SRX

Expand all | Collapse all

Dynamic VPN

Jump to Best Answer
  • 1.  Dynamic VPN

    Posted 03-08-2020 09:08

    Has anyone been successful in configuring a SRX for dynamic VPN using the recent documentation Juniper released?  I'm able to establish a VPN connection following the instructions in the link below, but I'm unable to reach anything in the trust zone.  My machine is receiving an IP address from the dyn-vpn-address-pool.  I keep seeing "IPSec negotiation failed with error: Timed out. IKE Version: 1, VPN: dyn-vpn Gateway: dyn-vpn-local-gw, Local: *REMOVED*/4500, Remote: *REMOVED*/1717, Local IKE-ID: *REMOVED*, Remote IKE-ID: client1dynvpn, VR-ID: 0" in the logs, but IPSec is up.

     

    Juniper-SRX300# run show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    7903786 UP 191b83b9ba322d15 42c43ee97394737b Aggressive 174.240.136.92


    Juniper-SRX300# run show security ike active-peer
    Remote Address Port Peer IKE-ID AAA username Assigned IP
    174.240.136.92 1717 client1dynvpn client1 10.10.10.3


    Juniper-SRX300# run show security ipsec security-associations
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <67108869 ESP:aes-cbc-128/sha1 c224c5fe 3554/ 500000 - root 1717 174.240.136.92
    >67108869 ESP:aes-cbc-128/sha1 32213190 3554/ 500000 - root 1717 174.240.136.92

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html

     

    set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"

    set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC456"

    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

    set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24

    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 1.1.1.1/32

    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

    set security ike policy ike-dyn-vpn-policy mode aggressive

    set security ike policy ike-dyn-vpn-policy proposal-set standard

    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"

    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy

    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn

    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10

    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id

    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0

    set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile

    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard

    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw

    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any

    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any

    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any

    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    set security dynamic-vpn access-profile dyn-vpn-access-profile

    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8

    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0

    set security dynamic-vpn clients all ipsec-vpn dyn-vpn

    set security dynamic-vpn clients all user client1

    set security dynamic-vpn clients all user client2

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html



  • 2.  RE: Dynamic VPN
    Best Answer

    Posted 03-08-2020 21:02

    The issue has been resolved.  To get to any subnet in the trust zone, I removed "set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8" and used "set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0"



  • 3.  RE: Dynamic VPN

    Posted 06-09-2020 00:21

    Now all the traffic like other webiste traffic will also go through the firewall, its not the best practice.

     

    set security dynamic-vpn clients all remote-protected-resources x.x.x.x

     

    the above command should have networks routed to the firewall, the networks in show interface terse.

    so when a vpn client wants to send traffic to that network it uses the vpn client.

     

    ex.

    >show interface terse

    ge-0/0/1.1754 up up inet 1.2.3.1/28
    ge-0/0/1.1768 up up inet 4.5.6.1/28

     

    set security dynamic-vpn clients all remote-protected-resources 1.2.3.0/28

    set security dynamic-vpn clients all remote-protected-resources 4.5.6.0/28

     

    suppose you have 4 networks behind firewall & you want only 3 networks to be reached via vpn, then dont include the 4th network in remote-protected-resources.



  • 4.  RE: Dynamic VPN

    Posted 06-09-2020 04:46

    This is exactly how I want it.  I do not want to perform split tunneling.  You say this isn't the best practice, but where is that documented?



  • 5.  RE: Dynamic VPN

    Posted 06-23-2020 13:07

    Imagine having one of your VPN users use bittorrent and downloaded a copyrighted material or accessed child porn. Their illicit traffic would be "originated" from your public IP and not theirs. You either get "the letter" from your ISP or worse, a visit from the FBI.

     

    Unless you have your SRX blocking all sorts of illicit traffic, I would not want to be responsible for other people's unlawful reservations



  • 6.  RE: Dynamic VPN

    Posted 06-23-2020 13:51

    For this specific case, I'm the only user on this VPN.  For that reason, I've configured it for my needs.