SRX

Hi all,

I’m newbie for Juniper…

Just wonder that Shrew Soft VPN client (third party VPN client) able to work with Juniper SRX series? I had success to make the VPN connect by using Juniper Access Manager but not Shrew Soft. I know that Shrew Soft able to work with Juniper SSG series but how about SRX…

Can anybody advice on this? Here in my configuration.

Attachment(s)

TestVPN.txt   14 KB 1 version

Yes it works.

Here is a configuration one of our internal gurus came up with that has been tested in a lab with the Shrew client.

## Last changed: 2011-01-17 21:14:39 MST
version 10.4R1.9;
system {
        login {
        user admin {
            uid 2002;
            class super-user;
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file traffic-log {
            any any;
            match RT_FLOW;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.4.4.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 4.4.4.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.180.39/24;
            }
        }
    }
}
security {
    ike {
        proposal RemoteVPNPolicy1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy RemoteVPNIKE {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$ywMeMXVwgUjq7-jqmfn6revW7-"; # SECRET-DATA
        }
        policy t400-ike-policy {
            mode aggressive;
            proposals RemoteVPNPolicy1;
            pre-shared-key ascii-text "$9$IcPhyKX7V4aUM8aUjH5TRhSrM8"; # SECRET-DATA
        }
        inactive: gateway RemoteVPN {
            ike-policy RemoteVPNIKE;
            dynamic user-at-hostname "remote@domain.com";
            external-interface ge-0/0/1.0;
        }
        gateway t400-ike-gw {
            ike-policy t400-ike-policy;
            dynamic {
                user-at-hostname "remote@domain.com";
                connections-limit 50;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/1.0;
            xauth access-profile t400-access;
        }
    }
    ipsec {
        proposal RemoteVPNIPSec {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy RemoteVPNIPSec {
            proposals RemoteVPNIPSec;
        }
        policy t400-ipsec-policy {
            proposals RemoteVPNIPSec;
        }
        inactive: vpn RemoteVPN {
            ike {
                gateway RemoteVPN;
                ipsec-policy RemoteVPNIPSec;
            }
            establish-tunnels on-traffic;
        }
        vpn t400-vpn {
            ike {
                gateway t400-ike-gw;
                ipsec-policy t400-ipsec-policy;
            }
        }
    }
    zones {
        security-zone corp {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            address-book {
                address hq-net-10-4-4 10.4.4.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            policy RemoteVPN {
                match {
                    source-address any;
                    destination-address hq-net-10-4-4;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn t400-vpn;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
}
access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 55.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }
    }
    address-assignment {
        pool t400-assign-pool {
            family inet {
                network 192.168.40.0/24;
                range t400-range {
                    low 192.168.40.101;
                    high 192.168.40.149;
                }
                xauth-attributes {
                    primary-dns 10.4.4.85/32;
                }
            }
        }
    }
}

Thanks Hanks, it’s working with Shrew client now.

But… I can’t connect to the remote peer network + no internet connection after VPN is connected.

Do you have any idea?

Attachment(s)

VPNwork.doc   14 KB 1 version

ShrewSetting.doc   426 KB 1 version

It's doing global tunneling, you will need to create polices on your juniper to allow the traffic out or use split tunneling on the shrew.

Hi

By the way, is dynamic-vpn license still needed in this case for more than 2 users?

Yes Dymanic VPN liceses will be required.

Are you sure that Dynamic licenses are required for Shrew to work? It defeats the purpose of using a free VPN client. NCP does not require Dynamic licenses to be in place.

Thanks,

John

no it does not require dynamic vpn license.   I have about 60 shrew VPN tunnels up atm.

Dynamic VPN licenses are only required if you are using JUNOS Pulse or Juniper Access Manager (JAM), where the device pushes the config over to the PC, and client.  In this case, you are not using Dynamic VPN, and hence not required.

YIn both my srx (version 10.2R3.10;)  I can't add these commands

        address-assignment {
            pool t400-assign-pool;

access {
    address-pool t400-pool {
        address-range low 192.168.40.200 high 192.168.40.250 mask 55.255.255.0;
        primary-dns 10.4.4.75;
    }
    profile t400-access {
        authentication-order password;
        client joe {
            firewall-user {
                password "$9$K9QWX-YgJHqfVwqfTzCAvWLxVw"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }

After lots and lots of head-aches (my colleague left, I had to jump in, his config was half finished), I've come to this (censored) version, which finally allows me to connect from internet to our network.

