Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Create a Remote Access VPN—NCP Exclusive Client

You are here: Network > VPN > IPsec VPN.

The NCP Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is only available with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links from any location when connected with SRX Series Gateways.

To create a remote access VPN for Juniper secure connect:

  1. Choose Create VPN > Remote Access > NCP Exclusive Client on the upper right-side of the IPsec VPN page.

    The Create Remote Access (NCP Exclusive Client) page appears.

  2. Complete the configuration according to the guidelines provided in Table 1 through Table 5.

    The VPN connectivity will change from grey to blue line in the topology to show that the configuration is complete.

  3. Click Save to save the changes.

    If you want to discard your changes, click Cancel.

Table 1: Fields on the Create Remote Access (NCP Exclusive Client) Page

Field

Action

Name

Enter a name for the remote access connection. This name will be displayed as the end users connection name in the NCP exclusive client.

Description

Enter a description. This description will be used for the IKE and IPsec proposals, policies, remote access profile, client configuration, and NAT rule set.

During edit the IPsec policy description will be displayed. IPsec policy and remote access profile descriptions will be updated.

Routing Mode

This option is disabled for the remote access.

Default mode is Traffic Selector (Auto Route Insertion).

Authentication Method

Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages:

  • Pre-shared Key (default method)—Specifies that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers with each other. The same key must be configured for each peer. This is the default method.

  • Certificate Based—Types of digital signatures, which are certificates that confirm the identity of the certificate holder.

    The supported signature is rsa-signatures. rsa-signatures specifies that a public key algorithm, which supports encryption and digital signatures, is used.

Auto-create Firewall Policy

If you select Yes, a firewall policy is automatically created between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address.

Another firewall policy will be created visa-versa.

If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work.

Note:

If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway.

Remote User

Displays the remote user icon in the topology.

This option is disabled.

Local Gateway

Displays the local gateway icon in the topology. Click the icon to configure the local gateway.

For more information on the fields, see Table 2.

IKE and IPsec Settings

Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values.

For more information on the fields, see Table 5.

Note:
  • J-Web supports only one custom IKE proposal and does not support the predefined proposal-set. Upon edit and save, J-Web deletes the predefined proposal set if configured.

  • On the remote gateway of the VPN tunnel, you must configure the same custom proposal and policy.

  • Upon edit, J-Web shows the first custom IKE and IPsec proposal when more than one custom proposal is configured.

Table 2: Fields on the Local Gateway Page

Field

Action

Gateway is behind NAT

Enable this option when the local gateway is behind a NAT device.

NAT IP Address

Enter the public (NAT) IP address of the SRX Series device.

Note:

This option is available only when Gateway is behind NAT is enabled. You can configure an IPv4 address to reference the NAT device.

IKE ID

This field is mandatory. Enter the IKE ID in the format user@example.com.

External Interface

Select an outgoing interface from the list for which the client will connect to.

The list contains all available IP addresses if more than one IPv4 address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway.

Tunnel Interface

Select an interface from the list for the client to connect to.

Click Add to add a new interface. The Create Tunnel Interface page appears. For more information on creating a new tunnel interface, see Table 3.

Click Edit to edit the selected tunnel interface.

Pre-shared Key

Enter one of the following values of the preshared key:

  • ascii-text—ASCII text key.

  • hexadecimal—Hexadecimal key.

Note:

This option is available if the authentication method is Pre-shared Key.

Local certificate

Select a local certificate from the list.

Local certificate lists only the RSA certificates.

To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate.

Note:

This option is available if the authentication method is Certificated Based.

Trusted CA/Group

Select a trusted Certificate Authority/group profile from the list.

To add a CA profile, click Add CA Profile. For more information on adding a CA profile, see Add a Certificate Authority Profile.

Note:

This option is available if the authentication method is Certificated Based.

User Authentication

This field is mandatory. Select the authentication profile from the list that will be used to authenticate user accessing the remote access VPN.

Click Add to create a new Profile. For more information on creating a new access profile, see Add an Access Profile.

SSL VPN Profile

Select the SSL VPN Profile from the list that will be used to terminate the remote access connections.

To create a new SSL VPN profile:

  1. Click Add.

  2. Enter the following details:

    • Name—Enter the name for an SSL VPN profile.

    • Logging—Enable this option to log for SSL VPN.

    • SSL Termination Profile—Select an SSL termination profile from the list.

      To add a new SSL termination profile:

      1. Click Add.

      2. Enter the following details:

        • Name—Enter a name for the SSL termination profile.

        • Server Certificate—Select a server certificate from the list.

