Zach Gibbs, Content Developer, Juniper Networks

Configuring Juniper Secure Connect: CLI

Learning Bytes Security
Zach Gibbs Headshot
Slide of network topology with a heading of “Configuring Juniper Secure Connect: CLI.” The left side shows a Remote Worker icon, an Internet cloud, a server icon, and a branch icon. Text says, “Remote Worker, Internet, Untrust Zone, vSRX-1, User Zone, Server Zone, Server-1, and Branch. Right side has a bullet list that says, “Criteria for example, User the CLI to configure Juniper Secure Connect, Use local authentication, Remote workers, Need to access Server-1, Should not be able to access devices in the Users zone.”

Juniper Learning Bytes: How to configure Secure Connect using Junos CLI

New to Juniper Secure Connect? Then you’ll want to check out this Learning Byte with Juniper’s Zach Gibbs to see firsthand how to configure it using the Junos CLI. This is part one. 

Show more

You’ll learn

  • Criteria for the setup, including local authentication and remote workers 

  • How to tell the SRX-1 device to use the certificate for web management 

  • Configure a net policy for VPN traffic coming from remote worker 

Who is this for?

Network Professionals Security Professionals


Zach Gibbs Headshot
Zach Gibbs
Content Developer, Juniper Networks



00:00 [Music]

