Dynamic VPN in SRX

Here is my simple dynamic vpn configuration.  I have tested it and it works:) However I could only use windows clients in my setup although I tried so hard to get a working linux client, debugging didn’t provide me any useful information. Here is the config:

1) First configure profile config which contains users and ip assignments for the VPN.

[edit]
root@hub# show access
profile dyn-vpn-prof1 {
    client john {
        firewall-user {
            password "$9$5znCO1hKMXtuMX7-2gTz36tuBIEyev"; ## SECRET-DATA
       }
    }
    address-assignment {
        pool pool1;
    }
}
address-assignment {
    pool pool1 {
        family inet {
            network 192.168.200.0/24;
           range range1 {
                low 192.168.200.20;
                high 192.168.200.40;
            }
            xauth-attributes {
                primary-dns 8.8.8.8/32;
            }
        }
   }
}
firewall-authentication {
    web-authentication {
        default-profile dyn-vpn-prof1;
    }
}

SET command output of access config

[edit]
root@hub# show access | display set
set access profile dyn-vpn-prof1 client john firewall-user password "$9$5znCO1hKMXtuMX7-2gTz36tuBIEyev"
set access profile dyn-vpn-prof1 address-assignment pool pool1
set access address-assignment pool pool1 family inet network 192.168.200.0/24
set access address-assignment pool pool1 family inet range range1 low 192.168.200.20
set access address-assignment pool pool1 family inet range range1 high 192.168.200.40
set access address-assignment pool pool1 family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile dyn-vpn-prof1

2) Enable https on SRX

[edit]
root@hub# show system services web-management
https {
    system-generated-certificate;
   interface vlan.11;
}

SET command output of https config

[edit]
root@hub# show system services web-management | display set
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.11

3) Setup IKE Configuration

[edit]
root@hub# show security ike
proposal ike-dyn-prop1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
}
policy ike-dyn-pol1 {
    mode aggressive;
    proposals ike-dyn-prop1;
    pre-shared-key ascii-text "$9$QQpG3/t1RSM87uO87-V4oz369uOIEclvW"; ## SECRET-DATA
}
gateway gw-dyn-1 {
    ike-policy ike-dyn-pol1;
    dynamic {
        hostname rtoodtoo.net;
        connections-limit 2;
    }
    external-interface vlan.11;
    xauth access-profile dyn-vpn-prof1;
}

SET command output of IKE

[edit]
root@hub# show security ike | display set
set security ike proposal ike-dyn-prop1 authentication-method pre-shared-keys
set security ike proposal ike-dyn-prop1 dh-group group2
set security ike proposal ike-dyn-prop1 authentication-algorithm md5
set security ike proposal ike-dyn-prop1 encryption-algorithm 3des-cbc
set security ike policy ike-dyn-pol1 mode aggressive
set security ike policy ike-dyn-pol1 proposals ike-dyn-prop1
set security ike policy ike-dyn-pol1 pre-shared-key ascii-text "$9$QQpG3/t1RSM87uO87-V4oz369uOIEclvW"
set security ike gateway gw-dyn-1 ike-policy ike-dyn-pol1
set security ike gateway gw-dyn-1 dynamic hostname rtoodtoo.net
set security ike gateway gw-dyn-1 dynamic connections-limit 2
set security ike gateway gw-dyn-1 external-interface vlan.11
set security ike gateway gw-dyn-1 xauth access-profile dyn-vpn-prof1

4) Setup IPSEC configuration

[edit]
root@hub# show security ipsec
proposal dyn-prop-ph2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-dyn-pol {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals dyn-prop-ph2;
}
vpn vpn-dyn {
    ike {
        gateway gw-dyn-1;
        ipsec-policy ipsec-dyn-pol;
    }
}

SET Command output of IPSEC config

[edit]
root@hub# show security ipsec | display set
set security ipsec proposal dyn-prop-ph2 protocol esp
set security ipsec proposal dyn-prop-ph2 authentication-algorithm hmac-sha1-96
set security ipsec proposal dyn-prop-ph2 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-dyn-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-pol proposals dyn-prop-ph2
set security ipsec vpn vpn-dyn ike gateway gw-dyn-1
set security ipsec vpn vpn-dyn ike ipsec-policy ipsec-dyn-pol

5) Setup Dynamic VPN Configuration

[edit]
root@hub# show security dynamic-vpn
access-profile dyn-vpn-prof1;
clients {
    client-config {
        remote-protected-resources {
            192.168.0.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn vpn-dyn;
        user {
            john;
        }
    }
}

SET command output of dynamic vpn config

[edit]
root@hub# show security ipsec | display set
set security ipsec proposal dyn-prop-ph2 protocol esp
set security ipsec proposal dyn-prop-ph2 authentication-algorithm hmac-sha1-96
set security ipsec proposal dyn-prop-ph2 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-dyn-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-pol proposals dyn-prop-ph2
set security ipsec vpn vpn-dyn ike gateway gw-dyn-1
set security ipsec vpn vpn-dyn ike ipsec-policy ipsec-dyn-pol

6) dyn-vpn Zone Configuration

[edit]
root@hub# show security zones security-zone dyn-vpn
host-inbound-traffic {
    system-services {
        http;
        https;
        ping;
        ike;
    }
}
interfaces {
    vlan.11;
}

