SRX

For new branch SRX series there is no dynamic VPN licenses. I were told that I can use Shrew software to do IPSec RemoteVPN connections but I don't know how to configure that. There is no instruction or KB regarding this way of connecting to SRX, all of them specify dynamic VPN way which is now depriciated.

Can somebody help me with some documentation, links or a config for doing this?

 

Hi 

 

Please see below thread.

 

https://forums.juniper.net/t5/SRX-Services-Gateway/Can-SRX-series-work-with-Shrew-Soft-VPN-client/td-p/76176

 

Regards,

Anand

I tried following configuration provided under this link but I can't get access with Shrew Soft. I get the Phase 1 - ike tunnel up but then Shrew just stops at "bringing tunnel up" and SRX doesn't show the ipsec tunnel.

Below please find my configuration and confirmation of phase 1 getting into the device

[edit security ike]
proposal aes-128-sha1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
+    policy Remote_Access-pol {
+        mode aggressive;
+        proposals aes-128-sha1;
+        pre-shared-key ascii-text "PSK-## SECRET-DATA"
+    }
[edit security ike]
+    gateway Remote_Access-gw {
+        ike-policy Remote_Access-pol;
+        dynamic {
+            user-at-hostname "vpn@hostname.pl";
+            connections-limit 10;
+            ike-user-type shared-ike-id;
+        }
+        external-interface ge-0/0/0.0;
+        xauth access-profile Remote_Access-profile;
+    }
[edit security ipsec]
proposal aes-128-cbc-sha1 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy aes128_pfs2 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals aes-128-cbc-sha1;
}
+    vpn Remote_Access-VPN {
+        ike {
+            gateway Remote_Access-gw;
+            ipsec-policy aes128_pfs2;
+        }
+    }
[edit]
+  access {
+      profile Remote_Access-profile {
+          authentication-order password;
+          client user-login {
+              firewall-user {
+                  password "user-pass"
+              }
+          }
+          address-assignment {
+              pool Remote_Access-pool;
+          }
+      }
+      address-assignment {
+          pool Remote_Access-pool {
+              family inet {
+                  network 192.168.22.0/24;
+                  range remote-vpn-range {
+                      low 192.168.22.10;
+                      high 192.168.22.100;
+                  }
+              }
+          }
+      }
+  }
[edit security address-book BrzegD_addresses]
address Remote_VPN 192.168.22.0/24;
attach zone INET;
[edit security policies]
+    from-zone INET to-zone USERS {
+        policy RemoteVPN {
+            match {
+                source-address Remote_VPN;
+                destination-address any;
+                application any;
+            }
+            then {
+                permit {
+                    tunnel {
+                        ipsec-vpn Remote_Access-VPN;
+                    }
+                }
+            }
+        }
+    }

root@SRX300 # run show security ike security-associations index 7391592 detail
IKE peer MY-IP, Index 7391592, Gateway Name: Remote_Access-gw
  Role: Responder, State: UP
  Initiator cookie: 13c4e460b6863677, Responder cookie: 68976e09605ac5fc
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: SRX-IP:4500, Remote: MY-IP:32563
  Lifetime: Expires in 156 seconds
  Peer ike-id: vpn@hostname.com
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1838
   Output bytes  :                  564
   Input  packets:                    8
   Output packets:                    3
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Flags: IKE SA is created

 I also attached traceoption files from IKE Phase 1 (vpn-RA.txt) and IKE Phase 2 (dynvpn-auth-RA.txt)

Hello,

 

What is your shrew soft configuration?

Did you try some other client?

 

Regards,

 

Rushi

I didn't try any other clients then Shrew soft. What can you recommend which should work with IPSec Remote VPN?

Here is my Shrew connection setting

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:0
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:180
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:<SRX-IP>
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:any
s:ident-client-data:vpn@hostname.com
b:auth-mutual-psk:<PSK>
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto

Hello,

 

Though there are few posts saying they were able to connect using Shrew Soft client to SRX, I have faced few issues.

I was able to bring the VPN up with NCP juniper edition.

 

Regards,

 

Rushi

Hi,

 

if you can wait a month there will be readded support for remote access vpn to the SRX300 series in 15.1X49-D60 planned for release in september.

