After lots and lots of headaches (my colleague left, I had to jump in, and his config was half finished), I've come to this (censored) version, which finally allows me to connect from the internet to our network.
* is it possible to have RADIUS verification, without a dynamic VPN license, on an SRX 550, for the "t400-access" profile? Estimated users: 15. It was a feature we had on our SSG.
I've been able to configure RADIUS authentication for accessing the firewall (vendor code 2636, RADIUS = Windows Server 2012).
* is it possible to limit VPN access to certain MAC addresses? My fear is that one day users will simply copy the VPN config from their ShrewSoft client to their private laptops, which are missing our policies and antivirus software.
The following two problems seem to be solved, I'm leaving this here for future reference for others.
* using ShrewSoft VPN Access Manager 2.2.0, I still get disconnected. As suggested earlier, I changed the lifetimes: phase 1 => 180, phase 2 => 28800. Yet I still get disconnected after 2 or 3 minutes. (Update - but it needs further testing: I might have this one fixed. On the firewall, I left the phase 1 lifetime at 180; in the ShrewSoft client I've set it to 60.)
* perhaps it has to do with the RADIUS verification, but I can neither ping nor access a computer if I use the UNC path ( e.g. \\MYPC-01.intranet.domain.com\C$ ) - I have to use its IP ( \\10.1.10.20\C$ ). How can I fix this, since a lot of the software we work with relies on names rather than IPs? The DNS server is 10.1.10.18 (in the config below). => after changing the lifetime to 60, this also seems to be fixed, whatever the reason might be.
## Last changed: 2015-05-01 20:56:51 CEST
version 12.1X44-D45.2;
system {
# Management plane: device identity, admin authentication, services, logging, NTP.
host-name SRX550;
time-zone Europe/Brussels;
# Admin logins try the local password database first, then the RADIUS server(s) below.
authentication-order [ password radius ];
root-authentication {
# Hash censored for posting.
encrypted-password "";
}
name-server {
8.8.8.8;
8.8.4.4;
}
name-resolution {
no-resolve-on-input;
}
# NOTE(review): radius-server appears twice (here and directly below) for the same
# server 10.1.10.20 with different secret / source-address values; this looks like a
# censoring artifact, and "<ip of your firewall>" is not a loadable address. Keep a
# single stanza with the firewall's LAN address as source-address and the real secret.
radius-server {
10.1.10.20 {
port 1812;
secret "";
timeout 3;
retry 3;
source-address <ip of your firewall>;
}
}
radius-server {
10.1.10.20 {
port 1812;
secret "X";
timeout 3;
retry 3;
source-address ip-of-firewall;
}
}
radius-options {
# Password protocol used towards the RADIUS server (Windows Server 2012 per the post above).
password-protocol mschap-v2;
}
login {
user remote {
# Defines role for RADIUS users who are not individually specified.
full-name "All remote users";
uid 2000;
# operator
# read-only keeps RADIUS-only admins from committing configuration changes;
# give named local accounts a higher class instead of raising this template.
class read-only;
}
}
services {
# SSH with no sub-options; consider `root-login deny` so root is console-only
# (confirm the default for this release) and rely on the named/RADIUS accounts.
ssh;
web-management {
https {
# Device-generated (self-signed) certificate: browsers will warn until a trusted
# certificate is loaded. The listener is bound to the LAN interface only.
system-generated-certificate;
interface ge-0/0/1.0;
}
session {
idle-timeout 60;
}
}
# DHCP for the guest network on ge-0/0/3 (192.168.0.0/24); guests are handed public DNS.
dhcp {
maximum-lease-time 86400;
default-lease-time 86400;
name-server {
8.8.8.8;
8.8.4.4;
}
router {
192.168.0.1;
}
pool 192.168.0.0/24 {
address-range low 192.168.0.2 high 192.168.0.254;
maximum-lease-time 86400;
default-lease-time 86400;
