Juniper SRX Screens + Dynamic VPNs

Little tip with SRX Dynamic VPNs and 'security screens' on the VPN's ingress zone I stumbled across during my JNCIE-SEC study.

UPDATE (20120401): Seems Juniper has addressed and fixed this bug ...
More info: 

It seems you can not have the 'IP Spoofing' screen enabled when sending IPSec Dynamic VPN traffic ingressing into the zone with the screen set. This traffic is dropped by the screen which can be seen via a 'security flow traceoption flag basic-datapath':

  • 'packet dropped, drop by spoofing check.'

So removing (or deactivating) the ip spoofing check solved the problem:

  • deactivate security screen ids-option from-Internet ip spoofing

Kind of lame, the spoofing screen sounds a good idea on your Internet facing interfaces, but seems a no no if you want dynamic VPNs. That is all. Hopefully eventually Juniper make this check smarter.

Related Posts

Book REVIEW: Linux Service Management Made Easy with systemd: Advanced techniques to effectively manage, control, and monitor Linux systems and services 1st Edition

Amazon Link Disclaimer: I get no royalites or anything here – Just had coworkers ask me about it So since I’m no systems guru and am now…

CLI Templates for Python + Rust

Do you also write a lot of services that need a few CLI option (e.g. –config) and or little CLI tools from time to time? Want a…

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…


Are you using the latest Linux kernel firewall?. Here are some notes I’ve saved that I use and forget all the time. I plan to add to…

This Post Has 2 Comments

  1. Greetings !
    when are you taking the dive ? which version of junos are you using.Could you pls share as to how you are preparing for the IE ?

  2. wow !! so you have plenty of time..i dont 🙁
    ive been working on screenos for the last five years, moved to junos two years earlier..
    thx for sharing, im using 11.2 and 10.4 for my labs.i guess the challenging part would definetly be the vpn/nat part working hand-in-hand with the drp ! on a lighter note i recently discoved that should you be using the global address book, zone specific address book wont wrk and you will need to use
    “set sec add UNTRUST attach zone untrust” and add all entries here instead..
    for me its going to be vpn brushup this week..
    keep posting !

Leave a Reply

Your email address will not be published. Required fields are marked *