[SRX] Example - Configuring Dynamic VPN on SRX while using NCP client (CLI instructions)

[KB32418]


Summary:

Dynamic VPN on SRX devices has been provided by the Pulse Secure client, which is still supported. Starting with Junos OS 15.1X49-D80, the NCP Exclusive Remote Access Client is used to provide Dynamic VPN functionality. Refer to the VPN section of the Release Notes for Junos OS 15.1X49-D80 for more information.

This article provides a configuration example using the CLI. For the same instructions using the GUI, refer to KB33935.

Note: Pulse Secure is still supported, but it is recommended to use the NCP client. 

Solution:

The NCP client is documented in Understanding IPsec VPNs with NCP Exclusive Remote Access Client, along with Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients, which uses RSA signatures (certificate-based authentication) as the authentication method.

This article provides another example, using a pre-shared key as the authentication method.

The working CLI configuration on the SRX is as follows.

Topology

192.168.199.0/24-----(192.168.199.1/24)ge-0/0/6-[SRX]-ge-0/0/3(10.10.10.2/24)-----Internet----Remote clients
                                        Trust            Untrust

IKE and IPSEC configuration

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400

set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$9$iqPT69pRhrz3hrev7Nik.Pz3/CtOIE"

set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "user1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2 <<<< Depends on the number of licenses purchased for NCP client
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/3  <<<< External interface which receives the VPN request
set security ike gateway remote-vpn1 aaa access-profile profile1
set security ike gateway remote-vpn1 version v1-only

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800

set security ipsec policy ipsec-policy proposals ipsec-prop1

set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 192.168.199.0/24 <<<< These are the local networks that you need to reach.
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0

Security zones and policies

set security policies from-zone untrust to-zone trust policy test match source-address any
set security policies from-zone untrust to-zone trust policy test match destination-address any
set security policies from-zone untrust to-zone trust policy test match application any
set security policies from-zone untrust to-zone trust policy test then permit
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols all
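The configuration above is a minimal working example: the IKE and IPsec proposals use MD5, 3DES and DH group 2, the untrust interface accepts every system service and protocol, and the untrust-to-trust policy permits any source to any destination. The following is an added hardening example, not part of the original article, that keeps the same names (ike-prop1, ike-pol2, remote-vpn1, ipsec-prop1, ipsec-policy, st0.0) and replaces the weak settings. The address-book names lan-192-168-199 and ncp-pool, the policy name ncp-to-lan and the management services allowed on the trust interface are assumptions for illustration; the NCP client profile must be configured with matching proposals for the tunnel to negotiate.

```junos
## Added example (not from the original article): stronger IKE phase 1 proposal.
## Aggressive mode with a pre-shared key (required here for shared-ike-id) sends an
## identity and a PSK-derived hash that can be captured for offline guessing, so the
## PSK must be long and random; it is shared by every remote user, and the XAuth
## password in the access profile is the only per-user secret.
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group14
set security ike proposal ike-prop1 authentication-algorithm sha-256
set security ike proposal ike-prop1 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop1 lifetime-seconds 28800

## Stronger IPsec phase 2 proposal, with PFS so a compromised phase 1 key
## does not expose the data keys.
set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 3600
set security ipsec policy ipsec-policy perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy proposals ipsec-prop1

## Untrust interface: only accept IKE (UDP 500 and 4500 for NAT traversal),
## instead of every system service and routing protocol.
delete security zones security-zone untrust host-inbound-traffic protocols all
delete security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
delete security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike

## Trust interface: management only from the inside (assumed service list).
delete security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services all
delete security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services ping

## Scope the policy to the client pool and the LAN it is allowed to reach
## (address-book entries and policy name are assumed), and log sessions.
set security address-book global address lan-192-168-199 192.168.199.0/24
set security address-book global address ncp-pool 10.1.1.0/24
delete security policies from-zone untrust to-zone trust policy test
set security policies from-zone untrust to-zone trust policy ncp-to-lan match source-address ncp-pool
set security policies from-zone untrust to-zone trust policy ncp-to-lan match destination-address lan-192-168-199
set security policies from-zone untrust to-zone trust policy ncp-to-lan match application any
set security policies from-zone untrust to-zone trust policy ncp-to-lan then permit
set security policies from-zone untrust to-zone trust policy ncp-to-lan then log session-close
```

The source-address match works because st0.0 sits in the untrust zone and the decrypted client traffic arrives from the xauth-pool addresses (10.1.1.0/24); if st0.0 is moved to its own zone, the policy must be written from that zone instead.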

Interface configuration and system services

set system services ssh
set system services web-management https system-generated-certificate
set interfaces ge-0/0/3 unit 0 family inet address 10.10.10.2/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.199.1/24
set interfaces st0 unit 0 family inet 

Access profile configuration

set access profile profile1 authentication-order password
set access profile profile1 client user1 firewall-user password "$9$yQ9eMLdb2GDkxNDk.P3nylKMxNVwYoZU"
set access profile profile1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 10.1.1.0/24  <<<<  IP address pool assigned to remote clients
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32
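Once the configuration is committed and a client connects, the following operational commands confirm that phase 1 and phase 2 negotiated and that the client was assigned an address from the pool. This is an added verification example, not part of the original article; the traceoptions file name ike-trace is an assumption, and the traceoptions should be removed again after troubleshooting because flag all is verbose.

```junos
## Added example (not from the original article): verifying the Dynamic VPN.
## Phase 1: expect one entry per connected client, state UP, with the
## ike-pol2 proposal (sha-256/aes-256-cbc/group14 if the hardened proposals are used).
show security ike security-associations
show security ike security-associations detail

## Lists each remote client with its assigned pool address and XAuth user.
show security ike active-peer

## Phase 2: inbound and outbound SAs for remote-vpn1 on st0.0; the traffic
## selector should show local 192.168.199.0/24 and remote 0.0.0.0/0.
show security ipsec security-associations
show security ipsec statistics

## Sessions that traverse the tunnel (useful to confirm the zone policy matched).
show security flow session tunnel

## When a client fails to connect, capture the IKE exchange (file name assumed);
## delete these lines once done.
set security ike traceoptions file ike-trace size 1m files 3
set security ike traceoptions flag all
commit
show log ike-trace
```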

Modification History:
2019/02/26: corrected link to GUI instructions.