09-22-2009 11:54 AM
I need some help/advice configuring a remote VPN gateway on my Juniper SRX 240. I read in a previous post to look at the Juniper Security Configuration Guide, Chapter 21.
I followed the steps, but it does not briefly describe how to configure the remote VPN gateway. I configured remote VPN gateways without any problems using an SSG, but it looks a lot different on the SRX.
I used this tutorial on my SSG http://www.juniperforum.com/index.php?page=37
What I am trying to accomplish is to create a zone for all my remote VPN users and bind it to a logical tunnel interface, st0.2. I would like to use the 192.168.10.0/24 subnet for all my remote VPN users.
So this is what I have done so far:
1. Created a tunnel interface st0.2 (I am not too sure whether I need to put an IP address on this interface)
2. Created a Zone "Remote VPN" and assigned st0.2 to that Zone
3. Created an access profile "xauth" which points to the RADIUS server, etc.
4. Created VPN proposals, phase1 and gateway
5. Configured the gateway "gw-remotevpn"
- set dynamic user-at-hostname email@example.com
- set dynamic connections-limit 253
- set dynamic ike-user-type shared-ike-id
- set external-interface st0.2
- set xauth access-profile xauth
6. Configured policies
- set from zone "Remote VPN" to zone "Trusted" policy VPN match source-address any
- set from zone "Remote VPN" to zone "Trusted" policy VPN match destination-address any
- set from zone "Remote VPN" to zone "Trusted" policy VPN match application any
- set from zone "Remote VPN" to zone "Trusted" policy VPN then permit tunnel ipsec-vpn remote-vpn
7. Set policies vice versa, from zone "Trusted" to zone "Remote VPN"
I followed the steps in the Juniper Security Configuration Guide, but I am not sure if I am doing it right. If anybody can help guide me in the appropriate direction on how I should configure the VPN gateway, that would be great!
Any help would be highly appreciated.
09-22-2009 01:44 PM
Looking at the Juniper documents, I don't understand how I can separate my Remote VPN zones from my Untrust zone.
In my setup I use ge-0/0/11 as the WAN port, IP 220.127.116.11, and it is attached to the untrusted zone.
In the IKE Gateway configuration it prompts me to bind the gateway to an interface. I don't want to bind it to my ge-0/0/11 interface, since that is in the untrusted zone. I want to bind this to an interface located in my Remote VPN zone.
As you can see above, the tunnel interface st0.2 is attached to my Remote VPN zone. I want to bind the IKE Gateway interface to st0.2, but I don't know if I should put an IP address on that interface.
In the SSG config I set that interface as unnumbered. I was wondering if that is possible on the Juniper SRX. How would I assign an interface to an unnumbered interface? Or can I assign the same WAN IP on my ge-0/0/11 interface to my st0.2 interface?
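As an added example (an editor's illustration, not configuration from the poster or from Juniper's documentation), here is what the layout described in the two posts above looks like in Junos set syntax: IKE terminates on the WAN interface, ge-0/0/11 in zone untrust, while the tunnel is bound to st0.2, which sits in its own zone. Interface addresses, the RADIUS server address, pool ranges, proposal choices, the shared IKE ID and all secrets are placeholders. Whether the 9.x release on the box supports a shared-IKE-ID dynamic gateway combined with a route-based st0 binding is not something this thread settles, so treat the block as a template to `commit check` rather than a known-good configuration.

```junos
## Added example, not from the original post. Placeholders: 192.168.10.254/24
## (hub side of the client subnet), 10.0.0.5 (RADIUS), vpn@example.com, secrets.

## 1. Tunnel interface in its own zone. An st0 unit needs "family inet";
##    giving it an address inside the client subnet also installs the
##    connected route for 192.168.10.0/24 via st0.2, so no static route is
##    needed. "multipoint" lets more than one peer terminate on the unit.
set interfaces st0 unit 2 description "remote-access clients"
set interfaces st0 unit 2 multipoint
set interfaces st0 unit 2 family inet address 192.168.10.254/24

set security zones security-zone remote-vpn interfaces st0.2
set security zones security-zone untrust interfaces ge-0/0/11.0
## IKE (UDP 500/4500) must be allowed inbound on the interface that receives it.
set security zones security-zone untrust interfaces ge-0/0/11.0 host-inbound-traffic system-services ike

## 2. XAuth against RADIUS, plus the address pool handed to clients.
##    The range stops at .250 so it never overlaps the st0.2 address (.254).
set access profile xauth authentication-order radius
set access profile xauth radius-server 10.0.0.5 secret "radius-shared-secret"
set access profile xauth address-assignment pool remote-vpn-pool
set access address-assignment pool remote-vpn-pool family inet network 192.168.10.0/24
set access address-assignment pool remote-vpn-pool family inet range r1 low 192.168.10.1
set access address-assignment pool remote-vpn-pool family inet range r1 high 192.168.10.250

## 3. Phase 1. Dynamic (dial-up) peers use aggressive mode with a pre-shared key.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike policy ike-pol-remotevpn mode aggressive
set security ike policy ike-pol-remotevpn proposals ike-prop
set security ike policy ike-pol-remotevpn pre-shared-key ascii-text "replace-with-a-long-random-secret"

## Gateway. external-interface is the interface on which the IKE packets
## arrive (the WAN side), NOT the st0 unit; st0.2 is attached to the VPN
## further down via bind-interface. All clients present the same user@hostname ID.
set security ike gateway gw-remotevpn ike-policy ike-pol-remotevpn
set security ike gateway gw-remotevpn dynamic user-at-hostname "vpn@example.com"
set security ike gateway gw-remotevpn dynamic connections-limit 250
set security ike gateway gw-remotevpn dynamic ike-user-type shared-ike-id
set security ike gateway gw-remotevpn external-interface ge-0/0/11.0
set security ike gateway gw-remotevpn xauth access-profile xauth

## Phase 2.
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-remotevpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-remotevpn proposals ipsec-prop

## Route-based VPN: the tunnel is bound to st0.2, the interface in zone remote-vpn.
set security ipsec vpn remote-vpn bind-interface st0.2
set security ipsec vpn remote-vpn ike gateway gw-remotevpn
set security ipsec vpn remote-vpn ike ipsec-policy ipsec-pol-remotevpn

## 4. Policies between the VPN zone and trust. With a route-based VPN there
##    is no "tunnel ipsec-vpn" clause on the policy; the st0 binding selects
##    the tunnel. "any/any" matches the thread; tighten to real resources.
set security policies from-zone remote-vpn to-zone trust policy vpn-in match source-address any
set security policies from-zone remote-vpn to-zone trust policy vpn-in match destination-address any
set security policies from-zone remote-vpn to-zone trust policy vpn-in match application any
set security policies from-zone remote-vpn to-zone trust policy vpn-in then permit
set security policies from-zone trust to-zone remote-vpn policy vpn-out match source-address any
set security policies from-zone trust to-zone remote-vpn policy vpn-out match destination-address any
set security policies from-zone trust to-zone remote-vpn policy vpn-out match application any
set security policies from-zone trust to-zone remote-vpn policy vpn-out then permit
```

After `commit check` and `commit`, `show security ike security-associations` and `show security ipsec security-associations` show whether a client completed Phase 1 and Phase 2, and `show interfaces st0.2` confirms the unit is up in the right zone. The same pattern extends to the four separate remote VPN zones mentioned later in the thread: one st0 unit per zone, each with its own address, gateway and policies, all sharing ge-0/0/11.0 as the external-interface.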
09-23-2009 10:49 AM
I looked at the Knowledge Base document KB10182 - Remote Dialup VPN. This doc is great, but I don't want my remote VPNs listed in the untrust zone.
I have 4 different remote VPN zones I need. Is it possible to configure a remote VPN in a different zone using an SRX? I configured it on the SSG; I assume it would be possible on the SRX, since it is the successor.
09-24-2009 07:26 AM
I looked through the Juniper documents again, and apparently NetScreen-Remote VPN is not supported in releases 9.5 and 9.6, and my Juniper SRX does not roll back to 9.3.
Does this mean that the Juniper SRX devices are limited to the Dynamic VPN feature only? If that is so, is there no way to get remote VPN functionality even after all 50 remote VPN licenses are used?