00:11 hello

00:12 my name is zach gibbs and i'm a content

00:15 developer

00:15 with n education services inside juniper

00:19 networks

00:20 and today we will be going through the

00:22 configuring

00:23 juniper secure connect cli part one

00:26 learning byte

00:27 okay so here is our example and first

00:29 let's look at the

00:30 topology we have on the left and here we

00:33 have srx1

00:34 and srx1 it is the perimeter firewall

00:38 for our business and we have two zones

00:40 we have the users

00:41 zone and the servers zone and the user's

00:44 zone

00:44 is the zone that anybody who comes into

00:47 work into the office

00:49 that's going to be the zone they're in

00:51 and then we have the

00:52 servers zone which has a server probably

00:55 more than one server

00:56 but in our example we just have server

00:58 one and that is going to have services

01:01 that the workers need to use whether

01:03 they're in at the office or they're

01:05 working remotely

01:06 and so with that server one it has an ip

01:08 address of 10.60.100 and that's going to

01:11 be important

01:12 because what we want to do is we want to

01:14 set juniper secure connect up

01:16 to allow remote access for remote

01:18 workers we can see the remote worker

01:20 there at the top

01:21 and we need to allow remote access in to

01:24 the server one ip address

01:26 now with that we don't want the remote

01:28 worker to be able to access

01:30 hosts in the user zone and so we're

01:33 going to have to do some split tunneling

01:34 and so with this we're going to use the

01:36 cli to configure juniper secure connect

01:39 we're going to use

01:40 local authentication and then kind of

01:43 as we talked about beforehand we'll need

01:45 access to server one for the remote

01:47 workers

01:47 and they shouldn't be able to access

01:49 anything in the user's zone and one

01:51 thing i want to point out before we jump

01:53 to the cli

01:54 of srx1 is that this is a two-part

01:57 learning byte and so we'll go through

01:59 part of the configuration in this

02:01 learning byte

02:02 and then in the follow-up learning bytes

02:03 we'll go through a second configuration

02:06 all right so without further delay let's

02:07 go ahead and jump to srx1 and get this

02:10 started

02:12 all right so here is srx1 and to begin

02:15 we need to configure a local certificate

02:17 we're going to need to use this local

02:19 certificate for our remote worker to

02:21 connect into and they'll be able to use

02:23 that local certificate now you could

02:25 import a trusted cert

02:26 instead but yeah since we're a small

02:29 little mom and pop shop i guess you

02:31 could say in this example we're going to

02:32 do the free way of doing it

02:35 okay so first to begin we need to create

02:38 the key pairs

02:40 and generate key pairs size

02:43 i will go 248 for the size

02:47 type rsa and certificate id we're gonna

02:50 go with juniper

02:52 it'll be let's say one two three

02:55 and that'll take just a second and we're

02:57 done there

02:58 now we need to create the certificate

03:00 using those certificate keys

03:02 so we'll do request security pki local

03:05 certificate

03:06 generate self-signed certificate id

03:09 we'll say juniper lb-123 it's got to be

03:13 the name of that key pair

03:15 and then we'll specify a subject we're

03:16 just going to say dc equals

03:19 juniper cn equals edu

03:23 and then domain name

03:27 ip address now this is actually very

03:30 important that we add an ip address here

03:31 and this needs to be the ip address

03:33 of the external facing interface and i

03:35 didn't tell you that beforehand but the

03:37 ip address that is the external facing

03:39 ip address is

03:44 and that'll just take a second and we're

03:45 done there so we could do the

03:47 show security pki local certificate

03:51 all or just enter there we go

03:54 and we can see our new certificate here

03:56 and so great

03:57 that's exactly what we should see it's

03:59 good for five years before we have to do

04:01 this again so

04:02 and this will last a little while okay

04:04 next let's go ahead and jump into

04:05 configuration mode

04:06 and tell the srx1 device to use that

04:10 certificate

04:10 for web management it's going to be on

04:14 our system

04:15 services web management https

04:18 and then we're going to specify it as

04:20 the pki local certificate

04:22 and then the next thing we want to do is