}
}
}
syslog {
# Small on-box retention (3 x 100k); forward to an external collector if logs must survive.
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
# authorization info records admin logins/logouts, incl. RADIUS results.
authorization info;
}
file interactive-commands {
# Only error-level command events are kept here; `interactive-commands any;`
# would give an audit trail of every CLI command and commit.
interactive-commands error;
}
file kmd-logs {
# IKE/IPsec daemon (KMD) messages - the first place to look for the VPN disconnects.
daemon info;
match KMD;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
# NOTE(review): looks like a typo for the pool.ntp.org zone name; verify with
# `show ntp associations`. Wrong time also skews log timestamps and lifetimes.
server be.ntp.pool.org;
}
}
interfaces {
# Physical ports. Public addresses are censored as "publicIp" placeholders.
ge-0/0/0 {
# Untrust side; also the IKE external-interface (see security ike gateway).
description Internet;
unit 0 {
family inet {
address publicIp/29;
}
}
}
ge-0/0/1 {
# Trusted LAN; management (https/ssh) is only reachable on this interface.
description Lan;
gigether-options {
no-auto-negotiation;
}
unit 0 {
family inet {
address <ip of your firewall>/28;
}
}
}
ge-0/0/2 {
# NOTE(review): not placed in any security-zone in the config shown, so it should
# pass no transit traffic; confirm this is intentional before the port is cabled.
description uplink2;
gigether-options {
auto-negotiation;
}
unit 0 {
description uplink2;
family inet {
address publicIp/24;
}
}
}
ge-0/0/3 {
# Guest wireless segment; addresses are handed out by the system dhcp pool.
description "Guest Users";
gigether-options {
auto-negotiation;
}
unit 0 {
description "Guest Users";
family inet {
address 192.168.0.1/24;
}
}
}
}
routing-options {
static {
# removed
# (default route and any internal routes were censored for posting)
}
}
protocols {
stp {
# No spanning tree on the firewall ports.
disable;
}
}
security {
ike {
# Phase 1 for the ShrewSoft remote-access clients (mirrors the client profile below).
proposal t400-ike-proposal {
authentication-method pre-shared-keys;
# group2 / md5 / 3des are legacy choices kept for client compatibility; if the
# client allows it, prefer a larger DH group, SHA-2 and AES.
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
# 180 s phase-1 rekey; the post ties the disconnects to this value vs. the client's 60 s.
lifetime-seconds 180;
}
policy t400-ike-policy {
# Aggressive mode is what a dynamic user-at-hostname peer needs, but it exposes the
# identity and a PSK-derived hash to anyone on the path, so the PSK must be long and
# random - and it is one shared secret for all clients of this gateway, so rotate it
# whenever a laptop is lost or a user leaves.
mode aggressive;
proposals t400-ike-proposal;
# Placeholder; real value censored.
pre-shared-key ascii-text "secret";
}
gateway t400-ike-gw {
ike-policy t400-ike-policy;
dynamic {
# All clients present this same identity (shared-ike-id); per-user identity comes from XAuth.
user-at-hostname "remote@domain.org";
connections-limit 50;
ike-user-type shared-ike-id;
}
external-interface ge-0/0/0.0;
# XAuth users are checked against this access profile (local passwords). The RADIUS
# variant t400-access2 under "access" is not wired in; pointing this statement at it
# is what would make RADIUS XAuth take effect. MAC-based restriction is not possible
# here - the firewall only sees the client's public IP - per-device certificates are
# the usual substitute for "company laptops only".
xauth access-profile t400-access;
}
}
ipsec {
# Phase 2 for the remote-access tunnel.
proposal t400-ipsec-proposal {
protocol esp;
# Same legacy algorithm choices as phase 1 (hmac-md5 / 3des).
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy t400-ipsec-policy {
# No perfect-forward-secrecy here, consistent with the client's phase2-pfsgroup:0.
proposals t400-ipsec-proposal;
}
vpn t400-vpn {
# Policy-based VPN (no bind-interface): traffic enters the tunnel via the
# "tunnel ipsec-vpn t400-vpn" actions in security policies.
ike {
gateway t400-ike-gw;
ipsec-policy t400-ipsec-policy;
}
}
}
alg {
# Lets IKE/ESP pass for NAT'd peers; the clients use NAT-T (udp/4500) per the client profile.
ike-esp-nat {
enable;
}
}
screen {
# NOTE(review): this ids-option is defined but no security-zone below references it;
# it only takes effect with `screen untrust-screen;` under security-zone Internet.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
# NOTE(review): this pool is not referenced by any rule in the config shown;
# both rule-sets below use interface NAT. Remove it if it is a leftover.
pool src-nat-woonnet {
address {
10.100.16.32/29;
}
port no-translation;
}
# LAN -> Internet: hide behind the ge-0/0/0 address.
rule-set nsw_srcnat {
from zone Trust;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
# Guest -> Internet: same interface NAT.
rule-set nsw_guestusers {
from zone GuestUsers;
to zone Internet;
rule source-nat-rule-guestusers {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
# removed
}
proxy-arp {
# Needed for any destination-NAT addresses in the /29 that are not the interface address.
interface ge-0/0/0.0 {
address {
publicip/32 to publicip/32;