* is it possible to have RADIUS verification, without a dynamic VPN license, with SRX 550, for the "t400-access" profile? Estimated users: 15. It was a feature we had on our SSG.

I've been able to configure RADIUS authentication for accessing the firewall (vendor code 2636, RADIUS = Windows Server 2012).

* is it possible to limit the VPN access to certain MAC addresses? My fear is that one day users will simply copy the VPN config from their ShrewSoft to their private laptops, which are missing our policies and antivirus software.

The following two problems seem to be solved, I'm leaving this here for future reference for others.

* using ShrewSoft VPN Access Manager 2.2.0, I still get disconnected. As suggested earlier, I changed the lifetimes: phase 1 => 180, phase 2 => 28800. Yet I still get disconnected after 2 or 3 minutes? (update - but it needs further testing: I might have this one fixed. On the firewall, I left the phase 1 lifetime on 180, in the ShrewSoft client I've put it on 60 ).

* perhaps it has to do with the RADIUS verification, but I can't ping nor access a computer if I use the UNC-path ( e.g.  \\MYPC-01.intranet.domain.com\C$ ) - I have to use its IP ( \\10.1.10.20\C$ ). How can I fix this, since a lot of the software we work with, rely on names rather than IPs? The DNS server is 10.1.10.18 (in the config below). => after changing the lifetime to 60, this also seems to be fixed, whatever the reason might be.

## Last changed: 2015-05-01 20:56:51 CEST
version 12.1X44-D45.2;
system {
    host-name SRX550;
    time-zone Europe/Brussels;
    authentication-order [ password radius ];
    root-authentication {
        encrypted-password "";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    name-resolution {
        no-resolve-on-input;
    }
    radius-server {
        10.1.10.20 {
            port 1812;
            secret "";
            timeout 3;
            retry 3;
            source-address <ip of your firewall>;
        }
    }
    radius-server {
        10.1.10.20 {
            port 1812;
            secret "X";
            timeout 3;
            retry 3;
            source-address ip-of-firewall;
        }
    }
    radius-options {
        password-protocol mschap-v2;
    }
    login {
     
        user remote {
            # Defines role for RADIUS users who are not individually specified.
            full-name "All remote users";
            uid 2000;
            # operator
            class read-only;
        }
    }
    services {
        ssh;
        web-management {
            https {
                system-generated-certificate;
                interface ge-0/0/1.0;
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            maximum-lease-time 86400;
            default-lease-time 86400;
            name-server {
                8.8.8.8;
                8.8.4.4;
            }
            router {
                192.168.0.1;
            }
            pool 192.168.0.0/24 {
                address-range low 192.168.0.2 high 192.168.0.254;
                maximum-lease-time 86400;
                default-lease-time 86400;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file kmd-logs {
            daemon info;
            match KMD;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server be.ntp.pool.org;
    }
}
interfaces {
    ge-0/0/0 {
        description Internet;
        unit 0 {
            family inet {
                address publicIp/29;
            }
        }
    }
    ge-0/0/1 {
        description Lan;
        gigether-options {
            no-auto-negotiation;
        }
        unit 0 {
            family inet {
                address <ip of your firewall>/28;
            }
        }
    }
    ge-0/0/2 {
        description uplink2;
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description uplink2;
            family inet {
                address publicIp/24;
            }
        }
    }
    ge-0/0/3 {
        description "Guest Users";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "Guest Users";
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    
}
routing-options {
    static {
        # removed
    }
}
protocols {
    stp {
        disable;
    }
}
security {
    ike {
        
        proposal t400-ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 180;
        }
         
        policy t400-ike-policy {
            mode aggressive;
            proposals t400-ike-proposal;
            pre-shared-key ascii-text "secret";
        }
       
        gateway t400-ike-gw {
            ike-policy t400-ike-policy;
            dynamic {
                user-at-hostname "remote@domain.org";
                connections-limit 50;
                ike-user-type shared-ike-id;
            }
            external-interface ge-0/0/0.0;
            xauth access-profile t400-access;
        }
    }
    ipsec {
        
        proposal t400-ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
       
        policy t400-ipsec-policy {
            proposals t400-ipsec-proposal;
        }
        
        vpn t400-vpn {
            ike {
                gateway t400-ike-gw;
                ipsec-policy t400-ipsec-policy;
            }
        }
    }
    alg {
        ike-esp-nat {
            enable;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool src-nat-woonnet {
                address {
                    10.100.16.32/29;
                }
                port no-translation;
            }
            rule-set nsw_srcnat {
                from zone Trust;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
                 
