schmiewliski
Level 10

Starting to pull my hair out!! - VPN

Hello All

OK, I've been trying to get something fairly simple working.

Remote user logging in from a remote location (home, hotel etc.), using the Juniper Network Connect client.

I have the rules set like this:

Allow loopback - (Allow - Either)

Allow Mcafee signed Apps - (Allow - Either)

Basic Networking

    Allow 802.1X Authentication - (Allow - Either)

    Allow DNS - (Allow - Out)

Allow HTTP / HTTPS - (Allow - Out)

VPN

    Allow IPsec ESP - (Allow - Either)

    Allow IKE - (Allow - In)

    Allow GRE - (Allow - Either)

    Allow IKE Outbound - (Allow - Out)

I have not enabled IPS or NIPS. I can start the Juniper client and the web interface starts to enter the credentials. I enter the credentials and the connection starts, but times out. If I disable the firewall I can establish the connection.

I even tried putting the firewall into adaptive mode and learn mode to see if this would add the rules in, but nothing. Also nothing showing in the logs.

Can anyone guide me to the light please!!!

Cheers

Steve

5 Replies
greatscott
Level 12

Re: Starting to pull my hair out!! - VPN

Is there anything at all showing up in your firewall logs? Maybe within your VPN group, allow all inbound/outbound to the remote address of your VPN concentrator(s). I am assuming the connection can be made if the firewall is disabled?

Tristan
Level 15

Re: Starting to pull my hair out!! - VPN

I'm not familiar with the Juniper VPN client so excuse me if this is a silly question.

What type of VPN is it, SSL or IPsec?

If it's SSL you would need to allow HTTPS both ways.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB5671

schmiewliski
Level 10

Re: Starting to pull my hair out!! - VPN

OK, I've managed to move a little closer to sorting the issue.

I now have the following:

Allow loopback - (Allow - Either)

Allow Mcafee signed Apps - (Allow - Either)

Basic Networking

    Allow 802.1X Authentication - (Allow - Either)

    Allow DNS - (Allow - Out)

Web Access - Timed group

    Allow HTTP / HTTPS - (Allow - Out)

VPN

    Allow IPsec ESP - (Allow - Either)

    Allow IKE - (Allow - In)

    Allow GRE - (Allow - Either)

    Allow IKE Outbound - (Allow - Out)

CAG - CorpNetwork (based on default gateway and dns suffix)

    Allow all

CAG - VPN (based on if ePO is contactable)

    Allow all

This now works apart from the timed group (web access part). I start the timer, can establish a VPN tunnel, connect into the corp network etc., all good until the time period expires and I lose all web traffic. Is there a way I can fix this? I was hoping that having the allow all rule in both CAGs would stop this, but it doesn't.

greatscott
Level 12

Re: Starting to pull my hair out!! - VPN

I would take the timed group out, as it provides little to no security. The user can just keep resetting their timer. Just put the "Allow HTTP/HTTPS - (Allow - Out)" rule into your Basic Networking group and test if that works.

mlmarshall3
Level 7

Re: Starting to pull my hair out!! - VPN

I believe that greatscott is correct. Once that timer ends, that rule essentially acts as a deny for those ports, and the CAG rulesets' allow all cannot supersede this.

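To make the first-match reasoning in greatscott's and mlmarshall3's replies concrete, here is an added Python model of the rule groups Steve posted; it is example code written for this page, not McAfee or Juniper code. The "expired timer acts as a deny that a later allow all cannot supersede" behaviour is taken from mlmarshall3's description as an assumption, not from product documentation, and application-scoped rules (loopback, McAfee signed apps, 802.1X) are left out because the model matches on protocol, port and direction only. It shows why HTTPS stops once the timed group expires and why moving the HTTP/HTTPS rule into Basic Networking, as greatscott suggests, restores it.

```python
"""Toy first-match host-firewall model for the rule groups discussed in this thread.
Constructed example: the semantics are assumptions labelled below, not product behaviour."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY_PORT: FrozenSet[int] = frozenset()  # empty set means "any destination port"


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                # "tcp", "udp", "esp", "gre" or "any"
    ports: FrozenSet[int]     # destination ports; ANY_PORT matches all
    direction: str            # "in", "out" or "either"
    action: str = "allow"


@dataclass
class Group:
    name: str
    rules: List[Rule]
    timed: bool = False       # a timed group is only meant to be active while its timer runs
    timer_expired: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    port: int
    direction: str            # "in" or "out", from the host's point of view


def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto in ("any", pkt.proto)
    port_ok = not rule.ports or pkt.port in rule.ports
    dir_ok = rule.direction in ("either", pkt.direction)
    return proto_ok and port_ok and dir_ok


def evaluate(groups: List[Group], pkt: Packet) -> Tuple[str, str]:
    """Walk the groups top to bottom; the first matching rule decides.

    Assumption (from mlmarshall3's reply, not verified against the product): a rule in a
    timed group whose timer has expired still matches its traffic but acts as a deny, so a
    later "Allow all" group never gets a chance to fire for that traffic."""
    for group in groups:
        for rule in group.rules:
            if not matches(rule, pkt):
                continue
            if group.timed and group.timer_expired:
                return "deny", f"{group.name}: timer expired on '{rule.name}'"
            return rule.action, f"{group.name}: '{rule.name}'"
    return "deny", "no rule matched (implicit default deny)"


def build_groups(web_in_timed_group: bool, timer_expired: bool) -> List[Group]:
    """Rebuild the second rule set from the thread. With web_in_timed_group=False the
    HTTP/HTTPS rule sits in Basic Networking instead, which is greatscott's suggestion."""
    dns = Rule("Allow DNS", "udp", frozenset({53}), "out")
    web = Rule("Allow HTTP / HTTPS", "tcp", frozenset({80, 443}), "out")
    groups = [Group("Basic Networking", [dns] if web_in_timed_group else [dns, web])]
    if web_in_timed_group:
        groups.append(Group("Web Access - Timed group", [web],
                            timed=True, timer_expired=timer_expired))
    groups.append(Group("VPN", [
        Rule("Allow IPsec ESP", "esp", ANY_PORT, "either"),
        Rule("Allow IKE", "udp", frozenset({500}), "in"),      # IKE uses UDP/500
        Rule("Allow GRE", "gre", ANY_PORT, "either"),
        Rule("Allow IKE Outbound", "udp", frozenset({500}), "out"),
    ]))
    # CAG "Allow all" groups come last, so they only see traffic nothing above has claimed
    groups.append(Group("CAG - VPN", [Rule("Allow all", "any", ANY_PORT, "either")]))
    return groups


HTTPS_OUT = Packet("tcp", 443, "out")   # constructed sample: the web traffic that was lost


def web_decision(web_in_timed_group: bool, timer_expired: bool) -> str:
    return evaluate(build_groups(web_in_timed_group, timer_expired), HTTPS_OUT)[0]


if __name__ == "__main__":
    for label, timed, expired in (("timed group, timer running", True, False),
                                  ("timed group, timer expired", True, True),
                                  ("HTTP/HTTPS in Basic Networking", False, True)):
        print(f"{label}: {evaluate(build_groups(timed, expired), HTTPS_OUT)}")
```

Running the block prints the decision for outbound HTTPS in each configuration: allowed while the timer runs, denied by the timed group once it expires (the CAG allow all is never reached), and allowed again once the rule lives in Basic Networking. IKE and ESP traffic is unaffected in all three cases, which matches Steve's report that the tunnel itself stayed up.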