This message was posted by a user wishing to remain anonymous
That was it. Thank you!
Original Message:
Sent: 04-17-2025 10:58
From: Nikolay Semov
Subject: Trying to route from a remote access vpn to a site to site vpn
Well, you already have policy from RemoteVPN to GSTVPN. But you're also using "dynamic-application any" there when you don't have application-identification service (AppID) enabled. If you're not using AppID, you should remove dynamic-application statements (I think "none" would work to like you have in Internal -> GSTVPN).
See https://supportportal.juniper.net/s/article/Traffic-is-not-hitting-the-corresponding-security-policy-due-to-having-dynamic-application-statement-set?language=en_US
------------------------------
Nikolay Semov
Original Message:
Sent: 04-16-2025 18:46
From: Anonymous
Subject: Trying to route from a remote access vpn to a site to site vpn
This message was posted by a user wishing to remain anonymous
10.x.15.2/1-->10.x.1.1/9901;icmp,ipid-63136,st0.0,Dropped by POLICY:Denied by Policy default-policy-logical-system-00. This record shows up on the main side of the site to site. I know that the default policy is to reject everything that's not stated to be allowed, so I'm guessing I'm missing a security policy somewhere.
Original Message:
Sent: 04-16-2025 15:28
From: Nikolay Semov
Subject: Trying to route from a remote access vpn to a site to site vpn
In that case, you can use show security packet-drop records to see if there's anything obvious about traffic from JSC to other side of the site-to-site is being dropped. Do on both sides of the site-to-site VPN.
If nothing obvious is shown there, you'll need to do a flow trace to see where things fall apart. You can use monitor security flow commands to set up (specify file name and filter), start, and stop a flow trace.
------------------------------
Nikolay Semov
Original Message:
Sent: 04-16-2025 13:14
From: Anonymous
Subject: Trying to route from a remote access vpn to a site to site vpn
This message was posted by a user wishing to remain anonymous
On the other side of the site to site I have this static route 10.x.15.0/24 next-hop st0.1.
Original Message:
Sent: 04-15-2025 14:11
From: Nikolay Semov
Subject: Trying to route from a remote access vpn to a site to site vpn
Does that other side of the site-to-site VPN know how to reach 10.x.15.0/24?
------------------------------
Nikolay Semov
Original Message:
Sent: 04-14-2025 12:57
From: Anonymous
Subject: Trying to route from a remote access vpn to a site to site vpn
This message was posted by a user wishing to remain anonymous
I have a site to site VPN on my SRX 320 that has been working flawlessly for 6 months. I have recently set up a remote access VPN that is able to ping and access internal resources that are located on my main network. I would like to be able to access my secondary network from the remote access client through the site to site VPN. I assume this is a routing issue from the remote access to site to site. Any help will be greatly appreciated. Thanks.
