Hi all,
I've got a 2-site setup with SRX240s in each site and an IPsec VPN tunnel between them. I've also set up Dynamic VPN access via the Internet to the main site (PHV). Dyn-VPN clients can successfully connect in from the Internet zone and access resources in my Trusted zone (10.0.0.0/24), but are unable to access the Camera zone (10.60.0.0/24). I'm also trying to allow dynamic VPN clients to access some of the resources at the other site (DSQ), but have noticed this issue with accessing the Camera zone at the same site, so I'm just troubleshooting this first.
So far I've found posts suggesting adding the client VPN range to proxy ARP on the Trusted interface, which had no effect for me, and tbh I don't fully understand what this is doing or why it's needed. VPN clients are on the 10.5.0.0/28 range, which is different to the subnets they're trying to reach, as I've seen recommended in KB articles, and everything I'm trying to reach is listed in the protected resources config and routes are added successfully on the client side.
I've generated a flow-debug log, which seems to show that the dyn-VPN clients are sending packets to the camera on 10.60.0.2 successfully, but nothing is showing up coming back from the Camera zone. I can see no reason why, as I can successfully ping the Camera zone from any machine in the Trusted zone.
Flow from dyn-vpn client pinging camera 10.60.0.2:
    root@srx1# run show log flow-debug | match 10.60.0.2
    Oct 16 13:09:59 13:09:59.896426:CID-0:RT:<10.5.0.5/70->10.60.0.2/1;1> matched filter filter-dvpn:
    Oct 16 13:09:59 13:09:59.896426:CID-0:RT: pp0.0:10.5.0.5->10.60.0.2, icmp, (8/0)
    Oct 16 13:09:59 13:09:59.896426:CID-0:RT: find flow: table 0x4f0e2da0, hash 45142(0xffff), sa 10.5.0.5, da 10.60.0.2, sp 70, dp 1, proto 1, tok 6
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:search gate for Internet:10.5.0.5/70->10.60.0.2/1,1
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:search gate for Internet:10.5.0.5/70->10.60.0.2/1,1
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:search widecast gate for Internet:10.5.0.5/70->10.60.0.2/1,1
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT: flow_first_in_dst_nat: in <pp0.0>, out <N/A> dst_adr 10.60.0.2, sp 70, dp 1
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.60.0.2(1)
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.5.0.5, x_dst_ip 10.60.0.2, in ifp pp0.0, out ifp N/A sp 70, dp 1, ip_proto 1, tos 0
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT:flow_ipv4_rt_lkup success 10.60.0.2, iifl 0x4d, oifl 0x4a
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT: routed (x_dst_ip 10.60.0.2) from Internet (pp0.0 in 0) to vlan.60, Next-hop: 10.60.0.2
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT: 10.5.0.5/2048 -> 10.60.0.2/19733 proto 1
    Oct 16 13:09:59 13:09:59.896637:CID-0:RT: 10.5.0.5/2048 -> 10.60.0.2/19733 proto 1
Full config below; any help or pointers regarding any part of my setup much appreciated.
    ## Last changed: 2016-10-14 21:01:10 BST
    version 12.1X46-D50.4;
    system {
        host-name srx1;
        domain-name xxx.xxxxx.net;
        domain-search xxx.xxxxx.net;
        time-zone Europe/London;
        root-authentication {
            encrypted-password ; ## SECRET-DATA
        }
        name-server {
            10.0.0.60;
            10.0.0.65;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh {
                protocol-version v2;
                connection-limit 5;
            }
            dns {
                max-cache-ttl 600;
                max-ncache-ttl 300;
            }
            web-management {
                management-url jweb;
                http {
                    interface vlan.2;
                }
                https {
                    system-generated-certificate;
                    interface vlan.2;
                }
                session {
                    idle-timeout 300;
                }
            }
        }
        syslog {
            archive size 1000k files 10;
            user * {
                any emergency;
            }
            host 10.0.0.99 {
                any any;
                authorization info;
                security any;
                change-log any;
                interactive-commands error;
                match RT_FLOW_SESSION;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
        }
        max-configurations-on-flash 12;
        max-configuration-rollbacks 25;
        archival {
            configuration {
                transfer-on-commit;
                archive-sites {
                    "ftp://junos@172.16.0.98:/Juniper" password ; ## SECRET-DATA
                }
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 212.71.248.69;
            server uk.pool.ntp.org;
        }
    }
    chassis {
        aggregated-devices {
            ethernet {
                device-count 1;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description "ISP Link";
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        ge-0/0/1 {
            description "Wifi AP";
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members WiFi-Guest;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/4 {
            gigether-options {
                auto-negotiation;
                802.3ad ae0;
            }
        }
        ge-0/0/5 {
            gigether-options {
                auto-negotiation;
                802.3ad ae0;
            }
        }
        ge-0/0/6 {
            gigether-options {
                auto-negotiation;
                802.3ad ae0;
            }
        }
        ge-0/0/7 {
            gigether-options {
                auto-negotiation;
                802.3ad ae0;
            }
        }
        ge-0/0/8 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-Private;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/12 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-Private;
                    }
                }
            }
        }
        ge-0/0/13 {
            description Cisco-3650-Management;
            gigether-options {
                auto-negotiation;
                ignore-l3-incompletes;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members Management;
                    }
                }
            }
        }
        ge-0/0/14 {
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan-Private;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching;
            }
        }
        pt-1/0/0 {
            description "ISP Link VDSL";
            vlan-tagging;
            vdsl-options {
                vdsl-profile auto;
            }
            unit 0 {
                encapsulation ppp-over-ether;
                vlan-id 101;
            }
        }
        ae0 {
            description "EtherChannel Trunk to Cisco";
            aggregated-ether-options {
                lacp {
                    active;
                }
            }
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members all;
                    }
                    native-vlan-id 1;
                }
            }
        }
        pp0 {
            traceoptions {
                flag all;
            }
            unit 0 {
                point-to-point;
                ppp-options {
                    chap {
                        default-chap-secret "xxxxx"; ## SECRET-DATA
                        local-name "xxxxxx";
                        no-rfc2486;
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 3;
                    client;
                }
                no-keepalives;
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
        st0 {
            unit 0 {
                description "VPN to DSQ";
                family inet {
                    address 10.99.99.1/30;
                }
            }
        }
        vlan {
            unit 2 {
                family inet {
                    address 10.0.0.100/24;
                }
            }
            unit 3 {
                family inet {
                    address 10.10.0.100/24;
                }
            }
            unit 30 {
                description "WiFi Guest";
                family inet {
                    address 10.30.0.100/24;
                }
            }
            unit 60 {
                description "IP Cameras";
                family inet {
                    address 10.60.0.1/27;
                }
            }
            unit 99 {
                description Management;
                family inet {
                    address 10.99.0.100/24;
                }
            }
        }
    }
    forwarding-options {
        helpers {
            bootp {
                server 10.0.0.60;
                server 10.0.0.65;
                maximum-hop-count 10;
                minimum-wait-time 1;
                vpn;
                interface {
                    ge-1/0/13;
                    ge-1/0/13.0;
                    vlan.60;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop pp0.0;
                metric 0;
            }
            route 172.16.0.0/24 next-hop st0.0;
            route 192.168.1.0/24 next-hop st0.0;
            route 172.16.90.0/24 next-hop st0.0;
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface vlan.2;
                interface vlan.3;
                interface st0.0 {
                    interface-type p2p;
                    neighbor 10.99.99.2;
                }
                interface vlan.60;
            }
        }
        stp;
    }
    security {
        log {
            cache;
            mode event;
        }
        ike {
            proposal IKE-PROP {
                authentication-method pre-shared-keys;
                dh-group group14;
                authentication-algorithm sha-256;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            proposal Dynamic-VPN-P1-Proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy IKE-POL {
                mode main;
                proposals IKE-PROP;
                pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
            }
            policy Dynamic-VPN-P2-Policy {
                mode aggressive;
                proposals Dynamic-VPN-P1-Proposal;
                pre-shared-key ascii-text "xxxxxx"; ## SECRET-DATA
            }
            gateway IKE-GW {
                ike-policy IKE-POL;
                address xxx.xxx.xxx.xxx;
                external-interface pp0.0;
            }
            gateway Dynamic-VPN-P1-Gateway {
                ike-policy Dynamic-VPN-P2-Policy;
                dynamic {
                    hostname xxx.xxxxx.xxx;
                    ike-user-type shared-ike-id;
                }
                external-interface pp0.0;
                xauth access-profile Dynamic-LDAP-XAuth;
            }
        }
        ipsec {
            proposal IPSEC-PROP {
                protocol esp;
                authentication-algorithm hmac-sha-256-128;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            proposal Dynamic-P2-Proposal {
                description Dynamic-VPN-P2-Proposal;
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy IPSEC-POL {
                perfect-forward-secrecy {
                    keys group14;
                }
                proposals IPSEC-PROP;
            }
            policy Dynamic-P2-Policy {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposals Dynamic-P2-Proposal;
            }
            vpn IPSEC-VPN {
                bind-interface st0.0;
                vpn-monitor;
                ike {
                    gateway IKE-GW;
                    ipsec-policy IPSEC-POL;
                }
                establish-tunnels immediately;
            }
            vpn Dynamic-VPN {
                ike {
                    gateway Dynamic-VPN-P1-Gateway;
                    ipsec-policy Dynamic-P2-Policy;
                }
                establish-tunnels immediately;
            }
        }
        dynamic-vpn {
            force-upgrade;
            access-profile Dynamic-LDAP-XAuth;
            clients {
                all {
                    remote-protected-resources {
                        10.0.0.0/24;
                        172.16.0.0/24;
                        192.168.1.1/24;
                        10.60.0.0/24;
                        10.99.0.100/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn Dynamic-VPN;
                    user-groups {
                        VPN-Users-Peacehaven;
                    }
                }
            }
        }
        flow {
            traceoptions {
                file flow-debug;
                flag basic-datapath;
                packet-filter filter-dvpn {
                    source-prefix 10.5.0.0/24;
                    destination-prefix 10.60.0.2/32;
                }
                packet-filter camtodvpn {
                    source-prefix 10.60.0.2/32;
                    destination-prefix 10.5.0.0/24;
                }
            }
            allow-dns-reply;
            syn-flood-protection-mode syn-cookie;
            tcp-mss {
                all-tcp {
                    mss 1300;
                }
            }
            tcp-session {
                rst-sequence-check;
                strict-syn-check;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    large;
                    ping-death;
                }
                ip {
                    bad-option;
                    security-option;
                    source-route-option;
                    strict-source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                    winnuke;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone [ Trusted WiFi-Guest ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
            }
            proxy-arp {
                interface vlan.2 {
                    address {
                        10.5.0.1/32 to 10.5.0.14/32;
                    }
                }
            }
        }
        policies {
            from-zone Trusted to-zone Internet {
                policy All_Trusted_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Trusted to-zone WiFi-Guest {
                policy Trusted_WiFi_HTTP {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone WiFi-Guest to-zone Internet {
                policy All_WiFi_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Trusted to-zone Trusted {
                policy Trusted_IVR {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone WiFi-Guest to-zone Trusted {
                policy Wifi_to_Trusted {
                    match {
                        source-address [ UKPK1K1GT THETA ];
                        destination-address DELTA;
                        application synergy;
                    }
                    then {
                        permit;
                    }
                }
                policy Dynamic-VPN {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Dynamic-VPN;
                            }
                        }
                    }
                }
            }
            from-zone Internet to-zone Trusted {
                policy Internet_to_NAS {
                    match {
                        source-address any;
                        destination-address NAS;
                        application transmission;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
                policy Dynamic-VPN {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn Dynamic-VPN;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone WiFi-Guest to-zone WiFi-Guest {
                policy WiFi_to_WiFi {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Trusted to-zone VPN {
                policy Trusted_to_VPN {
                    match {
                        source-address [ PHV-Private PHV-Cameras ];
                        destination-address [ DSQ-Trusted DSQ-SQ-Network DSQ-Trusted-VsphereMgmt DSQ-Trusted-Private ];
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN to-zone Trusted {
                policy VPN_to_Trusted {
                    match {
                        source-address DSQ-Trusted;
                        destination-address PHV-Private;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone Trusted to-zone Cameras {
                policy Camera_Access {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone VPN to-zone Cameras {
                policy VPN_to_Cameras {
                    match {
                        source-address DSQ-Trusted;
                        destination-address PHV-Cameras;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone Internet {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ike;
                    }
                }
                interfaces {
                    pp0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                ike;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone Trusted {
                address-book {
                    address DELTA 10.0.0.40/32;
                    address GAMER 10.0.0.12/32;
                    address NAS 10.0.0.99/32;
                    address BURTHA 10.0.0.98/32;
                    address INPUT 10.0.0.71/32;
                    address PHV-Private 10.0.0.0/24;
                    address DSQ-Trusted-Private 172.16.0.0/24;
                    address DSQ-Trusted-VsphereMgmt 192.168.1.0/24;
                    address SRX1 10.0.0.100/32;
                    address PHV-Cameras 10.60.0.0/24;
                    address-set DSQ-Trusted {
                        address DSQ-Trusted-Private;
                        address DSQ-Trusted-VsphereMgmt;
                    }
                }
                interfaces {
                    vlan.2 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                http;
                                https;
                                ssh;
                                dhcp;
                                dns;
                            }
                        }
                    }
                    ge-0/0/8.0;
                    ge-0/0/12.0;
                    ge-0/0/13.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                    ge-0/0/14.0;
                }
            }
            security-zone WiFi-Guest {
                address-book {
                    address UKPK1K1GT 10.10.0.5/32;
                    address THETA 10.10.0.50/32;
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    vlan.30 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone VPN {
                address-book {
                    address PHV-Private 10.0.0.0/24;
                    address DSQ-Trusted-Private 172.16.0.0/24;
                    address DSQ-Trusted-VsphereMgmt 192.168.1.0/24;
                    address PHV-Cameras 10.60.0.0/24;
                    address DSQ-SQ-Network 172.16.90.0/24;
                    address-set DSQ-Trusted {
                        address DSQ-Trusted-Private;
                        address DSQ-Trusted-VsphereMgmt;
                    }
                }
                interfaces {
                    st0.0;
                }
            }
            security-zone Cameras {
                address-book {
                    address PHV-Cameras 10.60.0.0/24;
                    address FrontDoor 10.60.0.3/32;
                }
                interfaces {
                    vlan.60 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile Dynamic-XAuth {
            client Jill {
                firewall-user {
                    password "xxxxx"; ## SECRET-DATA
                }
            }
            client McG {
                firewall-user {
                    password "xxxxx"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool Dynamic-VPN-Pool;
            }
        }
        profile Dynamic-LDAP-XAuth {
            authentication-order ldap;
            address-assignment {
                pool Dynamic-VPN-Pool;
            }
            session-options {
                client-group VPN-Users-xxxxx;
            }
            ldap-options {
                base-distinguished-name "OU=xxxxxx,DC=xxx,DC=xxxxx,DC=xxx";
                search {
                    search-filter sAMAccountName=;
                    admin-search {
                        distinguished-name "CN=xxxxx,OU=xxxx,DC=xxx,DC=xxxxx,DC=xxx";
                        password "xxxxx"; ## SECRET-DATA
                    }
                }
            }
            ldap-server {
                xxx.xxxxxx.xxx port 389;
            }
        }
        address-assignment {
            pool WiFi {
                family inet {
                    network 10.10.0.0/24;
                    range THETA {
                        low 10.10.0.50;
                        high 10.10.0.50;
                    }
                    range DEFAULT {
                        low 10.10.0.200;
                        high 10.10.0.254;
                    }
                    range UKPK1K1GT {
                        low 10.10.0.5;
                        high 10.10.0.5;
                    }
                    dhcp-attributes {
                        maximum-lease-time 86400;
                        server-identifier 10.10.0.100;
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            10.10.0.100;
                        }
                    }
                    host THETA {
                        hardware-address 3c:97:0e:b1:c2:bf;
                        ip-address 10.10.0.50;
                    }
                    host UKPK1K1GT {
                        hardware-address xxxxx;
                        ip-address 10.10.0.5;
                    }
                }
            }
            pool Dynamic-VPN-Pool {
                family inet {
                    network 10.5.0.0/28;
                    range dyn-vpn-range {
                        low 10.5.0.1;
                        high 10.5.0.14;
                    }
                    dhcp-attributes {
                        domain-name xxx.xxxxx.xxx;
                        name-server {
                            10.0.0.60;
                            10.0.0.65;
                        }
                    }
                    xauth-attributes {
                        primary-dns 10.0.0.60/32;
                        secondary-dns 10.0.0.65/32;
                    }
                }
            }
        }
        firewall-authentication {
            pass-through {
                default-profile Dynamic-LDAP-XAuth;
            }
            web-authentication {
                default-profile Dynamic-LDAP-XAuth;
            }
        }
    }
    applications {
    }
    vlans {
        Cameras {
            description "IP Cameras";
            vlan-id 60;
            l3-interface vlan.60;
        }
        Management {
            description Management;
            vlan-id 99;
            l3-interface vlan.99;
        }
        WiFi-Guest {
            description "Wifi Clients";
            vlan-id 30;
            l3-interface vlan.30;
        }
        vlan-Private {
            description Internal;
            vlan-id 2;
            l3-interface vlan.2;
        }
    }
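The post's troubleshooting method is to capture both directions of the camera traffic with two flow traceoptions packet-filters (filter-dvpn and camtodvpn) and see which direction is missing. As an added example, not part of the original post or of Junos itself, the script below automates that check over a saved `show log flow-debug` capture: it parses the `matched filter` and `routed ... from ZONE (IFL in N) to IFL` message shapes that appear in the excerpt above, groups packets by (source, destination, protocol), records the ingress zone and egress interface the SRX chose, and lists every direction for which no reverse-direction packet was captured. The embedded log lines are constructed to mimic the excerpt; the extra filter names filter-trust and trust-to-dvpn and the 10.0.0.60 host are assumptions used only to show what a two-way flow looks like next to a one-way one. It relies on flow-debug printing a packet's stages consecutively, so that a `routed` line belongs to the `matched filter` line just before it.

```python
import re
import sys

# Message shapes taken from the SRX flow-debug excerpt in the post:
#   <src/sport->dst/dport;proto> matched filter NAME:
#   routed (x_dst_ip D) from ZONE (IFL in N) to IFL, Next-hop: NH
FLOW_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sp>\d+)->(?P<dst>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<filter>[\w-]+)"
)
ROUTED_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst>[\d.]+)\) from (?P<in_zone>\S+) "
    r"\((?P<in_ifl>\S+) in \d+\) to (?P<out_ifl>[^,]+), Next-hop: (?P<nh>[\d.]+)"
)

# Constructed sample modelled on the excerpt: two echo requests from the VPN
# client towards the camera with no reply captured, and one request to a
# Trusted-zone host (10.0.0.60) whose reply is captured. The filter names
# filter-trust and trust-to-dvpn are assumed, not from the post.
SAMPLE_LOG = """\
Oct 16 13:09:59 13:09:59.896426:CID-0:RT:<10.5.0.5/70->10.60.0.2/1;1> matched filter filter-dvpn:
Oct 16 13:09:59 13:09:59.896426:CID-0:RT: pp0.0:10.5.0.5->10.60.0.2, icmp, (8/0)
Oct 16 13:09:59 13:09:59.896637:CID-0:RT: routed (x_dst_ip 10.60.0.2) from Internet (pp0.0 in 0) to vlan.60, Next-hop: 10.60.0.2
Oct 16 13:10:00 13:10:00.901000:CID-0:RT:<10.5.0.5/71->10.60.0.2/1;1> matched filter filter-dvpn:
Oct 16 13:10:00 13:10:00.901200:CID-0:RT: routed (x_dst_ip 10.60.0.2) from Internet (pp0.0 in 0) to vlan.60, Next-hop: 10.60.0.2
Oct 16 13:10:05 13:10:05.100000:CID-0:RT:<10.5.0.5/72->10.0.0.60/1;1> matched filter filter-trust:
Oct 16 13:10:05 13:10:05.100200:CID-0:RT: routed (x_dst_ip 10.0.0.60) from Internet (pp0.0 in 0) to vlan.2, Next-hop: 10.0.0.60
Oct 16 13:10:05 13:10:05.101000:CID-0:RT:<10.0.0.60/72->10.5.0.5/0;1> matched filter trust-to-dvpn:
Oct 16 13:10:05 13:10:05.101200:CID-0:RT: routed (x_dst_ip 10.5.0.5) from Trusted (vlan.2 in 0) to pp0.0, Next-hop: 10.5.0.5
"""


def parse_flow_debug(text):
    """Group matched-filter packets by (src, dst, proto) and attach routing info.

    Assumes flow-debug prints a packet's stages one after another, so the
    'routed' line that follows a 'matched filter' line belongs to that packet.
    """
    flows = {}
    current = None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            key = (m["src"], m["dst"], int(m["proto"]))
            current = flows.setdefault(key, {
                "packets": 0, "filters": set(),
                "in_zone": None, "out_ifl": None, "next_hop": None,
            })
            current["packets"] += 1
            current["filters"].add(m["filter"])
            continue
        m = ROUTED_RE.search(line)
        if m and current is not None:
            current["in_zone"] = m["in_zone"]
            current["out_ifl"] = m["out_ifl"]
            current["next_hop"] = m["nh"]
    return flows


def one_way_flows(flows):
    """Directions for which no packet was captured going the other way."""
    return sorted(key for key in flows if (key[1], key[0], key[2]) not in flows)


def report(flows):
    """One summary line per captured direction."""
    lines = []
    for (src, dst, proto), rec in sorted(flows.items()):
        reverse_seen = (dst, src, proto) in flows
        lines.append(
            f"{src} -> {dst} proto {proto}: {rec['packets']} pkt(s), "
            f"in {rec['in_zone']} out {rec['out_ifl']} nh {rec['next_hop']}, "
            f"reverse seen: {'yes' if reverse_seen else 'NO'}"
        )
    return lines


if __name__ == "__main__":
    # Pass a saved 'show log flow-debug' capture as the first argument,
    # otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    flows = parse_flow_debug(text)
    print("\n".join(report(flows)))
    for src, dst, proto in one_way_flows(flows):
        print(f"no return traffic captured for {src} -> {dst} (proto {proto})")
```

Run it over the whole saved log rather than a `| match` subset so the `routed` lines for every direction are present. On the sample it reports the 10.5.0.5 -> 10.60.0.2 direction as having been routed out vlan.60 with no reverse packet captured, while the 10.0.0.60 exchange shows both directions, which is the same distinction the two packet-filters in the config are meant to surface.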