SRX Services Gateway
Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

junos pulse with certificate authentication

Could it be possible to know when Junos Pulse will be able to connect to an SRX gateway with certificate-based authentication? (For the IKE part, not for the HTTPS part.)

Juniper Employee
vairavan subramanian
Posts: 18
Registered: ‎11-15-2010

Re: junos pulse with certificate authentication

The current solution on the SRX is dynamic VPN. This is a clientless solution. The client delivered to the host is an access manager.

The dynamic VPN solution does not support certificates, as both the local cert as well as the CA cert have to be delivered after HTTPS authentication to the client such that IKE phase-1 can be negotiated.

The Pulse client will be integrated into the SRX; however, that is a roadmap item.

Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: junos pulse with certificate authentication

KB17641 mentions Pulse, SRX and dynamic VPN.

Even if Pulse is mentioned, Pulse is not used?

This is really confusing.

Is there a way to use a regular IPsec client with an SRX gateway (as a workaround)?

Juniper Employee
vairavan subramanian
Posts: 18
Registered: ‎11-15-2010

Re: junos pulse with certificate authentication

Yes, a regular IPsec client does work with SRX. However, JTAC does not officially support clients other than the dynamic VPN client.

Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: junos pulse with certificate authentication

Do you have a sample config by chance (using route-based or policy-based)?

I can use NetScreen-Remote or any other VPN client.

I was already aware of the non-support, but if there is no alternative I take the risk anyway.

Juniper Employee
vairavan subramanian
Posts: 18
Registered: ‎11-15-2010

Re: junos pulse with certificate authentication

Actually, the config on the SRX for any remote client would be exactly the same as the config you use for "dynamic vpn". You just need to delete all the config under the "security dynamic-vpn" stanza.

The rest of the config under ike and ipsec will remain the same.

Of course, if you need certificates instead of pre-shared keys you can add that under the ike config.

Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: junos pulse with certificate authentication

NS Remote with PSK and XAuth works flawlessly;

NS Remote with certificates also works fine;

I can share the config if some are interested. (All certificates are generated from the same cert server.)

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007

Re: junos pulse with certificate authentication

This app note may be useful.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN16&cat=SRX_SERIES&actp=LIST

This applies to J-Series, which supports the NetScreen-Remote IPSec client. As Vairavan mentions, JTAC cannot support the configuration on SRX Branch. But the configuration should be the same. There is also an app note regarding PKI certificates with IPSec which may be useful as well.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN17&cat=SRX_SERIES&actp=LIST

For the NetScreen-Remote side itself there are also some KB articles out there on kb.juniper.net that can help you with that side. Between these app notes I think you should have the information you need.

Contributor
pkcpkc
Posts: 89
Registered: ‎11-10-2010

Re: junos pulse with certificate authentication

Thanks for the links.

Is there any info regarding PKI in a cluster environment? (Target is NS Remote + certs vs SRX cluster.)

Is the certificate and PKI info shared between the nodes?

Otherwise, how can I synchronize the certs and keys between the nodes?

Juniper Employee
_Ronin
Posts: 14
Registered: ‎05-21-2009

Re: junos pulse with certificate authentication

PKI is supported in an SRX cluster environment. It is kept synchronized between nodes.
