Routing VPN Subnet Networking – How to Route to Remote-Protected-Resource on Juniper SRX320

Tags: juniper-srx, networking, routing, subnet, vpn

Multiple VPNs setup with a Juniper SRX320.

The SRX320 has an irb interface as follows:

    irb {
        unit 0 {
            family inet {
                address 192.168.120.1/24;
            }
        }
    }

I've set up a dynamic VPN that I'm connecting to over the Junos Pulse software, using the same pool as all physically connected devices:

    pool pool1 {
        family inet {
            network 192.168.120.0/24;
            dhcp-attributes {
                name-server {
                    192.168.120.15;
                }
                router {
                    192.168.120.1;
                }
            }
        }
    }

Remote resources are defined here:

    dynamic-vpn {
        access-profile dyn-vpn;
        clients {
            all {
                remote-protected-resources {
                    192.168.0.0/16;
                }
                ...
            }
        }
        ...
    }

Policy set here:

    from-zone Untrust to-zone trust {
        policy dyn-vpn-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn dyn-vpn;
                    }
                }
            }
        }
    }

So when I connect to the dyn-vpn:

  • I can see the routes getting passed down to me properly.
  • I can ping 192.168.120.1
  • I CANNOT ping any other 192.168.120.0/24 address (like the name server, or the DC, or anything else).
  • I can hit everything else inside 192.168.0.0/16 (the other VPNs, for instance 192.168.150.1)

If I change my pool assignment to a new pool and assign it to 192.168.121.252/30, I can ping everything within 192.168.120.0/24, but I can no longer access my other VPNs.
They are unaware of the route because that subnet is not being routed. I could put static assignments in and rig it, but I feel like I'm lacking something basic in my understanding and I'd like to learn. The firewall clearly knows the route to me, as it responds to pings on the irb interface; so why will it not route to any other .120 address?

If I missed a config that you need to know, let me know.

Best Answer

The subnet you allocate from pool1 is routed from the SRX to your VPN tunnel - it's not bridged into the existing subnet hanging off irb.1.

I suspect the SRX has a host route (/32) to your client which is why it is able to route traffic to and from your other VPN networks and the irb.1 address, but hosts in the 192.168.120.0/24 subnet will not be able to reach you.

The way to solve this problem is to give your VPN clients a dedicated subnet (as you were trying) and make that route available over your other VPNs.

NATting your VPN clients to an address in the 192.168.120.0/24 subnet might also work, but it would depend on your topology - traffic from the dynamic-vpn may not be classified correctly by source IP address when traversing zones, and I seem to recall that policy-based NAT was deprecated a while ago on the SRX.
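The dedicated-subnet approach from the answer, written out as a set-format configuration. This is an added example, not configuration from the question or the answer. It assumes the dynamic-VPN clients move to a new pool 192.168.121.0/24, that the "other VPN" the asker reaches 192.168.150.1 through is a route-based IPsec tunnel on st0.0 to a site whose LAN is 192.168.150.0/24, and that the remote end is also an SRX. The zone names trust/Untrust, the access profile dyn-vpn and the name server 192.168.120.15 come from the question; every other name (dyn-vpn-pool, to-site-b, to-hq, the vpn zone, the address-book entries) is hypothetical.

```junos
## Added example (not from the original post). Assumptions are listed in
## the lead-in above; all names except dyn-vpn, trust, Untrust, st0.0 and
## the addresses taken from the post are hypothetical.

## --- Local SRX320 (the box in the question) --------------------------------

## 1. Give VPN clients their own pool. The check that matters: the pool must
##    not overlap any subnet directly attached to the SRX (here irb.0 =
##    192.168.120.0/24). Tunnel clients are routed, not bridged, and the SRX
##    will not answer ARP on irb.0 on a client's behalf, so LAN hosts can
##    never reach a client that was handed a .120 address.
set access address-assignment pool dyn-vpn-pool family inet network 192.168.121.0/24
set access address-assignment pool dyn-vpn-pool family inet range r1 low 192.168.121.10 high 192.168.121.250
set access address-assignment pool dyn-vpn-pool family inet dhcp-attributes name-server 192.168.120.15
set access profile dyn-vpn address-assignment pool dyn-vpn-pool

## 2. Unchanged from the post: clients keep sending all of 192.168.0.0/16 down
##    the tunnel. The SRX installs a /32 route per connected client, so the
##    local box needs no static route for 192.168.121.0/24 itself.
set security dynamic-vpn clients all remote-protected-resources 192.168.0.0/16

## 3. Address-book entries used by the policies on both ends.
set security address-book global address vpn-clients 192.168.121.0/24
set security address-book global address lan-120 192.168.120.0/24
set security address-book global address site-b-lan 192.168.150.0/24

## 4. Client -> site-B traffic enters from the dynamic VPN (zone Untrust) and
##    leaves via st0.0 (assumed zone "vpn"). Narrow the existing any/any
##    habit to the client subnet.
set security policies from-zone Untrust to-zone vpn policy clients-to-site-b match source-address vpn-clients
set security policies from-zone Untrust to-zone vpn policy clients-to-site-b match destination-address site-b-lan
set security policies from-zone Untrust to-zone vpn policy clients-to-site-b match application any
set security policies from-zone Untrust to-zone vpn policy clients-to-site-b then permit

## 5. The site-to-site tunnel must carry the new subnet. Route-based VPNs
##    with a 0.0.0.0/0 proxy-id need nothing more than the remote route in
##    step 6; if the tunnel uses traffic selectors, both ends must list the
##    client subnet or the SA will never be negotiated for it.
set security ipsec vpn to-site-b traffic-selector ts-clients local-ip 192.168.121.0/24 remote-ip 192.168.150.0/24

## --- Remote SRX (site B, LAN 192.168.150.0/24) ------------------------------

## 6. This is the "make that route available over your other VPNs" step:
##    without it site B replies to 192.168.121.x via its default route.
set routing-options static route 192.168.121.0/24 next-hop st0.0

## 7. Mirror of the selector in step 5, plus a policy that lets the client
##    subnet in from the tunnel zone.
set security ipsec vpn to-hq traffic-selector ts-clients local-ip 192.168.150.0/24 remote-ip 192.168.121.0/24
set security address-book global address hq-vpn-clients 192.168.121.0/24
set security address-book global address site-b-lan 192.168.150.0/24
set security policies from-zone vpn to-zone trust policy hq-clients-in match source-address hq-vpn-clients
set security policies from-zone vpn to-zone trust policy hq-clients-in match destination-address site-b-lan
set security policies from-zone vpn to-zone trust policy hq-clients-in match application any
set security policies from-zone vpn to-zone trust policy hq-clients-in then permit
```

After `commit check` and `commit`, the useful verification is on the local SRX with a client connected: `show security dynamic-vpn users` lists the client and the pool address it received; `show route <client-address>` should show the /32 host route over the dynamic VPN rather than a route through irb.0; `show security ipsec security-associations detail` confirms the site-to-site SA was negotiated for the client selector; and `show security flow session source-prefix 192.168.121.0/24` shows whether client traffic to 192.168.150.0/24 is being matched by the intended policy. On the remote SRX, `show route 192.168.121.10` must resolve to st0.0; if it resolves to the default route, step 6 is missing and only that end needs fixing.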