SRX

Expand all | Collapse all

SRX IPsec client VPN

Jump to Best Answer
  • 1.  SRX IPsec client VPN

     
    Posted 03-19-2018 10:10

    Hi,

     

    Many apologies. This is one part of the configuration I neglected.

     

    I need to configure an IPSec VPN for client access. So, for example, we will need access to the ISP Data Network via a VPN but only for work personnel so if any work needs completing from home it can be.

     

    The Client VPN package we use is "anyconnect".... Basically, I have no idea how to complete this configuration.

     

    Thank you



  • 2.  RE: SRX IPsec client VPN

    Posted 03-19-2018 12:05

    Hi there adgwytc, 

     

    Depending on your topology, use case, 'AnyConnect'-specific deployment parameters and a multitude of other criteria; there's a pretty sizeable variance in possible SRX-side configuration requirements. 

     

    Here's a good place to start.

     

    If you get stuck on something, shout out - the more information you provide about your implementation/topology/etc, the more likely it is that myself or someone else will be able to help.

     

    Best,

    -s



  • 3.  RE: SRX IPsec client VPN

    Posted 03-19-2018 21:33

    you can configure dynamic vpn (basic license has 2 concurrent connection capability).

     

    To configure dynamic vpn - follow the kb.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=TN7&actp=METADATA

     

    Also, you might need to install JUNOS Pulse client for dynamic vpn access.

     

    Also, hope you are running JUNOS 15.x49D75 onwards if you are using SRX3xx series.

     

    HTH..



  • 4.  RE: SRX IPsec client VPN

     
    Posted 03-20-2018 00:39

    I have had a read of the KB article...... We are utilising 2 x SRX1500. The current JunOS version is the Juniper recommended for an SRX1500. I will have a look when I get to work.

     

    The set up is for client access running direct from a laptop at home or somewhere out in the World... it is NOT a sit-to-site VPN.

     

    Laptop --> Internet --> Core1 --> SRX

     

    The connection from core is via upstream service provider and we have an ae link to the SRX on a customer routing-instance. Would the VPN access have to be on its own routing-instance? So,a separate connection from the Core1 to the SRX?

     

    I don't think Junos Pulse is available for SRX1500?

    Is a license required for the VPN Please?

     

    Thank you



  • 5.  RE: SRX IPsec client VPN

    Posted 03-20-2018 01:18

    "The connection from core is via upstream service provider and we have an ae link to the SRX on a customer routing-instance. Would the VPN access have to be on its own routing-instance? So,a separate connection from the Core1 to the SRX?"

     - I think IPSec VPN and routing instances work independantly..As long as, customer's public IP is reachable over internet whether inside routing instance or in main routing instacne, the VPN will be formed provided the parameters matches.

     

     "I don't think Junos Pulse is available for SRX1500?"

    - Yes..I did not know that you were looking for SRX 1500. For 1500 series, kindly have a look on following.

     

    Feature support – https://apps.juniper.net/feature-explorer/feature-info.html?fKey=7741&fn=NCP+Exclusive+Remote+Access+Client+connections+to+IPsec+VPN+gateways

     

    NCP remote access client -  https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-vpn-ncp-remote-access-client.html

     

    Config KB –

    https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-ncp-remote-access-client-configuring.html

     

    “Is a license required for the VPN Please?”

     - A two-user license is supplied by default on an SRX Series device. A license is required for additional users. Contact your Juniper Networks representative for license information



  • 6.  RE: SRX IPsec client VPN

     
    Posted 03-20-2018 02:45

    Hi Milindmistry,

     

    Thank you for the information.

     

    We actually don't require a license. It appears that only 2 users will ever have access via VPN to these systems. The License is released after 60 seconds of IKE teardown, so all is good there.

     

    The example utilises RADIUS as the authentication process whereas we require local SRX authentication given that it is only 2 users.... also, is the locally generated certificate secure enough? If not, is there a particular authority that is normally utilised please?

