Some update:
I have now configured my SRX240 for use with the NCP Secure Client - Juniper Edition.
The tunnel now establishes successfully, but I'm not able to get any traffic from the client to the remote protected network.
From my point of view everything is set, but maybe I missed something?
It would be great if anybody could have a look through my config and maybe has a hint for me why no traffic is going through the tunnel.
As already mentioned, we have an active-active cluster. The untrust interface is reth15.0 and the trust interface is reth2.0.
I had to choose a manual IP in the NCP client, as we don't have a DHCP server yet; I just gave the client one of the IPs within the trust network, 10.200.1.30.
Authentication is done with a RADIUS server, and it also seems to be working fine.
So the tunnel itself seems to be working fine, except that no traffic is going through...
---------------------------------------------------------------------------------------------
interfaces {
    ge-0/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-0/0/15 {
        gigether-options {
            redundant-parent reth15;
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.200.1.1/24;
            }
        }
    }
    reth15 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address <ourPublicIP>/28;
            }
        }
    }
}
security {
    ike {
        proposal PSK-DES-MD5-DH2 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy dialup-ike-policy {
            mode aggressive;
            proposals PSK-DES-MD5-DH2;
            pre-shared-key ascii-text "SECRET";
        }
        gateway dialup-ike {
            ike-policy dialup-ike-policy;
            dynamic {
                hostname "user@juniper.net";
                connections-limit 10;
                ike-user-type shared-ike-id;
            }
            external-interface reth15.0;
            xauth access-profile xauth-users;
        }
    }
    ipsec {
        proposal ESP-3DES-SHA256 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm 3des-cbc;
        }
        policy dialup-ipsec-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ESP-3DES-SHA256;
        }
        vpn dialup-vpn {
            ike {
                gateway dialup-ike;
                ipsec-policy dialup-ipsec-policy;
            }
            establish-tunnels on-traffic;
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit-trust-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                    count;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy dialup-unt-tr {
                match {
                    source-address any;
                    destination-address TRUST_ALL_HOSTS_MGMT_NETWORK_10.200.1.0/24;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dialup-vpn;
                        }
                    }
                }
            }
            policy default-untrust-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            address-book {
                address TRUST_ALL_HOSTS_MGMT_NETWORK_10.200.1.0/24 10.200.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    http;
                    https;
                    ping;
                    ssh;
                    telnet;
                    snmp;
                }
            }
            interfaces {
                reth2.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                    https;
                    ssh;
                    ike;
                }
            }
            interfaces {
                reth15.0;
            }
        }
    }
}
access {
    profile xauth-users {
        authentication-order radius;
        session-options {
            client-idle-timeout 180;
        }
        radius-server {
            <RADIUS-SERVER-IP> {
                port 1812;
                secret "RADIUS-SERVER SECRET";
            }
        }
    }
}
---------------------------------------------------------------------------------------------
And here is the log from the NCP client:
---------------------------------------------------------------------------------------------
14.11.2012 12:56:32 IPSec: Start building connection
14.11.2012 12:56:32 Ike: Outgoing connect request AGGRESSIVE mode - gateway=OUR-PUBLIC-IP : PROFILENAME
14.11.2012 12:56:32 Ike: XMIT_MSG1_AGGRESSIVE - PROFILENAME
14.11.2012 12:56:32 Ike: RECV_MSG2_AGGRESSIVE - PROFILENAME
14.11.2012 12:56:32 Ike: IKE phase I: Setting LifeTime to 28800 seconds
14.11.2012 12:56:32 Ike: Turning on XAUTH mode - IT-onBase
14.11.2012 12:56:32 Ike: IkeSa negotiated with the following properties -
14.11.2012 12:56:32 Authentication=XAUTH_INIT_PSK,Encryption=DES,Hash=MD5,DHGroup=2,KeyLen=0
14.11.2012 12:56:32 Ike: IT-onBase ->Support for NAT-T version - 9
14.11.2012 12:56:32 Ike: Turning on NATD mode - PROFILENAME - 1
14.11.2012 12:56:32 IPSec: Final Tunnel EndPoint is:OURPUBLICIP
14.11.2012 12:56:32 Ike: XMIT_MSG3_AGGRESSIVE - PROFILENAME
14.11.2012 12:56:32 Ike: IkeSa negotiated with the following properties -
14.11.2012 12:56:32 Authentication=XAUTH_INIT_PSK,Encryption=DES,Hash=MD5,DHGroup=2,KeyLen=0
14.11.2012 12:56:32 Ike: phase1:name(PROFILENAME) - connected
14.11.2012 12:56:32 SUCCESS: IKE phase 1 ready
14.11.2012 12:56:32 IPSec: Phase1 is Ready,AdapterIndex=0,IkeIndex=49,LocTepIpAdr=0.0.0.0,AltRekey=1
14.11.2012 12:56:32 IkeXauth: RECV_XAUTH_REQUEST
14.11.2012 12:56:32 IkeXauth: XMIT_XAUTH_REPLY
14.11.2012 12:56:32 IkeXauth: RECV_XAUTH_SET
14.11.2012 12:56:32 IkeXauth: XMIT_XAUTH_ACK
14.11.2012 12:56:32 IkeCfg: name <IT-onBas> - IkeXauth: enter state open
14.11.2012 12:56:32 SUCCESS: Ike Extended Authentication is ready
14.11.2012 12:56:32 IPSec: Quick Mode is Ready: IkeIndex = 00000031 , VpnSrcPort = 10954
14.11.2012 12:56:32 IPSec: Assigned IP Address: 10.200.1.30
14.11.2012 12:56:32 IPSec: Gateway IP Address: 0.0.0.0
14.11.2012 12:56:32 IkeQuick: XMIT_MSG1_QUICK - PROFILENAME
14.11.2012 12:56:32 IkeQuick: Received Notify(IT-onBase) -> remote is reducing LifeTime to 3600
14.11.2012 12:56:32 IkeQuick: RECV_MSG2_QUICK - PROFILENAME
14.11.2012 12:56:32 IkeQuick: Turning on PFS mode(PROFILENAME) with group 2
14.11.2012 12:56:32 IkeQuick: XMIT_MSG3_QUICK - PROFILENAME
14.11.2012 12:56:32 IkeQuick: phase2:name(PROFILENAME) - connected
14.11.2012 12:56:32 SUCCESS: Ike phase 2 (quick mode) ready
14.11.2012 12:56:32 IPSec: Created an IPSEC SA with the following characteristics -
14.11.2012 12:56:32 IpSrcRange=[10.200.1.30-10.200.1.30],IpDstRange=[10.200.1.0-10.200.1.255],IpProt=0,SrcPort=0,DstPort=0
14.11.2012 12:56:32 IPSec: connected: LifeDuration in Seconds = 2520 and in KiloBytes = 0
14.11.2012 12:56:32 IPSec: Connected to PROFILENAME on channel 1.
14.11.2012 12:56:32 PPP(Ipcp): connected to IT-onBase with IP Address: 10.200.1.30
14.11.2012 12:56:32 SUCCESS: IpSec connection ready
14.11.2012 12:56:35 SUCCESS: Link -> <PROFILENAME> IP address assigned to IP stack - link is operational.
Thanks for any hints...
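Added example, not code from the post or from Juniper: a small Python linter that parses Junos brace syntax into a tree, flags phase-1 settings in the IKE hierarchy that a reviewer would want to look at (aggressive mode, DES/3DES, MD5/SHA-1), and reports whether the address handed to the VPN client lies inside the protected LAN prefix. The embedded config excerpt is constructed from the values quoted above and is an assumption, not the full configuration.

```python
import ipaddress
# Constructed excerpt modelled on the post's SRX config (an assumption, not the poster's full config).
SAMPLE = """
security {
    ike {
        proposal PSK-DES-MD5-DH2 {
            authentication-algorithm md5;
            encryption-algorithm des-cbc;
        }
        policy dialup-ike-policy {
            mode aggressive;
            proposals PSK-DES-MD5-DH2;
        }
    }
}
"""
LAN = ipaddress.ip_network("10.200.1.0/24")  # reth2.0 subnet quoted in the post
WEAK_ENC, WEAK_HASH = {"des-cbc", "3des-cbc"}, {"md5", "sha1"}

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; leaf statements map keyword -> list of values."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.rstrip(";").partition(" ")
            stack[-1].setdefault(key, []).append(val)
    return stack[0]

def audit_ike(cfg):
    """Return findings for phase-1 settings worth reviewing, per IKE policy and its proposals."""
    ike, findings = cfg["security"]["ike"], []
    proposals = {k.split(" ", 1)[1]: v for k, v in ike.items() if k.startswith("proposal ")}
    for key, pol in ((k, v) for k, v in ike.items() if k.startswith("policy ")):
        if "aggressive" in pol.get("mode", []):
            findings.append(f"{key}: aggressive mode (main mode is preferred with pre-shared keys)")
        for pname in pol.get("proposals", []):
            prop = proposals[pname]
            for stmt, weak in (("encryption-algorithm", WEAK_ENC), ("authentication-algorithm", WEAK_HASH)):
                for alg in prop.get(stmt, []):
                    if alg in weak:
                        findings.append(f"{pname}: weak {stmt} {alg}")
    return findings

def client_overlaps_lan(client_ip, lan=LAN):
    """True when the address handed to the VPN client lies inside the protected LAN prefix itself."""
    return ipaddress.ip_address(client_ip) in lan
```

Run `audit_ike(parse_junos(SAMPLE))` against a full `show configuration | display set`-free brace dump to get the same findings for a real device; `client_overlaps_lan("10.200.1.30")` is true for the address chosen in the post, which is worth knowing when tracing why LAN hosts never see return traffic.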