
Juniper SRX - Dynamic VPN


This tutorial shows how to configure Remote Access VPN (Dynamic VPN) on the Juniper SRX.

IKE

Configure Aggressive Mode

set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard

Define Preshared Key

set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text <PRE-SHARED KEY>

Configure the IKE Gateway

Here we define that each client will have its own IKE-ID, generated from the username and the group ID (dynvpn).
We also specify which interface listens for connections; if you are running PPPoE this should be set to pp0.0.
The xauth profile determines how the user is authenticated and how addresses and access parameters are assigned.

set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-local-gw external-interface <UNTRUST INTERFACE>

IPSEC

Define the IPSEC VPN

set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

Additional

Configure System Services

The following host-inbound system services must be allowed on the untrust interface for the VPN to terminate there.

set security zones security-zone untrust interfaces <UNTRUST INTERFACE> host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces <UNTRUST INTERFACE> host-inbound-traffic system-services https

Split Tunneling

To control what is sent through the tunnel and what is sent in clear text, the following commands are used. The 'remote-protected-resources' command defines what is routed through the tunnel; the 'remote-exceptions' command defines what is sent in clear text. In the example below only 172.16.1.0/24 enters the tunnel, and everything else (0.0.0.0/0) bypasses it.

set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all user rick

Configure Policy

set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

Configure Authentication / User

set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set access profile dyn-vpn-access-profile client <USERNAME> firewall-user password <PASSWORD>
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

Configure Address Pool

set access address-assignment pool dyn-vpn-address-pool family inet network 172.16.100.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 172.16.100.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 172.16.100.20
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
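
The objects above are defined in one stanza and referenced in another (the gateway names the xauth profile, the VPN names the gateway, the policy and the dynamic-vpn clients name the VPN, the access profile names the pool), so a misspelt or forgotten name is the usual reason a fresh Dynamic VPN build fails. The following Python script is an added example, not part of the original tutorial and not a Junos tool: it parses set-style statements and reports every reference that no other statement defines. The sample config is constructed from the commands above, assuming ge-0/0/0.0 as the untrust interface, with two deliberate faults planted.

```python
import re
# Added example, not from the tutorial or Junos: report 'set' lines referencing
# an object no other line defines. Sample built from the commands above (untrust
# interface ge-0/0/0.0) with two planted faults: misspelt pool name, no https service.
SAMPLE_CONFIG = """
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-pool family inet network 172.16.100.0/24
"""

# (regex capturing a referenced name, regex another line must match to define it)
RULES = [
    (r"^set security ike gateway \S+ ike-policy (\S+)$", r"^set security ike policy {} "),
    (r"^set security ike gateway \S+ xauth access-profile (\S+)$", r"^set access profile {} "),
    (r"^set security ipsec vpn \S+ ike gateway (\S+)$", r"^set security ike gateway {} "),
    (r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)$", r"^set security ipsec policy {} "),
    (r"^set security dynamic-vpn clients \S+ ipsec-vpn (\S+)$", r"^set security ipsec vpn {} "),
    (r"^set security policies .* permit tunnel ipsec-vpn (\S+)$", r"^set security ipsec vpn {} "),
    (r"^set access profile \S+ address-assignment pool (\S+)$", r"^set access address-assignment pool {} "),
    # clients reach the portal over https and then bring up IKE, so the interface needs both
    (r"^set security ike gateway \S+ external-interface (\S+)$",
     r"^set security zones security-zone \S+ interfaces {} host-inbound-traffic system-services ike$"),
    (r"^set security ike gateway \S+ external-interface (\S+)$",
     r"^set security zones security-zone \S+ interfaces {} host-inbound-traffic system-services https$"),
]


def check_references(config: str) -> list:
    """Return one message per dangling reference; an empty list means the config is consistent."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip().startswith("set ")]
    problems = []
    for ref_re, def_template in RULES:
        for line in lines:
            for name in re.findall(ref_re, line):  # at most one hit per line thanks to ^...$
                # re.escape: interface names such as ge-0/0/0.0 contain regex metacharacters
                def_re = def_template.format(re.escape(name))
                if not any(re.match(def_re, other) for other in lines):
                    problems.append(f"'{name}' is referenced by '{line}' but no line matches {def_re}")
    return problems


if __name__ == "__main__":
    print(*check_references(SAMPLE_CONFIG), sep="\n")
```

Run against the sample it reports the misspelt pool and the missing https service; run against your own `show configuration | display set` output it reports nothing when every cross-reference resolves.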

Show Commands

  • show security ike security-associations
  • show security ike active-peer
  • show security dynamic-vpn users
  • show system license
  • show security ipsec security-associations

Tags: VPN, SRX

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001