[j-nsp] Dynamic vpn on srx - connected but no traffic over tunnel.

matan tal matantal23 at gmail.com
Tue Jul 8 04:16:01 EDT 2014


Hey everyone.
I was using the Juniper official guide to deploy a dynamic VPN on an SRX110.
This is the script:

set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$SGAl87NdsJGiNdjqfQ9CO1REclKM8dwY8L"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface pp0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user matan
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter test source-prefix 172.16.100.0/24
set security flow traceoptions packet-filter test destination-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 source-prefix 172.16.1.254/32
set security flow traceoptions packet-filter test2 destination-prefix 172.16.100.0/24
set security flow tcp-mss all-tcp mss 1350
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces at-1/0/0.0
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
set security zones security-zone trust address-book address loop 200.200.200.40/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10
set security zones security-zone trust interfaces at-1/0/0.1
set access profile dyn-vpn-access-profile client matan firewall-user password "$9$OXBY1hreK8NVYuOMXxN2g"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

The problem is that I can connect using Pulse (Windows 7, 32-bit) but can't
reach the protected resource.
Using traceoptions and logging, it seems that no traffic matches the client.
On the SRX I'm getting this info:
bezeq@SMB> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI     Life:sec/kb  Mon lsys Port  Gateway
  <268173324 ESP:aes-128/sha1 257a7e0 3594/  500000 - root 54223 109.66.170.220
  >268173324 ESP:aes-128/sha1 fda75566 3594/  500000 - root 54223 109.66.170.220

show sec ipsec stati:
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

Help will be much appreciated :)
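An added helper, not from the post and not a Junos feature, that parses the two outputs quoted above (`show security ipsec security-associations` and `show security ipsec statistics`) and maps an established SA with zero ESP counters to the next thing to check. The sample text is constructed from the figures in the post, and the branching rules are this example's own assumption.

```python
import re

# Constructed sample output modelled on the post: one established SA, all ESP counters zero.
SA_OUTPUT = """\
  Total active tunnels: 1
  <268173324 ESP:aes-128/sha1 257a7e0 3594/  500000 - root 54223 109.66.170.220
  >268173324 ESP:aes-128/sha1 fda75566 3594/  500000 - root 54223 109.66.170.220
"""
STATS_OUTPUT = """\
ESP Statistics:
  Encrypted packets:              0
  Decrypted packets:              0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

SA_LINE = re.compile(r"^\s*([<>])(\d+)\s+(\S+)\s+([0-9a-f]+)\s+.*?(\S+)\s*$")
COUNTER = re.compile(r"([A-Za-z ]+?):\s*(\d+)")

def parse_sas(text):
    """One dict per SA row: direction (< inbound, > outbound), id, algorithm, SPI, peer."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            d, sa_id, alg, spi, gw = m.groups()
            sas.append({"dir": d, "id": sa_id, "alg": alg, "spi": spi, "gw": gw})
    return sas

def parse_counters(text):
    """Flatten every 'name: value' pair; the Errors block has several per line."""
    return {name.strip(): int(val) for name, val in COUNTER.findall(text)}

def diagnose(sas, c):
    """Turn the SA table plus ESP counters into the next thing to check."""
    if not sas:
        return "no SA: IKE/IPsec negotiation has not completed"
    errs = {k: v for k, v in c.items() if any(w in k for w in ("failure", "error", "Bad"))}
    if any(errs.values()):
        return "SA up but errors: " + ", ".join(f"{k}={v}" for k, v in errs.items() if v)
    enc, dec = c.get("Encrypted packets", 0), c.get("Decrypted packets", 0)
    if enc == 0 and dec == 0:
        return "SA up but idle: no packet from either side has entered the tunnel"
    if (enc == 0) != (dec == 0):
        return f"one-way only: encrypted={enc} decrypted={dec}; check policy/route on the silent side"
    return "traffic flowing in both directions"
```

With the post's figures this reports the SA as up but idle, i.e. the SRX has neither received nor sent a single ESP packet on the tunnel, which separates a routing or client-side selector problem from a policy or decryption problem.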
