Monday, November 13, 2017

Juniper SRX and Pulse client dialup

The small-branch models of the Juniper SRX appliances typically come with two VPN licenses. You can easily set the SRX up for IPsec dialup remote access.


The J-Web GUI wizard does a good job of building a simple, effective dialup profile with local accounts.

Here are the final Junos CLI config details that seem to work best with the Pulse client.


IKE phase 1 using the standard proposal set (DH group 2, AES-128, SHA-1):

set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text KEEPITSECURED
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname GROUPIDHERE
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security ike gateway gw_wizard_dyn_vpn version v1-only




IPsec phase 2 using the standard proposal set (DH group 2, AES-128, SHA-1) with PFS:

set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn



set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients wizard-dyn-group user socpuppets


set access profile remote_access_profile client socpuppets firewall-user password  mypasswordhere
set access firewall-authentication web-authentication default-profile remote_access_profile


set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool



You need to ensure that the IKE service is allowed on the untrust interface, or whichever interface the VPN clients will connect to. If you get any log message of "no response", then 99.99% of the time it's due to the firewall engineer forgetting to enable IKE.

e.g.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike



The wizard will also set a firewall policy that you can later modify with the "services" you want. Note that the wizard's version matches any application, so it should be tightened to the services the clients actually need.


set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
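As an added check for the two pitfalls above (IKE not allowed on the external interface, and the wizard's any-application tunnel policy), here is a small Python linter for a set-style Junos config. It is example code written for this post, not part of the SRX or the wizard; the sample config it parses is constructed from the lines shown above, with the host-inbound-traffic line left out so the IKE check fires.

```python
"""Lint a Junos set-style config for the two dynamic-VPN pitfalls described above."""
import re

# Constructed sample based on this page's wizard config, deliberately missing the
# host-inbound-traffic line so the IKE check fires.
SAMPLE_CFG = """
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
"""
IKE_ALLOW = "set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike\n"

def parse_set_lines(text):
    """Tokenise each 'set ...' statement (quoted values stay one token) and drop the 'set'."""
    return [re.findall(r'"[^"]*"|\S+', ln.strip())[1:]
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def ike_allowed(stmts, ifname):
    """True if IKE (or all services) is allowed for ifname at interface or zone level."""
    zone = None
    for z in stmts:
        if z[:3] == ["security", "zones", "security-zone"] and "interfaces" in z \
                and z[z.index("interfaces") + 1] == ifname:
            zone = z[3]  # remember which zone holds the interface
            if z[-3:-1] == ["host-inbound-traffic", "system-services"] and z[-1] in ("ike", "all"):
                return True
    zone_wide = ["security", "zones", "security-zone", zone, "host-inbound-traffic", "system-services"]
    return any(z[:6] == zone_wide and z[-1] in ("ike", "all") for z in stmts)

def lint_dynamic_vpn(text):
    """Return a list of finding strings; an empty list means both checks passed."""
    stmts = parse_set_lines(text)
    findings = []
    # Check 1: the gateway's external interface must accept IKE, or clients log "no response".
    for s in stmts:
        if s[:3] == ["security", "ike", "gateway"] and "external-interface" in s:
            ifname = s[s.index("external-interface") + 1]
            if not ike_allowed(stmts, ifname):
                findings.append(f"gateway {s[3]}: IKE not allowed on {ifname}; clients will see 'no response'")
    # Check 2: a tunnel policy still at 'match application any' should be narrowed to needed services.
    prefixes = {tuple(s[:8]) for s in stmts
                if s[:2] == ["security", "policies"] and s[8:12] == ["then", "permit", "tunnel", "ipsec-vpn"]}
    for p in sorted(prefixes):
        if list(p) + ["match", "application", "any"] in stmts:
            findings.append(f"policy {p[7]}: tunnel policy permits any application; restrict it")
    return findings
```

Run it against the output of "show configuration | display set" from the SRX; appending IKE_ALLOW to the sample clears the first finding and leaves only the policy warning.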




After a client connects, you can validate the Phase 1/Phase 2 security association details.

e.g.







The NCP remote-access client setup is very similar, by the way.



Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
