How to configure IPSec RemoteVPN on new branch SRX?

  • 1.  How to configure IPSec RemoteVPN on new branch SRX?

    Posted 08-24-2016 11:08

    For the new branch SRX series there are no dynamic VPN licenses. I was told that I can use the Shrew Soft software to do IPSec RemoteVPN connections but I don't know how to configure that. There is no instruction or KB regarding this way of connecting to the SRX; all of them specify the dynamic VPN way, which is now deprecated.

    Can somebody help me with some documentation, links or a config for doing this?

     



  • 2.  RE: How to configure IPSec RemoteVPN on new branch SRX?

     
    Posted 08-24-2016 22:33


  • 3.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 08-26-2016 05:20

    I tried the following configuration provided under this link but I can't get access with Shrew Soft. I get the Phase 1 IKE tunnel up, but then Shrew just stops at "bringing tunnel up" and the SRX doesn't show the IPsec tunnel.


    Below please find my configuration and confirmation of Phase 1 getting into the device.

    [edit security ike]
    proposal aes-128-sha1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 180;
    }
    +    policy Remote_Access-pol {
    +        mode aggressive;
    +        proposals aes-128-sha1;
    +        pre-shared-key ascii-text "PSK-## SECRET-DATA"
    +    }
    [edit security ike]
    +    gateway Remote_Access-gw {
    +        ike-policy Remote_Access-pol;
    +        dynamic {
    +            user-at-hostname "vpn@hostname.pl";
    +            connections-limit 10;
    +            ike-user-type shared-ike-id;
    +        }
    +        external-interface ge-0/0/0.0;
    +        xauth access-profile Remote_Access-profile;
    +    }
    [edit security ipsec]
    proposal aes-128-cbc-sha1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy aes128_pfs2 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals aes-128-cbc-sha1;
    }
    +    vpn Remote_Access-VPN {
    +        ike {
    +            gateway Remote_Access-gw;
    +            ipsec-policy aes128_pfs2;
    +        }
    +    }
    [edit]
    +  access {
    +      profile Remote_Access-profile {
    +          authentication-order password;
    +          client user-login {
    +              firewall-user {
    +                  password "user-pass"
    +              }
    +          }
    +          address-assignment {
    +              pool Remote_Access-pool;
    +          }
    +      }
    +      address-assignment {
    +          pool Remote_Access-pool {
    +              family inet {
    +                  network 192.168.22.0/24;
    +                  range remote-vpn-range {
    +                      low 192.168.22.10;
    +                      high 192.168.22.100;
    +                  }
    +              }
    +          }
    +      }
    +  }
    [edit security address-book BrzegD_addresses]
    address Remote_VPN 192.168.22.0/24;
    attach zone INET;
    [edit security policies]
    +    from-zone INET to-zone USERS {
    +        policy RemoteVPN {
    +            match {
    +                source-address Remote_VPN;
    +                destination-address any;
    +                application any;
    +            }
    +            then {
    +                permit {
    +                    tunnel {
    +                        ipsec-vpn Remote_Access-VPN;
    +                    }
    +                }
    +            }
    +        }
    +    }
    
    root@SRX300 # run show security ike security-associations index 7391592 detail
    IKE peer MY-IP, Index 7391592, Gateway Name: Remote_Access-gw
      Role: Responder, State: UP
      Initiator cookie: 13c4e460b6863677, Responder cookie: 68976e09605ac5fc
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: SRX-IP:4500, Remote: MY-IP:32563
      Lifetime: Expires in 156 seconds
      Peer ike-id: vpn@hostname.com
      Xauth assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha1-96
       Encryption            : aes128-cbc
       Pseudo random function: hmac-sha1
       Diffie-Hellman group  : DH-group-2
      Traffic statistics:
       Input  bytes  :                 1838
       Output bytes  :                  564
       Input  packets:                    8
       Output packets:                    3
      IPSec security associations: 0 created, 0 deleted
      Phase 2 negotiations in progress: 0
    
        Flags: IKE SA is created

     I also attached the traceoptions files from IKE Phase 1 (vpn-RA.txt) and IKE Phase 2 (dynvpn-auth-RA.txt).

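Reading the IKE SA output above stage by stage, here is an added Python helper (not from the thread, Juniper or Shrew Soft). The sample text is constructed from the posted output with placeholder addresses; the field labels are the ones the SRX prints, and the stage names returned by `diagnose` are my own.

```python
"""Classify where an SRX dial-up IKE / XAuth / IPsec negotiation stalled,
using 'show security ike security-associations <index> detail' output."""
import re

# Constructed sample modelled on the SRX300 output in the thread
# (addresses are documentation ranges, cookies copied from the post).
SAMPLE_OUTPUT = """\
IKE peer 203.0.113.10, Index 7391592, Gateway Name: Remote_Access-gw
  Role: Responder, State: UP
  Initiator cookie: 13c4e460b6863677, Responder cookie: 68976e09605ac5fc
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 198.51.100.1:4500, Remote: 203.0.113.10:32563
  Lifetime: Expires in 156 seconds
  Peer ike-id: vpn@hostname.com
  Xauth assigned IP: 0.0.0.0
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
"""

# One regex per field we care about; group 1 is the value.
FIELD_PATTERNS = {
    "gateway": r"Gateway Name:\s*(\S+)",
    "state": r"State:\s*(\S+)",
    "exchange": r"Exchange type:\s*(\S+),",
    "peer_id": r"Peer ike-id:\s*(\S+)",
    "xauth_ip": r"Xauth assigned IP:\s*(\S+)",
    "ipsec_created": r"IPSec security associations:\s*(\d+) created",
    "p2_in_progress": r"Phase 2 negotiations in progress:\s*(\d+)",
}

def parse_ike_sa(text):
    """Extract the dial-up-relevant fields from one IKE SA detail entry."""
    sa = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        sa[key] = match.group(1) if match else None
    for key in ("ipsec_created", "p2_in_progress"):  # numeric counters
        if sa[key] is not None:
            sa[key] = int(sa[key])
    return sa

def diagnose(sa):
    """Return the first negotiation stage that did not complete."""
    if sa["state"] != "UP":
        return "phase1-not-up"
    if sa["xauth_ip"] in (None, "0.0.0.0"):
        # Phase 1 finished, but no pool address reached the client: the
        # XAuth / mode-config step never completed, so Phase 2 was not tried.
        return "xauth-incomplete"
    if sa["ipsec_created"] == 0:
        return "phase2-failed"
    return "tunnel-up"
```

For the posted output this reports `xauth-incomplete`, which points at the access profile and client identity settings rather than at the IPsec proposal.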


  • 4.  RE: How to configure IPSec RemoteVPN on new branch SRX?

     
    Posted 08-26-2016 05:36

    Hello,

     

    What is your shrew soft configuration?

    Did you try some other client?

     

    Regards,

     

    Rushi



  • 5.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 08-26-2016 06:42

    I didn't try any other clients than Shrew Soft. What can you recommend that should work with IPSec Remote VPN?

    Here are my Shrew connection settings:

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:0
    n:network-notify-enable:1
    n:client-dns-used:0
    n:client-dns-auto:1
    n:client-dns-suffix-auto:1
    n:client-splitdns-used:0
    n:client-splitdns-auto:0
    n:client-wins-used:0
    n:client-wins-auto:1
    n:phase1-dhgroup:2
    n:phase1-life-secs:180
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:1
    n:phase1-keylen:128
    n:phase2-keylen:128
    s:network-host:<SRX-IP>
    s:client-auto-mode:pull
    s:client-iface:virtual
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:ufqdn
    s:ident-server-type:any
    s:ident-client-data:vpn@hostname.com
    b:auth-mutual-psk:<PSK>
    s:phase1-exchange:aggressive
    s:phase1-cipher:aes
    s:phase1-hash:sha1
    s:phase2-transform:esp-aes
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:2
    s:policy-level:auto


  • 6.  RE: How to configure IPSec RemoteVPN on new branch SRX?

     
    Posted 08-26-2016 07:43

    Hello,

     

    Though there are a few posts saying they were able to connect using the Shrew Soft client to the SRX, I have faced a few issues.

    I was able to bring the VPN up with the NCP Juniper edition.

     

    Regards,

     

    Rushi



  • 7.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 08-26-2016 08:46

    Hi,

     

    If you can wait a month, support for remote access VPN will be re-added to the SRX300 series in 15.1X49-D60, planned for release in September.



  • 8.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 08-29-2016 02:03
    I heard that Juniper on the new branch SRX doesn't support xauth, which is why I may have problems with Remote VPN. Can somebody confirm that you got it working on the SRX300 using xauth?


  • 9.  RE: How to configure IPSec RemoteVPN on new branch SRX?

     
    Posted 08-29-2016 02:40

    Hello,

     

    I was able to bring up the dial-up IPsec VPN on vSRX2 from the NCP client with the following configuration:

     

    set security ike policy dynvpn-ike-policy mode aggressive
    set security ike policy dynvpn-ike-policy proposal-set compatible
    set security ike policy dynvpn-ike-policy pre-shared-key ascii-text "$9$Hk5FCA0IhruOLx-dsY5Qz"
    set security ike gateway dynvpn-gw ike-policy dynvpn-ike-policy
    set security ike gateway dynvpn-gw dynamic hostname <FQDN>
    set security ike gateway dynvpn-gw dynamic connections-limit 10
    set security ike gateway dynvpn-gw dynamic ike-user-type shared-ike-id
    set security ike gateway dynvpn-gw nat-keepalive 60
    set security ike gateway dynvpn-gw external-interface <external-interface>
    set security ike gateway dynvpn-gw xauth access-profile dynvpn-ncp

    set security ipsec policy ipsec-dynvpn-policy perfect-forward-secrecy keys group2
    set security ipsec policy ipsec-dynvpn-policy proposal-set compatible
    set security ipsec vpn dynvpn-ncp df-bit copy
    set security ipsec vpn dynvpn-ncp ike gateway dynvpn-gw
    set security ipsec vpn dynvpn-ncp ike ipsec-policy ipsec-dynvpn-policy
    set security ipsec vpn dynvpn-ncp establish-tunnels immediately

    set access profile dynvpn-ncp authentication-order password
    set access profile dynvpn-ncp client radela firewall-user password "$9$bKwoGkqfznCP51RcSeKoJZ"
    set access profile dynvpn-ncp address-assignment pool dynvpn-pool
    set access address-assignment pool dynvpn-pool family inet network 10.254.24.0/24
    set access address-assignment pool dynvpn-pool family inet range test low 10.254.24.1
    set access address-assignment pool dynvpn-pool family inet range test high 10.254.24.254
    set access address-assignment pool dynvpn-pool family inet xauth-attributes primary-dns 172.16.0.111/32
    set access address-assignment pool dynvpn-pool family inet xauth-attributes secondary-dns 172.17.0.111/32

    set security zones security-zone untrust address-book address remote-vpn 10.254.24.0/24

    set security policies from-zone untrust to-zone trust policy remote-vpn match source-address remote-vpn
    set security policies from-zone untrust to-zone trust policy remote-vpn match destination-address any
    set security policies from-zone untrust to-zone trust policy remote-vpn match application any
    set security policies from-zone untrust to-zone trust policy remote-vpn then permit tunnel ipsec-vpn dynvpn-ncp

     

    You can give it a try.

     

    Regards,

     

    Rushi



  • 10.  RE: How to configure IPSec RemoteVPN on new branch SRX?
    Best Answer

    Posted 09-20-2016 02:21

    Hi,

     

    15.1X49-D60 was released a few hours ago with support for Remote access VPN client (dynamic vpn). No need for third party solutions anymore.




  • 11.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 09-20-2016 03:12
    Thanks for the great info. Will test that and edit this post. On the old boxes 2 dynamic VPN connections were included on the box, and for more we needed a license. What about the new SRX300, which doesn't have licenses for dynamic VPN?


  • 12.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 09-20-2016 03:22

    The CLI shows 2 licenses included with the box:

     

    root@srx300> show system license
    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      dynamic-vpn                           0            2           0    permanent

     

    I expect the license scheme used on the SRX300 is the same as the legacy branch series (SRX-RAC-X-LTU where X is 5,10,25,50,100,150,250) but please check with your reseller/partner to avoid issues.

     

    The SRX-RAC- licenses are still present in the latest pricelist from Juniper.



  • 13.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 09-20-2016 06:03

    Just to confirm: Dynamic VPN on the new software D60 is working, and it is using the licenses installed on the box:

     

    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
    
      dynamic-vpn                           1            2           0    permanent
    

    Instructions for configuring dynamic VPN with the Pulse Secure client:

    https://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html

     

    In my free time I may check whether I can now get Shrew to work, to bypass the need for dynamic-vpn licenses.



  • 14.  RE: How to configure IPSec RemoteVPN on new branch SRX?

    Posted 10-19-2016 10:25

    I tested this today using a similar config to the one I had used on the previous-series branch SRXs. The Pulse Secure client gave the error "failed to receive http response." I thought that was odd, since HTTPS was enabled on the untrust security zone.

     

    The fix is to enable web-management on the WAN interface:

    set system services web-management https interface ge-0/0/7.0