Local User Authentication Using Pre-shared Key
In this configuration, you use a username and password for local user authentication. This option does not allow you to change or recover your credentials without interacting with the firewall administrator, so we do not recommend this authentication method. Instead, we recommend the External User Authentication Using RADIUS method.
We assume that you have completed the basic setup of your SRX Series devices, including interfaces, zones, and security policies as illustrated in the Deployment Scenario for Juniper Secure Connect.
For information about prerequisites, see System Requirements.
You must ensure that the SRX Series device uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, it is important that you read the instructions in Prerequisites for Deploying Juniper Secure Connect.
Configure Juniper Secure Connect VPN Settings
To configure VPN settings using the J-Web interface:
- Log in to your SRX Series device using J-Web interface.
Figure 1 shows the J-Web login page.
After logging in successfully, you land on the Basic Settings page.
Figure 2 shows an example of the J-Web Configure tab.
- In the J-Web side pane, click VPN.
Figure 3 shows an example of the J-Web Configure tab where VPN is selected.
After you click VPN, the IPsec VPN page appears.
Figure 4 shows an example of the IPsec VPN page.
At the right corner of the page, select Create VPN > Remote Access > Juniper Secure Connect to create the IPsec VPN setting for Juniper Secure Connect. The Create Remote Access (Juniper Secure Connect) page appears.
Figure 5 shows an example to create remote access VPN.
Figure 6 shows an example of the create remote access page with pre-shared key authentication method.
- On the Create Remote Access (Juniper Secure Connect) page (see Figure 7):
Enter a name for the Remote Access Connection (that is, the name displayed as the End Users Realm Name in the Juniper Secure Connect application) and a description.
The routing mode is set to Traffic Selector (Auto Route Insertion) by default.
Select the authentication method. For this example, let’s select Pre-shared Key from the drop-down list.
Select Yes to create the firewall policy automatically using the Auto-create Firewall Policy option.
- Click the Remote User icon to configure the Juniper Secure Connect application settings.
Figure 8 shows an example of the Remote User page.
Configure the remote user client by selecting the options on the Remote User page and then clicking OK:
Table 1 summarizes the remote user settings options.
Table 1: Remote User Settings Options
Default Profile: The Default Profile is enabled by default. If you do not want this profile to be the default profile, click the toggle button.
  If you enable Default Profile for the VPN connection profile, Juniper Secure Connect automatically selects the default profile as the realm name (in this example: https://18.104.22.168/). In this case, entering the realm name in Juniper Secure Connect is optional.
  If you disable Default Profile for the VPN connection profile, you must enter the realm name along with the gateway address (in this example: https://22.214.171.124/JUNIPER_SECURE_CONNECT) in Juniper Secure Connect.
Connection mode (Manual or Always): Select whether the client connection is established manually or automatically.
  If you select Manual, then to establish a connection in the Juniper Secure Connect application you must either click the toggle button or select Connection > Connect from the menu.
  If you select Always, then Juniper Secure Connect establishes the connection automatically.
  Android device: If you select Always, the configuration is downloaded from the first SRX Series device used. If that device's configuration changes later, or if you connect to a new SRX Series device, the updated configuration is not downloaded to the Juniper Secure Connect application. This means that once you connect in Always mode from an Android device, configuration changes on the SRX Series device do not take effect in Juniper Secure Connect.
SSL VPN: To enable support for SSL VPN connections from the Juniper Secure Connect application to the SRX Series devices, click the toggle button. Use this option when IPsec ports are not allowed; enabling SSL VPN gives the client more flexibility in connecting to the SRX Series devices. By default, SSL VPN is enabled.
Biometric authentication: This option is disabled by default. If you enable it, Juniper Secure Connect displays an authentication prompt when you click Connect. This option allows users to protect their credentials using the operating system's built-in biometric authentication support.
Dead Peer Detection: Dead Peer Detection (DPD) is enabled by default. It allows the client to detect whether the SRX Series device is reachable and, if it is not, to disable the connection until reachability is restored.
Windows Pre-Logon: This option allows users to log on to the local Windows system through an already established VPN tunnel (using Windows Pre-Logon), so that the system is authenticated to the central Windows domain or Active Directory.
- Click Local Gateway to configure the Local
Figure 9 shows an example of the local gateway configuration settings.
If you enable Gateway is behind NAT, a text box appears. In the text box, enter the NAT IP address. We support only IPv4 addresses. The NAT address is the external address.
In the External Interface field, select the interface whose IP address the clients connect to. You must enter this same IP address (in this example: https://126.96.36.199/) in the Gateway Address field of the Juniper Secure Connect application.
If you enable Gateway is behind NAT, then the NAT IP address becomes the gateway address.
From the Tunnel Interface drop-down list, select an interface to bind to the route-based VPN. Alternatively, click Add. If you click Add, the Create Tunnel Interface page appears.
Figure 10 shows an example of the Create Tunnel Interface page.
The next available st0 logical interface number is displayed in the Interface Unit field, and you can enter a description for this interface. Select the zone to add this tunnel interface to. If Auto-create Firewall Policy (on the Create Remote Access page) is set to Yes, the firewall policy uses this zone. Click OK.
Enter the pre-shared key in either ASCII or hexadecimal format.
From the User Authentication drop-down list, select an existing access profile or click Add to create a new access profile. If you click Add, the Create Access Profile page appears.
Figure 11 shows an example of the Create Access Profile page.
Enter the access profile name. From the Address Assignment drop-down list, select an address pool or click Create Address Pool. If you click Create Address Pool, the Create Address Pool page appears.
Figure 12 shows an example of the Create Address Pool page.
Enter the details of the local IP pool that assigns addresses to the VPN clients. Enter a name for the IP address pool.
Enter the network address that you use for the address assignment.
Enter your DNS server address. Enter WINS server details, if required. Now click the add icon (+) to create the address range to assign IP addresses to the clients.
Enter the name, and the lower and higher limits. After entering the details, click OK.
Select the Local check box to create a local authentication user, where all the authentication details are stored on the SRX Series devices. If you click the add icon (+), the Create Local Authentication User window appears.
Figure 13 shows an example of the Create Local Authentication User page.
Enter a username and password, and then click OK. Click OK again to complete the access profile configuration.
From the SSL VPN Profile drop-down list, select an existing profile or click Add to create a new SSL VPN profile. If you click Add, the Add SSL VPN Profile page appears.
Figure 14 shows an example of the Add SSL VPN Profile page.
On the Add SSL VPN Profile page, you can configure the SSL VPN profile. Enter the SSL VPN profile name in the Name field, and enable logging using the toggle, if required. In the SSL Termination Profile field, select the SSL termination profile from the drop-down list. SSL termination is a process in which the SRX Series device acts as an SSL proxy server and terminates the SSL session from the client. If you want to create a new SSL termination profile, click Add. The Create SSL Termination Profile page appears.
Figure 15 shows an example of the Create SSL Termination Profile page.
Enter the name for the SSL termination profile and select the server certificate that you use for SSL termination on the SRX Series devices. Click Add to add a new server certificate or click Import to import a server certificate. The server certificate is a local certificate identifier. Server certificates are used to authenticate the identity of a server.
The Source NAT Traffic option is enabled by default. When Source NAT Traffic is enabled, all traffic from the Juniper Secure Connect application is NATed to the selected interface by default. Click the toggle button to disable the Source NAT Traffic option. If the option is disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly.
Under Protected Networks, click the add icon (+) to select the networks that the Juniper Secure Connect application can connect to.
Figure 16 shows an example of the Create Protected Networks page.
By default, any network (0.0.0.0/0) is allowed. If you configure a specific network, split tunneling for the Juniper Secure Connect application is enabled. If you retain the default value, you can restrict access to your defined networks by adjusting the firewall policy from the client network. Click OK, and the selected networks are now in the list of protected networks. Click OK to complete the local gateway configuration.
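As an added example (not from J-Web or Junos), the following Python pre-checks the values you are about to enter on the Create Address Pool page and under Protected Networks: each range must sit inside the pool network, ranges must not overlap (two clients would otherwise share an address), the DNS and WINS servers must not fall inside a client range, and a protected network of 0.0.0.0/0 means full tunnel rather than split tunneling. The pool, ranges and server addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values mirroring the Create Address Pool fields
# (network, DNS/WINS server, named ranges with low/high limits) and the
# Protected Networks list on the Local Gateway page.
POOL = {
    "network": "10.200.0.0/24",
    "dns": "10.10.1.53",
    "wins": None,
    "ranges": {"R1": ("10.200.0.10", "10.200.0.100")},
}
PROTECTED = ["0.0.0.0/0"]  # J-Web default: every network is allowed


def pool_findings(pool: Dict) -> List[str]:
    """Return human-readable problems with an address-pool definition."""
    net = ipaddress.ip_network(pool["network"], strict=True)
    findings: List[str] = []
    spans: List[Tuple[str, int, int]] = []
    for name, (low, high) in pool["ranges"].items():
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo > hi:
            findings.append(f"range {name}: low {low} is above high {high}")
            continue
        if lo not in net or hi not in net:
            findings.append(f"range {name}: {low}-{high} is outside {net}")
        spans.append((name, int(lo), int(hi)))
    # Overlapping ranges would hand the same address to two clients.
    spans.sort(key=lambda s: s[1])
    for (a, _, a_hi), (b, b_lo, _) in zip(spans, spans[1:]):
        if b_lo <= a_hi:
            findings.append(f"ranges {a} and {b} overlap")
    # A resolver inside a client range could itself be assigned to a client.
    for label in ("dns", "wins"):
        if pool.get(label):
            srv = int(ipaddress.ip_address(pool[label]))
            for name, lo, hi in spans:
                if lo <= srv <= hi:
                    findings.append(f"{label} server {pool[label]} lies inside range {name}")
    return findings


def tunnel_mode(protected: List[str]) -> str:
    """'full' when 0.0.0.0/0 is among the protected networks, else 'split'."""
    nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    return "full" if any(n.prefixlen == 0 for n in nets) else "split"


if __name__ == "__main__":
    for line in pool_findings(POOL) or ["address pool OK"]:
        print(line)
    print("tunnel mode:", tunnel_mode(PROTECTED))
```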
Figure 17 shows an example of successful completion of remote access configuration with remote user and local gateway.
IKE Settings and IPsec Settings are advanced options. J-Web is already configured with default values for the IKE and IPsec parameters. It is not mandatory to configure these settings.
- You can now find the URL for the remote users to connect to. Copy and store this URL for sharing with your remote users. You need only the /xxxx information if this configuration is not your
Figure 18 highlights the URL that remote users must enter in the Gateway Address field of the Juniper Secure Connect application to establish a remote access connection.
Click Save to complete the Juniper Secure Connect VPN configuration and associated policy if you have selected the auto policy creation option.
Click the highlighted Commit button (at the top right of the page, next to the Feedback button) to commit the configuration.
Download and install the Juniper Secure Connect application on the client machine. Launch Juniper Secure Connect and connect to the gateway address of the SRX Series device. See the Juniper Secure Connect User Guide for more details.