}
}
}
}
policies {
# Evaluated top-down per zone pair; first match wins.
from-zone Trust to-zone Internet {
policy InternetAccess {
match {
source-address [ ClientPCs Servers ];
destination-address any;
application [ junos-http junos-https ];
}
then {
permit;
}
}
policy DNS {
match {
# NOTE(review): DNSServers is not in the Trust address-book shown (ClientPCs,
# dc01, dc02, Servers); either it was censored out or this policy cannot commit.
source-address [ DNSServers ];
destination-address any;
application [ junos-dns-tcp junos-dns-udp ];
}
then {
permit;
}
}
# Return traffic from the LAN to VPN users. Matches everything left over; narrowing
# destination-address to vpn-clients (defined in the Internet zone book, the to-zone
# here) would make the intent explicit.
policy vpn-users {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn t400-vpn;
}
}
}
}
}
from-zone Internet to-zone Trust {
# VPN users (192.168.1.0/24 pool range) get unrestricted access to the LAN.
# Given the unmanaged-laptop worry in the post, limiting application to what
# remote users need is the cheapest control available here.
policy vpn-clients {
match {
source-address vpn-clients;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn t400-vpn;
}
}
}
}
}
}
zones {
security-zone Trust {
# Ranges censored; "<ip range>" placeholders.
address-book {
address ClientPCs <ip range>/21;
address dc01 <ip range>/32;
address dc02 <ip range>/32;
address Servers <ip range>/23;
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
# Management only from the LAN: matches the https binding under system services.
system-services {
#all;
ping;
https;
ssh;
}
}
}
}
}
security-zone Internet {
address-book {
# Covers both client pools (.101-.149 and .200-.250) in the access stanza.
address vpn-clients 192.168.1.0/24;
}
# Zone-level and interface-level lists below are the same; one of them is redundant.
host-inbound-traffic {
system-services {
ike;
ping;
}
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
# Only IKE and ping are accepted from the internet; "all" stays commented out.
system-services {
#all;
ike;
ping;
}
}
}
# NOTE(review): no st0 unit exists under "interfaces" and the VPN has no
# bind-interface, so this entry appears unused in the config shown.
st0.0;
}
}
security-zone GuestUsers {
description "Guest users from wireless";
interfaces {
ge-0/0/3.0 {
host-inbound-traffic {
# Guests can only talk DHCP to the firewall itself; no management exposure.
system-services {
dhcp;
}
}
}
}
}
}
}
access {
# NOTE(review): older-style pool; neither profile below references it (both use
# t400-assign-pool), so it looks like a leftover.
address-pool t400-pool {
address-range low 192.168.1.200 high 192.168.1.250 mask 255.255.255.0;
primary-dns 10.1.10.18;
}
# spotted this on the net, but it doesn't seem to work yet?
# if I use the GUI and select this profile, it complains about unsupported property?
# RADIUS variant of the XAuth profile. It is not referenced by the IKE gateway
# (which uses t400-access), so it is inert as posted. As far as I know the
# dynamic-vpn license only gates the "security dynamic-vpn" (Pulse) feature,
# not XAuth via an access profile - confirm for this release.
profile t400-access2 {
authentication-order radius;
address-assignment {
pool t400-assign-pool;
}
radius-server {
# Placeholder secret; the secret must match the one in system radius-server.
10.1.10.20 secret "secret";
}
}
# Active XAuth profile: local username/password per client (one entry shown).
profile t400-access {
authentication-order password;
client Joe {
firewall-user {
# Placeholder; real value censored.
password "secret";
}
}
address-assignment {
pool t400-assign-pool;
}
}
address-assignment {
# Addresses pushed to VPN clients via XAuth, plus the internal DNS server the
# post relies on for UNC-path name resolution.
pool t400-assign-pool {
family inet {
network 192.168.1.0/24;
range t400-range {
low 192.168.1.101;
high 192.168.1.149;
}
xauth-attributes {
primary-dns 10.1.10.18/32;
}
}
}
}
firewall-authentication {
web-authentication {
# Same local user database is used for web-auth; the "Joe" credentials serve both.
default-profile t400-access;
}
}
}
applications {
# Empty: policies only use the built-in junos-* applications.
}
And for ShrewSoft VPN:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:60
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-dns-suffix-auto:0
s:network-host:<your public ip>
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-suffix:<yourdomainsuffix.org>
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:any
s:ident-client-data:<remote@domain.org>
b:auth-mutual-psk:<your preshared key>
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-level:auto
s:policy-list-include:<your own IP ranges> / <subnet>,<your own firewall IP range> / <subnet>
s:client-saved-username:Joe