     

    Thanks



  • 7.  RE: SRX IPsec client VPN

    Posted 03-20-2018 02:57

    "We actually don't require a license. It appears that only 2 users will ever have access via VPN to these systems. The License is released after 60 seconds of IKE teardown, so all is good there." - okay

     

    "The example utilises RADIUS as the authentication process whereas we require local SRX authentication given that it is only 2 users" - 2 concurrent user connections are possible with the license. You may configure n number of local users however at one instant only 2 of them will be able to connect.

     

    "also, is the locally generated certificate secure enough? If not, is there a particular authority that is normally utilised please?" - i think it is secured enough as it is using 2048 bit of rsa key still if you would like third party then it will be end client's choice of CA.



  • 8.  RE: SRX IPsec client VPN

     
    Posted 03-20-2018 06:11

    Hi Milindmistry,

     

    Thank you for the response.

     

    Apologies, I should have re-worded my question...... I'm asking how to configure the VPN for local user authentication rather than RADIUS. The documentation only seems to supply for RADIUS authentication. Any help would be great... Thank you



  • 9.  RE: SRX IPsec client VPN

    Posted 03-20-2018 10:42

    i do not have the lab devices running the same setup however you may try as follows.

     

    From config kb, you might to change the following and see that helps.

     

    set access profile RA_EXTERNAL-AUTH client client1 firewall-user password "$ABC123"
    set access profile RA_EXTERNAL-AUTH client client2 firewall-user password "$ABC123"
    set access profile RA_EXTERNAL-AUTH address-assignment pool RA_LOCAL-IP-POOL

    set security ike gateway RA_IKEv2_EXT-AUTH xauth access-profile RA_EXTERNAL-AUTH

    not to be configured ->aaa access-profile RA_EXTERNAL-AUTH

     

     



  • 10.  RE: SRX IPsec client VPN

     
    Posted 03-21-2018 03:02

    Hi Milindmistry,

     

    Thank you for the response. Just one last quesiton please:

     

    In the document it states the following for the CA:

    user@host# set security pki ca-profile CA_Server ca-identity CA_Server
    user@host# set security pki ca-profile CA_Server enrollment url http://192.168.5.12/certsrv/mscep/mscep.dll
    user@host# set security pki ca-profile CA_Server revocation-check crl url http://192.168.5.12/crl
    user@host$ Commit
     
    What would be the URL requirements if this was local logon authentication? Or is this what needs to overwritten with your commands please?
     
    Thanks


  • 11.  RE: SRX IPsec client VPN

     
    Posted 03-21-2018 07:44

    Hi,

     

    It seems there are some real problems using the example given and what the SRX expects......

     

    I am trying to overcome the "Commit" errors that occur becasue of differing configuration commands and cannot get a working version from the example given. For local authentication I need to use "Pre-Shared-Keys" as no certificate is being generated (unless there is a way I can achieve that locally on the SRX - all examples I can find use a Server somewhere)..... Unfortunately, this means that I can only use Version 1 and, of course, it won't let me, it tells me I have to use Version 2 ..... it appears NCP requires version 2.

     

    How can I get around this issue please?

     

    This is what I have configured so far:

     

    1: Configured Dynamic users and IP address pool;

    set access profile dynamic-xauth client John firewall-user password <password>
    set access profile dynamic-xauth client Dave firewall-user password <password>
    set access profile dynamic-xauth client Chris firewall-user password <password>
    set access profile dynamic-xauth client Daniel firewall-user password <password>

    set access profile dynamic-xauth address-assignment pool dynamic-vpn-pool
    set access address-assignment pool dynamic-vpn-pool family inet network 192.168.1.0/24
    set access address-assignment pool dynamic-vpn-pool family inet xauth-attributes primary-dns 100.100.100.10/32
    set access firewall-authentication web-authentication default-profile dynamic-xauth

    2: Configured IKE Proposal:

    user@THW-CORE-01#set security tcp-encap profile NCP

    [edit security ike proposal nguser]
    user@HEX-SRX-02#set authentication-method pre-shared-keys
    user@THW-CORE-01#set authentication-method rsa-signatures
    user@THW-CORE-01#set dh-group group19
    user@THW-CORE-01#set encryption-algorithm aes-256-gcm

