SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN

    Posted 03-08-2020 09:08

    Has anyone been successful in configuring a SRX for dynamic VPN using the recent documentation Juniper released?  I'm able to establish a VPN connection following the instructions in the link below, but I'm unable to reach anything in the trust zone.  My machine is receiving an IP address from the dyn-vpn-address-pool.  I keep seeing "IPSec negotiation failed with error: Timed out. IKE Version: 1, VPN: dyn-vpn Gateway: dyn-vpn-local-gw, Local: *REMOVED*/4500, Remote: *REMOVED*/1717, Local IKE-ID: *REMOVED*, Remote IKE-ID: client1dynvpn, VR-ID: 0" in the logs, but IPSec is up.

     

    Juniper-SRX300# run show security ike security-associations
    Index State Initiator cookie Responder cookie Mode Remote Address
    7903786 UP 191b83b9ba322d15 42c43ee97394737b Aggressive 174.240.136.92


    Juniper-SRX300# run show security ike active-peer
    Remote Address Port Peer IKE-ID AAA username Assigned IP
    174.240.136.92 1717 client1dynvpn client1 10.10.10.3


    Juniper-SRX300# run show security ipsec security-associations
    Total active tunnels: 1 Total Ipsec sas: 1
    ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
    <67108869 ESP:aes-cbc-128/sha1 c224c5fe 3554/ 500000 - root 1717 174.240.136.92
    >67108869 ESP:aes-cbc-128/sha1 32213190 3554/ 500000 - root 1717 174.240.136.92

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-secure-clients.html

     

    set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
    set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC456"
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 1.1.1.1/32
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
    set security ike gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
    set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user client1
    set security dynamic-vpn clients all user client2




  • 2.  RE: Dynamic VPN
    Best Answer

    Posted 03-08-2020 21:02

    The issue has been resolved.  To get to any subnet in the trust zone, I removed "set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8" and used "set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0".



  • 3.  RE: Dynamic VPN

    Posted 06-09-2020 00:21

    Now all the traffic, like other website traffic, will also go through the firewall; it's not the best practice.

     

    set security dynamic-vpn clients all remote-protected-resources x.x.x.x

     

    The above command should have the networks routed to the firewall, i.e. the networks in show interface terse.

    So when a VPN client wants to send traffic to that network, it uses the VPN client.

     

    ex.

    >show interface terse

    ge-0/0/1.1754 up up inet 1.2.3.1/28
    ge-0/0/1.1768 up up inet 4.5.6.1/28

     

    set security dynamic-vpn clients all remote-protected-resources 1.2.3.0/28

    set security dynamic-vpn clients all remote-protected-resources 4.5.6.0/28

     

    Suppose you have 4 networks behind the firewall and you want only 3 networks to be reached via VPN; then don't include the 4th network in remote-protected-resources.
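As an added example (not code from any of the posts above), the following Python script does what reply 3 describes: it reads interface addresses in the shape of "show interfaces terse" output, turns each into its network prefix, and emits one remote-protected-resources statement per network you want reachable over the VPN, leaving out any you omit. It also flags a 0.0.0.0/0 entry as the full-tunnel case from reply 2. The terse output, interface names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of "show interfaces terse" output, in the shape reply 3
# quotes: interface, admin state, link state, family, address/prefix.
SAMPLE_TERSE = """\
ge-0/0/1.1754 up up inet 1.2.3.1/28
ge-0/0/1.1768 up up inet 4.5.6.1/28
ge-0/0/1.1800 up up inet 7.8.9.1/28
ge-0/0/0.0 up up inet 203.0.113.10/30
"""

TERSE_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+inet\s+(\S+/\d+)\s*$")


def internal_networks(terse_output, exclude_interfaces=()):
    """Return {interface: network} for every inet address in the output,
    skipping interfaces in exclude_interfaces (e.g. the IKE gateway's
    external interface, which is not a protected resource)."""
    nets = {}
    for line in terse_output.splitlines():
        m = TERSE_RE.match(line.strip())
        if not m or m.group(1) in exclude_interfaces:
            continue
        # 1.2.3.1/28 -> 1.2.3.0/28: strict=False clears the host bits
        nets[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return nets


def protected_resources_config(networks, omit=()):
    """Emit one set statement per network not listed in omit (split tunnel)."""
    omitted = {ipaddress.ip_network(n) for n in omit}
    ordered = sorted(networks.values(),
                     key=lambda n: (n.version, int(n.network_address)))
    return [
        f"set security dynamic-vpn clients all remote-protected-resources {net}"
        for net in ordered if net not in omitted
    ]


def is_full_tunnel(config_lines):
    """True when a remote-protected-resources prefix covers every address
    (0.0.0.0/0 or ::/0), i.e. all client traffic is sent through the SRX."""
    for line in config_lines:
        if "remote-protected-resources" in line:
            net = ipaddress.ip_network(line.split()[-1], strict=False)
            if net.prefixlen == 0:
                return True
    return False
```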



  • 4.  RE: Dynamic VPN

    Posted 06-09-2020 04:46

    This is exactly how I want it.  I do not want to perform split tunneling.  You say this isn't the best practice, but where is that documented?



  • 5.  RE: Dynamic VPN

    Posted 06-23-2020 13:07

    Imagine having one of your VPN users use BitTorrent and download copyrighted material or access child porn. Their illicit traffic would be "originated" from your public IP and not theirs. You either get "the letter" from your ISP or, worse, a visit from the FBI.

     

    Unless you have your SRX blocking all sorts of illicit traffic, I would not want to be responsible for other people's unlawful reservations.



  • 6.  RE: Dynamic VPN

    Posted 06-23-2020 13:51

    For this specific case, I'm the only user on this VPN.  For that reason, I've configured it for my needs.