Well, it was my bad. Seems it was working from the beginning :):) The problem was with my PC. Tried on another laptop and it works like a charm!
2014-07-09 6:11 GMT+03:00 Levi Pederson <[email protected]>:
> It's part of the policy you make: trust - untrust then permit tunnel ipsec-vpn [vpn] pair-policy untrust-trust
> untrust - trust then permit tunnel ipsec-vpn [vpn] pair-policy trust-untrust
>
> *Levi Pederson*
> Mankato Networks LLC
> cell | 612.481.0769
> work | 612.787.7392
> [email protected]
>
> On Tue, Jul 8, 2014 at 8:49 AM, matan tal <[email protected]> wrote:
>
>> Sorry, I am not familiar with this command.
>> What is the exact syntax?
>> And what is it used for?
>> Thanks for the help.
>>
>> 2014-07-08 16:45 GMT+03:00 Levi Pederson <[email protected]>:
>>
>>> Don't forget the pair-policy command
>>>
>>> Thank you,
>>>
>>> *Levi Pederson*
>>> Mankato Networks LLC
>>> cell | 612.481.0769
>>> work | 612.787.7392
>>> [email protected]
>>>
>>> On Tue, Jul 8, 2014 at 8:43 AM, matan tal <[email protected]> wrote:
>>>
>>>> I am matching:
>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
>>>>
>>>> :)
>>>>
>>>> 2014-07-08 15:58 GMT+03:00 Levi Pederson <[email protected]>:
>>>>
>>>>> Looks like you are missing the security policies part of the VPN. You are not matching any traffic and not pushing it into the tunnel.
>>>>> On Jul 8, 2014 3:18 AM, "matan tal" <[email protected]> wrote:
>>>>>
>>>>>> Hey everyone.
>>>>>> I was using the Juniper official guide to deploy a dynamic VPN on an SRX110.
>>>>>> This is the script:
>>>>>>
>>>>>> set security ike policy ike-dyn-vpn-policy mode aggressive
>>>>>> set security ike policy ike-dyn-vpn-policy proposal-set standard
>>>>>> set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$SGAl87NdsJGiNdjqfQ9CO1REclKM8dwY8L"
>>>>>> set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
>>>>>> set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
>>>>>> set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
>>>>>> set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
>>>>>> set security ike gateway dyn-vpn-local-gw external-interface pp0.0
>>>>>> set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
>>>>>> set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
>>>>>> set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
>>>>>> set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
>>>>>> set security dynamic-vpn access-profile dyn-vpn-access-profile
>>>>>> set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
>>>>>> set security dynamic-vpn clients all remote-protected-resources 200.200.200.40/32
>>>>>> set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
>>>>>> set security dynamic-vpn clients all ipsec-vpn dyn-vpn
>>>>>> set security dynamic-vpn clients all user matan
>>>>>> set security flow traceoptions file flow-debug
>>>>>> set security flow traceoptions flag basic-datapath
>>>>>> set security flow traceoptions packet-filter test source-prefix 172.16.100.0/24
>>>>>> set security flow traceoptions packet-filter test destination-prefix 172.16.1.254/32
>>>>>> set security flow traceoptions packet-filter test2 source-prefix 172.16.1.254/32
>>>>>> set security flow traceoptions packet-filter test2 destination-prefix 172.16.100.0/24
>>>>>> set security flow tcp-mss all-tcp mss 1350
>>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
>>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
>>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
>>>>>> set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
>>>>>> set security zones security-zone untrust host-inbound-traffic system-services all
>>>>>> set security zones security-zone untrust host-inbound-traffic protocols all
>>>>>> set security zones security-zone untrust interfaces at-1/0/0.0
>>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
>>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services https
>>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services all
>>>>>> set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic protocols all
>>>>>> set security zones security-zone trust address-book address loop 200.200.200.40/32
>>>>>> set security zones security-zone trust host-inbound-traffic system-services all
>>>>>> set security zones security-zone trust host-inbound-traffic protocols all
>>>>>> set security zones security-zone trust interfaces vlan.10
>>>>>> set security zones security-zone trust interfaces at-1/0/0.1
>>>>>> set access profile dyn-vpn-access-profile client matan firewall-user password "$9$OXBY1hreK8NVYuOMXxN2g"
>>>>>> set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
>>>>>> set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
>>>>>> set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
>>>>>> set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
>>>>>> set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
>>>>>> set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
>>>>>>
>>>>>> The problem is that I can connect using Pulse (Windows 7 32 bit) but can't reach the protected resource.
>>>>>> Using traceoptions and logging, it seems that no traffic matches the client.
>>>>>> On the SRX I'm getting this info:
>>>>>> bezeq@SMB> show security ipsec security-associations
>>>>>> Total active tunnels: 1
>>>>>> ID          Algorithm         SPI       Life:sec/kb   Mon  lsys  Port   Gateway
>>>>>> <268173324  ESP:aes-128/sha1  257a7e0   3594/ 500000  -    root  54223  109.66.170.220
>>>>>> >268173324  ESP:aes-128/sha1  fda75566  3594/ 500000  -    root  54223  109.66.170.220
>>>>>>
>>>>>> show sec ipsec stati:
>>>>>> ESP Statistics:
>>>>>> Encrypted bytes: 0
>>>>>> Decrypted bytes: 0
>>>>>> Encrypted packets: 0
>>>>>> Decrypted packets: 0
>>>>>> AH Statistics:
>>>>>> Input bytes: 0
>>>>>> Output bytes: 0
>>>>>> Input packets: 0
>>>>>> Output packets: 0
>>>>>> Errors:
>>>>>> AH authentication failures: 0, Replay errors: 0
>>>>>> ESP authentication failures: 0, ESP decryption failures: 0
>>>>>> Bad headers: 0, Bad trailers: 0
>>>>>>
>>>>>> Help will be much appreciated :):):):
>>>>>
>>>>
>>>
>>
>
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
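The pair-policy point Levi makes above, as an added Python example that is not from the thread or from Juniper: it parses Junos-style `set` lines for tunnel policies and flags any policy with no reverse-direction partner for the same ipsec-vpn, no pair-policy, or a pair-policy that does not point back. The sample lines are constructed from the poster's config; the trust-to-untrust policy name dyn-vpn-out is an assumption.

```python
import re

# Added audit helper (not from the thread): find one-way IPsec tunnel policies.
TUNNEL_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit tunnel ipsec-vpn (\S+)(?: pair-policy (\S+))?$"
)

# Constructed sample: the poster's single untrust->trust tunnel policy.
ONE_WAY_CONFIG = """
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
"""

# Constructed sample: same, plus a trust->untrust policy (assumed name dyn-vpn-out) and mutual pair-policy bindings.
PAIRED_CONFIG = ONE_WAY_CONFIG + """
set security policies from-zone trust to-zone untrust policy dyn-vpn-out then permit tunnel ipsec-vpn dyn-vpn pair-policy dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn pair-policy dyn-vpn-out
"""


def parse_tunnel_policies(config):
    """Map (from-zone, to-zone, policy) -> (ipsec-vpn, pair-policy or None)."""
    policies = {}
    for line in config.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:  # match terms and non-policy lines are irrelevant here
            frm, to, name, vpn, pair = m.groups()
            key = (frm, to, name)
            # A later 'set' line without pair-policy must not erase an earlier binding.
            prev_pair = policies.get(key, (vpn, None))[1]
            policies[key] = (vpn, pair or prev_pair)
    return policies


def check_tunnel_policies(config):
    """Return one finding per problem; an empty list means every tunnel policy is paired."""
    policies = parse_tunnel_policies(config)
    findings = []
    for (frm, to, name), (vpn, pair) in policies.items():
        # Policies in the opposite direction that tunnel into the same VPN.
        reverse = [n for (f, t, n), (v, _) in policies.items()
                   if (f, t) == (to, frm) and v == vpn]
        if not reverse:
            findings.append(f"{frm}->{to} {name}: no {to}->{frm} policy tunnels {vpn}")
        elif pair is None:
            findings.append(f"{frm}->{to} {name}: missing pair-policy (candidates: {reverse})")
        elif pair not in reverse:
            findings.append(f"{frm}->{to} {name}: pair-policy {pair} is not a {to}->{frm} policy for {vpn}")
        elif policies[(to, frm, pair)][1] != name:
            findings.append(f"{frm}->{to} {name}: pair-policy {pair} does not point back")
    return findings
```

Run it over `show configuration | display set` output saved to a file to confirm both directions of a dynamic VPN policy are bound before chasing flow traceoptions.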

