SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN on SRX210HE

    Posted 02-26-2015 07:10

    Hi all,

    I did a little research on the VPN; because I'm a newbie in Junos, I couldn't find the answer to my question.

    Is it possible, with a smartphone or any device, to log in with VPN on an SRX210?

    What I want to do is this: I have a little network at home with a couple of web services, SSH, FTP, and I find it very hard to port-forward everything and secure every username and password. Instead of opening all those ports, I want to do something like: if I am "at home", give my device an IP address 192.168.x.x.

    So in fact:

    (phone) ---------- Untrust ------- SRX ----- Trust----- xxx

    192.168.1.5 ...........ISP-ip ........192.168.1.1/24

    I don't know how to rephrase my question better than this. Maybe someone knows what I mean and can help a little...



  • 2.  RE: VPN on SRX210HE

     
    Posted 02-26-2015 23:42


  • 3.  RE: VPN on SRX210HE

     
    Posted 02-27-2015 01:39

    Hi serdar,

    You can use Dynamic VPN on SRX210 devices. The URLs below explain the configuration and how it works.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318

    http://kb.juniper.net/InfoCenter/index?page=content&id=TN7

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

     

    Thanks,

    Suraj

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 4.  RE: VPN on SRX210HE

    Posted 02-27-2015 06:45

    Hi,

    Thanks for the links.

    I got this far:

     
    set access profile dyn-vpn-access-profile client client1 firewall-user password xx
    set access profile dyn-vpn-access-profile client client2 firewall-user password xx
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile


    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text xxxXXXxxx
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile


    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match source-address any
    set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match destination-address any
    set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy match application any
    set security policies from-zone UNTRUST to-zone TRUST policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh


    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user client1
    set security dynamic-vpn clients all user client2

    After that, I tried to connect with Junos Pulse; it asks me every time for user and password, but it does not connect.

    And after verifying the steps as in the link for configuring the VPN:

    http://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/vpn-security-dynamic-example-configuring.html

    serdar@SRX210> show security ike security-associations       --> EMPTY

    serdar@SRX210> show security ike active-peer
    Remote Address Port Peer IKE-ID XAUTH username Assigned IP
    145.94.172.128 59477 client2dynvpn                                       --> this is the IP where I'm at, the remote location!!!!!
    145.94.172.128 64357 not available client1

    serdar@SRX210> show security ipsec security-associations
    Total active tunnels: 0

    serdar@SRX210>

    So what am I missing? I also tried with the iPhone.... but it says it fails to connect to the server.



  • 5.  RE: VPN on SRX210HE

     
    Posted 03-01-2015 05:02

    Dynamic VPN is not supported on smartphone devices, as detailed in this KB article.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&smlogin=true

    If you require smart devices to connect to the network using VPN, then you need Junos Pulse (now known as Pulse Secure).

     

    Thanks.

    Mas

     



  • 6.  RE: VPN on SRX210HE

    Posted 03-01-2015 14:37

    Yes, that's for sure, but also the Junos Pulse on my Win7 does not connect; it asks several times for authorization. What do I miss in the config?



  • 7.  RE: VPN on SRX210HE

     
    Posted 03-02-2015 01:28

    Can you run a traceoption for IKE? The logs will tell you why auth is failing.

    Does web login work, i.e. browse to the SRX login with the account and see if it launches Pulse that way?



  • 8.  RE: VPN on SRX210HE

    Posted 03-02-2015 12:14

    Out of nothing it worked, after I logged in on the web page... I think that did the trick!!!

    So what I am seeing now is that normal traffic, such as going on the web etc., goes through the remote network.... why?

    Why I want the VPN is to be able to do everything from my own network....

    What am I missing now? It's also a huge thing to be able to get into my network... so it works 50% :))))

    This is my config:

    security {
        ike {
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$GdjmTQF/0BEApvL7V4o"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 10;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.1.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        client1;
                        client2;
                    }
                }
            }
        }
    }

    ZONE - POLICY

                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
    access {
        profile dyn-vpn-access-profile {
            client client1 {
                firewall-user {
                    password "$9$HmPQ0ORhSeTz1hcy8LZUD"; ## SECRET-DATA
                }
            }
            client client2 {
                firewall-user {
                    password "$9$xN.dVYHkP5Qns2.5TzAtM8L"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.10.10.0/24;
                    xauth-attributes {
                        primary-dns 8.8.8.8/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }


  • 9.  RE: VPN on SRX210HE

     
    Posted 03-02-2015 21:52

    Then you need to push a default route towards your clients. Keep in mind that if you are on a remote network / mobile, you always need a default route / host route towards your "vpn concentrator", otherwise you will not be able to set up your VPN.



  • 10.  RE: VPN on SRX210HE
    Best Answer

    Posted 03-03-2015 06:17

    I also had to add source NAT and a policy for UNTRUST to UNTRUST,

    and I changed the remote-protected-resources to 0.0.0.0/0 and deleted the other one.

    So it's working perfectly. Thanks all for supporting and pointing me in the right direction!!
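The full-tunnel fix described in the last post, written out as an added example (not configuration from the thread or from Juniper): the source NAT rule-set and untrust-to-untrust policy that hairpin VPN clients back out to the Internet. It assumes the zone is named untrust, the external interface is ge-0/0/0.0 and the XAuth pool is 10.10.10.0/24, as in the posted config; the names vpn-pool, vpn-hairpin, pool-out and vpn-to-internet are chosen here, and the policy is scoped to the VPN pool rather than "any" so only tunnelled clients are forwarded.

```junos
## Added example, not from the thread. Assumes zone "untrust", interface
## ge-0/0/0.0 and pool 10.10.10.0/24 from the posted config; the object and
## rule names below are chosen here.

## Full tunnel: protect everything, so the client sends all traffic through
## the SRX. The old 192.168.1.0/24 entry and the remote-exceptions list
## (0.0.0.0/0 would otherwise exempt everything again) are removed.
delete security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
delete security dynamic-vpn clients all remote-exceptions
set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0

## Address object for the XAuth pool so the policy can be limited to VPN
## users (if the zones use zone-attached address books, define it there).
set security address-book global address vpn-pool 10.10.10.0/24

## Source NAT: pool addresses leaving ge-0/0/0.0 take the ISP address.
set security nat source rule-set vpn-hairpin from zone untrust
set security nat source rule-set vpn-hairpin to interface ge-0/0/0.0
set security nat source rule-set vpn-hairpin rule pool-out match source-address 10.10.10.0/24
set security nat source rule-set vpn-hairpin rule pool-out then source-nat interface

## Decrypted client traffic enters in untrust and leaves via untrust again,
## so an intra-zone policy is needed. Match on the pool, not "any".
set security policies from-zone untrust to-zone untrust policy vpn-to-internet match source-address vpn-pool
set security policies from-zone untrust to-zone untrust policy vpn-to-internet match destination-address any
set security policies from-zone untrust to-zone untrust policy vpn-to-internet match application any
set security policies from-zone untrust to-zone untrust policy vpn-to-internet then permit
```

After commit, "show security nat source rule all" shows hit counts on pool-out and "show security flow session source-prefix 10.10.10.0/24" shows client sessions leaving through ge-0/0/0.0.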