
Juniper Secure Connect CLI

  • 1.  Juniper Secure Connect CLI

    Posted 08-09-2021 13:20
    Hi all,

    I have followed the instructions on how to configure the new Juniper VPN client: https://www.youtube.com/watch?v=uB54u-4cFGo

    However, I cannot commit the config:
    srx#commit check
    [edit security ike]
      'gateway RA-JSC-GW'
        Dynamic Main Mode or IKEv2 gateway with same ike external interface must use same set of IKE proposals
    error: configuration check-out failed


    The Juniper Secure Connect config is as follows:

    request security pki generate-key-pair size 4096 type rsa certificate-id Juniper
    request security pki local-certificate generate-self-signed certificate-id Juniper subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1
    
    set system services web-management https pki-local-certificate Juniper
    
    set security nat source rule-set RA-JSC from zone remote-JSC-VPN
    set security nat source rule-set RA-JSC to zone trust
    set security nat source rule-set RA-JSC rule RA-JSC-rule match source-address 0/0
    set security nat source rule-set RA-JSC rule RA-JSC-rule then source-nat interface
    
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match source-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match destination-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match application any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy then permit
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match source-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match destination-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match application any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy then permit
    
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
    set security zones security-zone untrust host-inbound-traffic system-services https
    
    set security zones security-zone remote-JSC-VPN interfaces st0.0
    set interfaces st0.0 family inet
    
    set access address-assignment pool RA-JSC-pool family inet network 10.0.0.0/24
    set access address-assignment pool RA-JSC-pool family inet xauth-attributes primary-dns 8.8.8.8
    set access profile RA-JSC-profile client user1 firewall-user password "password"
    set access profile RA-JSC-profile address-assignment pool RA-JSC-pool 
    set access firewall-authentication web-authentication default-profile RA-JSC-profile
    set services ssl termination profile SSL-JSC-term server-certificate Juniper
    set security tcp-encap profile SSL-JSC-profile ssl-profile SSL-JSC-term
    
    set security ike policy RA-JSC-IKE-Policy mode aggressive
    
    set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
    set security ike proposal RA-JSC-IKE-Prop dh-group group20
    set security ike proposal RA-JSC-IKE-Prop authentication-algorithm sha-256
    set security ike proposal RA-JSC-IKE-Prop encryption-algorithm aes-256-cbc
    set security ike proposal RA-JSC-IKE-Prop lifetime-seconds 28800
    
    set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
    set security ike policy RA-JSC-IKE-Policy pre-shared-key ascii-text "key"
    set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
    set security ike gateway RA-JSC-GW dynamic user-at-hostname lab@edu.juniper.net
    set security ike gateway RA-JSC-GW dynamic ike-user-type shared-ike-id
    
    set security ike gateway RA-JSC-GW dead-peer-detection optimized
    set security ike gateway RA-JSC-GW dead-peer-detection interval 10
    set security ike gateway RA-JSC-GW dead-peer-detection threshold 5
    
    set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
    set security ike gateway RA-JSC-GW local-address 1.1.1.1
    set security ike gateway RA-JSC-GW aaa access-profile RA-JSC-profile
    set security ike gateway RA-JSC-GW version v1-only
    
    set security ike gateway RA-JSC-GW tcp-encap-profile SSL-JSC-profile
    
    set security ipsec proposal RA-JSC-IPsec-Pro protocol esp
    set security ipsec proposal RA-JSC-IPsec-Pro encryption-algorithm aes-256-cbc
    set security ipsec proposal RA-JSC-IPsec-Pro authentication-algorithm hmac-sha-256-128
    set security ipsec proposal RA-JSC-IPsec-Pro lifetime-seconds 3600
    set security ipsec policy RA-JSC-IPsec-Policy perfect-forward-secrecy keys group20
    set security ipsec policy RA-JSC-IPsec-Policy proposals RA-JSC-IPsec-Pro
    set security ipsec vpn RA-JSC-VPN bind-interface st0.0
    
    
    set security ipsec vpn RA-JSC-VPN df-bit clear
    set security ipsec vpn RA-JSC-VPN ike gateway RA-JSC-GW
    set security ipsec vpn RA-JSC-VPN ike ipsec-policy RA-JSC-IPsec-Policy
    
    set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 local-ip 192.168.1.0/24
    set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 remote-ip 0.0.0.0/0
    
    set security remote-access client-config RA-JSC-Client connection-mode manual
    set security remote-access client-config RA-JSC-Client dead-peer-detection interval 60
    set security remote-access client-config RA-JSC-Client dead-peer-detection threshold 5
    
    set security remote-access profile RA-JSC-1 ipsec-vpn RA-JSC-VPN
    set security remote-access profile RA-JSC-1 access-profile RA-JSC-profile
    set security remote-access profile RA-JSC-1 client-config RA-JSC-Client
    set security remote-access default-profile RA-JSC-1


    Any idea why this is happening?
    Thank you in advance



  • 2.  RE: Juniper Secure Connect CLI

    Posted 08-16-2021 09:05
    Hi,

    @hoocbb (thanks Jared) replied to my message but somehow it is not showing up here:

    Hi,
    
    I have been working on this same thing for the last week or so and have run into the same exact issues.  Here is what I found through my personal digging and talking with JTAC.
    
    *******Without knowing if you have site-to-site IPSec tunnels, this is all based on the assumption that you have these configured.********
    
    1 - If you already have an existing IPSec VPN tunnel on the preferred external interface, you cannot combine certificate based IKE proposals and pre-shared key based proposals on the same interface.
    2 - You cannot use 2 different IKE proposals, even if they are exactly the same with different names, on the same external interface.
    3 - You must use the same IKE proposal that is already configured for both the site-to-site IPSec tunnel and Secure Connect when using the same external interface.
    4 - It appears that you should be able to use different pre-shared keys as that is defined in the IKE policy.  
    
    I have not yet committed my configuration, but it validates when "commit check" is issued.  I am simply waiting for my organization to approve using the pre-shared key method for IKE authentication where we previously preferred cert based for greater security.
    
    ------------------------------
    JARED HEALER
    ------------------------------

    My findings are similar to his. I had site-to-site VPN tunnels using IKEv2 and apparently this is not compatible with Juniper Secure Connect using IKEv1.
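The constraint behind the commit error in the first post, and points 1 to 3 of the quoted reply, can be checked before you commit by reading the set-format config. The script below is an added example written for this thread, not Juniper code: it parses "set security ike ..." lines, groups gateways by external-interface, and reports when gateways on one interface resolve to different proposal sets, different authentication methods, or different IKE versions. The two embedded configs and every name in them (S2S-GW, Shared-Prop, and so on) are constructed for the example; the IKE-version check reflects the observation at the end of this thread rather than a documented rule.

```python
"""Lint a Junos 'set'-format configuration for the IKE gateway constraint
this thread runs into: IKE gateways that share an external-interface must
use the same set of IKE proposals (and, per the reply above, the same
authentication method; the IKE-version check follows the poster's note).
Added example for the thread, not Juniper code; both sample configs are
constructed and their names are made up."""
from collections import defaultdict

# Constructed sample: a certificate-based IKEv2 site-to-site gateway and a
# Secure Connect gateway with PSK and IKEv1 on the same external interface,
# the combination the thread describes.
CONFLICTING_CONFIG = """\
set security ike proposal S2S-Prop authentication-method rsa-signatures
set security ike proposal S2S-Prop dh-group group14
set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
set security ike proposal RA-JSC-IKE-Prop dh-group group20
set security ike policy S2S-Policy proposals S2S-Prop
set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
set security ike gateway S2S-GW ike-policy S2S-Policy
set security ike gateway S2S-GW external-interface ge-0/0/0.0
set security ike gateway S2S-GW version v2-only
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
set security ike gateway RA-JSC-GW version v1-only
"""

# Constructed sample: same interface, but both policies reference one shared
# proposal and both gateways run the same IKE version.
ALIGNED_CONFIG = """\
set security ike proposal Shared-Prop authentication-method pre-shared-keys
set security ike proposal Shared-Prop dh-group group20
set security ike policy S2S-Policy proposals Shared-Prop
set security ike policy RA-JSC-IKE-Policy proposals Shared-Prop
set security ike gateway S2S-GW ike-policy S2S-Policy
set security ike gateway S2S-GW external-interface ge-0/0/0.0
set security ike gateway S2S-GW version v1-only
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
set security ike gateway RA-JSC-GW version v1-only
"""


def parse_ike(config_text):
    """Collect IKE proposals, policies and gateways from 'set security ike' lines."""
    proposals = defaultdict(dict)   # proposal name -> {attribute: value}
    policies = defaultdict(set)     # policy name -> set of proposal names
    gateways = defaultdict(dict)    # gateway name -> {attribute: value}
    for line in config_text.splitlines():
        tokens = line.split()
        # Need at least: set security ike <kind> <name> <attr> <value>
        if tokens[:3] != ["set", "security", "ike"] or len(tokens) < 7:
            continue
        kind, name, attr, *values = tokens[3:]
        if kind == "proposal":
            proposals[name][attr] = values[0]
        elif kind == "policy" and attr == "proposals":
            # Accept both 'proposals A' and 'proposals [ A B ]' spellings.
            policies[name].update(v for v in values if v not in ("[", "]"))
        elif kind == "gateway" and attr in ("ike-policy", "external-interface", "version"):
            gateways[name][attr] = values[0]
    return proposals, policies, gateways


def check_shared_interfaces(config_text):
    """Return one finding per conflict: (interface, check name, {gateway: value})."""
    proposals, policies, gateways = parse_ike(config_text)
    by_iface = defaultdict(list)
    for gw, attrs in gateways.items():
        if "external-interface" in attrs:
            by_iface[attrs["external-interface"]].append(gw)

    findings = []
    for iface, gws in sorted(by_iface.items()):
        if len(gws) < 2:
            continue  # a lone gateway cannot conflict with itself
        # Resolve gateway -> ike-policy -> proposal set -> authentication methods.
        prop_sets = {gw: frozenset(policies.get(gateways[gw].get("ike-policy"), ()))
                     for gw in gws}
        auth = {gw: frozenset(proposals[p].get("authentication-method", "unset")
                              for p in prop_sets[gw]) for gw in gws}
        versions = {gw: gateways[gw].get("version", "default") for gw in gws}
        for check, per_gw in (("proposal-set", prop_sets),
                              ("authentication-method", auth),
                              ("ike-version", versions)):
            if len(set(per_gw.values())) > 1:
                findings.append((iface, check, per_gw))
    return findings


if __name__ == "__main__":
    for label, cfg in (("conflicting", CONFLICTING_CONFIG), ("aligned", ALIGNED_CONFIG)):
        results = check_shared_interfaces(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for iface, check, per_gw in results:
            detail = ", ".join(
                f"{gw}={sorted(v) if isinstance(v, frozenset) else v}"
                for gw, v in sorted(per_gw.items()))
            print(f"  {iface}: {check} differs: {detail}")
```

Run it against the output of "show configuration security ike | display set" saved to a file to see which gateways on a shared interface disagree; the aligned sample shows the shape the reply recommends, one proposal referenced from both policies, with only the pre-shared key differing per policy.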