SRX


Ask questions and share experiences about the SRX Series.

Can SRX series work with Shrew Soft VPN client?

  • 1.  Can SRX series work with Shrew Soft VPN client?

    Posted 02-09-2011 21:12

    Hi all,

     

    I'm a newbie to Juniper…

    Just wondering whether the Shrew Soft VPN client (a third-party VPN client) is able to work with the Juniper SRX series? I had success making the VPN connect by using Juniper Access Manager, but not Shrew Soft. I know that Shrew Soft is able to work with the Juniper SSG series, but how about SRX…

     

    Can anybody advise on this? Here is my configuration.

    Attachment(s)

    txt
    TestVPN.txt   14 KB 1 version


  • 2.  RE: Can SRX series work with Shrew Soft VPN client?
    Best Answer

    Posted 02-09-2011 23:07

    Yes it works.

     

    Here is a configuration one of our internal gurus came up with that has been tested in a lab with the Shrew client.

     

     

    ## Last changed: 2011-01-17 21:14:39 MST
    version 10.4R1.9;
    system {
        login {
            user admin {
                uid 2002;
                class super-user;
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file traffic-log {
                any any;
                match RT_FLOW;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.4.4.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 4.4.4.1/24;
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family inet {
                    address 192.168.180.39/24;
                }
            }
        }
    }
    security {
        ike {
            proposal RemoteVPNPolicy1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy RemoteVPNIKE {
                mode aggressive;
                proposals RemoteVPNPolicy1;
                pre-shared-key ascii-text "$9$ywMeMXVwgUjq7-jqmfn6revW7-"; # SECRET-DATA
            }
            policy t400-ike-policy {
                mode aggressive;
                proposals RemoteVPNPolicy1;
                pre-shared-key ascii-text "$9$IcPhyKX7V4aUM8aUjH5TRhSrM8"; # SECRET-DATA
            }
            inactive: gateway RemoteVPN {
                ike-policy RemoteVPNIKE;
                dynamic user-at-hostname "remote@domain.com";
                external-interface ge-0/0/1.0;
            }
            gateway t400-ike-gw {
                ike-policy t400-ike-policy;
                dynamic {
                    user-at-hostname "remote@domain.com";
                    connections-limit 50;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/1.0;
                xauth access-profile t400-access;
            }
        }
        ipsec {
            proposal RemoteVPNIPSec {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
            }
            policy RemoteVPNIPSec {
                proposals RemoteVPNIPSec;
            }
            policy t400-ipsec-policy {
                proposals RemoteVPNIPSec;
            }
            inactive: vpn RemoteVPN {
                ike {
                    gateway RemoteVPN;
                    ipsec-policy RemoteVPNIPSec;
                }
                establish-tunnels on-traffic;
            }
            vpn t400-vpn {
                ike {
                    gateway t400-ike-gw;
                    ipsec-policy t400-ipsec-policy;
                }
            }
        }
        zones {
            security-zone corp {
                interfaces {
                    fe-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                address-book {
                    address hq-net-10-4-4 10.4.4.0/24;
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone trust {
                policy RemoteVPN {
                    match {
                        source-address any;
                        destination-address hq-net-10-4-4;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn t400-vpn;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
    }
    access {
        address-pool t400-pool {
            address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
            primary-dns 10.4.4.75;
        }
        profile t400-access {
            authentication-order password;
            client joe {
                firewall-user {
                    password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool t400-assign-pool;
            }
        }
        address-assignment {
            pool t400-assign-pool {
                family inet {
                    network 192.168.40.0/24;
                    range t400-range {
                        low 192.168.40.101;
                        high 192.168.40.149;
                    }
                    xauth-attributes {
                        primary-dns 10.4.4.85/32;
                    }
                }
            }
        }
    }
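
The configuration above is a lab example, and a few of its settings are ones a reviewer would want flagged before it goes into production: IKEv1 aggressive mode with a shared PSK, 3DES/MD5/DH group 2, telnet enabled, and `host-inbound-traffic system-services all` on the untrust interface. The following Python script is an added example, not code from the post or from Juniper: it parses Junos brace syntax into a nested dict and lints it for exactly those points. `SAMPLE_CONFIG` is a trimmed copy of the posted configuration with the pre-shared key replaced by a placeholder; the parser assumes one statement or brace per line, as `show configuration` prints it.

```python
# Constructed sample: a trimmed copy of the posted lab configuration, PSK replaced by a placeholder.
SAMPLE_CONFIG = """\
system {
    services {
        telnet;
    }
}
security {
    ike {
        proposal RemoteVPNPolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
        }
        policy RemoteVPNIKE {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "PLACEHOLDER-PSK"; # SECRET-DATA
        }
    }
    ipsec {
        proposal RemoteVPNIPSec {
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
"""

def _strip_comment(line):
    """Drop a '#' comment, unless the '#' is inside double quotes."""
    out, quoted = "", False
    for ch in line:
        quoted ^= ch == '"'
        if ch == "#" and not quoted:
            break
        out += ch
    return out.strip()

def parse_junos(text):
    """Nested dict: 'x {' opens a child dict, 'x;' maps to None (one item per line)."""
    stack = [{}]
    for number, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {number}: unmatched closing brace")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"line {number}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces: configuration ends inside a block")
    return stack[0]

def _walk(node, path=()):
    for key, child in node.items():
        yield path + (key,), child
        if child is not None:
            yield from _walk(child, path + (key,))

WEAK = {"3des-cbc": "3DES", "md5": "MD5", "hmac-md5-96": "HMAC-MD5",
        "group2": "DH group 2 (1024-bit MODP)"}

def lint_vpn_config(tree):
    """Findings for deprecated crypto and an exposed management plane."""
    findings = []
    for path, _ in _walk(tree):
        stmt, where, words = path[-1], "/".join(path[:-1]), path[-1].split()
        if words[0] in ("encryption-algorithm", "authentication-algorithm", "dh-group") and words[-1] in WEAK:
            findings.append(f"{where}: {stmt} ({WEAK[words[-1]]} is deprecated)")
        elif stmt == "mode aggressive":
            findings.append(f"{where}: IKEv1 aggressive mode sends the PSK-derived hash unencrypted, exposing the PSK to offline guessing")
        elif stmt == "telnet" and path[:-1] == ("system", "services"):
            findings.append("system/services: telnet enabled (cleartext management)")
        elif stmt == "all" and path[-2:-1] == ("system-services",):
            findings.append(f"{where}: system-services all exposes every management service on this interface")
    return findings
```

Running `lint_vpn_config(parse_junos(SAMPLE_CONFIG))` on the sample yields eight findings (the two 3DES lines, MD5, HMAC-MD5, group 2, aggressive mode, telnet, and the `all` on `ge-0/0/1.0`). The same parser works on a full `show configuration` dump, so the lint can be rerun after each change rather than read by eye.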

     

     



  • 3.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 02-10-2011 03:02

    Thanks Hanks, it’s working with Shrew client now.

    But… I can’t connect to the remote peer network + no internet connection after VPN is connected.

     

    Do you have any idea?

    Attachment(s)

    doc
    VPNwork.doc   14 KB 1 version
    doc
    ShrewSetting.doc   426 KB 1 version


  • 4.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 06-14-2011 09:59

    It's doing global tunneling; you will need to create policies on your Juniper to allow the traffic out, or use split tunneling on the Shrew.



  • 5.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 06-14-2011 13:00

    Hi

     

    By the way, is a dynamic-vpn license still needed in this case for more than 2 users?



  • 6.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 06-15-2011 00:13

    Yes, Dynamic VPN licenses will be required.

     

     



  • 7.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 09-13-2011 14:13

    Are you sure that Dynamic licenses are required for Shrew to work? It defeats the purpose of using a free VPN client. NCP does not require Dynamic licenses to be in place.

     

    Thanks,

     

    John



  • 8.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 09-14-2011 10:55

    No, it does not require a Dynamic VPN license. I have about 60 Shrew VPN tunnels up at the moment.



  • 9.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 09-14-2011 11:33

    Dynamic VPN licenses are only required if you are using JUNOS Pulse or Juniper Access Manager (JAM), where the device pushes the config and client over to the PC. In this case, you are not using Dynamic VPN, and hence it is not required.



  • 10.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 11-22-2011 13:39

    In both my SRX (version 10.2R3.10) I can't add these commands:

            address-assignment {
                pool t400-assign-pool;

     

    Could it depend on the software version?

     

     

    access {
        address-pool t400-pool {
            address-range low 192.168.40.200 high 192.168.40.250 mask 255.255.255.0;
            primary-dns 10.4.4.75;
        }
        profile t400-access {
            authentication-order password;
            client joe {
                firewall-user {
                    password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool t400-assign-pool;
            }

     



  • 11.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 05-01-2015 12:12

    After lots and lots of headaches (my colleague left, I had to jump in, his config was half finished), I've come to this (censored) version, which finally allows me to connect from the internet to our network.

     

     

    * is it possible to have RADIUS verification, without a dynamic VPN license, with SRX 550, for the "t400-access" profile? Estimated users: 15. It was a feature we had on our SSG.

     

    I've been able to configure RADIUS authentication for accessing the firewall (vendor code 2636, RADIUS = Windows Server 2012).

     

    * is it possible to limit the VPN access to certain MAC addresses? My fear is that one day users will simply copy the VPN config from their ShrewSoft to their private laptops, which are missing our policies and antivirus software.

     

     

    The following two problems seem to be solved, I'm leaving this here for future reference for others.

     

    * using ShrewSoft VPN Access Manager 2.2.0, I still get disconnected. As suggested earlier, I changed the lifetimes: phase 1 => 180, phase 2 => 28800. Yet I still get disconnected after 2 or 3 minutes? (update - but it needs further testing: I might have this one fixed. On the firewall, I left the phase 1 lifetime on 180, in the ShrewSoft client I've put it on 60 ).

     

    * perhaps it has to do with the RADIUS verification, but I can't ping nor access a computer if I use the UNC-path ( e.g.  \\MYPC-01.intranet.domain.com\C$ ) - I have to use its IP ( \\10.1.10.20\C$ ). How can I fix this, since a lot of the software we work with, rely on names rather than IPs? The DNS server is 10.1.10.18 (in the config below). => after changing the lifetime to 60, this also seems to be fixed, whatever the reason might be.

     

     

     

    ## Last changed: 2015-05-01 20:56:51 CEST
    version 12.1X44-D45.2;
    system {
        host-name SRX550;
        time-zone Europe/Brussels;
        authentication-order [ password radius ];
        root-authentication {
            encrypted-password "";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        name-resolution {
            no-resolve-on-input;
        }
        radius-server {
            10.1.10.20 {
                port 1812;
                secret "";
                timeout 3;
                retry 3;
                source-address <ip of your firewall>;
            }
        }
        radius-server {
            10.1.10.20 {
                port 1812;
                secret "X";
                timeout 3;
                retry 3;
                source-address ip-of-firewall;
            }
        }
        radius-options {
            password-protocol mschap-v2;
        }
        login {
         
            user remote {
                # Defines role for RADIUS users who are not individually specified.
                full-name "All remote users";
                uid 2000;
                # operator
                class read-only;
            }
        }
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                    interface ge-0/0/1.0;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                maximum-lease-time 86400;
                default-lease-time 86400;
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    192.168.0.1;
                }
                pool 192.168.0.0/24 {
                    address-range low 192.168.0.2 high 192.168.0.254;
                    maximum-lease-time 86400;
                    default-lease-time 86400;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file kmd-logs {
                daemon info;
                match KMD;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server be.ntp.pool.org;
        }
    }
    interfaces {
        ge-0/0/0 {
            description Internet;
            unit 0 {
                family inet {
                    address publicIp/29;
                }
            }
        }
        ge-0/0/1 {
            description Lan;
            gigether-options {
                no-auto-negotiation;
            }
            unit 0 {
                family inet {
                    address <ip of your firewall>/28;
                }
            }
        }
        ge-0/0/2 {
            description uplink2;
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description uplink2;
                family inet {
                    address publicIp/24;
                }
            }
        }
        ge-0/0/3 {
            description "Guest Users";
            gigether-options {
                auto-negotiation;
            }
            unit 0 {
                description "Guest Users";
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            # removed
        }
    }
    protocols {
        stp {
            disable;
        }
    }
    security {
        ike {
            proposal t400-ike-proposal {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm md5;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 180;
            }
            policy t400-ike-policy {
                mode aggressive;
                proposals t400-ike-proposal;
                pre-shared-key ascii-text "secret";
            }
            gateway t400-ike-gw {
                ike-policy t400-ike-policy;
                dynamic {
                    user-at-hostname "remote@domain.org";
                    connections-limit 50;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile t400-access;
            }
        }
        ipsec {
            proposal t400-ipsec-proposal {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 28800;
            }
            policy t400-ipsec-policy {
                proposals t400-ipsec-proposal;
            }
            vpn t400-vpn {
                ike {
                    gateway t400-ike-gw;
                    ipsec-policy t400-ipsec-policy;
                }
            }
        }
        alg {
            ike-esp-nat {
                enable;
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                pool src-nat-woonnet {
                    address {
                        10.100.16.32/29;
                    }
                    port no-translation;
                }
                rule-set nsw_srcnat {
                    from zone Trust;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set nsw_guestusers {
                    from zone GuestUsers;
                    to zone Internet;
                    rule source-nat-rule-guestusers {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                # removed
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        publicip/32 to publicip/32;
                    }
                }
            }
        }
        policies {
            from-zone Trust to-zone Internet {
                policy InternetAccess {
                    match {
                        source-address [ ClientPCs Servers ];
                        destination-address any;
                        application [ junos-http junos-https ];
                    }
                    then {
                        permit;
                    }
                }
                policy DNS {
                    match {
                        source-address [ DNSServers ];
                        destination-address any;
                        application [ junos-dns-tcp junos-dns-udp ];
                    }
                    then {
                        permit;
                    }
                }
                policy vpn-users {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn t400-vpn;
                            }
                        }
                    }
                }
            }
            from-zone Internet to-zone Trust {
                policy vpn-clients {
                    match {
                        source-address vpn-clients;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn t400-vpn;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone Trust {
                address-book {
                    address ClientPCs <ip range>/21;
                    address dc01 <ip range>/32;
                    address dc02 <ip range>/32;
                    address Servers <ip range>/23;
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                #all;
                                ping;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                address-book {
                    address vpn-clients 192.168.1.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        ike;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                #all;
                                ike;
                                ping;
                            }
                        }
                    }
                    st0.0;
                }
            }
            security-zone GuestUsers {
                description "Guest users from wireless";
                interfaces {
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        address-pool t400-pool {
            address-range low 192.168.1.200 high 192.168.1.250 mask 255.255.255.0;
            primary-dns 10.1.10.18;
        }
        # spotted this on the net, but it doesn't seem to work yet?
        # if I use the GUI and select this profile, it complains about unsupported property?
        profile t400-access2 {
            authentication-order radius;
            address-assignment {
                pool t400-assign-pool;
            }
            radius-server {
                10.1.10.20 secret "secret";
            }
        }
        profile t400-access {
            authentication-order password;
            client Joe {
                firewall-user {
                    password "secret";
                }
            }
            address-assignment {
                pool t400-assign-pool;
            }
        }
        address-assignment {
            pool t400-assign-pool {
                family inet {
                    network 192.168.1.0/24;
                    range t400-range {
                        low 192.168.1.101;
                        high 192.168.1.149;
                    }
                    xauth-attributes {
                        primary-dns 10.1.10.18/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile t400-access;
            }
        }
    }
    applications {
    }

     

    And for ShrewSoft VPN:

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:client-banner-enable:1
    n:network-notify-enable:1
    n:client-wins-used:1
    n:client-wins-auto:1
    n:client-dns-used:1
    n:client-dns-auto:1
    n:client-splitdns-used:0
    n:client-splitdns-auto:1
    n:phase1-dhgroup:2
    n:phase1-life-secs:60
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:28800
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:0
    n:client-dns-suffix-auto:0
    s:network-host:<your public ip>
    s:client-auto-mode:push
    s:client-iface:virtual
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:client-dns-suffix:<yourdomainsuffix.org>
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:ufqdn
    s:ident-server-type:any
    s:ident-client-data:<remote@domain.org>
    b:auth-mutual-psk:<your preshared key>
    s:phase1-exchange:aggressive
    s:phase1-cipher:3des
    s:phase1-hash:md5
    s:phase2-transform:esp-3des
    s:phase2-hmac:md5
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:0
    s:policy-level:auto
    s:policy-list-include:<your own IP ranges> / <subnet>,<your own firewall IP range> / <subnet>
    s:client-saved-username:Joe
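
The recurring problem in this thread is not whether the two ends can negotiate, but whether their settings stay consistent: the post above only got a stable tunnel once the client's phase 1 lifetime (60 s) was shorter than the firewall's (180 s), while equal lifetimes kept dropping the session. The script below is an added example, not part of the post or of Shrew Soft: it parses the Shrew profile format shown above (`n:` integer, `s:` string, `b:` base64 lines), translates the phase 1 / phase 2 fields into the Junos keywords used in the firewall configuration, and reports any mismatch against the firewall's proposal values. `SHREW_PROFILE` is a constructed profile with placeholder host, PSK and networks; `FIREWALL_IKE` and `FIREWALL_IPSEC` are the proposal values from the configuration above, typed in by hand; the Shrew-to-Junos name table and the lifetime rule are the example's own, the latter being the thread's empirical finding rather than a documented requirement.

```python
import base64

# Constructed Shrew Soft profile in the n:/s:/b: export format shown above.
# Mirrors the combination reported as working: client phase 1 = 60 s versus
# the firewall's 180 s. Host, PSK and networks are placeholders.
SHREW_PROFILE = """\
n:version:4
n:network-natt-port:4500
n:network-dpd-enable:1
n:phase1-dhgroup:2
n:phase1-life-secs:60
n:phase2-life-secs:28800
s:network-host:203.0.113.10
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-client-data:remote@domain.org
b:auth-mutual-psk:UExBQ0VIT0xERVI=
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
n:phase2-pfsgroup:0
s:policy-list-include:10.1.8.0 / 255.255.248.0
s:client-saved-username:Joe
"""

# Values from the firewall's 'security ike' / 'security ipsec' proposals above,
# entered by hand for this example.
FIREWALL_IKE = {"mode": "aggressive", "dh-group": "group2",
                "authentication-algorithm": "md5", "encryption-algorithm": "3des-cbc",
                "lifetime-seconds": 180}
FIREWALL_IPSEC = {"encryption-algorithm": "3des-cbc",
                  "authentication-algorithm": "hmac-md5-96", "lifetime-seconds": 28800}

def parse_shrew_profile(text):
    """Parse '<type>:<key>:<value>' lines: n = integer, s = string, b = base64 bytes."""
    profile = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, key, value = line.split(":", 2)
        if kind == "n":
            profile[key] = int(value)
        elif kind == "b":
            profile[key] = base64.b64decode(value)
        else:
            profile[key] = value
    return profile

def _cipher(name, keylen):
    """Map Shrew cipher names to Junos keywords (AES carries a separate key length)."""
    if name == "3des":
        return "3des-cbc"
    if name == "aes":
        return f"aes-{keylen}-cbc"
    return name

# Example's own name table: Shrew hash names -> Junos IKE / IPsec keywords.
IKE_HASH = {"md5": "md5", "sha1": "sha1", "sha2-256": "sha-256", "sha2-384": "sha-384"}
IPSEC_HMAC = {"md5": "hmac-md5-96", "sha1": "hmac-sha1-96", "sha2-256": "hmac-sha-256-128"}

def shrew_to_junos(profile):
    """Express the client's phase 1 / phase 2 settings in Junos vocabulary."""
    transform = profile["phase2-transform"]  # e.g. esp-3des, esp-aes
    ike = {
        "mode": profile["phase1-exchange"],
        "dh-group": f"group{profile['phase1-dhgroup']}",
        "authentication-algorithm": IKE_HASH[profile["phase1-hash"]],
        "encryption-algorithm": _cipher(profile["phase1-cipher"], profile.get("phase1-keylen")),
        "lifetime-seconds": profile["phase1-life-secs"],
    }
    ipsec = {
        "encryption-algorithm": _cipher(transform[4:] if transform.startswith("esp-") else transform,
                                        profile.get("phase2-keylen")),
        "authentication-algorithm": IPSEC_HMAC[profile["phase2-hmac"]],
        "lifetime-seconds": profile["phase2-life-secs"],
    }
    return ike, ipsec

def compare_sides(profile, fw_ike, fw_ipsec):
    """List mismatches between the client profile and the firewall proposals.
    Lifetimes follow the thread's empirical rule: the client's phase 1 lifetime
    must be shorter than the firewall's, and phase 2 must not exceed it."""
    client_ike, client_ipsec = shrew_to_junos(profile)
    problems = []
    for side, client, fw in (("ike", client_ike, fw_ike), ("ipsec", client_ipsec, fw_ipsec)):
        for key in ("mode", "dh-group", "authentication-algorithm", "encryption-algorithm"):
            if key in fw and client.get(key) != fw[key]:
                problems.append(f"{side} {key}: client {client.get(key)} vs firewall {fw[key]}")
    if client_ike["lifetime-seconds"] >= fw_ike["lifetime-seconds"]:
        problems.append(f"phase 1 lifetime: client {client_ike['lifetime-seconds']}s is not shorter "
                        f"than the firewall's {fw_ike['lifetime-seconds']}s")
    if client_ipsec["lifetime-seconds"] > fw_ipsec["lifetime-seconds"]:
        problems.append(f"phase 2 lifetime: client {client_ipsec['lifetime-seconds']}s exceeds "
                        f"the firewall's {fw_ipsec['lifetime-seconds']}s")
    return problems
```

`compare_sides(parse_shrew_profile(SHREW_PROFILE), FIREWALL_IKE, FIREWALL_IPSEC)` returns an empty list for the combination above; setting the client's `phase1-life-secs` to 180 against the same firewall reproduces the equal-lifetime case the post describes and yields a single phase 1 finding. Keeping the firewall values in a dict rather than re-typing them each time also makes it easy to test an upgrade path (e.g. `aes-256-cbc`) on one side before touching the other.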

     



  • 12.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 05-04-2015 10:08

    I've figured out most of the issues/questions and updated the post above for reference, since a lot of people seem to link to this topic.

     

    Basically only 2 questions remain:

    * setting up RADIUS-authentication for VPN-users on SRX 550: is it possible to do so without a dynamic license? If so, how? I've seen configuration for an access profile relying on authentication-order radius, but it doesn't seem to work. When I configure it, and go to the GUI to the profile, it complains about unsupported values. So, is it possible or not, and how?

     

    * if not: I would really like to tighten security by limiting the VPN option to MAC addresses - can I do that?



  • 13.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 07-29-2016 06:49

    Great job, Jeffrey89!

     

    I managed to use Shrew VPN on SRX345 after changing the Phase 1 lifetime to 180 sec. Before that change, Shrew was auto-disconnecting every 1-2 minutes.

     

    Best regards,

    Mike



  • 14.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 11-24-2016 01:41

    Still facing unstable connections. Or rather: again. No idea why, it's been a while now. We did update our firmware. Could be the reason. With the exact same config as above, but with RADIUS enabled now (you can only do this with the CLI, not in the GUI).

     

    Is there anyone with SRX device + ShrewSoft VPN with stable connections for longer periods?

     

    Or is there a limit to the number of concurrent VPN users?

     

    mike@esynctraining.com, I'm really curious towards your config / feedback, if you still read this. 🙂

     

    ----

    Update 27th of November 2016:

     

    Either I'm lucky, or this config works. Mainly same as above, but:

    * Firewall: phase 1: 86400

    * ShrewSoft: phase 1: 60

    * Client keep-alive packet rate: 10 seconds

     

    Requires ShrewSoft 2.2.2 (!) and JunOS 12.3XD48-30

     

    Update 3rd of December, 2016:

    Issue still not fixed. We replaced our modem.

    From different locations: vpn stays up for max 5 minutes.

    From internally:  <pc> - internet router (excluding the old/new modem) - firewall: remained stable Friday for 2 hours, but after no config changes and using a different laptop, it still disconnects sometimes.

     

    Still unsure if the issue is with the config (which was quite stable before); the firmware (we upgraded in August); the hardware of the firewall or the internet provider hardware. Will connect the laptop directly onto the firewall early next week.



  • 15.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 12-09-2016 11:55

    The issue has NOT been resolved. It's been with Juniper support for 2 weeks.

     

    We've been trying to pinpoint when the issue started, we think it was in the Summer, when Juniper advised a firmware upgrade for a different reason. We come from 12.1X44-series, which is no longer supported, but for which the config worked.

     

    Right now, the config has changed, but mostly typical policies were added and some stuff has been tried to block a video stream (all possible ways failed, Juniper had no conclusive answer on how to block RTMP streams without specifying the IP of the website).

     

    Anyhow, after removing nearly all changes, I still can't get the VPN to stay up in the 12.3X48-series (upgraded to the latest version this noon).  So it might be a firmware issue. That's my main suspect for now. It's 100% definitely a firewall issue, not a network issue.

     

     

    Has anyone a working config for IPSec VPN with ShrewSoft, which works on 12.3X48 series?
    If so, please be so kind to share it here or privately.
    If I get something to work, I'll post  it here again.

     

    Oh, also, the question "are dynamic VPN licenses required?". The first support engineer claimed it was necessary, the last guy told me they are not required for the config as suggested in this topic...

     

     



  • 16.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 12-10-2016 23:05

    SRX comes with two DynVPN user licenses. You have to purchase more to support more users. Why don't you enable traceoptions and see if it gets you some information?



  • 17.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 09-18-2017 02:18

    Have you ever found a solution to this? I've exactly the same problem, where the very same configuration works flawlessly on a SRX-650 running 12.1X46-D40.2 (stable for weeks, no disconnects), but I'm seeing those repeated disconnects on my lab SRX 320 running 15.1X49-D90.7. Again, very same config (load merge terminal).



  • 18.  RE: Can SRX series work with Shrew Soft VPN client?

    Posted 09-12-2012 12:30

    Hey, just grappled with this

     

    Need to tell the Shrew client what networks are going to be tunneled.

     

    To do this open the client

     

    Policy tab 

    Untick "Obtain Topology Automatically or Tunnel All"

    Click "Add" and enter the network that you want to tunnel to 

    Save and reconnect, should work.