Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Dynamic VPN requires logging in multiple times in some cases

0

0

Article ID: KB16477 KB Last Updated: 04 Mar 2017Version: 6.0
Summary:

For Dynamic VPN clients to be able to connect, two access profiles need to be configured; one under the 'security dynamic-vpn' stanza and another under 'security ike gateway'. If two different access profiles are configured, for example one for local authentication and the other for RADIUS authentication, then some confusion may arise with the user about when to use which credentials.

This may lead to the 'Authentication failure: Incorrect credentials' error message, when the user logs on to Dynamic VPN.

For this reason, it is strongly recommended to use the same access profile for both authentications.

Symptoms:
Symptoms:

  • The first Dynamic VPN connection requires authentication twice.

  • The next Dynamic VPN connections require only one user authentication.

  • If a different access profile is configured for each authentication (not recommended), the user may not always know which credentials to use when; leading to an authentication failure.
Solution:

When setting up the Dynamic VPN connection for the first time, the user needs to login twice.

The double login is only needed the first time that a Dynamic VPN connection is made, after installing the VPN client. From the second connection onwards, the user will only be prompted for the second authentication.

The reason for this is that the first time that a VPN connection is made, the VPN client configuration parameters, including a unique token, will be downloaded from the SRX device. From the second connection onwards the token will be used instead of the first authentication. This means that the user is then only requested to provide credentials once, using the credentials from the access profile configured under security ike gateway.

To avoid any confusion about which credentials to use and when to use them, it is strongly recommended to use the same access profile (using Radius or local authentication) in both locations of the configuration.

Here is a summary about when and which credentials to use.

The access profile configured under security dynamic-vpn is used for:

  • Logging on to https://firewall-ip/dynamic-vpn. This is used to download the Dynamic VPN client to the PC.

  • The first authentication request, at the first time a VPN is setup, after installing the Dynamic VPN client.

The access profile configured under security ike gateway is used for:

  • The second authentication request, at the first time a VPN is setup, after installing the Dynamic VPN client.

  • All subsequent Dynamic VPN connections.

For information on how to configure Dynamic VPN, refer to KB14318 - SRX Getting Started - Configure Dynamic VPN (VPN Client).

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search