SRX

Dear folks

Does SRX has the capability of terminating dialup VPN?? is NS-remote used as a client or any other client??

Urgent response is appreciatible.

regards, 

Ok just gone through SRX- Security- config guide. Yes this has support via NSR.

any one who has any comment further, can share.

thanks

Hi,

NS-Remote is not officially supported any more on SRX. But I have a working solution for dialup VPN. It is still working, it's IPSec, isn't it?

If you want to, I will provide you with my config example. Give me an email address or another ressource to

to upload a simple text-file. I would not like to present the solution here, because Juniper does not support it.

[EDIT]

http://kb.juniper.net/index?page=content&id=KB14370&actp=search&searchid=1256727835504

Regards,

Klaus

I would very much like to see how to set up a dial-up vpn using a third party client.  Plese send it to daniel.wells@mhtn.com.

Hi,

I would also very appreciate to you if you can share dial up vpn configuration with me, actually I m facing this for very long time and can't get help from any body else
currently I m using Net screen Remote VPN client with SSG 140, now we have purchased SRX 240H but not able to configure dial VPN with srx, also suggest me, can I use same net screen remote VPN with srx or not.

Again I m very appreciate to you if you can send me the config, My mail Id is anoop@datasecureindia.com

Thanks,

Anoop

Hi,

I am very appreciate too, if you can send me the config of your srx device für dialup vpn, my mail address is

ingo@seel.de.

Best regards

Ingo

Hi All,

finally I did it myself, it is working fine with Netscreen Remote VPN client. I have tested it in my LAB setup. But Officially it is not support by Juniper so now we are going for Dynamic VPN.

Thanks to all for sharing knowledge over here.

Thanks,

Anoop Singh

Hello Anoop-Singh,

Can you post your configuration?

regards.

Hi Anoop can  post  both your srx  config &   your   psd file from vpn client

Hi,

Please find it as in attachment. I hope your query will be resolved.

Thanks,

Anoop Singh

Attachment(s)

vpn.txt   6 KB 1 version

Thanks Anoop

Hi

Can any one guide me how to assign IP address/DNS to Netscreen Remote dialup VPN client on SRX?

Thanks

I would try to use the VSA Juniper assigned attributes for DNS settings

Hi

I am using local authenticaiton for dialup vpn users not radius.

Thanks

hi aeroplane ,  you said that you use local authentication for dial up vpn users ?   are you sure ? as per my knowledge srx doen't support that

Hi SSHSSH,

Yes, I have also used local authentication. You can see my previous attached config.

Also you can follow this command.

set access profile xuth-users authentication-order password
set access profile xuth-users client "test1@abc.com" firewall-user password "$9$1h9ISevMX-b28Xx-Vb2gTzF/p0"

I hope your query will be resolve.

Thanks,

Anoop Singh

Hi Klaus,

is it possible to send me the working solution for dial-up vpn to ingo@seel.de , please?

Thanks and best regards

Ingo

Klaus, My email address is msoho@archertechgroup.com

I would very much appreciate if you could send this config example to me.  Thanks!

Hi Fahad, 

Can you please send me a sample configuration for this 

Thanks my e-mail is groque@pointfinancials.com 

Cheers 

I would be glad if someone could send me the configuration

flavio-juniper@zipman.it

Thanks 🙂

Did anyone ever get it? Why not just post it here?

-Keith

i didn't get it  😞 

HI Fahad

Can you send me too?

gsilveriodasilva@gmail.com 

Thanks a lot!

Sample configuration for a "normal" DialUp-VPN:

set access profile dialup authentication-order password
/* Passwort = User */
set access profile dialup client klauzi firewall-user password "$9$1M2hyKbwgoaUwY6ApOcS"

set security ike proposal phase1 authentication-method pre-shared-keys
set security ike proposal phase1 dh-group group2
set security ike proposal phase1 authentication-algorithm sha1
set security ike proposal phase1 encryption-algorithm 3des-cbc
set security ike proposal phase1 lifetime-seconds 300
(maybe change lifetime?)

set security ike policy dialup mode aggressive
set security ike policy dialup proposals phase1
set security ike policy dialup pre-shared-key ascii-text "secrect-key"

set security ike gateway dialup dynamic user-at-hostname "test@entrada.de"
set security ike gateway dialup dynamic connections-limit 10
set security ike gateway dialup dynamic ike-user-type shared-ike-id
set security ike gateway dialup external-interface ge-0/0/0
set security ike gateway dialup xauth access-profile dialup

set security ipsec proposal phase2 protocol esp
set security ipsec proposal phase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2 encryption-algorithm 3des-cbc
set security ipsec proposal phase2 lifetime-seconds 28800
(lifetime?)

set security ipsec policy dialup perfect-forward-secrecy keys group2
set security ipsec policy dialup proposals phase2

set security ipsec vpn dialup ike gateway dialup
set security ipsec vpn dialup ike ipsec-policy dialup


Zone/Interface:
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.25/24

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

set security policies from-zone untrust to-zone trust policy dialup match source-address any
set security policies from-zone untrust to-zone trust policy dialup match destination-address any
set security policies from-zone untrust to-zone trust policy dialup match application any
set security policies from-zone untrust to-zone trust policy dialup then permit tunnel ipsec-vpn dialup
set security policies from-zone untrust to-zone trust policy dialup then log session-init

It looks like it does not matter, if one puts an "any" in the policy, even if the
client has a specific address/network configured. The proxy-id of the client was
ignored (in my testing)

Hi Entrada, 

Thank you for posting your config. One question if I configure dial up VPN clients do I have the controll to allow them to certain network resources.

For example I want my normal head office employees to not have access to my test servers, is that possible? or do I have to allow them to everything? 

culd you send the sampe config to my email tooo : ade@nec.co.id

many thanks