SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper Secure Connect CLI

    Posted 08-09-2021 13:20
    Hi all,

    I have followed the instructions on how to configure the new Juniper VPN client: https://www.youtube.com/watch?v=uB54u-4cFGo

    However, I cannot commit the config:
    srx#commit check
    [edit security ike]
      'gateway RA-JSC-GW'
        Dynamic Main Mode or IKEv2 gateway with same ike external interface must use same set of IKE proposals
    error: configuration check-out failed


    The Juniper Secure Connect config is as follows:

    request security pki generate-key-pair size 4096 type rsa certificate-id Juniper
    request security pki local-certificate generate-self-signed certificate-id Juniper subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1
    
    set system services web-management https pki-local-certificate Juniper
    
    set security nat source rule-set RA-JSC from zone remote-JSC-VPN
    set security nat source rule-set RA-JSC to zone trust
    set security nat source rule-set RA-JSC rule RA-JSC-rule match source-address 0/0
    set security nat source rule-set RA-JSC rule RA-JSC-rule then source-nat interface
    
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match source-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match destination-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match application any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy then permit
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match source-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match destination-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match application any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy then permit
    
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
    set security zones security-zone untrust host-inbound-traffic system-services https
    
    set security zones security-zone remote-JSC-VPN interfaces st0.0
    set interfaces st0.0 family inet
    
    set access address-assignment pool RA-JSC-pool family inet network 10.0.0.0/24
    set access address-assignment pool RA-JSC-pool family inet xauth-attributes primary-dns 8.8.8.8
    set access profile RA-JSC-profile client user1 firewall-user password "password"
    set access profile RA-JSC-profile address-assignment pool RA-JSC-pool 
    set access firewall-authentication web-authentication default-profile RA-JSC-profile
    set services ssl termination profile SSL-JSC-term server-certificate Juniper
    set security tcp-encap profile SSL-JSC-profile ssl-profile SSL-JSC-term
    
    set security ike policy RA-JSC-IKE-Policy mode aggressive
    
    set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
    set security ike proposal RA-JSC-IKE-Prop dh-group group20
    set security ike proposal RA-JSC-IKE-Prop authentication-algorithm sha-256
    set security ike proposal RA-JSC-IKE-Prop encryption-algorithm aes-256-cbc
    set security ike proposal RA-JSC-IKE-Prop lifetime-seconds 28800
    
    set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
    set security ike policy RA-JSC-IKE-Policy pre-shared-key ascii-text "key"
    set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
    set security ike gateway RA-JSC-GW dynamic user-at-hostname lab@edu.juniper.net
    set security ike gateway RA-JSC-GW dynamic ike-user-type shared-ike-id
    
    set security ike gateway RA-JSC-GW dead-peer-detection optimized
    set security ike gateway RA-JSC-GW dead-peer-detection interval 10
    set security ike gateway RA-JSC-GW dead-peer-detection threshold 5
    
    set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
    set security ike gateway RA-JSC-GW local-address 1.1.1.1
    set security ike gateway RA-JSC-GW aaa access-profile RA-JSC-profile
    set security ike gateway RA-JSC-GW version v1-only
    
    set security ike gateway RA-JSC-GW tcp-encap-profile SSL-JSC-profile
    
    set security ipsec proposal RA-JSC-IPsec-Pro protocol esp
    set security ipsec proposal RA-JSC-IPsec-Pro encryption-algorithm aes-256-cbc
    set security ipsec proposal RA-NCP-IPsec-Pro authentication-algorithm hmac-sha-256-128
    set security ipsec proposal RA-JSC-IPsec-Pro lifetime-seconds 3600
    set security ipsec policy RA-JSC-IPsec-Policy perfect-forward-secrecy keys group20
    set security ipsec policy RA-JSC-IPsec-Policy proposals RA-JSC-IPsec-Pro
    set security ipsec vpn RA-JSC-VPN bind-interface st0.0
    
    
    set security ipsec vpn RA-JSC-VPN df-bit clear
    set security ipsec vpn RA-JSC-VPN ike gateway RA-JSC-GW
    set security ipsec vpn RA-JSC-VPN ike ipsec-policy RA-JSC-IPsec-Policy
    
    set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 local-ip 192.168.1.0/24
    set security ipsec vpn RA-JSC-VPN traffic-selector RA-JSC-TS-1 remote-ip 0.0.0.0/0
    
    set security remote-access client-config RA-JSC-Client connection-mode manual
    set security remote-access client-config RA-JSC-Client dead-peer-detection interval 60
    set security remote-access client-config RA-JSC-Client dead-peer-detection threshold 5
    
    set security remote-access profile RA-JSC-1 ipsec-vpn RA-JSC-VPN
    set security remote-access profile RA-JSC-1 access-profile RA-JSC-profile
    set security remote-access profile RA-JSC-1 client-config RA-JSC-Client
    set security remote-access default-profile RA-JSC-1


    Any idea why this is happening?
    Thank you in advance



  • 2.  RE: Juniper Secure Connect CLI

    Posted 08-16-2021 09:05
    Hi,

    @hoocbb (thanks Jared) replied to my message but somehow it is not showing up here:

    Hi,
    
    I have been working on this same thing for the last week or so and have run into the same exact issues.  Here is what I found through my personal digging and talking with JTAC.
    
    *******Without knowing if you have site-to-site IPSec tunnels, this is all based on the assumption that you have these configured.********
    
    1 - If you already have an existing IPSec VPN tunnel on the preferred external interface, you cannot combine certificate based IKE proposals and pre-shared key based proposals on the same interface.
    2 - You cannot use 2 different IKE proposals, even if they are exactly the same with different names, on the same external interface.
    3 - You must use the same IKE proposal that is already configured for both the site-to-site IPSec tunnel and Secure Connect when using the same external interface.
    4 - It appears that you should be able to use different pre-shared keys as that is defined in the IKE policy.  
    
    I have not yet committed my configuration, but it validates when "commit check" is issued.  I am simply waiting for my organization to approve using the pre-shared key method for IKE authentication where we previously preferred cert based for greater security.
    
    ------------------------------
    JARED HEALER
    ------------------------------
    My findings are similar to his. I had site-to-site VPN tunnels using IKEv2 and apparently this is not compatible with Juniper Secure Connect using IKEv1.
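The commit error in the first post and the findings in the reply describe one structural rule: IKE gateways that share an external interface must reference the same set of IKE proposals, and certificate-based and pre-shared-key proposals cannot be mixed on that interface. The following script is an added example (not from the thread, and not a Juniper tool) that reads Junos "set security ike ..." statements and reports gateways violating either rule before you run commit check. The two embedded configurations are constructed samples: "S2S-GW", "S2S-Prop", "Shared-Prop" and the 203.0.113.10 peer are assumed names, not values from the original posts.

```python
"""Static check for the Junos IKE commit constraint discussed in this thread:
gateways that share an IKE external interface must reference the same set of
IKE proposals, and (per the findings above) must not mix certificate-based and
pre-shared-key authentication. Constructed example; not a Juniper tool.
"""
from collections import defaultdict
import shlex


def parse_ike(config_text):
    """Collect proposals, policies and gateways from 'set security ike ...' lines."""
    proposals = defaultdict(dict)   # proposal name -> {attribute: value}
    policies = defaultdict(list)    # policy name   -> [proposal names]
    gateways = defaultdict(dict)    # gateway name  -> {"policy": ..., "ext_if": ...}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set security ike "):
            continue
        tokens = shlex.split(line)[3:]          # drop "set security ike"
        if len(tokens) < 3:
            continue
        kind, name, rest = tokens[0], tokens[1], tokens[2:]
        if kind == "proposal" and len(rest) >= 2:
            proposals[name][rest[0]] = rest[1]
        elif kind == "policy" and rest[0] == "proposals":
            # "proposals [ A B ]" lists several; strip the brackets
            policies[name].extend(t for t in rest[1:] if t not in ("[", "]"))
        elif kind == "gateway" and len(rest) >= 2:
            if rest[0] == "ike-policy":
                gateways[name]["policy"] = rest[1]
            elif rest[0] == "external-interface":
                gateways[name]["ext_if"] = rest[1]
    return proposals, policies, gateways


def find_conflicts(proposals, policies, gateways):
    """Group gateways by external interface and flag the two conflict types."""
    by_interface = defaultdict(list)
    for gw, attrs in gateways.items():
        if "ext_if" in attrs and "policy" in attrs:
            by_interface[attrs["ext_if"]].append(gw)
    conflicts = []
    for ext_if, gws in sorted(by_interface.items()):
        if len(gws) < 2:
            continue
        # Proposal set each gateway reaches through its IKE policy
        prop_sets = {gw: frozenset(policies.get(gateways[gw]["policy"], ()))
                     for gw in gws}
        if len(set(prop_sets.values())) > 1:
            conflicts.append({"interface": ext_if,
                              "reason": "different IKE proposal sets",
                              "gateways": sorted(gws)})
        # Authentication methods used by any proposal on this interface
        auth_methods = {proposals[p].get("authentication-method", "unknown")
                        for ps in prop_sets.values() for p in ps}
        if len(auth_methods) > 1:
            conflicts.append({"interface": ext_if,
                              "reason": "mixed IKE authentication methods",
                              "gateways": sorted(gws)})
    return conflicts


def check_config(config_text):
    """Parse the 'set' statements and return the list of conflicts found."""
    return find_conflicts(*parse_ike(config_text))


# Constructed sample: a site-to-site gateway using certificate authentication and
# a Secure Connect gateway using pre-shared keys, both on ge-0/0/0.0.
SAMPLE_CONFLICT = """
set security ike proposal S2S-Prop authentication-method rsa-signatures
set security ike proposal S2S-Prop dh-group group14
set security ike proposal S2S-Prop authentication-algorithm sha-256
set security ike proposal S2S-Prop encryption-algorithm aes-256-cbc
set security ike policy S2S-Policy proposals S2S-Prop
set security ike gateway S2S-GW ike-policy S2S-Policy
set security ike gateway S2S-GW address 203.0.113.10
set security ike gateway S2S-GW external-interface ge-0/0/0.0
set security ike gateway S2S-GW version v2-only
set security ike proposal RA-JSC-IKE-Prop authentication-method pre-shared-keys
set security ike proposal RA-JSC-IKE-Prop dh-group group20
set security ike policy RA-JSC-IKE-Policy mode aggressive
set security ike policy RA-JSC-IKE-Policy proposals RA-JSC-IKE-Prop
set security ike policy RA-JSC-IKE-Policy pre-shared-key ascii-text "key"
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
"""

# Constructed sample of the arrangement the findings describe as committable:
# one shared PSK proposal, separate policies (so separate keys), same interface.
SAMPLE_SHARED = """
set security ike proposal Shared-Prop authentication-method pre-shared-keys
set security ike proposal Shared-Prop dh-group group20
set security ike policy S2S-Policy proposals Shared-Prop
set security ike policy S2S-Policy pre-shared-key ascii-text "site-key"
set security ike gateway S2S-GW ike-policy S2S-Policy
set security ike gateway S2S-GW external-interface ge-0/0/0.0
set security ike policy RA-JSC-IKE-Policy mode aggressive
set security ike policy RA-JSC-IKE-Policy proposals Shared-Prop
set security ike policy RA-JSC-IKE-Policy pre-shared-key ascii-text "ra-key"
set security ike gateway RA-JSC-GW ike-policy RA-JSC-IKE-Policy
set security ike gateway RA-JSC-GW external-interface ge-0/0/0.0
"""

if __name__ == "__main__":
    for label, text in (("conflict", SAMPLE_CONFLICT), ("shared", SAMPLE_SHARED)):
        print(label, check_config(text) or "no conflicts")
```

Running it against the first sample reports both a proposal-set mismatch and mixed authentication methods on ge-0/0/0.0; the second sample, which follows the reply's findings (one shared proposal, a different pre-shared key per policy), reports nothing. The check only models the two rules stated in the thread; it does not replicate every validation that "commit check" performs on the SRX.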