Example: Configuring Dynamic VPN
This example shows how to configure a dynamic VPN on a Juniper Networks device to provide VPN access to remote clients.
Requirements
Before you begin:
- Configure network interfaces on the device. See Junos OS Interfaces Library for Security Devices.
- Create security zones and assign interfaces to them. See “Understanding Security Zones” on page 111.
- If there will be more than two simultaneous user connections, install a Dynamic VPN license in the device. See Installation and Upgrade Guide for Security Devices.
- Read Dynamic VPN Configuration Overview.
Overview
A common deployment scenario for dynamic VPN is to provide VPN access to remote clients that are connected through a public network such as the Internet. A public IP address is assigned to one of the gateway’s interfaces; this interface is normally part of the untrust zone. After the client software is installed, the remote user can access the VPN by either logging in to a Web portal or by launching the client directly. In either case, the remote client authenticates with the SRX Series device and downloads the latest configuration available.
Figure 1 illustrates this deployment topology. The ge-0/0/15.0 interface on the SRX Series device is the termination point for the dynamic VPN tunnel. Remote clients in the untrust zone access the ge-0/0/15.0 interface through an HTTP or HTTPS connection.
Figure 1: Dynamic VPN Deployment Topology

In this example, XAuth client authentication is performed locally and client IP addresses are assigned from an address pool configured on the SRX Series device. See Table 1.
Standard proposal sets are used for both IKE and IPsec negotiations. For dynamic VPN tunnels, aggressive mode must be configured and only preshared keys are supported for Phase 1 authentication. A group IKE ID is used and the maximum number of connections is set to 10. Note that with a group IKE ID every remote client presents the same preshared key, and in aggressive mode the Phase 1 authentication hash is exchanged before encryption is established, so the key must be long and random; the per-user credential is the XAuth password, not the preshared key. Because dynamic VPNs must be policy-based VPNs, a security policy must be configured to forward traffic to the tunnel. IKE and HTTPS traffic must be allowed as host inbound traffic on the external interface. See Table 2.
Finally, the XAuth profile configured for remote clients is specified for the dynamic VPN. Remote users are associated with the configured IPsec VPN. Also configured are remote protected resources (the destination addresses of traffic that is always sent through the tunnel) and remote exceptions (the destination addresses of traffic that is sent in cleartext instead of through the tunnel). In this example the protected resource is 10.0.0.0/8 and the exception is 0.0.0.0/0, so only traffic to 10.0.0.0/8 is tunneled and everything else leaves the client in cleartext (split tunneling). See Table 3.
Table 1: Remote Client Authentication and Address Assignment Configuration
Feature | Name | Configuration Parameters |
---|---|---|
IP address pool | dyn-vpn-address-pool | Address range: 10.10.10.0/24; XAuth attribute primary DNS server: 4.2.2.2/32 |
XAuth profile | dyn-vpn-access-profile | Clients: client1 and client2, each with a firewall-user password; address assignment from pool dyn-vpn-address-pool; used as the default profile for Web authentication |
Table 2: VPN Tunnel Configuration Parameters
Feature | Name | Configuration Parameters |
---|---|---|
IKE policy (Phase 1) | ike-dyn-vpn-policy | Mode: aggressive; proposal set: standard; preshared key (ASCII text) |
IKE gateway (Phase 1) | dyn-vpn-local-gw | IKE policy: ike-dyn-vpn-policy; dynamic hostname: dynvpn; IKE user type: group IKE ID; connections limit: 10; external interface: ge-0/0/15.0; XAuth access profile: dyn-vpn-access-profile |
IPsec policy (Phase 2) | ipsec-dyn-vpn-policy | Proposal set: standard |
IPsec VPN (Phase 2) | dyn-vpn | IKE gateway: dyn-vpn-local-gw; IPsec policy: ipsec-dyn-vpn-policy |
Security policy (permits traffic from the untrust zone to the trust zone) | dyn-vpn-policy | Match: source address any, destination address any, application any; action: permit, tunnel through IPsec VPN dyn-vpn |
Host inbound traffic | ge-0/0/15.0 interface in the untrust zone | Allow the following system services: IKE, HTTPS, ping |
Table 3: Dynamic VPN Configuration for Remote Clients
Feature | Name | Configuration Parameters |
---|---|---|
Access profile for remote clients | dyn-vpn-access-profile | Access profile reference used for XAuth authentication and address assignment |
Remote clients | all | IPsec VPN: dyn-vpn; users: client1 and client2; remote protected resources: 10.0.0.0/8; remote exceptions: 0.0.0.0/0 |
Configuration
- Configuring the Remote User Authentication and Address Assignment
- Configuring the VPN Tunnel
- Associating the Dynamic VPN with Remote Clients
Configuring the Remote User Authentication and Address Assignment
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure remote user authentication and address assignment:
- Create the address assignment pool.
  ```
  [edit access address-assignment]
  user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
  user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
  ```
- Configure the XAuth profile.
  ```
  [edit access]
  user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
  user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
  user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
  ```
- Configure Web authentication using the XAuth profile.
  ```
  [edit access firewall-authentication]
  user@host# set web-authentication default-profile dyn-vpn-access-profile
  ```
Results
From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Configuring the VPN Tunnel
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure the VPN tunnel:
- Configure the IKE policy.
  ```
  [edit security ike]
  user@host# set policy ike-dyn-vpn-policy mode aggressive
  user@host# set policy ike-dyn-vpn-policy proposal-set standard
  user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
  ```
- Configure the IKE gateway.
  ```
  [edit security ike]
  user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
  user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
  user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
  user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
  user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
  user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
  ```
- Configure IPsec.
  ```
  [edit security ipsec]
  user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
  user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
  user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
  ```
- Configure the security policy. The any/any/any match is a convenience for this example; in production, restrict source-address to the address pool and destination-address to the protected resources so that a connected client reaches only what it needs.
  ```
  [edit security policies from-zone untrust to-zone trust]
  user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
  user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
  ```
- Configure host inbound traffic. IKE and HTTPS are the services the remote clients require; ping is optional and can be omitted to reduce the exposure of the untrust interface.
  ```
  [edit security zones security-zone untrust interfaces ge-0/0/15.0]
  user@host# set host-inbound-traffic system-services ike
  user@host# set host-inbound-traffic system-services https
  user@host# set host-inbound-traffic system-services ping
  ```
Results
From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Associating the Dynamic VPN with Remote Clients
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To associate the dynamic VPN with remote clients:
- Specify the access profile to use with dynamic VPN.
  ```
  [edit security dynamic-vpn]
  user@host# set access-profile dyn-vpn-access-profile
  ```
- Configure the clients who can use the dynamic VPN. With 10.0.0.0/8 as the protected resource and 0.0.0.0/0 as the exception, only traffic to 10.0.0.0/8 enters the tunnel; all other client traffic is sent in cleartext (split tunneling).
  ```
  [edit security dynamic-vpn]
  user@host# set clients all ipsec-vpn dyn-vpn
  user@host# set clients all user client1
  user@host# set clients all user client2
  user@host# set clients all remote-protected-resources 10.0.0.0/8
  user@host# set clients all remote-exceptions 0.0.0.0/0
  ```
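The three procedures above together form one configuration, and the points a reviewer would raise before committing it (the forced aggressive-mode preshared key, the shared group IKE ID, the licence implied by a connections limit above two, the any/any/any tunnel policy, the extra host inbound service and the split tunnel) can all be read off the set statements. The following audit script is an added example written for this page, not Juniper code. It re-types the page's set commands with full hierarchy paths as constructed input; the finding codes, the severities and the 16-character preshared-key threshold are this example's own assumptions, not Junos rules.

```python
"""Audit a Junos SRX dynamic VPN configuration supplied as 'set' statements.

Added example for this page (not Juniper code). Finding codes, severities
and PSK_MIN_LEN are assumptions made for the example, not Junos rules.
"""
import shlex

PSK_MIN_LEN = 16            # assumption: shorter keys are treated as guessable
UNLICENSED_CONNECTIONS = 2  # from Requirements: more than two needs a license

# Constructed input: the page's commands, as pasted at the [edit] hierarchy.
EXAMPLE_CONFIG = """
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
"""


def parse_set_config(text):
    """Return each 'set ...' line as a token list with quotes stripped."""
    return [shlex.split(ln.strip())[1:] for ln in text.splitlines()
            if ln.strip().startswith("set ")]


def after(stmts, *prefix):
    """Tokens that follow `prefix` in every statement that starts with it."""
    n = len(prefix)
    return [s[n:] for s in stmts if tuple(s[:n]) == prefix]


def audit_dynamic_vpn(text):
    """Return findings as (severity, code, detail) tuples."""
    stmts, found = parse_set_config(text), []

    # Phase 1: dynamic VPN forces aggressive mode with a preshared key whose
    # hash is exchanged before encryption, so the key itself must be strong.
    for r in after(stmts, "security", "ike", "policy"):
        if r[1:3] == ["mode", "aggressive"]:
            found.append(("info", "AGGRESSIVE_MODE", f"IKE policy {r[0]}"))
        elif r[1:3] == ["pre-shared-key", "ascii-text"] and len(r[3]) < PSK_MIN_LEN:
            found.append(("high", "WEAK_PSK", f"IKE policy {r[0]}: {len(r[3])}-character key"))

    # Gateway: a group IKE ID means one key for every client (XAuth is the only
    # per-user credential); a limit above two needs the Dynamic VPN license.
    ext_if = {}
    for r in after(stmts, "security", "ike", "gateway"):
        if r[1:] == ["dynamic", "ike-user-type", "group-ike-id"]:
            found.append(("info", "GROUP_IKE_ID", f"gateway {r[0]}: all clients share the PSK"))
        elif r[1:3] == ["dynamic", "connections-limit"] and int(r[3]) > UNLICENSED_CONNECTIONS:
            found.append(("info", "LICENSE_REQUIRED", f"gateway {r[0]}: limit {r[3]}"))
        elif r[1:2] == ["external-interface"]:
            ext_if[r[0]] = r[2]

    # Host inbound traffic: IKE and HTTPS must reach the external interface;
    # anything else accepted there is extra attack surface.
    services = {}
    for r in after(stmts, "security", "zones", "security-zone"):
        if len(r) > 5 and r[1] == "interfaces" and r[3:5] == ["host-inbound-traffic", "system-services"]:
            services.setdefault(r[2], set()).add(r[5])
    for gw, ifname in ext_if.items():
        allowed = services.get(ifname, set())
        missing, extra = {"ike", "https"} - allowed, allowed - {"ike", "https"}
        if missing:
            found.append(("high", "MISSING_HOST_INBOUND", f"{ifname} ({gw}): {sorted(missing)}"))
        if extra:
            found.append(("low", "EXTRA_HOST_INBOUND", f"{ifname} ({gw}): {sorted(extra)}"))

    # Tunnel policy: any/any/any lets every flow arriving over the tunnel into
    # the trust zone; narrow it to the pool and the protected resources.
    match, tunnel = {}, set()
    for r in after(stmts, "security", "policies", "from-zone"):
        if len(r) < 6:
            continue
        key = (r[0], r[2], r[4])                     # from-zone, to-zone, policy
        if r[5] == "match":
            match.setdefault(key, {}).update(zip(r[6::2], r[7::2]))
        elif r[5:9] == ["then", "permit", "tunnel", "ipsec-vpn"]:
            tunnel.add(key)
    for key in tunnel:
        m = match.get(key, {})
        if all(m.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            found.append(("medium", "BROAD_TUNNEL_POLICY", f"policy {key[2]}"))

    # Split tunneling: a 0.0.0.0/0 exception sends everything outside the
    # protected prefixes from the client in cleartext.
    for r in after(stmts, "security", "dynamic-vpn", "clients"):
        if r[1:] == ["remote-exceptions", "0.0.0.0/0"]:
            found.append(("medium", "SPLIT_TUNNEL", f"clients {r[0]}"))
    return found


if __name__ == "__main__":
    for sev, code, detail in audit_dynamic_vpn(EXAMPLE_CONFIG):
        print(f"{sev:6} {code:22} {detail}")
```

Run against the page's configuration, the script reports the aggressive-mode and group-IKE-ID facts as informational, the placeholder preshared key as weak, the connections limit of 10 as requiring a licence, ping as an extra inbound service, the any/any/any policy as too broad and the 0.0.0.0/0 exception as a split tunnel. Replacing the key, dropping ping and narrowing the exception clears the corresponding findings, and removing the https service produces a MISSING_HOST_INBOUND finding, since the clients could no longer reach the Web portal.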
Results
From configuration mode, confirm your configuration by entering the show security dynamic-vpn command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:
- Verifying IKE Phase 1 Status
- Verifying Connected Clients and Assigned Addresses
- Verifying IPsec Phase 2 Status
- Verifying Concurrent Connections and Parameters for Each User
Verifying IKE Phase 1 Status
Purpose
Verify the IKE Phase 1 status of the security associations.
Action
From operational mode, enter the show security ike security-associations command.
```
user@host> show security ike security-associations
Index   Remote Address   State  Initiator cookie  Responder cookie  Mode
18      172.19.100.99    UP     37b45aa1469e488b  7d4454404002e2e6  Aggressive
```
Verifying Connected Clients and Assigned Addresses
Purpose
Verify which remote clients have authenticated through XAuth and the IP addresses assigned to them.
Action
From operational mode, enter the show security ike active-peer command.
```
user@host> show security ike active-peer
Remote Address   Port  Peer IKE-ID  XAUTH username  Assigned IP
172.19.100.99    500   testdynvpn   test            10.10.10.2
```
Verifying IPsec Phase 2 Status
Purpose
Verify the IPsec Phase 2 status of the security associations.
Action
From operational mode, enter the show security ipsec security-associations command.
```
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID          Gateway         Port  Algorithm         SPI       Life:sec/kb   Mon  vsys
  <133955586  172.19.100.99   500   ESP:aes-128/sha1  9c23b7a9  2862/ 449996  -    root
  >133955586  172.19.100.99   500   ESP:aes-128/sha1  c72c8f88  2862/ 449996  -    root
```
Verifying Concurrent Connections and Parameters for Each User
Purpose
Verify the number of concurrent connections and the negotiated parameters for each user.
Action
From operational mode, enter the show security dynamic-vpn users command.
```
user@host> show security dynamic-vpn users
User: test , User group: group-one, Number of connections: 1
    Remote IP: 172.19.100.99
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
```
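The four verification commands describe the same client from four angles, and a healthy session has to be consistent across all of them: a Phase 1 SA in state UP and aggressive mode, an assigned address that belongs to the configured pool, both an inbound (<) and an outbound (>) Phase 2 SA for the peer, and a CONNECTED entry in the dynamic VPN user list whose connections stay under the gateway's limit. The following script is an added example written for this page, not Juniper code: it parses the sample output shown above (re-typed as constructed input) and applies those cross-checks. The pool 10.10.10.0/24 and the limit of 10 are taken from the configuration above; the regular expressions assume the column layout shown here and may need adjusting for other Junos releases.

```python
"""Cross-check the four verification commands for one dynamic VPN client.

Added example for this page (not Juniper code). The sample output below is
constructed from the page; the column layout the regexes expect is assumed.
"""
import ipaddress
import re

POOL = ipaddress.ip_network("10.10.10.0/24")   # dyn-vpn-address-pool
CONNECTIONS_LIMIT = 10                          # gateway dyn-vpn-local-gw

IKE_SA = """\
Index   Remote Address   State  Initiator cookie  Responder cookie  Mode
18      172.19.100.99    UP     37b45aa1469e488b  7d4454404002e2e6  Aggressive
"""
ACTIVE_PEER = """\
Remote Address   Port  Peer IKE-ID  XAUTH username  Assigned IP
172.19.100.99    500   testdynvpn   test            10.10.10.2
"""
IPSEC_SA = """\
  Total active tunnels: 1
  ID          Gateway         Port  Algorithm         SPI       Life:sec/kb   Mon  vsys
  <133955586  172.19.100.99   500   ESP:aes-128/sha1  9c23b7a9  2862/ 449996  -    root
  >133955586  172.19.100.99   500   ESP:aes-128/sha1  c72c8f88  2862/ 449996  -    root
"""
DVPN_USERS = """\
User: test , User group: group-one, Number of connections: 1
    Remote IP: 172.19.100.99
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_ike_sa(text):
    """remote address -> (state, mode) from 'show security ike security-associations'."""
    rx = re.compile(rf"^\s*\d+\s+({IPV4})\s+(\S+)\s+[0-9a-f]+\s+[0-9a-f]+\s+(\S+)", re.M)
    return {m[1]: (m[2], m[3]) for m in rx.finditer(text)}


def parse_active_peers(text):
    """remote address -> (IKE ID, XAuth user, assigned IP) from 'show security ike active-peer'."""
    rx = re.compile(rf"^\s*({IPV4})\s+\d+\s+(\S+)\s+(\S+)\s+({IPV4})", re.M)
    return {m[1]: (m[2], m[3], m[4]) for m in rx.finditer(text)}


def parse_ipsec_sa(text):
    """gateway address -> set of SA directions ('<' inbound, '>' outbound) with an ESP SA."""
    rx = re.compile(rf"^\s*([<>])\d+\s+({IPV4})\s+\d+\s+ESP:", re.M)
    out = {}
    for m in rx.finditer(text):
        out.setdefault(m[2], set()).add(m[1])
    return out


def parse_dvpn_users(text):
    """XAuth user -> (connections, status) from 'show security dynamic-vpn users'."""
    out = {}
    for block in re.split(r"^(?=User:)", text, flags=re.M):
        head = re.search(r"User:\s*(\S+)\s*,.*Number of connections:\s*(\d+)", block)
        status = re.search(r"Status:\s*(\S+)", block)
        if head:
            out[head[1]] = (int(head[2]), status[1] if status else None)
    return out


def check_client(remote, ike_sa=IKE_SA, peers=ACTIVE_PEER, ipsec_sa=IPSEC_SA, users=DVPN_USERS):
    """Return the list of problems for one remote address; an empty list means healthy."""
    problems = []
    state, mode = parse_ike_sa(ike_sa).get(remote, (None, None))
    if state != "UP":
        problems.append(f"{remote}: no Phase 1 SA in state UP")
    elif mode != "Aggressive":
        problems.append(f"{remote}: Phase 1 mode {mode}; dynamic VPN negotiates aggressive mode")
    ike_id, user, assigned = parse_active_peers(peers).get(remote, (None, None, None))
    if assigned is None or ipaddress.ip_address(assigned) not in POOL:
        problems.append(f"{remote}: assigned IP {assigned} is not from {POOL}")
    if parse_ipsec_sa(ipsec_sa).get(remote) != {"<", ">"}:
        problems.append(f"{remote}: no inbound/outbound Phase 2 SA pair")
    conns, status = parse_dvpn_users(users).get(user, (0, None))
    if status != "CONNECTED":
        problems.append(f"{remote}: dynamic-vpn user {user} status {status}")
    return problems


def total_connections(users=DVPN_USERS):
    """Sum of per-user connections, to compare with the gateway's connections-limit."""
    return sum(c for c, _ in parse_dvpn_users(users).values())


if __name__ == "__main__":
    print(check_client("172.19.100.99") or "172.19.100.99: healthy")
    print(f"{total_connections()} of {CONNECTIONS_LIMIT} connections in use")
```

For the output on this page check_client("172.19.100.99") returns no problems, while a remote address that appears in none of the four outputs, or a peer whose assigned address falls outside the pool, is reported. Feeding the script live output from the four commands on a schedule gives a simple consistency monitor for the remote-access gateway.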