01-01-2011 03:28 PM
Does anyone have any experience setting up a VPN with a SRX210?
I need assistance as I am having no luck whatsoever making it work...
If you have gtalk or aim even better... please help if possible
01-01-2011 04:16 PM
Sent you a private message, trying to configure a VPN on a SRX210 for employees. We have a Windows 2008 domain controller; users who sign into the VPN must authenticate against this and get an IP address from the domain controller... where do I start?
01-01-2011 04:21 PM
I think it is best to stay in the public forum so that others can attend the thread. One option would be to let Windows handle the whole VPN stuff and just allow incoming PPTP and GRE traffic on the SRX (in case you do PPTP VPN; other options are L2TP over IPsec or the SSL tunneled VPN introduced with Windows Server 2008). This requires configuring the Routing and Remote Access service. The advantage is the close AD integration, which otherwise must be configured through RADIUS.
If you would like to handle all VPN related stuff on the SRX, this can be achieved as mentioned by using RADIUS and the Pulse/Dynamic VPN client.
01-01-2011 04:31 PM
A good introduction to Dynamic VPN is this KB article:
To achieve your goal, more things need to be taken into account: RADIUS integration of your DC, probably the Pulse client etc.
But I suggest you look at this article and come back with concrete questions.
01-01-2011 04:45 PM
Yes, you need a RADIUS server. The SRX can't speak LDAP. Luckily, the built-in IAS (or Network Policy and Access Services, as they are called in Windows Server 2008 and above) will work perfectly, integrates well into the AD and is free of charge.
01-01-2011 04:49 PM
Ok, so I will configure the 2008 domain controller to be a RADIUS server as well... Then what is my next step for configuring the SRX210? The instructions are very difficult to navigate. I know I need to go to https://-ipaddress/dynamic-vpn at some point.
01-01-2011 05:08 PM
I personally prefer the Pulse client to connect. This KB article addresses the Pulse specific steps:
The general approach remains the same. This KB article addresses the general steps in great detail:
01-01-2011 05:12 PM
Okay, so I configured my domain controller as a RADIUS server, and I set the SRX210 as a client. What do I need to do now on the SRX210 to allow me to log in via the RADIUS server? Thanks for the input so far.
01-01-2011 05:15 PM
I suggest installing JUNOS 10.4 R1 on your SRX. Then you can use the interactive VPN wizard from the GUI. This PDF from the KB article I mentioned contains detailed step by step instructions for doing so, including configuring the SRX as a RADIUS client:
01-01-2011 06:52 PM
RADIUS should always be the first entry. To have local database as second, you can use this order:
set system authentication-order [ radius password ]
But nevertheless this only applies if you want to handle users for firewall management over RADIUS. For VPN authentication, you would use this command:
set access profile dyn-vpn-access-profile authentication-order radius
Example from the PDF.
01-02-2011 04:06 AM
Don't confuse two different things. The ordinary authentication order under [system] is related to the firewall's administrative access. You can configure a RADIUS or TACACS+ server here to avoid defining locally all users that should be able to log on and manage the firewall. Whether you mention RADIUS and local, and in what order, depends on what should happen if the RADIUS server is offline.
Anyway, for the VPN authentication, RADIUS is defined in another context and can't interfere with the firewall login. So be careful not to mix these two configuration contexts.
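A configuration sketch of the two separate contexts described in this reply, added here as an illustration and not taken from the thread, the KB article or the PDF. The RADIUS server address, shared secrets and address pool are placeholders; the IKE/IPsec and J-Web pieces of a full Dynamic VPN setup are omitted.

```junos
# Context 1: administrative login to the firewall (CLI / J-Web).
# RADIUS is tried first, the local password database is the fallback.
set system radius-server 192.0.2.10 secret "RADIUS-SECRET-PLACEHOLDER"
set system authentication-order [ radius password ]
# Template account that RADIUS-authenticated admins are mapped to when
# NPS does not return a Juniper-Local-User-Name attribute.
set system login user remote class super-user

# Context 2: Dynamic VPN user authentication. A separate access profile
# with its own RADIUS definition; it has no effect on admin login.
set access profile dyn-vpn-access-profile authentication-order radius
set access profile dyn-vpn-access-profile radius-server 192.0.2.10 secret "RADIUS-SECRET-PLACEHOLDER"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set security dynamic-vpn access-profile dyn-vpn-access-profile
```

Both contexts can point at the same NPS server; the SRX still needs to be registered there as a RADIUS client once, with the same shared secret.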
01-02-2011 06:35 AM
A good start would be for users to be able to log in and manage the firewall via J-Web with their domain name... NPS is installed on the domain controller, and on the J-Web interface I enabled RADIUS and Local, RADIUS being first, but it won't let me log in with my domain username... our domain is avsad0, so would the login be... avsad0\user??
01-02-2011 03:07 PM
Well, I have gotten some success... I am now able to log in to the dynamic-vpn client page.
Now the issue is... once it downloads and the access manager opens, it just sits on "connecting to server".
It prompts me for my password... then I get the invalid certificate screen... then it just sits on "connecting to server".
01-02-2011 03:47 PM
IKEv2 is on the roadmap but not supported at the moment. SSTP seems to be Windows proprietary, so I don't assume we will ever see support on the SRX.