Configure Dynamic (Remote Access) VPN in Juniper SRX

Spread the love




Dynamic VPN or Remote Access VPN is a feature available in branch series SRX. By default, branch series SRX gateways come pre-installed with two dynamic VPN licenses. So by default, only two remote users can have dynamic VPN simultaneously. You can purchase additional license for more dynamic VPN users. Dynamic VPN is used by users from Internet to access the corporate LANs. The required VPN client for user’s machine can be downloaded from SRX’s web interface and is automatically installed. When the user logs into the SRX’s dynamic VPN web page, the VPN session on user’s PC is initiated and required VPN client is automatically downloaded without user interaction. You can also manually download and install JunOS Pulse which is a VPN client application. In this post, I will show steps to configure Dynamic (Remote Access) VPN in Juniper SRX.

Configure Dynamic (Remote Access) VPN in Juniper SRX

To view the existing license information, type show system license command as shown below. As you can see the number of dynamic-vpn installed license is 2 and the expiry is permanent.

Configure Dynamic (Remote Access) VPN in Juniper SRX

The diagram below is our scenario for dynamic access VPN. Here, 10.0.0.0/24 is the protected network. We have Active Directory Domain Controller in the network. We want users to be able to access this protected network from the Internet.



Configure Dynamic (Remote Access) VPN in Juniper SRX

Step 1. Configure Dynamic VPN Users and IP Address Pool

set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rd
set access profile Dynamic-XAuth client Steve firewall-user password P@ssw0rd
set access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool
set access address-assignment pool Dynamic-VPN-Pool family inet network 192.168.1.0/24
set access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.0.0.10/32
set access firewall-authentication web-authentication default-profile Dynamic-XAuth

Step 2. Configure IPSec Phase 1

set security ike proposal Dynamic-VPN-P1-Proposal description “Dynamic P1 Proposal”
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy description “Dynamic P2 Policy”
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
set security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname mustbegeek.com
set security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
set security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0/0/0.0
set security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth

Step 3. Configure IPSec Phase 2

set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposal
set security ipsec proposal Dynamic-P2-Proposal protocol esp
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
set security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
set security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
set security ipsec vpn Dynamic-VPN establish-tunnels immediately

Step 4. Configure Dynamic VPN Parameters

set security dynamic-vpn force-upgrade
set security dynamic-vpn access-profile Dynamic-XAuth
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
set security dynamic-vpn clients all user Jed
set security dynamic-vpn clients all user Steve

Step 5. Configure Security Policy

set security policies from-zone untrust to-zone trust policy Dynamic-VPN match source-address any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match destination-address any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN match application any
set security policies from-zone untrust to-zone trust policy Dynamic-VPN then permit tunnel ipsec-vpn Dynamic-VPN

Step 6. Verifying IPSec Connection

root@SRX240> show security dynamic-vpn users
root@SRX240> show security dynamic-vpn client version
root@SRX240> show security ike active-peer
root@SRX240> show security ike security-associations
root@SRX240> show security ipsec security-associations

You can download and install JunOS Pulse client application on user PCs. JunOS Pulse is a VPN client from Juniper. Users out on the internet can use this tool to connect to VPN. To use this tool, click Add (+) button. Uner type, choose SRX. Then type name of the connection. Type IP address or domain name of the SRX device. And then, click Add button.

JunOS

After creating a new connection, click Connect button. The client will now attempt to connect.

Junos Pulse

Click Connect again on certificate warning. Now type username and password to connect to VPN.

JunOS Pulse 4

In this way you can configure dynamic VPN in Juniper SRX and use JunOS Pulse to connect to VPN.

 




The following two tabs change content below.
Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.

Latest posts by Bipin (see all)

scroll to top