SET command output of dyn-vpn zone configuration

root@hub# show security zones security-zone dyn-vpn | display set
set security zones security-zone dyn-vpn host-inbound-traffic system-services http
set security zones security-zone dyn-vpn host-inbound-traffic system-services https
set security zones security-zone dyn-vpn host-inbound-traffic system-services ping
set security zones security-zone dyn-vpn host-inbound-traffic system-services ike
set security zones security-zone dyn-vpn interfaces vlan.11

7) Security Policy Configuration

[edit]
root@hub# show security policies from-zone dyn-vpn to-zone home-pcs
policy dyn-vpn-pol1 {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn vpn-dyn;
            }
        }
    }
}

SET command output of policy configuration

[edit]
root@hub# show security policies from-zone dyn-vpn to-zone home-pcs | display set
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match source-address any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match destination-address any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match application any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 then permit tunnel ipsec-vpn vpn-dyn

Client SIDE:

After all this configuration if you point your browser at https://192.168.1.1/dynamic-vpn (assuming 192.168.1.1 is outside ip address on vlan.11 interface) you will receive authentication window and after providing john as username and password, you should be able to download Network Access Manager or Junos Pulse (depending on the version of Junos) and connect to internal network.

FREE RADIUS CONFIG

If you want to authenticate users via radius instead of local, you should change access-profile as below;

root@host# show
authentication-order [ radius password ];
client john {
firewall-user {
password "$9$WZWX-woaUkmTGDkPTQCABIEcyKsYo"; ## SECRET-DATA
}
}
address-assignment {
pool sales-addr-pool;
}
radius-server {
172.30.73.219 secret "$9$2VoGiPfz/A0QF/t0OSyM8X7-wHkP"; ## SECRET-DATA
}

SET command output:

[edit access profile dyn-vpn-prof1]
root@host# show | display set
set access profile dyn-vpn-prof1 authentication-order radius
set access profiledyn-vpn-prof1 authentication-order password
set access profile dyn-vpn-prof1 client john firewall-user password "$9$WZWX-woaUkmTGDkPTQCABIEcyKsYo"
set access profile dyn-vpn-prof1 address-assignment pool sales-addr-pool
set access profile dyn-vpn-prof1 radius-server 172.30.73.219 secret "$9$2VoxiPfz/A0QF/t0OSyM8X7-wHkP"

Below is also my MySQL table in my freeradius database for a single user:

mysql> select * from radcheck;
+----+----------+--------------------+----+------------+
| id | username | attribute          | op | value      |
+----+----------+--------------------+----+------------+
|  1 | raduser1 | Cleartext-Password | := | juniper123 |
+----+----------+--------------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------+----+-------------+
| id | groupname | attribute    | op | value       |
+----+-----------+--------------+----+-------------+
|  2 | sales     | Service-Type | =  | Framed-User |
+----+-----------+--------------+----+-------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+----------+-------------------+----+---------------+
| id | username | attribute         | op | value         |
+----+----------+-------------------+----+---------------+
|  1 | raduser1 | Framed-IP-Address | =  | 10.10.10.103  |
|  2 | raduser1 | Framed-IP-Netmask | =  | 255.255.255.0 |
+----+----------+-------------------+----+---------------+
2 rows in set (0.00 sec)

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| raduser1 | sales     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)

///UPDATE:
After I wrote this document, while I was playing with dynamic VPN on junos 10.4R6.5, I noticed that my vpn client cannot pass phase1 and it fails on IKE. When I checked my ike debug log, I saw the following error logs;

Oct 13 19:42:58 KMD_INTERNAL_ERROR: Number of connections (0) for the ike gateway gate-dynamic exceeds connection limit. Terminating the connection
Oct 13 19:42:58 Unable to find ike gateway as remote peer:192.168.1.2 is not recognized.
Oct 13 19:42:58 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.10.10.1) p1_remote=fqdn(udp:0,[0..12]=user1srx1.com)

The thing is junos doesn’t force you to set this max connection limit. After I set the connection limit in my config then my client could connect. Here is the config snippet;

[edit security ike gateway gate-dynamic]
root@srx1# show
ike-policy ike-pol;
dynamic {
    hostname rtoodtoo.net;
    connections-limit 2;
}
external-interface vlan.11;
xauth access-profile dynamic-profile;

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE


10 thoughts on “Dynamic VPN in SRX”

  1. Hi,
    I am a newbie in juniper field.
    I’ve tried your example of Dynamic VPN in SRX but there are a few problems.
    Vlan.11 is not defined
    home-pcs – is not defined

    1. Apparently I forgot to paste interface and zone config. Thanks for pointing this but I don’t have the config at the moment. vlan.11 seems to have 192.168.1.1 address and home-pcs should be a simple internal facing zone.

    1. Aaron, I think I did dynamic VPN tests both on 11.4 and 12.1 and don’t recall of having seen this issue.
      As recommended in the forum, I think it is better to contact JTAC for investigation if it hasn’t been done so far.

  2. Thanks for your insight. I’m struggling in getting more then one hard coded user to work. There is the possibility to name “user-groups” instead of “user”, but I can’t figure out what to fill in here.
    Also if I look at the ldap lookup via traceoptions it stops where the bind succeeds.

Leave a Reply to Aaron Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.