Hi,
I'm experiencing a perplexing Dynamic VPN issue with my SRX running 12.1X46-D71 using the straightforward example at https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-configuring.html. Initially the Pulse client returned error 1804 "Connection method doesn't allow concurrent connections", and on the WAN side the SRX would not serve https://<IP>/dynamic-vpn (it redirected to https://<IP>/servererror.php?code=404). The cause was that "system services web-management https" did not include the untrust interface. After adding the interface I could connect.
I have 3 subnets in my trust zone, each on a different VLAN.
vlan.0 (192.168.3.0/24) has
- router at 192.168.3.254
- UNIX appliance at 192.168.3.250 (reservation) - ge-0/0/2 (trunk)
- Windows test box at 192.168.3.100 (DHCP) - ge-0/0/3
vlan.72 (x.y.z.0/24) has
vlan.82 (x.y.a.0/24) has
Once connected as 192.168.4.104, I can ping all 3 subnets' routers. I can ping the UNIX appliance, but I can't ping the Windows machine. I have put vlan.0's entire /24 in remote-protected-resources. If I log in to the SRX I can ping all resources. When logged in to the UNIX appliance, I can ping all resources in vlan.0, but not the routers at vlan.72/vlan.82. I'm not too concerned if hosts in vlan.0 can't ping hosts in vlan.72/vlan.82 at this time. I also noticed that if I attempt to reach J-Web via vlan.0's router IP (192.168.3.254), I get the same response as when accessing it through the WAN. From the Windows machine I can access J-Web through 192.168.3.254. The security flow session output shows the ICMP echo request towards 192.168.3.100 is forwarded out vlan.0, but the Out leg shows Pkts: 0, so no reply ever reaches the SRX to be returned to the VPN client.
It seems that something is blocking the reply packets from the Windows machine back to the VPN client, but the default trust-to-untrust policy should permit that, and it wouldn't explain why the UNIX appliance works.
Any help greatly appreciated.
# run show dhcp server binding
IP address Session Id Hardware address Expires State Interface
192.168.3.100 1 aa:bb:cc:dd:ee:ff 82329 BOUND vlan.0
192.168.3.250 2 xx:yy:zz:ww:aa:bb 82344 BOUND vlan.0
# run show security flow session
Session ID: 6396, Policy name: DYN-VPN-policy/6, Timeout: 26, Valid
In: 192.168.4.104/184 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.100/1 --> 192.168.4.104/184;icmp, If: vlan.0, Pkts: 0, Bytes: 0
Session ID: 6401, Policy name: DYN-VPN-policy/6, Timeout: 36, Valid
In: 192.168.4.104/185 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.100/1 --> 192.168.4.104/185;icmp, If: vlan.0, Pkts: 0, Bytes: 0
Session ID: 6403, Policy name: DYN-VPN-policy/6, Timeout: 42, Valid
In: 192.168.4.104/186 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.100/1 --> 192.168.4.104/186;icmp, If: vlan.0, Pkts: 0, Bytes: 0
Session ID: 6406, Policy name: DYN-VPN-policy/6, Timeout: 46, Valid
In: 192.168.4.104/187 --> 192.168.3.100/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.100/1 --> 192.168.4.104/187;icmp, If: vlan.0, Pkts: 0, Bytes: 0
.
.
