Tuesday, February 22, 2011

Setting up dynamic VPN on Juniper SRX

It took me some time to set up dynamic VPN on a Juniper SRX 240 (10.0R3.10), integrated first with FreeRADIUS and then with NPS on Windows Server 2008 (Active Directory integrated). The following steps configure dynamic (user-based) VPN on the SRX. The configuration on the SRX can be divided into 5 steps:

Access configuration
HTTPS configuration
IKE/IPSEC configuration
Dynamic VPN configuration
Policy configuration

Log in to the Juniper SRX, enter configuration mode, and type the following commands:

Access configuration:
set access profile radius-server authentication-order radius
set access profile radius-server radius-server 172.16.x.x secret your-radius-secret

set access profile user-auth-profile client allien firewall-user password your-password
set access firewall-authentication web-authentication default-profile radius-server

HTTPS configuration:

set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/2.0

IKE/IPSEC configuration:

set security ike proposal dvpn authentication-method pre-shared-keys
set security ike proposal dvpn dh-group group2
set security ike proposal dvpn authentication-algorithm sha1
set security ike proposal dvpn encryption-algorithm 3des-cbc

set security ike policy ike-dvpn mode aggressive
set security ike policy ike-dvpn proposals dvpn
set security ike policy ike-dvpn pre-shared-key ascii-text anything

set security ike gateway dyn-gw-ali ike-policy ike-dvpn
set security ike gateway dyn-gw-ali dynamic hostname allien
set security ike gateway dyn-gw-ali external-interface ge-0/0/2.0
set security ike gateway dyn-gw-ali xauth access-profile radius-server

set security ipsec proposal dvpn protocol esp
set security ipsec proposal dvpn authentication-algorithm hmac-sha1-96
set security ipsec proposal dvpn encryption-algorithm 3des-cbc

set security ipsec policy ipsec-dvpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dvpn proposals dvpn

set security ipsec vpn dynamic-vpn-ali ike gateway dyn-gw-ali
set security ipsec vpn dynamic-vpn-ali ike ipsec-policy ipsec-dvpn

Dynamic VPN configuration:

set security dynamic-vpn access-profile user-auth-profile
set security dynamic-vpn clients dynamic-vpn remote-protected-resources 172.16.16.0/0
set security dynamic-vpn clients dynamic-vpn remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients dynamic-vpn ipsec-vpn dynamic-vpn-ali
set security dynamic-vpn clients dynamic-vpn user allien

Policy configuration:

set security policies from-zone untrust to-zone trust policy dvpn-ali match source-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match destination-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match application any
set security policies from-zone untrust to-zone trust policy dvpn-ali then permit tunnel ipsec-vpn dynamic-vpn-ali
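As an added example (not from this post and not Juniper's own tooling), the script below parses set-style commands like the ones above and reports the settings a reviewer would question before exposing this gateway on an internet-facing interface: the 3DES, SHA-1 and group2 proposals, the placeholder secrets, the any/any/any tunnel policy, and the prefix lengths under dynamic-vpn. The sample configuration embedded in it is constructed from the post's commands, and the stronger Junos keywords it suggests (aes-256-cbc, sha-256, group14, hmac-sha-256-128) are assumed to be available on the target release; check them with `?` in the CLI on your own box.

```python
"""Lint Junos 'set'-style configuration for weak dynamic-VPN settings.

Added example, not from the blog post or from Juniper: it parses set commands
and reports findings a reviewer would raise. Keyword replacements in STRONGER
are assumed to exist on the target Junos release.
"""
import ipaddress
import shlex

# Constructed sample: a subset of the post's commands, placeholder secrets kept
# as-is so the lint has something to flag.
SAMPLE_CONFIG = """
set access profile radius-server radius-server 172.16.x.x secret your-radius-secret
set access profile user-auth-profile client allien firewall-user password your-password
set security ike proposal dvpn authentication-method pre-shared-keys
set security ike proposal dvpn dh-group group2
set security ike proposal dvpn authentication-algorithm sha1
set security ike proposal dvpn encryption-algorithm 3des-cbc
set security ike policy ike-dvpn mode aggressive
set security ike policy ike-dvpn pre-shared-key ascii-text anything
set security ipsec proposal dvpn protocol esp
set security ipsec proposal dvpn authentication-algorithm hmac-sha1-96
set security ipsec proposal dvpn encryption-algorithm 3des-cbc
set security ipsec policy ipsec-dvpn perfect-forward-secrecy keys group2
set security dynamic-vpn clients dynamic-vpn remote-protected-resources 172.16.16.0/0
set security dynamic-vpn clients dynamic-vpn remote-exceptions 0.0.0.0/0
set security policies from-zone untrust to-zone trust policy dvpn-ali match source-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match destination-address any
set security policies from-zone untrust to-zone trust policy dvpn-ali match application any
set security policies from-zone untrust to-zone trust policy dvpn-ali then permit tunnel ipsec-vpn dynamic-vpn-ali
"""

# Weak algorithm keyword -> stronger Junos keyword (assumed available on the target release).
STRONGER = {
    "des-cbc": "aes-256-cbc", "3des-cbc": "aes-256-cbc",
    "md5": "sha-256", "sha1": "sha-256",
    "hmac-md5-96": "hmac-sha-256-128", "hmac-sha1-96": "hmac-sha-256-128",
    "group1": "group14", "group2": "group14", "group5": "group14",
}
PLACEHOLDER_SECRETS = {"anything", "password", "secret", "changeme",
                       "your-password", "your-radius-secret"}
MIN_SECRET_LEN = 16
MATCH_FIELDS = ("source-address", "destination-address", "application")


def parse_set_config(text):
    """Return each 'set ...' line as a token list with the leading 'set' dropped.

    shlex handles quoted values (Junos quotes secrets containing spaces);
    '## ...' trailing annotations such as SECRET-DATA markers are discarded.
    """
    stmts = []
    for line in text.splitlines():
        tokens = shlex.split(line.split("##", 1)[0])
        if len(tokens) > 1 and tokens[0] == "set":
            stmts.append(tokens[1:])
    return stmts


def _is_crypto_statement(s):
    # Algorithms live in IKE/IPsec proposals and in the PFS setting of an IPsec policy.
    return s[:2] in (["security", "ike"], ["security", "ipsec"]) and (
        "proposal" in s or "perfect-forward-secrecy" in s)


def lint(stmts):
    """Return a list of findings, each prefixed with a short code."""
    findings = []
    policies = {}  # (from-zone, to-zone, name) -> collected match fields and action
    for s in stmts:
        text = " ".join(s)
        if _is_crypto_statement(s):
            for tok in s:
                if tok in STRONGER:
                    findings.append(f"WEAK-CRYPTO: '{text}' uses {tok}; prefer {STRONGER[tok]}")
        if s[:3] == ["security", "ike", "policy"] and "mode" in s and "aggressive" in s:
            findings.append(f"AGGRESSIVE-MODE: '{text}' sends the peer identity unencrypted; "
                            "dynamic hostname peers need it, so the pre-shared key must be strong")
        if any(k in s for k in ("pre-shared-key", "secret", "password")):
            value = s[-1]
            # '$9$...' is an already-obfuscated Junos secret; its strength cannot be judged here.
            if not value.startswith("$9$") and (
                    value.lower() in PLACEHOLDER_SECRETS or len(value) < MIN_SECRET_LEN):
                findings.append(f"WEAK-SECRET: '{' '.join(s[:-1])} ...' is a placeholder "
                                f"or shorter than {MIN_SECRET_LEN} characters")
        if s[:2] == ["security", "dynamic-vpn"] and s[-2] in ("remote-protected-resources",
                                                               "remote-exceptions"):
            prefix = s[-1]
            try:
                ipaddress.ip_network(prefix, strict=True)  # strict: host bits must be zero
            except ValueError:
                findings.append(f"BAD-PREFIX: {s[-2]} {prefix} has host bits set; check the prefix length")
            if s[-2] == "remote-exceptions" and prefix == "0.0.0.0/0":
                findings.append("SPLIT-TUNNEL: remote-exceptions 0.0.0.0/0 routes everything outside "
                                "remote-protected-resources around the tunnel")
        if s[:2] == ["security", "policies"] and len(s) >= 9 and s[6] == "policy":
            entry = policies.setdefault((s[3], s[5], s[7]), {})
            if s[8] == "match" and len(s) >= 11:
                entry[s[9]] = s[10]
            elif s[8] == "then" and "permit" in s:
                entry["permit"] = True
    for (src, dst, name), entry in policies.items():
        if entry.get("permit") and all(entry.get(f) == "any" for f in MATCH_FIELDS):
            findings.append(f"BROAD-POLICY: policy {name} ({src} -> {dst}) permits any/any/any; "
                            "narrow destination-address to the protected resources")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_set_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against `show configuration | display set` output saved to a file and the same checks apply to a real box. The BAD-PREFIX check is what catches a mask like `/0` on a non-zero network address, which Junos may accept but which will not protect the resources you meant.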

1 comment:

  1. Hi, what about the radius side?

    Kind regards.
