SRX Services Gateway
Contributor
Posts: 32
Registered: ‎06-16-2015
0 Kudos

Dynamic VPN setup


Hi,

 

I am trying to create a dynamic VPN connection to my office but everything fails. Can someone guide me through the configuration?

 

My setup:

client1: windows 10 with pulse secure from windows store, go to settings -> network and internet -> vpn -> add a vpn connection -> vpn provider: pulse secure, the strange thing is that I cannot edit the user and password fields

 

juniper configuration:

Model: srx240h
JUNOS Software Release [12.1X46-D65.4]

set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile


set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/4
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn


set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

And the client/windows error is 

Protocol error in received messages.

https configuration

set system services web-management https pki-local-certificate cert1

cert1 is the self-signed certificate which I imported into windows Trusted CA

Appreciate your help

 

--

Dan

Recognized Expert
Posts: 160
Registered: ‎01-06-2016
0 Kudos

Re: Dynamic VPN setup

Hi,

 

the Pulse Secure client in the Windows store only works towards Pulse Connect Secure directly.

 

If you need access to a dynamic VPN on an SRX you need to download the full client from here: http://www.juniper.net/support/downloads/?p=pulse

 

Please note when creating a new VPN connection to select type: firewall (SRX). Otherwise it will not work.

 

 

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
Contributor
Posts: 32
Registered: ‎06-16-2015
0 Kudos

Re: Dynamic VPN setup

that's odd, I don't have access to download that file ...

Contributor
Posts: 32
Registered: ‎06-16-2015
0 Kudos

Re: Dynamic VPN setup

OK, so I managed to get the Pulse client from the Juniper site. Now when I connect it keeps asking me for the password, but I am sure the user and password are correct. How can I debug the connection?

 

--

Dan

Recognized Expert
Posts: 160
Registered: ‎01-06-2016
0 Kudos

Re: Dynamic VPN setup

Overall the answer is 'traceoptions' which gives you debug information on Junos devices.

 

There are several good debugging suggestions for dynamic VPN in this forum post: http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Dynamic-VPN-Issue/m-p/285460#M39352

 

I would also suggest looking into traceoptions on security dynamic-vpn (set security dynamic-vpn traceoptions flag all + set security dynamic-vpn traceoptions file dynvpn-debug)

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)