
[SRX] Example - Configuring Dynamic VPN on SRX while using NCP client (CLI instructions)


Article ID: KB32418 KB Last Updated: 13 Feb 2020Version: 3.0
Summary:

Dynamic VPN on SRX devices has historically been provided through the Pulse Secure client software, which is still in use. Starting with Junos OS 15.1X49-D80, the NCP client software is used to provide the Dynamic VPN functionality. Refer to the VPN section of the 15.1X49-D80 Release Notes for more information.

This article provides a configuration example using the CLI. For the same instructions using the GUI, refer to KB33935.
 

Solution:

The NCP client is documented in "Understanding IPsec VPNs with NCP Exclusive Remote Access Client", together with "Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients", which uses RSA signatures (certificate-based) as the authentication method.

The example below uses a pre-shared key as the authentication method instead.

The working CLI configuration on the SRX is as follows.

Topology

192.168.199.0/24-----(192.168.199.1/24)ge-0/0/6-[SRX]-ge-0/0/3(10.10.10.2/24)-----Internet----Remote clients
                                        Trust            Untrust

IKE and IPSEC configuration

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400

set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$ABC123"

set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "user1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2 <<<< Depends on the number of licenses purchased for NCP client
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/3  <<<< External interface which receives the VPN request
set security ike gateway remote-vpn1 aaa access-profile profile1
set security ike gateway remote-vpn1 version v1-only

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800

set security ipsec policy ipsec-policy proposals ipsec-prop1

set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 192.168.199.0/24 <<<< These are the local networks that you need to reach.
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
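Note on the proposals above: they use IKEv1 aggressive mode with a single pre-shared key shared by every client (ike-user-type shared-ike-id), MD5, 3DES and DH group 2. With a dynamic peer and a pre-shared key, aggressive mode cannot be avoided, and aggressive mode sends the PSK-derived hash in the clear, so anyone who captures the first exchange can brute-force the group PSK offline; per-user security then rests entirely on the XAuth credentials in the access profile. Use a long random PSK rather than a placeholder like "$ABC123", and consider the certificate-based example referenced above for production use. The following stronger proposal set is an added example, not part of the original article: it reuses the names ike-prop1 and ipsec-prop1 so that each set statement overrides the corresponding single-valued leaf above, and it assumes the NCP client profile is changed to offer the same algorithms (the client must match the SRX proposal or IKE negotiation fails).

```junos
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group14                       <<<< 2048-bit MODP instead of group2 (1024-bit)
set security ike proposal ike-prop1 authentication-algorithm sha-256      <<<< replaces md5
set security ike proposal ike-prop1 encryption-algorithm aes-256-cbc      <<<< replaces 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 28800

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-sha-256-128   <<<< replaces hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm aes-256-cbc             <<<< replaces 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 3600

set security ipsec policy ipsec-policy perfect-forward-secrecy keys group14          <<<< fresh DH exchange for every Phase 2 SA
set security ipsec policy ipsec-policy proposals ipsec-prop1
```

Phase 2 PFS is optional in the original example; adding it means a recovered Phase 1 key does not expose earlier IPsec traffic. After committing, reconnect the NCP client and check that the negotiated algorithms shown by "show security ike security-associations detail" are the ones configured here.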

Security zones and policies

set security policies from-zone untrust to-zone trust policy test match source-address any
set security policies from-zone untrust to-zone trust policy test match destination-address any
set security policies from-zone untrust to-zone trust policy test match application any
set security policies from-zone untrust to-zone trust policy test then permit
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/6.0 host-inbound-traffic protocols all
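The zone and policy section above permits any source to any destination from untrust to trust, places st0.0 in the untrust zone, and enables all host-inbound system services and protocols on ge-0/0/3.0. Combined with "set system services ssh" and "set system services web-management https" in the next section, that exposes SSH and J-Web to the Internet on the external interface. The following is an added example, not part of the original article, showing a tighter version of the same design: the tunnel interface is moved into its own zone, the permit policy only matches the client address pool, and the external interface accepts only IKE (UDP 500/4500; ESP for established tunnels is accepted without a separate entry). The zone name vpn, the address-book entry ncp-client-pool and the policy name ncp-clients are assumed names.

```junos
delete security policies from-zone untrust to-zone trust policy test
delete security zones security-zone untrust host-inbound-traffic protocols all
delete security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic
delete security zones security-zone untrust interfaces st0.0

set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike   <<<< IKE only on the Internet-facing interface
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ping  <<<< optional, for reachability tests

set security zones security-zone vpn interfaces st0.0        <<<< dedicated zone for tunnelled client traffic

set security address-book global address ncp-client-pool 10.1.1.0/24   <<<< same prefix as the xauth-pool address pool

set security policies from-zone vpn to-zone trust policy ncp-clients match source-address ncp-client-pool
set security policies from-zone vpn to-zone trust policy ncp-clients match destination-address any
set security policies from-zone vpn to-zone trust policy ncp-clients match application any
set security policies from-zone vpn to-zone trust policy ncp-clients then permit
set security policies from-zone vpn to-zone trust policy ncp-clients then log session-close   <<<< per-session audit trail for remote users
```

Management access (SSH, HTTPS) stays reachable from the trust zone, where ge-0/0/6.0 still allows all system services. If administrators must manage the SRX over the VPN, add the needed services to the vpn zone rather than to untrust.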

Interface configuration and system services

set system services ssh
set system services web-management https system-generated-certificate
set interfaces ge-0/0/3 unit 0 family inet address 10.10.10.2/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.199.1/24
set interfaces st0 unit 0 family inet 

Access profile configuration

set access profile profile1 authentication-order password
set access profile profile1 client user1 firewall-user password "$ABC123"
set access profile profile1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 10.1.1.0/24  <<<<  IP address pool assigned to remote clients
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32
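Verification commands for this configuration, added here as an example and not part of the original article. They assume the NCP client for user1 has connected to 10.10.10.2 and that IKE traceoptions are enabled only while troubleshooting (the trace file name ike-trace is an assumed name).

```junos
user@srx> show security ike security-associations          <<<< one Phase 1 SA per connected client, State UP
user@srx> show security ike security-associations detail   <<<< negotiated mode, DH group and algorithms
user@srx> show security ike active-peer                    <<<< remote address, IKE ID and XAuth user name of each dynamic peer
user@srx> show security ipsec security-associations        <<<< Phase 2 SAs, one inbound/outbound pair per traffic selector
user@srx> show security ipsec statistics                   <<<< encrypted/decrypted counters must increase while the client passes traffic
user@srx> show security flow session source-prefix 10.1.1.0/24   <<<< sessions from the client pool into the trust network
user@srx> show log messages | match kmd                    <<<< IKE daemon messages, including proposal mismatch and XAuth failures

user@srx> configure
user@srx# set security ike traceoptions file ike-trace size 1m files 3
user@srx# set security ike traceoptions flag all
user@srx# commit
user@srx# exit
user@srx> show log ike-trace                               <<<< full IKE exchange, useful when the client fails before Phase 1 completes
```

Remove the traceoptions again after troubleshooting ("delete security ike traceoptions"), since flag all logs heavily and the trace file may contain peer identities. A Phase 1 SA that never reaches UP usually means the client's IKE ID does not match "user1@juniper.net" or the PSK differs; a Phase 1 SA that is UP with no Phase 2 SA usually means the client's traffic selector or IPsec proposal does not match what is configured on the SRX.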

 
Modification History:
2019-02-26: corrected link to GUI instructions.