04:24 we want to configure

04:26 a nat policy and this is not a net

04:28 policy for hosts coming

04:29 out of the trusted network the user zone

04:32 to the internet zone

04:34 this is going to be a policy that is

04:37 going to be applied

04:38 to the vpn traffic that's coming from

04:40 their remote worker

04:42 and the reason behind that well we could

04:43 actually set up a static route but the

04:45 remote

04:46 worker is going to be using a different

04:48 subnet than what we have in our network

04:50 and so the hosts aren't going to know

04:51 how to get to that they won't know that

04:53 they need to put that traffic

04:55 that is or the return traffic that is

04:56 safe for the server one device

04:59 it won't know that we need to put that

05:00 in the vpn tunnel for this to work

05:03 correctly

05:04 and so we could do a static route for

05:06 that traffic or the easy way to do it is

05:08 to create a

05:09 source nat rule that sourcenaps it to a

05:11 local interface

05:13 and so we're going to go to security net

05:16 source

05:17 ruleset we'll just call this ra lb

05:19 remote access learningbyte

05:21 and we're going to say fromzone it's

05:22 going to come in from the vpn zone

05:24 that's already configured

05:27 then we're going to say two zone servers

05:31 and then we need to create a rule called

05:33 ra lb

05:35 dash rule and we're saying match

05:38 source address just anything that'll

05:40 match it

05:41 because we're only going to have that

05:43 specific traffic coming

05:45 in through the vpn zone going to the

05:48 servers

05:48 zone and then we'll say set then

05:51 sourcenet interface so it'll

05:53 net the traffic to the interface

05:56 that is in the server zone

06:04 we actually have a couple different

06:05 interfaces there so which interface is

06:07 it going to use

06:10 i think it's gige002 yes that's the

06:12 interface that it will use to get

06:14 to the server one device since that

06:16 server one ip address is

06:19 and that other interface is actually my

06:20 mistake i put an interface in there that

06:22 i didn't mean to have in there so

06:24 please just ignore that okay so next

06:26 let's go ahead and configure the

06:27 security policies

06:33 we need to configure something from the

06:35 servers

06:36 zone to the vpn zone policy we'll just

06:39 call this

06:41 ri-lb-1 just kind of generic there

06:45 then we need to set some match criteria

06:49 or set any any any and then

06:53 set then permit actually i made a small

06:55 mistake there i do

06:56 want to make this a little more specific

07:00 and so we want to say source address

07:04 get rid of the match on any there

07:07 and we want to have this match on the

07:09 server one source address now that's an

07:11 address book entry that i created

07:12 earlier

07:13 and so that's just going to match on

07:14 that server one address so it's coming

07:16 from server one

07:18 from the server zone going to the vpn

07:20 zone then allow the traffic

07:22 and this will allow the server to

07:25 initiate traffic

07:26 to the remote worker

07:31 we're going to say from zone vpn so this

07:34 is going to be the remote worker going

07:35 to the server

07:36 zone

07:40 let's call this rlb2 for the policy

07:44 we're gonna say the source address of

07:46 any now we could actually specify the

07:48 network that we're using for the pool

07:50 but that's not necessary in this regards

07:52 destination address server one

07:56 and then application any

08:02 then we'll permit that and then next

08:05 we need to configure the security zones

08:08 with some host inbound traffic

08:12 so we need to configure the untrust zone

08:15 which is the zone pointed towards the

08:17 internet

08:18 system services we need to have ike and

08:22 then

08:22 tcp encapsulation and then https

08:26 and then you can see that we have that

08:28 configuration everything looks good

08:30 there

08:31 and then we need to set the

08:34 vpn zone to use the st0

08:38 interface and we don't need to enable

08:41 any sort of inbound traffic host inbound

08:43 traffic on that

08:44 interface or that zone and the next we

08:46 need to go to the access hierarchy

08:49 and we need to configure an address

08:51 assignment pool

08:52 and this is the pool we're going to use

08:53 to hand out ip addresses

08:55 for users using that tunnel so remote

08:57 workers using that tunnel

08:59 just call this ra pull dash lb

