Juniper SRX Dynamic VPN (Remote Access VPN) – Part 1

I have been really busy with work and personal stuff, and I have not posted anything useful lately. This post covers a simple home Dynamic VPN configuration, which other vendors call a Remote Access VPN.

Here is a simple topology.

Figure 1: simple dynamic VPN topology (image: juniper dynamic-vpn topo.jpg)


Juniper SRX firewalls come with a permanent dynamic VPN license, but it is very limited. I have an SRX100 firewall, and it comes with two dynamic VPN licenses, as shown in Example 1. The dynamic-vpn line is the license that ships with the SRX100.

Example 1

root# run show system license
License usage:
                     Licenses       Licenses   Licenses     Expiry
Feature name             used      installed     needed
dynamic-vpn                 0           2           0       permanent
ax411-wlan-ap               0           2           0       permanent

Licenses installed: none
[edit]
root#

As you can see, it comes with two permanent dynamic-vpn licenses, so two users can be connected to my network at the same time. If I need more concurrent users, I would need to purchase a license. Since this is a home network, two should be sufficient for now.

Now, before we jump into the configuration, you need to download Junos Pulse (discontinued) or the Pulse Secure desktop client. For a Linux desktop client, you can probably use the one from the Institute for Advanced Study. I have never tested it, so I can't really comment on the Linux client.

Unfortunately, if you are running newer code (firmware) on the SRX, the Windows desktop client is no longer available for download from the firewall itself; if you navigate to https://<srx-untrust-ip-addr>/dynamic-vpn you will get the banner shown in Figure 2.

Figure 2: banner shown by the SRX when the client download is no longer offered

Dynamic VPN requires the HTTPS service in order to work. If you already use J-Web over HTTPS to configure your SRX, you can skip Example 2. The interface fe-0/0/0.0 (untrust) is my interface to the Internet. HTTPS has to be enabled on the Internet-facing interface because that is the interface the dynamic VPN clients connect to. Keep in mind that this is the same HTTPS service that serves J-Web, so enabling it on the untrust interface also exposes the management login to the Internet, and the system-generated certificate is self-signed, so clients have no way to verify they are talking to your firewall on first connect. Use a strong admin password, and load a certificate from your own CA if you can.

Example 2

[edit]
root# show system services web-management
https {
    system-generated-certificate;
    interface fe-0/0/0.0;
}
[edit]
root#
set system services web-management https system-generated-certificate
set system services web-management https interface fe-0/0/0.0

 

Ensure that the untrust interface, fe-0/0/0.0 in this case, accepts https and ike as host-inbound traffic. This is done under the security zone. I do not have a static IP address, which is why dhcp is also listed, but for what we are trying to accomplish here only ike and https are needed.

Example 3

[edit]

root# show security zones security-zone untrust            
screen untrust-screen;
interfaces {
   fe-0/0/0.0 {
       host-inbound-traffic {
           system-services {
               dhcp;
               https;
               ike;
           }
       }
   }
}
[edit]
root#
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

 

We need to configure the IKE (Phase 1) and IPsec (Phase 2) proposals that the dynamic VPN tunnel will use. The proposals below are what I used; note that 3des-cbc, sha1 and dh-group group2 are legacy choices. If your Junos release and your client support them, aes-256-cbc, sha-256 and group14 are the stronger equivalents and use the same syntax.

Example 4

[edit]
root# show security ike proposal IKE-DYN-PROPOSAL 
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 1200;

[edit]
root# show security ipsec proposal IPSEC-DYN-PROPOSAL 
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;

[edit]
root#
set security ike proposal IKE-DYN-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-DYN-PROPOSAL dh-group group2
set security ike proposal IKE-DYN-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-DYN-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-DYN-PROPOSAL lifetime-seconds 1200

set security ipsec proposal IPSEC-DYN-PROPOSAL protocol esp
set security ipsec proposal IPSEC-DYN-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-DYN-PROPOSAL encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-DYN-PROPOSAL lifetime-seconds 3600

 

Once the proposals are prepared, configure the tunnel. The proposals created earlier are referenced from the IKE and IPsec policies, the IKE policy from the gateway, and the gateway and IPsec policy from the VPN. A few things worth knowing about the gateway: the `dynamic hostname` is the IKE identity that every remote client presents, and because `ike-user-type shared-ike-id` is set, all users share it; it is not resolved by the SRX, so it does not have to be your DDNS name, although I use mine here, and the configuration is the same whether you have a static IP or DDNS. `connections-limit 4` caps concurrent connections on this gateway, but the two licensed users remain the effective limit. Finally, aggressive mode with a pre-shared key lets anyone capturing the exchange attempt an offline brute force of the key, so make the PSK long and random as in the example.

Example 5

[edit]
root# show security ike policy IKE-DYN-POLICY 
mode aggressive;
proposals IKE-DYN-PROPOSAL;
pre-shared-key ascii-text "asd*#(0P;>!3Hb@&GnO0k.Ct0Bhc-Vw2JD.mT3/t5QO1hSvKL8X7-2a"; ## SECRET-DATA

[edit]
root# show security ike gateway IKE-DYN-GATEWAY 
ike-policy IKE-DYN-POLICY;
dynamic {
 hostname your-dynamic-dns.dyn.net;
 connections-limit 4;
 ike-user-type shared-ike-id;
}
external-interface fe-0/0/0;
xauth access-profile DYN-REMOTE-VPN;

[edit]
root# show security ipsec policy IPSEC-DYN-POLICY 
perfect-forward-secrecy {
 keys group5;
}
proposals IPSEC-DYN-PROPOSAL;

[edit]
root# show security ipsec vpn IPSEC-DYN-VPN 
ike {
 gateway IKE-DYN-GATEWAY;
 ipsec-policy IPSEC-DYN-POLICY;
}
establish-tunnels immediately;

[edit]
root#
set security ike policy IKE-DYN-POLICY mode aggressive
set security ike policy IKE-DYN-POLICY proposals IKE-DYN-PROPOSAL
set security ike policy IKE-DYN-POLICY pre-shared-key ascii-text "asd*#(0P;>!3Hb@&GnO0k.Ct0Bhc-Vw2JD.mT3/t5QO1hSvKL8X7-2a"
set security ike gateway IKE-DYN-GATEWAY ike-policy IKE-DYN-POLICY
set security ike gateway IKE-DYN-GATEWAY dynamic hostname your-dynamic-dns.dyn.net
set security ike gateway IKE-DYN-GATEWAY dynamic connections-limit 4
set security ike gateway IKE-DYN-GATEWAY dynamic ike-user-type shared-ike-id
set security ike gateway IKE-DYN-GATEWAY external-interface fe-0/0/0
set security ike gateway IKE-DYN-GATEWAY xauth access-profile DYN-REMOTE-VPN
set security ipsec policy IPSEC-DYN-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-DYN-POLICY proposals IPSEC-DYN-PROPOSAL
set security ipsec vpn IPSEC-DYN-VPN ike gateway IKE-DYN-GATEWAY
set security ipsec vpn IPSEC-DYN-VPN ike ipsec-policy IPSEC-DYN-POLICY
set security ipsec vpn IPSEC-DYN-VPN establish-tunnels immediately

 

Once the tunnel is configured, the address pool that hands out IP addresses to dynamic VPN users needs to be configured. The address and the DNS server are delivered to the client through XAuth, which is why the DNS setting lives under xauth-attributes.

Example 6

[edit]
root# show access address-assignment pool DYN-REMOTE-POOL
family inet {
   network 192.168.0.0/24;
   range DYN-REMOTE-IP-RANGE {
       low 192.168.0.100;
       high 192.168.0.110;
   }
   xauth-attributes {
       primary-dns 8.8.8.8/32;
   }
}
[edit]
root#
set access address-assignment pool DYN-REMOTE-POOL family inet network 192.168.0.0/24
set access address-assignment pool DYN-REMOTE-POOL family inet range DYN-REMOTE-IP-RANGE low 192.168.0.100
set access address-assignment pool DYN-REMOTE-POOL family inet range DYN-REMOTE-IP-RANGE high 192.168.0.110
set access address-assignment pool DYN-REMOTE-POOL family inet xauth-attributes primary-dns 8.8.8.8/32

 

Next, configure the dynamic VPN authentication profile and link the address pool created above to it. Since every client shares the same pre-shared key, the firewall-user password is the only per-user secret; use a strong one rather than the placeholder shown here.

Example 7

[edit]
root# show access profile DYN-REMOTE-VPN
client user01 {
   firewall-user {
       password "your-remote-user-password"; ## SECRET-DATA
   }
}
address-assignment {
   pool DYN-REMOTE-POOL;
}
[edit]
root# show access firewall-authentication 
web-authentication {
    default-profile DYN-REMOTE-VPN;
}
[edit]
root#
set access profile DYN-REMOTE-VPN client user01 firewall-user password your-remote-user-password
set access profile DYN-REMOTE-VPN address-assignment pool DYN-REMOTE-POOL
set access firewall-authentication web-authentication default-profile DYN-REMOTE-VPN

Here is a caveat:
If your remote clients are assigned addresses from the same subnet as your internal clients, you need NAT proxy-arp, because the SRX has to answer the ARP requests that the internal hosts send for the remote clients' addresses. This is only needed when that subnet is directly connected to the SRX; otherwise it is not needed. The interface is the LAN-facing interface where that subnet lives, and the address range must match the low and high of your pool. The command below only shows the shape of the configuration; its interface and range are placeholders and do not match the pool defined above.

Example 7.1
set security nat proxy-arp interface fe-0/0/0.0 address 192.168.3.100 to 192.168.3.110

 

Now, we need to associate the VPN user(s) with the dynamic-vpn configuration. To make things clear here, the remote-protected-resources are the IPs or subnets internal to your network. That is, if a remote user wants to download something from your server via the VPN, the server's IP or subnet needs to be listed under remote-protected-resources.

To enable split tunneling, use remote-exceptions. All traffic that is not destined for the IPs or subnets listed in remote-protected-resources is then routed through the remote client's local network (the client's own router to the Internet, etc.). In this example, any (0.0.0.0/0) traffic whose destination is not in 192.168.2.0/24 or 192.168.1.100/32 will not be sent into the tunnel.

Example 8

[edit]
root# show security dynamic-vpn
access-profile DYN-REMOTE-VPN;
clients {
   DYN-REMOTE-ACCESS-VPN {
       remote-protected-resources {
           192.168.2.0/24;
           192.168.1.100/32;
       }
       remote-exceptions {
           0.0.0.0/0;          
       }
       ipsec-vpn IPSEC-DYN-VPN;
       user {
           user01;
       }
   }
}
[edit]
root#
set security dynamic-vpn access-profile DYN-REMOTE-VPN
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-protected-resources 192.168.2.0/24
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-protected-resources 192.168.1.100/32
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN ipsec-vpn IPSEC-DYN-VPN
set security dynamic-vpn clients DYN-REMOTE-ACCESS-VPN user user01
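As an added example (not code from this post or from Juniper), here is the split-tunnel decision described above, modelled as a most-specific-prefix lookup over remote-protected-resources and remote-exceptions. The tie rule (an exception beats a protected resource of the same prefix length), the "no match stays local" rule, and the full-tunnel variant with a hypothetical 192.168.50.0/24 home LAN are this example's assumptions, not a documented client algorithm.

```python
"""Which destinations a dynamic-VPN client sends into the tunnel.

Added example for this post, not Juniper or Pulse client code.  It models the
post's description (protected resources are tunnelled, exceptions stay local)
as a most-specific-prefix lookup; the tie and no-match rules are assumptions.
"""
import ipaddress

# Split-tunnel shape from this post: only two internal prefixes are tunnelled,
# everything else (the 0.0.0.0/0 exception) leaves via the client's own LAN.
SPLIT_PROTECTED = ["192.168.2.0/24", "192.168.1.100/32"]
SPLIT_EXCEPTIONS = ["0.0.0.0/0"]

# Full-tunnel shape (assumed, not in the post): everything is tunnelled except
# the client's own LAN, here a hypothetical 192.168.50.0/24.
FULL_PROTECTED = ["0.0.0.0/0"]
FULL_EXCEPTIONS = ["192.168.50.0/24"]


def route_for(dst, protected, exceptions):
    """Return 'tunnel' or 'local' for destination dst under the given lists."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(n), "tunnel") for n in protected]
    candidates += [(ipaddress.ip_network(n), "local") for n in exceptions]
    best = None
    for net, via in candidates:
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, via)                 # more specific prefix wins
        elif net.prefixlen == best[0].prefixlen and via == "local":
            best = (net, via)                 # exception wins an exact tie
    # No matching prefix means no route was pushed, so the packet stays local.
    return best[1] if best else "local"


if __name__ == "__main__":
    for dst in ("192.168.2.10", "192.168.1.100", "192.168.1.101", "8.8.8.8"):
        print(dst, "split:", route_for(dst, SPLIT_PROTECTED, SPLIT_EXCEPTIONS),
              "full:", route_for(dst, FULL_PROTECTED, FULL_EXCEPTIONS))
```

Run it and compare the two columns: under the post's split-tunnel lists only 192.168.2.0/24 and 192.168.1.100 go through the tunnel, while the full-tunnel lists send everything except the client's own LAN through the SRX.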

 

Now, to get the dynamic VPN working, a security policy is needed to allow traffic from the Internet into your internal network through the tunnel. In this case the destination is in the trust zone, so the from-zone is untrust and the to-zone is trust. The policy below matches any source, destination and application; that is fine to get the tunnel up, but once it works, tighten source-address to the VPN pool and destination-address to the protected resources.

Example 9

[edit]
root# show security policies
from-zone untrust to-zone trust {
   policy DYN-untrust_TO_trust {
       description "TO ALLOW TRAFFIC FROM DYNAMIC VPN TO PASS TRAFFIC THROUGH";
       match {
           source-address any;
           destination-address any;
           application any;
       }
       then {
           permit {
               tunnel {
                   ipsec-vpn IPSEC-DYN-VPN;
               }
           }
       }
   }
}
[edit]
root#
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust description "TO ALLOW TRAFFIC FROM DYNAMIC VPN TO PASS TRAFFIC THROUGH"
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match source-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match destination-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match application any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust then permit tunnel ipsec-vpn IPSEC-DYN-VPN

 

If you followed along, you should be able to establish a dynamic VPN using either of the desktop clients mentioned at the beginning of this post. HOWEVER, you won't be able to access anything behind the SRX (your internal network), and your remote clients won't receive an IP address from the pool we configured earlier.

First let's get address assignment working for the remote user(s), assuming the SRX is the DHCP server. For the SRX to respond to the client's DHCP request, host-inbound-traffic in the security zone must allow dhcp on the dynamic VPN interface.

Example 10

[edit]
root# show security zones security-zone DYN-VPN-ZONE
host-inbound-traffic {
   system-services {
       all;
   }
   protocols {
       all;
   }
}
interfaces {
   vlan.9 {
       host-inbound-traffic {
           system-services {
               dhcp;
           }
       }
   }
}
[edit]
root#
set security zones security-zone DYN-VPN-ZONE interfaces vlan.9 host-inbound-traffic system-services dhcp

 

Once dhcp has been added to the dynamic VPN interface under the security zone, the SRX should respond to the remote client(s)' DHCP requests. Note that the show output above also has zone-wide `system-services all` and `protocols all`, which opens every service on every interface in that zone; the single set command for dhcp on vlan.9 is all this step needs.

In this post, if you have not noticed, the dynamic VPN interface sits in a different security zone than the trust zone, as shown in the Figure 1 topology. So I have to create another security policy to allow traffic from the zone where the dynamic VPN interface is to the destination, which is the trust zone.

Example 11

[edit]
root# show security policies
from-zone DYN-VPN-ZONE to-zone trust {
   policy DYN-USERS_TO_NIXDOMAIN {
       match {
           source-address any;
           destination-address any;
           application any;
       }
       then {
           permit;
       }
   }
}
[edit]
root#
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN description "ALLOW DYNAMIC VPN TO REACH THE TRUST ZONE RESOURCES"
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match source-address any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match destination-address any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN match application any
set security policies from-zone DYN-VPN-ZONE to-zone trust policy DYN-USERS_TO_NIXDOMAIN then permit
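Before committing, it is worth checking the whole configuration for the weak or over-broad settings flagged along the way: the legacy proposal algorithms and PFS group of Examples 4 and 5, aggressive mode, HTTPS on the untrust interface, the zone-wide `all` of Example 10, the any/any/any policies of Examples 9 and 11, and a proxy-arp range (Example 7.1) that does not fall inside the address pool of Example 6. The linter below is an added example, not Juniper code; its SAMPLE_CONFIG is a constructed copy of set commands from this post, the replacement algorithm names it suggests are Junos keywords, and its idea of "weak" is this example's own threshold.

```python
"""Lint a Junos SRX dynamic-VPN configuration given in 'set' form.

Added example for this post, not Juniper code. SAMPLE_CONFIG is a constructed
copy of set commands from the post; the replacement algorithm names in the
findings are Junos keywords, and the thresholds for "weak" are this example's own.
"""
import ipaddress
import re

WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}                  # 64-bit block ciphers
WEAK_HASHES = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}            # MODP of 1536 bits or less

SAMPLE_CONFIG = """
set security ike proposal IKE-DYN-PROPOSAL dh-group group2
set security ike proposal IKE-DYN-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-DYN-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-DYN-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-DYN-PROPOSAL encryption-algorithm aes-128-cbc
set security ike policy IKE-DYN-POLICY mode aggressive
set security ipsec policy IPSEC-DYN-POLICY perfect-forward-secrecy keys group5
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone DYN-VPN-ZONE host-inbound-traffic system-services all
set security zones security-zone DYN-VPN-ZONE host-inbound-traffic protocols all
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match source-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match destination-address any
set security policies from-zone untrust to-zone trust policy DYN-untrust_TO_trust match application any
set access address-assignment pool DYN-REMOTE-POOL family inet network 192.168.0.0/24
set security nat proxy-arp interface fe-0/0/0.0 address 192.168.3.100 to 192.168.3.110
"""


def lint(config_text):
    """Return a list of human-readable findings for a set-style config."""
    findings = []
    any_fields = {}   # (from-zone, to-zone, policy) -> match fields set to 'any'
    pool_nets = {}    # pool name -> ipaddress network
    proxy_arp = []    # (interface, first address, last address)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        m = re.match(r"set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$", line)
        if m:
            proto, name, key, val = m.groups()
            if key == "encryption-algorithm" and val in WEAK_ENCRYPTION:
                findings.append(f"{proto} proposal {name}: {val} is a 64-bit block cipher; use aes-256-cbc")
            elif key == "authentication-algorithm" and val in WEAK_HASHES:
                findings.append(f"{proto} proposal {name}: {val} is a legacy hash; use sha-256 (IKE) or hmac-sha-256-128 (IPsec)")
            elif key == "dh-group" and val in WEAK_DH_GROUPS:
                findings.append(f"{proto} proposal {name}: dh-group {val} is below 2048-bit MODP; use group14 or higher")
            continue
        m = re.match(r"set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$", line)
        if m and m.group(2) in WEAK_DH_GROUPS:
            findings.append(f"ipsec policy {m.group(1)}: PFS {m.group(2)} is below 2048-bit MODP; use group14 or higher")
            continue
        m = re.match(r"set security ike policy (\S+) mode aggressive$", line)
        if m:
            findings.append(f"ike policy {m.group(1)}: aggressive mode exposes a PSK-keyed hash to passive capture; the pre-shared key must be long and random")
            continue
        m = re.match(r"set security zones security-zone (\S+) host-inbound-traffic (system-services|protocols) all$", line)
        if m:
            findings.append(f"zone {m.group(1)}: zone-wide host-inbound-traffic {m.group(2)} all; allow only the needed services per interface")
            continue
        m = re.match(r"set security zones security-zone untrust interfaces (\S+) host-inbound-traffic system-services https$", line)
        if m:
            findings.append(f"zone untrust / {m.group(1)}: https (J-Web) is reachable from the Internet; dynamic-vpn needs it, so protect the admin login")
            continue
        m = re.match(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (source-address|destination-address|application) any$", line)
        if m:
            any_fields.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
            continue
        m = re.match(r"set access address-assignment pool (\S+) family inet network (\S+)$", line)
        if m:
            pool_nets[m.group(1)] = ipaddress.ip_network(m.group(2))
            continue
        m = re.match(r"set security nat proxy-arp interface (\S+) address (\S+) to (\S+)$", line)
        if m:
            proxy_arp.append(m.groups())
    for (fz, tz, name), fields in any_fields.items():
        if len(fields) == 3:
            findings.append(f"policy {name} ({fz} -> {tz}): source, destination and application are all 'any'; scope it to the VPN pool and the protected resources")
    for ifc, low, high in proxy_arp:
        inside = [p for p, net in pool_nets.items()
                  if ipaddress.ip_address(low) in net and ipaddress.ip_address(high) in net]
        if not inside:
            findings.append(f"proxy-arp on {ifc}: {low}-{high} lies in none of the address pools {sorted(pool_nets)}; the SRX would answer ARP for addresses it never assigns")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of `show configuration | display set` and treat every finding as a question to answer before the firewall faces the Internet; against the sample it reports eleven items, one per weak setting listed in the lead-in.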

 

This is it. We have finished configuring our home SRX for dynamic VPN. At this point, the remote user should be able to establish a dynamic VPN to the SRX and access the resources allowed by the second security policy.

This post is getting longer, please see Part 2 for verification and troubleshooting.

Cheers!



About networkshinobi

This blog is about the things I learned about computers and networking, to help me remember them as I push my studies further. I created this blog to help myself continue my education; if you find it helpful for your studies, that is great. That is one of the reasons I made this blog, to share my interest and knowledge. All the entries/posts I make are based on my views and opinions and are for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in Firewall, Juniper, Misc.

4 Responses to Juniper SRX Dynamic VPN (Remote Access VPN) – Part 1

  1. Szabi says:

    What is the configuration of the vlan.9 interface?

  2. Ifwanfly1 says:

    Hi Szabi,
    In this topology, I would like to confirm: are you using the SRX firewall to do dial-up?
