SRX

How to set up Remote Access VPN at SRX300

  • 1.  How to set up Remote Access VPN at SRX300

    Posted 06-26-2017 03:08

    Hi

     

    I use the following product:

     SRX300

     version 15.1X49-D80.4

     

    I would like to use Remote Access VPN, and attempted to configure it by following this page:

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/vpn-security-dynamic-example-configuring.html#jd0e520

     

    However, the following error message appeared.

     

    *** error message *** 

    root@hostname# commit

    [edit security ike]
    'gateway'
    Missing xauth access profile for IKE gateway gw_wizard_dyn_vpn for ipsec_vpn wizard_dyn_vpn
    commit complete

     

    Please tell me how to solve it.

     



  • 2.  RE: How to set up Remote Access VPN at SRX300

    Posted 06-26-2017 03:15
    The release notes below show that the SRX authentication method has changed from XAUTH to AAA in 15.1X49-D80.
    --------------------------------------------------------
    http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/release-notes/15.1x49-d80/junos-release-notes-15.1X49-D80.pdf

    Please use something like this:
    set security ike gateway gw_wizard_dyn_vpn aaa access-profile xauth-users
    set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type shared-ike-id
    The ike-user-type line is important; without it we will not be able to use the AAA profile.
    Please note, ike-user-type could be set to either shared-ike-id or group-ike-id. But it is mandatory with the AAA profile, which was not the case with the XAUTH profile.


  • 3.  RE: How to set up Remote Access VPN at SRX300

     
    Posted 06-26-2017 03:16
    X-AUTH is not deprecated from 15.1X49-D80 and you need to use the "aaa" profile. A sample config is given below.

    set security ike gateway remote-vpn1 ike-policy ike-pol2
    set security ike gateway remote-vpn1 dynamic hostname "user1@juniper.net"
    set security ike gateway remote-vpn1 dynamic connections-limit 2
    set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
    set security ike gateway remote-vpn1 external-interface ge-0/0/1
    set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
    set security ike gateway remote-vpn1 version v1-only


    set access profile aaa-prof1 authentication-order password
    set access profile aaa-prof1 client test firewall-user password "$9$N5VsgGDkTz6oJz69A1INdb"
    set access profile aaa-prof1 address-assignment pool xauth-pool
    set access address-assignment pool xauth-pool family inet network 10.1.1.0/24
    set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 10.219.194.50/32


    Please note that from 15.1X49-D80, NCP is the officially supported remote VPN client for SRX.
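
Added example (not part of any reply and not Juniper tooling): a small Python check that applies the rule stated in replies 2 and 3 to `set`-format configuration before commit, flagging dynamic IKE gateways that still carry an `xauth` statement, lack `aaa access-profile`, reference an undefined access profile, or lack `dynamic ike-user-type`. The helper name `audit`, the `dynvpn` hostname and both sample configurations are constructed for illustration.

```python
from collections import defaultdict

VALID_USER_TYPES = {"shared-ike-id", "group-ike-id"}  # the two values named in reply 2

# Constructed sample inputs (not captured from a device).
BEFORE = """\
set security ike gateway gw_wizard_dyn_vpn dynamic hostname dynvpn
set security ike gateway gw_wizard_dyn_vpn xauth access-profile xauth-users
set access profile xauth-users authentication-order password
"""
AFTER = """\
set security ike gateway remote-vpn1 dynamic hostname "user1@juniper.net"
set security ike gateway remote-vpn1 dynamic ike-user-type shared-ike-id
set security ike gateway remote-vpn1 aaa access-profile aaa-prof1
set access profile aaa-prof1 authentication-order password
"""

def audit(config):
    """Return {gateway: [issue, ...]} for every dynamic IKE gateway in set-format config."""
    gateways, profiles = defaultdict(list), set()
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["set", "security", "ike", "gateway"] and len(t) > 5:
            gateways[t[4]].append(t[5:])      # statements under this gateway
        elif t[:3] == ["set", "access", "profile"] and len(t) > 3:
            profiles.add(t[3])                # access profiles that are defined
    findings = {}
    for name, stmts in gateways.items():
        if not any(s[0] == "dynamic" for s in stmts):
            continue  # not a remote-access (dynamic) gateway
        aaa = [s[2] for s in stmts if s[:2] == ["aaa", "access-profile"] and len(s) > 2]
        utype = [s[2] for s in stmts if s[:2] == ["dynamic", "ike-user-type"] and len(s) > 2]
        issues = []
        if any(s[0] == "xauth" for s in stmts):
            issues.append("xauth statement present")
        if not aaa:
            issues.append("no aaa access-profile")
        elif aaa[-1] not in profiles:
            issues.append("aaa access-profile %s not defined" % aaa[-1])
        if not utype:
            issues.append("no dynamic ike-user-type")
        elif utype[-1] not in VALID_USER_TYPES:
            issues.append("unexpected ike-user-type %s" % utype[-1])
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

An empty issue list means the gateway satisfies all of the checks.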


  • 4.  RE: How to set up Remote Access VPN at SRX300

     
    Posted 06-26-2017 22:02

    Hi Folks,

    I do find the below KB interesting,

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TN7&actp=METADATA

     

    -rengar



  • 5.  RE: How to set up Remote Access VPN at SRX300

    Posted 07-10-2018 08:04

    I think that's a D80 bug. All the replies about Dynamic Remote Access with the Pulse Secure client were about the old version, around ~D80~.

    I changed to D120 and "Pulse Secure 5.3.3 (1021)" and it's successful.

    Use the same config, CLI or J-Web Dynamic VPN wizard.

    Amazing ~ that killed me for 2 days.

    And I need to resolve the other security policy's problem .............

    How can I find a reference about the Dynamic Remote Access security policy?