[SRX] How to allow protected resource to initiate traffic towards Dynamic VPN Clients

[KB32699]


Summary:

Traffic initiated from the Protected Resource to the Dynamic VPN Client can pass through the Dynamic VPN tunnel using NCP Client Software.

Dynamic VPN with Pulse Secure client software had a limitation: a remote protected resource could not reach the client when the traffic was initiated from the protected resource. For more information, refer to KB21800 - [SRX] Traffic initiated from the Protected Resource to the Dynamic VPN Client does not pass through the Dynamic VPN tunnel using Pulse Secure Client Software

Symptoms:

Dynamic VPN with NCP client software supports traffic initiated from the protected resource toward the client, so the remote protected resource can reach the client.

Solution:
With NCP client software, traffic initiated from the protected resource to the Dynamic VPN client can pass through the Dynamic VPN tunnel. The solution uses the route-based VPN concept (the VPN is bound to an st0 tunnel interface that is placed in a security zone), which allows bi-directional communication through ordinary security policies.

Note: The Juniper-specific NCP client is available for SRX deployments running Junos OS 15.1X49-D80 or higher, via the NCP Exclusive Remote Access Solution for Juniper SRX Series.

Refer to the following KB articles on NCP:
KB17266 - NCP Secure Client – Juniper Edition (IPsec client) FAQ
KB31616 - Juniper SRX Remote Access Solution - Frequently Asked Questions (FAQ)

Topology:

Client(NCP_Client_Software)---------(ge-0/0/0)_SRX_(ge-0/0/1)---------Remote_protected_resource(1.1.1.1/32)

Configuration on SRX:

Phase 1:

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text Juniper
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "win1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/0
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set security ike gateway remote-vpn1 version v1-only

Phase 2:

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource to which client wants to reach
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0

Access_profile:

set access profile aaa-prof1 authentication-order password
set access profile aaa-prof1 client win1 firewall-user password "$9$K2yWXNs2aikPdbkP5Q9CKM8"
set access profile aaa-prof1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24 <-- Subnet from which IP assigned to Client
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32
 

Other configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone VM_SRX_340 interfaces st0.0

Security policies for bi-direction traffic:

set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match destination-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match application any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit 

set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match destination-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match application any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit

On NCP Client:

Add the remote protected resource subnet under split tunneling (Configuration > Profiles > Edit > Split Tunneling).
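The steps above amount to four conditions on the SRX side: the VPN is bound to an st0 interface, that interface belongs to a security zone, the traffic selector's local-ip covers the protected resource, and security policies permit traffic in both directions between the tunnel zone and the resource zone. The following script is an added audit example, not part of this article or of Junos; it parses set-style configuration, checks those four conditions, and additionally flags algorithm and mode keywords that the script itself (not Junos) treats as legacy. The constructed sample reuses the article's set commands; the resource zone name 340_210_r2323 is taken from the article's policy statements and is assumed to be the zone holding ge-0/0/1.

```python
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed sample: the article's set commands reduced to the lines this audit inspects.
# One "<-- ..." annotation is kept on purpose so the parser shows how such notes are stripped.
SAMPLE_CONFIG = """
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike policy ike-pol2 mode aggressive
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces st0.0
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit
"""

# Keywords this audit (an assumption of the script, not a Junos list) reports as legacy.
LEGACY_KEYWORDS = {"md5", "hmac-md5-96", "3des-cbc", "des-cbc", "group1", "group2", "aggressive"}


def parse_set_lines(text: str) -> List[List[str]]:
    """Turn Junos 'set ...' lines into token lists, dropping blanks and '<-- ...' notes."""
    commands = []
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()
        if line.startswith("set "):
            commands.append(line.split())
    return commands


def _value_after(tokens: List[str], key: str) -> Optional[str]:
    """Return the token that follows `key`, or None when absent."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_dynamic_vpn(config_text: str, resource_ip: str, resource_zone: str) -> Dict[str, object]:
    """Check the prerequisites for resource-initiated traffic over a route-based dynamic VPN."""
    cmds = parse_set_lines(config_text)
    resource = ipaddress.ip_address(resource_ip)
    report: Dict[str, object] = {
        "vpn": None, "bind_interface": None, "tunnel_zone": None,
        "selector_covers_resource": False,
        "policy_tunnel_to_resource": False, "policy_resource_to_tunnel": False,
        "legacy_settings": [],
    }
    zone_of_interface: Dict[str, str] = {}
    for t in cmds:
        if len(t) > 4 and t[1:4] == ["security", "ipsec", "vpn"]:
            report["vpn"] = t[4]
            if "bind-interface" in t:                       # route-based VPN: bound to st0.x
                report["bind_interface"] = _value_after(t, "bind-interface")
            if "traffic-selector" in t and "local-ip" in t:  # local-ip must cover the resource
                local_net = ipaddress.ip_network(_value_after(t, "local-ip"), strict=False)
                if resource in local_net:
                    report["selector_covers_resource"] = True
        elif len(t) > 4 and t[1:4] == ["security", "zones", "security-zone"] and "interfaces" in t:
            zone_of_interface[_value_after(t, "interfaces")] = t[4]
        elif len(t) > 4 and t[1:3] in (["security", "ike"], ["security", "ipsec"]) \
                and t[3] in ("proposal", "policy"):
            for word in t[4:]:
                if word in LEGACY_KEYWORDS and word not in report["legacy_settings"]:
                    report["legacy_settings"].append(word)
    tunnel_zone = zone_of_interface.get(report["bind_interface"])
    report["tunnel_zone"] = tunnel_zone
    for t in cmds:  # permit policies in both directions between tunnel zone and resource zone
        if t[1:3] == ["security", "policies"] and t[-2:] == ["then", "permit"]:
            pair = (_value_after(t, "from-zone"), _value_after(t, "to-zone"))
            if pair == (tunnel_zone, resource_zone):
                report["policy_tunnel_to_resource"] = True
            elif pair == (resource_zone, tunnel_zone):
                report["policy_resource_to_tunnel"] = True
    report["bidirectional_ok"] = bool(
        report["bind_interface"] and tunnel_zone and report["selector_covers_resource"]
        and report["policy_tunnel_to_resource"] and report["policy_resource_to_tunnel"]
    )
    return report


if __name__ == "__main__":
    print(json.dumps(audit_dynamic_vpn(SAMPLE_CONFIG, "1.1.1.1", "340_210_r2323"), indent=2))
```

Run against the article's configuration the report shows all four conditions met, and it lists group2, md5, 3des-cbc, aggressive and hmac-md5-96 as legacy settings; removing the SRX_VM policy turns `bidirectional_ok` off, which is the policy-only failure mode this article's symptoms most often come down to.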

Verification:

root@srx340-r2012# run show security ike active-peer
Remote Address   Port    Peer IKE-ID        AAA username    Assigned IP
10.1.1.2         10952   win1@juniper.net   win1            30.1.1.1            


Client to remote-protected-resource
C:\Windows\system32>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63

Reachability from remote protected resource to client

root@srx210he2-r2323# run ping 30.1.1.1 source 1.1.1.1
PING 30.1.1.1 (30.1.1.1): 56 data bytes
64 bytes from 30.1.1.1: icmp_seq=0 ttl=127 time=3.336 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=127 time=3.526 ms