As we all know, there has always been a problem connecting Linux clients to the SRX-based dynamic VPN service. For quite some time we tended to ignore this and worked with Pulse Secure under Windows VMs. But since Pulse Secure has stopped working reliably lately (TSB17441), we needed another solution. Windows boxes manage somehow with Shrew VPN, but I thought that if the Shrew client works with plain IPsec, we might be able to use a Linux box without any external clients to connect to the SRX (Shrew does have a Linux client, but it doesn't work on new systems).
And so I came up with a solution which works for me. YMMV.
The "server-side" configuration is pretty normal for a dyn-vpn with LDAP authentication:
user@fw# show security ike
proposal Proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy Dyn-vpn-P3 {
    mode aggressive;
    proposals Proposal1;
    pre-shared-key ascii-text "aaaaaa"; ## SECRET-DATA
}
gateway dyn-vpn {
    ike-policy Dyn-vpn-P3;
    dynamic {
        hostname myhostname;
        ike-user-type shared-ike-id;
    }
    external-interface ge-0/0/0.0;
    aaa {
        access-profile vpn-ldap;
    }
}
[edit]
user@fw# show security ipsec
proposal Proposal1 {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy dyn-vpn-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals Proposal1;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn;
        ipsec-policy dyn-vpn-policy;
    }
}
[edit]
user@fw# show access
profile vpn-ldap {
    authentication-order ldap;
    address-assignment {
        pool VPN-POOL;
    }
    ldap-options {
        base-distinguished-name dc=company,dc=com;
        search {
            search-filter samaccountname=;
            admin-search {
                distinguished-name cn=junvpn,OU=Users,DC=company,DC=com;
                password "password"; ## SECRET-DATA
            }
        }
    }
    ldap-server {
        192.168.100.100;
    }
}
address-assignment {
    pool VPN-POOL {
        family inet {
            network 10.0.10.0/24;
            range POOL1 {
                low 10.0.10.11;
                high 10.0.10.200;
            }
            xauth-attributes {
                primary-dns 192.168.100.101/32;
                secondary-dns 192.168.100.102/32;
            }
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile vpn-ldap;
    }
    web-authentication {
        default-profile vpn-ldap;
    }
}
[edit]
user@fw# show security dynamic-vpn
access-profile vpn-ldap;
clients {
    OFFICE {
        remote-protected-resources {
            172.16.100.0/24;
            10.0.0.0/24;
        }
        ipsec-vpn dyn-vpn;
        user-groups {
            VPN;
        }
    }
}
[edit]
A few remarks about this config:
- I should probably have used stronger algorithms, but I needed to downgrade to keep backward compatibility with Shrew on Windows.
- The "remote-protected-resources" list is not important for a plain IPsec connection. It is only used to push configuration to Pulse Secure during the initial web API connection phase. With plain IPsec we need to specify those networks manually on the client side.
- Of course there are additional firewall policies allowing traffic from the remote to the protected networks, but I didn't paste them here for clarity.
- You could go with ike-user-type group-ike-id, but I didn't want to have to specify a different ID per user (I wanted a shared config file that I could distribute among users).
And the setup of Libreswan (on Fedora 29, but one of our users uses Ubuntu 18.04 and seems to have got it working as well) looks like this:
/etc/ipsec.d/client.conf:
conn "client"
    ikev2=no
    keyexchange=ike
    ike=aes256-sha256;dh14
    esp=aes256-sha256;dh2
    left=%defaultroute
    leftsubnets=0.0.0.0/0
    leftxauthclient=yes
    leftmodecfgserver=yes
    leftxauthusername=myuser
    right=111.222.333.444
    rightsubnets={ 10.0.0.0/24, 172.16.100.0/16, 192.168.100.0/24 }
    authby=secret
    rightxauthserver=yes
    rightmodecfgclient=yes
    rekey=yes
    leftid=@myhostname
    pfs=yes
    aggrmode=yes
    auto=add
    modecfgpull=yes
    salifetime=60s
    ikelifetime=60s
    vti-interface=yes
    vti-routing=yes
    vti-shared=yes
    mark=-1
And of course we need some secrets. /etc/ipsec.d/client.secrets:
# pre-shared key for the SRX gateway (same value as pre-shared-key ascii-text on the SRX)
%any 111.222.333.444: PSK "aaaaaa"
# XAUTH password; the index must match leftxauthusername in client.conf
@myuser: XAUTH "Domain Password"
I'm not sure if you can force libreswan to ask for the xauth password instead of writing it down in the secrets file.
Hope this helps someone to set up their own IPsec connection.
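Most failed negotiations in a setup like this come from the client's ike=/esp= lines not matching the SRX proposals and policies. The following checker is an added example, not part of the original post: it parses the leaf statements of the SRX "show security ike" and "show security ipsec" output shown above, derives the Libreswan settings they imply, and reports any line in the conn block that disagrees. The SRX and conn snippets are constructed from the configuration above, and the algorithm-name mapping tables are an assumption that covers only the names used on this page.

```python
import re

# Junos algorithm names -> Libreswan tokens (assumption: only names used on this page).
ENC = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128"}
AUTH = {"sha-256": "sha256", "hmac-sha-256-128": "sha256", "sha1": "sha1", "hmac-sha1-96": "sha1"}
DH = {"group2": "dh2", "group5": "dh5", "group14": "dh14"}

# Constructed from the SRX output shown above, trimmed to the relevant leaves.
SRX_IKE = """proposal Proposal1 {
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy Dyn-vpn-P3 {
    mode aggressive;
}"""
SRX_IPSEC = """proposal Proposal1 {
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-256-cbc;
}
policy dyn-vpn-policy {
    perfect-forward-secrecy {
        keys group2;
    }
}"""
CONN_OK = "ike=aes256-sha256;dh14\nesp=aes256-sha256;dh2\naggrmode=yes\npfs=yes\n"
CONN_BAD = CONN_OK.replace("dh2", "dh14")  # PFS group copied from phase 1 by mistake

def parse_junos(text):
    """Collect 'keyword value;' leaf statements; braces are ignored."""
    return dict(re.findall(r"(\S+)[ \t]+(\S+?);", text))

def parse_conn(text):
    """Turn the key=value lines of a libreswan conn block into a dict."""
    return dict(ln.strip().split("=", 1) for ln in text.splitlines() if "=" in ln)

def expected_from_srx(ike_cfg, ipsec_cfg):
    """Derive the libreswan settings that match the SRX proposals and policies."""
    ike, esp = parse_junos(ike_cfg), parse_junos(ipsec_cfg)
    return {
        "ike": f"{ENC[ike['encryption-algorithm']]}-{AUTH[ike['authentication-algorithm']]};{DH[ike['dh-group']]}",
        "esp": f"{ENC[esp['encryption-algorithm']]}-{AUTH[esp['authentication-algorithm']]};{DH[esp['keys']]}",
        "aggrmode": "yes" if ike.get("mode") == "aggressive" else "no",
        "pfs": "yes" if "keys" in esp else "no",  # perfect-forward-secrecy { keys ...; }
    }

def mismatches(ike_cfg, ipsec_cfg, conn_cfg):
    """Return {setting: (client value, value the SRX expects)} for each disagreement."""
    have = parse_conn(conn_cfg)
    return {k: (have.get(k), v) for k, v in expected_from_srx(ike_cfg, ipsec_cfg).items() if have.get(k) != v}
```

Running mismatches(SRX_IKE, SRX_IPSEC, CONN_BAD) flags the esp line, which is the kind of phase 2 disagreement the SRX only reports as a failed proposal match.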