SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX IPsec client VPN

  • 1.  SRX IPsec client VPN

    Posted 03-19-2018 10:10

    Hi,

    Many apologies. This is one part of the configuration I neglected.

    I need to configure an IPsec VPN for client access. So, for example, we will need access to the ISP Data Network via a VPN but only for work personnel, so if any work needs completing from home it can be.

    The Client VPN package we use is "anyconnect".... Basically, I have no idea how to complete this configuration.

    Thank you



  • 2.  RE: SRX IPsec client VPN

    Posted 03-19-2018 12:05

    Hi there adgwytc,

    Depending on your topology, use case, 'AnyConnect'-specific deployment parameters and a multitude of other criteria, there's a pretty sizeable variance in possible SRX-side configuration requirements.

    Here's a good place to start.

    If you get stuck on something, shout out - the more information you provide about your implementation/topology/etc., the more likely it is that myself or someone else will be able to help.

    Best,

    -s



  • 3.  RE: SRX IPsec client VPN

    Posted 03-19-2018 21:33

    You can configure Dynamic VPN (the basic license has 2 concurrent connection capability).

    To configure Dynamic VPN, follow the KB:

    https://kb.juniper.net/InfoCenter/index?page=content&id=TN7&actp=METADATA

    Also, you might need to install the Junos Pulse client for Dynamic VPN access.

    Also, hope you are running Junos 15.1X49-D75 onwards if you are using the SRX3xx series.

    HTH..



  • 4.  RE: SRX IPsec client VPN

    Posted 03-20-2018 00:39

    I have had a read of the KB article...... We are utilising 2 x SRX1500. The current Junos version is the Juniper recommended one for an SRX1500. I will have a look when I get to work.

    The set up is for client access running direct from a laptop at home or somewhere out in the World... it is NOT a site-to-site VPN.

    Laptop --> Internet --> Core1 --> SRX

    The connection from the core is via an upstream service provider and we have an ae link to the SRX on a customer routing-instance. Would the VPN access have to be on its own routing-instance? So, a separate connection from Core1 to the SRX?

    I don't think Junos Pulse is available for the SRX1500?

    Is a license required for the VPN please?

    Thank you



  • 5.  RE: SRX IPsec client VPN

    Posted 03-20-2018 01:18

    "The connection from core is via upstream service provider and we have an ae link to the SRX on a customer routing-instance. Would the VPN access have to be on its own routing-instance? So, a separate connection from the Core1 to the SRX?"

    - I think IPsec VPN and routing instances work independently. As long as the customer's public IP is reachable over the internet, whether inside a routing instance or in the main routing instance, the VPN will be formed provided the parameters match.

    "I don't think Junos Pulse is available for SRX1500?"

    - Yes. I did not know that you were looking for the SRX1500. For the 1500 series, kindly have a look at the following.

    Feature support – https://apps.juniper.net/feature-explorer/feature-info.html?fKey=7741&fn=NCP+Exclusive+Remote+Access+Client+connections+to+IPsec+VPN+gateways

    NCP remote access client – https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-vpn-ncp-remote-access-client.html

    Config KB –
    https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-ncp-remote-access-client-configuring.html

    "Is a license required for the VPN please?"

    - A two-user license is supplied by default on an SRX Series device. A license is required for additional users. Contact your Juniper Networks representative for license information.



  • 6.  RE: SRX IPsec client VPN

    Posted 03-20-2018 02:45

    Hi Milindmistry,

    Thank you for the information.

    We actually don't require a license. It appears that only 2 users will ever have access via VPN to these systems. The license is released after 60 seconds of IKE teardown, so all is good there.

    The example utilises RADIUS as the authentication process whereas we require local SRX authentication given that it is only 2 users.... Also, is the locally generated certificate secure enough? If not, is there a particular authority that is normally utilised please?

    Thanks



  • 7.  RE: SRX IPsec client VPN

    Posted 03-20-2018 02:57

    "We actually don't require a license. It appears that only 2 users will ever have access via VPN to these systems. The License is released after 60 seconds of IKE teardown, so all is good there." - okay

    "The example utilises RADIUS as the authentication process whereas we require local SRX authentication given that it is only 2 users" - 2 concurrent user connections are possible with the license. You may configure n number of local users; however, at one instant only 2 of them will be able to connect.

    "also, is the locally generated certificate secure enough? If not, is there a particular authority that is normally utilised please?" - I think it is secure enough as it is using a 2048-bit RSA key; still, if you would like a third party, then it will be the end client's choice of CA.



  • 8.  RE: SRX IPsec client VPN

    Posted 03-20-2018 06:11

    Hi Milindmistry,

    Thank you for the response.

    Apologies, I should have re-worded my question...... I'm asking how to configure the VPN for local user authentication rather than RADIUS. The documentation only seems to supply for RADIUS authentication. Any help would be great... Thank you



  • 9.  RE: SRX IPsec client VPN

    Posted 03-20-2018 10:42

    I do not have the lab devices running the same setup; however, you may try as follows.

    From the config KB, you might need to change the following and see if that helps.

    set access profile RA_EXTERNAL-AUTH client client1 firewall-user password "$ABC123"
    set access profile RA_EXTERNAL-AUTH client client2 firewall-user password "$ABC123"
    set access profile RA_EXTERNAL-AUTH address-assignment pool RA_LOCAL-IP-POOL

    set security ike gateway RA_IKEv2_EXT-AUTH xauth access-profile RA_EXTERNAL-AUTH

    Not to be configured -> aaa access-profile RA_EXTERNAL-AUTH



  • 10.  RE: SRX IPsec client VPN

    Posted 03-21-2018 03:02

    Hi Milindmistry,

    Thank you for the response. Just one last question please:

    In the document it states the following for the CA:

    user@host# set security pki ca-profile CA_Server ca-identity CA_Server
    user@host# set security pki ca-profile CA_Server enrollment url http://192.168.5.12/certsrv/mscep/mscep.dll
    user@host# set security pki ca-profile CA_Server revocation-check crl url http://192.168.5.12/crl
    user@host# commit

    What would be the URL requirements if this was local logon authentication? Or is this what needs to be overwritten with your commands please?

    Thanks


  • 11.  RE: SRX IPsec client VPN

    Posted 03-21-2018 07:44

    Hi,

    It seems there are some real problems using the example given and what the SRX expects......

    I am trying to overcome the "Commit" errors that occur because of differing configuration commands and cannot get a working version from the example given. For local authentication I need to use "Pre-Shared-Keys" as no certificate is being generated (unless there is a way I can achieve that locally on the SRX - all examples I can find use a Server somewhere)..... Unfortunately, this means that I can only use Version 1 and, of course, it won't let me; it tells me I have to use Version 2..... it appears NCP requires version 2.

    How can I get around this issue please?

    This is what I have configured so far:

    1: Configured dynamic users and IP address pool:

    set access profile dynamic-xauth client John firewall-user password <password>
    set access profile dynamic-xauth client Dave firewall-user password <password>
    set access profile dynamic-xauth client Chris firewall-user password <password>
    set access profile dynamic-xauth client Daniel firewall-user password <password>

    set access profile dynamic-xauth address-assignment pool dynamic-vpn-pool
    set access address-assignment pool dynamic-vpn-pool family inet network 192.168.1.0/24
    set access address-assignment pool dynamic-vpn-pool family inet xauth-attributes primary-dns 100.100.100.10/32
    set access firewall-authentication web-authentication default-profile dynamic-xauth

    2: Configured IKE proposal:

    set security tcp-encap profile NCP

    [edit security ike proposal nguser]
    set authentication-method pre-shared-keys
    set authentication-method rsa-signatures
    set dh-group group19
    set encryption-algorithm aes-256-gcm

    [edit security ike policy ngikepolicy]
    set proposals ngvpnuser
    set pre-shared-key ascii-text testing123

    [edit security ike gateway ngikepolicy]
    set ike-policy ngikepolicy
    set dynamic hostname ninegroup.co.uk
    set dynamic ike-user-type shared-ike-id
    set aaa access-profile dynamic-xauth
    set external-interface ae2
    set tcp-encap-profile NCP

    3: Configured IPsec proposal:

    [edit security ipsec proposal ngipsecproposal]
    set protocol esp
    set encryption-algorithm aes-256-gcm

    [edit security ipsec policy RemoteAccess]
    set perfect-forward-secrecy keys group19
    set proposals ngipsecproposal



  • 12.  RE: SRX IPsec client VPN

    Posted 03-21-2018 08:32

    Let's try and make this a bit easier for troubleshooting.....

    I have got what, in theory, should be a working NCP configuration.... all is good apart from one important part.... here is the basic configuration that I think should work:

    set access profile xauth-prof1 authentication-order password
    set access profile xauth-prof1 client clive firewall-user password password
    set access profile xauth-prof1 address-assignment pool xauth-pool
    set access address-assignment pool xauth-pool family inet network 192.168.20.0/24
    set access address-assignment pool xauth-pool family inet xauth-attributes primary-dns 100.100.100.10/32

    [edit security ike proposal ngikeproposal-1]
    set authentication-method pre-shared-keys
    set dh-group group2
    set authentication-algorithm sha1
    set encryption-algorithm aes-192-cbc
    set lifetime-seconds 28800

    [edit security ike policy ngikepolicy-1]
    set mode aggressive
    set proposals ngikeproposal-1
    set pre-shared-key ascii-text testing123

    [edit security ike gateway ng-remote-vpn-1]
    set ike-policy ngikepolicy-1
    set dynamic user-at-hostname clive@ninegroup.co.uk
    set dynamic connections-limit 2
    set dynamic ike-user-type shared-ike-id
    set external-interface ae2
    set xauth access-profile xauth-prof1      <== highlighted line

    [edit security ipsec proposal ng-ipsec-proposal-1]
    set protocol esp
    set authentication-algorithm hmac-sha1-96
    set encryption-algorithm aes-128-cbc

    [edit security ipsec policy ng-ipsec-policy-1]
    set perfect-forward-secrecy keys group2
    set proposals ng-ipsec-proposal-1

    [edit security ipsec vpn ng-remote-vpn-1]
    set ike gateway ng-remote-vpn-1
    set ike ipsec-policy ng-ipsec-policy-1

    I have highlighted the line that is causing the issue.... there is no "xauth" option under that stanza so I cannot complete the configuration.

    Thanks



  • 13.  RE: SRX IPsec client VPN

    Posted 03-22-2018 01:54

    Hi,

    Is there anyone who knows how to get around, or the Juniper recommended method of getting around, this missing "xauth" command?

    I know it is required for the connectivity between the access profile that will have the users and passwords and IP pool assigned, and the actual authentication process for the tunnel. I have looked at "Dynamic VPN" but have found that it is only for Junos Pulse, which is not available for the SRX1500. If there is a way of getting a certificate installed directly on the Junos device for local logon, that may be a way around the issue.....

    Thank you



  • 14.  RE: SRX IPsec client VPN
    Best Answer

    Posted 03-22-2018 02:05

    XAuth is deprecated from 15.1X49-D80 and we have to use AAA. It's the same as XAuth, just the name changed.

    root@srx# set security ike gateway TEST aaa access-profile <profile-name>


  • 15.  RE: SRX IPsec client VPN

    Posted 03-22-2018 04:59

    Thank you rsuraj

    Tested and works... thanks

    I guess I should have tried that before, but in the options it can cause a little "confusion" as I expect anything stating "aaa" to be bound for a RADIUS Server and not local login.

    Again, many thanks
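What the thread converges on, as one complete set-format example: the local-user access profile and IKEv1/IPsec settings from post 12, with the gateway knob renamed as post 14 says (aaa access-profile in place of xauth access-profile). This is an added example, not configuration from the original posts or from Juniper's documentation. Everything not shown in the thread is an assumption: the object names (RA-LOCAL, RA-POOL, RA-GW, RA-VPN and the proposal/policy names), the corporate subnet 10.10.0.0/16, the st0.0 tunnel interface, the VPN/untrust/trust zone names and the permit policy, and the stronger algorithm choices (group14, SHA-256, AES-256) substituted for post 12's group2/SHA-1. The lines starting with # are for the reader and should be dropped before pasting into configuration mode.

```junos
# Local users and the address pool handed to clients (names, addresses assumed)
set access profile RA-LOCAL authentication-order password
set access profile RA-LOCAL client clive firewall-user password "replace-with-a-long-per-user-password"
set access profile RA-LOCAL client dave firewall-user password "replace-with-a-long-per-user-password"
set access profile RA-LOCAL address-assignment pool RA-POOL
set access address-assignment pool RA-POOL family inet network 192.168.20.0/24
set access address-assignment pool RA-POOL family inet xauth-attributes primary-dns 100.100.100.10/32

# IKEv1 phase 1: pre-shared key in aggressive mode (needed for a shared IKE ID);
# group14/SHA-256/AES-256 in place of post 12's group2/SHA-1/AES-192 (assumed choice)
set security ike proposal RA-IKE-PROP authentication-method pre-shared-keys
set security ike proposal RA-IKE-PROP dh-group group14
set security ike proposal RA-IKE-PROP authentication-algorithm sha-256
set security ike proposal RA-IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal RA-IKE-PROP lifetime-seconds 28800
set security ike policy RA-IKE-POL mode aggressive
set security ike policy RA-IKE-POL proposals RA-IKE-PROP
set security ike policy RA-IKE-POL pre-shared-key ascii-text "replace-with-a-long-random-group-key"

# Gateway for dynamic peers: all clients present one shared IKE ID, and the
# per-user name/password check comes from the access profile. 'aaa access-profile'
# is the 15.1X49-D80+ name for what post 12 tried to enter as 'xauth access-profile'.
set security ike gateway RA-GW ike-policy RA-IKE-POL
set security ike gateway RA-GW dynamic user-at-hostname clive@ninegroup.co.uk
set security ike gateway RA-GW dynamic connections-limit 2
set security ike gateway RA-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-GW external-interface ae2
set security ike gateway RA-GW version v1-only
set security ike gateway RA-GW aaa access-profile RA-LOCAL

# Phase 2, route-based on st0.0; the traffic selector covers the assumed corporate
# subnet on the local side and the client pool on the remote side
set security ipsec proposal RA-IPSEC-PROP protocol esp
set security ipsec proposal RA-IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal RA-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy RA-IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy RA-IPSEC-POL proposals RA-IPSEC-PROP
set security ipsec vpn RA-VPN bind-interface st0.0
set security ipsec vpn RA-VPN ike gateway RA-GW
set security ipsec vpn RA-VPN ike ipsec-policy RA-IPSEC-POL
set security ipsec vpn RA-VPN traffic-selector TS-CORP local-ip 10.10.0.0/16 remote-ip 192.168.20.0/24

# Tunnel interface, zones and the policy that lets VPN users reach the inside (all assumed)
set interfaces st0 unit 0 family inet
set security zones security-zone VPN interfaces st0.0
set security zones security-zone untrust interfaces ae2.0 host-inbound-traffic system-services ike
set security policies from-zone VPN to-zone trust policy RA-TO-TRUST match source-address any
set security policies from-zone VPN to-zone trust policy RA-TO-TRUST match destination-address any
set security policies from-zone VPN to-zone trust policy RA-TO-TRUST match application any
set security policies from-zone VPN to-zone trust policy RA-TO-TRUST then permit
```

After commit, show security ike security-associations and show security ike active-peer list each connected client with its user name and assigned pool address, and show security ipsec security-associations confirms the phase 2 SA. If NCP's TCP fallback is wanted, post 11's tcp-encap profile can be attached to the gateway with tcp-encap-profile, and the untrust zone then also needs host-inbound-traffic system-services tcp-encap. Two caveats worth keeping in mind with this design: the shared group pre-shared key is exchanged in IKEv1 aggressive mode, where the responder's authentication hash is sent to any client presenting the group ID before the per-user password is ever checked, so the group key must be long and random (not "testing123") and must not be treated as a user credential; and user accountability rests entirely on the per-user firewall-user passwords in the access profile, which is why the weak group2/SHA-1 proposals from post 12 are replaced here and why connections-limit stays at the two users the default license allows.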