           
            rule-set nsw_guestusers {
                from zone GuestUsers;
                to zone Internet;
                rule source-nat-rule-guestusers {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
			# removed
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    publicip/32 to publicip/32;
                }
            }
        }
    }
    policies {
        from-zone Trust to-zone Internet {
            policy InternetAccess {
                match {
                    source-address [ ClientPCs Servers ];
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
           
		   
            policy DNS {
                match {
                    source-address [ DNSServers ];
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
			
            policy vpn-users {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn t400-vpn;
                        }
                    }
                }
            }
        }
        from-zone Internet to-zone Trust {
         
            policy vpn-clients {
                match {
                    source-address vpn-clients;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn t400-vpn;
                        }
                    }
                }
            }
        }
        
           
    }
    zones {
        security-zone Trust {
            address-book {

                address ClientPCs <ip range>/21;
				
				
                address dc01 <ip range>/32;
                address dc02 <ip range>/32;
                address Servers <ip range>/23;
				
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            #all;
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            address-book {
                address vpn-clients 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            #all;
                            ike;
                            ping;
                        }
                    }
                }
                st0.0;
            }
        }
     
	 
        security-zone GuestUsers {
            description "Guest users from wireless";
            interfaces {
                ge-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
access {
    address-pool t400-pool {
        address-range low 192.168.1.200 high 192.168.1.250 mask 255.255.255.0;
        primary-dns 10.1.10.18;
    }
	
	# spotted this on the net, but it doesn't seem to work yet?
        # if I use the GUI and select this profile, it complains about unsupported property?
    profile t400-access2 {
        authentication-order radius;
        address-assignment {
            pool t400-assign-pool;
        }
        radius-server {
            10.1.10.20 secret "secret";
        }
    }
    profile t400-access {
        authentication-order password;
        client Joe {
            firewall-user {
                password "secret";
            }
        }
        address-assignment {
            pool t400-assign-pool;
        }
    }
    address-assignment {
        pool t400-assign-pool {
            family inet {
                network 192.168.1.0/24;
                range t400-range {
                    low 192.168.1.101;
                    high 192.168.1.149;
                }
                xauth-attributes {
                    primary-dns 10.1.10.18/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile t400-access;
        }
    }
}
applications {

}

And for ShrewSoft VPN:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:60
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:28800
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:client-dns-suffix-auto:0
s:network-host:<your public ip>
s:client-auto-mode:push
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-suffix:<yourdomainsuffix.org>
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:any
s:ident-client-data&colon;<remote@domain.org>
b:auth-mutual-psk:<your preshared key>
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:0
s:policy-level:auto
s:policy-list-include:<your own IP ranges> / <subnet>,<your own firewall IP range> / <subnet>
s:client-saved-username:Joe

I've figured out most of the issues/questions and updated the post above for reference, since a lot of people seem to link to this topic.

Basically only 2 questions remain:

* setting up RADIUS-authentication for VPN-users on SRX 550: is it possible to do so without a dynamic license? If so, how? I've seen configuration for an access profile relying on authentication-order radius, but it doesn't seem to work. When I configure it, and go to the GUI to the profile, it complains about unsupported values. So, is it possible or not, and how?

* if not: I would really like to tighten security by limiting the VPN option to MAC addresses - can I do that?

Great job, Jeffrey89!

I managed to use Shrew VPN on SRX345 after changing Phase1 life-time to 180 sec. Before that changes Shrew was auto-disconnecting every1-2 minutes.

Best regards,

Mike

Still facing instable connections.Or better: again. No idea why, it's been a while now. We did update our firmware. Could be the reason. With the exact same config as above, but with RADIUS enabled now (you can only do this with the CLI, not in the GUI).

Is there anyone with SRX device + ShrewSoft VPN with stable connections for longer periods?

Or is there  a  limit to the number of concurrent VPN users?

mike@esynctraining.com, I'm really curious towards your config / feedback, if you still read this. 🙂

----

Update 27th of November 2016:

Either I'm lucky, or this config works. Mainly same as above, but:

* Firewall: phase 1: 86400

* ShrewSoft: phase 1: 60

* Client keep-alive packet rate: 10 seconds

Requires ShrewSoft 2.2.2 (!) and JunOS 12.3XD48-30

Update 3rd of December, 2016:

Issue still not fixed. We replaced our modem.

From different locations: vpn stays up for max 5 minutes.

From internally:  <pc> - internet router (excluding the old/new modem) - firewall: remained stable Friday for 2 hours, but after no config changes and using a different laptop, it still disconnects sometimes.

