Null7238

SRX210 Dynamic VPN configuration

I have been attempting to configure the VPN on my SRX210 using the wizard, but I can't seem to access the /dynamic-vpn portal. I can't quite put my finger on what I'm doing wrong here. I come to the expertise of the forums yet again to try to get this solved.

 

thank you.

 

## Last changed: 2011-07-15 16:08:43 UTC
/* Junos release this configuration was written on; behaviour of the stanzas below (dynamic VPN, web-management binding) should be checked against this release's documentation */
version 11.1R2.3;
system {
    host-name digi-srx-1;
    domain-name digi-pets.com;
    root-authentication {
        /* $1$ is md5-crypt, which is cheap to attack offline; this hash is now public with the posted config, so the root password should be rotated */
        encrypted-password "$1$KRfQ.WBe$chXFsQG643TKllPj.ciM9/";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /* telnet and xnm-clear-text are plaintext management protocols. No zone in this config lists them under host-inbound-traffic, so they are unreachable today, but leaving them enabled means any later zone change exposes them; ssh alone is sufficient */
        telnet;
        xnm-clear-text;
        web-management {
            /* J-Web is served under /admin; whether this also affects the /dynamic-vpn portal path is not established by this config -- TODO confirm */
            management-url admin;
            /* plaintext J-Web; the trust and dev-zone zones allow http inbound, so consider https only once the portal is confirmed working */
            http;
            /* no `interface` statement under https: the listener is not bound to any interface, which is a likely reason the /dynamic-vpn portal is unreachable. Binding it with `interface ge-0/0/0.0` lines up with the untrust zone, which already allows https inbound on that interface */
            https {
                /* self-signed certificate; VPN clients will see a trust warning until a CA-issued certificate is installed */
                system-generated-certificate;
            }
        }
        dhcp {
            pool 10.0.16.0/20 {
                address-range low 10.0.16.10 high 10.0.16.254;
                router {
                    10.0.16.1;
                }
                server-identifier 10.0.16.1;
            }
            /* this same /20 is also the dynamic VPN client address pool (access address-assignment) and the VPN protected resource (security dynamic-vpn); VPN clients and LAN DHCP leases can then collide, and a client's own address sits inside the prefix it tunnels to -- a dedicated, non-overlapping VPN pool is the usual layout */
            pool 10.0.32.0/20 {
                address-range low 10.0.32.10 high 10.0.32.254;
                router {
                    10.0.32.1;
                }
                server-identifier 10.0.32.1;
            }
            /* written as a host address (10.0.0.1) where the other pools use the network address; presumably normalised to 10.0.0.0/20 -- confirm in the committed configuration */
            pool 10.0.0.1/20 {
                address-range low 10.0.0.10 high 10.0.0.254;
                router {
                    10.0.0.1;
                }
                server-identifier 10.0.0.1;
            }
            /* DHCP options learned on the WAN lease (ge-0/0/0.0) are passed on to the local pools */
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* only authorization events and critical-or-worse messages are kept; failed VPN/XAuth logins and IKE negotiation errors are easy to miss at this level. A dedicated file for IKE and authentication messages at a lower severity (or `security ike traceoptions` while troubleshooting) gives the detail needed */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* WAN address comes from the provider's DHCP; the destination NAT and proxy-arp entries under security nat use the fixed address 24.78.143.203, so they stop matching if the lease changes */
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    /* 802.1Q trunk carrying the three internal /20s; each unit is placed in its own security zone below (16 = servers-zone, 32 = dev-zone, 100 = trust) */
    ge-0/0/1 {
        vlan-tagging;
        unit 16 {
            description Servers;
            vlan-id 16;
            family inet {
                address 10.0.16.1/20;
            }
        }
        unit 32 {
            description Dev;
            vlan-id 32;
            family inet {
                address 10.0.32.1/20;
            }
        }
        unit 100 {
            description vlan-trust;
            vlan-id 100;
            family inet {
                address 10.0.0.1/20;
            }
        }
    }
    /* fe-0/0/2 to fe-0/0/7 are switch ports; which VLAN they carry is not visible in this config */
    fe-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
}
protocols {
    /* spanning tree; presumably for the fe-0/0/2 to fe-0/0/7 ethernet-switching ports */
    stp;
}
security {
    ike {
        policy ike_pol_wizard_dyn_vpn {
            /* aggressive mode is what the dynamic-VPN wizard emits for group-ike-id clients; it sends identities unprotected and exposes the pre-shared key to offline guessing by anyone who captures the exchange, so the key must be long and random */
            mode aggressive;
            /* the compatible proposal set admits legacy algorithms (DES/3DES, MD5); explicit AES/SHA proposals are preferable once the client is known to support them */
            proposal-set compatible;
            /* $9$ is Junos obfuscation, not encryption -- the key is recoverable from this posted config and should be changed */
            pre-shared-key ascii-text "$9$A6y8tu1eK8Vb2cy-VY2UD9ApuEy-dbsgox7jHk.5T";
        }
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname digi-srx-1;
                /* cap on concurrent dynamic peers; the access profile defines a single user */
                connections-limit 50;
                ike-user-type group-ike-id;
            }
            /* IKE terminates on the WAN interface; the untrust zone permits ike inbound there */
            external-interface ge-0/0/0.0;
            /* XAuth credentials are checked against remote_access_profile in the access stanza */
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                /* DH group 2 is 1024-bit MODP, below current recommendations; group14 or higher if the client supports it */
                keys group2;
            }
            proposal-set compatible;
        }
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                /* clients are only given a route to the Dev VLAN; this prefix is also the client address pool (access address-assignment) and the Dev DHCP pool (system services dhcp) -- TODO confirm the overlap is intended */
                remote-protected-resources {
                    10.0.32.0/20;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    jlatta;
                }
            }
        }
    }
    screen {
        /* applied to the untrust zone only; the internal zones run without screens */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* trust and dev-zone hosts egress with the WAN interface address; servers-zone has neither a source NAT rule nor a policy to untrust, so it has no outbound path -- presumably intended */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dev-to-untrust {
                from zone dev-zone;
                to zone untrust;
                rule dev-source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat-pool-1 {
                /* a single-host pool is normally written /32; a /20 here describes a network range -- TODO confirm which was intended */
                address 10.0.17.10/20;
            }
            rule-set dst-nat {
                from zone untrust;
                rule r1 {
                    match {
                        /* a /22 match covers the provider's whole block, not just this box's address, and together with the /22 proxy-arp entry below the SRX will answer ARP for neighbours' addresses on the shared WAN segment. The WAN address is DHCP-assigned (interfaces ge-0/0/0), so a /32 on the leased address is what is usually intended */
                        destination-address 24.78.143.203/22;
                    }
                    then {
                        destination-nat pool dnat-pool-1;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    /* see the note on rule r1: a /22 here claims every address in the provider's block */
                    24.78.143.203/22;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* any/any/any permit with no `log`; `then log session-init` (or session-close) produces the session records needed for incident review -- the same applies to every policy in this stanza */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dev-zone to-zone untrust {
            policy dev-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone servers-zone to-zone dev-zone {
            /* named for SSH but matches application any; `application junos-ssh` would make the rule match its name (same for ssh-to-servers below) */
            policy ssh-to-dev {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dev-zone to-zone servers-zone {
            policy ssh-to-servers {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone servers-zone {
            /* only HTTP is permitted inbound; traffic presumably arrives here via dst-nat rule r1 above */
            policy untrust-to-servers {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone dev-zone {
            /* wizard-generated tunnel policy: any/any/any, with the reachable prefix constrained by remote-protected-resources rather than by this match */
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.100 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            https;
                            /* plaintext J-Web reachable from the trust VLAN; drop once https is confirmed working */
                            http;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* needed for the DHCP client on ge-0/0/0.0 */
                            dhcp;
                            /* tftp on the WAN side is unusual exposure; remove unless something on the WAN genuinely needs it */
                            tftp;
                            ike;
                            /* https here is what the /dynamic-vpn portal needs from the WAN, but only once the web-management https listener is bound to this interface (system services web-management) */
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone dev-zone {
            interfaces {
                ge-0/0/1.32 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                            /* plaintext J-Web reachable from the Dev VLAN; drop once https is confirmed working */
                            http;
                            https;
                        }
                    }
                }
            }
        }
        security-zone servers-zone {
            interfaces {
                ge-0/0/1.16 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile remote_access_profile {
        client jlatta {
            firewall-user {
                /* $9$ is reversible obfuscation; this password is recoverable from the posted config and should be changed */
                password "$9$E.MSv8oaUji.dbDk.Pn6SreWNd";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                /* VPN clients draw addresses from the same /20 the Dev VLAN and its DHCP pool use (interfaces ge-0/0/1.32, system services dhcp); a dedicated prefix avoids address collisions and keeps a client's address outside the prefix it tunnels to */
                network 10.0.32.0/20;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            /* the same profile also serves as the default for web authentication */
            default-profile remote_access_profile;
        }
    }
}

 

Aigarz

Re: SRX210 Dynamic VPN configuration

At first glance, it seems the interface definition is missing:

 

try to add

set system services web-management https interface <ifname>

 

eg.

<ifname> = ge-0/0/0.0

Null7238

Re: SRX210 Dynamic VPN configuration

I tried this, but I was still not able to access it. Am I supposed to access it from another WAN link, or internally on my network to set it up initially? I have been trying both, to no avail.