    [edit security ike policy ngikepolicy]
    set proposals ngvpnuser
    set pre-shared-key ascii-text testing123

    [edit security ike gateway ngikepolicy]
    set ike-policy ngikepolicy
    set dynamic hostname ninegroup.co.uk
    set dynamic ike-user-type shared-ike-id
    set aaa access-profile dynamic-xauth
    set external-interface ae2
    set tcp-encap-profile NCP

    3: Configured IPsec proposal:

    [edit security ipsec proposal ngipsecproposal]
    set protocol esp
    set encryption-algorithm aes-256-gcm

    [edit security ipsec policy RemoteAccess]
    set perfect-forward-secrecy keys group19
    set proposals ngipsecproposal



  • 12.  RE: SRX IPsec client VPN

     
    Posted 03-21-2018 08:32

    Let's try and make this a bit easier for troubleshooting.....

     

    I have got what, in theory, should be a working NCP configuration.... all is good apart from one important part.... here is the basic configuration that I think should work:

    set access profile xauth-prof1 authentication-order password
    set access profile xauth-prof1 client clive firewall-user password password
    set access profile xauth-prof1 address-assignment pool xauth-pool
    set access address-assignment pool xauth-pool family inet network 192.168.20.0/24
    set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 100.100.100.10/32

     

    [edit security ike proposal ngikeproposal-1]
    set authentication-method pre-shared-keys
    set dh-group group2
    set authentication-algorithm sha1
    set encryption-algorithm aes-192-cbc
    set lifetime-seconds 28800

     

    [edit security ike policy ngikepolicy-1]
    set mode aggressive
    set proposals ngikeproposal-1
    set pre-shared-key ascii-text testing123

     

    [edit security ike gateway ng-remote-vpn-1]
    set ike-policy ngikepolicy-1
    set dynamic user-at-hostname clive@ninegroup.co.uk
    set dynamic connections-limit 2
    set dynamic ike-user-type shared-ike-id
    set external-interface ae2
    set xauth access-profile xauth-prof1

     

    [edit security ipsec proposal ng-ipsec-proposal-1]
    set protocol esp
    set authentication-algorithm hmac-sha1-96
    set encryption-algorithm aes-128-cbc

     

    [edit security ipsec policy ng-ipsec-policy-1]
    set perfect-forward-secrecy keys group2
    set proposals ng-ipsec-proposal-1

     

    [edit security ipsec vpn ng-remote-vpn-1]
    set ike gateway ng-remote-vpn-1
    set ike ipsec-policy ng-ipsec-policy-1

     

    I have highlighted the line that is causing the issue.... there is no "xauth" option under that stanza so I cannot complete the configuration. 

     

    Thanks

     

     



  • 13.  RE: SRX IPsec client VPN

     
    Posted 03-22-2018 01:54

    Hi,

     

    Is there anyone who knows how to get around, or the Juniper recommended method of getting around this missing "xauth" command?

     

    I knwo it is required for the connectivity between the access profile that will have the users and passwords and IP pool assigned, and the actual authentication process for the tunnel. I have looked at "Dynamic VPN" but have found that it is only for Junos Pulse, which is not available for SRX1500. If there is a way of getting a certficate installed directly on the Junos Device for Local logon that may be a way around the issue.....

     

    Thank you

     



  • 14.  RE: SRX IPsec client VPN
    Best Answer

     
    Posted 03-22-2018 02:05

    XAUTH is deprecated from 15.1X49-D80 and we have to use AAA. Its same as xauth but just the name change.

     

    root@srx# set security ike gateway TEST aaa access-profile   

     

     



  • 15.  RE: SRX IPsec client VPN

     
    Posted 03-22-2018 04:59

    Thank you rsuraj

     

    Tested and works... thanks

     

    I guess I should have tried that before, but in the options it can cause a little "confusion" as I expect anything stating "aaa" to be bound for a RADIUS Server and not local login.

     

    Again, many thanks