Still unsure if the issue is with the config (which was quite stable before); the firmware (we upgraded in August); the hardware of the firewall or the internet provider hardware. Will connect the laptop directly onto the firewall early next week.

The issue has NOT been resolved. It's been with Juniper support for 2 weeks.

We've been trying to pinpoint when the issue started, we think it was in the Summer, when Juniper advised a firmware upgrade for a different reason. We come from 12.1X44-series, which is no longer supported, but for which the config worked.

Right now, the config has changed, but mostly typical policies were added and some stuff has been tried to block a video stream (all possible ways failed, Juniper had no conclusive answer on how to block RTMP streams without specifying the IP of the website).

Anyhow, after removing nearly all changes, I still can't get the VPN to stay up in the 12.3X48-series (upgraded to the latest version this noon).  So it might be a firmware issue. That's my main suspect for now. It's 100% definitely a firewall issue, not a network issue.

Has anyone a working config for IPSec VPN with ShrewSoft, which works on 12.3X48 series?
If so, please be so kind to share it here or privately.
If I get something to work, I'll post  it here again.

Oh, also, the question "are dynamic VPN licenses required?". The first support engineer claimed it was necessary, the last guy told me they are not required for the config as suggested in this topic...

SRX comes with two DynVPN user licenses. You have to purchase more to support more users. Why dont you enable traceoptiosn and see if it gets you some information?

Have you ever found a solution to this? I've exactly the same problem, where the very same configuration works flawlessly on a SRX-650 running 12.1X46-D40.2 (stable for weeks, no disconnects), but I'm seeing those repeated disconnects on my lab SRX 320 running 15.1X49-D90.7. Again, very same config (load merge terminal).

Hey, just grappled with this

Need to tell the Shrew client what networks are going to be tunneled.

To do this open the client

Policy tab 

Untick "Obtain Topology Automatically or Tunnel All"

Click "Add" and enter the network that you want to tunnel to 

Save and reconnect, should work.

I've tried the suggested configuration and it woks just for 200 seconds.

After that time I receive back :

gateway is not responding

tunnel disabled

detached from key daemon....

Tested with SRX240 10.4.8.5 junos version and Shrew 2.1.7 and 2.2.0(beta).

Any suggestion ?

I have this same problem and would really love to figure this out.  The SRX deletes the SA after a couple minutes, then Shrew reports that the gateway is not responding and disconnects.   Running Wireshark and I am not seeing Heartbeats or any packets for that matter that are coming from the SRX.  From the IKE traceoption is appears that the SRX is receiving DPD packets from Shrew client.

10.4R8.5 with shrew 2.2.0.

Juniper Networks Access Manager works fine with dynamic VPN.

YES

Juniper Networks Access Manager works fine.

I've used it.

I got the same problem with Shrew and SRX: disconnects consistently after 200 sec.

The workaround is to set Phase1 key life time to 180 sec while keeping Phase2 key life time on default 28800. This will force a rekey before the SA is deleted from the SRX. Tunnel connectivity is not disrupted and the tunnels stays up.

Have been testing the tunnel using icmp for the last hour and get occasional spikes of 70ms delay, I guess because of the rekey (min latency is 35ms and avg is 40ms).

Tested with SRX210H running Junos 11.4r2.1 and Shrew 2.1.6 on Windows and on Linux (Ubuntu).  

Pascal.

The proper supported IPsec VPN client is NCP: http://www.ncp-e.com.

It works with no problems, stable, reliable and fast. I think you get what you pay for 😎

from my experience, the device disconnects after 60 seconds, just like whats mentioned in the link

https://lists.shrew.net/pipermail/vpn-help/2012-December/014094.html

once i set the key life time limit to 55 seconds its stays up with no issues. Anyways it should be fixed hopefully in the next release of shrew.

HTH

khalid.

