SRX Services Gateway

junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 07:44 AM

Could it be possible to know when Junos Pulse will be able to connect to an SRX gateway with certificate-based authentication? (For the IKE part, not for the HTTPS part.)

13 REPLIES

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 07:53 AM

The current solution on the SRX is dynamic VPN. This is a clientless solution. The client delivered to the host is an access manager.

The dynamic VPN solution does not support certificates, as both the local cert as well as the CA cert have to be delivered after HTTPS authentication to the client such that IKE phase-1 can be negotiated.

The Pulse client will be integrated into the SRX; however, that is a roadmap item.

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 07:59 AM

KB17641 mentions Pulse, SRX and dynamic VPN.

Even if Pulse is mentioned, Pulse is not used?

This is really confusing.

Is there a way to use a regular IPsec client with an SRX gateway (as a workaround)?

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 08:02 AM

Yes, a regular IPsec client does work with SRX. However, JTAC does not officially support clients other than the dynamic VPN client.

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 08:04 AM

Do you have a sample config by chance (using route-based or policy-based)?

I can use NetScreen-Remote or any other VPN client.

I was already aware of the non-support, but if there is no alternative I take the risk anyway.

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 08:08 AM

Actually, the config on the SRX for any remote client would be exactly the same as the config you use for "dynamic vpn". You just need to delete all the config under the "security dynamic-vpn" stanza.

The rest of the config under ike and ipsec will remain the same.

Of course, if you need certificates instead of pre-shared keys you can add that under the ike config.

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 02:01 PM

NS Remote with PSK and XAuth works flawlessly;

NS Remote with certificates also works fine;

I can share the config if some are interested. (All certificates are generated from the same cert server.)

Re: junos pulse with certificate authentication

11.16.10   |  
‎11-16-2010 02:12 PM

This app note may be useful.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN16&cat=SRX_SERIES&actp=LIST

This applies to J-Series, which supports the NetScreen-Remote IPsec client. As Vairavan mentions, JTAC cannot support the configuration on SRX Branch. But the configuration should be the same. There is also an app note regarding PKI certificates with IPsec which may be useful as well.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN17&cat=SRX_SERIES&actp=LIST

For the NetScreen-Remote side itself there are also some KB articles out there on kb.juniper.net that can help you with that side. Between these app notes I think you should have the information you need.

Re: junos pulse with certificate authentication

11.17.10   |  
‎11-17-2010 12:07 AM

Thanks for the links.

Is there any info regarding PKI in a cluster environment? (Target is NS Remote + certs vs SRX cluster.)

Is the certificate and PKI info shared between the nodes?

Otherwise, how can I synchronize the certs and keys between the nodes?

Re: junos pulse with certificate authentication

11.17.10   |  
‎11-17-2010 12:56 AM

PKI is supported in an SRX cluster environment. It is kept synchronized between nodes.

Re: junos pulse with certificate authentication

11.17.10   |  
‎11-17-2010 02:49 AM

Thanks for the feedback.

Another quick info: the certificate load info doesn't support filenames with spaces, even if you specify the name between "".

Re: junos pulse with certificate authentication

11.17.10   |  
‎11-17-2010 03:17 AM

 

It will be verified and corrected if it is a bug.


Re: junos pulse with certificate authentication

03.02.12   |  
‎03-02-2012 08:19 AM

Hi PKCPKC,

It is too late to restart this discussion.

But do you have a working config for dynamic-vpn or remote-access VPN using certificates?

Thank you!

Re: junos pulse with certificate authentication

11.08.13   |  
‎11-08-2013 06:24 AM

Hello guys!

Could someone say if it is possible now to use Juniper SRX for certificate-based (smartcards with PINs) VPN authentication for remote users? Maybe somebody has configs for dynamic VPN or uses Junos Pulse with this scenario or something like that.

The aim is to create VPN access for teleworkers using the smartcards which they use in the office.