SRX

Juniper Secure Connect "invalid realm"

    Posted 06-06-2024 12:46

    Hi all,

    I'm trying to configure Juniper Secure Connect on an SRX380 and I'm getting this error message:

    ERROR - Configuration download: Invalid realm

    I can't find any documentation about it. The Juniper Secure Connect client log is below:

    06/06/2024 16:43:57 - MONITOR: StartCfgDownload  -> USERDNSDOMAIN is not available -> The system could not find the environment option that was entered
    06/06/2024 16:43:57 - MONITOR: StartCfgDownload with result = 1793
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> URL = https://1.1.1.1
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> UserName = testuser1
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> Password = ******
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> Realm = default
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> Version = 23.4.13.16.29678
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> FQDN = 1.1.1.1
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> HostName = XXXXXX
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> OperatingSystem  = Windows 10
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> DeviceId = b309efd918b732d3812dc72fefc24c1e882cda7a7a9313066d85a27a4a281a2f
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> Domain = 
    06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload  -> Workgroup = WORKGROUP
    06/06/2024 16:43:57 - Configuration download: Start configuration download (host: 1.1.1.1 realm: default)
    06/06/2024 16:43:59 - ERROR - Configuration download: Invalid realm

    I configured Juniper Secure Connect using the GUI and I think these are all the commands needed:

    request security pki generate-key-pair size 4096 type rsa certificate-id Juniper_Company_Europe
    request security pki local-certificate generate-self-signed certificate-id Juniper_Company_Europe subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1
    
    set system services web-management https pki-local-certificate Juniper_Company_Europe
    
    set security nat source rule-set Europe-JSC-2 description "Juniper Secure Connect"
    set security nat source rule-set Europe-JSC-2 from zone remote-JSC-VPN
    set security nat source rule-set Europe-JSC-2 to zone untrust
    set security nat source rule-set Europe-JSC-2 rule nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set Europe-JSC-2 rule nat-rule then source-nat interface
    
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match source-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match destination-address any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match application any
    set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy then permit
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match source-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match destination-address any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match application any
    set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy then permit
    
    set security zones security-zone untrust host-inbound-traffic system-services https
    set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
    set security zones security-zone untrust host-inbound-traffic system-services ike
    
    set security zones security-zone remote-JSC-VPN interfaces st0.4
    set interfaces st0 unit 4 description "JSC RA VPN Europe"
    set interfaces st0 unit 4 family inet
    
    set access address-assignment pool Europe-JSC-POOL family inet network 10.0.105.0/24
    set access address-assignment pool Europe-JSC-POOL family inet xauth-attributes primary-dns 8.8.8.8
    
    set access profile RA-JSC-profile client testuser1 firewall-user password PASSWORD
    
    set access profile RA-JSC-profile address-assignment pool Europe-JSC-POOL
    
    set access firewall-authentication web-authentication default-profile RA-JSC-profile
    
    set services ssl termination profile RA-JSC-term server-certificate Juniper_Company_Europe
    set security tcp-encap profile RA-JSC-SSL-VPN ssl-profile RA-JSC-term
    
    set security ike policy Europe-JSC-2 mode aggressive
    
    set security ike proposal Europe-JSC-2 authentication-method pre-shared-keys
    set security ike proposal Europe-JSC-2 dh-group group19
    set security ike proposal Europe-JSC-2 authentication-algorithm sha-256
    set security ike proposal Europe-JSC-2 encryption-algorithm aes-256-cbc
    set security ike proposal Europe-JSC-2 lifetime-seconds 28800
    
    set security ike policy Europe-JSC-2 proposals Europe-JSC-2
    set security ike policy Europe-JSC-2 pre-shared-key ascii-text "PSK"
    set security ike gateway Europe-JSC-2 ike-policy Europe-JSC-2
    set security ike gateway Europe-JSC-2 dynamic user-at-hostname "Company@edu.juniper.net"
    set security ike gateway Europe-JSC-2 dynamic ike-user-type shared-ike-id
    
    set security ike gateway Europe-JSC-2 dead-peer-detection optimized
    set security ike gateway Europe-JSC-2 dead-peer-detection interval 10
    set security ike gateway Europe-JSC-2 dead-peer-detection threshold 5
    
    set security ike gateway Europe-JSC-2 external-interface xe-0/0/17.199
    set security ike gateway Europe-JSC-2 local-address 1.1.1.1
    set security ike gateway Europe-JSC-2 aaa access-profile RA-JSC-profile
    set security ike gateway Europe-JSC-2 version v1-only
    
    set security ike gateway Europe-JSC-2 tcp-encap-profile RA-JSC-SSL-VPN
    
    set security ipsec proposal Europe-JSC-2 protocol esp
    set security ipsec proposal Europe-JSC-2 encryption-algorithm aes-256-gcm
    set security ipsec proposal Europe-JSC-2 lifetime-seconds 3600
    
    set security ipsec policy Europe-JSC-2 perfect-forward-secrecy keys group19
    set security ipsec policy Europe-JSC-2 proposals Europe-JSC-2
    set security ipsec vpn Europe-JSC-2 bind-interface st0.4
    set security ipsec vpn Europe-JSC-2 df-bit clear
    set security ipsec vpn Europe-JSC-2 copy-outer-dscp
    
    set security ipsec vpn Europe-JSC-2 ike gateway Europe-JSC-2
    set security ipsec vpn Europe-JSC-2 ike ipsec-policy Europe-JSC-2
    
    set security ipsec vpn Europe-JSC-2 traffic-selector ts-1 local-ip 10.10.0.0/27
    set security ipsec vpn Europe-JSC-2 traffic-selector ts-1 remote-ip 0.0.0.0/0
    
    set security remote-access client-config Europe-JSC-2 connection-mode manual
    set security remote-access client-config Europe-JSC-2 dead-peer-detection interval 60
    set security remote-access client-config Europe-JSC-2 dead-peer-detection threshold 5
     
    set security remote-access profile Europe-JSC-2 ipsec-vpn Europe-JSC-2
    set security remote-access profile Europe-JSC-2 access-profile RA-JSC-profile
    set security remote-access profile Europe-JSC-2 client-config Europe-JSC-2
    
    set security remote-access default-profile Europe-JSC-2

    This is the SRX log:

    > show log messages | match remote
    Jun  6 16:43:58  XXXX-FW0 httpd-gk: REMOTE_ACCESS_VPN_AUTH_FAIL: Authentication failed for user testuser1/ from 2.2.2.2 with user-application 23.4.13.16.29678, hostname XXXXX, deviceid XXXX, operatingsystem Windows 10, domain null, workgroup WORKGROUP due to invalid realm

    Any idea how to solve this issue please?

    Thank you!
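
Added example, not part of the original post and not Juniper code: a Python parser for the `REMOTE_ACCESS_VPN_AUTH_FAIL` line shown in the SRX log above, which turns each event into fields and counts failures per source address and reason for triage. The field layout is inferred from that single posted line; the extra sample lines, the `192.0.2.10` address, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Field layout inferred from the one REMOTE_ACCESS_VPN_AUTH_FAIL line in the post.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+httpd-gk:\s+"
    r"REMOTE_ACCESS_VPN_AUTH_FAIL: Authentication failed for user (?P<user>\S*) "
    r"from (?P<src>\S+) with user-application (?P<client>[^,]+), "
    r"hostname (?P<hostname>[^,]*), deviceid (?P<deviceid>[^,]*), "
    r"operatingsystem (?P<os>[^,]*), domain (?P<domain>[^,]*), "
    r"workgroup (?P<workgroup>.*?) due to (?P<reason>.+)$"
)

def parse_auth_fail(line):
    """Return the event's fields as a dict, or None for any other log line."""
    m = AUTH_FAIL.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The posted line logs the user as "testuser1/". Whatever follows the "/"
    # is kept verbatim as user_suffix; the page does not say what it holds.
    ev["user"], _, ev["user_suffix"] = ev["user"].partition("/")
    return ev

def failures_by_source(lines):
    """Count failures per (source IP, reason) across a batch of log lines."""
    events = filter(None, map(parse_auth_fail, lines))
    return Counter((e["src"], e["reason"]) for e in events)

def noisy_sources(lines, threshold=2):
    """Source IPs with at least `threshold` failures for the same reason."""
    counts = failures_by_source(lines)
    return sorted({src for (src, _), n in counts.items() if n >= threshold})

TEMPLATE = ("Jun  6 {t}  XXXX-FW0 httpd-gk: REMOTE_ACCESS_VPN_AUTH_FAIL: "
            "Authentication failed for user {u}/ from {ip} with user-application "
            "23.4.13.16.29678, hostname XXXXX, deviceid XXXX, operatingsystem "
            "Windows 10, domain null, workgroup WORKGROUP due to invalid realm")
SAMPLE = [
    TEMPLATE.format(t="16:43:58", u="testuser1", ip="2.2.2.2"),     # line from the post
    TEMPLATE.format(t="16:44:10", u="testuser1", ip="2.2.2.2"),     # constructed
    TEMPLATE.format(t="16:45:02", u="testuser2", ip="192.0.2.10"),  # constructed
    "Jun  6 16:45:30  XXXX-FW0 sshd: unrelated line",               # constructed
]

if __name__ == "__main__":
    for key, n in failures_by_source(SAMPLE).items():
        print(key, n)
    print("repeat offenders:", noisy_sources(SAMPLE))
```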