Hello,
I've been struggling to set up dynamic VPN on my SRX220H2 for many weeks now. My Pulse Secure client is on a Windows 7 laptop. When I try to log in with Pulse Secure, it says "Connection Requested", then "Connecting", and then "Error 1453: Network error. Network errors can be caused by temporary conditions such as an invalid URL, a server not available, and so on."
We would like to be able to connect to our network through a dynamic VPN. Ideally, we would like VPN users to be in the same subnet as the rest of our internal network (192.168.254.0/24), and we would like to be able to access the internet through the VPN.
For immediate purposes, though, we would just like to get a response from our SRX.
This is what my licensing looks like.
admin@mrp-srx220> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent

Licenses installed: none
My Junos software version is 12.1X46-D45.4.
Our SRX has two active interfaces:
ge-0/0/0 - untrust interface, IP address 198.27.134.230/28, configured in zone called "Internet"
ge-0/0/4 - trust interface, in vlan.0, IP address 192.168.254.254, configured in zone called "Trust"
I'm attaching my full configuration, but here are the parts that I think are of particular interest. (Note: I replaced all of the password fields with ellipses.)
System services:
system {
    ...
    services {
        ssh {
            root-login deny;
        }
        web-management {
            https {
                system-generated-certificate;
                interface [ ge-0/0/0.0 vlan.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
    }
}
External interface:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* This line is for VOIP QoS */
                    output voice-term;
                }
                address 198.27.134.230/28;
            }
        }
    }
}
Security:
security {
    ike {
        /* Phase 1 */
        proposal Dynamic-VPN-P1-Proposal {
            description "Dynamic P1 Proposal";
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 1200;
        }
        policy Dynamic-VPN-P2-Policy {
            mode aggressive;
            description "Dynamic P2 Policy";
            proposals Dynamic-VPN-P1-Proposal;
            pre-shared-key ascii-text ...; ## SECRET-DATA
        }
        gateway Dynamic-VPN-P1-Gateway {
            ike-policy Dynamic-VPN-P2-Policy;
            dynamic {
                hostname pacificmortgagecompany.com;
                connections-limit 5;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/0.0;
            xauth access-profile Dynamic-XAuth;
        }
    }
    /* Phase 2 */
    ipsec {
        proposal Dynamic-P2-Proposal {
            description Dynamic-VPN-P2-Proposal;
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy Dynamic-P2-Policy {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals Dynamic-P2-Proposal;
        }
        vpn Dynamic-VPN {
            /* fragment TCP packets */
            df-bit copy;
            ike {
                gateway Dynamic-VPN-P1-Gateway;
                ipsec-policy Dynamic-P2-Policy;
            }
            establish-tunnels immediately;
        }
    }
    . . .
    /* Dynamic VPN */
    dynamic-vpn {
        force-upgrade;
        access-profile Dynamic-XAuth;
        clients {
            all {
                remote-protected-resources {
                    192.168.254.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn Dynamic-VPN;
                user {
                    jklein;
                    mikem;
                }
            }
        }
    }
    . . .
    /* Policies */
    policies {
        /* Trust to Untrust */
        from-zone Trust to-zone Internet {
            policy All_Trust_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* This is an unrelated access rule for our VOIP provider */
            policy NextivaOutbound {
                match {
                    source-address any;
                    destination-address [ NextivaInbound NextivaInbound2 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Untrust to Trust */
        from-zone Internet to-zone Trust {
            /* This is an unrelated access rule for our VOIP provider */
            policy NextivaInbound {
                match {
                    source-address [ NextivaInbound NextivaInbound2 ];
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Dynamic-VPN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn Dynamic-VPN;
                        }
                    }
                }
            }
        }
    }
    /* Zones */
    zones {
        /* Trust */
        security-zone Trust {
            address-book {
                address Michael 192.168.254.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    http;
                    https;
                    ike;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            http;
                            ike;
                        }
                    }
                }
            }
        }
        /* Untrust ("Internet") */
        security-zone Internet {
            address-book {
                address Nextiva {
                    range-address 208.73.144.1 {
                        to {
                            208.73.151.254;
                        }
                    }
                }
                address NextivaInbound 208.73.144.0/21;
                address NextivaInbound2 208.89.108.0/22;
                address Untrust_interface 198.27.134.0/28;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    http;
                    https;
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            http;
                            https;
                            ike;
                        }
                    }
                }
            }
        }
        /* Loopback interface. */
        security-zone lo0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
        security-zone junos-host;
    }
}
Access profile:
access {
    /* Dynamic X-Auth */
    profile Dynamic-XAuth {
        authentication-order password;
        /* User 1 */
        client jklein {
            firewall-user {
                password ...; ## SECRET-DATA
            }
        }
        /* User 2 */
        client mikem {
            firewall-user {
                password ...; ## SECRET-DATA
            }
        }
        address-assignment {
            pool Dynamic-VPN-Pool;
        }
    }
    address-assignment {
        pool Dynamic-VPN-Pool {
            family inet {
                network 192.168.254.0/24;
                xauth-attributes {
                    primary-dns 192.168.254.221/24;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile Dynamic-XAuth;
        }
    }
}
Some additional things to note:
- When we tried to use a Macbook (Yosemite 10.10.5) as our Pulse Secure client, we got the error "No HTTP Response".
- I cannot ping my SRX's external interface, so it's possible it isn't responding to HTTP either. Is there anything I should add to my config that would make sure it responds to HTTP?
Thank you very much, and I would greatly appreciate a response.
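As an added example (not the poster's code and not a Juniper tool), a small Python parser for Junos brace syntax that checks the three things the post raises: whether the external interface's host-inbound-traffic admits ike and https, whether web-management https is bound to that interface, and whether the address pool overlaps the protected subnet. The excerpt is constructed from the configuration above, and Junos semantics are simplified to "an interface-level host-inbound-traffic list replaces the zone-level one".

```python
import ipaddress
import re
# Constructed excerpt of the configuration in the post: the same statements, compacted onto fewer lines.
SAMPLE_CONFIG = """system { services { web-management { https { interface [ ge-0/0/0.0 vlan.0 ]; } } } }
security { dynamic-vpn { clients { all { remote-protected-resources { 192.168.254.0/24; } } } }
  zones { security-zone Internet { interfaces { ge-0/0/0.0 { host-inbound-traffic {
    system-services { ping; https; ike; } } } } } } }
access { address-assignment { pool Dynamic-VPN-Pool { family inet { network 192.168.254.0/24; } } } }"""

def parse_junos(text):
    """Parse Junos brace syntax into nested dicts; a leaf statement maps to True."""
    text = re.sub(r"/\*.*?\*/|##[^\n]*", "", text, flags=re.S)  # drop comments and ## annotations
    root, stack = {}, []
    cur = root
    for stmt, delim in re.findall(r"([^{};]*)([{};])", text):
        stmt = " ".join(stmt.split())
        if delim == "{":
            stack.append(cur)
            cur = cur.setdefault(stmt, {})
        elif delim == ";":
            cur[stmt] = True
        else:
            cur = stack.pop()
    return root

def lookup(tree, *path):
    """Walk statement names; returns a dict (block), True (leaf) or None (absent)."""
    for key in path:
        tree = tree.get(key) if isinstance(tree, dict) else None
    return tree

def check_dynamic_vpn(cfg, ext_if="ge-0/0/0.0", zone="Internet", pool="Dynamic-VPN-Pool"):
    """Return findings for the items the post asks about; an empty list means all three look consistent."""
    findings = []
    z = lookup(cfg, "security", "zones", f"security-zone {zone}")
    # Simplification: an interface-level host-inbound-traffic list replaces the zone-level one.
    svc = (lookup(z, "interfaces", ext_if, "host-inbound-traffic", "system-services")
           or lookup(z, "host-inbound-traffic", "system-services") or {})
    findings += [f"{ext_if}: host-inbound-traffic lacks {s}" for s in ("ike", "https") if s not in svc]
    https = lookup(cfg, "system", "services", "web-management", "https") or {}
    bound = [i for k in https if k.startswith("interface ") for i in k[10:].strip("[] ").split()]
    if ext_if not in bound:
        findings.append(f"web-management https is not bound to {ext_if}")
    nets = lookup(cfg, "access", "address-assignment", f"pool {pool}", "family inet") or {}
    prot = lookup(cfg, "security", "dynamic-vpn", "clients", "all", "remote-protected-resources") or {}
    for n in (k.split()[1] for k in nets if k.startswith("network ")):
        for r in prot:
            if ipaddress.ip_network(n).overlaps(ipaddress.ip_network(r)):
                findings.append(f"pool {n} overlaps protected resource {r}; same-subnet clients need proxy-arp on the LAN interface")
    return findings
```

On the excerpt above, `check_dynamic_vpn(parse_junos(SAMPLE_CONFIG))` returns only the pool-overlap finding: the external interface already admits ike and https and the web UI is bound to it.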