Hi all,
I'm trying to configure Juniper Secure Connect on an SRX380 and I'm getting this error message:
ERROR - Configuration download: Invalid realm
I can't find any documentation about it. The Juniper Secure Connect client log is below:
06/06/2024 16:43:57 - MONITOR: StartCfgDownload -> USERDNSDOMAIN is not available -> The system could not find the environment option that was entered
06/06/2024 16:43:57 - MONITOR: StartCfgDownload with result = 1793
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> URL = https://1.1.1.1
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> UserName = testuser1
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> Password = ******
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> Realm = default
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> Version = 23.4.13.16.29678
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> FQDN = 1.1.1.1
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> HostName = XXXXXX
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> OperatingSystem = Windows 10
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> DeviceId = b309efd918b732d3812dc72fefc24c1e882cda7a7a9313066d85a27a4a281a2f
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> Domain =
06/06/2024 16:43:57 - INFO - Configuration download: StartCfgDownload -> Workgroup = WORKGROUP
06/06/2024 16:43:57 - Configuration download: Start configuration download (host: 1.1.1.1 realm: default)
06/06/2024 16:43:59 - ERROR - Configuration download: Invalid realm
I configured Juniper Secure Connect using the GUI and I think these are all the commands needed:
request security pki generate-key-pair size 4096 type rsa certificate-id Juniper_Company_Europe
request security pki local-certificate generate-self-signed certificate-id Juniper_Company_Europe subject "DC=Juniper,CN=edu" domain-name edu.juniper.net ip-address 1.1.1.1
set system services web-management https pki-local-certificate Juniper_Company_Europe
set security nat source rule-set Europe-JSC-2 description "Juniper Secure Connect"
set security nat source rule-set Europe-JSC-2 from zone remote-JSC-VPN
set security nat source rule-set Europe-JSC-2 to zone untrust
set security nat source rule-set Europe-JSC-2 rule nat-rule match source-address 0.0.0.0/0
set security nat source rule-set Europe-JSC-2 rule nat-rule then source-nat interface
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match source-address any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match destination-address any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy match application any
set security policies from-zone trust to-zone remote-JSC-VPN policy RA-JSC-Policy then permit
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match source-address any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match destination-address any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy match application any
set security policies from-zone remote-JSC-VPN to-zone trust policy RA-JSC-Policy then permit
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone remote-JSC-VPN interfaces st0.4
set interfaces st0 unit 4 description "JSC RA VPN Europe"
set interfaces st0 unit 4 family inet
set access address-assignment pool Europe-JSC-POOL family inet network 10.0.105.0/24
set access address-assignment pool Europe-JSC-POOL family inet xauth-attributes primary-dns 8.8.8.8
set access profile RA-JSC-profile client testuser1 firewall-user password PASSWORD
set access profile RA-JSC-profile address-assignment pool Europe-JSC-POOL
set access firewall-authentication web-authentication default-profile RA-JSC-profile
set services ssl termination profile RA-JSC-term server-certificate Juniper_Company_Europe
set security tcp-encap profile RA-JSC-SSL-VPN ssl-profile RA-JSC-term
set security ike policy Europe-JSC-2 mode aggressive
set security ike proposal Europe-JSC-2 authentication-method pre-shared-keys
set security ike proposal Europe-JSC-2 dh-group group19
set security ike proposal Europe-JSC-2 authentication-algorithm sha-256
set security ike proposal Europe-JSC-2 encryption-algorithm aes-256-cbc
set security ike proposal Europe-JSC-2 lifetime-seconds 28800
set security ike policy Europe-JSC-2 proposals Europe-JSC-2
set security ike policy Europe-JSC-2 pre-shared-key ascii-text "PSK"
set security ike gateway Europe-JSC-2 ike-policy Europe-JSC-2
set security ike gateway Europe-JSC-2 dynamic user-at-hostname "Company@edu.juniper.net"
set security ike gateway Europe-JSC-2 dynamic ike-user-type shared-ike-id
set security ike gateway Europe-JSC-2 dead-peer-detection optimized
set security ike gateway Europe-JSC-2 dead-peer-detection interval 10
set security ike gateway Europe-JSC-2 dead-peer-detection threshold 5
set security ike gateway Europe-JSC-2 external-interface xe-0/0/17.199
set security ike gateway Europe-JSC-2 local-address 1.1.1.1
set security ike gateway Europe-JSC-2 aaa access-profile RA-JSC-profile
set security ike gateway Europe-JSC-2 version v1-only
set security ike gateway Europe-JSC-2 tcp-encap-profile RA-JSC-SSL-VPN
set security ipsec proposal Europe-JSC-2 protocol esp
set security ipsec proposal Europe-JSC-2 encryption-algorithm aes-256-gcm
set security ipsec proposal Europe-JSC-2 lifetime-seconds 3600
set security ipsec policy Europe-JSC-2 perfect-forward-secrecy keys group19
set security ipsec policy Europe-JSC-2 proposals Europe-JSC-2
set security ipsec vpn Europe-JSC-2 bind-interface st0.4
set security ipsec vpn Europe-JSC-2 df-bit clear
set security ipsec vpn Europe-JSC-2 copy-outer-dscp
set security ipsec vpn Europe-JSC-2 ike gateway Europe-JSC-2
set security ipsec vpn Europe-JSC-2 ike ipsec-policy Europe-JSC-2
set security ipsec vpn Europe-JSC-2 traffic-selector ts-1 local-ip 10.10.0.0/27
set security ipsec vpn Europe-JSC-2 traffic-selector ts-1 remote-ip 0.0.0.0/0
set security remote-access client-config Europe-JSC-2 connection-mode manual
set security remote-access client-config Europe-JSC-2 dead-peer-detection interval 60
set security remote-access client-config Europe-JSC-2 dead-peer-detection threshold 5
set security remote-access profile Europe-JSC-2 ipsec-vpn Europe-JSC-2
set security remote-access profile Europe-JSC-2 access-profile RA-JSC-profile
set security remote-access profile Europe-JSC-2 client-config Europe-JSC-2
set security remote-access default-profile Europe-JSC-2
This is the SRX log:
> show log messages | match remote
Jun 6 16:43:58 XXXX-FW0 httpd-gk: REMOTE_ACCESS_VPN_AUTH_FAIL: Authentication failed for user testuser1/ from 2.2.2.2 with user-application 23.4.13.16.29678, hostname XXXXX, deviceid XXXX, operatingsystem Windows 10, domain null, workgroup WORKGROUP due to invalid realm
Any idea how to solve this issue, please?
Thank you!