JNCIE-SEC : Dynamic VPN

In today’s post I will write about how we can setup Dynamic VPN connection
towards an SRX device in several scenarios This is part of my JNCIE-SEC
studies although I am falling very behind my schedule:( Let’s get started:

IPsec VPNs

  • Scenario1: Client receives an IP address which is already used inside the local network by other clients and split tunneling active
  • Scenario2: Client also accesses the Internet through the tunnel, if the term is correct no-split tunneling

Scenario1
According to the topology, I assume that XP-client is on Internet. Though they are directly connected you can imagine that is a client somewhere on Internet whose default gateway is 192.168.2.254

Based on this, I configure SRX to establish a dynamic vpn connection.

Enable HTTPS connection for the client and make sure no port forwarding/NAT is enabled
for the IP 192.168.2.100

Create profile, vpn user, assign a pool. We are allocating IPs between 150-160 to
the clients on 192.168.103.0/24 network.

Create IKE and IPSEC configuration

Define protected networks i.e for which networks client will route to the tunnel

fe-0/0/0.0 interface belongs to srx100-wan zone and the network that the client receives IP belongs to transit-zone zone. Documentation recommends to put this any any rule on top of any other policy but it didn’t work for me. That is why I put it to the end. I represented previous rules with dots.

As the final check we make sure that IKE and HTTPS are allowed on the external-interface

Now we connect via pulse client, we have the following routes available on the client: By the way, I had upgraded my SRX100 from 11.4R7.5 to 12.1X44-D20 and pulse informed me during the connection establishment to SRX that a new version of pulse client is available. I didn’t know that pulse also does this check:)

pulse_pushed_networks2

In this screenshot we can see that protected networks

are pushed to the client and client has received 192.168.103.157 IP. We can also check from SRX side as below. What I really didn’t understand is how SRX picks local-identity because to me it looked random. First I thought it picks the lowest network then I noticed that it keeps changing. I don’t know it yet!

We can also see that IKE port is 4500 not 500 for dynamic vpn.

Now I try to ping from this XP client IP address 192.168.103.20 but it doesn’t work. Because I forgot to add the proxy-arp config. Because client is receiving IP from an inside network, SRX has to do proxy arp on behalf of its vpn clients.

Once I add the following proxy-arp on vlan.103 interface, ping works. Now I can reach the internal resources on 192.168.103.20 network or in general
networks in transit-zone.

When I try to ping an available host 192.168.200.254, I can see that I can’t ping it.

We can see that this network is connected to vlan.200 interface which is in mgt zone.

A flow traceoptions is also showing that it is denied by default policy.

What I found a bit odd here is that context is from the public zone (srx100-wan) towards mgt zone. This creates a challenge here as I have to put the following policy to let this traffic through;

To be honest as this is my test system, I added this policy. In a production network, I believe vpn client destination networks should be restricted to one destination zone.

So the rule is:
If the destination network that the client is trying to reach is in a different destination zone than the main ipsec policy is created in i.e in our example transit-zone, then we have to create another policy from srx100-wan to the new zone.

In this scenario, we want the client to receive default gateway from the SRX and force the client to go through SRX for everything i.e even for internet it has to go through SRX. With this current config, client will only use tunnel for the remote-protected-networks. Now I will change this;

Now let’s see what the client received;

no-split-tunneling-srx

As we can see we have two default gateways but the one sent from SRX has metric 1. So now we are supposed to send all traffic towards SRX but Internet won’t work for 2 reasons;

1) Client has a private IP which must be translated
2) Another security policy on the external interface must be added

1) Because from SRX point of view, packet is coming from srx100-wan zone and for Internet it leaves again from srx100-wan external interface, we create nat from srx100-wan to srx100-wan for the client source address 192.168.103.0/24

2 We create the security policy for the same context like nat for the same source address.

After this config, I can see that all traffic from my client is going through the SRX device. Setting a security policy in the external zone like this doesn’t look perfect but this the current design as far as I can see.

This was a long post I suppose. If you have any feedback, please let me know.

6 thoughts on “JNCIE-SEC : Dynamic VPN

  1. Bhar

    Hi ,

    Appreciate your extensive post !

    I see that you have mentioned :

    xauth-attributes {
    primary-dns 192.168.103.20/32;
    secondary-dns 8.8.8.8/32;

    Does it mean that if 192.168.103.157 tries to reach any URL then DNS query will be sent to 192.168.103.20 ?
    or only when traffic is initiated from 192.168.103.157 to remote protected resources ?
    What will be the behavior when the traffic goes to internet and when it goes to remote protected resources ?

    Thanks !
    Bhar

    Reply
    1. rtoodtoo Post author

      Hi, in both cases DNS query will be sent to 192.168.103.20 regardless of the destination network. Apparently Juniper Network Virtual Adapter’s DNS servers take priority over the already configured DNS servers

      Reply
  2. Joel

    Hello,
    I am just tryng to establish Dynamic VPN between Windows 7 C with JunOS Pulse and SRX 210 (JunOS 12.1X44);
    Tunnel seems establsihed and I can see Sent bytes counters incrementing on PC Junos Pulse side;
    but no data flows from SRX to PC back in the tunnel ; Received Bytes counters remains 0;

    When I issue “show security ipsec sa detail, i notice that I have this line shown below, exactly as in your show sec ipsec sa det above :
    ” Tunnel Down Reason: SA not initiated” ;

    So, I was wondering if this is a “normal” status or not : I guess not ;

    thanks for any feedback

    Here is the “show sec ipsec sa” which looks good :
    root@FW01> show security ipsec sa
    node0:
    ————————————————————————–
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    133955588 ESP:aes-128/sha1 dcc3d972 3598/ 500000 – root 63672 89.189.12.91

    here is the full show sec ipsec sa det which shows the Tunnel Down :
    root@HAN-S1-FW01> show security ipsec sa detail
    node0:
    ————————————————————————–
    ID: 133955588 Virtual-system: root, VPN Name: DYN-VPN
    Local Gateway: 10.239.9.4, Remote Gateway: 89.189.12.91
    Local Identity: ipv4_subnet(any:0,[0..7]=10.239.9.0/24)
    Remote Identity: ipv4(any:0,[0..3]=10.239.9.54)
    Version: IKEv1
    DF-bit: clear
    Policy-name: DYN-VPN-POLICY
    Port: 63672, Nego#: 8, Fail#: 0, Def-Del#: 0 Flag: 608829
    Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3cb3eaee, AUX-SPI: 0
    , VPN Monitoring: –
    Hard lifetime: Expires in 3595 seconds
    Lifesize Remaining: 500000 kilobytes
    Soft lifetime: Expires in 3016 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: dcc3d972, AUX-SPI: 0
    , VPN Monitoring: –
    Hard lifetime: Expires in 3595 seconds
    Lifesize Remaining: 500000 kilobytes
    Soft lifetime: Expires in 3016 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Reply
  3. Joel

    The show sec ipsec sa was incomplete in my previous update :
    Here it is :

    root@FW01> show security ipsec sa
    node0:
    ————————————————————————–
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    133955588 ESP:aes-128/sha1 dcc3d972 3598/ 500000 – root 63672 89.189.12.91

    Reply
  4. Joel

    root@FW01> show security ipsec sa
    ————————————————————————–
    Total active tunnels: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    133955588 ESP:aes-128/sha1 3cb3eaee 3598/ 500000 – root 63672 89.189.12.91
    133955588 ESP:aes-128/sha1 dcc3d972 3598/ 500000 – root 63672 89.189.12.91

    .

    Reply

You have a feedback?