Remote Access VPNs with NCP Exclusive Remote Access Client
The NCP Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is only available with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links to SRX Series Gateways from any location.
Understanding IPsec VPNs with NCP Exclusive Remote Access Client
This section describes IPsec VPN support on SRX Series devices for NCP Exclusive Remote Access Client software.
- NCP Exclusive Remote Access Client
- Licensing
- AutoVPN
- Traffic Selectors
- NCP Exclusive Remote Access Client Authentication
- Remote Access Client Attribute and IP Address Assignment
- Supported Features
- Caveats
NCP Exclusive Remote Access Client
Users running NCP Exclusive Remote Access Client software on Windows and macOS devices can establish IKEv1 or IKEv2 IPsec VPN connections with SRX Series devices. The NCP Exclusive Remote Access Client software can be downloaded from NCP.
Licensing
A two-user license is supplied by default on an SRX Series device. A license is required for additional users. Contact your Juniper Networks representative for all remote access licensing.
Licensing is based on the number of users. For example, if the number of licenses installed is for 100 users, then 100 different users can establish VPN connections. Because of traffic selectors, each user can establish multiple tunnels. When a user disconnects, their license is released one minute after the IKE and IPsec security associations (SAs) expire.
License enforcement is verified only after Phase 2 negotiation is completed. This means that a remote access user can connect to the SRX Series device and IKE and IPsec SAs can be established, but if the user exceeds the licensed user limit, the user is disconnected.
Licensing for vSRX instances is subscription-based: connected remote access users are not disconnected immediately when an installed license expires. When a remote access user disconnects and the corresponding IKE and IPsec SAs expire, subsequent reconnection of the user depends on whether the currently installed license is expired or not.
AutoVPN
The NCP Exclusive Remote Access Client is supported with AutoVPN in point-to-point secure tunnel interface mode. AutoVPN is only supported on route-based IPsec VPNs on the SRX Series device.
Traffic Selectors
Traffic selectors configured on the SRX Series device and the NCP client determine the client traffic that is sent through the IPsec VPN tunnel. Traffic in and out of the tunnel is allowed only for the negotiated traffic selectors. If the route lookup for a packet’s destination address points to an st0 interface (on which traffic selectors are configured) and the packet’s traffic selector does not match the negotiated traffic selector, the packet is dropped. Multiple Phase 2 IPsec SAs and auto route insertion (ARI) are supported with the NCP Exclusive Remote Access Client. Traffic selector flexible match with port and protocols is not supported. For this feature, the remote address of the traffic selector must be 0.0.0.0/0.
In many cases, all traffic from remote access clients is sent through VPN tunnels. The local address configured in the traffic selector can be 0.0.0.0/0 or a specific address, as explained in the next sections.
Configuring a traffic selector on the SRX Series device with the remote address 0.0.0.0/0 is supported for NCP Exclusive Remote Access Client connections. After VPN negotiation is completed, the remote address for the traffic selector is expected to be a single IP address (the address of the remote access client assigned by either a RADIUS server or the local address pool).
Split Tunneling
Split tunneling uses a shorter prefix than 0.0.0.0/0 as the protected resource’s address for the local address in a traffic selector configured on the SRX Series device. A corresponding traffic selector can be configured on the remote access client. The SRX Series device allows traffic on the VPN tunnel that matches the results of the flexible match from both traffic selectors. If the traffic selector configured on the remote access client cannot be matched with the traffic selector configured on the SRX Series device, tunnel negotiation fails. For IKEv1, the local and remote addresses in the client's traffic selector configuration must be the same addresses or a subset of the addresses in the corresponding traffic selector configured on the SRX Series device.
Multiple Subnetworks
On the SRX Series device, one traffic selector can be configured for each protected subnetwork. Subnetworks cannot overlap. On the NCP Exclusive Remote Access Client, one traffic selector must be configured for each traffic selector configured on the SRX Series device. Addresses that are configured in the split tunnel window of the NCP Exclusive Remote Access Client are used as the client's remote traffic selector; these addresses must be the same addresses or a subset of the addresses in the corresponding traffic selector configured on the SRX Series device. One IPsec SA pair is created for each traffic selector.
NCP Exclusive Remote Access Client Authentication
There are two forms of extended authentication of the NCP Exclusive Remote Access Client, depending on the IKE version of the client:
IKEv1 NCP Exclusive Remote Access Client authentication is supported with XAuth using either a RADIUS server or a local access profile. For IKEv1 remote access connections, preshared keys are used for IKE Phase 1 authentication. Extended Authentication (XAuth) is used to authenticate the remote access user. The SRX Series device must be configured for IKE aggressive mode.
For the IKEv1 NCP Exclusive Remote Access Client, preshared key authentication is supported with AutoVPN. For AutoVPN deployments that do not use user-based authentication, only certificate authentication is supported.
IKEv2 NCP Exclusive Remote Access Client authentication requires a RADIUS server that supports EAP. The SRX Series device acts as a pass-through authenticator to relay EAP messages between the NCP Exclusive Remote Access Client and the RADIUS server. The following EAP authentication types are supported:
- EAP-MSCHAPv2 (the RADIUS server must generate a primary session key for EAP-MSCHAPv2)
- EAP-MD5
- EAP-TLS
For the IKEv2 NCP Exclusive Remote Access Client, a digital certificate is used to authenticate the SRX Series device. Extensible Authentication Protocol (EAP) is used to authenticate the remote access client.
Remote Access Client Attribute and IP Address Assignment
Attribute Assignment
For IKEv1 or IKEv2 remote access clients, attributes can be assigned through a RADIUS server or through local network attributes configuration. If a RADIUS server is used for authentication but no network attributes are assigned, network attributes (including IP addresses) can be configured locally if needed.
The following client attributes, defined in RFC 2865, are supported with IKEv1 and IKEv2 NCP Exclusive Remote Access Client:
- Framed-IP-Address
- Framed-IP-Netmask
The following Juniper vendor-specific attributes (VSAs) are supported with IKEv1 and IKEv2 NCP Exclusive Remote Access Client:
- Juniper-Primary-DNS
- Juniper-Primary-Wins
- Juniper-Secondary-DNS (only available with IKEv2)
- Juniper-Secondary-Wins (only available with IKEv2)
The VSA Juniper-Local-Group-Name is not supported.
IP Address Assignment
If an IP address is allocated from both a local address pool and by a RADIUS server, the IP address allocated by the RADIUS server takes precedence. If the RADIUS server does not return an IP address and there is a user-configured local address pool, an IP address is assigned to the remote client from the local pool.
The number of addresses in the local address pool or RADIUS server address pool should be larger than the number of remote access client users. This is because when a user disconnects, it can take up to one minute for the user to be logged off.
When an IP address is assigned from an external RADIUS server or a local address pool, an IP address with a 32-bit mask is passed to the NCP Exclusive Remote Access Client. After the tunnel is established, auto route insertion (ARI) automatically inserts a static route to the remote client’s IP address so that traffic from behind the SRX Series device can be sent into the VPN tunnel to the client’s IP address.
The configured traffic selectors might not cover the IP addresses allocated by the RADIUS server or a local address pool. In this case, a remote client may not be able to reach an IP address for another remote client in the subnetwork through a VPN tunnel. A traffic selector must be explicitly configured that matches the IP address allocated to the other remote client by the RADIUS server or local address pool.
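The following configuration is an added example (not from the original page) that puts the Multiple Subnetworks rules and the pool-coverage point above into set commands: one traffic selector per protected subnetwork, every remote address 0.0.0.0/0, and a selector covering the client pool so that two remote clients can reach each other. The VPN name RA_SPLIT, the selector names and the 10.10.0.0/16 and 10.20.5.0/24 prefixes are assumed; the gateway RA_IKEv2_EXT-AUTH, IPsec policy RemoteAccess and pool 198.51.100.0/24 come from the configuration example later on this page. Lines starting with ## are annotations to drop before pasting.

```junos
## Added example, not part of the original page. RA_SPLIT, TS_CORP_LAN, TS_DC,
## TS_POOL and the 10.x prefixes are assumed names and values.
set security ipsec vpn RA_SPLIT bind-interface st0.0
set security ipsec vpn RA_SPLIT ike gateway RA_IKEv2_EXT-AUTH
set security ipsec vpn RA_SPLIT ike ipsec-policy RemoteAccess
##
## One traffic selector per protected subnetwork. The local-ip prefixes must not
## overlap each other, and the remote-ip must be 0.0.0.0/0; after negotiation it
## narrows to the single /32 address assigned to the client by RADIUS or the pool.
## Each selector yields its own IPsec SA pair.
set security ipsec vpn RA_SPLIT traffic-selector TS_CORP_LAN local-ip 10.10.0.0/16
set security ipsec vpn RA_SPLIT traffic-selector TS_CORP_LAN remote-ip 0.0.0.0/0
set security ipsec vpn RA_SPLIT traffic-selector TS_DC local-ip 10.20.5.0/24
set security ipsec vpn RA_SPLIT traffic-selector TS_DC remote-ip 0.0.0.0/0
##
## Without a selector that covers the address pool, traffic from one remote client
## to another client's assigned address is dropped at st0, so cover the pool too.
set security ipsec vpn RA_SPLIT traffic-selector TS_POOL local-ip 198.51.100.0/24
set security ipsec vpn RA_SPLIT traffic-selector TS_POOL remote-ip 0.0.0.0/0
```

On the client, the split-tunnel window must list 10.10.0.0/16, 10.20.5.0/24 and 198.51.100.0/24 (or subsets of them), one entry per selector, or tunnel negotiation fails.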
Supported Features
The following features are supported on the SRX Series device with the NCP Exclusive Remote Access Client:
- Traffic initiation from the SRX Series device as well as the NCP Exclusive Remote Access Client
- Remote access clients behind a NAT device (NAT-T)
- Dead peer detection
- Chassis cluster configuration of the SRX Series device
Caveats
The following features are not supported on the SRX Series device with the NCP Exclusive Remote Access Client:
- Routing protocols
- AutoVPN with the st0 interface in point-to-multipoint mode
- Auto Discovery VPN (ADVPN)
- IKEv2 EAP with preshared keys (the IKEv2 NCP Exclusive Remote Access Client must use certificates for authenticating the SRX Series device)
- Policy-based VPN
- IPv6 traffic
- VPN monitoring
- Next-hop tunnel binding (NHTB), both auto and manual
- Multiple traffic selectors in negotiation
- Traffic selectors received from the NCP Exclusive Remote Access Client in the same virtual router must not contain overlapping IP addresses
Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client
In many public hotspot environments, UDP traffic is blocked while TCP connections over port 443 are normally allowed. For these environments, SRX Series devices can support SSL Remote Access VPNs by encapsulating IPsec messages within a TCP connection. This implementation is compatible with the third-party NCP Exclusive Remote Access Client. This section describes the support for NCP Exclusive Remote Access Client on SRX Series devices.
- Benefits of SSL Remote Access VPNs with NCP Exclusive Remote Access Client
- NCP Exclusive Remote Access Client
- Licensing
- Operation
- Supported Features
- Caveats
Benefits of SSL Remote Access VPNs with NCP Exclusive Remote Access Client
Secure remote access is ensured even when a device between the client and the gateway blocks Internet Key Exchange (IKE) (UDP port 500).
Users retain secure access to business applications and resources in all working environments.
NCP Exclusive Remote Access Client
Users running NCP Exclusive Remote Access Client software on Windows, macOS, Apple iOS, and Android devices can establish TCP connections over port 443 with SRX Series devices to exchange encapsulated IPsec traffic.
NCP Exclusive Remote Access Client runs in either of the two following modes:
- NCP Path Finder v1, which supports IPsec messages encapsulated within a TCP connection over port 443
- NCP Path Finder v2, which supports IPsec messages within an SSL/TLS connection (NCP Path Finder v2 uses TLSv1.0.)
A proper SSL handshake takes place using RSA certificates. IPsec messages are encrypted with keys exchanged during the SSL handshake. This results in double encryption, once for the SSL tunnel and again for the IPsec tunnel.
For NCP Path Finder v2 mode support, RSA certificates have to be loaded on the SRX Series device and an SSL termination profile that references the certificate must be configured.
The NCP Exclusive Remote Access Client provides a fallback mechanism for the case where regular IPsec connection attempts fail because a firewall or proxy server blocks the IPsec traffic. NCP Path Finder v2 mode is an enhancement that offers full TLS communication, which is not blocked by highly restrictive application-level firewalls or proxies. If a regular IPsec connection cannot be established, the NCP Exclusive Remote Access Client automatically switches to NCP Path Finder v1 mode. If the client still cannot reach the gateway, it enables NCP Path Finder v2 mode using the full TLS negotiation.
Licensing
A two-user license is supplied by default on an SRX Series device. A license must be purchased and installed for additional concurrent users.
Operation
On an SRX Series device, a TCP encapsulation profile defines the data encapsulation operation for remote access clients. Multiple TCP encapsulation profiles can be configured to handle different sets of clients. For each profile, the following information is configured:
- Name of the profile.
- Optional logging of remote access client connections.
- Tracing options.
- SSL termination profile for SSL connections.
TCP connections from NCP Exclusive Remote Access Client are accepted on port 443 on the SRX Series device.
The TCP encapsulation profile is configured with the tcp-encap statement at the [edit security] hierarchy level. The encapsulation profile is then specified with the tcp-encap-profile statement at the [edit security ike gateway gateway-name] hierarchy level, which includes the TCP encapsulation profile in the IKE gateway configuration. For example:
user@host# set security tcp-encap profile ncp
user@host# set security tcp-encap profile ncp ssl-profile RemoteAccess
user@host# set security ike gateway RA tcp-encap-profile ncp
user@host# set security zones security-zone zone-name interfaces interface-name host-inbound-traffic system-services ike
user@host# set security zones security-zone zone-name interfaces interface-name host-inbound-traffic system-services tcp-encap
Supported Features
The following features are supported on an SRX Series device with NCP Exclusive Remote Access Client:
- AutoVPN in point-to-point mode with IPsec tunnels based on traffic selectors
- Traffic initiation from devices behind the gateway on an SRX Series device
- Dead peer detection
- Chassis cluster configuration of an SRX Series device
Caveats
TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices. The J-Web device management port should therefore be changed from the default port 443, and tcp-encap must be configured as a host-inbound system service with the set security zones security-zone zone host-inbound-traffic system-services tcp-encap command. (IKE must also be configured as a host-inbound system service with the set security zones security-zone zone host-inbound-traffic system-services ike command.)
Tunnels that use TCP connections might not survive ISSU if the dead peer detection (DPD) timeout is not large enough. To survive ISSU, increase the DPD timeout to a value greater than 120 seconds. The DPD timeout is a product of the configured DPD interval and threshold. For example, if the DPD interval is 32 and the threshold is 4, the timeout is 128.
The default DPD settings on the NCP Exclusive Remote Access Client specify sending messages at 20-second intervals for a maximum of eight times. When chassis cluster failover occurs, the SRX Series devices might not recover within the parameters specified by the DPD settings and the tunnel goes down. In this case, increase the DPD interval on the NCP Exclusive Remote Access Client to 60 seconds.
NAT-T is disabled during negotiation with clients where the configuration uses tcp-encap, because NAT-T is not required for these tunnels.
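As an added example (not from the original page), the following set commands place a DPD setting that fails the ISSU caveat above beside one that satisfies it, and move J-Web off port 443 so that tcp-encap can own it. The gateway name RA_IKEv2_EXT-AUTH and zone Untrust follow the configuration example later on this page; the DPD values and the alternative J-Web port 8443 are assumed.

```junos
## Added example, not part of the original page. DPD values and port 8443 are
## assumed; the gateway and zone names follow this page's configuration example.
##
## Weak setting: timeout = interval x threshold = 20 x 4 = 80 seconds, which is
## below the 120 seconds a TCP-encapsulated tunnel needs to survive ISSU.
set security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection interval 20
set security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection threshold 4
##
## Corrected setting: 60 x 5 = 300 seconds, comfortably above 120 seconds.
## always-send sends probes regardless of tunnel traffic, so a client that has
## silently disappeared is still detected and its SAs torn down.
delete security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection
set security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection always-send
set security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection interval 60
set security ike gateway RA_IKEv2_EXT-AUTH dead-peer-detection threshold 5
##
## tcp-encap listens on TCP 443, so move J-Web to another port (8443 assumed)
## and allow both ike and tcp-encap as host-inbound services on the zone that
## receives the client connections.
set system services web-management https port 8443
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services tcp-encap
```

The client-side DPD interval (60 seconds for chassis cluster failover, as noted above) is set in the NCP client profile, not on the SRX Series device.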
The following features are not supported on an SRX Series device with NCP Exclusive Remote Access Clients:
- Routing protocols
- AutoVPN with the st0 interface in point-to-multipoint mode
- Auto Discovery VPN (ADVPN)
- Policy-based VPN
- IPv6 traffic
- VPN monitoring
- Next-hop tunnel binding (NHTB), both automatic and manual
Example: Configuring the SRX Series Device for NCP Exclusive Remote Access Clients
This example shows how to configure an SRX Series device or a vSRX instance to support IKEv2 IPsec VPN connections from NCP Exclusive Remote Access Clients. The configuration also supports TCP encapsulated traffic from NCP Exclusive Remote Access Clients.
Requirements
This example uses the following hardware and software components:
Supported SRX Series device or vSRX instance running Junos OS Release 15.1X49-D80 or later.
NCP Exclusive Remote Access Client software must be downloaded on supported user devices.
A two-user license is supplied by default on an SRX Series device. A license must be purchased and installed for additional users. Contact your Juniper Networks representative for all remote access licensing.
Before you begin:
On the SRX Series device:
Configure network interfaces.
TCP connections from NCP Exclusive Remote Access Clients use port 443 on SRX Series devices. Device management on TCP connections, such as J-Web, can use port 443 on SRX Series devices. TCP encapsulation system service must be configured for host inbound traffic on the zone in which NCP Exclusive Remote Access Client connections are received (the untrust zone in this example). If J-Web is used on port 443, Web management system service must be configured for host inbound traffic on the required zone.
Configure the NCP Exclusive Remote Access Client. See the documentation for the NCP Exclusive Remote Access Client for information on how to do this.
The configuration of the NCP Exclusive Remote Access Client profile must match the VPN configuration on the SRX Series device.
In this example, an external RADIUS server (such as an Active Directory server) authenticates IKEv2 Exclusive Remote Access Client users using the EAP-TLS protocol. In this example, the RADIUS server is configured with the IP address 192.0.2.12. See your RADIUS server documentation for information on configuring user authentication.
Overview
In this example, IKEv2 Exclusive Remote Access Client users are authenticated with an external RADIUS server using EAP-TLS. An authenticated client is assigned an IP address and a primary DNS server from a local address pool configured on the SRX Series device. The traffic selector is configured with 0.0.0.0/0 for the remote and local addresses, which means that any traffic is permitted on the tunnel.
TCP encapsulation and IKE host inbound system services are configured on the untrust security zone. If J-Web is used on port 443, HTTPS host inbound system service should also be configured.
In this example, the security policies permit all traffic. More restrictive security policies should be configured for production environments.
Table 1 shows the IKE and IPsec values configured on the SRX Series device to support NCP Exclusive Remote Access Client connections in this example.
Section | Option | Value
---|---|---
IKE proposal | Authentication method | rsa-signatures
IKE proposal | Diffie-Hellman (DH) group | group19
IKE proposal | Encryption algorithm | aes-256-gcm
IKE policy | Certificate | local-certificate
IKE gateway | Dynamic | user-at-hostname
IKE gateway | IKE user type | group-ike-id
IKE gateway | Version | v2-only
IPsec proposal | Protocol | esp
IPsec proposal | Encryption algorithm | aes-256-gcm
IPsec policy | Perfect Forward Secrecy (PFS) group | group19
Topology
Figure 1 shows the network connections in this example.

Configuration
Enroll Certificates in the SRX Series Device
Step-by-Step Procedure
In this example, the first step is to enroll a certificate authority (CA) certificate and a local certificate in the SRX Series device. The local certificate is used to authenticate the SRX Series device to remote clients. The example uses a Microsoft Certificate Authority; with a different CA, the enrollment URL below will differ. The CA server must support SCEP for the enrollment commands below to work.
Configure the CA profile.
The configuration of the CA profile depends on the CA server used. In this example, CRL is used to check certificate revocation. Use the appropriate enrollment and CRL URLs for your environment.
[edit]
user@host# set security pki ca-profile CA_Server ca-identity CA_Server
user@host# set security pki ca-profile CA_Server enrollment url http://192.0.2.12/certsrv/mscep/mscep.dll
user@host# set security pki ca-profile CA_Server revocation-check crl url http://192.0.2.12/crl
user@host# commit
The CA profile configuration must be committed before you can proceed.
Enroll the CA certificate.
user@host> request security pki ca-certificate enroll ca-profile CA_Server
Type yes at the prompt to load the CA certificate, if the value is trusted.
Verify the CA certificate by checking its revocation status.
user@host> request security pki ca-certificate verify ca-profile CA_Server
Generate a key pair for the local certificate.
user@host> request security pki generate-key-pair certificate-id RemoteAccessNCP size 2048 type rsa
Enroll the local certificate. In this example, the certificate is enrolled using Simple Certificate Enrollment Protocol (SCEP).
user@host> request security pki local-certificate enroll scep ca-profile CA_Server certificate-id RemoteAccessNCP domain-name example.net subject DC=example.net,L=Sunnyvale,O=example,OU=example challenge-password <password>
Verify the local certificate by checking its revocation status.
user@host> request security pki local-certificate verify certificate-id RemoteAccessNCP
Configure the SRX Series Device for Remote Clients
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set access address-assignment pool RA_LOCAL-IP-POOL family inet network 198.51.100.0/24
set access address-assignment pool RA_LOCAL-IP-POOL family inet range REMOTEACCESS low 198.51.100.10
set access address-assignment pool RA_LOCAL-IP-POOL family inet range REMOTEACCESS high 198.51.100.254
set access address-assignment pool RA_LOCAL-IP-POOL family inet xauth-attributes primary-dns 192.0.2.12/32
set access profile RA_EXTERNAL-AUTH authentication-order radius
set access profile RA_EXTERNAL-AUTH address-assignment pool RA_LOCAL-IP-POOL
set access profile RA_EXTERNAL-AUTH radius-server 192.0.2.12 secret "$ABC123"
set security tcp-encap profile NCP
set services ssl termination profile RemoteAccess server-certificate RemoteAccessNCP
set security tcp-encap profile NCP ssl-profile RemoteAccess
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.3/24
set interfaces st0 unit 0 family inet
set security ike proposal CERT-DH19-AES256GCM authentication-method rsa-signatures
set security ike proposal CERT-DH19-AES256GCM dh-group group19
set security ike proposal CERT-DH19-AES256GCM encryption-algorithm aes-256-gcm
set security ike policy RA_IKEv2_EXT-AUTH proposals CERT-DH19-AES256GCM
set security ike policy RA_IKEv2_EXT-AUTH certificate local-certificate RemoteAccessNCP
set security ike gateway RA_IKEv2_EXT-AUTH ike-policy RA_IKEv2_EXT-AUTH
set security ike gateway RA_IKEv2_EXT-AUTH dynamic user-at-hostname "remoteuser@example.net"
set security ike gateway RA_IKEv2_EXT-AUTH dynamic ike-user-type group-ike-id
set security ike gateway RA_IKEv2_EXT-AUTH external-interface ge-0/0/1.0
set security ike gateway RA_IKEv2_EXT-AUTH aaa access-profile RA_EXTERNAL-AUTH
set security ike gateway RA_IKEv2_EXT-AUTH version v2-only
set security ike gateway RA_IKEv2_EXT-AUTH tcp-encap-profile NCP
set security ipsec proposal ESP-AES256GCM protocol esp
set security ipsec proposal ESP-AES256GCM encryption-algorithm aes-256-gcm
set security ipsec policy RemoteAccess perfect-forward-secrecy keys group19
set security ipsec policy RemoteAccess proposals ESP-AES256GCM
set security ipsec vpn RA_IKEv2_EXT-AUTH bind-interface st0.0
set security ipsec vpn RA_IKEv2_EXT-AUTH ike gateway RA_IKEv2_EXT-AUTH
set security ipsec vpn RA_IKEv2_EXT-AUTH ike ipsec-policy RemoteAccess
set security ipsec vpn RA_IKEv2_EXT-AUTH traffic-selector NO-SPLIT local-ip 0.0.0.0/0
set security ipsec vpn RA_IKEv2_EXT-AUTH traffic-selector NO-SPLIT remote-ip 0.0.0.0/0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust host-inbound-traffic system-services tcp-encap
set security zones security-zone Trust interfaces ge-0/0/2.0
set security zones security-zone VPN interfaces st0.0
set security address-book global address RemoteAccessNetworks 198.51.100.0/24
set security policies from-zone VPN to-zone Trust policy 1 match source-address RemoteAccessNetworks
set security policies from-zone VPN to-zone Trust policy 1 match destination-address any
set security policies from-zone VPN to-zone Trust policy 1 match application any
set security policies from-zone VPN to-zone Trust policy 1 then permit
set security policies from-zone VPN to-zone Trust policy 1 then log session-init
set security policies from-zone VPN to-zone Trust policy 1 then log session-close
set security policies from-zone Trust to-zone VPN policy 1 match source-address any
set security policies from-zone Trust to-zone VPN policy 1 match destination-address RemoteAccessNetworks
set security policies from-zone Trust to-zone VPN policy 1 match application any
set security policies from-zone Trust to-zone VPN policy 1 then permit
set security policies from-zone Trust to-zone VPN policy 1 then log session-init
set security policies from-zone Trust to-zone VPN policy 1 then log session-close
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the SRX Series device to support NCP Exclusive Remote Access Clients:
Configure the local address pool.
[edit access address-assignment pool RA_LOCAL-IP-POOL]
user@host# set family inet network 198.51.100.0/24
user@host# set family inet range REMOTEACCESS low 198.51.100.10
user@host# set family inet range REMOTEACCESS high 198.51.100.254
user@host# set family inet xauth-attributes primary-dns 192.0.2.12/32
Configure the local access profile.
[edit access profile RA_EXTERNAL-AUTH]
user@host# set authentication-order radius
user@host# set address-assignment pool RA_LOCAL-IP-POOL
user@host# set radius-server 192.0.2.12 secret "$ABC123"
Configure the TCP encapsulation profile.
[edit]
user@host# set security tcp-encap profile NCP
Create the SSL termination profile.
[edit]
user@host# set services ssl termination profile RemoteAccess server-certificate RemoteAccessNCP
If no SSL termination profile is configured, only NCP Path Finder v1 mode is supported. NCP Path Finder v2 requires an SSL termination profile; NCP Path Finder v1 remains supported when an SSL termination profile is configured.
Attach the SSL profile to the tcp-encap profile.
[edit]
user@host# set security tcp-encap profile NCP ssl-profile RemoteAccess
Configure interfaces.
[edit interfaces]
user@host# set ge-0/0/1 unit 0 family inet address 203.0.113.1/24
user@host# set ge-0/0/2 unit 0 family inet address 192.0.2.3/24
user@host# set st0 unit 0 family inet
Configure the IKE proposal, policy, and gateways.
[edit security ike proposal CERT-DH19-AES256GCM]
user@host# set authentication-method rsa-signatures
user@host# set dh-group group19
user@host# set encryption-algorithm aes-256-gcm
[edit security ike policy RA_IKEv2_EXT-AUTH]
user@host# set proposals CERT-DH19-AES256GCM
user@host# set certificate local-certificate RemoteAccessNCP
[edit security ike gateway RA_IKEv2_EXT-AUTH]
user@host# set ike-policy RA_IKEv2_EXT-AUTH
user@host# set dynamic user-at-hostname "remoteuser@example.net"
user@host# set dynamic ike-user-type group-ike-id
user@host# set external-interface ge-0/0/1.0
user@host# set aaa access-profile RA_EXTERNAL-AUTH
user@host# set version v2-only
user@host# set tcp-encap-profile NCP
Configure the IPsec proposal, policy, and VPN.
[edit security ipsec proposal ESP-AES256GCM]
user@host# set protocol esp
user@host# set encryption-algorithm aes-256-gcm
[edit security ipsec policy RemoteAccess]
user@host# set perfect-forward-secrecy keys group19
user@host# set proposals ESP-AES256GCM
[edit security ipsec vpn RA_IKEv2_EXT-AUTH]
user@host# set bind-interface st0.0
user@host# set ike gateway RA_IKEv2_EXT-AUTH
user@host# set ike ipsec-policy RemoteAccess
user@host# set traffic-selector NO-SPLIT local-ip 0.0.0.0/0
user@host# set traffic-selector NO-SPLIT remote-ip 0.0.0.0/0
Configure zones.
[edit security zones security-zone Untrust]
user@host# set interfaces ge-0/0/1.0
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services tcp-encap
[edit security zones security-zone Trust]
user@host# set interfaces ge-0/0/2.0
[edit security zones security-zone VPN]
user@host# set interfaces st0.0
Configure an address book for the IP addresses assigned to remote access users.
[edit security address-book global]
user@host# set address RemoteAccessNetworks 198.51.100.0/24
Configure security policies.
[edit security policies from-zone VPN to-zone Trust]
user@host# set policy 1 match source-address RemoteAccessNetworks
user@host# set policy 1 match destination-address any
user@host# set policy 1 match application any
user@host# set policy 1 then permit
user@host# set policy 1 then log session-init
user@host# set policy 1 then log session-close
[edit security policies from-zone Trust to-zone VPN]
user@host# set policy 1 match source-address any
user@host# set policy 1 match destination-address RemoteAccessNetworks
user@host# set policy 1 match application any
user@host# set policy 1 then permit
user@host# set policy 1 then log session-init
user@host# set policy 1 then log session-close
Results
From configuration mode, confirm your configuration by entering the show access and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show access
profile RA_EXTERNAL-AUTH {
    authentication-order radius;
    address-assignment {
        pool RA_LOCAL-IP-POOL;
    }
    radius-server {
        192.0.2.12 {
            secret "$ABC123"; ## SECRET-DATA
        }
    }
}
address-assignment {
    pool RA_LOCAL-IP-POOL {
        family inet {
            network 198.51.100.0/24;
            range REMOTEACCESS {
                low 198.51.100.10;
                high 198.51.100.254;
            }
            xauth-attributes {
                primary-dns 192.0.2.12/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile xauth-users;
    }
}
user@host# show security
pki {
    ca-profile root-ca {
        ca-identity root-ca;
        revocation-check {
            disable;
        }
    }
    ca-profile CA_Server {
        ca-identity CA_Server;
        enrollment {
            url http://192.0.2.12/certsrv/mscep/mscep.dll;
        }
        revocation-check {
            crl {
                url http://192.0.2.12/crl;
            }
        }
    }
    traceoptions {
        flag all;
    }
}
ike {
    traceoptions {
        file size 100m;
        flag all;
        level 15;
    }
    proposal CERT-DH19-AES256GCM {
        authentication-method rsa-signatures;
        dh-group group19;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-gcm;
        lifetime-seconds 28800;
    }
    policy RA_IKEv2_EXT-AUTH {
        proposals CERT-DH19-AES256GCM;
        certificate {
            local-certificate RemoteAccessNCP;
        }
    }
    gateway RA_IKEv2_EXT-AUTH {
        ike-policy RA_IKEv2_EXT-AUTH;
        dynamic {
            user-at-hostname "remoteuser@example.net";
            ike-user-type group-ike-id;
        }
        dead-peer-detection {
            always-send;
            interval 60;
            threshold 5;
        }
        external-interface ge-0/0/1.0;
        aaa {
            access-profile RA_EXTERNAL-AUTH;
        }
        version v2-only;
        tcp-encap-profile NCP;
    }
}
ipsec {
    proposal ESP-AES256GCM {
        protocol esp;
        encryption-algorithm aes-256-gcm;
    }
    policy RemoteAccess {
        perfect-forward-secrecy {
            keys group19;
        }
        proposals ESP-AES256GCM;
    }
    vpn RA_IKEv2_EXT-AUTH {
        bind-interface st0.0;
        ike {
            gateway RA_IKEv2_EXT-AUTH;
            ipsec-policy RemoteAccess;
        }
        traffic-selector NO-SPLIT {
            local-ip 0.0.0.0/0;
            remote-ip 0.0.0.0/0;
        }
    }
}
address-book {
    global {
        address RemoteAccessNetworks 198.51.100.0/24;
    }
}
flow {
    traceoptions {
        file flowd size 1g files 2;
        flag all;
        trace-level {
            detail;
        }
    }
    tcp-mss {
        ipsec-vpn {
            mss 1350;
        }
    }
    tcp-session {
        maximum-window 1M;
    }
}
policies {
    from-zone VPN to-zone Trust {
        policy 1 {
            match {
                source-address RemoteAccessNetworks;
                destination-address any;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
    from-zone Trust to-zone VPN {
        policy 1 {
            match {
                source-address any;
                destination-address RemoteAccessNetworks;
                application any;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
}
tcp-encap {
    traceoptions {
        file tcp-encap-log;
        level verbose;
        flag all;
    }
    profile NCP {
        ssl-profile RemoteAccess;
    }
}
traceoptions {
    file ipsec size 10m;
    flag all;
}
zones {
    security-zone Untrust {
        host-inbound-traffic {
            system-services {
                ike;
                tcp-encap;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone Trust {
        interfaces {
            ge-0/0/2.0;
        }
    }
    security-zone VPN {
        interfaces {
            st0.0;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying That IKE SAs Are Established
- Verifying Remote Users and Their IP Connections
- Verifying TCP Encapsulation Sessions
Verifying That IKE SAs Are Established
Purpose
Display information about IKE SAs.
Action
From operational mode, enter the show security ike security-associations command.
user@host> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
2203522  UP     c31358637e7a8e0d  ac2aba751adeea8a  IKEv2  198.51.100.200
From operational mode, enter the show security ike security-associations detail command.
user@host> show security ike security-associations detail
IKE peer 172.16.12.200, Index 2203522, Gateway Name: RA_IKEv2_EXT-AUTH
  Role: Responder, State: UP
  Initiator cookie: c31358637e7a8e0d, Responder cookie: ac2aba751adeea8a
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.0.1:500, Remote: 192.51.100.200:10952
  Lifetime: Expires in 28719 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Exclusive Client
  Peer ike-id: remoteuser@example.net
  AAA assigned IP: 198.51.100.23
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-gcm
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
   Input  bytes  :                 3384
   Output bytes  :                 4923
   Input  packets:                    9
   Output packets:                   13
   Input  fragmentated packets:       2
   Output fragmentated packets:       7
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.51.100:500, Remote: 192.51.100.200:10952
    Local identity: 192.51.100.59
    Remote identity: remoteuser@example.net
    Flags: IKE SA is created
Verifying Remote Users and Their IP Connections
Purpose
Display the list of connected active users with details about the peer addresses and ports they are using.
Action
From operational mode, enter the show security ike active-peer command.
user@host> show security ike active-peer
Remote Address   Port   Peer IKE-ID              AAA username   Assigned IP
192.51.100.200   56789  remoteuser@example.net   bob            192.51.100.23
From operational mode, enter the show security ike active-peer detail command.
user@host> show security ike active-peer detail
Peer address: 192.0.2.200, Port: 56789, Peer IKE-ID : remoteuser@example.net
  AAA username: bob
  Assigned network attributes:
   IP Address   : 192.0.2.23     , netmask       : 233.252.0.0
   DNS Address  : 192.0.2.12     , DNS2 Address  : 0.0.0.0
   WINS Address : 0.0.0.0        , WINS2 Address : 0.0.0.0
  Previous Peer address : 0.0.0.0, Port : 0
  Active IKE SA indexes : 42203522
  IKE SA negotiated     : 1
  IPSec tunnels active  : 1, IPSec Tunnel IDs : 67108891
Verifying TCP Encapsulation Sessions
Purpose
Display information about TCP encapsulation sessions.
Action
From operational mode, enter the show security tcp-encap connections command.
user@host> show security tcp-encap connections
Location: FPC: 0, PIC: 0, PIC-NAME: fpc0
Total active connections: 1
  Session-Id   Client               Gateway
  2            NCP-Pathfinder-v2    203.0.113.0
From operational mode, enter the show security tcp-encap statistics command.
user@host> show security tcp-encap statistics
Location: FPC: 0, PIC: 0, PIC-NAME: fpc0
TCP encapsulation statistics:
  Policy Matched: 4
  TCP sessions: 4
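As an added check that is not part of the Juniper documentation, the script below parses the tabular show security ike active-peer output and confirms that every assigned IP lies inside the RA_LOCAL-IP-POOL pool and the RemoteAccessNetworks address-book prefix from the configuration above, since the Trust-to-VPN policy only permits traffic to that prefix. The sample output is constructed, not captured from a device.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show security ike active-peer";
# it is not captured from a real device.
SAMPLE_ACTIVE_PEER = """\
Remote Address   Port   Peer IKE-ID              AAA username   Assigned IP
198.51.100.200   56789  remoteuser@example.net   bob            198.51.100.23
203.0.113.77     40101  remoteuser@example.net   alice          192.0.2.23
"""

# Prefixes from the configuration on this page: the xauth address pool
# RA_LOCAL-IP-POOL and the address-book entry RemoteAccessNetworks that the
# Trust-to-VPN policy uses as its only permitted destination.
POOL_PREFIX = ipaddress.ip_network("198.51.100.0/24")
ADDRESS_BOOK_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# One peer per row: remote address, port, IKE-ID, AAA username, assigned IP.
ROW_RE = re.compile(
    r"^(?P<remote>\S+)\s+(?P<port>\d+)\s+(?P<ike_id>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<assigned>\S+)$"
)


def parse_active_peers(output: str) -> List[Dict[str, str]]:
    """Return one dict per connected peer; the header row does not match ROW_RE."""
    peers = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            peers.append(m.groupdict())
    return peers


def check_assigned_ips(peers: List[Dict[str, str]],
                       pool=POOL_PREFIX,
                       book=ADDRESS_BOOK_PREFIX) -> List[Tuple[str, str, str]]:
    """Flag (user, ip, reason) where an assigned IP is outside the pool
    (unexpected AAA/RADIUS assignment) or outside the address-book prefix
    (return traffic from Trust is dropped by the Trust-to-VPN policy)."""
    findings = []
    for p in peers:
        ip = ipaddress.ip_address(p["assigned"])
        if ip not in pool:
            findings.append((p["user"], str(ip), "outside RA_LOCAL-IP-POOL"))
        if ip not in book:
            findings.append((p["user"], str(ip), "outside RemoteAccessNetworks"))
    return findings
```

Paste the real active-peer output into parse_active_peers in place of the constructed sample; an empty findings list means every connected user holds an address the security policy can reach.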