Hi

I got Juniper SRX 1400 and Shrew Soft VPN client 2.2.2 and I was going to configure VPN remote access client between SRX 1400 an Shrew 2.2.2 and when I tried to connect from client VPN I got error "negotiation timout occurred" and then "detached from key daemon"

I got error in debug VPN IKE and IPSEC as below:

0/1/0 KMD2]IKE negotiation fail for local: remote: IKEv1 with status: No proposal chosen
 0/1/0 KMD2]  IKEv1 Error : No proposal chosen

configuration is:

proposal RemoteVPNPolicy1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;

policy t400-ike-policy {
    mode aggressive;
    proposals RemoteVPNPolicy1;
    pre-shared-key ascii-text "$9$1uxESeLxdgoGvWoGDif5IEcyvWX7-w24"; ## SECRET-DATA

gateway t400-ike-gw {
    ike-policy t400-ike-policy;
    dynamic {
        user-at-hostname test.org;
        ike-user-type shared-ike-id;
    }
    local-identity hostname test.org;
    external-interface ge-0/0/9;
    xauth access-profile t400-access;

IPSEC

proposal RemoteVPNIPSec {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;

policy t400-ipsec-policy {
    proposals RemoteVPNIPSec;
}
vpn t400-vpn {
    ike {
        gateway t400-ike-gw;
        ipsec-policy t400-ipsec-policy;

Access

profile t400-access {
    authentication-order password;
    client test {
        firewall-user {
            password "$9$l8/MWx2gJDHm8XJDiHmPBIRSKM"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool t400-assign-pool;
    }
}
address-assignment {
    pool t400-assign-pool {
        family inet {
            network 10.10.110.0/24;
            range t400-range {
                low 10.10.110.1;
                high 10.10.110.100;
            }
            xauth-attributes {
                primary-dns 10.10.13.1/32;

anybody has any advice please?

Best regards,

I can't put my fingers on the documentation right now.  But I am pretty sure that dynamic vpn is only supported on the branch SRX devices (those with 3 digit model numbers).  That the data center series does not support these dynamic vpn connections.

the vpns are ipsec so you could use the Shrew client on the branch setups.

Thank you for your response and help.

Yes, I have been already trying to test with mentioned Juniper configuration with Shrew client but I got mentioned error when I tried to connect from Shrew 2.2.2 version to SRX 1400 with JUNOS version 12.1X44-D25.5. I checked this fourm before and found sample configuration for Shrew version 2.2.0 and SRX JUNOS 10.4 and I followed according to exact configuration but I still got error and cant connect VPN. Do you have any idea where can be problem?

Best Regards,

Shahinsrx,

What we are saying is that your SRX1400 does NOT work with this feature.  You would need to have one of the 3 digit SRX models like SRX100; SRX220 or the like to configure dynamic vpn.

So, I've configured an SRX 300 per the config on page 1 of this subject, but I'm new to configuring VPNs and new to Shrew, so can anyone tell me how to configure the Shrew connection to work with the above configuration? Screenshots would be awesome, but a tab-by-tab explanation might substitute.  There are an awful lot of options, but if I can get this configuration to work, it would be enormously helpful for future deployments.  Thank you.

Touched up the general instructions from the Shrew site to match the parameters that are available in the first post.  The main missing piece is the policies on network access in the last tab.

General Tab
This Host Name or IP Address is defined to match the Junipers public interface address. The Auto Configuration mode should be set to ike config push.

Phase 1 Tab
The Exchange Type is set to aggressive and the DH Exchange is set to group 2 with lifetime of 86400

Authentication Tab
The Authentication Method is defined as Mutual PSK + XAuth.

Local Identity Tab
The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "test.org" to match the Phase1 User ID value.

Remote Identity Tab
The Remote Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of "test.org" to match the Auto Key Advanced Gateway ID value.

Credentials Tab
The Credentials Pre Shared Key needs to match this in the Junos config so pick a new passphrase and set on both.

set security ike policy t400-ike-policy pre-shared-key BLAH

Policy Tab
Create an include Topology entry for each IPsec Policy network created on the gateway. These are the network ranges you want to reach on the connection.

Hi to all,

I'm configuring this in a SRX345 and I'm not able to mantain the tunnel activated and enable... The tunnel is disabled in about 60 seconds... I have configured the times for ike and Ipsec (180 and 28800 seconds) how is said in the thread, but the tunnel is deactivated automatically...

In the Shrew VPN trace I can see " ii:received peer DELETE message" sended by the gateway (the SRX345 in this case) then the VPN client delete the ike phase 1.

I'm searching on Google, but I only get threads that talk about the times, but this does not solve my problem. Any ideas on this?

I have an SRX345 with 15.1X49-160.2 and Shrew VPN client 2.2.2 version.

Thanks in advance!!

Regards,

David

I would start by changing the 180 ike timeout to something more usual like 3600.

I suspect the very short duration is at least part of the issue.

Hi Spuluka,

Should I change the both sides timings??? I mean in the SRX and the VPN Client...

I have tested this with many timings but the client is disconnected in all of cases.

Thanks.

David.

Yes, both the time values and all the crypto settings have to match on both the SRX and the client.