[j-nsp] (no subject)
matan tal
matantal23 at gmail.com
Tue Jul 8 03:27:39 EDT 2014
Hey everyone.
I was using the Juniper official guide to deploy a dynamic VPN on an SRX110.
This is the script:
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$SGAl87NdsJGiNdjqfQ9CO1REclKM8dwY8L"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface pp0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user matan
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter test source-prefix 172.16.100.0/24
set security flow traceoptions packet-filter test destination-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 source-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 destination-prefix 172.16.100.0/24
set security flow tcp-mss all-tcp mss 1350
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces at-1/0/0.0
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
set security zones security-zone trust address-book address loop 200.200.200.40/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10
set security zones security-zone trust interfaces at-1/0/0.1
set access profile dyn-vpn-access-profile client matan firewall-user password "$9$OXBY1hreK8NVYuOMXxN2g"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
The problem is that I can connect using Pulse (Windows 7 32-bit) but can't reach the protected resource.
Using traceoptions and logging, it seems that no traffic matches the client.
On the SRX I'm getting this info:
bezeq@SMB> show security ipsec security-associations
  Total active tunnels: 1
  ID          Algorithm        SPI       Life:sec/kb   Mon  lsys  Port   Gateway
  <268173324  ESP:aes-128/sha1 257a7e0   3594/ 500000  -    root  54223  109.66.170.220
  >268173324  ESP:aes-128/sha1 fda75566  3594/ 500000  -    root  54223  109.66.170.220
bezeq@SMB> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:      0
  Decrypted bytes:      0
  Encrypted packets:    0
  Decrypted packets:    0
AH Statistics:
  Input bytes:          0
  Output bytes:         0
  Input packets:        0
  Output packets:       0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
Help will be much appreciated :)
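An added example (not from the original post or from Juniper's guide) of the cross-reference check a practitioner would run over a dynamic-VPN configuration like the one above before reaching for flow traceoptions. It parses the `set` form of the configuration and verifies that each `dynamic-vpn clients` group points at a configured IPsec VPN, that the VPN's IKE gateway names an XAuth access profile that exists and holds the listed users, that the gateway's external interface sits in a zone that accepts IKE inbound (at interface or zone level), that a policy from that zone ends in `then permit tunnel ipsec-vpn <vpn>`, and that the client address pool does not overlap the remote-protected-resources. The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the posted configuration with the password hash replaced by a placeholder; the function names and finding messages are this example's own. It goes beyond the single posted setup in that it checks every client group, gateway and zone in whatever configuration it is given.

```python
"""Cross-reference checks for a Junos SRX dynamic-VPN configuration (added example)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: trimmed copy of the posted config, password hash replaced by a placeholder.
SAMPLE_CONFIG = """\
set security ike gateway dyn-vpn-local-gw external-interface pp0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user matan
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces pp0.0
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set access profile dyn-vpn-access-profile client matan firewall-user password "placeholder"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
"""


def parse_set_config(text):
    """Tokenise each `set ...` line (output of `show configuration | display set`); shlex keeps quoted values whole."""
    return [shlex.split(l.strip())[1:] for l in text.splitlines() if l.strip().startswith("set ")]


def check_dynamic_vpn(config_text):
    """Return a list of findings; an empty list means every reference lines up."""
    st = parse_set_config(config_text)
    profile_users, profile_pool, pool_net = defaultdict(set), {}, {}
    vpn_gateway, gw_xauth, gw_extif = {}, {}, {}
    zone_of_ifl, ike_inbound, tunnel_policies = {}, set(), defaultdict(set)  # ike_inbound: ifl or zone names
    groups = defaultdict(lambda: {"vpn": None, "resources": [], "users": []})

    for s in st:                                  # single pass collecting every object we need
        if s[:2] == ["access", "profile"] and len(s) > 5:
            if s[3] == "client":
                profile_users[s[2]].add(s[4])
            elif s[3:5] == ["address-assignment", "pool"]:
                profile_pool[s[2]] = s[5]
        elif s[:3] == ["access", "address-assignment", "pool"] and s[4:7] == ["family", "inet", "network"]:
            pool_net[s[3]] = s[7]
        elif s[:3] == ["security", "ipsec", "vpn"] and s[4:6] == ["ike", "gateway"]:
            vpn_gateway[s[3]] = s[6]
        elif s[:3] == ["security", "ike", "gateway"] and s[4:6] == ["xauth", "access-profile"]:
            gw_xauth[s[3]] = s[6]
        elif s[:3] == ["security", "ike", "gateway"] and s[4:5] == ["external-interface"]:
            gw_extif[s[3]] = s[5]
        elif s[:3] == ["security", "zones", "security-zone"]:
            target, rest = s[3], s[4:]            # zone-level statement unless an interface follows
            if rest[:1] == ["interfaces"] and len(rest) > 1:
                zone_of_ifl[rest[1]] = s[3]
                target, rest = rest[1], rest[2:]
            if rest[:2] == ["host-inbound-traffic", "system-services"] and rest[2:3] in (["ike"], ["all"]):
                ike_inbound.add(target)
        elif s[:3] == ["security", "policies", "from-zone"] and "ipsec-vpn" in s:
            i = s.index("ipsec-vpn")
            if s[i - 1] == "tunnel":              # 'then permit tunnel ipsec-vpn <name>'
                tunnel_policies[s[i + 1]].add(s[3])
        elif s[:3] == ["security", "dynamic-vpn", "clients"] and len(s) > 5:
            key = {"ipsec-vpn": "vpn", "remote-protected-resources": "resources", "user": "users"}.get(s[4])
            if key == "vpn":
                groups[s[3]]["vpn"] = s[5]
            elif key:
                groups[s[3]][key].append(s[5])

    findings = []
    for name, g in groups.items():
        vpn = g["vpn"]
        if vpn not in vpn_gateway:
            findings.append(f"clients {name}: ipsec-vpn {vpn!r} is not a configured VPN")
            continue
        gw = vpn_gateway[vpn]
        prof, ifl = gw_xauth.get(gw), gw_extif.get(gw)
        zone = zone_of_ifl.get(ifl)
        if prof not in profile_users and prof not in profile_pool:
            findings.append(f"gateway {gw}: xauth access-profile {prof!r} does not exist")
        if zone is None:
            findings.append(f"gateway {gw}: external-interface {ifl!r} is in no security zone")
        else:
            if ifl not in ike_inbound and zone not in ike_inbound:
                findings.append(f"zone {zone}: {ifl} does not accept IKE in host-inbound-traffic")
            if zone not in tunnel_policies[vpn]:
                findings.append(f"no policy from-zone {zone} with 'then permit tunnel ipsec-vpn {vpn}'")
        for user in g["users"]:
            if user not in profile_users[prof]:
                findings.append(f"user {user} is not a client of access profile {prof!r}")
        net = pool_net.get(profile_pool.get(prof))
        if net is None:
            findings.append(f"access profile {prof!r} hands out no address pool with a network")
            continue
        net = ipaddress.ip_network(net, strict=False)
        for res in g["resources"]:                # the pool must not collide with what it protects
            if net.overlaps(ipaddress.ip_network(res, strict=False)):
                findings.append(f"client pool {net} overlaps protected resource {res}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_dynamic_vpn(SAMPLE_CONFIG)) or "no findings")
```

Feed it the text of `show configuration | display set` from the SRX. An empty result, as with the posted configuration, means the objects reference each other correctly and a tunnel that is up with zero ESP counters has to be chased on the data path (the flow traceoptions already in the config) or on the client side rather than in the VPN, zone and policy wiring.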