This message was posted by a user wishing to remain anonymous
Hey folks.
We're in the process of trying to migrate a number of our Cisco ISRs over to Juniper SRXes. One of the features that we use with our dynamic VPN setups on Cisco is the ability to have multiple VPN groups, each with a different level of access to the local resources. So VPN user A might be able to access 10.0.0.0/24, while VPN user B might be locked down to just 10.0.0.10/32.
I've been doing my darndest to try and mimic this setup on an SRX 300 in our lab, to no avail. I can get basic VPN connectivity working, but every user seems to need to have the same access to local resources.
I've opened a ticket with our vendor who is working with JTAC to determine:
a) Is this setup possible?
b) If so, how does one configure it?
But so far, it has been more than a couple of weeks and I still have not even been able to get a straight answer on (a). I've been given non-working config examples, which suggests that they believe it should be supported, but it's possible they're doing what I do when tackling lab work, and simply throwing stuff at the wall to see what might stick.
Has anybody tried to implement this, and if so, were they successful?
I've tried configuring separate IKE gateways, IPsec VPN instances, remote-access profiles, and access profiles for the two users that I'm trying to set up with different levels of access. However, when attempting to connect using the Juniper Secure Connect app, it associates with the default access profiles, and I don't appear to have any way to change/specify that in the app itself.
I can change the default remote-access and access profiles via the SRX CLI, and that then forces all inbound VPN connection attempts to my alternate profiles, but it seems to be an all-or-nothing scenario (i.e., all users are forced to the same profiles, specified by what's configured as the 'default' on the SRX).