Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Create a Remote Access VPN—Juniper Secure Connect

You are here: VPN > IPsec VPN.

Juniper Secure Connect is Juniper’s client-based SSL-VPN solution that offers secure connectivity for your network resources.

Juniper Secure Connect provides secure remote access for the users to connect to the corporate networks and resources remotely using the Internet. Juniper Secure Connect downloads the configuration from SRX Services devices and chooses the most effective transport protocols during connection establishment to deliver a great administrator and user experience.

To create a remote access VPN for Juniper secure connect:

  1. Choose Create VPN > Remote Access > Juniper Secure Connect on the upper right-side of the IPsec VPN page.

    The Create Remote Access (Juniper Secure Connect) page appears.

  2. Complete the configuration according to the guidelines provided in Table 1 through Table 6.

    The VPN connectivity will change from grey to blue line in the topology to show that the configuration is complete.

  3. Click Save to complete Secure Connect VPN Configuration and associated policy if you have selected the auto policy creation option.

    If you want to discard your changes, click Cancel.

Table 1: Fields on the Create Remote Access (Juniper Secure Connect) Page

Field

Action

Name

Enter a name for the remote access connection. This name will be displayed as the end users realm name in the Juniper Secure Connect Client.

Description

Enter a description. This description will be used for the IKE and IPsec proposals, policies, remote access profile, client configuration, and NAT rule set.

During edit the IPsec policy description will be displayed. IPsec policy and remote access profile descriptions will be updated.

Routing Mode

This option is disabled for the remote access.

Default mode is Traffic Selector (Auto Route Insertion).

Authentication Method

Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages:

  • Pre-shared Key (default method)—Specifies that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers with each other. The same key must be configured for each peer. This is the default method.

  • Certificate Based—Specifies the type of digital signatures, which are certificates that confirm the identity of the certificate holder.

    The supported signature is rsa-signatures. rsa-signatures specifies that a public key algorithm, which supports encryption and digital signatures, is used.

Auto-create Firewall Policy

If you select Yes, a firewall policy is automatically created between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address.

Another firewall policy will be created visa-versa.

If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work.

Note:

If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway.

Remote User

Displays the remote user icon in the topology. Click the icon to configure the Juniper Secure Connect client settings.

For more information on the fields, see Table 2.

Note:

The J-Web UI displays the remote user's URL once local gateway is configured.

Local Gateway

Displays the local gateway icon in the topology. Click the icon to configure the local gateway.

For more information on the fields, see Table 3.

IKE and IPsec Settings

Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values.

For more information on the fields, see Table 6.

Note:
  • J-Web supports only one custom IKE proposal and does not support the predefined proposal-set. Upon edit and save, J-Web deletes the predefined proposal set if configured.

  • On the remote gateway of the VPN tunnel, you must configure the same custom proposal and policy.

  • Upon edit, J-Web shows the first custom IKE and IPsec proposal when more than one custom proposal is configured.

Table 2: Fields on the Remote User Page

Field

Action

Default Profile

Enable this option to use the configured VPN name as remote access default profile.

Note:
  • This option is not available if the default profile is configured.

  • You must enable the default profile. If not enabled, configure the default profile under VPN > IPsec VPN > Global Settings > Remote Access VPN.

Connection Mode

Select one of the following options from the list to establish the Juniper Secure Connect client connection:

  • Manual—You need manually connect to the VPN tunnel every time you log in.

  • Always—You are automatically connected to the VPN tunnel every time you log in.

The default connection mode is Manual.

SSL VPN

Enable this option to establish SSL VPN connection from the Juniper Secure Connect Client to the SRX Series device.

By default, this option is enabled.

Note:

This is a fallback option when IPsec ports are not reachable.

Biometric authentication

Enable this option to authenticate the client system using unique configured methods.

An authentication prompt is displayed when you connect in the client system. The VPN connection will only be initiated after successful authentication through the method configured for Windows Hello (fingerprint recognition, face recognition, PIN entry, and so on).

Windows Hello must be preconfigured on the client system if the Biometric authentication option is enabled.

Dead Peer Detection

Enable the dead peer detection (DPD) option to allow the Juniper Secure Connect client to detect if the SRX Series device is reachable.

Disable this option to allow the Juniper Secure Connect client to detect till the SRX Series device connection reachability is restored.

This option is enabled by default.

DPD Interval

Enter the amount of time that the peer waits for traffic from its destination peer before sending a dead-peer-detection (DPD) request packet. The Range is 2 through 60 seconds and default is 60 seconds.

DPD Threshold

Enter the maximum number of unsuccessful dead peer detection (DPD) requests to be sent before the peer is considered unavailable. The Range is 1 through 5 and default is 5.