version 23.4R2.13;
services {
netconf {
ssh;
}
ssh {
root-login allow;
}
telnet;
xnm-clear-text;
web-management {
management-url admin;
http;
https {
port 443;
pki-local-certificate JWEB;
}
session {
idle-timeout 60;
}
}
}
time-zone GMT-8;
name-server {
8.8.8.8;
4.2.2.1;
}
name-resolution {
no-resolve-on-input;
}
syslog {
archive {
size 100k;
files 3;
}
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server us.ntp.pool.org;
}
}
}
ssl {
termination {
profile RA-JSC-term {
server-certificate JWEB;
}
}
}
security {
log {
mode stream;
report;
}
ike {
proposal JSC {
authentication-method pre-shared-keys;
dh-group group19;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy ike_pol_GST2VENisp1 {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "Secret"; ## SECRET-DATA
}
policy JSC {
mode aggressive;
proposals JSC;
pre-shared-key ascii-text "Secret"; ## SECRET-DATA
}
gateway gw_GST2VENisp1 {
ike-policy ike_pol_GST2VENisp1;
address 216.x.x.x;
external-interface ge-0/0/7.0;
}
gateway JSC {
ike-policy JSC;
dynamic {
user-at-hostname "secret";
ike-user-type shared-ike-id;
}
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
external-interface ge-0/0/7;
local-address 207.x.x.x;
aaa {
access-profile RA-JSC-profile;
}
version v1-only;
tcp-encap-profile RA-JSC-SSL-VPN;
}
}
ipsec {
proposal JSC {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy ipsec_pol_GST2VENisp1 {
perfect-forward-secrecy {
keys group2;
}
proposal-set standard;
}
policy JSC {
perfect-forward-secrecy {
keys group19;
}
proposals JSC;
}
vpn GST2VENisp1 {
bind-interface st0.1;
vpn-monitor;
ike {
gateway gw_GST2VENisp1;
ipsec-policy ipsec_pol_GST2VENisp1;
}
establish-tunnels immediately;
}
vpn JSC {
bind-interface st0.0;
df-bit clear;
copy-outer-dscp;
ike {
gateway JSC;
ipsec-policy JSC;
}
traffic-selector ts-1 {
local-ip 10.0.0.0/8;
remote-ip 0.0.0.0/0;
}
}
}
address-book {
Internal {
address addr_10_x_1_0_24 10.x.1.0/24;
address addr_10_x_201_0_24 10.x.201.0/24;
address 10_x_15_0_24 10.x.15.0/24;
attach {
zone Internal;
}
}
GSTVPN {
address addr_10_x_1_0_24 10.x.1.0/24;
attach {
zone GSTVPN;
}
}
global {
address 10_x_1_0-24 10.x.1.0/24;
}
}
alg {
sip disable;
}
remote-access {
profile 207.x.x.x {
ipsec-vpn JSC;
access-profile RA-JSC-profile;
client-config JSC;
}
client-config JSC {
connection-mode manual;
dead-peer-detection {
interval 60;
threshold 5;
}
credentials {
username;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-ack-ack-proxy threshold 500;
syn-flood {
alarm-threshold 800;
attack-threshold 200;
source-threshold 80;
destination-threshold 2048;
timeout 30;
}
land;
}
limit-session {
source-ip-based 100;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set Guest-NAT {
from zone WLAN_Guest_Zone;
to zone Internet;
rule Guest {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set JSC {
description "Juniper Secure Connect";
from zone RemoteVPN;
to zone Internet;
rule JSC {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set Zone_RemoteV-Zone_GSTVPN {
from zone RemoteVPN;
to zone GSTVPN;
rule JSC-remote {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set Zone_RemoteV-Zone_Interna {
from zone RemoteVPN;
to zone Internal;
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone Internal {
policy All_Internal_Internal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone GSTVPN {
policy policy_out_GST2VENisp1 {
match {
source-address any;
destination-address any;
application any;
dynamic-application none;
}
then {
permit;
}
}
}
from-zone GSTVPN to-zone Internal {
policy policy_in_GST2VENisp1 {
match {
source-address any;
destination-address any;
application any;
dynamic-application none;
}
then {
permit;
}
}
}
from-zone WLAN_Guest_Zone to-zone Internet {
policy WLAN_Guest {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone WLAN_Guest_Zone to-zone WLAN_Guest_Zone {
policy WLAN_Guest {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone RemoteVPN {
