
[SRX] How to access remote-protected-resources over Route-based VPN


Article ID: KB36028 | Last Updated: 08 Jul 2020 | Version: 1.0
Summary:

This article provides a configuration example where a Dynamic VPN client is connected to the SRX via Pulse and the client needs to access protected resources located behind a different device and reachable over a Route-based VPN.

For Policy-based VPN, refer to KB36032 - How to access remote-protected-resources over Policy-based VPN

For more information on configuring Route-based VPN, refer to TN108 - Configuration Examples: Route-Based site-to-site VPN (CLI instructions)

Solution:

Topology:

In the scenario above, the Pulse client was assigned an IP address of 30.30.30.1 and can access the protected resources directly connected to the SRX2 (192.168.1.0/24): 

root@srx2# run show security flow session source-prefix 30.30.30.1 
Session ID: 4210, Policy name: Access-Protected-Resources-192/5, Timeout: 2, Valid 
  In: 30.30.30.1/38795 --> 192.168.1.2/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60, 
  Out: 192.168.1.2/1 --> 30.30.30.1/38795;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, 

The Pulse client also needs to reach resources on the far side of a route-based VPN: traffic sourced from 30.30.30.0/24 must reach the subnet 13.13.13.0/24 through the st0.2 interface.

SRX2 Configuration: 

  1. Create a route-based VPN between SRX1 and SRX2. Note that the traffic selectors must describe the interesting traffic, i.e. the Pulse client pool (30.30.30.0/24) as the local prefix and the remote subnet (13.13.13.0/24) as the remote prefix:

    set security ike proposal ike-prop-Pulse-13 authentication-method pre-shared-keys 
    set security ike proposal ike-prop-Pulse-13 dh-group group20 
    set security ike proposal ike-prop-Pulse-13 authentication-algorithm sha1 
    set security ike proposal ike-prop-Pulse-13 encryption-algorithm aes-128-cbc 
    
    set security ike policy ike-pol-Pulse-13 mode main 
    set security ike policy ike-pol-Pulse-13 proposals ike-prop-Pulse-13 
    set security ike policy ike-pol-Pulse-13 pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz" 
    
    set security ike gateway ike-gat-Pulse-13 ike-policy ike-pol-Pulse-13 
    set security ike gateway ike-gat-Pulse-13 address 172.16.30.1 
    set security ike gateway ike-gat-Pulse-13 external-interface ge-0/0/0 
    
    set security ipsec proposal ipsec-pro-Pulse-13 protocol esp
    set security ipsec proposal ipsec-pro-Pulse-13 authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec-pro-Pulse-13 encryption-algorithm aes-128-cbc
    
    set security ipsec policy ipsec-pol-Pulse-13 perfect-forward-secrecy keys group20 
    set security ipsec policy ipsec-pol-Pulse-13 proposals ipsec-pro-Pulse-13 
    
    set security ipsec vpn Pulse-13 bind-interface st0.2 
    set security ipsec vpn Pulse-13 ike gateway ike-gat-Pulse-13 
    set security ipsec vpn Pulse-13 ike ipsec-policy ipsec-pol-Pulse-13 
    set security ipsec vpn Pulse-13 traffic-selector ts1 local-ip 30.30.30.0/24 <--- 
    set security ipsec vpn Pulse-13 traffic-selector ts1 remote-ip 13.13.13.0/24 <--- 
    set security ipsec vpn Pulse-13 establish-tunnels immediately 
  2. Since the remote subnet (13.13.13.0/24) is reached via st0.2, which belongs to the security zone called vpn, configure a security policy from the untrust zone (where the Pulse client traffic arrives) to the vpn zone:

    set security policies from-zone untrust to-zone vpn policy Access-to-VPN-site match source-address any 
    set security policies from-zone untrust to-zone vpn policy Access-to-VPN-site match destination-address any 
    set security policies from-zone untrust to-zone vpn policy Access-to-VPN-site match application any 
    set security policies from-zone untrust to-zone vpn policy Access-to-VPN-site then permit
  3. Do not forget to add the subnet 13.13.13.0/24 as a remote protected resource under the dynamic-vpn hierarchy, so that the Pulse client sends traffic for it through the tunnel:

    set security dynamic-vpn clients ALL remote-protected-resources 192.168.1.0/24 
    set security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24  <--- 
    set security dynamic-vpn clients ALL remote-exceptions 0.0.0.0/0 
    set security dynamic-vpn clients ALL ipsec-vpn DYN-VPN 
    set security dynamic-vpn clients ALL user borat 
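The three steps above must agree with each other (client pool inside the selector's local-ip, remote subnet listed as a protected resource, permit policy into the st0 zone). The following added consistency check is example code, not part of the article or of Junos; it assumes a constructed `set`-format sample and a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: the SRX2 statements from this article that the check
# needs. The zone line for st0.2 is assumed (the article only says st0.2 is
# in the zone called vpn); the remote-protected-resources lines are as shown.
SRX2_CONFIG = """
set security ipsec vpn Pulse-13 bind-interface st0.2
set security ipsec vpn Pulse-13 traffic-selector ts1 local-ip 30.30.30.0/24
set security ipsec vpn Pulse-13 traffic-selector ts1 remote-ip 13.13.13.0/24
set security zones security-zone vpn interfaces st0.2
set security policies from-zone untrust to-zone vpn policy Access-to-VPN-site then permit
set security dynamic-vpn clients ALL remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24
"""

def grab(cfg, pattern):
    """Capture groups of every 'set' line in cfg matching pattern."""
    return re.findall(pattern, cfg, re.M)

def check_dynvpn_over_route_vpn(cfg, client_pool, client_zone="untrust"):
    """Hypothetical helper: list what would stop a Dynamic VPN client from
    client_pool (arriving in client_zone) reaching each route-based VPN's
    remote subnet. An empty list means all three article conditions hold."""
    pool = ipaddress.ip_network(client_pool, strict=False)
    zone_of = {i: z for z, i in grab(cfg, r"^set security zones security-zone (\S+) interfaces (\S+)$")}
    protected = [ipaddress.ip_network(p, strict=False) for p in grab(cfg, r"^set security dynamic-vpn clients \S+ remote-protected-resources (\S+)$")]
    permitted = set(grab(cfg, r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ then permit$"))
    findings = []
    for vpn, ifc in grab(cfg, r"^set security ipsec vpn (\S+) bind-interface (\S+)$"):
        selectors = {}
        for ts, side, net in grab(cfg, rf"^set security ipsec vpn {re.escape(vpn)} traffic-selector (\S+) (local-ip|remote-ip) (\S+)$"):
            selectors.setdefault(ts, {})[side] = ipaddress.ip_network(net, strict=False)
        for ts, sel in selectors.items():
            local, remote = sel.get("local-ip"), sel.get("remote-ip")
            if local is None or remote is None:
                findings.append(f"{vpn}/{ts}: traffic selector needs both local-ip and remote-ip")
                continue
            # Step 1: the selector's local-ip must cover the addresses Pulse assigns.
            if not pool.subnet_of(local):
                findings.append(f"{vpn}/{ts}: local-ip {local} does not cover client pool {pool}")
            # Step 3: the remote subnet must be pushed to clients as a protected resource.
            if not any(remote.subnet_of(p) for p in protected):
                findings.append(f"{vpn}/{ts}: {remote} missing from remote-protected-resources")
            # Step 2: a policy must permit client zone -> zone of the st0 interface.
            zone = zone_of.get(ifc)
            if (client_zone, zone) not in permitted:
                findings.append(f"{vpn}: no permit policy from {client_zone} to zone {zone} of {ifc}")
    return findings
```

Feed it the output of `show configuration | display set` and the pool handed to Pulse clients; any finding names the step of this article that is incomplete.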

Troubleshooting:

  • Pulse client successfully connected:

  • IP address assigned to Client Virtual Adapter is 30.30.30.1

    root@srx2# run show security ike active-peer 
    Remote Address         Port       Peer IKE-ID         AAA username         Assigned IP 
    20.20.20.2             50825      boratdynvpn         borat                30.30.30.1 <---
    172.16.30.1            500        172.16.30.1         not available        0.0.0.0 
  • Sessions shown on SRX2: traffic from the client to 13.13.13.0/24 matches policy Access-to-VPN-site and egresses via st0.2

    root@srx2# run show security flow session source-prefix 30.30.30.1 
    Session ID: 3359, Policy name: Access-to-VPN-site/6, Timeout: 2, Valid 
      In: 30.30.30.1/38558 --> 13.13.13.3/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60, 
      Out: 13.13.13.3/1 --> 30.30.30.1/38558;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 60, 
    Session ID: 3361, Policy name: Access-to-VPN-site/6, Timeout: 2, Valid
      In: 30.30.30.1/38559 --> 13.13.13.3/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
      Out: 13.13.13.3/1 --> 30.30.30.1/38559;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 60,
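The flow session output is what confirms the design works: a client session to the remote subnet must show the expected policy and st0.2 as its Out interface. The following added parser and check is example code, not part of the article or of Junos; it assumes a constructed sample modelled on the outputs above and hypothetical function names.

```python
import ipaddress
import re

# Constructed sample modelled on the two "show security flow session" outputs
# in this article: one session to the directly connected subnet, one to the
# subnet behind the route-based VPN.
SESSION_OUTPUT = """\
Session ID: 4210, Policy name: Access-Protected-Resources-192/5, Timeout: 2, Valid
  In: 30.30.30.1/38795 --> 192.168.1.2/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 192.168.1.2/1 --> 30.30.30.1/38795;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,
Session ID: 3359, Policy name: Access-to-VPN-site/6, Timeout: 2, Valid
  In: 30.30.30.1/38558 --> 13.13.13.3/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 13.13.13.3/1 --> 30.30.30.1/38558;icmp, Conn Tag: 0x0, If: st0.2, Pkts: 1, Bytes: 60,
"""

HEAD_RE = re.compile(r"Session ID: (\d+), Policy name: ([^/,]+)/\d+")
WING_RE = re.compile(r"(In|Out): (\S+)/\d+ --> (\S+)/\d+;(\w+),.*?If: (\S+),")

def parse_sessions(text):
    """Hypothetical parser: one dict per session. Splitting on 'Session ID:'
    rather than on newlines also copes with output that has been flattened
    onto a single line, as happened to the last session in this article."""
    sessions = []
    for chunk in re.split(r"(?=Session ID: )", text):
        head = HEAD_RE.match(chunk)
        if not head:
            continue
        s = {"id": int(head.group(1)), "policy": head.group(2)}
        for direction, src, dst, proto, ifc in WING_RE.findall(chunk):
            if direction == "In":
                s.update(src=src, dst=dst, proto=proto, in_if=ifc)
            else:
                s["out_if"] = ifc
        sessions.append(s)
    return sessions

def vpn_egress_check(text, client_pool, remote_net, tunnel_if, policy):
    """Map session id -> True when a client session to remote_net leaves on
    the expected st0 interface under the expected policy, False otherwise."""
    pool, remote = ipaddress.ip_network(client_pool), ipaddress.ip_network(remote_net)
    verdicts = {}
    for s in parse_sessions(text):
        if "src" not in s:
            continue  # Out wing only, or malformed: nothing to judge
        if ipaddress.ip_address(s["src"]) in pool and ipaddress.ip_address(s["dst"]) in remote:
            verdicts[s["id"]] = s.get("out_if") == tunnel_if and s["policy"] == policy
    return verdicts
```

A False verdict for a session means the traffic was permitted but not by the VPN policy or not via the tunnel, which usually points back to step 2 or to routing toward st0.2.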