09:03 just have to specify pool first

09:08 and set family inet specify a network

09:16 you want to specify a range of what

09:18 we're going to use in that network for

09:19 the pool

09:23 and we're going to say a low range of

09:27 and a high range of

09:30 and then we'll say family i

09:32 net we need to set one more thing the x

09:34 auth attributes we need to set a primary

09:36 dns

09:38 we're just going to use google dns and

09:40 next we need to

09:41 create a profile that we'll be using now

09:43 this is where we're going to house the

09:45 usernames and passwords

09:47 remember we're using local

09:48 authentication this is great if you

09:50 don't have some sort of radius server or

09:52 some other sort of authentication that

09:54 happens off the box so this would be a

09:56 small mom-and-pop shop

09:57 maybe a few dozen workers or whatnot you

09:59 really wouldn't want to use this

10:01 solution

10:01 if you had hundreds of workers

10:09 i'll say client so this is the username

10:11 say lab that's our

10:13 username we always use in ed services

10:15 i'm gonna say firewall user

10:17 we're going to specify a password and

10:19 then we need to

10:20 specify the address assignment pool that

10:22 was ra-pull

10:25 lb and then we need to

10:28 set the firewall authentication web

10:30 authentication we need to set the

10:32 default profile to what we just

10:33 configured there

10:37 and oh i did forget one thing real quick

10:39 we need to configure the sd0 interface

10:42 easy to forget part of this

10:43 configuration just family inet no i p

10:46 address let's go ahead and commit that

10:47 again

10:48 and commit and quit

10:52 okay so with this we have the topology

10:55 you see here and srx1 is connected to

10:58 the internet we have the users

11:00 zone and the servers zone and

11:03 recall what we want to do is have the

11:05 remote worker have

11:06 access to server one using juniper

11:09 secure connect and we're using the cli

11:11 to configure this

11:12 and in the previous learning byte we set

11:15 up

11:16 the local certificate we then configured

11:19 source nat for the vpn traffic coming

11:22 into server one

11:23 and then we configured the security

11:25 policies as well as the security zones

11:28 the sd0 interface and then the access

11:31 profile which

11:32 contains our users and user names and

11:34 also the

11:35 ip information that we will be assigning

11:38 to those remote workers

11:39 as they access the vpn so with that

11:42 let's go ahead and jump back to

11:44 srx1 and get this going

11:47 all right so here is srx1 and we first

11:50 need to jump into configuration mode

11:53 and then go to services and configure

11:54 the ssl termination profile

11:59 and we're going to configure i will call

12:02 this

12:02 srs term lb and then we have to

12:05 reference the server certificate

12:07 that we created in the last learning

12:09 byte

12:10 and then we need to

12:14 configure the tcp encapsulation to use

12:17 that ssl termination profile

12:20 and we'll call this profile ssl dash

12:23 pro lb and we'll specify the ssl profile

12:28 and then next we need to jump into

12:31 the ike configuration and configure what

12:34 we need to do here

12:34 now when we do this we can configure a

12:37 proposal and then reference that

12:39 proposal in a policy but we don't need

12:41 to do that and for the sake of time

12:43 i'm just going to use a proposal set

12:45 inside a

12:46 policy and so we'll go policy

12:49 r a lv and we'll say mode

12:52 we need to set this to aggressive mode

12:55 set proposal

12:57 set we can use the compatible and

12:59 standard

13:00 those two work fine we cannot use the

13:02 basic and the prime 128

13:04 prime 256 and suite b gcm 128 and suite

13:08 b gcm 256

13:10 will not work with this type of vpn so

13:12 let's go ahead and use the

13:14 standard proposal set and then we need

13:17 to set a pre-shared key

13:18 so say ascii text specify lab123

13:22 and then we need to configure the

13:23 gateway

13:29 then we can specify the ike policy that

13:32 we just created

13:34 and then we have to say dynamic user at

13:37 host name

13:38 say lab at

13:42 then also under dynamic we need to set

13:44 the ike

13:45 user type we have to set the shared ike

13:48 id

13:50 and then let's go ahead and set some

13:51 dead peer detection this is not

13:53 strictly needed but it's good to have

13:56 say optimized

13:57 interval 10 threshold 5.