policy RA-JSC-Policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone RemoteVPN to-zone Internal {
policy RA-JSC-Policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone RemoteVPN to-zone GSTVPN {
policy Remote-GSTvpn {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
from-zone GSTVPN to-zone RemoteVPN {
policy GST-Remote {
match {
source-address any;
destination-address any;
application any;
dynamic-application any;
}
then {
permit;
}
}
}
}
tcp-encap {
profile RA-JSC-SSL-VPN {
ssl-profile RA-JSC-term;
}
}
zones {
security-zone Internal {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
irb.4;
irb.5;
irb.6;
irb.7;
irb.8;
irb.9;
irb.2;
irb.10;
}
}
security-zone Internet {
screen untrust-screen;
host-inbound-traffic {
system-services {
https;
tcp-encap;
ike;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
tftp;
dhcp;
}
}
}
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
tftp;
dhcp;
https;
tcp-encap;
ike;
}
}
}
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
tcp-encap;
ike;
}
}
}
}
}
security-zone GSTVPN {
host-inbound-traffic {
system-services {
ike;
}
}
interfaces {
st0.1;
}
}
security-zone WLAN_Guest_Zone {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.3;
}
}
security-zone RemoteVPN {
interfaces {
st0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 50.x.x.x/30;
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan0;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan0;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
ge-0/0/7 {
unit 0 {
family inet {
address 207.x.x.x/29;
}
}
}
irb {
unit 0 {
family inet {
address 10.x.1.1/24;
}
}
unit 2 {
family inet {
address 10.x.211.1/24;
}
}
unit 3 {
family inet {
address 10.x.221.1/24;
}
}
unit 4 {
family inet {
address 10.x.99.1/24;
}
}
unit 5 {
family inet {
address 10.x.11.1/24;
}
}
unit 6 {
family inet {
address 10.x.21.1/24;
}
}
unit 7 {
family inet {
address 10.x.31.1/24;
}
}
unit 8 {
family inet {
address 10.x.202.1/24;
}
}
unit 9 {
family inet {
address 10.x.201.1/24;
}
}
unit 10 {
family inet {
address 10.x.10.1/24;
}
}
}
st0 {
unit 0 {
description "JSC RA VPN";
family inet;
}
unit 1 {
family inet;
}
}
}
forwarding-options {
dhcp-relay {
server-group {
DHCP_Server_1 {
10.x.1.10;
}
group;
}
group DHCP_group_1 {
active-server-group DHCP_Server_1;
interface irb.2;
interface irb.3;
interface irb.4;
interface irb.5;
interface irb.6;
interface irb.7;
interface irb.8;
interface irb.9;
interface irb.10;
}
}
}
access {
profile RA-JSC-profile {
client msteiner {
firewall-user {
password "Secret"; ## SECRET-DATA
}
}
address-assignment {
pool 10_x_15_0-24;
}
}
address-assignment {
pool 10_x_15_0-24 {
family inet {
network 10.x.15.0/24;
dhcp-attributes {
name-server {
10.x.1.10;
}
router {
10.x.15.1;
}
}
xauth-attributes {
primary-dns 10.x.1.10/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile RA-JSC-profile;
}
}
}
routing-instances {
isp-1 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 207.x.x.x;
qualified-next-hop 50.x.x.x;
preference 100;
}
}
}
}
isp-2 {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
next-hop 50.x.x.x;
qualified-next-hop 207.x.x.x;
preference 100;
}
}
}
}
}
vlans {
IP_Phones {
vlan-id 111;
l3-interface irb.5;
}
OBM {
vlan-id 999;
l3-interface irb.4;
}
Printers {
vlan-id 121;
l3-interface irb.6;
}
Servers {
vlan-id 131;
l3-interface irb.7;
}
VPN_Guest {
vlan-id 10;
l3-interface irb.10;
}
WLAN_Chrome {
vlan-id 202;
l3-interface irb.8;
}
WLAN_Employee {
vlan-id 211;
l3-interface irb.2;
}
WLAN_Internal {
vlan-id 201;
l3-interface irb.9;
}
WLAN_guest {
vlan-id 221;
l3-interface irb.3;
}
vlan0 {
description;
vlan-id 2;
l3-interface irb.0;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
routing-options {
interface-routes {
rib-group inet isp;
}
static {
route 0.0.0.0/0 next-table isp-1.inet.0;
route 10.x.1.0/24 next-hop st0.1;
}
rib-groups {
isp {
import-rib [ inet.0 isp-1.inet.0 isp-2.inet.0 ];
}
}
}