SRX


Client using Dynamic Remote VPN is not able to connect to the internal network.

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2022 09:33

    Hi everyone,

    I have created a dynamic VPN on an SRX instance and I am able to connect to the VPN using the Pulse client, but I am not able to connect to any resource or ping anything inside my network. I am doing split tunneling and am missing something, so I thought I would ask in this forum.

    Here's my configuration:

    set version 19.4R3-S1.3
    set system host-name dynvpn
    set system services ssh root-login allow
    set system services netconf ssh
    set system services dhcp-local-server group jdhcp-group interface irb.0
    set system services web-management https system-generated-certificate
    set system time-zone EST
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system phone-home rfc-compliant
    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$eGnMLNs2airskPdbkP5Q9CKM8XdbYgoGKjH"
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/1.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 192.168.100.0/24
    set security dynamic-vpn clients all remote-protected-resources 192.168.2.0/30
    set security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user client1
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-to-trust match application any
    set security policies from-zone trust to-zone trust policy trust-to-trust then permit
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces irb.0
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/30
    set interfaces ge-0/0/1 unit 0 family inet dhcp vendor-id Juniper-srx320
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
    set interfaces cl-1/0/0 dialer-options pool 1 priority 100
    set interfaces dl0 unit 0 family inet negotiate-address
    set interfaces dl0 unit 0 family inet6 negotiate-address
    set interfaces dl0 unit 0 dialer-options pool 1
    set interfaces dl0 unit 0 dialer-options dial-string 1234
    set interfaces dl0 unit 0 dialer-options always-on
    set interfaces irb unit 0 family inet
    set interfaces irb unit 100 family inet address 192.168.100.1/24
    set interfaces st0 unit 0 family inet
    set interfaces st0 unit 100 family inet
    set access profile dyn-vpn-access-profile client andy firewall-user password "$9$79dwgGDkTz6oJz69Afvvfvsaswdw1INdbsoJUjHm5Q"
    set access profile dyn-vpn-access-profile client nenad firewall-user password "$9$-2bYoDi.z39JG39ApacascascacaacREdbs2JGjHqfQF"
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.100.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-IP-RANGE low 192.168.100.50
    set access address-assignment pool dyn-vpn-address-pool family inet range dyn-vpn-IP-RANGE high 192.168.100.60
    set access address-assignment pool dyn-vpn-address-pool family inet dhcp-attributes router 192.168.100.1
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface irb.0
    set protocols l2-learning global-mode switching
    set protocols rstp interface all
    set routing-options static route 192.168.20.0/24 next-hop 192.168.2.2

    From the Windows client machine (it is getting the DHCP address):

    Ethernet adapter Ethernet 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Networks Virtual Adapter
    Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::f0f8:c411:17da:eb9%2(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.100.51(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    NetBIOS over Tcpip. . . . . . . . : Enabled


    Route print from the Windows client machine:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.162.205 192.168.162.206 50
    78.172.98.188 255.255.255.255 192.168.162.205 192.168.162.206 50
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    192.168.2.0 255.255.255.252 On-link 192.168.100.51 1
    192.168.20.0 255.255.255.0 On-link 192.168.100.51 1
    192.168.100.0 255.255.255.0 On-link 192.168.100.51 1
    192.168.100.51 255.255.255.255 On-link 192.168.100.51 256
    192.168.162.0 255.255.255.0 On-link 192.168.162.206 306
    192.168.162.206 255.255.255.255 On-link 192.168.162.206 306
    192.168.162.255 255.255.255.255 On-link 192.168.162.206 306
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 192.168.162.206 306
    224.0.0.0 240.0.0.0 On-link 192.168.100.51 256
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 192.168.162.206 306
    255.255.255.255 255.255.255.255 On-link 192.168.100.51 256
    ===========================================================================
    Persistent Routes:
    None

    Thanks in advance for your help.
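A quick static audit of a Junos `set`-format configuration helps narrow down a "tunnel is up but nothing inside is reachable" problem before touching policies. The script below is an added example, not part of the post or of any Juniper tool: it parses the statements, and for each `remote-protected-resources` prefix it resolves the SRX egress interface (connected networks first, then one level of static next-hop resolution), looks up the security zone that interface is bound to, and notes whether the prefix overlaps the client address pool. On an SRX, a logical interface that is not bound to any security zone sits in the Null zone and the flow engine drops transit traffic through it, so a protected subnet whose only path is such an interface stays unreachable regardless of how the `untrust`-to-`trust` policy is written. `SAMPLE_CONFIG` is an excerpt of the configuration posted above, trimmed to the statements the checks read.

```python
import ipaddress
import shlex

# Excerpt of the configuration posted above, trimmed to the statements the checks read.
SAMPLE_CONFIG = """
set security dynamic-vpn clients all remote-protected-resources 192.168.100.0/24
set security dynamic-vpn clients all remote-protected-resources 192.168.2.0/30
set security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set security zones security-zone trust interfaces irb.0
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/30
set interfaces ge-0/0/1 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces irb unit 0 family inet
set interfaces irb unit 100 family inet address 192.168.100.1/24
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.100.0/24
set routing-options static route 192.168.20.0/24 next-hop 192.168.2.2
"""


def parse_set_lines(text):
    """Split each 'set ...' statement into tokens (quoted values stay whole), dropping 'set'."""
    return [shlex.split(ln.strip())[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def connected_networks(stmts):
    """Map logical interface (e.g. 'irb.100') -> IPv4 network from 'family inet address <prefix>'."""
    nets = {}
    for t in stmts:
        if t[:1] == ["interfaces"] and t[2:3] == ["unit"] and t[4:7] == ["family", "inet", "address"]:
            nets[f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[7]).network
    return nets


def zone_of(stmts):
    """Map logical interface -> security zone it is bound to."""
    zones = {}
    for t in stmts:
        if t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"]:
            zones[t[5]] = t[3]
    return zones


def static_routes(stmts):
    """Map destination network -> next-hop address from 'routing-options static route'."""
    routes = {}
    for t in stmts:
        if t[:3] == ["routing-options", "static", "route"] and t[4:5] == ["next-hop"]:
            routes[ipaddress.ip_network(t[3])] = ipaddress.ip_address(t[5])
    return routes


def egress_interface(stmts, dest):
    """Longest-prefix lookup of dest: connected networks first, then static routes,
    resolving the next-hop against the connected networks (one level only)."""
    dest = ipaddress.ip_network(dest)
    nets = connected_networks(stmts)
    connected = [(n, ifl) for ifl, n in nets.items() if n.supernet_of(dest)]
    if connected:
        return max(connected, key=lambda p: p[0].prefixlen)[1]
    for route, nh in sorted(static_routes(stmts).items(), key=lambda p: -p[0].prefixlen):
        if route.supernet_of(dest):
            for ifl, n in nets.items():
                if nh in n:
                    return ifl
    return None


def audit(text):
    """Per protected resource: SRX egress interface, its zone (None = Null zone, traffic dropped),
    and whether the prefix overlaps a client address pool."""
    stmts = parse_set_lines(text)
    zones = zone_of(stmts)
    pools = [ipaddress.ip_network(t[t.index("network") + 1]) for t in stmts
             if t[:2] == ["access", "address-assignment"] and "network" in t]
    report = {}
    for t in stmts:
        if t[:2] == ["security", "dynamic-vpn"] and "remote-protected-resources" in t:
            res = ipaddress.ip_network(t[-1])
            ifl = egress_interface(stmts, res)
            report[str(res)] = {
                "egress": ifl,
                "zone": zones.get(ifl),
                "overlaps_pool": any(res.overlaps(p) for p in pools),
            }
    return report


if __name__ == "__main__":
    for prefix, info in audit(SAMPLE_CONFIG).items():
        flags = []
        if info["egress"] is None:
            flags.append("no route")
        elif info["zone"] is None:
            flags.append(f"{info['egress']} is not bound to any security zone")
        if info["overlaps_pool"]:
            flags.append("overlaps the client address pool")
        print(f"{prefix:18} via {info['egress']} zone={info['zone']}  {'; '.join(flags) or 'ok'}")
```

Run against the excerpt it reports that `192.168.2.0/30` and `192.168.20.0/24` both leave through `ge-0/0/0.0` in zone `trust`, while `192.168.100.0/24` is reached via `irb.100`, which no `security-zone ... interfaces` statement binds to a zone, and that the same prefix is also the client pool network. Both findings are worth resolving (binding the interface to a zone, and giving the VPN clients a pool that does not overlap the protected LAN) before spending time on the policy itself.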