14:01 we'll set the external interface and

14:02 this is going to be gigi001

14:06 set the local address

14:10 now you might remember in the last

14:12 learning byte when we configured

14:14 the certificate we had to set an ip

14:17 address of

14:20 and that needs to match with what we're

14:21 doing here that's very important

14:24 then for aaa authentication we're going

14:25 to set the access profile that we

14:27 configured

14:28 and then we're gonna say version one

14:31 only

14:33 and then we're gonna specify that tcp

14:34 encapsulation profile

14:37 and then we need to configure ipsec

14:41 and just like with ike we could specify

14:44 our

14:44 our own proposal but we don't need to do

14:46 that and for the sake of time we'll just

14:48 specify a proposal set and so

14:51 edit policy we'll configure the policy

14:54 called relb

14:56 ipsec and then we need to configure the

14:59 vpn

15:00 i mean the say perfect forward secrecy

15:08 group 19 for the keys and we'll set the

15:11 proposal

15:12 set to use as standard

15:18 and then we create the vpn or the vpn

15:21 parameters set the byte interface to st0

15:25 set the df fit to clear

15:29 and that's not necessary but it is

15:31 helpful so it's recommended

15:33 and then we can set the

15:36 ike gateway as well as the ipsec

15:40 policy and then we need to set a traffic

15:43 selector we'll have a traffic selector

15:45 local ip we need to call it something

15:48 first we'll say ts1

15:50 localip

15:54 and remote ip

15:57 uh 0.0.0 and this will

16:00 only allow traffic that is destined and

16:03 coming from

16:04 the server to go through this tunnel and

16:07 then we need to configure the remote

16:08 access information

16:14 first we configure the client config

16:18 and connection mode we'll set that to

16:20 manual dead pair detection

16:23 interval 60 threshold 5

16:26 and then we set the remote access

16:28 profile

16:29 and we're going to call this ra-lv-123

16:33 and we're going to say the ipsec vpn

16:34 we're going to be using

16:37 and then the access profile that we

16:40 configured earlier

16:42 and then the client configuration

16:47 and then we have to set the default

16:49 profile

16:50 and that's that profile we just

16:52 configured and actually i just realized

16:55 i made a mistake with the configuration

16:56 in this

16:57 friendly configuration warning lets us

16:59 know that yeah i made that mistake so

17:01 what we need to do is we need to adjust

17:04 the ike proposal and it actually needs

17:07 to be a custom proposal not a proposal

17:08 set

17:09 and so what we need to do is jump up to

17:13 security ike proposal and we're going to

17:16 call this re-lv

17:18 dash ike pro

17:21 and then we need to set the

17:22 authentication method

17:25 to pre-shared keys the dh group to group

17:27 19

17:29 and then the authentication

17:32 algorithm to say

17:36 sha256 encryption algorithm to aes

17:41 256 cbc

17:44 and then uh we can set a lifetime this

17:47 is not totally necessary but it's

17:49 good practice and then uh go up one

17:52 go to the policy ralb for the policy

17:55 name

17:56 and then we're gonna delete those

17:57 proposals set that we're using

18:00 and then set the proposal that we just

18:02 configured

18:05 and then let's commit that configuration

18:06 jump out to operational mode

18:08 and now let's go ahead and jump to the

18:11 remote worker device and see how this

18:14 works

18:15 all right so here is our remote worker

18:18 device

18:18 and to begin let's see if we can

18:20 actually reach that server without first

18:23 logging into the vpn

18:28 and looks like it's not going to work

18:30 and that's okay that's what we want we

18:32 don't want

18:32 anyone on the internet to be able to

18:34 access our local server right

18:36 so let's go ahead and kill that ping and

18:38 then we'll go ahead and start up the vpn

18:42 you can see here on your connection

18:43 profile i've done this before so we're

18:45 going to create a new connection though

18:48 and normally you'd have to fill out this

18:49 gateway address but since i've done this

18:51 before on this device it's already

18:53 pre-populated but

18:54 normally we need to type all that out

18:57 and notice how this is the external ip

18:59 address

19:00 of that interface that we configured and

19:02 so let's go ahead and do this and click

19:04 the connection button

19:05 and we're asked to sign in

19:08 and see here we are presented with a

19:10 security certificate warning

19:12 and that's because our local certificate

19:14 that we configured is not a

19:16 trusted certificate but we know we

19:18 configured it so we can trust it so

19:20 we'll accept this

19:26 you can see it's attempting to connect

19:27 tunnel is set up

19:30 and now it is established let's go ahead

19:33 and pull that back out

19:36 we can see here that this looks good we

19:38 can see that we're online nothing's

19:40 being transmitted yet

19:41 and that's okay because we haven't sent

19:43 anything so let's go ahead and pull up

19:45 this command window and attempt to ping

19:47 the server

19:48 and that looks a lot better we can

19:50 actually reach the server so

19:52 great so let's look at the client

19:55 and we can see that we have some

19:56 transmitted bytes and some received

19:58 bytes and that's exactly what we want to

19:59 see and and those aren't bytes not

20:01 packets so it's the cumulative

20:03 bytes that were sent and received and

20:04 that's perfect and one other quick thing

20:06 is i want to show you if i disconnect

20:10 then reconnect we have to first enter

20:13 our

20:14 credentials and then we don't have to

20:17 accept that certificate since it's

20:19 already been

20:20 accepted so we're good there and one

20:22 last quick thing let's jump back to

20:24 vsrx1 and look

20:26 at a few verification commands

20:29 so here let's go ahead and show the

20:31 security ike security associations

20:34 and we can see here that we do have one

20:37 client connecting and we can see that

20:38 the remote address is so

20:42 that's the actual ip address

20:43 that the remote client is connecting

20:45 from and then we can show the

20:47 show security ipsec security

20:49 associations and we'll see

20:50 similar type of output but we can see

20:53 the ike

20:54 and ipsec security associations are up

20:57 and functioning

20:58 and then one last quick thing you can

21:00 look at the ipsec statistics

21:02 and we can see that some packets were

21:04 sent and received and

21:05 everything looks good things are working

21:07 as expected

21:09 so that brings us to the end of this

21:11 learning byte and in this learning byte

21:13 we talked about how to configure and

21:15 verify

21:16 juniper secure connect using the junos

21:18 cli

21:19 so as always thanks for watching visit

21:22 the juniper education services website

21:25 to learn more about courses view our

21:28 full range of classroom

21:30 online and e-learning courses

21:33 learning paths industry segment and

21:35 technology specific

21:37 training paths juniper networks

21:40 certification program

21:41 the ultimate demonstration of your

21:43 confidence and

21:45 the training community from forums to

21:47 social media

21:48 join the discussion

Show more