11-16-2010 07:44 AM
Could it be possible to know when Junos Pulse will be able to connect to an SRX gateway with certificate-based authentication? (For the IKE part, not for the HTTPS part.)
11-16-2010 07:53 AM - edited 11-16-2010 08:42 AM
The current solution on the SRX is dynamic VPN. This is a clientless solution. The client delivered to the host is an access manager.
The dynamic VPN solution does not support certificates, as both the local cert as well as the CA cert have to be delivered after HTTPS authentication to the client such that IKE phase-1 can be negotiated.
Pulse client will be integrated into the SRX, however that is a roadmap item.
11-16-2010 07:59 AM
KB17641 mentions Pulse, SRX and dynamic VPN.
Even if Pulse is mentioned, Pulse is not used?
This is really confusing.
Is there a way to use a regular IPsec client with an SRX gateway (as a workaround)?
11-16-2010 08:04 AM - edited 11-16-2010 08:06 AM
Do you have a sample config by chance (using route-based or policy-based)?
I can use NetScreen-Remote or any other VPN client.
I was already aware of the non-support, but if there is no alternative I take the risk anyway.
11-16-2010 08:08 AM
Actually, the config on the SRX for any remote client would be exactly the same as the config you use for "dynamic vpn". You just need to delete all the config under the "security dynamic-vpn" stanza.
The rest of the config under ike and ipsec will remain the same.
Of course, if you need certificates instead of pre-shared keys you can add that under the ike config.
11-16-2010 02:01 PM
ns remote with psk and xauth works flawlessly;
ns remote with certificates also works fine;
I can share the config if some are interested. (all certificates are generated from the same
11-16-2010 02:12 PM
This app note may be useful.
This applies to J-Series which supports NetScreen-Remote IPSec client. As Vairavan mentions, JTAC cannot support the configuration on SRX Branch. But configuration should be same. There is also an app note regarding PKI certificates with IPSec which may also be useful as well.
For NetScreen-Remote side itself there are also some KB articles out there on kb.juniper.net that can help you with that side. Between these app notes I think you should have information you need.
11-17-2010 12:07 AM
Thanks for the links.
Is there any info regarding PKI in a cluster environment? (Target is NS Remote + certs vs SRX cluster.)
Is the certificate and PKI info shared between the nodes?
Otherwise, how can I synchronize the certs and keys between the nodes?