Create a Remote Access VPN—NCP Exclusive Client
The NCP Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is only available with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links from any location when connected with SRX Series Gateways.
To create a remote access VPN for Juniper Secure Connect:
Table 1: Create Remote Access VPN Fields

| Field | Action |
|---|---|
| Name | Enter a name for the remote access connection. This name is displayed as the end user's connection name in the NCP Exclusive Client. |
| Description | Enter a description. This description is used for the IKE and IPsec proposals, policies, remote access profile, client configuration, and NAT rule set. When you edit the VPN, the IPsec policy description is displayed, and the IPsec policy and remote access profile descriptions are updated. |
| Routing Mode | This option is disabled for remote access. The default mode is Traffic Selector (Auto Route Insertion). |
| Authentication Method | Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages: |
| Auto-create Firewall Policy | If you select Yes, a firewall policy is automatically created between the internal zone and the tunnel interface zone, with the local protected networks as the source address and the remote protected networks as the destination address; a second firewall policy is created in the reverse direction. If you select No, no firewall policy option is offered, and you must manually create the firewall policy required for this VPN to work. Note: If you do not auto-create a firewall policy in the VPN workflow, the protected network is hidden for dynamic routing on both the local and the remote gateway. |
| Remote User | Displays the remote user icon in the topology. This option is disabled. |
| Local Gateway | Displays the local gateway icon in the topology. Click the icon to configure the local gateway. For more information on the fields, see Table 2. |
| IKE and IPsec Settings | Configure custom IKE and IPsec proposals with the recommended algorithms or values. For more information on the fields, see Table 5. Note: |
|
Table 2: Local Gateway Fields

| Field | Action |
|---|---|
| Gateway is behind NAT | Enable this option when the local gateway is behind a NAT device. |
| NAT IP Address | Enter the public (NAT) IP address of the SRX Series Firewall. Note: This option is available only when Gateway is behind NAT is enabled. You can configure an IPv4 address to reference the NAT device. |
| IKE ID | This field is mandatory. Enter the IKE ID in the format user@example.com. |
| External Interface | Select the outgoing interface to which the client will connect. If more than one IPv4 address is configured on the specified interface, the list contains all of the available IP addresses. The selected IP address is configured as the local address under the IKE gateway. |
| Tunnel Interface | Select an interface from the list for the client to connect to. Click Add to add a new interface; the Create Tunnel Interface page appears. For more information on creating a new tunnel interface, see Table 3. Click Edit to edit the selected tunnel interface. |
| Pre-shared Key | Enter one of the following values of the preshared key: Note: This option is available if the authentication method is Pre-shared Key. |
| Local certificate | Select a local certificate from the list. Local certificate lists only the RSA certificates. To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate. To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate. Note: This option is available if the authentication method is Certificate Based. |
| Trusted CA/Group | Select a trusted certificate authority (CA) or group profile from the list. To add a CA profile, click Add CA Profile. For more information on adding a CA profile, see Add a Certificate Authority Profile. Note: This option is available if the authentication method is Certificate Based. |
| User Authentication | This field is mandatory. Select the authentication profile from the list that will be used to authenticate users accessing the remote access VPN. Click Add to create a new profile. For more information on creating a new access profile, see Add an Access Profile. |
| SSL VPN Profile | Select the SSL VPN profile from the list that will be used to terminate the remote access connections. To create a new SSL VPN profile: |
| Source NAT Traffic | This option is enabled by default. All traffic from the Juniper Secure Connect client is NATed to the selected interface by default. If you disable it, you must ensure that your network has a route pointing to the SRX Series Firewall so that return traffic is handled correctly. |
| Interface | Select the interface from the list through which the source NAT traffic passes. |
| Protected Networks | Click +. The Create Protected Networks page appears. |
| Create Protected Networks | |
| Zone | Select a security zone from the list that will be used as the source zone in the firewall policy. |
| Global Address | Select the addresses in the Available column and click the right arrow to move them to the Selected column. Click Add to select the networks the client can connect to; the Create Global Address page appears. For more information on the fields, see Table 4. |
| Edit | Select the protected network you want to edit and click the pencil icon. The Edit Protected Networks page appears with editable fields. |
| Delete | Select the protected network you want to delete and click the delete icon. A confirmation message pops up. Click Yes to delete the protected network. |
Table 3: Create Tunnel Interface Fields

| Field | Action |
|---|---|
| Interface Unit | Enter the logical unit number. |
| Description | Enter a description for the logical interface. |
| Zone | Select a zone from the list to add it to the tunnel interface. This zone is used in the auto-creation of the firewall policy. Click Add to add a new zone, then enter the zone name and description and click OK on the Create Security Zone page. |
| Routing Instance | Select a routing instance from the list. Note: The default routing instance, primary, refers to the main inet.0 routing table in the logical system. |
Table 4: Create Global Address Fields

| Field | Action |
|---|---|
| Name | Enter a name for the global address. The name must be a unique string that begins with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces are allowed; 63-character maximum. |
| IP Type | Select IPv4. |
| IPv4 | |
| IPv4 Address | Enter a valid IPv4 address. |
| Subnet | Enter the subnet for the IPv4 address. |
Table 5: IKE and IPsec Settings

| Field | Action |
|---|---|
| IKE Settings | Note: The following parameters are generated automatically and are not displayed in the J-Web UI: |
| Encryption Algorithm | Select the appropriate encryption mechanism from the list. The default value is AES-CBC 256-bit. |
| Authentication Algorithm | Select the authentication algorithm from the list, for example SHA 256-bit. Note: Starting in Junos OS Release 23.4R1, J-Web supports the SHA 512-bit authentication algorithm on devices with the junos-ike package installed. |
| DH group | A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. The default value is group19. Note: Starting in Junos OS Release 23.4R1, J-Web supports DH groups 15, 16, and 21 on devices with the junos-ike package installed. |
| Lifetime Seconds | Select the lifetime (in seconds) of an IKE security association (SA). The default value is 28,800 seconds. Range: 180 through 86,400 seconds. |
| Dead Peer Detection | Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer. |
| DPD Mode | Select one of the options from the list: |
| DPD Interval | Select the interval (in seconds) at which dead peer detection messages are sent. The default interval is 10 seconds. Range: 2 through 60 seconds. |
| DPD Threshold | Select a number from 1 to 5 as the DPD failure threshold. This is the maximum number of times DPD messages are sent when there is no response from the peer. The default is 5 transmissions. |
| Advanced Configuration (Optional) | |
| NAT-T | Enable this option to let IPsec traffic pass through a NAT device. NAT-T is negotiated in IKE phase 1 and is used when establishing a VPN connection between two gateway devices where a NAT device sits in front of one of the SRX Series Firewalls. |
| NAT Keep Alive | Select an appropriate keepalive interval in seconds. Range: 1 through 300. If the VPN is expected to have long periods of inactivity, you can configure keepalive values to generate artificial traffic that keeps the session active on the NAT devices. |
| IKE Connection Limit | Enter the number of concurrent connections that the VPN profile supports. Range: 1 through 4294967295. When the maximum number of connections is reached, no further remote access user (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations. |
| IKEv2 Fragmentation | This option is enabled by default. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so each fragment is separately encrypted and authenticated. Note: This option is available if the authentication method is Certificate Based. |
| IKEv2 Fragment Size | Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to IPv4 messages. Range: 570 through 1320 bytes. The default value is 576 bytes. Note: This option is available if the authentication method is Certificate Based. |
| IPsec Settings | |
| Encryption Algorithm | Select the encryption method. The default value is AES-GCM 256-bit. |
| Authentication Algorithm | Select the IPsec authentication algorithm from the list, for example HMAC-SHA-256-128. Note: This option is available only when the encryption algorithm is not a GCM algorithm. Note: Starting in Junos OS Release 23.4R1, J-Web supports the HMAC-SHA 384 and HMAC-SHA 512 authentication algorithms on devices with the junos-ike package installed. |
| Perfect Forward Secrecy | Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. The default value is group19. PFS generates each new encryption key independently from the previous key. Higher-numbered groups provide more security but require more processing time. Note: group15, group16, and group21 are supported only on the SRX5000 line of devices with an SPC3 card and the junos-ike package installed. Note: Starting in Junos OS Release 23.4R1, J-Web supports group 15, group 16, and group 21 for PFS on devices with the junos-ike package installed. |
| Lifetime Seconds | Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. The default is 3,600 seconds. Range: 180 through 86,400 seconds. |
| Lifetime Kilobytes | Select the lifetime (in kilobytes) of an IPsec SA. The default is 256 KB. Range: 64 through 4294967294. |
| Advanced Configuration | |
| Anti Replay | IPsec protects against replay attacks by using a sequence number built into the IPsec packet; the system does not accept a packet whose sequence number it has already seen. This option is enabled by default. Anti-Replay checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers. Disable Anti-Replay if an error in the IPsec mechanism results in out-of-order packets and prevents proper functionality. |
| Install Interval | Select the maximum number of seconds allowed for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10. |
| Idle Time | Select the idle time interval. Sessions and their corresponding translations time out after a period in which no traffic is received. Range: 60 through 999999 seconds. |
| DF Bit | Select how the device handles the Don't Fragment (DF) bit in the outer header: |
| Copy Outer DSCP | This option is enabled by default. It copies the Differentiated Services Code Point (outer DSCP+ECN) from the outer IP header of the encrypted packet to the inner IP header of the plain-text message on the decryption path, so that after IPsec decryption the clear-text packets follow the inner CoS (DSCP+ECN) rules. |
| ICMP big packet warning | Use this option to enable or disable sending ICMP packet too big notifications for IPv6 packets. Note: This option is available only on devices with the junos-ike package installed. |
| ESN | Enable this to allow IPsec to use 64-bit sequence numbers. If ESN is not enabled, 32-bit sequence numbers are used by default. Ensure ESN is not enabled when anti-replay is disabled. Note: This option is available only on devices with the junos-ike package installed. |
| Tunnel MTU | Enter the maximum transmit packet size for IPsec tunnels. Range: 256 through 9192. Note: This option is available only on devices with the junos-ike package installed. |
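The value ranges, option dependencies (NAT IP only behind NAT, no separate IPsec authentication algorithm with GCM, ESN only with anti-replay, the junos-ike-only DH/PFS groups) and the global address naming rule from Tables 2, 4 and 5 above, gathered into a small pre-deployment lint as an added example. This is not Juniper or NCP code; the dictionary keys are this example's own names, not J-Web field identifiers.

```python
import re
from typing import Any, Dict, List

# Numeric ranges transcribed from Table 2 and Table 5 (keys are this example's own).
RANGES = {
    "ike_lifetime_s": (180, 86400),
    "dpd_interval_s": (2, 60),
    "dpd_threshold": (1, 5),
    "nat_keepalive_s": (1, 300),
    "ike_connection_limit": (1, 4294967295),
    "ikev2_fragment_size": (570, 1320),
    "ipsec_lifetime_s": (180, 86400),
    "ipsec_lifetime_kb": (64, 4294967294),
    "install_interval_s": (1, 10),
    "idle_time_s": (60, 999999),
    "tunnel_mtu": (256, 9192),
}
# DH/PFS groups that Table 5 ties to the junos-ike package.
JUNOS_IKE_ONLY_GROUPS = {"group15", "group16", "group21"}
# Table 4 naming rule: alphanumeric first character, then alphanumerics, colons,
# periods, dashes and underscores; 63 characters maximum.
ADDRESS_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9:._-]{0,62}")


def valid_address_name(name: str) -> bool:
    return ADDRESS_NAME.fullmatch(name) is not None


def lint_vpn(cfg: Dict[str, Any]) -> List[str]:
    """Return the constraint violations found in cfg; an empty list means clean."""
    errs: List[str] = []
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            errs.append(f"{key}={cfg[key]} is outside {lo}..{hi}")
    if not cfg.get("ike_id"):
        errs.append("ike_id is mandatory")
    if cfg.get("gateway_behind_nat") and not cfg.get("nat_ip"):
        errs.append("nat_ip is required when the gateway is behind NAT")
    # AES-GCM is an AEAD cipher, so J-Web offers no separate IPsec authentication algorithm.
    if "gcm" in cfg.get("ipsec_encryption", "").lower() and cfg.get("ipsec_auth"):
        errs.append("ipsec_auth does not apply with a GCM encryption algorithm")
    if cfg.get("esn") and not cfg.get("anti_replay", True):
        errs.append("ESN must not be enabled while anti-replay is disabled")
    if not cfg.get("junos_ike"):
        for k in ("ike_dh_group", "ipsec_pfs"):
            if cfg.get(k) in JUNOS_IKE_ONLY_GROUPS:
                errs.append(f"{k}={cfg[k]} requires the junos-ike package")
    for name in cfg.get("address_names", []):
        if not valid_address_name(name):
            errs.append(f"global address name {name!r} breaks the Table 4 naming rule")
    return errs
```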