Network administration
EvilMause, 2016-03-02 16:26:07

Is it possible to access via Juniper dynamic vpn to a routable subnet?

Greetings!
Let's start with the network diagram:

Client-----Juniper---l3 switch---trust net 1 (192.168.20.0/24)
             |
        trust net 2 (192.168.10.0/24)

Juniper is configured with Dynamic VPN for client access. It works quite successfully, but only for those subnets that Juniper itself serves. If it does not have an interface in a subnet and reaches it through another gateway (in the diagram, the L3 switch), there is no access to hosts in that subnet. At the same time, there is access between the trust net 2 subnet and the trust net 1 subnet in both directions; from Juniper there is access to trust net 1, and vice versa.
The Dynamic VPN settings contain everything that is needed and is specified in the Juniper KB, i.e. in the dynamic-vpn - clients - remote-protected-resources section the required subnets are listed, and the security policy for ipsec-vpn dyn-vpn has been created.
The route to the required subnet is configured and the network is reachable.
The only thing we managed to find was an incomprehensible line in the log taken through the security flow traceoptions.
Normally it looks like this:
Feb 29 17:00:37 17:03:13.670332:CID-1:RT:  flow_first_create_session
Feb 29 17:00:37 17:03:13.670352:CID-1:RT:  flow_first_in_dst_nat: in <reth0.504>, out <N/A> dst_adr 192.168.10.51, sp 326, dp 1
Feb 29 17:00:37 17:03:13.670360:CID-1:RT:  chose interface N/A as incoming nat if.
Feb 29 17:00:37 17:03:13.670393:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.10.51(1)
Feb 29 17:00:37 17:03:13.670415:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 10.10.20.15, x_dst_ip 192.168.10.51, in ifp reth0.504, out ifp N/A sp 326, dp 1, ip_proto 1, tos 0
Feb 29 17:00:37 17:03:13.670439:CID-1:RT:Doing DESTINATION addr route-lookup
Feb 29 17:00:37 17:03:13.670468:CID-1:RT: routed (x_dst_ip 192.168.10.51) from dmz (reth0.504 in 1) to reth0.1010, Next-hop: 192.168.10.51
Feb 29 17:00:37 17:03:13.670495:CID-1:RT:  policy search from zone dmz-> zone servers (0x0,0x1460001,0x1)

In the case of access to a routable subnet, like this:
Feb 29 16:46:58 16:49:34.806023:CID-1:RT:  flow_first_create_session
Feb 29 16:46:58 16:49:34.806023:CID-1:RT:  flow_first_in_dst_nat: in <reth0.504>, out <N/A> dst_adr 192.168.20.75, sp 241, dp 1
Feb 29 16:46:58 16:49:34.806056:CID-1:RT:  chose interface N/A as incoming nat if.
Feb 29 16:46:58 16:49:34.806080:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.20.75(1)
Feb 29 16:46:58 16:49:34.806091:CID-1:RT:flow_first_routing: vr_id 5, call flow_route_lookup(): src_ip 10.10.20.15, x_dst_ip 192.168.20.75, in ifp reth0.504, out ifp N/A sp 241, dp 1, ip_proto 1, tos 0
Feb 29 16:46:58 16:49:34.806125:CID-1:RT:Doing DESTINATION addr route-lookup
Feb 29 16:46:58 16:49:34.806132:CID-1:RT: routed (x_dst_ip 192.168.20.75) from dmz (reth0.504 in 1) to reth0.504, Next-hop: internet gateway
Feb 29 16:46:58 16:49:34.806160:CID-1:RT:  policy search from zone dmz-> zone dmz (0x0,0xf10001,0x1)

As you can see, the packets are sent back to the external interface! How to fix it?
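An added example, not part of the original post: a small Python parser over the two flow traceoptions excerpts that picks out the "routed ... from <zone> (<ifp> in N) to <ifp>" and "policy search" lines per session and flags the symptom described above, a route lookup that sends the packet back out the interface it arrived on. The sample trace is constructed from the lines quoted in the post with the timestamps shortened.

```python
import re

# Sample input constructed from the two flow traceoptions excerpts in the post
# (timestamps dropped, only the lines the analysis needs).
SAMPLE_TRACE = """\
CID-1:RT:  flow_first_create_session
CID-1:RT: routed (x_dst_ip 192.168.10.51) from dmz (reth0.504 in 1) to reth0.1010, Next-hop: 192.168.10.51
CID-1:RT:  policy search from zone dmz-> zone servers (0x0,0x1460001,0x1)
CID-1:RT:  flow_first_create_session
CID-1:RT: routed (x_dst_ip 192.168.20.75) from dmz (reth0.504 in 1) to reth0.504, Next-hop: internet gateway
CID-1:RT:  policy search from zone dmz-> zone dmz (0x0,0xf10001,0x1)
"""

# Field layout of the route-lookup result line as it appears in the trace.
ROUTED_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst>[\d.]+)\) from (?P<from_zone>\S+) "
    r"\((?P<in_ifp>\S+) in \d+\) to (?P<out_ifp>[^,]+), Next-hop: (?P<next_hop>.+)$"
)
POLICY_RE = re.compile(r"policy search from zone (?P<from_zone>\S+?)-> zone (?P<to_zone>\S+)")

def analyse_trace(text):
    """Split a flow trace into sessions (one per flow_first_create_session) and
    record, for each, where the route lookup sent the packet and which zone pair
    the policy search used. 'hairpin' is True when the egress interface equals
    the ingress interface, i.e. the destination is not reached via an internal path."""
    sessions = []
    for line in text.splitlines():
        if "flow_first_create_session" in line:
            sessions.append({"hairpin": False})
            continue
        if not sessions:
            continue  # lines before the first session are ignored
        m = ROUTED_RE.search(line)
        if m:
            sessions[-1].update({k: v.strip() for k, v in m.groupdict().items()})
            sessions[-1]["hairpin"] = sessions[-1]["in_ifp"] == sessions[-1]["out_ifp"]
        m = POLICY_RE.search(line)
        if m:
            sessions[-1]["to_zone"] = m.group("to_zone")
    return sessions

def hairpinned_destinations(text):
    """Destination addresses that were routed straight back out the ingress interface."""
    return [s["dst"] for s in analyse_trace(text) if s["hairpin"]]

if __name__ == "__main__":
    for s in analyse_trace(SAMPLE_TRACE):
        state = "HAIRPIN (routed back out the VPN-facing interface)" if s["hairpin"] else "ok"
        print(f"{s['dst']:>15}  {s['in_ifp']} -> {s['out_ifp']}  "
              f"zone {s['from_zone']}->{s.get('to_zone', '?')}  {state}")
```

Run against a full traceoptions file, the list from hairpinned_destinations() shows exactly which remote-protected-resources prefixes the route table does not resolve to an internal interface from the VPN zone.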