Session ID: 6781, Policy name: DYN-VPN-policy/6, Timeout: 2, Valid
In: 192.168.4.104/198 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.250/1 --> 192.168.4.104/198;icmp, If: vlan.0, Pkts: 1, Bytes: 60
Session ID: 6791, Policy name: DYN-VPN-policy/6, Timeout: 2, Valid
In: 192.168.4.104/199 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.250/1 --> 192.168.4.104/199;icmp, If: vlan.0, Pkts: 1, Bytes: 60
Session ID: 6802, Policy name: DYN-VPN-policy/6, Timeout: 4, Valid
In: 192.168.4.104/200 --> 192.168.3.250/1;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.3.250/1 --> 192.168.4.104/200;icmp, If: vlan.0, Pkts: 1, Bytes: 60
Config
system {
services {
web-management {
https {
pki-local-certificate MY-cert;
interface [ vlan.0 vlan.82 ge-0/0/0.0 ];
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp-client {
update-server;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ vlan-Management vlan-User ];
}
native-vlan-id vlan-trust;
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.3.254/24;
}
}
unit 72 {
family inet {
address x.y.z.254/24;
}
}
unit 82 {
family inet {
address x.y.a.254/24;
}
}
}
}
security {
pki {
ca-profile SRX {
ca-identity MYID;
}
}
ike {
policy IKE-DYN-VPN-policy {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "XXX"; ## SECRET-DATA
}
gateway DYN-VPN-local-gw {
ike-policy IKE-DYN-VPN-policy;
dynamic {
hostname DYNvpn;
connections-limit 2;
ike-user-type group-ike-id;
}
external-interface ge-0/0/0.0;
xauth access-profile DYN-VPN-access-profile;
}
}
ipsec {
policy IPSEC-DYN-VPN-policy {
proposal-set standard;
}
vpn DYN-VPN {
ike {
gateway DYN-VPN-local-gw;
ipsec-policy IPSEC-DYN-VPN-policy;
}
}
}
dynamic-vpn {
access-profile DYN-VPN-access-profile;
clients {
all {
remote-protected-resources {
192.168.3.0/24;
x.y.a.0/24;
}
remote-exceptions {
0.0.0.0/0;
}
ipsec-vpn DYN-VPN;
user {
Client1;
Client2;
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DNAT-SSH-test {
address 192.168.3.100/32 port 22;
}
rule-set DST-NAT {
from zone untrust;
rule Rule1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
destination-port nnnn;
}
then {
destination-nat {
pool {
DNAT-SSH-test;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy UNTRUST-to-TRUST-test {
match {
source-address any;
destination-address any;
application junos-ssh;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy DYN-VPN-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn DYN-VPN;
}
}
}
}
}
}
zones {
security-zone trust {
address-book {
address TESThost 192.168.3.100/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
vlan.72;
vlan.82;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
ping;
ike;
https;
}
}
}
}
}
}
}
access {
profile DYN-VPN-access-profile {
client Client1 {
firewall-user {
password "XXX"; ## SECRET-DATA
}
}
client Client2 {
firewall-user {
password "XXX"; ## SECRET-DATA
}
}
address-assignment {
pool DYN-VPN-address-pool;
}
}
address-assignment {
pool DefaultPool {
family inet {
network 192.168.3.0/24;
range 1 {
low 192.168.3.100;
high 192.168.3.199;
}
dhcp-attributes {
name-server {
1.1.1.1;
1.0.0.1;
8.8.8.8;
}
router {
192.168.3.254;
}
}
host UNIX {
hardware-address xx:yy:zz:ww:aa:bb;
ip-address 192.168.3.250;
}
}
}
pool ManagementPool {
family inet {
network x.y.a.0/24;
range 1 {
low x.y.a.100;
high x.y.a.199;
}
dhcp-attributes {
name-server {
1.1.1.1;
1.0.0.1;
8.8.8.8;
}
router {
x.y.a.254;
}
}
}
}
pool UserPool {
family inet {
network x.y.z.0/24;
range 1 {
low x.y.z.100;
high x.y.z.199;
}
dhcp-attributes {
name-server {
1.1.1.1;
1.0.0.1;
8.8.8.8;
}
router {
x.y.z.254;
}
}
}
}
pool DYN-VPN-address-pool {
family inet {
network 192.168.4.0/24;
range DYN-VPN-address-range {
low 192.168.4.100;
high 192.168.4.109;
}
xauth-attributes {
primary-dns 1.1.1.1/32;
}
}
}
}
firewall-authentication {
web-authentication {
default-profile DYN-VPN-access-profile;
}
}
}
applications {
application SSH-DNAT {
protocol tcp;
source-port 1024-65535;
destination-port nnnn;
}
}
vlans {
vlan-Management {
vlan-id 82;
l3-interface vlan.82;
}
vlan-User {
vlan-id 72;
l3-interface vlan.72;
}
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}