
[SRX] VPN connections using NCP Client Software support traffic initiated from remote protected resources to VPN client

[KB32546]


Summary:

Traffic initiated from the Protected Resource to the VPN Client can pass through the VPN tunnel using NCP Client Software.

Dynamic VPNs using Pulse Client Software have a limitation that prevents traffic from being initiated from the remote protected resource to the Pulse client (refer to KB21800).

Symptoms:

VPNs established between an SRX and NCP clients support traffic initiated from the remote protected resource.

Solution:

VPNs established between SRX devices and NCP Client software allow traffic to be initiated either from the VPN client or from the remote protected resource, because the VPN is route-based, which allows the session to be set up in either direction.

Note: Juniper specific NCP client is available for SRX deployments using Junos OS 15.1X49-D80 or higher by using NCP Exclusive Remote Access Solution for Juniper SRX Series.

Refer to the following links for NCP:


Topology:



Client(NCP_Client_Software)----(ge-0/0/0)_SRX_(ge-0/0/1)----Remote_protected_resource(1.1.1.1/32)
 

Configuration on SRX:

Phase1:

set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$9$0/S5OhrW87Vs4xNjH.mTQhSy"
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "win1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/0
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set security ike gateway remote-vpn1 version v1-only

 

Phase2:

set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource that the client wants to reach
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0

 

Access_profile:

set access profile aaa-prof1 authentication-order password
set access profile aaa-prof1 client win1 firewall-user password "$9$K2yWXNs2aikPdbkP5Q9CKM8"
set access profile aaa-prof1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24 <-- Subnet from which the client's IP is assigned
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32

Other configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone VM_SRX_340 interfaces st0.0

 

Security policies for bi-direction traffic:

set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match destination-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match application any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit 

set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match destination-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match application any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit

 

On NCP Client:

Add the remote protected resource subnet under split tunneling (Configuration > Profiles > Edit > Split Tunneling)
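As an added example (not from this article or Juniper), the following Python audit parses a constructed subset of the set-commands above and checks the three things the bidirectional setup depends on: the traffic selector's local-ip covers the protected resource, a permit policy exists in both directions between the zone holding st0.0 and the resource zone, and the lab proposal settings (md5, 3des-cbc, group2, aggressive mode) are flagged so that a production deployment replaces them. The function names, the WEAK table and the assumption that 340_210_r2323 is the protected resource's zone are mine.

```python
import ipaddress

# Constructed sample: a subset of the SRX set-commands shown in this article.
SAMPLE_CONFIG = """
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike policy ike-pol2 mode aggressive
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- protected resource
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
set security zones security-zone VM_SRX_340 interfaces st0.0
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permit
"""

# Hypothetical reviewer list of weak IKE/IPsec settings (not a Juniper-defined table).
WEAK = {"md5": "MD5 authentication", "hmac-md5-96": "HMAC-MD5 integrity", "3des-cbc": "3DES encryption",
        "aggressive": "IKEv1 aggressive mode", "group1": "768-bit DH", "group2": "1024-bit DH"}

def parse_set_lines(text):
    """Tokenize 'set ...' lines, dropping any trailing '<-- comment' annotation."""
    return [line.split("<--")[0].split() for line in text.splitlines() if line.startswith("set ")]

def vpn_zone(cfg, vpn):
    """Zone that holds the VPN's bind-interface (st0.x), or None if either lookup fails."""
    st0 = next((t[6] for t in cfg if t[:6] == ["set", "security", "ipsec", "vpn", vpn, "bind-interface"]), None)
    return next((t[4] for t in cfg if t[:4] == ["set", "security", "zones", "security-zone"]
                 and t[5:7] == ["interfaces", st0]), None)

def selector_covers(cfg, vpn, resource_ip):
    """True if a traffic-selector local-ip prefix of the VPN contains the protected resource."""
    ip = ipaddress.ip_address(resource_ip)
    return any(ip in ipaddress.ip_network(t[8], strict=False) for t in cfg
               if len(t) > 8 and t[3:6] == ["vpn", vpn, "traffic-selector"] and t[7] == "local-ip")

def bidirectional_permit(cfg, zone_a, zone_b):
    """True only if a 'then permit' policy exists in both directions between the two zones."""
    dirs = {(t[4], t[6]) for t in cfg
            if t[:4] == ["set", "security", "policies", "from-zone"] and t[-2:] == ["then", "permit"]}
    return (zone_a, zone_b) in dirs and (zone_b, zone_a) in dirs

def weak_crypto_findings(cfg):
    """Sorted descriptions of weak IKE/IPsec settings present in the configuration."""
    return sorted({WEAK[t[-1]] for t in cfg if t[1:3] in (["security", "ike"], ["security", "ipsec"]) and t[-1] in WEAK})

def audit(text, vpn, resource_ip, resource_zone):
    cfg = parse_set_lines(text)
    zone = vpn_zone(cfg, vpn)  # policies are evaluated from the zone that contains st0.0
    return {"selector_covers_resource": selector_covers(cfg, vpn, resource_ip),
            "bidirectional_policies": zone is not None and bidirectional_permit(cfg, zone, resource_zone),
            "weak_crypto": weak_crypto_findings(cfg)}
```

Run `audit(SAMPLE_CONFIG, "remote-vpn1", "1.1.1.1", "340_210_r2323")` against the full `show configuration | display set` output to catch a missing reverse policy before testing reachability from the resource side.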


 

Verification:

root@srx340-r2012# run show security ike active-peer
Remote Address      Port     Peer IKE-ID          AAA username     Assigned IP
10.1.1.2            10952    win1@juniper.net     win1             30.1.1.1     
      
 
Client to remote-protected-resource
C:\Windows\system32>ping 1.1.1.1

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63

 
Reachability from Remote_protected_resource to Client

root@srx210he2-r2323# run ping 30.1.1.1 source 1.1.1.1
PING 30.1.1.1 (30.1.1.1): 56 data bytes
64 bytes from 30.1.1.1: icmp_seq=0 ttl=127 time=3.336 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=127 time=3.526 ms

 
Related Links: