SRX Services Gateway
Contributor
Bockelbrink
Posts: 15
Registered: 09-28-2009

Another Dynamic VPN Problem

Hello,

we have the same problem as other people in the forum with the dynamic VPN client, but we can't solve our problem.

We want to make a VPN connection from a laptop to the SRX 210. The only way is to use the dynamic-vpn feature, or is there another IPsec client available?

At the moment it works so far that I can log in from the external side to my SRX:

http://srx/

We get a user login screen. With the local user I can access the portal and get a page where I can close the window. There is nothing else on the screen.

I thought the client would be there for download?

First I used a RADIUS server connection, but the SRX won't make a RADIUS connection. With the test command I tested a RADIUS user but get this message:

run test access profile NTB-RADIUS user test password test
error: the l2tp-service subsystem is not running

Does anybody know what it wants from me? I only want to use RADIUS for dynamic VPN :smileyhappy:

Here is my config:

 

ike {
    proposal DynVPN-Proposal {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28400;
    }
    policy DynVPN-IKE {
        mode aggressive;
        proposals DynVPN-Proposal;
        pre-shared-key ascii-text "weißichnichtmehr"; ## SECRET-DATA
    }
    gateway DynVPN-GW {
        ike-policy DynVPN-IKE;
        dynamic hostname vpn.domain.de;
        external-interface fe-0/0/7;
        xauth access-profile NTB-LOCAL;
    }
}
ipsec {
    proposal DynVPN-Proposal2 {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 28800;
    }
    policy DynVPN-IPSEC {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals DynVPN-Proposal2;
    }
    vpn DynVPN-IPSEC-AutoKey {
        ike {
            gateway DynVPN-GW;
            idle-time 1800;
            ipsec-policy DynVPN-IPSEC;
        }
        establish-tunnels immediately;
    }
}

dynamic-vpn {
    force-upgrade;
    access-profile NTB-LOCAL;
    clients {
        DynVPN {
            remote-protected-resources {
                0.0.0.0/0;
            }
            ipsec-vpn DynVPN-IPSEC-AutoKey;
            user {
                ntb;
            }
        }
    }
}

[edit]

Thank you for your help.

Bye

Marco
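As an added example (not from the thread or from Juniper), here is a small Python checker that parses the curly-brace Junos config posted above and flags the three settings a reviewer would question in it: the MD5 integrity algorithm, aggressive-mode IKE with a pre-shared key, and 0.0.0.0/0 as the protected resource (a full tunnel). The sample config is a trimmed copy of the first post; the finding labels are my own, not Junos terminology.

```python
# Constructed sample: the IKE and dynamic-vpn statements from the first post, trimmed.
SAMPLE_CONFIG = """\
ike {
    proposal DynVPN-Proposal {
        authentication-algorithm md5;
    }
    policy DynVPN-IKE {
        mode aggressive;
    }
}
dynamic-vpn {
    clients {
        DynVPN {
            remote-protected-resources {
                0.0.0.0/0;
            }
        }
    }
}
"""

FLAGGED = {
    "authentication-algorithm md5": "weak-hash",  # MD5 is deprecated for IKE/IPsec integrity
    "mode aggressive": "aggressive-mode",         # identity and PSK hash exchanged before encryption
    "0.0.0.0/0": "full-tunnel",                   # every client packet is tunnelled to the SRX
}

def parse_junos(text):
    # Curly-brace Junos config -> nested dicts; leaf statements map to True.
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()          # drop '## SECRET-DATA' annotations
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = True
    return stack[0]

def find_weak_settings(tree, path=()):
    # Walk the tree; 0.0.0.0/0 only counts when it sits under remote-protected-resources.
    findings = []
    for key, val in tree.items():
        here = path + (key,)
        in_scope = key != "0.0.0.0/0" or path[-1:] == ("remote-protected-resources",)
        if key in FLAGGED and in_scope:
            findings.append((FLAGGED[key], " > ".join(here)))
        if isinstance(val, dict):
            findings.extend(find_weak_settings(val, here))
    return findings
```

Run it over `show configuration | display set`-free (hierarchical) output saved to a file, or paste a fragment into SAMPLE_CONFIG; each finding carries the full hierarchy path so it can be located in the real config.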

Trusted Contributor
groque1
Posts: 254
Registered: 09-09-2009

Re: Another Dynamic VPN Problem

Hi Bockelbrink,

Are you sure you are going to the http://yourSRXIP/dynamic-vpn page? It should bring you to a page that prompts you to enter a username and password.

The username is the user that you associated during the Dynamic VPN client config; the password should be whatever you set for that user name.

Once you log in it should ask you to either download the VPN client or install it via ActiveX.

Once the VPN client (Juniper Access Manager) is installed you can log in with your RADIUS username and password, then you should be good to go.

I haven't got RADIUS working myself, but at least you can get the client to download.

Contributor
Bockelbrink
Posts: 15
Registered: 09-28-2009

Re: Another Dynamic VPN Problem

Problem is fixed.

Upgraded from 9.5 to 9.6. Now the client makes a connection...

Visitor
merouman
Posts: 4
Registered: 03-29-2011

Re: Another Dynamic VPN Problem

Hi,

I have the same problem on an SRX210 with JUNOS Software Release [10.0R3.10].

Can someone help?

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: Another Dynamic VPN Problem

I'd recommend upgrading to 10.4R3 and following the app note on Dynamic VPN; it should be simple enough then, you could even use a wizard.

http://kb.juniper.net/index?page=content&id=TN7

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Visitor
merouman
Posts: 4
Registered: 03-29-2011

Re: Another Dynamic VPN Problem

Hi,

It seems strange that you need to upgrade to a non-recommended firmware (10.2 is recommended for production) for a function that has been part of the system since Junos version 9.6 (at least for the SRX210).

Sincerely

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: Another Dynamic VPN Problem

You don't _have_ to upgrade, it just simplifies things considerably, as you can then use group-ike-id and local IP pool assignment, etc.

For what it's worth, here's the relevant stuff for a lab I did on 10.4Rx. It's basically the same on previous releases, except that you have to make a configuration for each user, you have no default proposal-sets, and you get IP/DNS from your RADIUS server of choice.

 

root# show security ike   
policy dynamic {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "x"; ## SECRET-DATA
}
gateway srx {
    ike-policy dynamic;
    dynamic {
        hostname dynvpn;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/3.0;
    xauth access-profile dynvpn;
}

root# show security ipsec 
policy dynamic {
    proposal-set standard;
}
vpn dyn-vpn {
    ike {
        gateway srx;
        ipsec-policy dynamic;
    }
}

root# show security dynamic-vpn 
access-profile dynvpn;
clients {
    all {
        remote-protected-resources {
            192.168.0.0/24;
        }
        ipsec-vpn dyn-vpn;
        user {
            test;
            test2;
        }
    }
}

root# show security policies
from-zone untrust to-zone trust {
    policy dynvpn {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn;
                }                       
            }
        }
    }
}

root# show access 
profile dynvpn {
    authentication-order radius;
    address-assignment {
        pool dynvpn;
    }
    radius-server {
        10.10.10.10 secret "x"; ## SECRET-DATA
    }
}
address-assignment {
    pool dynvpn {
        family inet {
            network 1.2.3.0/24;
            xauth-attributes {
                primary-dns 192.168.0.234/32;
            }
        }
    }
}
firewall-authentication {               
    web-authentication {
        default-profile dynvpn;
    }
}

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)