
[SRX] How to allow protected resource to initiate traffic towards Dynamic VPN Clients


Article ID: KB32699 | Last Updated: 23 Jul 2018 | Version: 1.0
Summary:

Traffic initiated from the Protected Resource to the Dynamic VPN Client can pass through the Dynamic VPN tunnel using NCP Client Software.

Dynamic VPN with the Pulse Secure Client Software had a limitation: a remote protected resource could not reach a client when the traffic was initiated from the protected resource. For more information, refer to KB21800 - [SRX] Traffic initiated from the Protected Resource to the Dynamic VPN Client does not pass through the Dynamic VPN tunnel using Pulse Secure Client Software.

Symptoms:

Dynamic VPN with NCP Client Software supports a remote protected resource reaching the client when the traffic is initiated from the protected resource.

Solution:
With NCP Client software, traffic initiated from the Protected Resource to the Dynamic VPN Client can pass through the Dynamic VPN tunnel. It uses a route-based VPN (the tunnel is bound to an st0 interface), which allows bi-directional communication.

Note: The Juniper-specific NCP client is available for SRX deployments running Junos OS 15.1X49-D80 or later, as the NCP Exclusive Remote Access Solution for Juniper SRX Series.

Refer to the following KB articles on NCP:
KB17266 - NCP Secure Client – Juniper Edition (IPsec client) FAQ
KB31616 - Juniper SRX Remote Access Solution - Frequently Asked Questions (FAQ)

Topology:

Client(NCP_Client_Software)---------(ge-0/0/0)_SRX_(ge-0/0/1)---------Remote_protected_resource(1.1.1.1/32)

Configuration on SRX:

Phase 1:

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text Juniper
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "win1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/0
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set security ike gateway remote-vpn1 version v1-only

Phase 2:

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource to which client wants to reach
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0

Access_profile:

set access profile aaa-prof1 authentication-order password
set access profile aaa-prof1 client win1 firewall-user password "$9$K2yWXNs2aikPdbkP5Q9CKM8"
set access profile aaa-prof1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24 <-- Subnet from which IP assigned to Client
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32

Other configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone VM_SRX_340 interfaces st0.0

Security policies for bi-direction traffic:

set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match destination-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match application any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit 

set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match destination-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match application any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit

On NCP Client:

Add the remote protected resource subnet under split tunneling (Configuration > Profiles > Edit > Split Tunneling).
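The SRX side of this procedure only works when three things line up: the VPN is bound to an st0 unit that sits in a security zone, the traffic selector covers both the protected resource and the client address pool, and a permit policy exists in each zone direction. The following Python audit is an added example (not Juniper's tooling and not part of this article) that checks those conditions on a set-style configuration; the sample statements are taken from the configuration above, and the resource zone name 340_210_r2323 is passed in as an assumption because the article does not show which interface belongs to it.

```python
import ipaddress

# Constructed sample: the SRX 'set' statements from this article that decide
# whether traffic started by the protected resource can reach the NCP client.
SAMPLE_CONFIG = """
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24
set security zones security-zone VM_SRX_340 interfaces st0.0
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit
"""


def parse(text):
    """Split each 'set ...' statement into tokens; any other line is ignored."""
    return [line.split() for line in text.splitlines() if line.strip().startswith("set ")]


def audit(text, vpn, resource_ip, resource_zone):
    """Return findings that would stop resource-initiated traffic reaching the client;
    an empty list means the setup is consistent. Assumes one traffic selector."""
    stmts, findings = parse(text), []
    resource = ipaddress.ip_address(resource_ip)
    # 1. Route-based VPN: the tunnel must be bound to an st0 unit placed in a zone.
    bind = next((s[6] for s in stmts
                 if s[1:6] == ["security", "ipsec", "vpn", vpn, "bind-interface"]), None)
    if bind is None:
        findings.append(f"vpn {vpn}: no bind-interface, so it is not route-based")
    tunnel_zone = next((s[4] for s in stmts if s[1:4] == ["security", "zones", "security-zone"]
                        and s[5:7] == ["interfaces", bind]), None)
    if bind and tunnel_zone is None:
        findings.append(f"{bind} is not assigned to any security zone")
    # 2. Traffic selector: local-ip must cover the resource, remote-ip the client pool.
    ts = {s[7]: ipaddress.ip_network(s[8]) for s in stmts
          if len(s) > 8 and s[1:6] == ["security", "ipsec", "vpn", vpn, "traffic-selector"]}
    if "local-ip" not in ts or resource not in ts["local-ip"]:
        findings.append(f"traffic-selector local-ip does not cover {resource_ip}")
    pools = [ipaddress.ip_network(s[8]) for s in stmts
             if len(s) > 8 and s[1:3] == ["access", "address-assignment"] and s[7] == "network"]
    if "remote-ip" not in ts or not all(p.subnet_of(ts["remote-ip"]) for p in pools):
        findings.append("traffic-selector remote-ip does not cover the client address pool")
    # 3. A permit policy is needed in both zone directions for the reverse-initiated flow.
    permits = {(s[4], s[6]) for s in stmts
               if s[1:4] == ["security", "policies", "from-zone"] and s[9:11] == ["then", "permit"]}
    for src, dst in ((tunnel_zone, resource_zone), (resource_zone, tunnel_zone)):
        if (src, dst) not in permits:
            findings.append(f"no permit policy from-zone {src} to-zone {dst}")
    return findings
```

Run `audit(SAMPLE_CONFIG, "remote-vpn1", "1.1.1.1", "340_210_r2323")` against a `show configuration | display set` export to get an empty list on a consistent setup, or a finding naming the missing piece.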

Verification:

root@srx340-r2012# run show security ike active-peer
Remote Address   Port    Peer IKE-ID        AAA username    Assigned IP
10.1.1.2         10952   win1@juniper.net   win1            30.1.1.1            


Client to remote protected resource:
C:\Windows\system32>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63

Reachability from the remote protected resource to the client:

root@srx210he2-r2323# run ping 30.1.1.1 source 1.1.1.1
PING 30.1.1.1 (30.1.1.1): 56 data bytes
64 bytes from 30.1.1.1: icmp_seq=0 ttl=127 time=3.336 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=127 time=3.526 ms
