Hi Juniper Community,
After a few days of setting up my SRX240, my impression is that I have lost the overview. Maybe someone can help me.
I configured two WAN IP interfaces:
/* Two WAN-facing interfaces, each carrying one public /29 address (masked by the poster).
   ge-0/0/0 is described as the Internet / web-service / site-to-site VPN uplink,
   ge-0/0/1 as the J-Web and dynamic-VPN uplink. The security-zone membership of
   either interface is not shown in this post. */
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 2XX.XXX.XXX.XX8/29;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 2XX.XXX.XXX.XX9/29;
}
}
}
The first one is for Internet, web services and the site-to-site VPN.
The second one is only for J-Web access and the dynamic VPN with the Pulse client. I created just the following:
/* NOTE(review): this paste is a concatenation of several stanzas, not one tree.
   web-management normally lives under [system services]; everything from
   "ike {" onward (ike, ipsec, dynamic-vpn, the security policy) belongs under
   [security]. Closing braces appear to have been lost while pasting — for example
   web-management is never closed before "ike {", and proposal
   dyn_sha1_psk_aes_256 is not closed before "policy ike-dyn-vpn-policy" — so the
   brace nesting below should not be read literally. */
web-management {
/* level all / flag all traces every web-management event; useful while
   troubleshooting, but noisy — worth removing once the dynamic VPN works. */
traceoptions {
level all;
flag all;
}
/* management-url only changes the URL path under which J-Web answers; it does
   not restrict who can reach the UI. */
management-url no-access-jweb;
/* J-Web over HTTPS is bound to the internal vlan.0 AND to the public WAN
   interface ge-0/0/1.0, with a self-signed (system-generated) certificate.
   Exposing the management UI on a public address widens the attack surface;
   the usual hardening is to serve it only on vlan.0 (or over the VPN) and to
   use a CA-signed certificate so clients can verify the box. */
https {
port 443;
system-generated-certificate;
interface [ vlan.0 ge-0/0/1.0 ];
}
/* IKE (phase 1) for the Pulse dynamic VPN. Both proposals use pre-shared-key
   authentication, DH group2 (1024-bit MODP) and SHA-1 — the parameters of the
   classic dynamic-VPN examples, but weak by current standards. */
ike {
proposal dyn_sha1_psk_aes_128 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal dyn_sha1_psk_aes_256 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
/* NOTE(review): a closing brace for the proposal above seems to be missing here. */
/* Aggressive mode with a shared group PSK: the PSK-derived hash is exchanged
   before encryption is established, so the strength of the dynamic-VPN access
   rests on this PSK plus the XAuth password. Use a long random PSK and rotate
   it if a client device is lost. */
policy ike-dyn-vpn-policy {
mode aggressive;
proposals [ dyn_sha1_psk_aes_128 dyn_sha1_psk_aes_256 ];
pre-shared-key ascii-text "XXXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
/* Dynamic gateway: clients identify by group IKE ID (hostname), at most 10
   concurrent connections, terminating on the second WAN address ge-0/0/1.0.
   xauth ties phase-1 user authentication to the local access profile. */
gateway dyn-vpn-local-gw {
ike-policy ike-dyn-vpn-policy;
dynamic {
hostname hosty.my-domain.local;
connections-limit 10;
ike-user-type group-ike-id;
}
external-interface ge-0/0/1.0;
xauth access-profile dyn-vpn-access-profile;
}
}
/* IPsec (phase 2): ESP with HMAC-SHA1-96 and AES-128/256-CBC, PFS with group2.
   Same caveat as for IKE regarding SHA-1 and group2. */
ipsec {
proposal dyn_vpn_sha1_aes128_esp {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 28800;
}
proposal dyn_vpn_sha1_aes256_esp {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}
policy ipsec-dyn-vpn-policy {
perfect-forward-secrecy {
keys group2;
}
proposals [ dyn_vpn_sha1_aes128_esp dyn_vpn_sha1_aes256_esp ];
}
vpn dyn-vpn {
ike {
gateway dyn-vpn-local-gw;
ipsec-policy ipsec-dyn-vpn-policy;
}
}
}
application-tracking;
/* Pulse client profile. remote-protected-resources is the list of prefixes the
   client routes INTO the tunnel; remote-exceptions 0.0.0.0/0 sends everything
   else out the client's own Internet connection (split tunnel).
   NOTE(review): only four 192.168.12x.0/24 prefixes are listed. If the "remote
   networks" behind the site-to-site VPN use other prefixes, client traffic to
   them never enters the tunnel — which would match the reported symptom that
   only the local network is reachable. */
dynamic-vpn {
access-profile dyn-vpn-access-profile;
clients {
all {
remote-protected-resources {
192.168.123.0/24;
192.168.124.0/24;
192.168.125.0/24;
192.168.127.0/24;
}
remote-exceptions {
0.0.0.0/0;
}
ipsec-vpn dyn-vpn;
user {
user111;
}
}
}
}
/* The SRX answers ARP on vlan.0 for the dynamic-VPN pool addresses .180–.191
   (the same range as pool dyn-vpn-address-pool), so clients appear to sit on
   the internal LAN. */
proxy-arp {
interface vlan.0 {
address {
192.168.123.180/32 to 192.168.123.191/32;
}
}
}
}
/* any/any/any permit into the dyn-vpn tunnel. The from-zone/to-zone pair this
   policy sits under is not shown. NOTE(review): dynamic-VPN client traffic
   enters the SRX in the zone of ge-0/0/1.0 and still needs policies from that
   zone toward the LAN zone and toward the zone the site-to-site VPN traffic
   uses; "internal policies apply but external rules do not" suggests the
   latter are missing. */
policy policy_in_dyn_vpn {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dyn-vpn;
}
}
}
}
}
/* Local user database and address pool used by the dynamic VPN (XAuth) and by
   web-authentication. */
access {
/* Single local user (password masked). authentication-order password means
   only the local password is consulted — no RADIUS/LDAP is configured here. */
profile dyn-vpn-access-profile {
authentication-order password;
client user111 {
firewall-user {
password "XXXXXXXXXXXXXXXXXXXXXX"; ## SECRET-DATA
}
}
address-assignment {
pool dyn-vpn-address-pool;
}
}
/* Pool carved out of the internal LAN, .180–.191 (the same range that proxy-arp
   answers for on vlan.0). Only a primary DNS server is pushed to clients via
   xauth-attributes. */
address-assignment {
pool dyn-vpn-address-pool {
family inet {
network 192.168.123.0/24;
range dvpn-range {
low 192.168.123.180;
high 192.168.123.191;
}
xauth-attributes {
primary-dns 192.168.123.245/32;
}
}
}
}
/* Web-authentication falls back to the same local profile; the success banner
   is the German word for "successful". */
firewall-authentication {
web-authentication {
default-profile dyn-vpn-access-profile;
banner {
success ERFOLGREICH;
}
}
}
}
The site-to-site VPN is working fine. The issues with the dynamic VPN are:
- I can't reach any of my remote networks, only my own internal network
- The internal policies are applied to the dynamic VPN traffic, but the external rules are not
- I use software that authenticates over telnet on port 4444; the connection is established but the authentication does not work
Maybe someone has an approach or an example config for me. I attached my config file. Thanks for helping me.