
Dynamic VPN and Linux client - working solution

  • 1.  Dynamic VPN and Linux client - working solution

    Posted 12-18-2018 01:00

    As we all know, there has always been a problem connecting Linux clients to the SRX-based dynamic VPN service. For quite some time we tended to ignore this and work with Pulse Secure under Windows VMs. But since Pulse Secure stopped working reliably lately (TSB17441), we needed another solution. Windows boxes manage somehow with Shrew VPN, but I thought that maybe, if the Shrew client works with plain IPSec, we can use a Linux box without any external clients to connect to the SRX (Shrew does have a Linux client, but it doesn't work on new systems).

    And so I came up with a solution which works for me. YMMV.

    The "server-side" configuration is pretty normal for a dyn-vpn with LDAP authentication:

    user@fw# show security ike
    proposal Proposal1 {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
    }
    
    policy Dyn-vpn-P3 {
        mode aggressive;
        proposals Proposal1;
        pre-shared-key ascii-text "aaaaaa"; ## SECRET-DATA
    }
    
    gateway dyn-vpn {
        ike-policy Dyn-vpn-P3;
        dynamic {
            hostname myhostname;
            ike-user-type shared-ike-id;
        }
        external-interface ge-0/0/0.0;
        aaa {
            access-profile vpn-ldap;
        }
    }
    [edit]
    
    user@fw# show security ipsec
    proposal Proposal1 {
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
    }
    
    policy dyn-vpn-policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals Proposal1;
    }
    vpn dyn-vpn {
        ike {
            gateway dyn-vpn;
            ipsec-policy dyn-vpn-policy;
        }
    }
    [edit]
    
    user@fw# show access
    profile vpn-ldap {
        authentication-order ldap;
       address-assignment {
            pool VPN-POOL;
        }
        ldap-options {
            base-distinguished-name dc=company,dc=com;
            search {
                search-filter samaccountname=;
                admin-search {
                    distinguished-name cn=junvpn,OU=Users,DC=company,DC=com;
                    password "password"; ## SECRET-DATA
                }
            }
        }
        ldap-server {
            192.168.100.100;
        }
    }
    
    address-assignment {
        pool VPN-POOL {
            family inet {
                network 10.0.10.0/24;
                range POOL1 {
                    low 10.0.10.11;
                    high 10.0.10.200;
                }
                xauth-attributes {
                    primary-dns 192.168.100.101/32;
                    secondary-dns 192.168.100.102/32;
                }
            }
        }
    }
    firewall-authentication {
        pass-through {
            default-profile vpn-ldap;
        }
        web-authentication {
            default-profile vpn-ldap;
        }
    }
     
    [edit]
    
    user@fw# show security dynamic-vpn
    access-profile vpn-ldap;
    clients {
        OFFICE {
            remote-protected-resources {
                172.16.100.0/24;
                10.0.0.0/24;
            }   
            ipsec-vpn dyn-vpn;
            user-groups {
                VPN;
            }   
        }    
    }        
    [edit]
    

    A few remarks about this config:

    1. I should have probably used stronger algorithms, but I needed to downgrade to have backward compatibility with Shrew on Windows.
    2. The "remote-protected-resources" is not important for a plain IPSec connection. It's just used to push configuration using Pulse Secure during the initial WebAPI connection phase. With IPSec we need to manually specify those on the client's side.
    3. Of course there are additional firewall policies allowing traffic from remote to protected networks, but I didn't paste them here for clarity.
    4. You can go with ike-user-type group-ike-id, but I didn't want to have to specify a different ID per user (I wanted a shared config file that I could distribute among users).

    And the setup of Libreswan (on Fedora 29, but one of our users uses Ubuntu 18.04 and seems to have got it working as well) looks like this:

    /etc/ipsec.d/client.conf

    conn "client"
            ikev2=no
            keyexchange=ike
            ike=aes256-sha256;dh14
            esp=aes256-sha256;dh2
            left=%defaultroute
            leftsubnets=0.0.0.0/0
            leftxauthclient=yes
            leftmodecfgserver=yes
            leftxauthusername=myuser
            right=111.222.333.444
            rightsubnets={ 10.0.0.0/24, 172.16.100.0/16, 192.168.100.0/24 }
            authby=secret
            rightxauthserver=yes
            rightmodecfgclient=yes
            rekey=yes
            leftid=@myhostname
            pfs=yes
            aggrmode=yes
            auto=add
            modecfgpull=yes
            salifetime=60s
            ikelifetime=60s
            vti-interface=yes
            vti-routing=yes
            vti-shared=yes
            mark=-1
    

    And of course we need some secrets. /etc/ipsec.d/client.secrets:

    %any 111.222.333.444: PSK "aaaaaa"
    @user: XAUTH "Domain Password"

    I'm not sure if you can force libreswan to ask for xauth password instead of writing it down in the secrets file.

     

    Hope this helps someone set up his/her own IPSec connection.


    #ipseclinuxdynvpndynamic-vpn
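    The Libreswan `ike=`/`esp=` strings, `aggrmode`, `pfs` and `leftid` above are all derived by hand from the SRX proposals and gateway settings, and a typo on either side only shows up as a failed phase 1 or phase 2. The following script is an added example (not code from the original post, and not a Juniper or Libreswan tool): it parses the `show security ike` / `show security ipsec` display output, walks `vpn -> gateway -> policy -> proposal` on both sides, emits the matching Libreswan conn options and flags two things a reviewer would raise about this configuration: the PFS group (group2, 1024-bit MODP) being weaker than the IKE group (group14), and the use of IKEv1 aggressive mode with a pre-shared key. The algorithm-name tables are my own assumed mappings, covering the values used in this thread plus a few common ones, and `SRX_IKE` / `SRX_IPSEC` are constructed from the post's configuration (aaa block and external interface left out).

```python
"""Derive Libreswan conn options from Junos SRX 'show security ike' /
'show security ipsec' output and flag mismatches between the two phases.
Added example, not the post's tooling; the name tables are assumed mappings
and SRX_IKE / SRX_IPSEC are constructed from the post's configuration."""

# Junos -> Libreswan names (assumed; covers the thread's values plus a few common ones)
ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "3des-cbc": "3des"}
IKE_AUTH = {"sha1": "sha1", "sha-256": "sha256", "sha-384": "sha384"}
ESP_AUTH = {"hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha256"}
DH = {"group2": "dh2", "group5": "dh5", "group14": "dh14", "group19": "dh19"}
DH_ORDER = ["group2", "group5", "group14", "group19"]  # 1024/1536/2048-bit MODP, ECP-256

SRX_IKE = """\
proposal Proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy Dyn-vpn-P3 {
    mode aggressive;
    proposals Proposal1;
    pre-shared-key ascii-text "aaaaaa"; ## SECRET-DATA
}
gateway dyn-vpn {
    ike-policy Dyn-vpn-P3;
    dynamic {
        hostname myhostname;
        ike-user-type shared-ike-id;
    }
}
"""
SRX_IPSEC = """\
proposal Proposal1 {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy dyn-vpn-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals Proposal1;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn;
        ipsec-policy dyn-vpn-policy;
    }
}
"""

def parse_junos(text):
    """Brace-structured Junos output -> nested dicts ('key value;' -> {'key': 'value'},
    'kind Name {' -> {'kind Name': {...}}); '## SECRET-DATA', '[edit]' and prompts skipped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line or line.startswith("[") or "# show" in line:
            continue
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else True
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return stack[0]

def srx_to_libreswan(ike_text, ipsec_text, vpn_name):
    """Walk vpn -> gateway -> policy -> proposal on both sides; return (options, warnings).
    Assumes one proposal per policy (no '[ a b ]' lists)."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    vpn = ipsec[f"vpn {vpn_name}"]["ike"]
    gw = ike[f"gateway {vpn['gateway']}"]
    pol = ike[f"policy {gw['ike-policy']}"]
    p1 = ike[f"proposal {pol['proposals']}"]
    ipol = ipsec[f"policy {vpn['ipsec-policy']}"]
    p2 = ipsec[f"proposal {ipol['proposals']}"]
    warnings = []
    opts = {"ikev2": "no",  # the thread's setup is IKEv1 aggressive mode + XAUTH
            "ike": f"{ENC[p1['encryption-algorithm']]}-"
                   f"{IKE_AUTH[p1['authentication-algorithm']]};{DH[p1['dh-group']]}",
            "aggrmode": "yes" if pol.get("mode") == "aggressive" else "no",
            "authby": "secret" if p1["authentication-method"] == "pre-shared-keys" else "rsasig"}
    esp = f"{ENC[p2['encryption-algorithm']]}-{ESP_AUTH[p2['authentication-algorithm']]}"
    pfs = ipol.get("perfect-forward-secrecy")
    if pfs:  # Libreswan carries the PFS group as the ';dhN' suffix of esp=
        esp += ";" + DH[pfs["keys"]]
        if DH_ORDER.index(pfs["keys"]) < DH_ORDER.index(p1["dh-group"]):
            warnings.append(f"PFS {pfs['keys']} is weaker than the IKE {p1['dh-group']} exchange")
    opts.update(pfs="yes" if pfs else "no", esp=esp)
    dyn = gw.get("dynamic", {})
    if dyn.get("ike-user-type") == "shared-ike-id" and "hostname" in dyn:
        opts["leftid"] = "@" + dyn["hostname"]  # every client presents this shared ID
    if opts["aggrmode"] == "yes" and opts["authby"] == "secret":
        warnings.append("IKEv1 aggressive mode with PSK sends identity and hash unencrypted; use a long random PSK")
    return opts, warnings

def render_conn(name, opts):
    """Emit an ipsec.conf-style conn section (caller adds left/right/xauth settings)."""
    return "\n".join([f'conn "{name}"'] + [f"        {k}={v}" for k, v in opts.items()])
```

    Calling `srx_to_libreswan(SRX_IKE, SRX_IPSEC, "dyn-vpn")` on the thread's configuration yields `ike=aes256-sha256;dh14`, `esp=aes256-sha256;dh2`, `aggrmode=yes`, `pfs=yes` and `leftid=@myhostname`, i.e. exactly the values in the client.conf above, together with the two warnings. Paste the real `show security ...` output in place of the constructed samples, then add `left`, `right`, the XAUTH options and `rightsubnets` (which the SRX side does not carry for a plain IPSec client) before feeding the result to `render_conn`.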


  • 2.  RE: Dynamic VPN and Linux client - working solution

    Posted 04-16-2020 03:31

    Hi,

    As per this solution, I have installed libreswan and IPSec is showing active and running. My problem is in /etc/ipsec.d/client.conf: I have added that configuration also, but in it, instead of "leftxauthusername=myuser",

    what details do I need to provide, and for "right=" what IP do I need to provide? In "rightsubnets" also, what details do I need to provide? If anybody knows about these details, please help me.

     



  • 3.  RE: Dynamic VPN and Linux client - working solution

    Posted 09-28-2020 04:43

    leftxauthusername corresponds to the user you're authenticating to your configured LDAP server with (probably your local AD user).

    If you don't want to use LDAP, you need to change authentication-order from ldap to password and create local client accounts in this access profile.

    The right IP is the IP of your SRX gateway.