I heard that Juniper on new branch SRX doesn't support xauth that is why I may have problems with Remote VPN. Can somebody confirm that you got it working on SRX300 using xauth?

Hello,

 

I was able to bring the Dial up IPSec VPN on vSRX2 from NCP client with following configuration:

 

set security ike policy dynvpn-ike-policy mode aggressive
set security ike policy dynvpn-ike-policy proposal-set compatible
set security ike policy dynvpn-ike-policy proposal-set
set security ike policy dynvpn-ike-policy pre-shared-key ascii-text "$9$Hk5FCA0IhruOLx-dsY5Qz"
set security ike gateway dynvpn-gw ike-policy dynvpn-ike-policy
set security ike gateway dynvpn-gw dynamic hostname <FQDN>
set security ike gateway dynvpn-gw dynamic connections-limit 10
set security ike gateway dynvpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dynvpn-gw nat-keepalive 60
set security ike gateway dynvpn-gw external-interface <external-interface>
set security ike gateway dynvpn-gw xauth access-profile dynvpn-ncp

set security ipsec policy ipsec-dynvpn-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dynvpn-policy proposal-set compatible
set security ipsec vpn dynvpn-ncp df-bit copy
set security ipsec vpn dynvpn-ncp ike gateway dynvpn-gw
set security ipsec vpn dynvpn-ncp ike ipsec-policy ipsec-dynvpn-policy
set security ipsec vpn dynvpn-ncp establish-tunnels immediately

set access profile dynvpn-ncp authentication-order password
set access profile dynvpn-ncp client radela firewall-user password "$9$bKwoGkqfznCP51RcSeKoJZ"
set access profile dynvpn-ncp address-assignment pool dynvpn-pool
set access address-assignment pool dynvpn-pool family inet network 10.254.24.0/24
set access address-assignment pool dynvpn-pool family inet range test low 10.254.24.1
set access address-assignment pool dynvpn-pool family inet range test high 10.254.24.254
set access address-assignment pool dynvpn-pool family inet xauth-attributes primary-dns 172.16.0.111/32
set access address-assignment pool dynvpn-pool family inet xauth-attributes secondary-dns 172.17.0.111/32

set security zones security-zone untrust address-book address remote-vpn 10.254.24.0/24

set security policies from-zone untrust to-zone trust policy remote-vpn match source-address remote-vpn
set security policies from-zone untrust to-zone trust policy remote-vpn match destination-address any
set security policies from-zone untrust to-zone trust policy remote-vpn match application any
set security policies from-zone untrust to-zone trust policy remote-vpn then permit tunnel ipsec-vpn dynvpn-ncp

 

You can give it a try.

 

Regards,

 

Rushi

Hi,

 

15.1X49-D60 was released a few hours ago with support for Remote access VPN client (dynamic vpn). No need for third party solutions anymore.

#dynamicVPN
#srx300

Thanks for great info. Will test that and edit this post. In old boxes 2 dynamic VPN connections where on the box and for more we needed license. What about new SRX300 which doesn't have licenses for dynamic vpn?

The CLI shows 2 licenses included with the box:

 

root@srx300> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
dynamic-vpn 0 2 0 permanent

 

I expect the license scheme used on the SRX300 is the same as the legacy branch series (SRX-RAC-X-LTU where X is 5,10,25,50,100,150,250) but please check with your reseller/partner to avoid issues.

 

The SRX-RAC- licenses are still present in the latest pricelist from Juniper.

Just to confirm. Dynamic VPN on new software D60 is working and it is using the licenses installed on the box:

 

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed

  dynamic-vpn                           1            2           0    permanent

Instructions for configuring dynamic vpn with Pulse Secure client:

https://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html

 

In free time I may check if now I can get Shrew to work to bypass the need to use dynamic-vpn licenses.

I tested this today using a similar config that I had used on the previous series branch SRXs. The pulse secure client gave the error "failed to receive http response." I thought that was odd since HTTPS was enabled on the untrust security zone.

 

The fix is to enable web-management on the WAN interface.

set system services web-management https interface ge-0/0/7.0