          To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

          To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate.

        • Click OK.

      3. Click OK.

  3. Click OK.

Source NAT Traffic

This option is enabled by default.

All traffic from the Juniper Secure Connect client is NATed to the selected interface by default.

If disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly.

Interface

Select an interface from the list through which the source NAT traffic pass through.

Protected Networks

Click +. The Create Protected Networks page appears.

Create Protected Networks

Zone

Select a security zone from the list that will be used as a source zone in the firewall policy.

Global Address

Select the addresses from the Available column and then click the right arrow to move it to the Selected column.

Click Add to select the networks the Client can connect to.

The Create Global Address page appears. For more information on the fields, see Table 4.

Edit

Select the protected network you want to edit and click on the pencil icon.

The Edit Protected Networks page appears with editable fields.

Delete

Select the protected network you want to edit and click on the delete icon.

The confirmation message pops up.

Click Yes to delete the protected network.

Table 3: Fields on the Create Tunnel Interface Page

Field

Action

Interface Unit

Enter the logical unit number.

Description

Enter a description for the logical interface.

Zone

Select a zone from the list to add it to the tunnel interface.

This zone is used in the auto-creation of the firewall policy.

Click Add to add a new zone. Enter zone name and description and click OK on the Create Security Zone page.

Routing Instance

Select a routing instance from the list.

Note:

The default routing instance, primary, refers to the main inet.0 routing table in the logical system.

Table 4: Fields on the Create Global Address Page

Field

Action

Name

Enter a name for the global address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

IP Type

Select IPv4.

IPv4

IPv4 Address

Enter a valid IPv4 address.

Subnet

Enter the subnet for IPv4 address.

Table 5: IKE and IPsec Settings

Field

Action

IKE Settings
Note:

The following parameters are generated automatically and are not displayed in the J-Web UI:

  • If the authentication method is Pre-Shared Key, the IKE version is 1, ike-user-type is shared-ike-id, and mode is Aggressive.

  • If the authentication method is Certificate Based, the IKE version is 2, ike-user-type is group-ike-id, and mode is Main.

Encryption Algorithm

Select the appropriate encryption mechanism from the list.

Default value is AES-CBC 256-bit.

Authentication Algorithm

Select the authentication algorithm from the list. For example, SHA 256-bit.

DH group

A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19.

Lifetime Seconds

Select a lifetime duration (in seconds) of an IKE security association (SA).

Default value is 28,800 seconds. Range: 180 through 86,400 seconds.

Dead Peer Detection

Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer.

DPD Mode

Select one of the options from the list:

  • optimized—Send probes only when there is outgoing traffic and no incoming data traffic - RFC3706 (default mode).

  • probe-idle-tunnel—Send probes same as in optimized mode and also when there is no outgoing and incoming data traffic.

  • always-send—Send probes periodically regardless of incoming and outgoing data traffic.

DPD Interval

Select an interval (in seconds) to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds.

DPD Threshold

Select a number from 1 to 5 to set the failure DPD threshold.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times.

Advance Configuration (Optional)

NAT-T

Enable this option for IPsec traffic to pass through a NAT device.

NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series devices.

NAT Keep Alive

Select appropriate keepalive interval in seconds. Range: 1 to 300.

If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices.

IKE Connection Limit

Enter the number of concurrent connections that the VPN profile supports.

Range is 1 through 4294967295.

When the maximum number of connections is reached, no more remote access user (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations.

IKEv2 Fragmentation

This option is enabled by default. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated.

Note:

This option is available if the authentication method is Certificated Based.

IKEv2 Fragment Size

Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments.

The size applies to IPv4 message. Range: 570 to 1320 bytes.

Default value is 576 bytes.

Note:

This option is available if the authentication method is Certificated Based.

IPsec Settings

Encryption Algorithm

Select the encryption method. Default value is AES-GCM 256-bit.

Authentication Algorithm

Select the IPsec authentication algorithm from the list. For example, HMAC-SHA-256-128.

Note:

This option is available when the encryption algorithm is not gcm.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19.

PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time.

Note:

group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed.

Lifetime Seconds

Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds.

Lifetime Kilobytes

Select the lifetime (in kilobytes) of an IPsec SA. Default is 256kb. Range: 64 through 4294967294.

Advanced Configuration

Anti Replay

IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number.

This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers.

Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality.

Install Interval

Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10.

Idle Time

Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds.

DF Bit

Select how the device handles the Don't Fragment (DF) bit in the outer header:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Copy Outer DSCP

This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.