Certificates

Enable Certificates to configure certificate options on Secure Client Connect.

Note:

This option is available only if you select the Certificate Based authentication method.

Expiry Warning

Enable this option to display the certificate expiry warning on the Secure Connect Client.

This option is enabled by default.

Note:

This option is available only if you enable Certificates.

Warning Interval

Enter the interval (days) at which the warning to be displayed.

Range is 1 through 90. Default value is 60.

Note:

This option is available only if you enable Certificates.

Pin Req Per Connection

Enable this option to enter the certificate pin on very connection.

This option is enabled by default.

Note:

This option is available only if you enable Certificates.

EAP-TLS

Enable this option for the authentication process. IKEv2 requires EAP for user authentication. SRX Series device cannot act as an EAP server. An external RADIUS server must be used for IKEv2 EAP to do the EAP authentication. SRX will act as a pass-through authenticator relaying EAP messages between the Juniper Secure Connect client and the RADIUS server.

This option is enabled by default.

Note:

This option is available only if you select the Certificate Based authentication method.

Windows Logon

Enable this option to provide users to securely log on to the Windows domain before logging on to the Windows system. The client supports domain logon using a credential service provider after establishing a VPN connection to the company network.

Domain Name

Enter the system domain name on to which the Users Machine logs.

Mode

Select one of the following options from the list to log on to Windows domain.

  • Manual—You must manually enter your logon data on the Windows logon screen.

  • Automatic—The client software transfers the data entered here to the Microsoft logon interface (Credential Provider) without your action.

Disconnect at Logoff

Enable this option to shut down the connection when the system switches to hibernation or standby mode. When the system resumes from hibernation or standby mode the connection has to be re-established.

Flush Credential at Logoff

Enable this option to delete username and password from the cache. You must reenter the username and password.

Lead Time Duration

Enter the lead time duration to initialize time between network logon and domain logon.

After the connection is set up, the Windows logon will only be executed after the initialization time set here has elapsed.

EAP Authentication

Enable this option to execute EAP authentication prior to the destination dialog in the credential provider. Then, system will ask for the necessary PIN, regardless of whether EAP will be required for subsequent dial-in.

If this option is disabled, then EAP authentication will be executed after the destination selection.

Auto Dialog Open

Enable this option to select whether a dialog should open automatically for connection establishment to a remote domain.

If this option is disabled, then the password and PIN for the client will only be queried after the Windows logon.

Table 3: Fields on the Local Gateway Page

Field

Action

Gateway is behind NAT

Enable this option when the local gateway is behind a NAT device.

NAT IP Address

Enter the public (NAT) IP address of the SRX Series device.

Note:

This option is available only when Gateway is behind NAT is enabled. You can configure an IPv4 address to reference the NAT device.

IKE ID

This field is mandatory. Enter the IKE ID in the format user@example.com.

External Interface

Select an outgoing interface from the list for which the client will connect to.

The list contains all available IP addresses if more than one IPv4 address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway.

Tunnel Interface

Select an interface from the list for the client to connect to.

Click Add to add a new interface. The Create Tunnel Interface page appears. For more information on creating a new tunnel interface, see Table 4.

Click Edit to edit the selected tunnel interface.

Pre-shared Key

Enter one of the following values of the preshared key:

  • ascii-text—ASCII text key.

  • hexadecimal—Hexadecimal key.

Note:

This option is available if the authentication method is Pre-shared Key.

Local certificate

Select a local certificate from the list.

Local certificate lists only the RSA certificates.

To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate.

Note:

This option is available if the authentication method is Certificated Based.

Trusted CA/Group

Select a trusted Certificate Authority/group profile from the list.

To add a CA profile, click Add CA Profile. For more information on adding a CA profile, see Add a Certificate Authority Profile.

Note:

This option is available if the authentication method is Certificated Based.

User Authentication

This field is mandatory. Select the authentication profile from the list that will be used to authenticate user accessing the remote access VPN.

Click Add to create a new Profile. For more information on creating a new access profile, see Add an Access Profile.

SSL VPN Profile

Select the SSL VPN Profile from the list that will be used to terminate the remote access connections.

To create a new SSL VPN profile:

  1. Click Add.

  2. Enter the following details:

    • Name—Enter the name for an SSL VPN profile.

    • Logging—Enable this option to log for SSL VPN.

    • SSL Termination Profile—Select an SSL termination profile from the list.

      To add a new SSL termination profile:

      1. Click Add.

        The Create SSL Termination Profile page appears.

      2. Enter the following details:

        • Name—Enter a name for the SSL termination profile.

