Tuesday, February 22, 2011

Setting up dynamic VPN on Juniper SRX

It took me some time to set up dynamic VPN on a Juniper SRX 240 (10.0R3.10) integrated with FreeRADIUS and then with NPS on Windows 2008 (Active Directory integrated). The following steps configure dynamic (user-based) VPN on the SRX. The configuration on the SRX can be divided into 5 steps:

Access configuration
HTTPS configuration
IKE/IPSEC configuration
Dynamic VPN configuration
Policy configuration

Login to Juniper SRX, go to configuration mode and type the following commands:

Access configuration:
set access profile radius-server authentication-order radius
set access profile radius-server radius-server 172.16.x.x secret your-radius-secret

set access profile user-auth-profile client allien firewall-user password your-password
set access firewall-authentication web-authentication default-profile radius-server

HTTPS configuration:

set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/2.0



IKE/IPSEC configuration:

set security ike proposal dvpn authentication-method pre-shared-keys
set security ike proposal dvpn dh-group group2
set security ike proposal dvpn authentication-algorithm sha1
set security ike proposal dvpn encryption-algorithm 3des-cbc

set security ike policy ike-dvpn mode aggressive
set security ike policy ike-dvpn proposals dvpn
set security ike policy ike-dvpn pre-shared-key ascii-text anything

set security ike gateway dyn-gw-ali ike-policy ike-dvpn
set security ike gateway dyn-gw-ali dynamic hostname allien
set security ike gateway dyn-gw-ali external-interface ge-0/0/2.0
set security ike gateway dyn-gw-ali xauth access-profile radius-server




set security ipsec proposal dvpn protocol esp
set security ipsec proposal dvpn authentication-algorithm hmac-sha1-96
set security ipsec proposal dvpn encryption-algorithm 3des-cbc

set security ipsec policy ipsec-dvpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dvpn proposals dvpn

set security ipsec vpn dynamic-vpn-ali ike gateway dyn-gw-ali
set security ipsec vpn dynamic-vpn-ali ike ipsec-policy ipsec-dvpn

Dynamic VPN configuration:

set security dynamic-vpn access-profile user-auth-profile
set security dynamic-vpn clients dynamic-vpn remote-protected-resources 172.16.16.0/0
set security dynamic-vpn clients dynamic-vpn remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients dynamic-vpn ipsec-vpn dynamic-vpn-ali
set security dynamic-vpn clients dynamic-vpn user allien

Policy configuration:

set security policies from-zone untrust to-zone trust policy dvpn-ali match source-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match destination-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match application any
set security policies from-zone untrust to-zone trust policy dvpn-ali then permit tunnel ipsec-vpn dynamic-vpn-ali
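
The configuration above pairs 3DES, SHA-1 and DH group2 with an aggressive-mode pre-shared key, and leaves the protected resources and the tunnel policy unscoped. As an added example (not part of the original post, and not Juniper tooling), this Python check flags those settings in a block of `set` commands before it is committed; the rule set, the function names and the sample block are assumptions of this example.

```python
import re

# Constructed sample: crypto and scope lines taken from the post's configuration.
SAMPLE_CONFIG = """\
set security ike proposal dvpn dh-group group2
set security ike proposal dvpn authentication-algorithm sha1
set security ike proposal dvpn encryption-algorithm 3des-cbc
set security ike policy ike-dvpn mode aggressive
set security ike policy ike-dvpn pre-shared-key ascii-text anything
set security ipsec proposal dvpn authentication-algorithm hmac-sha1-96
set security ipsec proposal dvpn encryption-algorithm 3des-cbc
set security ipsec policy ipsec-dvpn perfect-forward-secrecy keys group2
set security dynamic-vpn clients dynamic-vpn remote-protected-resources 172.16.16.0/0
set security policies from-zone untrust to-zone trust policy dvpn-ali match destination-address any
"""

# Per-line rules (regex, finding). The rule set is this example's assumption.
RULES = [
    (r"encryption-algorithm (des|3des)-cbc$", "64-bit block cipher (DES/3DES)"),
    (r"authentication-algorithm (hmac-)?(md5|sha1)(-96)?$", "MD5/SHA-1 based integrity"),
    (r"(dh-group|perfect-forward-secrecy keys) group[125]$", "DH group under 2048 bits"),
    (r"remote-protected-resources \S+/0$", "/0 prefix length covers every address"),
    (r"policy \S+ match destination-address any$", "policy not scoped to a destination"),
]

def _names(lines, pattern):
    """Return the set of first capture groups for lines matching pattern."""
    return {m.group(1) for m in (re.search(pattern, l) for l in lines) if m}

def audit(config):
    """Return a list of (subject, finding) tuples for a block of 'set' commands."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    findings = [(l, why) for l in lines for pat, why in RULES if re.search(pat, l)]
    # Cross-line rule: IKEv1 aggressive mode on a policy that also uses a
    # pre-shared key sends a PSK-derived hash before the peer is authenticated,
    # so the key's strength is all that stands against offline guessing.
    aggressive = _names(lines, r"ike policy (\S+) mode aggressive$")
    psk = _names(lines, r"ike policy (\S+) pre-shared-key ")
    for name in sorted(aggressive & psk):
        findings.append((f"ike policy {name}", "aggressive mode with pre-shared key"))
    return findings

if __name__ == "__main__":
    for subject, why in audit(SAMPLE_CONFIG):
        print(f"{why:40} {subject}")
```

Whether stronger proposals are accepted by the dynamic VPN client on a given Junos release has to be checked against that release's documentation; the script only reports what the configuration currently contains.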

Thursday, February 17, 2011

Nazm - Shabeena Adeeb - Tum Mere Paas Raho

Jo bhi tha kiya thora tha By Hassan Awan Sardhi


jo bhi tha kia thora tha

Jaun Elia - Jab teri jaan hogai hogi (Aalami Mushaira,Khi Club,2001)


There was a mansion in the neighbourhood of the heart
By now it must have become desolate


When she became your beloved
Life itself must have been astonished
At night the weight of my gaze was upon her
She must have been worn out
For her sake I was greatly humiliated
She must have become my honour
My life, having become difficult,
How easy it must have become
I have been without complaint for many days now
She must have become worried
There was a mansion in the neighbourhood of the heart
By now it must have become desolate
Shirin had come to her lane
She must have become her doorkeeper
In her youth she was very mischievous
By now she must have become a devil

Habib Jalib




From the pulpit they build palaces of dreams
They do not cure sorrow, they only make speeches