
[SRX] How to access remote-protected-resources over a Policy-based VPN.


Article ID: KB36032    Last Updated: 08 Jul 2020    Version: 1.0
Summary:

This article contains a configuration example in which a Dynamic VPN (Pulse) client is connected to an SRX and needs to reach protected resources that sit behind a different device and are reachable only over a policy-based site-to-site VPN.

For Route-based VPN, refer to KB36028 - How to access remote-protected-resources over Route-based VPN

For information on how to configure a Policy-based VPN, refer to TN107 - Configuration Examples: Policy-Based site-to-site VPN (CLI instructions)

Solution:

Topology:

(The topology diagram is not reproduced here. The following is inferred from the configuration and outputs below: the Pulse client, whose public address is 20.20.20.2, terminates its Dynamic VPN on SRX2's ge-0/0/1 in zone untrust and is assigned an address from 30.30.30.0/24; the resources in 192.168.1.0/24 are directly connected to SRX2 behind ge-0/0/2; SRX1 at 172.16.30.1 is reached through ge-0/0/0 in zone untrust2 over a policy-based VPN and fronts subnet 13.13.13.0/24.)

In this scenario the Pulse client was assigned the IP address 30.30.30.6 and can already access the protected resources directly connected to SRX2 (192.168.1.0/24):

root@srx2# run show security flow session source-prefix 30.30.30.6
Session ID: 215343, Policy name: Access-Protected-Resources-192/5, Timeout: 2, Valid
  In: 30.30.30.6/10405 --> 192.168.1.2/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 192.168.1.2/2 --> 30.30.30.6/10405;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60

Session ID: 215346, Policy name: Access-Protected-Resources-192/5, Timeout: 2, Valid
  In: 30.30.30.6/10406 --> 192.168.1.2/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 192.168.1.2/2 --> 30.30.30.6/10406;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,


The Pulse client also needs to communicate with resources on the other side of a policy-based VPN, so traffic sourced from 30.30.30.0/24 must be able to reach subnet 13.13.13.0/24. The required SRX2 configuration follows.

SRX2 Configuration:

  1. Create the policy-based VPN between SRX1 and SRX2 (SRX2 side shown). The proposals below use SHA-1 and IKEv1 main mode with a pre-shared key, as in the original example; for new deployments prefer SHA-256 where the peer supports it (authentication-algorithm sha-256 for IKE, hmac-sha-256-128 for IPsec):
    set security ike proposal ike-prop-Pulse-13 authentication-method pre-shared-keys 
    set security ike proposal ike-prop-Pulse-13 dh-group group20 
    set security ike proposal ike-prop-Pulse-13 authentication-algorithm sha1 
    set security ike proposal ike-prop-Pulse-13 encryption-algorithm aes-128-cbc 
    
    set security ike policy ike-pol-Pulse-13 mode main 
    set security ike policy ike-pol-Pulse-13 proposals ike-prop-Pulse-13 
    set security ike policy ike-pol-Pulse-13 pre-shared-key ascii-text "$9$PTF/uORlK8CtK8X7sYfTz" 
    
    set security ike gateway ike-gat-Pulse-13 ike-policy ike-pol-Pulse-13 
    set security ike gateway ike-gat-Pulse-13 address 172.16.30.1 
    set security ike gateway ike-gat-Pulse-13 external-interface ge-0/0/0 
    
    set security ipsec proposal ipsec-pro-Pulse-13 protocol esp 
    set security ipsec proposal ipsec-pro-Pulse-13 authentication-algorithm hmac-sha1-96 
    set security ipsec proposal ipsec-pro-Pulse-13 encryption-algorithm aes-128-cbc 
    
    set security ipsec policy ipsec-pol-Pulse-13 perfect-forward-secrecy keys group20 
    set security ipsec policy ipsec-pol-Pulse-13 proposals ipsec-pro-Pulse-13 
    
    set security ipsec vpn Pulse-13 ike gateway ike-gat-Pulse-13 
    set security ipsec vpn Pulse-13 ike ipsec-policy ipsec-pol-Pulse-13 
  2. Create address-book entries for the two subnets involved (the client pool and the subnet behind SRX1): 

    set security address-book global address 13.13.13.0 13.13.13.0/24 
    set security address-book global address 30.30.30.0 30.30.30.0/24 
  3. Create the security policy that permits traffic from zone untrust (where the Pulse client's traffic arrives) to zone untrust2 (where SRX1 is reached) and sends it into the tunnel. In a policy-based VPN the policy's source and destination addresses become the proxy-IDs (traffic selectors) negotiated for the IPsec SA, so they must match the interesting traffic and the proxy-IDs configured on SRX1.

    set security policies from-zone untrust to-zone untrust2 policy TEST match source-address 30.30.30.0 <---
    set security policies from-zone untrust to-zone untrust2 policy TEST match destination-address 13.13.13.0 <--- 
    set security policies from-zone untrust to-zone untrust2 policy TEST match application any 
    set security policies from-zone untrust to-zone untrust2 policy TEST then permit tunnel ipsec-vpn Pulse-13 

    Notes:

    • Do not confuse the policy above with the separate any/any/any security policy that allows the Pulse client to reach the resources directly connected to SRX2 (192.168.1.0/24); in the session output at the top of the article that policy appears as Access-Protected-Resources-192.

    • The remote-protected-resources list is what makes the Pulse client send traffic into its tunnel, independently of the tunnel policy on SRX2. To demonstrate this with the configuration as it stands, delete 13.13.13.0/24 from the dynamic-vpn hierarchy: the Pulse client can then no longer ping the subnet, even though the tunnel policy is still in place:

    delete security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24 
    
    C:\Users\Administrator>ping 13.13.13.3
    
    Pinging 13.13.13.3 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 13.13.13.3:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
  4. Do not forget to add the subnet 13.13.13.0/24 as a remote protected resource under the dynamic-vpn hierarchy; this is what makes the Pulse client send traffic for 13.13.13.0/24 into its tunnel to SRX2:  

    set security dynamic-vpn clients ALL remote-protected-resources 192.168.1.0/24  
    set security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24 <---  
    set security dynamic-vpn clients ALL remote-exceptions 0.0.0.0/0  
    set security dynamic-vpn clients ALL ipsec-vpn DYN-VPN  
    set security dynamic-vpn clients ALL user borat  
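The four steps above have two independent halves that must agree: the dynamic-vpn remote-protected-resources list (what the Pulse client routes into its tunnel) and the tunnel security policy with its address-book entries (what SRX2 forwards into the site-to-site VPN). The following Python script is an added example and is not part of the KB article or of Juniper software; it parses Junos set-style configuration lines (a constructed sample built from SRX2's configuration above) and reports, for a given VPN-side subnet, which half is missing. Function names and the report format are this example's own.

```python
"""Added example (not from the KB article or Juniper): consistency check for the
two places a VPN-reachable subnet must appear in this design.

It parses Junos "set ..." lines and, for each subnet that lives behind the
policy-based VPN peer, verifies that
  1. the subnet is listed under 'security dynamic-vpn clients <profile>
     remote-protected-resources' (otherwise the Pulse client never sends that
     traffic into its tunnel, which is the failure shown by the delete/ping test), and
  2. a security policy whose action is 'permit tunnel ipsec-vpn <vpn>' has a
     source entry covering the client pool and a destination entry covering the
     subnet (otherwise SRX2 never hands the traffic to the site-to-site VPN).
The sample configuration is constructed from the SRX2 lines in the article."""
import ipaddress
import shlex

SRX2_CONFIG = """
set security address-book global address 13.13.13.0 13.13.13.0/24
set security address-book global address 30.30.30.0 30.30.30.0/24
set security policies from-zone untrust to-zone untrust2 policy TEST match source-address 30.30.30.0
set security policies from-zone untrust to-zone untrust2 policy TEST match destination-address 13.13.13.0
set security policies from-zone untrust to-zone untrust2 policy TEST match application any
set security policies from-zone untrust to-zone untrust2 policy TEST then permit tunnel ipsec-vpn Pulse-13
set security dynamic-vpn clients ALL remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24
set security dynamic-vpn clients ALL remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients ALL ipsec-vpn DYN-VPN
set security dynamic-vpn clients ALL user borat
"""


def parse_set_config(text):
    """Build (address_book, policies, protected) from Junos set-style lines.
    address_book: entry name -> ip_network
    policies: (from_zone, to_zone, name) -> {"src": [...], "dst": [...], "tunnel": vpn or None}
    protected: dynamic-vpn client profile -> [ip_network, ...]"""
    address_book, policies, protected = {}, {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 7 or tok[0] != "set":
            continue
        if tok[1:5] == ["security", "address-book", "global", "address"]:
            address_book[tok[5]] = ipaddress.ip_network(tok[6], strict=False)
        elif tok[1:4] == ["security", "policies", "from-zone"] and len(tok) >= 11:
            key = (tok[4], tok[6], tok[8])            # from-zone X to-zone Y policy NAME
            pol = policies.setdefault(key, {"src": [], "dst": [], "tunnel": None})
            rest = tok[9:]
            if rest[:2] == ["match", "source-address"]:
                pol["src"].append(rest[2])
            elif rest[:2] == ["match", "destination-address"]:
                pol["dst"].append(rest[2])
            elif rest[:4] == ["then", "permit", "tunnel", "ipsec-vpn"] and len(rest) > 4:
                pol["tunnel"] = rest[4]
        elif tok[1:4] == ["security", "dynamic-vpn", "clients"] and tok[5] == "remote-protected-resources":
            protected.setdefault(tok[4], []).append(ipaddress.ip_network(tok[6], strict=False))
    return address_book, policies, protected


def _covers(book, names, net):
    """True if any address-book name in names (or the keyword 'any') contains net."""
    return any(n == "any" or (n in book and net.subnet_of(book[n])) for n in names)


def check_tunnel_coverage(config_text, client_pool, vpn_prefixes, profile="ALL"):
    """Return {prefix: [problems]} for each VPN-side prefix; an empty list means
    both the client side and the SRX2 policy side are consistent."""
    book, policies, protected = parse_set_config(config_text)
    pool = ipaddress.ip_network(client_pool)
    report = {}
    for pfx in map(ipaddress.ip_network, vpn_prefixes):
        problems = []
        # Client side: is the prefix pushed to the Pulse client as a protected resource?
        if not any(pfx.subnet_of(p) for p in protected.get(profile, [])):
            problems.append(f"{pfx} is not a remote-protected-resource for clients {profile}")
        # SRX2 side: is there a 'permit tunnel' policy covering client pool -> prefix?
        tunnel_policies = [name for (_, _, name), pol in policies.items()
                           if pol["tunnel"] and _covers(book, pol["src"], pool)
                           and _covers(book, pol["dst"], pfx)]
        if not tunnel_policies:
            problems.append(f"no 'permit tunnel ipsec-vpn' policy covers {pool} -> {pfx}")
        report[str(pfx)] = problems
    return report


if __name__ == "__main__":
    print("as configured:", check_tunnel_coverage(SRX2_CONFIG, "30.30.30.0/24", ["13.13.13.0/24"]))
    # Reproduce the article's negative test: remove the remote-protected-resources entry.
    without = SRX2_CONFIG.replace(
        "set security dynamic-vpn clients ALL remote-protected-resources 13.13.13.0/24\n", "")
    print("without the remote-protected-resources entry:",
          check_tunnel_coverage(without, "30.30.30.0/24", ["13.13.13.0/24"]))
```

Run it against a `show configuration | display set` capture to get the same check on a live box; the only parts of the configuration it reads are the global address book, the from-zone/to-zone policies and the dynamic-vpn client profiles.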
    
    

Troubleshooting and verification:

  • Pulse client successfully connected; the IP address assigned to the client virtual adapter is 30.30.30.6:

    root@srx2# run show security ike active-peer 
    Remote Address        Port     Peer IKE-ID         AAA username               Assigned IP 
    20.20.20.2            53244    boratdynvpn                borat               30.30.30.6 <--- 
    172.16.30.1           500      172.16.30.1                not available       0.0.0.0 
    
  • Ping from 30.30.30.6 to remote subnet 13.13.13.3 is successful:

    C:\Users\Administrator>ping 13.13.13.3
    
    Pinging 13.13.13.3 with 32 bytes of data:
    Reply from 13.13.13.3: bytes=32 time=4ms TTL=62
    Reply from 13.13.13.3: bytes=32 time=2ms TTL=62
    Reply from 13.13.13.3: bytes=32 time=2ms TTL=62
    Reply from 13.13.13.3: bytes=32 time=2ms TTL=62
    
    Ping statistics for 13.13.13.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 2ms, Maximum = 4ms, Average = 2ms
    
  • Session shown on SRX2:

    root@srx2# run show security flow session source-prefix 30.30.30.6
    Session ID: 213039, Policy name: TEST/4, Timeout: 2, Valid
      In: 30.30.30.6/9292 --> 13.13.13.3/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
      Out: 13.13.13.3/2 --> 30.30.30.6/9292;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
    
    Session ID: 213041, Policy name: TEST/4, Timeout: 4, Valid
      In: 30.30.30.6/9293 --> 13.13.13.3/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
      Out: 13.13.13.3/2 --> 30.30.30.6/9293;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
    
    Session ID: 213043, Policy name: TEST/4, Timeout: 4, Valid
      In: 30.30.30.6/9294 --> 13.13.13.3/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
      Out: 13.13.13.3/2 --> 30.30.30.6/9294;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
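To automate the last verification step, the following Python script (an added example, not Juniper tooling) parses the "show security flow session" text format shown above, using a constructed sample that also includes one of the direct 192.168.1.0/24 sessions, and checks that every session from the client address to the remote subnet was matched by the tunnel policy and has its Out wing on the VPN's external interface. In a policy-based VPN there is no st0 interface to look for: the egress interface of a tunnelled session is the physical interface named as external-interface under the IKE gateway (ge-0/0/0.0 here), which is exactly what the sessions above show. Function names and the problem strings are this example's own.

```python
"""Added example (not from the KB article or Juniper): parse 'show security flow
session' output and check which sessions from the Pulse client actually went
into the policy-based VPN. The sample output is constructed from the article."""
import ipaddress
import re

SESSION_OUTPUT = """\
Session ID: 215343, Policy name: Access-Protected-Resources-192/5, Timeout: 2, Valid
  In: 30.30.30.6/10405 --> 192.168.1.2/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 192.168.1.2/2 --> 30.30.30.6/10405;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 213039, Policy name: TEST/4, Timeout: 2, Valid
  In: 30.30.30.6/9292 --> 13.13.13.3/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 13.13.13.3/2 --> 30.30.30.6/9292;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,

Session ID: 213041, Policy name: TEST/4, Timeout: 4, Valid
  In: 30.30.30.6/9293 --> 13.13.13.3/2;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
  Out: 13.13.13.3/2 --> 30.30.30.6/9293;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
"""

# "Session ID: <id>, Policy name: <name>/<index>, Timeout: <s>, <state>"
HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^/,]+)/(\d+), Timeout: (\d+), (\w+)")
# "  In|Out: <src>/<sport> --> <dst>/<dport>;<proto>, Conn Tag: <tag>, If: <ifl>, Pkts: <n>, Bytes: <n>"
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), Conn Tag: \S+, "
                  r"If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_flow_sessions(text):
    """Return a list of sessions: {"id", "policy", "state", "wings": {"In": {...}, "Out": {...}}}."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "state": m.group(5), "wings": {}}
            sessions.append(cur)
            continue
        m = WING.match(line)
        if m and cur is not None:
            cur["wings"][m.group(1)] = {"src": m.group(2), "dst": m.group(4),
                                        "proto": m.group(6), "if": m.group(7)}
    return sessions


def verify_tunnel_sessions(text, client_ip, remote_prefix, tunnel_policy, external_if):
    """Return {session_id: [problems]} for every session from client_ip to a host
    in remote_prefix. An empty list means the session was matched by tunnel_policy
    and its Out wing sits on external_if, i.e. the packet was handed to the
    policy-based VPN toward the peer."""
    pfx = ipaddress.ip_network(remote_prefix)
    result = {}
    for s in parse_flow_sessions(text):
        inw = s["wings"].get("In")
        if not inw or inw["src"] != client_ip or ipaddress.ip_address(inw["dst"]) not in pfx:
            continue
        problems = []
        if s["policy"] != tunnel_policy:
            problems.append(f"matched policy {s['policy']}, expected {tunnel_policy}")
        outw = s["wings"].get("Out")
        if not outw or outw["if"] != external_if:
            problems.append(f"egress interface {outw['if'] if outw else 'missing'}, expected {external_if}")
        if s["state"] != "Valid":
            problems.append(f"session state {s['state']}")
        result[s["id"]] = problems
    return result


if __name__ == "__main__":
    # Sessions toward the subnet behind SRX1 should all be clean.
    print(verify_tunnel_sessions(SESSION_OUTPUT, "30.30.30.6", "13.13.13.0/24", "TEST", "ge-0/0/0.0"))
    # The direct 192.168.1.0/24 session is not supposed to use the tunnel and is flagged.
    print(verify_tunnel_sessions(SESSION_OUTPUT, "30.30.30.6", "192.168.1.0/24", "TEST", "ge-0/0/0.0"))
```

Feed it the text of `show security flow session source-prefix <client-ip>` from the SRX; a session that shows up with the wrong policy name or an egress interface other than the IKE gateway's external interface is one that SRX2 forwarded in the clear instead of into the VPN.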
    