Understanding Junos OS Enforcer Implementations Using IPsec

To configure an SRX Series or J Series device to act as a Junos OS Enforcer using IPsec, you must:

• Include the identity configured under the security IKE gateway. The identity is a string such as “gateway1.juniper.net”, where gateway1.juniper.net distinguishes between IKE gateways. (The identities specify for which tunnel traffic is intended.)
• Include the preshared seed. This generates the preshared key from the full identity of the remote user for phase 1 credentials.
• Include the RADIUS shared secret. This allows the Infranet Controller to accept RADIUS packets for extended authentication (XAuth) from the Junos OS Infranet Enforcer.

When configuring IPsec between the Infranet Controller, the Odyssey Access Client, and the SRX or J Series device, you should note that the following are IKE (or phase 1) proposal methods or protocol configurations that are supported from the Infranet Controller to the Odyssey Access Client:

• IKE proposal: authentication-method pre-shared-keys (you must specify pre-shared-keys)
• IKE policy:
  • mode aggressive (you must use aggressive mode)
  • pre-shared-key ascii-text key (only ASCII text preshared-keys are supported)
• IKE gateway: dynamic
  • hostname identity (you must specify a unique identity among gateways)
  • ike-user-type group-ike-id (you must specify group-ike-id)
  • xauth access-profile profile (you must specify xauth)

The following are IPsec (or phase 2) proposal methods or protocol configurations that are supported from the Infranet Controller to the Odyssey Access Client.

• IPsec proposal: protocol esp (you must specify esp)
• IPsec VPN: establish-tunnels immediately (you must specify establish-tunnels immediately)

Only one IPsec VPN tunnel is supported per from-zone to to-zone security policy. This is a limitation on the Infranet Controller. Junos OS security policies enable you to define multiple policies differentiated by different source addresses, destination addresses, or both. The Infranet Controller, however, cannot differentiate such configurations. If you enable multiple policies in this manner, the Infranet Controller could potentially identify the incorrect IKE gateway.

Related Topics

• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Unified Access Control Administration Guide
• Understanding Junos OS Enforcer Policy Enforcement
• VPN Overview
• Security Policies Overview
• Example: Configuring the Device as a Junos OS Enforcer Using IPsec (CLI)