Knowledge Base
Search our Knowledge Base sites to find answers to your questions.
Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles[SRX] VPN connections using NCP Client Software support traffic initiated from remote protected resources to VPN client
Symptoms:
Solution:
VPNs established between SRX devices and NCP Client software allow for traffic being initiated from either from the VPN client or from the remote protected resource using a route-based VPN concept allowing the bi-directional session setup.
Note: Juniper specific NCP client is available for SRX deployments using Junos OS 15.1X49-D80 or higher by using NCP Exclusive Remote Access Solution for Juniper SRX Series.
Refer to the following links for NCP:
- KB17266 - NCP Secure Client – Juniper Edition (IPsec client) FAQ
- KB31616 - Juniper SRX Remote Access Solution - Frequently Asked Questions (FAQ)
Topology:
Client(NCP_Client_Software)----(ge-0/0/0)_SRX_(ge-0/0/1)----Remote_protected_resource(1.1.1.1/32)
Configuration on SRX:
Phase1:
set security ike proposal ike-prop1 authentication-method pre-shared-keys
set security ike proposal ike-prop1 dh-group group2
set security ike proposal ike-prop1 authentication-algorithm md5
set security ike proposal ike-prop1 encryption-algorithm 3des-cbc
set security ike proposal ike-prop1 lifetime-seconds 86400
set security ike policy ike-pol2 mode aggressive
set security ike policy ike-pol2 proposals ike-prop1
set security ike policy ike-pol2 pre-shared-key ascii-text "$9$0/S5OhrW87Vs4xNjH.mTQhSy"
set security ike gateway remote-vpn1 ike-policy ike-pol2
set security ike gateway remote-vpn1 dynamic hostname "win1@juniper.net"
set security ike gateway remote-vpn1 dynamic connections-limit 2
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 external-interface ge-0/0/0
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set security ike gateway remote-vpn1 version v1-onlyPhase2:
set security ipsec proposal ipsec-prop1 protocol esp
set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-prop1 lifetime-seconds 28800
set security ipsec policy ipsec-policy proposals ipsec-prop1
set security ipsec vpn remote-vpn1 bind-interface st0.0
set security ipsec vpn remote-vpn1 ike gateway remote-vpn1
set security ipsec vpn remote-vpn1 ike ipsec-policy ipsec-policy
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 1.1.1.1/32 <-- Remote_protected_resource to which client wants to reach
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0Access_profile:
set access profile aaa-prof1 authentication-order password
set access profile aaa-prof1 client win1 firewall-user password "$9$K2yWXNs2aikPdbkP5Q9CKM8"
set access profile aaa-prof1 address-assignment pool xauth-pool
set access address-assignment pool xauth-pool family inet network 30.1.1.0/24 <--Subnet from which IP assigned to Client
set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 4.2.2.2/32Other configuration:
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone VM_SRX_340 interfaces ge-0/0/0.0 host-inbound-traffic protocols all
set security zones security-zone VM_SRX_340 interfaces st0.0Security policies for bi-direction traffic:
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match source-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match destination-address any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX match application any
set security policies from-zone VM_SRX_340 to-zone 340_210_r2323 policy VM_SRX then permit
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match source-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match destination-address any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM match application any
set security policies from-zone 340_210_r2323 to-zone VM_SRX_340 policy SRX_VM then permitOn NCP Client:
Add the remote-protected resource subnet under split-tunneling (Configuration > Profiles > Edit > Spli_tunneling)
Verification:
root@srx340-r2012# run show security ike active-peer
Remote Address Port Peer IKE-ID AAA username Assigned IP
10.1.1.2 10952 win1@juniper.net win1 30.1.1.1 Client to remote-protected-resource
C:\Windows\system32>ping 1.1.1.1
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63
Reply from 1.1.1.1: bytes=32 time=1ms TTL=63Reachibility from Remote_protected-resource to Client
root@srx210he2-r2323# run ping 30.1.1.1 source 1.1.1.1
PING 30.1.1.1 (30.1.1.1): 56 data bytes
64 bytes from 30.1.1.1: icmp_seq=0 ttl=127 time=3.336 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=127 time=3.526 msGetting Up and Running with Junos
Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search