
Juniper SRX Screens + Dynamic VPNs

Posted by cooper on Mar 3, 2012 in g33k, juniper

A little tip about SRX Dynamic VPNs and ‘security screens’ on the VPN’s ingress zone that I stumbled across during my JNCIE-SEC study.

UPDATE (20120401): It seems Juniper has addressed and fixed this bug.
More info:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21713&actp=RSS

It seems you cannot have the ‘IP Spoofing’ screen enabled when IPsec Dynamic VPN traffic ingresses the zone that has the screen applied. The traffic is dropped by the screen, which can be seen with ‘security flow traceoptions flag basic-datapath’:

  • ‘packet dropped, drop by spoofing check.’
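
To confirm that the screen is really dropping your VPN clients rather than genuinely spoofed packets before you touch it, here is an added Python snippet (not from the original post) that pairs each drop line in a basic-datapath trace with the five-tuple line preceding it and counts drops that look like IKE/IPsec (UDP to 500/4500); the trace lines are constructed and their exact format is an assumption to adjust for your Junos release.

```python
import re
from collections import Counter

# Constructed sample of basic-datapath trace output (the line format is an
# assumption modelled on real flow traces; adjust the regex for your release).
# Two IKE/IPsec packets from a Dynamic VPN client are dropped by the screen,
# one unrelated HTTPS packet is forwarded.
SAMPLE_TRACE = """\
Mar  3 10:00:01 10:00:01.101:CID-0:RT:<203.0.113.10/500->198.51.100.1/500;17> matched filter pf1:
Mar  3 10:00:01 10:00:01.101:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0
Mar  3 10:00:01 10:00:01.102:CID-0:RT:  packet dropped, drop by spoofing check.
Mar  3 10:00:02 10:00:02.201:CID-0:RT:<192.0.2.55/40000->198.51.100.1/443;6> matched filter pf1:
Mar  3 10:00:02 10:00:02.201:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0
Mar  3 10:00:02 10:00:02.203:CID-0:RT:  packet forwarded
Mar  3 10:00:03 10:00:03.301:CID-0:RT:<203.0.113.10/4500->198.51.100.1/4500;17> matched filter pf1:
Mar  3 10:00:03 10:00:03.301:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0
Mar  3 10:00:03 10:00:03.302:CID-0:RT:  packet dropped, drop by spoofing check.
"""

# Five-tuple line printed at the start of each packet: <src/sport->dst/dport;proto>
TUPLE_RE = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>")
DROP_MSG = "packet dropped, drop by spoofing check"

def spoof_drops(trace):
    """Return (src, sport, dst, dport, proto) for each packet the trace shows
    dropped by the spoofing check. The drop line carries no addresses, so each
    one is paired with the most recent five-tuple line above it."""
    current, drops = None, []
    for line in trace.splitlines():
        m = TUPLE_RE.search(line)
        if m:
            current = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        elif DROP_MSG in line and current is not None:
            drops.append(current)
            current = None  # one drop per packet
    return drops

def ike_ipsec_drops(trace):
    """Count spoof-check drops per source that look like IKE/NAT-T IPsec
    (UDP to port 500 or 4500), i.e. your Dynamic VPN clients rather than
    genuinely spoofed traffic. Check this before deactivating the screen."""
    return Counter(src for src, _, _, dport, proto in spoof_drops(trace)
                   if proto == 17 and dport in (500, 4500))

if __name__ == "__main__":
    for src, n in ike_ipsec_drops(SAMPLE_TRACE).items():
        print(f"{src}: {n} IKE/IPsec packet(s) dropped by spoofing check")
```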

So removing (or deactivating) the IP spoofing check solved the problem:

  • deactivate security screen ids-option from-Internet ip spoofing

Kind of lame: the spoofing screen sounds like a good idea on your Internet-facing interfaces, but it seems to be a no-no if you want Dynamic VPNs. That is all. Hopefully Juniper eventually makes this check smarter.


Copyright © 2017 I-R-Coops Blog All rights reserved. Theme by Laptop Geek.