Little tip with SRX Dynamic VPNs and ‘security screens’ on the VPN’s ingress zone I stumbled across during my JNCIE-SEC study.
UPDATE (20120401): Seems Juniper has addressed and fixed this bug …
It seems you can not have the ‘IP Spoofing’ screen enabled when sending IPSec Dynamic VPN traffic ingressing into the zone with the screen set. This traffic is dropped by the screen which can be seen via a ‘security flow traceoption flag basic-datapath’:
- ‘packet dropped, drop by spoofing check.’
So removing (or deactivating) the ip spoofing check solved the problem:
- deactivate security screen ids-option from-Internet ip spoofing
Kind of lame, the spoofing screen sounds a good idea on your Internet facing interfaces, but seems a no no if you want dynamic VPNs. That is all. Hopefully eventually Juniper make this check smarter.