Little tip with SRX Dynamic VPNs and 'security screens' on the VPN's ingress zone I stumbled across during my JNCIE-SEC study.

UPDATE (20120401): Seems Juniper has addressed and fixed this bug ...
More info: 

It seems you can not have the 'IP Spoofing' screen enabled when sending IPSec Dynamic VPN traffic ingressing into the zone with the screen set. This traffic is dropped by the screen which can be seen via a 'security flow traceoption flag basic-datapath':

  • 'packet dropped, drop by spoofing check.'

So removing (or deactivating) the ip spoofing check solved the problem:

  • deactivate security screen ids-option from-Internet ip spoofing

Kind of lame, the spoofing screen sounds a good idea on your Internet facing interfaces, but seems a no no if you want dynamic VPNs. That is all. Hopefully eventually Juniper make this check smarter.

2 thoughts on “Juniper SRX Screens + Dynamic VPNs”
  1. Greetings !
    when are you taking the dive ? which version of junos are you using.Could you pls share as to how you are preparing for the IE ?

  2. wow !! so you have plenty of time..i dont 🙁
    ive been working on screenos for the last five years, moved to junos two years earlier..
    thx for sharing, im using 11.2 and 10.4 for my labs.i guess the challenging part would definetly be the vpn/nat part working hand-in-hand with the drp ! on a lighter note i recently discoved that should you be using the global address book, zone specific address book wont wrk and you will need to use
    “set sec add UNTRUST attach zone untrust” and add all entries here instead..
    for me its going to be vpn brushup this week..
    keep posting !

Leave a Reply

Your email address will not be published. Required fields are marked *