[j-nsp] Dynamic vpn on srx - connected but no traffic over tunnel.

matan tal matantal23 at gmail.com
Wed Jul 9 03:33:11 EDT 2014


Well, it was my bad.
Seems it was working from the beginning :):)
The problem was with my PC.
Tried on another laptop and it works like a charm!


2014-07-09 6:11 GMT+03:00 Levi Pederson <levipederson at mankatonetworks.net>:

> It's part of the policy you make:
>     trust-untrust then permit tunnel ipsec-vpn [vpn] pair-policy untrust-trust
>     untrust-trust then permit tunnel ipsec-vpn [vpn] pair-policy trust-untrust
>
> *Levi Pederson*
> Mankato Networks LLC
> cell | 612.481.0769
> work | 612.787.7392
> levipederson at mankatonetworks.net
>
>
>
>
> On Tue, Jul 8, 2014 at 8:49 AM, matan tal <matantal23 at gmail.com> wrote:
>
>> Sorry, I am not familiar with this command.
>> What is the exact syntax?
>> And what is it used for?
>> Thanks for the help.
>>
>>
>>
>> 2014-07-08 16:45 GMT+03:00 Levi Pederson <
>> levipederson at mankatonetworks.net>:
>>
>>> Don't forget the pair-policy command
>>>
>>> Thank you,
>>>
>>>
>> *Levi Pederson*
>> Mankato Networks LLC
>> cell | 612.481.0769
>> work | 612.787.7392
>> levipederson at mankatonetworks.net
>>
>>
>>
>>
>> On Tue, Jul 8, 2014 at 8:43 AM, matan tal <matantal23 at gmail.com> wrote:
>>
>>> I am matching:
>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
>>>
>>> :)
>>>
>>>
>>> 2014-07-08 15:58 GMT+03:00 Levi Pederson <
>>> levipederson at mankatonetworks.net>:
>>>
>>>> Looks like you are missing the security policies part of the VPN. You
>>>> are not matching any traffic and not pushing it into the tunnel.
>>>> On Jul 8, 2014 3:18 AM, "matan tal" <matantal23 at gmail.com> wrote:
>>>>
>>>>> Hey everyone.
>>>>> I was using the Juniper official guide to deploy a dynamic VPN on an
>>>>> SRX110.
>>>>> This is the script:
>>>>>
>>>>> set security ike policy ike-dyn-vpn-policy mode aggressive
>>>>> set security ike policy ike-dyn-vpn-policy proposal-set standard
>>>>> set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$SGAl87NdsJGiNdjqfQ9CO1REclKM8dwY8L"
>>>>> set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
>>>>> set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
>>>>> set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
>>>>> set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
>>>>> set security ike gateway dyn-vpn-local-gw external-interface pp0.0
>>>>> set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
>>>>> set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
>>>>> set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
>>>>> set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
>>>>> set security dynamic-vpn access-profile dyn-vpn-access-profile
>>>>> set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
>>>>> set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
>>>>> set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
>>>>> set security dynamic-vpn clients all ipsec-vpn dyn-vpn
>>>>> set security dynamic-vpn clients all user matan
>>>>> set security flow traceoptions file flow-debug
>>>>> set security flow traceoptions flag basic-datapath
>>>>> set security flow traceoptions packet-filter test source-prefix 172.16.100.0/24
>>>>> set security flow traceoptions packet-filter test destination-prefix 172.16.1.254/32
>>>>> set security flow traceoptions packet-filter test2 source-prefix 172.16.1.254/32
>>>>> set security flow traceoptions packet-filter test2 destination-prefix 172.16.100.0/24
>>>>> set security flow tcp-mss all-tcp mss 1350
>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
>>>>> set security zones security-zone untrust host-inbound-traffic system-services all
>>>>> set security zones security-zone untrust host-inbound-traffic protocols all
>>>>> set security zones security-zone untrust interfaces at-1/0/0.0
>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services https
>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
>>>>> set security zones security-zone trust address-book address loop 200.200.200.40/32
>>>>> set security zones security-zone trust host-inbound-traffic system-services all
>>>>> set security zones security-zone trust host-inbound-traffic protocols all
>>>>> set security zones security-zone trust interfaces vlan.10
>>>>> set security zones security-zone trust interfaces at-1/0/0.1
>>>>> set access profile dyn-vpn-access-profile client matan firewall-user password "$9$OXBY1hreK8NVYuOMXxN2g"
>>>>> set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
>>>>> set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
>>>>> set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
>>>>> set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
>>>>> set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
>>>>> set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
>>>>>
>>>>> The problem is that I can connect using Pulse (Windows 7 32-bit) but
>>>>> can't reach the protected resource.
>>>>> Using traceoptions and logging, it seems that no traffic matches the
>>>>> client.
>>>>> On the SRX I'm getting this info:
>>>>> bezeq at SMB> show security ipsec security-associations
>>>>>   Total active tunnels: 1
>>>>>   ID    Algorithm       SPI     Life:sec/kb  Mon lsys Port  Gateway
>>>>>   <268173324 ESP:aes-128/sha1 257a7e0 3594/  500000 - root 54223 109.66.170.220
>>>>>   >268173324 ESP:aes-128/sha1 fda75566 3594/  500000 - root 54223 109.66.170.220
>>>>>
>>>>> show sec ipsec stati:
>>>>> ESP Statistics:
>>>>>   Encrypted bytes:                0
>>>>>   Decrypted bytes:                0
>>>>>   Encrypted packets:              0
>>>>>   Decrypted packets:              0
>>>>> AH Statistics:
>>>>>   Input bytes:                    0
>>>>>   Output bytes:                   0
>>>>>   Input packets:                  0
>>>>>   Output packets:                 0
>>>>> Errors:
>>>>>   AH authentication failures: 0, Replay errors: 0
>>>>>   ESP authentication failures: 0, ESP decryption failures: 0
>>>>>   Bad headers: 0, Bad trailers: 0
>>>>>
>>>>> Help will be much appreciated :):):)
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>
>>
>
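For readers landing on this thread later: below is an added example (not from the thread, and not Juniper's documentation) of the two-direction policy pair that Levi describes, written in the same set-command style as the original post. The untrust-to-trust policy is the one matan already had; the trust-to-untrust policy and the two pair-policy statements are the part he was being pointed at. The policy name dyn-vpn-policy-out and the address-book entries dyn-vpn-pool and protected-lan are assumptions introduced here; they replace the "any"/"any" match from the original config with the client address pool and the protected subnet the post already uses, so that only dynamic-VPN client traffic is pulled into the tunnel.

```junos
## Assumed address-book entries (not in the original post): the dynamic-VPN
## client pool lives in untrust, the protected subnet lives in trust.
set security zones security-zone untrust address-book address dyn-vpn-pool 172.16.100.0/24
set security zones security-zone trust address-book address protected-lan 172.16.1.0/24

## Inbound direction (client -> protected resource). Same policy as the
## original post, with the match tightened to the pool and protected subnet.
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address dyn-vpn-pool
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address protected-lan
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel pair-policy dyn-vpn-policy-out

## Return direction (protected resource -> client). Policy name is assumed.
## Without this policy and the pair-policy binding, replies from the LAN are
## evaluated by the trust-to-untrust rulebase and never enter the tunnel.
set security policies from-zone trust to-zone untrust policy dyn-vpn-policy-out match source-address protected-lan
set security policies from-zone trust to-zone untrust policy dyn-vpn-policy-out match destination-address dyn-vpn-pool
set security policies from-zone trust to-zone untrust policy dyn-vpn-policy-out match application any
set security policies from-zone trust to-zone untrust policy dyn-vpn-policy-out then permit tunnel ipsec-vpn dyn-vpn
set security policies from-zone trust to-zone untrust policy dyn-vpn-policy-out then permit tunnel pair-policy dyn-vpn-policy

## Verification after commit: the SA should be up as in the original post,
## and the ESP encrypted/decrypted counters should now increase with traffic.
## (operational-mode commands, run from the CLI prompt)
## show security ipsec security-associations
## show security ipsec statistics
## show security policies from-zone trust to-zone untrust
```

The symptom to watch for is the one in the first post: an active SA under "show security ipsec security-associations" together with all-zero ESP counters under "show security ipsec statistics". That combination means IKE and IPsec negotiated fine and the gap is in what the flow engine is choosing to send through the tunnel, which is a policy question, not a crypto one.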

