
[SRX] Dynamic VPN client connections fail when Destination NAT is also configured on the SRX


Article ID: KB33442 | Last Updated: 25 Jan 2019 | Version: 1.0
Summary:

This article describes a limitation that applies when Dynamic VPN is configured together with Destination NAT on the egress interface.

Symptoms:

Dynamic VPN may not work when Destination NAT is configured on the egress interface, because IKE negotiation always takes place on the interface's primary IP address. Packets from the Pulse clients arrive at the primary address, and because Destination NAT is configured for that IP, the Pulse clients cannot establish a connection. Only HTTPS connections may succeed.

Example Topology:

Internal Network---------SRX-ge-2/0/5.0(66.66.66.66)--Internet-------Pulse Client
                                        66.66.66.67                  66.66.66.65
Solution:

Specify the local-address (the secondary IP address) under the IKE gateway.

Example Configuration and Output:

root# edit security ike
 
[edit security ike]
gateway dyn-vpn-local-gw2 {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-2/0/6.0;
    local-address 66.66.66.67;    >>>>>>>>>>>>>>>>>>> secondary address, not the NAT'd primary
    xauth access-profile dyn-vpn-access-profile;
}

With the local-address set, the Pulse client connects successfully.
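The full combination the article describes, written out as an added example rather than configuration taken from the article: the egress interface carries both public addresses (66.66.66.66 is the primary, since Junos picks the numerically lowest address by default), a Destination NAT rule forwards everything sent to the primary address to an internal host, and the IKE gateway is pinned to the secondary address so the Pulse clients' IKE/ESP traffic is not caught by that rule. The pool and rule-set names, the internal host 192.168.1.10 and the zone name untrust are assumptions for illustration.

```junos
interfaces {
    ge-2/0/6 {
        unit 0 {
            family inet {
                address 66.66.66.66/24;
                address 66.66.66.67/24;
            }
        }
    }
}
security {
    nat {
        destination {
            /* Assumed: all traffic to the primary address is forwarded to 192.168.1.10,
               so IKE/ESP (UDP 500/4500) sent to 66.66.66.66 would be translated as well */
            pool dnat-internal-server {
                address 192.168.1.10/32;
            }
            rule-set dnat-untrust {
                from zone untrust;
                rule to-internal-server {
                    match {
                        destination-address 66.66.66.66/32;
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-internal-server;
                            }
                        }
                    }
                }
            }
        }
    }
    ike {
        gateway dyn-vpn-local-gw2 {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface ge-2/0/6.0;
            /* Bind IKE to the secondary address so client traffic bypasses the NAT rule */
            local-address 66.66.66.67;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
}
```

After committing, `show security ike sa` and `show security ipsec sa` should list the client's remote address, as in the outputs below; if the IKE SA never comes up, confirm with `show security nat destination rule all` that no rule still matches 66.66.66.67.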

Pulse client IKE connection:

root# run show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
595595  UP     1840dbc8def62252  ba91c5fbfbd38cbb  Aggressive     66.66.66.65
 

Pulse client SA:

[edit]
root# run show security ipsec sa
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108880 ESP:aes-cbc-128/sha1 3e0f114d 3536/  500000 - root 56123 66.66.66.65
  >67108880 ESP:aes-cbc-128/sha1 a850df99 3536/  500000 - root 56123 66.66.66.65
 

IP assigned to Pulse client and username:

[edit]
root# run show security ike active-peer
Remote Address       Port     Peer IKE-ID      XAUTH username          Assigned IP
66.66.66.65          56123    client1dynvpn    client1                 10.10.10.15


Primary and secondary IP addresses configured:

[edit]
root# run show interfaces terse ge-2/0/6.0
Interface               Admin Link Proto    Local                 Remote
ge-2/0/5.0              up    up   inet     66.66.66.66 /24       
                                            66.66.66.67/24