Dynamic VPN or Remote Access VPN is a feature available in branch series SRX. By default, branch series SRX gateways come pre-installed with two dynamic VPN licenses. So by default, only two remote users can have dynamic VPN simultaneously. You can purchase additional license for more dynamic VPN users. Dynamic VPN is used by users from Internet to access the corporate LANs. The required VPN client for user’s machine can be downloaded from SRX’s web interface and is automatically installed. When the user logs into the SRX’s dynamic VPN web page, the VPN session on user’s PC is initiated and required VPN client is automatically downloaded without user interaction. You can also manually download and install JunOS Pulse which is a VPN client application. In this post, I will show steps to configure Dynamic (Remote Access) VPN in Juniper SRX.
Configure Dynamic (Remote Access) VPN in Juniper SRX
To view the existing license information, type show system license command as shown below. As you can see the number of dynamic-vpn installed license is 2 and the expiry is permanent.
The diagram below is our scenario for dynamic access VPN. Here, 10.0.0.0/24 is the protected network. We have Active Directory Domain Controller in the network. We want users to be able to access this protected network from the Internet.
Step 1. Configure Dynamic VPN Users and IP Address Pool
set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rdset access profile Dynamic-XAuth client Steve firewall-user password P@ssw0rd
set access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool set access address-assignment pool Dynamic-VPN-Pool family inet network 192.168.1.0/24
set access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.0.0.10/32 set access firewall-authentication web-authentication default-profile Dynamic-XAuth
Step 2. Configure IPSec Phase 1
set security ike proposal Dynamic-VPN-P1-Proposal description “Dynamic P1 Proposal”set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200 set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy description “Dynamic P2 Policy”
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123 set security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
set security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname mustbegeek.com
set security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
set security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0/0/0.0
set security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth
Step 3. Configure IPSec Phase 2
set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposalset security ipsec proposal Dynamic-P2-Proposal protocol esp
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600 set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal set security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
set security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
set security ipsec vpn Dynamic-VPN establish-tunnels immediately
Step 4. Configure Dynamic VPN Parameters
set security dynamic-vpn force-upgradeset security dynamic-vpn access-profile Dynamic-XAuth
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
set security dynamic-vpn clients all user Jed
set security dynamic-vpn clients all user Steve
Step 5. Configure Security Policy
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match source-address anyset security policies from-zone untrust to-zone trust policy Dynamic-VPN match destination-address any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match application any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN then permit tunnel ipsec-vpn Dynamic-VPN
Step 6. Verifying IPSec Connection
root@SRX240> show security dynamic-vpn users root@SRX240> show security dynamic-vpn client version root@SRX240> show security ike active-peer root@SRX240> show security ike security-associations root@SRX240> show security ipsec security-associationsYou can download and install JunOS Pulse client application on user PCs. JunOS Pulse is a VPN client from Juniper. Users out on the internet can use this tool to connect to VPN. To use this tool, click Add (+) button. Uner type, choose SRX. Then type name of the connection. Type IP address or domain name of the SRX device. And then, click Add button.
After creating a new connection, click Connect button. The client will now attempt to connect.
Click Connect again on certificate warning. Now type username and password to connect to VPN.
In this way you can configure dynamic VPN in Juniper SRX and use JunOS Pulse to connect to VPN.
Configure Dynamic (Remote Access) VPN in Juniper SRX is a post from: MustBeGeek