Dynamic VPN in SRX
Here is my simple dynamic VPN configuration. I have tested it and it works :) However, I could only use Windows clients in my setup; although I tried hard to get a working Linux client, debugging didn't provide me any useful information. Here is the config:
1) First configure the access profile, which contains the users and IP address assignments for the VPN.
[edit]
root@hub# show access
profile dyn-vpn-prof1 {
    client john {
        firewall-user {
            password "$9$5znCO1hKMXtuMX7-2gTz36tuBIEyev"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool pool1;
    }
}
address-assignment {
    pool pool1 {
        family inet {
            network 192.168.200.0/24;
            range range1 {
                low 192.168.200.20;
                high 192.168.200.40;
            }
            xauth-attributes {
                primary-dns 8.8.8.8/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile dyn-vpn-prof1;
    }
}
SET command output of access config
[edit]
root@hub# show access | display set
set access profile dyn-vpn-prof1 client john firewall-user password "$9$5znCO1hKMXtuMX7-2gTz36tuBIEyev"
set access profile dyn-vpn-prof1 address-assignment pool pool1
set access address-assignment pool pool1 family inet network 192.168.200.0/24
set access address-assignment pool pool1 family inet range range1 low 192.168.200.20
set access address-assignment pool pool1 family inet range range1 high 192.168.200.40
set access address-assignment pool pool1 family inet xauth-attributes primary-dns 8.8.8.8/32
set access firewall-authentication web-authentication default-profile dyn-vpn-prof1
2) Enable HTTPS on the SRX
[edit]
root@hub# show system services web-management
https {
    system-generated-certificate;
    interface vlan.11;
}
SET command output of HTTPS config
[edit]
root@hub# show system services web-management | display set
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.11
3) Setup IKE Configuration (note that the md5/3des-cbc proposal and aggressive mode shown here are weak by today's standards; use them only if your client requires them)
[edit]
root@hub# show security ike
proposal ike-dyn-prop1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
}
policy ike-dyn-pol1 {
    mode aggressive;
    proposals ike-dyn-prop1;
    pre-shared-key ascii-text "$9$QQpG3/t1RSM87uO87-V4oz369uOIEclvW"; ## SECRET-DATA
}
gateway gw-dyn-1 {
    ike-policy ike-dyn-pol1;
    dynamic {
        hostname rtoodtoo.net;
        connections-limit 2;
    }
    external-interface vlan.11;
    xauth access-profile dyn-vpn-prof1;
}
SET command output of IKE
[edit]
root@hub# show security ike | display set
set security ike proposal ike-dyn-prop1 authentication-method pre-shared-keys
set security ike proposal ike-dyn-prop1 dh-group group2
set security ike proposal ike-dyn-prop1 authentication-algorithm md5
set security ike proposal ike-dyn-prop1 encryption-algorithm 3des-cbc
set security ike policy ike-dyn-pol1 mode aggressive
set security ike policy ike-dyn-pol1 proposals ike-dyn-prop1
set security ike policy ike-dyn-pol1 pre-shared-key ascii-text "$9$QQpG3/t1RSM87uO87-V4oz369uOIEclvW"
set security ike gateway gw-dyn-1 ike-policy ike-dyn-pol1
set security ike gateway gw-dyn-1 dynamic hostname rtoodtoo.net
set security ike gateway gw-dyn-1 dynamic connections-limit 2
set security ike gateway gw-dyn-1 external-interface vlan.11
set security ike gateway gw-dyn-1 xauth access-profile dyn-vpn-prof1
4) Setup IPsec Configuration
[edit]
root@hub# show security ipsec
proposal dyn-prop-ph2 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-dyn-pol {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals dyn-prop-ph2;
}
vpn vpn-dyn {
    ike {
        gateway gw-dyn-1;
        ipsec-policy ipsec-dyn-pol;
    }
}
SET command output of IPsec config
[edit]
root@hub# show security ipsec | display set
set security ipsec proposal dyn-prop-ph2 protocol esp
set security ipsec proposal dyn-prop-ph2 authentication-algorithm hmac-sha1-96
set security ipsec proposal dyn-prop-ph2 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-dyn-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-pol proposals dyn-prop-ph2
set security ipsec vpn vpn-dyn ike gateway gw-dyn-1
set security ipsec vpn vpn-dyn ike ipsec-policy ipsec-dyn-pol
5) Setup Dynamic VPN Configuration
[edit]
root@hub# show security dynamic-vpn
access-profile dyn-vpn-prof1;
clients {
    client-config {
        remote-protected-resources {
            192.168.0.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn vpn-dyn;
        user {
            john;
        }
    }
}
SET command output of dynamic vpn config
[edit]
root@hub# show security dynamic-vpn | display set
set security dynamic-vpn access-profile dyn-vpn-prof1
set security dynamic-vpn clients client-config remote-protected-resources 192.168.0.0/24
set security dynamic-vpn clients client-config remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients client-config ipsec-vpn vpn-dyn
set security dynamic-vpn clients client-config user john
6) dyn-vpn Zone Configuration
[edit]
root@hub# show security zones security-zone dyn-vpn
host-inbound-traffic {
    system-services {
        http;
        https;
        ping;
        ike;
    }
}
interfaces {
    vlan.11;
}
SET command output of dyn-vpn zone configuration
root@hub# show security zones security-zone dyn-vpn | display set
set security zones security-zone dyn-vpn host-inbound-traffic system-services http
set security zones security-zone dyn-vpn host-inbound-traffic system-services https
set security zones security-zone dyn-vpn host-inbound-traffic system-services ping
set security zones security-zone dyn-vpn host-inbound-traffic system-services ike
set security zones security-zone dyn-vpn interfaces vlan.11
7) Security Policy Configuration
[edit]
root@hub# show security policies from-zone dyn-vpn to-zone home-pcs
policy dyn-vpn-pol1 {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn vpn-dyn;
            }
        }
    }
}
SET command output of policy configuration
[edit]
root@hub# show security policies from-zone dyn-vpn to-zone home-pcs | display set
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match source-address any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match destination-address any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 match application any
set security policies from-zone dyn-vpn to-zone home-pcs policy dyn-vpn-pol1 then permit tunnel ipsec-vpn vpn-dyn
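Each step above pairs a hierarchical stanza with its `| display set` form, and a mispasted set block is easy to miss. As an added example (not from the original post), the Python below flattens a curly-brace Junos stanza into the set commands `display set` would print and checks a pasted set block against its stanza; the sample stanza is the step 5 dynamic-vpn config, constructed here with its `security` parent.

```python
# Constructed sample: the step 5 dynamic-vpn stanza inside its "security" parent.
SAMPLE_STANZA = """\
security {
    dynamic-vpn {
        access-profile dyn-vpn-prof1;
        clients {
            client-config {
                remote-protected-resources {
                    192.168.0.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn vpn-dyn;
                user {
                    john;
                }
            }
        }
    }
}
"""

def to_set_commands(config: str) -> list:
    """One 'set' statement per leaf, as 'show | display set' prints them;
    '## SECRET-DATA' style annotations are dropped."""
    path, commands = [], []
    for raw in config.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop trailing '## ...' comments
        if not line:
            continue
        if line == "}":
            path.pop()                          # leave the current stanza
        elif line.endswith("{"):
            path.append(line[:-1].strip())      # enter a nested stanza
        elif line.endswith(";"):
            commands.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if path:
        raise ValueError("unclosed stanza: " + " ".join(path))
    return commands

def check_set_output(config: str, pasted_set_block: str) -> list:
    """Set commands implied by `config` that are missing from a pasted
    '| display set' block; non-empty means the block is not this stanza's."""
    have = {l.strip() for l in pasted_set_block.splitlines() if l.strip()}
    return [cmd for cmd in to_set_commands(config) if cmd not in have]
```

Feeding it the step 4 IPsec set block as the pasted output for the step 5 stanza reports all five dynamic-vpn commands as missing.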
Client SIDE:
After all this configuration, if you point your browser at https://192.168.1.1/dynamic-vpn (assuming 192.168.1.1 is the outside IP address on the vlan.11 interface) you will receive an authentication window, and after providing john as the username and his password, you should be able to download Network Access Manager or Junos Pulse (depending on the version of Junos) and connect to the internal network.
FREE RADIUS CONFIG
If you want to authenticate users via RADIUS instead of locally, you should change the access profile as below:
root@host# show
authentication-order [ radius password ];
client john {
    firewall-user {
        password "$9$WZWX-woaUkmTGDkPTQCABIEcyKsYo"; ## SECRET-DATA
    }
}
address-assignment {
    pool sales-addr-pool;
}
radius-server {
    172.30.73.219 secret "$9$2VoGiPfz/A0QF/t0OSyM8X7-wHkP"; ## SECRET-DATA
}
SET command output:
[edit access profile dyn-vpn-prof1]
root@host# show | display set
set access profile dyn-vpn-prof1 authentication-order radius
set access profile dyn-vpn-prof1 authentication-order password
set access profile dyn-vpn-prof1 client john firewall-user password "$9$WZWX-woaUkmTGDkPTQCABIEcyKsYo"
set access profile dyn-vpn-prof1 address-assignment pool sales-addr-pool
set access profile dyn-vpn-prof1 radius-server 172.30.73.219 secret "$9$2VoxiPfz/A0QF/t0OSyM8X7-wHkP"
Below are also the MySQL tables in my FreeRADIUS database for a single user:
mysql> select * from radcheck;
+----+----------+--------------------+----+------------+
| id | username | attribute          | op | value      |
+----+----------+--------------------+----+------------+
|  1 | raduser1 | Cleartext-Password | := | juniper123 |
+----+----------+--------------------+----+------------+
1 row in set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------+----+-------------+
| id | groupname | attribute    | op | value       |
+----+-----------+--------------+----+-------------+
|  2 | sales     | Service-Type | =  | Framed-User |
+----+-----------+--------------+----+-------------+
1 row in set (0.00 sec)

mysql> select * from radreply;
+----+----------+-------------------+----+---------------+
| id | username | attribute         | op | value         |
+----+----------+-------------------+----+---------------+
|  1 | raduser1 | Framed-IP-Address | =  | 10.10.10.103  |
|  2 | raduser1 | Framed-IP-Netmask | =  | 255.255.255.0 |
+----+----------+-------------------+----+---------------+
2 rows in set (0.00 sec)

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| raduser1 | sales     |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
UPDATE:
After I wrote this document, while I was playing with dynamic VPN on Junos 10.4R6.5, I noticed that my VPN client could not pass phase 1 and failed on IKE. When I checked my IKE debug log, I saw the following error logs:
Oct 13 19:42:58 KMD_INTERNAL_ERROR: Number of connections (0) for the ike gateway gate-dynamic exceeds connection limit. Terminating the connection
Oct 13 19:42:58 Unable to find ike gateway as remote peer:192.168.1.2 is not recognized.
Oct 13 19:42:58 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=10.10.10.1) p1_remote=fqdn(udp:0,[0..12]=user1srx1.com)
The thing is, Junos doesn't force you to set this maximum connection limit. After I set the connection limit in my config, my client could connect. Here is the config snippet:
[edit security ike gateway gate-dynamic]
root@srx1# show
ike-policy ike-pol;
dynamic {
    hostname rtoodtoo.net;
    connections-limit 2;
}
external-interface vlan.11;
xauth access-profile dynamic-profile;
Hi,
I am a newbie in the Juniper field.
I’ve tried your example of Dynamic VPN in SRX but there are a few problems.
Vlan.11 is not defined
home-pcs is not defined
Apparently I forgot to paste the interface and zone config. Thanks for pointing this out, but I don't have the config at the moment. vlan.11 seems to have the 192.168.1.1 address and home-pcs should be a simple internal-facing zone.
Hi,
Have you tried to set up dynamic VPN on Junos 12.1? I can't get the correct subnet on version 12.1…
You can find more information here:
http://forums.juniper.net/t5/SRX-Services-Gateway/VPN-No-internet-No-access-to-managment-lan/td-p/271722/page/3
Aaron, I think I did dynamic VPN tests both on 11.4 and 12.1 and don't recall having seen this issue.
As recommended in the forum, I think it is better to contact JTAC for investigation if it hasn’t been done so far.
Thanks for your insight. I'm struggling to get more than one hard-coded user to work. There is the possibility to name "user-groups" instead of "user", but I can't figure out what to fill in here.
Also, if I look at the LDAP lookup via traceoptions, it stops where the bind succeeds.
Is it true that the dynamic VPN function does not work on the Virtual SRX?
Gregory, currently it doesn’t have this feature. Who knows maybe in the future.
I think you got the wrong set commands for 5) Setup Dynamic VPN Configuration.
If you provide your input, I would appreciate it Emil as I can’t update SRX posts anymore.
I got stuck connecting to the server. I used Pulse Client to connect, but the error entry is "The certificate or certificate chain is based on an untrusted root".
I carried out those steps from this website but I couldn't connect; the error entry still shows even though I reconnect and save the settings 🙁
http://kb.juniper.net/InfoCenter/index?page=content&id=KB23031&actp=search
Thank you!