Create a Remote Access VPN—Juniper Secure Connect

You are here: Network > VPN > IPsec VPN.

Juniper Secure Connect is Juniper’s client-based SSL-VPN solution that offers secure connectivity for your network resources.

Juniper Secure Connect provides secure remote access for the users to connect to the corporate networks and resources remotely using the Internet. Juniper Secure Connect downloads the configuration from SRX Services devices and chooses the most effective transport protocols during connection establishment to deliver a great administrator and user experience.

To create a remote access VPN for Juniper secure connect:

Choose Create VPN > Remote Access > Juniper Secure Connect on the upper right-side of the IPsec VPN page.
The Create Remote Access (Juniper Secure Connect) page appears.
Complete the configuration according to the guidelines provided in Table 1 through Table 6.
The VPN connectivity will change from grey to blue line in the topology to show that the configuration is complete.
Click Save to complete Secure Connect VPN Configuration and associated policy if you have selected the auto policy creation option.
If you want to discard your changes, click Cancel.

Table 1: Fields on the Create Remote Access (Juniper Secure Connect) Page
Field	Action
Name	Enter a name for the remote access connection. This name will be displayed as the end users realm name in the Juniper Secure Connect Client.
Description	Enter a description. This description will be used for the IKE and IPsec proposals, policies, remote access profile, client configuration, and NAT rule set. During edit the IPsec policy description will be displayed. IPsec policy and remote access profile descriptions will be updated.
Routing Mode	This option is disabled for the remote access. Default mode is Traffic Selector (Auto Route Insertion).
Authentication Method	Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages: Pre-shared Key (default method)—Specifies that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers with each other. The same key must be configured for each peer. This is the default method. Certificate Based—Specifies the type of digital signatures, which are certificates that confirm the identity of the certificate holder. The supported signature is rsa-signatures. rsa-signatures specifies that a public key algorithm, which supports encryption and digital signatures, is used.
Auto-create Firewall Policy	If you select Yes, a firewall policy is automatically created between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address. