SRX Services Gateway
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

VPN Configuration

Does anyone have any experience setting up a VPN with an SRX210?

 

I need assistance as I am having no luck whatsoever making it work...

 

If you have Gtalk or AIM, even better... please help if possible

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

What's your problem, mate? :)

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

Sent you a private message. Trying to configure a VPN on an SRX210 for employees. We have a Windows 2008 domain controller. Users who sign into the VPN must authenticate against this, and get an IP address from the domain controller... where do I start?

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

I think it is best to stay in the public forum so that others can follow the thread. One option would be to let Windows handle the whole VPN stuff and just allow incoming PPTP and GRE traffic on the SRX (in case you do PPTP VPN; other options are L2TP over IPSec or the SSL tunneled VPN, introduced with Windows Server 2008). This requires configuring the Routing and Remote Access service. The advantage is the close AD integration, which must otherwise be configured through RADIUS.

 

If you would like to handle all VPN related stuff on the SRX, this can be achieved, as mentioned, by using RADIUS and the Pulse/Dynamic VPN client.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

A good introduction to Dynamic/VPN is this KB article:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318

 

To achieve your goal, more things need to be taken into account: RADIUS integration of your DC, probably the Pulse client, etc.

 

But I suggest you look at this article and come back with concrete questions.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

A question is this... do I need a RADIUS server? I thought the firewall can authenticate to the Domain Controller via LDAP... sorry, I am new at this

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

Yes, you need a RADIUS server. SRX can't speak LDAP. Luckily, the built-in IAS (or the Network Policy and Access Services, as they are called in Windows Server 2008 and above) will work perfectly, integrate well into the AD and are free of charge.

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

OK, so I will configure the 2008 domain controller to be a RADIUS server as well... Then what is my next step for configuring the SRX210? The instructions are very difficult to navigate. I know I need to go to https://-ipaddress/dynamic-vpn at some point

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

I personally prefer the PULSE client to connect. This KB article addresses the PULSE specific steps:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17641

 

The general approach remains the same. This KB article addresses the general steps in great detail:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=TN7

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

Okay, so I configured my domain controller as a RADIUS server, and I set the SRX210 as a client. What do I need to do now on the SRX210 to allow me to log in via the RADIUS server? Thanks for the input so far

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

I suggest installing JUNOS 10.4 R1 on your SRX. Then you can use the interactive VPN wizard from the GUI. This PDF from the KB article I mentioned contains detailed step-by-step instructions for doing so, including configuring the SRX as a RADIUS client:

 

http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v2...

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

What is the CLI command to change the authentication order to local before RADIUS? I can no longer log in to J-Web

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

RADIUS should always be the first entry. To have local database as second, you can use this order:

 

 

set system authentication-order [ radius password ]

 

 

But nevertheless this only applies if you want to handle users for firewall management over RADIUS. For VPN authentication, you would use this command:

 

 

set access profile dyn-vpn-access-profile authentication-order radius 

 

Example from the PDF.

 

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

I cannot log in to J-Web with the user name and password... I guess I'm asking how to switch it back to local firewall auth

Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

Never mind, I got local auth working again... when I set it as RADIUS I can no longer log in to the firewall at all

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

Hi,

 

Don't confuse two different things. The ordinary authentication order under [system] is related to the firewall's administrative access. You can configure a RADIUS or TACACS+ server here to avoid defining all users that should be able to log on and manage the firewall locally. Whether you list RADIUS and local, and in what order, depends on what should happen if the RADIUS server is offline.

 

Anyway, for the VPN authentication, RADIUS is defined in another context and can't interfere with the firewall login. So be careful not to mix these two configuration contexts.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
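
The two contexts described in the post above, as an added example that is not part of the original thread and not Juniper's own tooling: a small Python check that reads `set`-format configuration, separates the `[system]` authentication order from the per-profile VPN order, and reports whether the administrative login order still lists local `password`. The sample configuration, server address and secret are constructed placeholders; only the profile name comes from the thread.

```python
import re

# Constructed sample in Junos "set" format. The server address and secret are
# placeholders; the profile name is the one used in the thread.
SAMPLE_CONFIG = """\
set system authentication-order radius
set system radius-server 192.0.2.10 secret PLACEHOLDER
set access profile dyn-vpn-access-profile authentication-order radius
set access profile dyn-vpn-access-profile radius-server 192.0.2.10 secret PLACEHOLDER
"""

ORDER_RE = re.compile(
    r"^set\s+(?:(system)|access\s+profile\s+(\S+))\s+authentication-order\s+(.+)$"
)

def parse_auth_orders(config_text):
    """Split authentication-order statements into the two contexts."""
    orders = {"system": [], "profiles": {}}
    for line in config_text.splitlines():
        match = ORDER_RE.match(line.strip())
        if not match:
            continue
        # Accept both "radius" and "[ radius password ]" forms.
        methods = match.group(3).replace("[", " ").replace("]", " ").split()
        if match.group(1):
            target = orders["system"]
        else:
            target = orders["profiles"].setdefault(match.group(2), [])
        # Assumption: repeated statements add to the list in first-seen order.
        for method in methods:
            if method not in target:
                target.append(method)
    return orders

def audit(config_text):
    """Report admin-login fallback and list VPN profiles separately."""
    orders = parse_auth_orders(config_text)
    admin = orders["system"]
    return {
        "admin_order": admin,
        # No statement at all means the device default (local password) applies.
        "admin_local_fallback": not admin or "password" in admin,
        "vpn_profiles": orders["profiles"],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
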
Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

A good start would be for users to be able to log in and manage the firewall via J-Web by their domain name... NPS is installed on the domain controller, and on the J-Web interface I enabled RADIUS and Local, RADIUS being first, but it won't let me log in with my domain username... Our domain is avsad0, so would the login be avsad0\user??

Contributor
Posts: 27
Registered: ‎01-01-2011
0 Kudos

Re: VPN Configuration

Well, I have gotten some success... I now am able to log in to the dynamic-vpn client page

Now the issue is... once it downloads and the access manager opens, it just sits on connecting to server

It prompts me for my password, then I get the invalid certificate screen, then it just sits on connecting to server

Trusted Contributor
Posts: 236
Registered: ‎06-11-2010
0 Kudos

Re: VPN Configuration

Does anyone know if it's possible to set up SSTP or IKEv2 VPN in Windows 7 to work with the SRX? I've been investigating the IKEv2 option but without success so far.

 

mawr

Recognized Expert
Posts: 392
Registered: ‎01-05-2008
0 Kudos

Re: VPN Configuration

Hi,


IKEv2 is on the roadmap but not supported at the moment. SSTP seems to be Windows proprietary, so I don't assume we will ever see support on the SRX.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?