        • Server Certificate—Select a server certificate from the list.

          To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

          To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate.

        • Click OK.

      3. Click OK.

  3. Click OK.

Source NAT Traffic

This option is enabled by default.

All traffic from the Juniper Secure Connect client is NATed to the selected interface by default.

If disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly.

Interface

Select an interface from the list through which the source NAT traffic pass through.

Protected Networks

Click +. The Create Protected Networks page appears.

Create Protected Networks

Zone

Select a security zone from the list that will be used as a source zone in the firewall policy.

Global Address

Select the addresses from the Available column and then click the right arrow to move it to the Selected column.

Click Add to select the networks the Client can connect to.

The Create Global Address page appears. For more information on the fields, see Table 5.

Edit

Select the protected network you want to edit and click on the pencil icon.

The Edit Protected Networks page appears with editable fields.

Delete

Select the protected network you want to edit and click on the delete icon.

The confirmation message pops up.

Click Yes to delete the protected network.

Table 4: Fields on the Create Tunnel Interface Page

Field

Action

Interface Unit

Enter the logical unit number.

Description

Enter a description for the logical interface.

Zone

Select a zone from the list to add it to the tunnel interface.

This zone is used in the auto-creation of the firewall policy.

Routing Instance

Select a routing instance from the list.

Note:

The default routing instance, primary, refers to the main inet.0 routing table in the logical system.

Table 5: Fields on the Create Global Address Page

Field

Action

Name

Enter a name for the global address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

IP Type

Select IPv4.

IPv4

IPv4 Address

Enter a valid IPv4 address.

Subnet

Enter the subnet for IPv4 address.

Table 6: IKE and IPsec Settings

Field

Action

IKE Settings
Note:

The following parameters are generated automatically and are not displayed in the J-Web UI:

  • If the authentication method is Pre-Shared Key, the IKE version is v1, ike-user-type is shared-ike-id, and mode is Aggressive.

  • If the authentication method is Certificate Based, the IKE version is v2, ike-user-type is shared-ike-id, and mode is Main.

Encryption Algorithm

Select the appropriate encryption mechanism from the list.

Default value is AES-CBC 256-bit.

Authentication Algorithm

Select the authentication algorithm from the list. For example, SHA 256-bit.

DH group

A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19.

Lifetime Seconds

Select a lifetime duration (in seconds) of an IKE security association (SA).

Default value is 28,800 seconds. Range: 180 through 86,400 seconds.

Dead Peer Detection

Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer.

DPD Mode

Select one of the options from the list:

  • optimized—Send probes only when there is outgoing traffic and no incoming data traffic - RFC3706 (default mode).

  • probe-idle-tunnel—Send probes same as in optimized mode and also when there is no outgoing and incoming data traffic.

  • always-send—Send probes periodically regardless of incoming and outgoing data traffic.

DPD Interval

Select an interval (in seconds) to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds.

DPD Threshold

Select a number from 1 to 5 to set the failure DPD threshold.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times.

Advance Configuration (Optional)

NAT-T

Enable this option for IPsec traffic to pass through a NAT device.

NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series devices.

NAT Keep Alive

Select appropriate keepalive interval in seconds. Range: 1 to 300.

If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices.

IKE Connection Limit

Enter the number of concurrent connections that the VPN profile supports.

Range is 1 through 4294967295.

When the maximum number of connections is reached, no more remote access user (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations.

IKEv2 Fragmentation

This option is enabled by default. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated.

Note:

This option is available if the authentication method is Certificated Based.

IKEv2 Fragment Size

Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments.

The size applies to IPv4 message. Range: 570 to 1320 bytes.

Default value is 576 bytes.

Note:

This option is available if the authentication method is Certificated Based.

IPsec Settings
Note:

The authentication method is Pre-Shared Key or Certificate Based, it automatically generates protocol as ESP.

Encryption Algorithm

Select the encryption method. Default value is AES-GCM 256-bit.

Authentication Algorithm

Select the IPsec authentication algorithm from the list. For example, HMAC-SHA-256-128.

Note:

This option is available when the encryption algorithm is not gcm.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19.

PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time.

Note:

group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed.

Lifetime Seconds

Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds.

Lifetime Kilobytes

Select the lifetime (in kilobytes) of an IPsec SA. Default is 256kb. Range: 64 through 4294967294.

Advanced Configuration

Anti Replay

IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number.

This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers.

Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality.

Install Interval

Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10 seconds.

Idle Time

Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds.

DF Bit

Select how the device handles the Don't Fragment (DF) bit in the outer header:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Copy Outer DSCP

This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.