
Dynamic VPNs with Pulse Secure Clients


Dynamic VPN enables Pulse Secure clients to establish IPsec VPN tunnels to SRX services gateways without manually configuring VPN settings on their PCs. Users are authenticated either locally on the SRX gateway or through an external RADIUS server, and client addresses are assigned from a local IP address pool or by the RADIUS server.

Dynamic VPN Overview

VPN tunnels enable users to securely access assets such as e-mail servers and application servers that reside behind a firewall. End-to-site VPN tunnels are particularly helpful to remote users such as telecommuters because a single tunnel enables access to all of the resources on a network; the users do not need to configure individual access settings for each application and server. See Figure 1.

Figure 1: Using a VPN Tunnel to Enable Remote Access to a Corporate Network

The dynamic VPN feature is also known as remote access VPN or IPsec VPN client. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices. Pulse Secure client software is used for VPN access. User authentication is performed either locally on the SRX gateway or through an external RADIUS server; client addresses come from a local IP address pool configured on the SRX gateway or from the RADIUS server. The Layer 3 remote access client uses client-side configuration settings that it receives from the SRX Series gateway to create and manage a secure end-to-site VPN tunnel to the gateway.

If more than two simultaneous user connections are required, a dynamic VPN license must be installed on the SRX Series gateway. See the Software Installation and Upgrade Guide for information about installing and managing licenses. The maximum number of user connections supported depends on the SRX Series device.

The dynamic VPN feature is disabled by default on the device. To enable dynamic VPN, you must configure the feature using the dynamic-vpn configuration statement at the [edit security] hierarchy level.

Understanding Dynamic VPN Tunnel Support

Dynamic VPN tunnels are configured in the same way as traditional IPsec VPN tunnels. However, not all IPsec VPN options are supported. This feature is supported on SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM, and SRX650 devices.

The following list describes the requirements and supported options when configuring dynamic VPN tunnels:

  • Only policy-based VPNs are supported. Route-based VPNs are not supported with dynamic VPN tunnels. Routing protocols are not supported.

  • Only IKEv1 is supported. IKEv2 is not supported.

  • Only IPv4 traffic and IPv4-in-IPv4 tunnels are supported. IPv6 traffic and tunnels are not supported.

  • Only preshared keys are supported for authentication. PKI is not supported.

  • Aggressive mode is supported for IKE phase 1 exchanges. Main mode is not supported.

  • VPN traffic can only be initiated from the remote client. VPN traffic initiated from the SRX gateway is not supported.

  • Dead peer detection (DPD) is supported. VPN monitoring is not supported.

  • Extended authentication (XAuth) with mode configuration is supported.

  • Authentication is supported from a local profile. Attributes can be provided from a local address pool. Authentication and attributes can be provided from a RADIUS server.

  • Chassis clusters are supported.

  • NAT-T is supported.

  • IKE in virtual routers or in virtual routing and forwarding instances is supported.

  • AutoVPN is not supported.

  • Auto route insertion (ARI) is not supported.

  • Administrator rights are required to install the Pulse Secure client software.

  • Users need to reauthenticate during IKE phase 1 rekeys. The rekey time is configurable.

Shared or group IKE IDs can be used to configure a single VPN that is shared by all remote clients. When a single VPN is shared, the total number of simultaneous connections to the gateway cannot be greater than the number of dynamic VPN licenses installed. When configuring a shared or group IKE ID gateway, you can configure the maximum number of connections to be greater than the number of installed dynamic VPN licenses. However, if a new connection exceeds the number of licensed connections, the connection will be denied. You can view dynamic VPN license information with the show system license usage command.

Understanding Remote Client Access to the VPN

A common dynamic VPN deployment is to provide VPN access to remote clients connected through a public network such as the Internet. IPsec access is provided through a gateway on the Juniper Networks device. Pulse Secure client software is used for VPN access. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Note

Pulse Secure client software can be obtained from the Juniper Networks Download Software site at https://www.juniper.net/support/downloads/?p=pulse#sw.

The following describes the process for a Pulse Secure remote client to access the VPN:

Note

For detailed instructions about connecting the remote client program to the SRX Series device, see KB17641. Also see the Pulse Secure documentation for current client information.

  1. The user downloads and installs the Pulse Secure client software onto their device.
  2. The user starts the Pulse Secure remote client program.

    In the Pulse Secure remote client program, the user does the following:

    1. Click Add connection.
    2. For Type, select Firewall (SRX).
    3. For Name, enter the hostname of the SRX gateway.

      Note

      On the SRX Series device, this hostname is configured with the set security ike gateway gateway-name dynamic hostname hostname command. The SRX administrator must provide the hostname to remote users.

    4. For Server URL Name, enter the IP address of the SRX gateway.

      Note

      On the SRX Series device, this is the IP address of the interface configured with the set security ike gateway gateway-name external-interface interface-name command. The SRX administrator must provide the IP address to remote users.

  3. Click Add, then click Connect. The Pulse Secure remote client program connects to the SRX Series device using HTTPS.
  4. Enter your username and password when prompted. Configuration information is downloaded from the SRX Series device to the remote client to enable the client to establish an IKE SA with the SRX Series device.
  5. If you are accessing dynamic VPN for the first time, enter your user credentials again to establish an IPsec SA. An IP address is assigned to the remote client from a local address pool or from an external RADIUS server.

    Note

    The user credentials you enter in step 4 are used to download the configuration to the remote client and establish an IKE SA between the client and the SRX Series device. The user credentials entered in this step are used to establish an IPsec SA. The user credentials can be the same or different, based on the configuration on the SRX Series device.

  6. Upon successful authentication and address assignment, a tunnel is established.

Dynamic VPN Proposal Sets

This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices. Configuring custom Internet Key Exchange (IKE) and IP Security (IPsec) proposals for IKE and IPsec policies can be tedious and time-consuming when there are many dynamic VPN clients. The administrator can select basic, compatible, or standard proposal sets for dynamic VPN clients. Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection.

The default values for IKE and IPsec security association (SA) rekey timeout are as follows:

  • For IKE SAs, the rekey timeout is 28,800 seconds.

  • For IPsec SAs, the rekey timeout is 3600 seconds.

Note

Because proposal set configuration does not allow for configuration of rekey timeout, these values are included in the client configuration that is sent to the client at client download time.

The basic use cases for proposals are as follows:

  • IKE and IPsec both use proposal sets.

    The server selects a predefined proposal from the proposal set and sends it to the client, along with the default rekey timeout value.

  • IKE uses a proposal set, and IPsec uses a custom proposal.

    The server sends a predefined IKE proposal from the configured IKE proposal set to the client, along with the default rekey timeout value. For IPsec, the server sends the setting that is configured in the IPsec proposal.

  • IKE uses a custom proposal, and IPsec uses a proposal set.

    The server sends a predefined IPsec proposal from the configured IPsec proposal set to the client, along with the default rekey timeout value. For IKE, the server sends the setting that is configured in the IKE proposal.

Note

If the standard proposal set is used for IPsec and perfect forward secrecy (PFS) is not explicitly configured, PFS defaults to group2. For the basic and compatible sets, PFS is not used unless it is configured. For any IPsec proposal set, a Diffie-Hellman (DH) group configured with the ipsec policy perfect-forward-secrecy keys statement overrides the DH group of the proposal set.
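The following set commands are an added example of the second use case above (IKE from a proposal set, IPsec from a custom proposal) with an explicit PFS group; they are not part of the original page. The policy names and the preshared key are taken from the configuration example later on this page; the proposal name dyn-vpn-aes256-prop, the AES-256 choice and the 1800-second lifetime are assumptions made for illustration, so confirm that your Pulse Secure client release accepts them before deploying.

```junos
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
set security ipsec proposal dyn-vpn-aes256-prop protocol esp
set security ipsec proposal dyn-vpn-aes256-prop encryption-algorithm aes-256-cbc
set security ipsec proposal dyn-vpn-aes256-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal dyn-vpn-aes256-prop lifetime-seconds 1800
set security ipsec policy ipsec-dyn-vpn-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-vpn-policy proposals dyn-vpn-aes256-prop
```

With this configuration the gateway pushes the IKE proposal it selects from the standard set (preshared key, group2, aes128, sha1) together with the default 28,800-second IKE rekey timeout, but for IPsec it pushes exactly the custom proposal, including its 1800-second lifetime, and the PFS group set on the IPsec policy rather than any group implied by a proposal set.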

Because the client accepts only one proposal when negotiating the tunnel with the server, the server internally selects one proposal from the configured proposal set and sends it to the client. The proposal selected from each set is listed below. Note that the basic and compatible sets select DES or 3DES with DH group 1 or 2, which no longer provide adequate strength; prefer the standard set, or a custom proposal, wherever the client supports it.

For IKE

  • Sec-level basic: preshared key, g1, des, sha1

  • Sec-level compatible: preshared key, g2, 3des, sha1

  • Sec-level standard: preshared key, g2, aes128, sha1

For IPsec

  • Sec-level basic: esp, no pfs (if not configured) or groupx (if configured), des, sha1

  • Sec-level compatible: esp, no pfs (if not configured) or groupx (if configured), 3des, sha1

  • Sec-level standard: esp, g2 (if not configured) or groupx (if configured), aes128, sha1

Dynamic VPN Configuration Overview

Dynamic VPN allows you to provide IPsec access for remote users to a gateway on a Juniper Networks device. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

There are two cases to consider when configuring dynamic VPN:

  • When users are configured locally, they are configured at the [edit access profile profile-name client client-name] hierarchy level and arranged into user groups using the client-group configuration option.

  • Users can be configured on an external authentication server, such as a RADIUS server. Users configured on an external authentication server do not need to be configured at the [edit access profile profile-name] hierarchy level.

For locally-configured users, the user group needs to be specified in the dynamic VPN configuration so that a user can be associated with a client configuration. You specify a user group with the user-groups option at the [edit security dynamic-vpn clients configuration-name] hierarchy level.

When a user is authenticated, the user group is included in the authentication reply. This information is extracted and user groups configured at the [edit security dynamic-vpn clients configuration-name] hierarchy level are searched to determine which client configuration to retrieve and return to the client for tunnel establishment.

If a user is associated with more than one user group, the first matching user group configuration is used. If a user creates a second connection, then the next matching user group configuration is used. Subsequent user connections use the next matching user group configuration until there are no more matching configurations.

The following procedure lists the tasks for configuring dynamic VPN.

  1. Configure authentication and address assignment for the remote clients:

    1. Configure an XAuth profile to authenticate users and assign addresses. Either local authentication or an external RADIUS server can be used. Use the profile configuration statement at the [edit access] hierarchy level to configure the XAuth profile.

    2. Assign IP addresses from a local address pool if local authentication is used. Use the address-assignment pool configuration statement at the [edit access] hierarchy level. A subnet or a range of IP addresses can be specified. IP addresses for DNS and WINS servers can also be specified.

  2. Configure the VPN tunnel:

    1. Configure the IKE policy. The mode must be aggressive. Basic, compatible, or standard proposal sets can be used. Only preshared keys are supported for Phase 1 authentication. Use the policy configuration statement at the [edit security ike] hierarchy level.

    2. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can configure the maximum number of simultaneous connections to the gateway. Use the gateway configuration statement at the [edit security ike] hierarchy level.

    3. Configure the IPsec VPN. Basic, compatible, or standard proposal sets can be specified with the policy configuration statement at the [edit security ipsec] hierarchy level. Use the vpn configuration statement at the [edit security ipsec] hierarchy level to configure the IPsec gateway and policy.

      Note

      A configuration check can be performed to verify that all IKE and IPsec parameters needed for dynamic VPN are correctly configured. If the configuration is invalid for IKE or IPsec, an error message is displayed. You enable the configuration check with the set security dynamic-vpn config-check command.

    4. Configure a security policy to allow traffic from the remote clients to the IKE gateway. Use the policy configuration statement at the [edit security policies from-zone zone to-zone zone] hierarchy level.

      Note

      Configure the security policy with the match criteria source-address any, destination-address any, and application any and the action permit tunnel ipsec-vpn with the name of the dynamic VPN tunnel. Place this policy at the end of the policy list.

    5. Configure host inbound traffic to allow specific traffic to reach the device from systems that are connected to its interfaces. For example, IKE and HTTPS traffic must be allowed. See Understanding How to Control Inbound Traffic Based on Traffic Types.

    6. (Optional) If the client address pool belongs to a subnet that is directly connected to the device, the device must answer ARP requests for addresses in the pool from other hosts in the same zone. Use the proxy-arp configuration statement at the [edit security nat] hierarchy level, specifying the interface that connects the subnet to the device and the addresses in the pool.

  3. Associate the dynamic VPN with remote clients:

    1. Specify the access profile for use with dynamic VPN. Use the access-profile configuration statement at the [edit security dynamic-vpn] hierarchy level.

    2. Configure the clients that can use the dynamic VPN. Specify protected resources (destinations whose traffic travels through the dynamic VPN tunnel and is therefore subject to the firewall’s security policies) or exceptions to the protected resources list (destinations whose traffic bypasses the tunnel and is sent in cleartext). These options control the routes pushed to the client when the tunnel is up, and therefore which traffic is sent through the tunnel. Use the clients configuration statement at the [edit security dynamic-vpn] hierarchy level.

  4. To log dynamic VPN messages, configure the traceoptions statement at the [edit security dynamic-vpn] hierarchy level.

Understanding Local Authentication and Address Assignment

This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices. A client application can request an IP address on behalf of a client. This request is made at the same time as the client authentication request. Upon successful authentication of the client, an IP address can be assigned to the client from a predefined address pool or a specific IP address can be assigned. Other attributes, such as WINS or DNS server IP addresses, can also be provided to the client.

Address pools are defined with the pool configuration statement at the [edit access address-assignment] hierarchy level. An address pool definition contains network information (IP address with optional netmask), optional range definitions, and DHCP or XAuth attributes that can be returned to the client. If all addresses in a pool are assigned, a new request for a client address will fail even if the client is successfully authenticated.

Access profiles are defined with the profile configuration statement at the [edit access] hierarchy. A defined address pool can be referenced in an access profile configuration.

You can also bind a specific IP address to a client in an access profile with the xauth ip-address address option. The IP address must be in the range of addresses specified in the address pool. It must also be different from any IP address specified with the host configuration statement at the [edit access address-assignment pool pool-name family inet] hierarchy level. For any application, once an IP address has been assigned, it is not reassigned until it is released.

Understanding Group and Shared IKE IDs

This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices. With dynamic VPN, a unique Internet Key Exchange (IKE) ID is used for each user connection. When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID and shared IKE ID features allow a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required.

Note

We recommend that you configure group IKE IDs for dynamic VPN deployments because group IKE IDs provide a unique preshared key and IKE ID for each user.

This topic includes the following sections:

Group IKE IDs

When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use “Bob.example.net” as his full IKE ID, where “.example.net” is common to all users. The full IKE ID is used to uniquely identify each user connection.

Although group IKE IDs do not require XAuth, XAuth is required by dynamic VPN to retrieve network attributes like client IP addresses. A warning is displayed if XAuth is not configured for a dynamic VPN that uses group IKE IDs.

Note

We recommend that users use the same credentials for both WebAuth and XAuth authentication when group IKE IDs are configured.

Multiple users can use the same group IKE ID, but a single user cannot use the same group IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different group IKE IDs configured, one for each connection. If a user only has one group IKE ID configured and attempts a second connection from another PC, the first connection will be terminated to allow the second connection to go through.

To configure a group IKE ID:

  • Configure ike-user-type group-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.

  • Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. This configuration is the common part of the full IKE ID for all users.

  • Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is used to generate the actual preshared key.

Shared IKE IDs

When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.

The XAuth user name together with the configured shared IKE ID is used to distinguish between different user connections. Because the user name is used to identify each user connection, both the WebAuth user name and XAuth user name must be the same.

Multiple users can use the same shared IKE ID, but a single user cannot use the same shared IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different shared IKE IDs configured, one for each connection. If a user has only one shared IKE ID configured and attempts a second connection from another client, the first connection will be terminated to allow the second connection to go through. Also, because the user name is needed to identify each user connection along with the IKE ID, the user must use the same credentials for both WebAuth and XAuth authentication.

To configure a shared IKE ID:

  • Configure ike-user-type shared-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.

  • Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. The configured hostname is shared by all users configured in the dynamic VPN access profile.

  • Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is shared by all users configured in the dynamic VPN access profile.

Example: Configuring Dynamic VPN

This example shows how to configure a dynamic VPN on a Juniper Networks device to provide VPN access to remote clients. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Requirements

Before you begin:

  1. Configure network interfaces on the device. See Interfaces Feature Guide for Security Devices.
  2. Create security zones and assign interfaces to them. See “Understanding Security Zones”.
  3. If there will be more than two simultaneous user connections, install a Dynamic VPN license in the device. See Software Installation and Upgrade Guide.

Overview

A common deployment scenario for dynamic VPN is to provide VPN access to remote clients that are connected through a public network such as the Internet. A public IP address is assigned to one of the gateway’s interfaces; this interface is normally part of the untrust zone. After the client software is installed, the remote user can access the VPN by either logging in to the Web portal or by launching the client directly. In either case, the remote client authenticates with the SRX Series device and downloads the latest configuration available.

Figure 2 illustrates this deployment topology. The ge-0/0/15.0 interface on the SRX Series device is the termination point for the dynamic VPN tunnel. Remote clients in the untrust zone access the ge-0/0/15.0 interface through a Pulse Secure client.

Figure 2: Dynamic VPN Deployment Topology

In this example, XAuth client authentication is performed locally and client IP addresses are assigned from an address pool configured on the SRX Series device. See Table 1.

Next, standard proposal sets are used for both IKE and IPsec negotiations. For dynamic VPN tunnels, aggressive mode must be configured and only preshared keys are supported for Phase 1 authentication. A group IKE ID is used and the maximum number of connections is set to 10. Because dynamic VPNs must be policy-based VPNs, a security policy must be configured to forward traffic to the tunnel. IKE and HTTPS traffic must be allowed as host inbound traffic. See Table 2.

Finally, the XAuth profile configured for remote clients is specified for the dynamic VPN. Remote users are associated with the configured IPsec VPN. Also configured are remote protected resources (the destination addresses of traffic that is always sent through the tunnel) and remote exceptions (the destination addresses of traffic that is sent in cleartext instead of through the tunnel). See Table 3.

Table 1: Remote Client Authentication and Address Assignment Configuration

  • IP address pool, name dyn-vpn-address-pool:

    • Addresses: 10.10.10.0/24

    • DNS server address: 192.0.2.1/32

  • XAuth profile, name dyn-vpn-access-profile:

    • Remote client username client1 with password $ABC123

    • Remote client username client2 with password $ABC456

    • IP address pool reference: dyn-vpn-address-pool

    • This profile is the default profile for Web authentication.

Table 2: VPN Tunnel Configuration Parameters

  • IKE policy (Phase 1), name ike-dyn-vpn-policy:

    • Mode: aggressive

    • Proposal set: standard

    • Preshared key: (ASCII) $ABC789

  • IKE gateway (Phase 1), name dyn-vpn-local-gw:

    • IKE policy reference: ike-dyn-vpn-policy

    • Dynamic hostname: dynvpn

    • IKE user type: group IKE ID

    • Maximum number of concurrent connections: 10

    • External interface: ge-0/0/15.0

    • Access profile reference: dyn-vpn-access-profile

  • IPsec policy (Phase 2), name ipsec-dyn-vpn-policy:

    • Proposal set: standard

  • IPsec VPN (Phase 2), name dyn-vpn:

    • IKE gateway reference: dyn-vpn-local-gw

    • IPsec policy reference: ipsec-dyn-vpn-policy

  • Security policy (permits traffic from the untrust zone to the trust zone), name dyn-vpn-policy:

    • Match criteria: source address any, destination address any, application any

    • Permit action: tunnel ipsec-vpn dyn-vpn

  • Host inbound traffic: allow IKE, HTTPS, and ping to the ge-0/0/15.0 interface in the untrust zone.

Table 3: Dynamic VPN Configuration for Remote Clients

  • Access profile for remote clients: dyn-vpn-access-profile

  • Remote clients, name all:

    • IPsec VPN reference: dyn-vpn

    • User name reference: client1 and client2

    • Remote protected resources: 10.0.0.0/8

    • Remote exceptions: 0.0.0.0/0

Configuration

Configuring the Remote User Authentication and Address Assignment

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure remote user authentication and address assignment:

  1. Create the address assignment pool.
  2. Configure the XAuth profile.
  3. Configure Web authentication using the XAuth profile.
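The set commands below are an added reconstruction of these three steps from the parameters in Table 1; they are not the page’s own command listing. All names, addresses and passwords are the example values from Table 1, and the statement hierarchy is standard Junos OS, which you should confirm against your release.

```junos
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.0.2.1/32
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC456"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
```

The last line makes dyn-vpn-access-profile the default Web authentication profile, which is what lets the HTTPS login in the client connection procedure and the XAuth login use the same local user database. Junos stores the firewall-user passwords in obfuscated ($9$) form, but these sample values exist only to make the example reproducible; replace them with strong, per-user secrets before commit.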

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring the VPN Tunnel

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the VPN tunnel:

  1. Configure the IKE policy.
  2. Configure the IKE gateway.
  3. Configure IPsec.
  4. Configure the security policy.
  5. Configure host inbound traffic.

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Associate the Dynamic VPN with Remote Clients

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To associate the dynamic VPN with remote clients:

  1. Specify the access profile to use with dynamic VPN.
  2. Configure the clients who can use the dynamic VPN.
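The set commands below are an added reconstruction of these two steps from the parameters in Table 3; they are not the page’s own listing. The names and prefixes are the example values from Table 3, and the statement hierarchy is standard Junos OS, which you should confirm against your release.

```junos
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
```

The protected-resources and exceptions lists become the routes pushed to the client: with 10.0.0.0/8 protected and 0.0.0.0/0 excepted, only traffic to 10.0.0.0/8 enters the tunnel and everything else leaves the client in cleartext (split tunneling). If policy requires all client traffic to traverse the SRX, set remote-protected-resources to 0.0.0.0/0 and drop the exception.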

Results

From configuration mode, confirm your configuration by entering the show security dynamic-vpn command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status of the security associations.

Action

From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations

Verifying Connected Clients and Assigned Addresses

Purpose

Verify the remote clients that have authenticated through XAuth and the IP addresses assigned to them.

Action

From operational mode, enter the show security ike active-peer command.

user@host> show security ike active-peer

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status of the security associations.

Action

From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations

Verifying Concurrent Connections and Parameters for Each User

Purpose

Verify the number of concurrent connections and the negotiated parameters for each user.

Action

From operational mode, enter the show security dynamic-vpn users command.

user@host> show security dynamic-vpn users

Example: Configuring Local Authentication and Address Pool

This example shows how to create an address pool and how to assign client IP addresses in an access profile. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Requirements

Before you begin, configure primary and secondary DNS and WINS servers and assign IP addresses to them.

Overview

This example creates an address pool xauth1 that consists of the IP addresses in the 192.0.2.0/24 subnet. The xauth1 pool also assigns IP addresses for primary and secondary DNS and WINS servers.

The access profile dvpn-auth references the xauth1 pool. The dvpn-auth access profile configures two clients:

  • jason: The IP address 192.0.2.1 is bound to this client. Upon successful authentication, the client is assigned the IP address 192.0.2.1. If the client logs in again before logging out, the client is assigned an IP address from the xauth1 pool.

  • jacky: Upon successful authentication, the client is assigned an IP address from the xauth1 pool.

In addition, the dvpn-auth access profile specifies that password authentication is used to verify clients at login. Additional authentication methods can be specified; the software tries the authentication methods in order, from first to last, for each client login attempt.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure an address pool and an access profile that uses the address pool:

  1. Create the address pool.
  2. Configure the access profile.
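The two steps above, written out as Junos set commands. This is an added example, not the quick configuration from the original page; the DNS/WINS server addresses (198.51.100.1 to 198.51.100.4) and the client passwords are assumed sample values, everything else comes from the Overview.

```junos
# Added example: address pool xauth1 and access profile dvpn-auth as described above.
# DNS/WINS addresses and client passwords are assumed sample values.
set access address-assignment pool xauth1 family inet network 192.0.2.0/24
set access address-assignment pool xauth1 family inet xauth-attributes primary-dns 198.51.100.1/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-dns 198.51.100.2/32
set access address-assignment pool xauth1 family inet xauth-attributes primary-wins 198.51.100.3/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-wins 198.51.100.4/32
# Password is the only authentication method; additional methods would be tried in listed order.
set access profile dvpn-auth authentication-order password
# jason: static address 192.0.2.1; a second concurrent login falls back to the pool.
set access profile dvpn-auth client jason firewall-user password "<jason-password>"
set access profile dvpn-auth client jason ip-address 192.0.2.1
# jacky: always draws an address from the xauth1 pool.
set access profile dvpn-auth client jacky firewall-user password "<jacky-password>"
set access profile dvpn-auth address-assignment pool xauth1
```

After committing, show network-access address-assignment pool xauth1 should list jason@dvpn-auth for the static binding and the bare username for pool assignments.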

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Address Assignment

Purpose

Verify address assignment. For XAuth, the hardware address is always shown as NA. If a static IP address is assigned to a specific user, the user name and profile name (in the format user@profile) are displayed in the "Host/User" column. If a client is assigned an IP address from the pool, the username is displayed; if the username does not exist, NA is displayed. For other applications (for example, DHCP), the hostname is displayed if configured; if the hostname is not configured, NA is displayed.

Action

From operational mode, enter the show network-access address-assignment pool command.

user@host> show network-access address-assignment pool xauth1

Example: Configuring a Group IKE ID for Multiple Users

This example shows how to configure a group IKE ID that is used by multiple users. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Requirements

Before you begin:

Overview

In this example, you configure two remote dynamic VPN users who use a single IKE ID and a single IKE preshared key (see Table 4 and Table 5). An external RADIUS server is used to authenticate users and assign IP addresses to clients (see Table 6).

Table 4: Group IKE ID VPN Tunnel Configuration Parameters

IKE policy (Phase 1): clientpol-group

  • Mode: aggressive

  • Proposal set: compatible

  • Preshared key: (ASCII) for-everyone-in-access-profile

IKE gateway (Phase 1): groupgw

  • IKE policy reference: clientpol-group

  • Dynamic hostname: example.net

  • IKE user type: group IKE ID

  • Maximum number of concurrent connections: 50

  • External interface: ge-0/0/0.0

  • Access profile reference: radius-profile

IPsec policy (Phase 2): client1vpnPol

  • Proposal set: compatible

IPsec VPN (Phase 2): groupvpn

  • IKE gateway reference: groupgw

  • IPsec policy reference: client1vpnPol

Security policy (permits traffic from the untrust zone to the trust zone): group-sec-policy

  • Match criteria:

    • source address any

    • destination address any

    • application any

  • Permit action: tunnel ipsec-vpn groupvpn

Host inbound traffic: allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:

  • IKE

  • HTTPS

  • ping

  • SSH

Table 5: Group IKE ID Dynamic VPN Configuration for Remote Clients

Access profile for remote clients

  • Access profile reference: radius-profile

Remote clients: groupcfg

  • IPsec VPN reference: groupvpn

  • User name reference: derek and chris

  • Remote protected resources: 10.100.100.0/24

  • Remote exceptions: 0.0.0.0/0, 192.0.2.1/24, 0.0.0.0/32

Table 6: RADIUS Server User Authentication (Group IKE ID)

XAuth profile: radius-profile

  • RADIUS is the authentication method used to verify user credentials.

  • The RADIUS server IP address is 10.100.100.250 and the password is “$ABC123”.

  • This profile is the default profile for Web authentication.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a group IKE ID for multiple users:

  1. Configure the XAuth profile.
  2. Configure the IKE policy.
  3. Configure the IKE gateway.
  4. Configure IPsec.
  5. Configure the security policy.
  6. Configure host inbound traffic.
  7. Specify the access profile to use with dynamic VPN.
  8. Configure the clients who can use the dynamic VPN.

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status of the security associations.

Action

From operational mode, enter the show security ike security-associations command.

Verifying Connected Clients and Assigned Addresses

Purpose

Verify which remote clients are connected and the IP addresses assigned to them through XAuth.

Action

From operational mode, enter the show security ike active-peer command.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status of the security associations.

Action

From operational mode, enter the show security ipsec security-associations command.

Verifying Concurrent Connections and Parameters for Each User

Purpose

Verify the number of concurrent connections and the negotiated parameters for each user.

Action

From operational mode, enter the show security dynamic-vpn users command.

Example: Configuring Individual IKE IDs for Multiple Users

This example shows how to configure individual IKE IDs for multiple users. This feature is supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

Note

When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID feature allows a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required.

Requirements

Before you begin:

Overview

The following example shows the configuration for two remote dynamic VPN users. For each user, an IKE policy and gateway, IPsec policy and VPN, and a security policy must be configured (see Table 7 and Table 8). An external RADIUS server is used to authenticate users and assign IP addresses to clients (see Table 9).

Table 7: Client 1 Configuration Parameters

IKE policy (Phase 1): client1pol

  • Mode: aggressive

  • Proposal set: compatible

  • Preshared key: (ASCII) for-client1

IKE gateway (Phase 1): client1gw

  • IKE policy reference: client1pol

  • Dynamic hostname: example.net

  • External interface: ge-0/0/0.0

  • Access profile reference: radius-profile

IPsec policy (Phase 2): client1vpnPol

  • Proposal set: compatible

IPsec VPN (Phase 2): client1vpn

  • IKE gateway reference: client1gw

  • IPsec policy reference: client1vpnPol

Security policy (permits traffic from the untrust zone to the trust zone): client1-policy

  • Match criteria:

    • source address any

    • destination address any

    • application any

  • Permit action: tunnel ipsec-vpn client1vpn

Host inbound traffic: allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:

  • IKE

  • HTTPS

  • ping

  • SSH

Access profile for remote clients

  • Access profile reference: radius-profile

Remote clients: cfg1

  • IPsec VPN reference: client1vpn

  • User name reference: derek

  • Remote protected resources: 10.100.100.0/24

  • Remote exceptions: 0.0.0.0/0, 192.0.2.1/24, 0.0.0.0/32

Table 8: Client 2 Configuration Parameters

IKE policy (Phase 1): client2pol

  • Mode: aggressive

  • Proposal set: compatible

  • Preshared key: (ASCII) for-client2

IKE gateway (Phase 1): client2gw

  • IKE policy reference: client2pol

  • Dynamic hostname: example.net

  • External interface: ge-0/0/0.0

  • Access profile reference: radius-profile

IPsec policy (Phase 2): client2vpnPol

  • Proposal set: compatible

IPsec VPN (Phase 2): client2vpn

  • IKE gateway reference: client2gw

  • IPsec policy reference: client2vpnPol

Security policy (permits traffic from the untrust zone to the trust zone): client2-policy

  • Match criteria:

    • source address any

    • destination address any

    • application any

  • Permit action: tunnel ipsec-vpn client2vpn

Host inbound traffic: allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:

  • IKE

  • HTTPS

  • ping

  • SSH

Access profile for remote clients

  • Access profile reference: radius-profile

Remote clients: cfg2

  • IPsec VPN reference: client2vpn

  • User name reference: chris

  • Remote protected resources: 10.100.100.0/24

  • Remote exceptions: 0.0.0.0/0, 192.0.2.1/24

Table 9: RADIUS Server User Authentication (Individual IKE ID)

XAuth profile: radius-profile

  • RADIUS is the authentication method used to verify user credentials.

  • The RADIUS server IP address is 10.100.100.250 and the password is “$ABC123”.

  • This profile is the default profile for Web authentication.

Configuration

Configuring the XAuth Profile

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the XAuth profile:

  1. Configure the access profile.
  2. Configure Web authentication using the XAuth profile.

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Client 1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure dynamic VPN for a single user:

  1. Configure the IKE policy.
  2. Configure the IKE gateway.
  3. Configure IPsec.
  4. Configure the security policy.
  5. Configure host inbound traffic.
  6. Specify the access profile to use with dynamic VPN.
  7. Configure the clients who can use the dynamic VPN.
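The XAuth profile steps and the seven client 1 steps above as Junos set commands, built from Tables 7 and 9. This is an added example rather than the quick configuration from the original page; it shows what changes when each user gets a gateway of their own: no group-ike-id, no connections-limit, and a clients entry that names a single user.

```junos
# Added example: XAuth profile (Table 9) and per-user configuration for client 1 (Table 7).
set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set access firewall-authentication web-authentication default-profile radius-profile
# Step 1: IKE policy with a preshared key that only client 1 knows.
set security ike policy client1pol mode aggressive
set security ike policy client1pol proposal-set compatible
set security ike policy client1pol pre-shared-key ascii-text "for-client1"
# Step 2: individual gateway; unlike the group case there is no ike-user-type or connections-limit.
set security ike gateway client1gw ike-policy client1pol
set security ike gateway client1gw dynamic hostname example.net
set security ike gateway client1gw external-interface ge-0/0/0.0
set security ike gateway client1gw xauth access-profile radius-profile
# Step 3: IPsec policy and VPN for this client only.
set security ipsec policy client1vpnPol proposal-set compatible
set security ipsec vpn client1vpn ike gateway client1gw
set security ipsec vpn client1vpn ike ipsec-policy client1vpnPol
# Step 4: security policy bound to client1vpn; client 2 needs its own policy and VPN.
set security policies from-zone untrust to-zone trust policy client1-policy match source-address any
set security policies from-zone untrust to-zone trust policy client1-policy match destination-address any
set security policies from-zone untrust to-zone trust policy client1-policy match application any
set security policies from-zone untrust to-zone trust policy client1-policy then permit tunnel ipsec-vpn client1vpn
# Step 5: host inbound services on the external interface (shared by all clients).
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
# Steps 6 and 7: dynamic VPN profile and a clients entry for the single user derek.
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg1 ipsec-vpn client1vpn
set security dynamic-vpn clients cfg1 user derek
set security dynamic-vpn clients cfg1 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients cfg1 remote-exceptions 192.0.2.1/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/32
```

Client 2 repeats the same pattern with the client2pol, client2gw, client2vpnPol, client2vpn, client2-policy and cfg2 names from Table 8.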

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Client 2

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure dynamic VPN for a single user:

  1. Configure the IKE policy.
  2. Configure the IKE gateway.
  3. Configure IPsec.
  4. Configure the security policy.
  5. Configure host inbound traffic.
  6. Specify the access profile to use with dynamic VPN.
  7. Configure the clients who can use the dynamic VPN.

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status of the security associations.

Action

From operational mode, enter the show security ike security-associations command.

Verifying Connected Clients and Assigned Addresses

Purpose

Verify which remote clients are connected and the IP addresses assigned to them through XAuth.

Action

From operational mode, enter the show security ike active-peer command.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status of the security associations.

Action

From operational mode, enter the show security ipsec security-associations command.

Verifying Concurrent Connections and Parameters for Each User

Purpose

Verify the number of concurrent connections and the negotiated parameters for each user.

Action

From operational mode, enter the show security dynamic-vpn users command.