Original Message:
Sent: 01-28-2025 15:29
From: aaron.gould
Subject: srx345 and remote-access vpn not allowing juniper secure connect client to connect
Thanks Ben, I'm curious to know how to do this for SRX345 using Juniper Secure Connect… "There might be a way to load the self-signed cert into the client's local certificate store"
BTW, I'm also working an SRX2300 project…are you saying I will need to accomplish dynamic remote access vpn using "Let's Encrypt"?
------------------------------
- Aaron
Original Message:
Sent: 01-28-2025 14:58
From: bkamen
Subject: srx345 and remote-access vpn not allowing juniper secure connect client to connect
Hey Aaron,
Because the older Pulse Secure had the option to accept any certificate on first-connect. I don't think that's the case with the newer Juniper Secure Connect (which is actually a stripped down NCPe VPN client).
There might be a way to load the self-signed cert into the client's local certificate store, but it's just easier to set up Let's Encrypt on the SRX (after JunOS 2022.4, IIRC) and use real certs.
The two clients are different applications from different companies. So not surprising they don't work the same.
------------------------------
Ben Kamen
Original Message:
Sent: 01-28-2025 14:44
From: aaron.gould
Subject: srx345 and remote-access vpn not allowing juniper secure connect client to connect
Hope it's OK to drop in on this thread… I have an SRX 345 and Pulse Secure clients remotely establishing dynamic remote access VPN using the "Firewall (SRX)" type setting on the Pulse Secure client side. If I try to use the Juniper Secure Connect client, I get a certificate error, something about self-signed, and I'm unable to connect. Why would the Pulse Secure client work, but the Juniper Secure Connect client not work? What must I do to allow the Juniper Secure Connect client to work, and also still allow the Pulse Secure client to continue working?
------------------------------
- Aaron
Original Message:
Sent: 01-25-2025 16:32
From: Avinash Kumar
Subject: srx345 and remote-access vpn not allowing juniper secure connect client to connect
Hello ILYA PETRASHKEVICH,
Try to add these commands and then check.
https://www.juniper.net/documentation/us/en/software/secure-connect/secure-connect-user-guide/topics/task/local-auth-with-local-ip-pool-cli-procedure.html
set services ssl termination profile Juniper_SCC-SSL-Term-Profile server-certificate JUNIPER_SECURE_CONNECT(RSA)
set security tcp-encap profile SSL-VPN ssl-profile Juniper_SCC-SSL-Term-Profile
------------------------------
Avinash Kumar
Original Message:
Sent: 01-23-2025 06:49
From: ILYA PETRASHKEVICH
Subject: srx345 and remote-access vpn not allowing juniper secure connect client to connect
Hello, guys.
Could you please help out here. I'm completely lost and have got no meaningful explanation of what is going on there.
Config is pretty straight forward:
set system services web-management https interface ge-0/0/8.0
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services tcp-encap
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services webapi-ssl
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic system-services ntp
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic protocols router-discovery
set interfaces ge-0/0/8 description "uplink"
set interfaces ge-0/0/8 unit 0 family inet address 192.168.178.11/24
set protocols router-advertisement interface ge-0/0/8.0
set security ike traceoptions file dynvpn.log
set security ike traceoptions file size 5m
set security ike traceoptions file files 5
set security ike traceoptions file world-readable
set security ike traceoptions flag ike
set security ike traceoptions flag general
set security ike traceoptions flag all
set security ike proposal SECURE_CONNECT_IKE-PROP authentication-method pre-shared-keys
set security ike proposal SECURE_CONNECT_IKE-PROP dh-group group19
set security ike proposal SECURE_CONNECT_IKE-PROP authentication-algorithm sha-256
set security ike proposal SECURE_CONNECT_IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal SECURE_CONNECT_IKE-PROP lifetime-seconds 28800
set security ike policy SECURE_CONNECT_IKE-POL mode aggressive
set security ike policy SECURE_CONNECT_IKE-POL proposals SECURE_CONNECT_IKE-PROP
set security ike policy SECURE_CONNECT_IKE-POL pre-shared-key ascii-text bla-bla-bla
set security ike gateway SECURE_CONNECT_GW ike-policy SECURE_CONNECT_IKE-POL
set security ike gateway SECURE_CONNECT_GW dynamic inet 192.168.178.11
set security ike gateway SECURE_CONNECT_GW dynamic connections-limit 10
set security ike gateway SECURE_CONNECT_GW dynamic ike-user-type shared-ike-id
set security ike gateway SECURE_CONNECT_GW dead-peer-detection optimized
set security ike gateway SECURE_CONNECT_GW dead-peer-detection interval 10
set security ike gateway SECURE_CONNECT_GW dead-peer-detection threshold 5
set security ike gateway SECURE_CONNECT_GW external-interface ge-0/0/8
set security ike gateway SECURE_CONNECT_GW aaa access-profile SECURE_CONNECT_ACC-PRO
set security ike gateway SECURE_CONNECT_GW version v1-only
set security ipsec proposal SECURE_CONNECT_IPSEC-PROP encryption-algorithm aes-256-gcm
set security ipsec proposal SECURE_CONNECT_IPSEC-PROP lifetime-seconds 3600
set security ipsec policy SECURE_CONNECT_IPSEC-POL perfect-forward-secrecy keys group19
set security ipsec policy SECURE_CONNECT_IPSEC-POL proposals SECURE_CONNECT_IPSEC-PROP
set security ipsec vpn SECURE_CONNECT_VPN bind-interface st0.0
set security ipsec vpn SECURE_CONNECT_VPN ike gateway SECURE_CONNECT_GW
set security ipsec vpn SECURE_CONNECT_VPN ike ipsec-policy SECURE_CONNECT_IPSEC-POL
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector MGMT-subnets local-ip 10.13.0.0/24
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector MGMT-subnets remote-ip 0.0.0.0/0
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector IT-subnets local-ip 10.11.0.0/24
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector IT-subnets remote-ip 0.0.0.0/0
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector EVENG-subnets local-ip 10.12.0.0/24
set security ipsec vpn SECURE_CONNECT_VPN traffic-selector EVENG-subnets remote-ip 0.0.0.0/0
set security remote-access profile SECURE_CONNECT_RA-PROF ipsec-vpn SECURE_CONNECT_VPN
set security remote-access profile SECURE_CONNECT_RA-PROF access-profile SECURE_CONNECT_ACC-PRO
set security remote-access profile SECURE_CONNECT_RA-PROF client-config SECURE_CONNECT_CLI-CONF
set security remote-access client-config SECURE_CONNECT_CLI-CONF connection-mode manual
set security remote-access client-config SECURE_CONNECT_CLI-CONF dead-peer-detection interval 60
set security remote-access client-config SECURE_CONNECT_CLI-CONF dead-peer-detection threshold 5
set security remote-access default-profile SECURE_CONNECT_RA-PROF
set interfaces st0 unit 0 family inet
set access profile SECURE_CONNECT_ACC-PRO authentication-order password
set access profile SECURE_CONNECT_ACC-PRO client test_vpn_user firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user1 firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user2 firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user3 firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user4 firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO client user5 firewall-user password "bla-bla-bla"
set access profile SECURE_CONNECT_ACC-PRO address-assignment pool SECURE_CONNECT_ADDR-POOL
set access address-assignment pool SECURE_CONNECT_ADDR-POOL family inet network 10.99.0.0/24
set access address-assignment pool SECURE_CONNECT_ADDR-POOL family inet range SC_REMOTE-IP-RANGE low 10.99.0.10
set access address-assignment pool SECURE_CONNECT_ADDR-POOL family inet range SC_REMOTE-IP-RANGE high 10.99.0.30
set access address-assignment pool SECURE_CONNECT_ADDR-POOL family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool SECURE_CONNECT_ADDR-POOL family inet xauth-attributes secondary-dns 1.1.1.1/32
set access firewall-authentication web-authentication default-profile SECURE_CONNECT_ACC-PRO
set interfaces ge-0/0/0 description "ex2300 virtual chassis ae10"
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 101 description "subinterface in vlan 11 - Zone IT"
set interfaces ge-0/0/0 unit 101 vlan-id 101
set interfaces ge-0/0/0 unit 101 family inet address 10.11.0.1/24
set interfaces ge-0/0/0 unit 102 description "subinterface in vlan 12 - Zone DEV"
set interfaces ge-0/0/0 unit 102 vlan-id 12
set interfaces ge-0/0/0 unit 102 family inet address 10.12.0.1/24
set interfaces ge-0/0/0 unit 103 description "subinterface in vlan 13 - Zone MGMT"
set interfaces ge-0/0/0 unit 103 vlan-id 13
set interfaces ge-0/0/0 unit 103 family inet address 10.13.0.1/24
set security zones security-zone IT interfaces ge-0/0/0.101
set security zones security-zone DEV interfaces ge-0/0/0.102
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services ping
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services https
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services webapi-ssl
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services ike
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services tcp-encap
set security zones security-zone MGMT interfaces ge-0/0/0.103 host-inbound-traffic system-services ssh
set security zones security-zone VPN_users description "zone where all vpn users are landed"
set security zones security-zone VPN_users interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone VPN_users interfaces st0.0 host-inbound-traffic system-services ssh
set security zones security-zone VPN_users interfaces st0.0 host-inbound-traffic system-services https
set system services web-management traceoptions file https.log
set system services web-management traceoptions flag all
set system services web-management management-url admin
set system services web-management https port 443
set system services web-management https pki-local-certificate jweb-local1
set system services web-management https interface ge-0/0/0.103
set system services web-management https interface ge-0/0/8.0
set system services web-management https interface st0.0
Certificate jweb-local1 is a self-signed cert.
I use Juniper Secure Connect client.
After the reboot I'm not able to connect and get:
[Jan 23 12:31:54][0] IKEv1 packet R(192.168.178.11:500 <- 192.168.178.108:500): len= 508, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid, Vid
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..8] = da8e9378 80010000 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..8] = 09002689 dfd6b712 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 11358651 8b314baa ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 11358651 8b314baa ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = c61baca1 f1a60cc1 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Jan 23 12:31:54][0] ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
[Jan 23 12:31:54][0] ike_st_i_sa_proposal: Start
[Jan 23 12:31:54][0] ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Jan 23 12:31:54][0] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 23 12:31:54][0] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 36aae00)
[Jan 23 12:31:54][0] ike_isakmp_sa_reply: Start
[Jan 23 12:31:54][0] ike_state_restart_packet: Start, restart packet SA = { 72b37c47 06289d7e - 8f968fac 7d84a22c}, nego = -1
[Jan 23 12:31:54][0] 192.168.178.11:500 (Responder) <-> 192.168.178.108:10952 { 72b37c47 06289d7e - 8f968fac 7d84a22c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
But after I do a "commit full" vpn suddenly starts working:
[Jan 23 12:39:41][0] ike_st_i_vid: VID[0..16] = 11358651 8b314baa ...
[Jan 23 12:39:41][0] ike_st_i_vid: VID[0..16] = c61baca1 f1a60cc1 ...
[Jan 23 12:39:41][0] ike_st_i_vid: VID[0..20] = 4048b7d5 6ebce885 ...
[Jan 23 12:39:41][0] ike_st_i_vid: VID[0..16] = 12f5f28c 457168a9 ...
[Jan 23 12:39:41][0] ike_st_i_sa_proposal: Start
[Jan 23 12:39:41][0] ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Jan 23 12:39:41][0] Peer's proposed IKE SA payload is SA()
[Jan 23 12:39:41][0] Configured proposal is SA()
[Jan 23 12:39:41][0] ike_isakmp_sa_reply: Start
And I see my vpn client connected:
root# run show security ike active-peer
Remote Address Port Peer IKE-ID AAA username Assigned IP
192.168.178.21 10954 192.168.178.11 user2 10.99.0.10
[edit]
root#
Tried on 23.4R2.13 and on 24.4R1.9, everywhere is the same behavior.
It's not a configuration issue, I suppose, as it would not work with "commit full".
Please help...
------------------------------
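The two trace excerpts above differ only in whether proposal selection fails ("No proposal chosen (14)") or reaches the SA reply. As an added example, not code from the thread or from Juniper, here is a small Python parser for Junos IKE traceoptions output in that format: it groups lines into negotiations per peer, reports which ended in an IKE error and which completed, and lists peers seen in IKEv1 aggressive mode (worth reviewing when the gateway uses pre-shared keys, since aggressive mode exposes the identity and PSK-derived hash before encryption is established, enabling offline dictionary attacks on the PSK). The sample lines are constructed copies in the shape of the trace above, and the regexes assume the SRX's own address is printed first on each packet line, as it is there.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: lines in the shape of the Junos IKE traceoptions output
# posted above (one failed and one successful aggressive-mode negotiation from
# the same client). Not a new capture.
SAMPLE_TRACE = """\
[Jan 23 12:31:54][0] IKEv1 packet R(192.168.178.11:500 <- 192.168.178.108:500): len= 508, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid
[Jan 23 12:31:54][0] ike_st_i_sa_proposal: Start
[Jan 23 12:31:54][0] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Jan 23 12:31:54][0] ike_isakmp_sa_reply: Start
[Jan 23 12:31:54][0] 192.168.178.11:500 (Responder) <-> 192.168.178.108:10952 { 72b37c47 06289d7e - 8f968fac 7d84a22c [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14)
[Jan 23 12:39:41][0] IKEv1 packet R(192.168.178.11:500 <- 192.168.178.108:500): len= 508, mID=00000000, HDR, SA, KE, Nonce, ID, Vid, Vid
[Jan 23 12:39:41][0] ike_st_i_sa_proposal: Start
[Jan 23 12:39:41][0] Peer's proposed IKE SA payload is SA()
[Jan 23 12:39:41][0] Configured proposal is SA()
[Jan 23 12:39:41][0] ike_isakmp_sa_reply: Start
"""

# Packet received from a peer. Assumption about the trace layout: the SRX's own
# address is printed first, the remote peer second.
PACKET_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\d+\] IKEv(?P<ver>[12]) packet R\("
    r"(?P<local>[\d.]+):\d+ <- (?P<peer>[\d.]+):\d+\)"
)
# Proposal selection failure, logged before the final status line.
SELECT_FAIL_RE = re.compile(
    r"iked_pm_ike_spd_select_ike_sa failed\. rc \d+, error_code: (?P<error>.+)$"
)
# Final negotiation status line: role, exchange mode (Aggr/Main) and IKE error.
STATUS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\d+\] (?P<local>[\d.]+):\d+ \((?P<role>Responder|Initiator)\) <-> "
    r"(?P<peer>[\d.]+):\d+ \{ [0-9a-f ]+ - [0-9a-f ]+ \[-?\d+\] / 0x[0-9a-f]+ \} "
    r"(?P<mode>\w+); Error = (?P<error>[^(]+?) \((?P<code>\d+)\)$"
)
SA_REPLY = "ike_isakmp_sa_reply: Start"


class Exchange(NamedTuple):
    timestamp: str
    local: str
    peer: str
    ike_version: str
    mode: Optional[str]        # "Aggr"/"Main" when the status line reports it
    error: Optional[str]       # e.g. "No proposal chosen", None on success
    error_code: Optional[int]  # IKE notify code, e.g. 14


def parse_ike_trace(text: str) -> List[Exchange]:
    """Group trace lines into one Exchange per negotiation and record its outcome."""
    exchanges: List[Exchange] = []
    current: Optional[dict] = None

    def close() -> None:
        nonlocal current
        if current is not None:
            exchanges.append(Exchange(**current))
            current = None

    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:
            # A packet from another peer means the open negotiation never hit a
            # terminal line; record it as-is and start a new one.
            if current is not None and current["peer"] != m["peer"]:
                close()
            if current is None:
                current = dict(timestamp=m["ts"], local=m["local"], peer=m["peer"],
                               ike_version="IKEv" + m["ver"], mode=None,
                               error=None, error_code=None)
            continue  # further packets of the same negotiation keep the context
        if current is None:
            continue
        m = SELECT_FAIL_RE.search(line)
        if m:
            current["error"] = m["error"].strip()
            continue
        m = STATUS_RE.match(line)
        if m:
            current.update(mode=m["mode"], error=m["error"].strip(),
                           error_code=int(m["code"]))
            close()
            continue
        # The SA reply also appears after a failed selection, so it only marks
        # success when no error was recorded for this negotiation.
        if line.endswith(SA_REPLY) and current["error"] is None:
            close()
    close()
    return exchanges


def summarize(exchanges: List[Exchange]) -> Dict[str, Dict[str, int]]:
    """Per-peer counts of negotiations that completed vs. ended in an IKE error."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ok": 0, "failed": 0})
    for ex in exchanges:
        summary[ex.peer]["failed" if ex.error else "ok"] += 1
    return dict(summary)


def aggressive_mode_peers(exchanges: List[Exchange]) -> List[str]:
    """Peers seen in IKEv1 aggressive mode; review these when PSK auth is in use."""
    return sorted({ex.peer for ex in exchanges if ex.mode == "Aggr"})


if __name__ == "__main__":
    exs = parse_ike_trace(SAMPLE_TRACE)
    for ex in exs:
        status = f"FAILED: {ex.error} ({ex.error_code})" if ex.error else "completed SA reply"
        print(f"{ex.timestamp}  {ex.peer} -> {ex.local}  {ex.ike_version}  {status}")
    print(summarize(exs))
    print("aggressive-mode peers:", aggressive_mode_peers(exs))
```

Run it against a real dynvpn.log (the file configured with `set security ike traceoptions file dynvpn.log` above) by passing the file contents to `parse_ike_trace`; a peer whose "failed" count climbs while "ok" stays at zero after a reboot, and then flips after a commit, is the pattern described in the post.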