Remote Access VPNs with NCP Exclusive Remote Access Client


The NCP Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is available only with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links to SRX Series Gateways from any location.

Understanding IPsec VPNs with NCP Exclusive Remote Access Client

This section describes IPsec VPN support on SRX Series devices for NCP Exclusive Remote Access Client software.

NCP Exclusive Remote Access Client

Users running NCP Exclusive Remote Access Client software on Windows and macOS devices can establish IKEv1 or IKEv2 IPsec VPN connections with SRX Series devices. The client software is available for download at https://www.ncp-e.com/ncp-exclusive-remote-access-client/.

Licensing

A two-user license is supplied by default on an SRX Series device. A license is required for additional users. Contact your Juniper Networks representative for license information.

Licensing is based on the number of concurrent users. For example, if a 100-user license is installed, 100 different users can have VPN connections established at the same time. Because multiple traffic selectors are supported, a single user can establish several tunnels under one license. When a user disconnects, the license is released one minute after that user's IKE and IPsec security associations (SAs) expire.

License enforcement is checked only after Phase 2 negotiation completes. A remote access user can therefore connect to the SRX Series device and establish IKE and IPsec SAs, and is then disconnected if the licensed user limit has been exceeded. Expect the IKE logs to show a completed negotiation for such a user before the tear-down.

Licensing for vSRX instances is subscription-based: connected remote access users are not disconnected immediately when an installed license expires. After a user disconnects and the corresponding IKE and IPsec SAs expire, whether that user can reconnect depends on whether the currently installed license has expired.

AutoVPN

The NCP Exclusive Remote Access Client is supported with AutoVPN in point-to-point secure tunnel interface mode. AutoVPN is only supported on route-based IPsec VPNs on the SRX Series device.

Traffic Selectors

Traffic selectors configured on the SRX Series device and on the NCP client determine which client traffic is sent through the IPsec VPN tunnel. Traffic into and out of the tunnel is allowed only for the negotiated traffic selectors. If the route lookup for a packet's destination address points to an st0 interface on which traffic selectors are configured, and the packet does not match a negotiated traffic selector, the packet is dropped. Multiple Phase 2 IPsec SAs and auto route insertion (ARI) are supported with the NCP Exclusive Remote Access Client. Traffic selector flexible match on ports and protocols is not supported, and for this feature the remote address of every traffic selector must be 0.0.0.0/0.

In many cases, all traffic from remote access clients is sent through VPN tunnels. The local address configured in the traffic selector can be 0.0.0.0/0 or a specific address, as explained in the next sections.

Configuring a traffic selector on the SRX Series device with the remote address 0.0.0.0/0 is supported for NCP Exclusive Remote Access Client connections. After VPN negotiation is completed, the remote address for the traffic selector is expected to be a single IP address (the address of the remote access client assigned by either a RADIUS server or the local address pool).

Split Tunneling

Split tunneling uses a more specific prefix than 0.0.0.0/0, the address of the protected resource, as the local address in a traffic selector configured on the SRX Series device. A corresponding traffic selector is configured on the remote access client. The SRX Series device allows traffic on the VPN tunnel that matches the traffic selector negotiated from the two sides' configurations. If the traffic selector configured on the remote access client cannot be matched with a traffic selector configured on the SRX Series device, tunnel negotiation fails. For IKEv1, the local and remote addresses in the client's traffic selector configuration must be the same as, or a subset of, the addresses in the corresponding traffic selector configured on the SRX Series device.

Multiple Subnetworks

On the SRX Series device, one traffic selector can be configured for each protected subnetwork. Subnetworks cannot overlap. On the NCP Exclusive Remote Access Client, one traffic selector must be configured for each traffic selector configured on the SRX Series device. Addresses that are configured in the split tunnel window of the NCP Exclusive Remote Access Client are used as the client's remote traffic selector; these addresses must be the same addresses or a subset of the addresses in the corresponding traffic selector configured on the SRX Series device. One IPsec SA pair is created for each traffic selector.
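The split-tunnel and multiple-subnetwork rules above, as an added configuration example that is not part of the original page: two protected subnetworks behind the SRX Series device, one traffic selector each, remote-ip fixed at 0.0.0.0/0 as the feature requires. The VPN name, traffic selector names, interface and prefixes are assumed for illustration; lines beginning with ## are explanatory and must be removed before the commands are pasted into the CLI.

```junos
## Route-based VPN bound to st0.0 (AutoVPN point-to-point mode is the supported mode).
set security ipsec vpn ncp-vpn bind-interface st0.0

## One traffic selector per protected subnetwork. The local-ip prefixes must not overlap.
## remote-ip must be 0.0.0.0/0; after negotiation it narrows to the client's assigned /32.
set security ipsec vpn ncp-vpn traffic-selector ts-corp local-ip 10.10.0.0/16
set security ipsec vpn ncp-vpn traffic-selector ts-corp remote-ip 0.0.0.0/0
set security ipsec vpn ncp-vpn traffic-selector ts-dmz local-ip 172.16.50.0/24
set security ipsec vpn ncp-vpn traffic-selector ts-dmz remote-ip 0.0.0.0/0

## Matching entries for the split tunnel window of the NCP client (entered on the client,
## not on the SRX): each must equal or be a subset of the SRX local-ip above.
##   10.10.0.0/16      -> negotiates against ts-corp  (exact match, one IPsec SA pair)
##   172.16.50.0/25    -> negotiates against ts-dmz   (subset, one IPsec SA pair)
## A client entry of 10.0.0.0/8 would be a superset of ts-corp and the negotiation fails.
```

Each traffic selector that negotiates successfully yields its own IPsec SA pair, so this configuration produces two SA pairs per connected client, and ARI inserts the client's /32 route towards st0.0 once the tunnel is up.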

NCP Exclusive Remote Access Client Authentication

There are two forms of extended authentication of the NCP Exclusive Remote Access Client, depending on the IKE version of the client:

  • IKEv1 NCP Exclusive Remote Access Client authentication is supported with XAuth using either a RADIUS server or a local access profile. For IKEv1 remote access connections, preshared keys are used for IKE Phase 1 authentication. Extended Authentication (XAuth) is used to authenticate the remote access user. The SRX Series device must be configured for IKE aggressive mode.

    Note

    For the IKEv1 NCP Exclusive Remote Access Client, preshared key authentication is supported with AutoVPN. For AutoVPN deployments that do not use user-based authentication, only certificate authentication is supported.

  • IKEv2 NCP Exclusive Remote Access Client authentication requires a RADIUS server that supports EAP. The SRX Series device acts as a pass-through authenticator to relay EAP messages between the NCP Exclusive Remote Access Client and the RADIUS server. The following EAP authentication types are supported:

    • EAP-MSCHAPv2

      Note

The RADIUS server must generate a master session key (MSK) for EAP-MSCHAPv2.

    • EAP-MD5

    • EAP-TLS

    For the IKEv2 NCP Exclusive Remote Access Client, a digital certificate is used to authenticate the SRX Series device. Extensible Authentication Protocol (EAP) is used to authenticate the remote access client.

Remote Access Client Attribute and IP Address Assignment

Attribute Assignment

For IKEv1 or IKEv2 remote access clients, attributes can be assigned through a RADIUS server or through local network attributes configuration. If a RADIUS server is used for authentication but no network attributes are assigned, network attributes (including IP addresses) can be configured locally if needed.

The following client attributes are defined in RFC 2865, Remote Authentication Dial In User Service (RADIUS), and are supported with the IKEv1 and IKEv2 NCP Exclusive Remote Access Client:

  • Framed-IP-Address

  • Framed-IP-Netmask

The following Juniper vendor-specific attributes (VSAs) are supported with IKEv1 and IKEv2 NCP Exclusive Remote Access Client:

  • Juniper-Primary-DNS

  • Juniper-Primary-Wins

  • Juniper-Secondary-DNS (only available with IKEv2)

  • Juniper-Secondary-Wins (only available with IKEv2)

Note

The VSA Juniper-Local-Group-Name is not supported.

IP Address Assignment

If an IP address is allocated from both a local address pool and by a RADIUS server, the IP address allocated by the RADIUS server takes precedence. If the RADIUS server does not return an IP address and there is a user-configured local address pool, an IP address is assigned to the remote client from the local pool.

Note

The number of addresses in the local address pool or in the RADIUS server address pool should be larger than the number of concurrent remote access users, because a disconnected user's address is held for up to one minute before the user is logged off and the address is released.

When an IP address is assigned from an external RADIUS server or a local address pool, an IP address with a 32-bit mask is passed to the NCP Exclusive Remote Access Client. After the tunnel is established, auto route insertion (ARI) automatically inserts a static route to the remote client’s IP address so that traffic from behind the SRX Series device can be sent into the VPN tunnel to the client’s IP address.

The configured traffic selectors might not cover the IP addresses allocated by the RADIUS server or a local address pool. In this case, a remote client may not be able to reach an IP address for another remote client in the subnetwork through a VPN tunnel. A traffic selector must be explicitly configured that matches the IP address allocated to the other remote client by the RADIUS server or local address pool.

Supported Features

The following features are supported on the SRX Series device with the NCP Exclusive Remote Access Client:

  • Traffic initiation from the SRX Series device as well as the NCP Exclusive Remote Access Client

  • Remote access clients behind a NAT device (NAT-T)

  • Dead peer detection

  • Chassis cluster configuration of the SRX Series device

Caveats

The following features are not supported on the SRX Series device with the NCP Exclusive Remote Access Client:

  • Routing protocols

  • AutoVPN with the st0 interface in point-to-multipoint mode

  • Auto Discovery VPN (ADVPN)

  • IKEv2 EAP with preshared keys

    Note

    The IKEv2 NCP Exclusive Remote Access Client must use certificates for authenticating the SRX Series device.

  • Policy-based VPN

  • IPv6 traffic

  • VPN monitoring

  • Next-hop tunnel binding (NHTB), both auto and manual

  • Multiple traffic selectors within a single Child SA negotiation (each traffic selector negotiates its own IPsec SA pair)

  • Traffic selectors received from the NCP Exclusive Remote Access Client in the same virtual router must not contain overlapping IP addresses

Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client

In many public hotspot environments, UDP traffic is blocked while TCP connections over port 443 are normally allowed. For these environments, SRX Series devices can support SSL Remote Access VPNs by encapsulating IPsec messages within a TCP connection. This implementation is compatible with the third-party NCP Exclusive Remote Access Client. This section describes the support for NCP Exclusive Remote Access Client on SRX Series devices.

Benefits of SSL Remote Access VPNs with NCP Exclusive Remote Access Client

  • Secure remote access is ensured even when a device between the client and the gateway blocks Internet Key Exchange (IKE) traffic (UDP port 500, and UDP port 4500 for NAT-T).

  • Users retain secure access to business applications and resources in all working environments.

NCP Exclusive Remote Access Client

Users running NCP Exclusive Remote Access Client software on Windows, macOS, Apple iOS, and Android devices can establish TCP connections over port 443 with SRX Series devices to exchange encapsulated IPsec traffic.

NCP Exclusive Remote Access Client runs in either of the two following modes:

  • NCP Path Finder v1, which supports IPsec messages encapsulated within a TCP connection over port 443

  • NCP Path Finder v2, which supports IPsec messages with an SSL/TLS connection (NCP Path Finder v2 uses TLSv1.0.)

A full SSL handshake takes place using RSA certificates. IPsec messages are then encrypted with the keys exchanged during the SSL handshake, which results in double encryption: once for the SSL tunnel and again for the IPsec tunnel. Because NCP Path Finder v2 negotiates TLSv1.0, treat the outer TLS layer as a transport wrapper for the IKE and IPsec exchange rather than as the security boundary; peer authentication and confidentiality of user traffic still rest on the inner IKE and IPsec SAs.

Note

For NCP Path Finder v2 mode support, RSA certificates have to be loaded on the SRX Series device and an SSL termination profile that references the certificate must be configured.

The NCP Exclusive Remote Access Client provides a fallback mechanism for the case where regular IPsec connection attempts fail because a firewall or proxy server blocks the IPsec traffic. NCP Path Finder v2 mode is an enhancement that offers full TLS communication, which is not blocked by highly restrictive application-level firewalls or proxies. If a regular IPsec connection cannot be established, the client automatically switches to NCP Path Finder v1 mode. If the client still cannot reach the gateway, it enables NCP Path Finder v2 mode using the full TLS negotiation.

Licensing

A two-user license is supplied by default on an SRX Series device. A license must be purchased and installed for additional concurrent users.

Operation

On an SRX Series device, a TCP encapsulation profile defines the data encapsulation operation for remote access clients. Multiple TCP encapsulation profiles can be configured to handle different sets of clients. For each profile, the following information is configured:

  • Name of the profile.

  • Optional logging of remote access client connections.

  • Tracing options.

  • SSL termination profile for SSL connections.

Note

TCP connections from NCP Exclusive Remote Access Client are accepted on port 443 on the SRX Series device.

The TCP encapsulation profile is configured with the tcp-encap statement at the [edit security] hierarchy level. The profile is then referenced from the IKE gateway that remote clients terminate on, with the tcp-encap-profile statement at the [edit security ike gateway gateway-name] hierarchy level.
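A configuration that wires the pieces described above together, added here as an example and not taken from the original page: an SSL termination profile (needed for NCP Path Finder v2), a TCP encapsulation profile bound to it, the profile attached to the IKE gateway, the host-inbound services on the receiving zone, and J-Web moved off TCP port 443 so that it does not compete with the encapsulated client connections. The profile, certificate, gateway and zone names are assumed; the logging keyword under the tcp-encap profile is given as I recall the hierarchy and should be confirmed with ? in the CLI. Lines beginning with ## are explanatory and must be removed before pasting.

```junos
## SSL termination profile: references an RSA certificate already loaded on the device.
## Without it only NCP Path Finder v1 (plain TCP/443 encapsulation) is available.
set services ssl termination profile ncp-ssl-term server-certificate srx-cert

## TCP encapsulation profile with per-connection logging, tied to the SSL profile.
set security tcp-encap profile ncp-tcp logging
set security tcp-encap profile ncp-tcp ssl-profile ncp-ssl-term

## Reference the profile from the IKE gateway that the remote clients terminate on.
set security ike gateway ncp-gw tcp-encap-profile ncp-tcp

## Let encapsulated connections (TCP 443) and IKE (UDP 500/4500) reach the device
## on the zone that faces the clients.
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone untrust host-inbound-traffic system-services ike

## Move J-Web off 443 so the management port and the client port do not collide.
set system services web-management https port 8443
```

After committing, show security tcp-encap connections lists the encapsulated sessions, and show security ike active-peer detail shows the peer port in use for each connected client.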

Supported Features

The following features are supported on an SRX Series device with NCP Exclusive Remote Access Client:

  • AutoVPN in point-to-point mode with IPsec tunnels based on traffic selectors

  • Traffic initiation from devices behind the gateway on an SRX Series device

  • Dead peer detection

  • Chassis cluster configuration of an SRX Series device

Caveats

TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices. Change the J-Web device management port from its default of 443, and configure tcp-encap as a host-inbound system service on the zone that receives client connections with the set security zones security-zone zone host-inbound-traffic system-services tcp-encap command. IKE must also be configured as a host-inbound system service on that zone with the set security zones security-zone zone host-inbound-traffic system-services ike command.

Note

NCP Exclusive Remote Access Clients and J-Web connections cannot use the same TCP port 443.

Tunnels that use TCP connections might not survive ISSU if the dead peer detection (DPD) timeout is too short. To survive ISSU, increase the DPD timeout to a value greater than 120 seconds. The DPD timeout is the product of the configured DPD interval and threshold; for example, an interval of 32 seconds and a threshold of 4 give a timeout of 128 seconds.

The default DPD settings on the NCP Exclusive Remote Access Client specify sending messages at 20-second intervals for a maximum of eight times. When chassis cluster failover occurs, the SRX Series devices might not recover within the parameters specified by the DPD settings and the tunnel goes down. In this case, increase the DPD interval on the NCP Exclusive Remote Access Client to 60 seconds.

NAT-T is disabled during negotiation with clients where the configuration uses tcp-encap, because NAT-T is not required for these tunnels.

The following features are not supported on an SRX Series device with NCP Exclusive Remote Access Clients:

  • Routing protocols

  • AutoVPN with the st0 interface in point-to-multipoint mode

  • Auto Discovery VPN (ADVPN)

  • Policy-based VPN

  • IPv6 traffic

  • VPN monitoring

  • Next-hop tunnel binding (NHTB), both automatic and manual

Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients

This example shows how to configure an SRX Series device or a vSRX instance to support IKEv2 IPsec VPN connections from NCP Exclusive Remote Access Clients. The configuration also supports TCP encapsulated traffic from NCP Exclusive Remote Access Clients.

Requirements

This example uses the following hardware and software components:

  • Supported SRX Series device or vSRX instance running Junos OS Release 15.1X49-D80 or later.

  • NCP Exclusive Remote Access Client software must be downloaded on supported user devices.

A two-user license is supplied by default on an SRX Series device. A license must be purchased and installed for additional users. Contact your Juniper Networks representative for license information.

Before you begin:

  • On the SRX Series device:

    • Configure network interfaces.

    Note

    TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices, which is also the default port for TCP-based device management such as J-Web. The TCP encapsulation system service must be configured for host-inbound traffic on the zone in which NCP Exclusive Remote Access Client connections are received (the untrust zone in this example). If J-Web is kept on port 443, the web-management system service must also be configured for host-inbound traffic on the zones that need it; see the Caveats section above on sharing port 443.

  • Configure the NCP Exclusive Remote Access Client. See the documentation for the NCP Exclusive Remote Access Client for information on how to do this.

    Note

    The configuration of the NCP Exclusive Remote Access Client profile must match the VPN configuration on the SRX Series device.

  • In this example, an external RADIUS server (such as an Active Directory server) authenticates IKEv2 Exclusive Remote Access Client users using the EAP-TLS protocol. In this example, the RADIUS server is configured with the IP address 192.0.2.12. See your RADIUS server documentation for information on configuring user authentication.

Overview

In this example, IKEv2 Exclusive Remote Access Client users are authenticated with an external RADIUS server using EAP-TLS. An authenticated client is assigned an IP address and a primary DNS server from a local address pool configured on the SRX Series device. The traffic selector is configured with 0.0.0.0/0 for the remote and local addresses, which means that any traffic is permitted on the tunnel.

TCP encapsulation and IKE host inbound system services are configured on the untrust security zone. If J-Web is used on port 443, HTTPS host inbound system service should also be configured.

Note

In this example, the security policies permit all traffic. More restrictive security policies should be configured for production environments.

Table 1 shows the IKE and IPSec values configured on the SRX Series device to support NCP Exclusive Remote Access Client connections in this example.

Table 1: IKE and IPsec Options on the SRX Series Device for NCP Exclusive Remote Access Client Connections

  Option                                 Value

  IKE proposal:
    Authentication method                rsa-signatures
    Diffie-Hellman (DH) group            group19
    Encryption algorithm                 aes-256-gcm

  IKE policy:
    Certificate                          local-certificate

  IKE gateway:
    Dynamic                              user-at-hostname
    IKE user type                        group-ike-id
    Version                              v2-only

  IPsec proposal:
    Protocol                             esp
    Encryption algorithm                 aes-256-gcm

  IPsec policy:
    Perfect Forward Secrecy (PFS) group  group19

Topology

Figure 1 shows the network connections in this example.

Figure 1: NCP Exclusive Remote Client Connection to the SRX Series VPN Gateway

Configuration

Enroll Certificates in the SRX Series Device

Step-by-Step Procedure

In this example, the first step is to enroll a certificate authority (CA) certificate and a local certificate in the SRX Series device. The local certificate authenticates the SRX Series device to remote clients. The CA in this example is a Microsoft Certificate Authority; with a different CA the enrollment and CRL URLs will differ. The CA server must support SCEP for the enrollment steps below.

  1. Configure the CA profile.

    The configuration of the CA profile depends on the CA server used. In this example, CRL is used to check certificate revocation. Use the appropriate enrollment and CRL URLs for your environment.

    The CA profile configuration must be committed before you can proceed.

  2. Enroll the CA certificate.

    Type yes at the prompt to load the CA certificate only after confirming, through a channel independent of the SCEP server, that the displayed certificate fingerprint is the one expected for the CA.

  3. Verify the CA certificate by checking its revocation status.
  4. Generate a key pair for the local certificate.
  5. Enroll the local certificate. In this example, the certificate is enrolled using Simple Certificate Enrollment Protocol (SCEP).
  6. Verify the local certificate by checking its revocation status.

Configure the SRX Series Device for Remote Clients

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the SRX Series device to support NCP Exclusive Remote Access Clients:

  1. Configure the local address pool.
  2. Configure the local access profile.
  3. Configure the TCP encapsulation profile.
  4. Create SSL termination profile.
    Note

    When no SSL termination profile is configured, only NCP Path Finder v1 mode is supported. NCP Path Finder v2 requires an SSL termination profile; when one is configured, NCP Path Finder v1 remains supported as well.

  5. Attach SSL profile to tcp-encap profile.
  6. Configure interfaces.
  7. Configure the IKE proposal, policy, and gateways.
  8. Configure the IPsec proposal, policy, and VPN.
  9. Configure zones.
  10. Configure an address book for the IP addresses assigned to remote access users.
  11. Configure security policies.
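Steps 1 through 11 as one complete set configuration, added here as an example rather than the page's own listing. The IKE and IPsec values follow Table 1 and the RADIUS server address follows the Overview (192.0.2.12); every other name, interface, prefix and secret is assumed for illustration, and the local certificate srx-cert is the one enrolled in the previous procedure. The user-at-hostname value is a placeholder for the identity format the clients present. Lines beginning with ## are explanatory and must be removed before pasting.

```junos
## 1. Local address pool: clients receive a /32 from the range, plus a primary DNS server.
set access address-assignment pool ncp-pool family inet network 192.168.100.0/24
set access address-assignment pool ncp-pool family inet range ncp-range low 192.168.100.10 high 192.168.100.200
set access address-assignment pool ncp-pool family inet xauth-attributes primary-dns 192.168.1.53/32

## 2. Access profile: RADIUS for EAP-TLS (the SRX only relays EAP), local pool for addresses.
set access profile ncp-profile authentication-order radius
set access profile ncp-profile address-assignment pool ncp-pool
set access profile ncp-profile radius-server 192.0.2.12 secret "radius-shared-secret"

## 3-5. TCP encapsulation profile and SSL termination profile (Path Finder v1 and v2).
set services ssl termination profile ncp-ssl-term server-certificate srx-cert
set security tcp-encap profile ncp-tcp ssl-profile ncp-ssl-term

## 6. Interfaces: untrust-facing, trust-facing, and the secure tunnel interface.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.0.1/24
set interfaces st0 unit 0 family inet

## 7. IKE proposal, policy and gateway (Table 1 values; IKEv2 only, EAP via the access profile).
set security ike proposal ncp-ike-prop authentication-method rsa-signatures
set security ike proposal ncp-ike-prop dh-group group19
set security ike proposal ncp-ike-prop encryption-algorithm aes-256-gcm
set security ike policy ncp-ike-pol proposals ncp-ike-prop
set security ike policy ncp-ike-pol certificate local-certificate srx-cert
set security ike gateway ncp-gw ike-policy ncp-ike-pol
set security ike gateway ncp-gw dynamic user-at-hostname "user@example.com"
set security ike gateway ncp-gw dynamic ike-user-type group-ike-id
set security ike gateway ncp-gw aaa access-profile ncp-profile
set security ike gateway ncp-gw external-interface ge-0/0/0.0
set security ike gateway ncp-gw version v2-only
set security ike gateway ncp-gw tcp-encap-profile ncp-tcp

## 8. IPsec proposal, policy and route-based VPN with a 0.0.0.0/0 traffic selector.
set security ipsec proposal ncp-ipsec-prop protocol esp
set security ipsec proposal ncp-ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec policy ncp-ipsec-pol perfect-forward-secrecy keys group19
set security ipsec policy ncp-ipsec-pol proposals ncp-ipsec-prop
set security ipsec vpn ncp-vpn bind-interface st0.0
set security ipsec vpn ncp-vpn ike gateway ncp-gw
set security ipsec vpn ncp-vpn ike ipsec-policy ncp-ipsec-pol
set security ipsec vpn ncp-vpn traffic-selector ts-all local-ip 0.0.0.0/0
set security ipsec vpn ncp-vpn traffic-selector ts-all remote-ip 0.0.0.0/0

## 9. Zones: IKE and tcp-encap must be host-inbound on the zone facing the clients.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0

## 10. Address book entry for the client pool, so policies can name it instead of "any".
set security address-book global address ncp-clients 192.168.100.0/24

## 11. Policies: scoped to the client pool rather than the permit-all policies of the page.
set security policies from-zone vpn to-zone trust policy ncp-in match source-address ncp-clients
set security policies from-zone vpn to-zone trust policy ncp-in match destination-address any
set security policies from-zone vpn to-zone trust policy ncp-in match application any
set security policies from-zone vpn to-zone trust policy ncp-in then permit
set security policies from-zone trust to-zone vpn policy ncp-out match source-address any
set security policies from-zone trust to-zone vpn policy ncp-out match destination-address ncp-clients
set security policies from-zone trust to-zone vpn policy ncp-out match application any
set security policies from-zone trust to-zone vpn policy ncp-out then permit
```

The policies above are already narrower than the permit-all policies the page uses; in production, restrict destination-address and application further to the resources remote users actually need. Because the pool is 191 addresses and a released address is held for a minute after disconnect, size the pool above the expected number of concurrent users.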

Results

From configuration mode, confirm your configuration by entering the show access and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying That IKE SAs Are Established

Purpose

Display information about IKE SAs.

Action

From operational mode, enter the show security ike security-associations command.

From operational mode, enter the show security ike security-associations detail command.

Verifying Remote Users and Their IP Connections

Purpose

Display the list of connected active users with details about the peer addresses and ports they are using.

Action

From operational mode, enter the show security ike active-peer command.

From operational mode, enter the show security ike active-peer detail command.

Verifying TCP Encapsulation Sessions

Purpose

Display information about TCP encapsulation sessions.

Action

From operational mode, enter the show security tcp-encap connections command.

From operational mode, enter the show security tcp-encap statistics command.