is commonly required for
   dynamic IKEv1 peers, but it sends the identity unprotected and the PSK strength is
   all that protects the exchange from offline guessing; prefer IKEv2 where the client
   supports it. */
mode aggressive;
proposals JUNVPN;
/* $9$ is reversible Junos obfuscation, not a hash. This value has been posted
   publicly, so treat the PSK as disclosed and rotate it. */
pre-shared-key ascii-text "$9$teRSpIcKvLNVY8XGDHkPfIEh"; ## SECRET-DATA
}
gateway JUNVPN {
ike-policy JUNVPN;
dynamic {
user-at-hostname "test@juniper.edu";
ike-user-type shared-ike-id;
}
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
/* ge-0/0/0 (172.16.20.2/24, zone untrust) terminates IKE for the remote-access clients. */
external-interface ge-0/0/0;
local-address 172.16.20.2;
aaa {
access-profile JUNVPN;
}
version v1-only;
tcp-encap-profile SSL_VPN;
}
}
ipsec {
proposal JUNVPN {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy JUNVPN {
perfect-forward-secrecy {
keys group19;
}
proposals JUNVPN;
}
vpn JUNVPN {
bind-interface st0.0;
df-bit clear;
copy-outer-dscp;
ike {
gateway JUNVPN;
ipsec-policy JUNVPN;
}
/* Traffic selector: the inside network 10.0.26.0/24 is the only local prefix offered to
   clients; remote-ip 0.0.0.0/0 accepts any client address (the pool is 10.100.26.0/24). */
traffic-selector ts-1 {
local-ip 10.0.26.0/24;
remote-ip 0.0.0.0/0;
}
}
}
address-book {
global {
/* VPN = the client address pool (matches address-assignment pool JUNVPN below). */
address VPN 10.100.26.0/24;
address servers 10.0.26.0/24;
}
}
remote-access {
profile JUNVPN {
ipsec-vpn JUNVPN;
access-profile JUNVPN;
client-config JUNVPN;
}
client-config JUNVPN {
connection-mode manual;
dead-peer-detection {
interval 60;
threshold 5;
}
}
default-profile JUNVPN;
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* NOTE(review): this rule-set is VPN -> trust and matches 1.0.43.0/24, which is the
   ge-0/0/5 transit /30 (see interfaces), not the 10.100.26.0/24 client pool. As written it
   never matches client traffic, and traffic to 10.0.26.0/24 egresses towards zone MTG, not
   trust, per the static route below. Presumably a leftover; confirm whether any source NAT
   is wanted at all, since the L3 switch already has a return route for 10.100.26.0/24. */
rule-set JUNVPN {
from zone VPN;
to zone trust;
rule JUNVPN {
match {
source-address 1.0.43.0/24;
}
then {
source-nat {
interface;
}
}
}
}
}
}
/* There is no from-zone VPN to-zone MTG policy here, yet 10.0.26.0/24 is reached via
   ge-0/0/5.0, which is in zone MTG. Client-initiated sessions to the inside network are
   therefore dropped at policy lookup; a VPN -> MTG permit (return packets ride the
   existing session) is the missing piece. The juniper_vpn-* and VPNTEST-* policies
   between untrust/trust/junos-host look like remnants from before st0.0 was placed in
   zone VPN; they do not apply to tunnel traffic. Note juniper_vpn-2 permits any untrust
   source to the VPN pool range - confirm that is intended. */
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy juniper_vpn-1 {
match {
source-address VPN;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy juniper_vpn-2 {
match {
source-address any;
destination-address VPN;
application any;
}
then {
permit;
}
}
}
from-zone junos-host to-zone untrust {
policy VPNTEST-1 {
match {
source-address VPN;
destination-address any;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone untrust to-zone junos-host {
policy VPNTEST-2 {
match {
source-address any;
destination-address VPN;
application any;
}
then {
permit;
log {
session-close;
}
}
}
}
from-zone trust to-zone VPN {
policy TRUST_TO_VPN {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone VPN to-zone trust {
policy VPN_TO_TRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
tcp-encap {
profile SSL_VPN {
ssl-profile SSL_VPN_TERM;
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
/* ge-0/0/0.0 is the IKE external interface. host-inbound-traffic "all" on it exposes every
   management service and routing protocol on the untrusted side; the remote-access
   service only needs system-services ike and tcp-encap here (plus whatever management
   access is deliberately required). */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* MTG holds ge-0/0/5.0 (1.0.43.2/30), the link towards the L3 switch that owns 10.0.26.0/24. */
security-zone MTG {
interfaces {
ge-0/0/5.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* Tunnel interface st0.0 lives in zone VPN, so decrypted client traffic is policy-checked
   as from-zone VPN. */
security-zone VPN {
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 172.16.20.2/24;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* Transit /30 to the L3 switch; next-hop 1.0.43.1 in routing-options is on this link. */
ge-0/0/5 {
unit 0 {
family inet {
address 1.0.43.2/30;
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family inet;
}
}
/* Only irb.0 is configured, although vlan VPN below references irb.43. */
irb {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
st0 {
unit 0 {
family inet;
}
}
}
access {
/* The $9$ firewall-user passwords below are reversibly obfuscated and now public; rotate them.
   Profiles test_user and VPNTEST reference pools VPN_POOL and inside, which are not defined in
   the address-assignment stanza shown (only pool JUNVPN is) - possibly truncated from the post. */
profile test_user {
authentication-order password;
client test {
firewall-user {
password "$9$1LSIyKXxdsgJ-Vk.f5F3yle"; ## SECRET-DATA
}
}
address-assignment {
pool VPN_POOL;
}
}
profile VPNTEST {
authentication-order password;
client test {
firewall-user {
password "$9$4AoDk5T39tOFnSrKvLXDiH"; ## SECRET-DATA
}
}
address-assignment {
pool inside;
}
}
/* JUNVPN is the profile the IKE gateway (aaa access-profile) and remote-access profile use. */
profile JUNVPN {
authentication-order password;
client test {
firewall-user {
password "$9$q.QntpBESeO1xNVb2gQF3"; ## SECRET-DATA
}
}
address-assignment {
pool JUNVPN;
}
}
address-assignment {
/* Client pool; matches address-book entry VPN (10.100.26.0/24). */
pool JUNVPN {
family inet {
network 10.100.26.0/24;
range JUNVPNPOOL {
low 10.100.26.1;
high 10.100.26.100;
}
xauth-attributes {
primary-dns 8.8.8.8/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile test_user;
}
}
}
vlans {
/* irb.43 is not defined under interfaces irb; this VLAN currently has no working L3 interface. */
VPN {
vlan-id 43;
l3-interface irb.43;
}
vlan-trust {
vlan-id 3;
l3-interface irb.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
routing-options {
static {
/* Inside network reached via 1.0.43.1 on ge-0/0/5 (zone MTG), hence the need for a
   VPN -> MTG security policy. */
route 10.0.26.0/24 next-hop 1.0.43.1;
route 192.168.21.0/24 next-hop 172.16.20.1;
}
------------------------------
MATTHEW LOVELAND
------------------------------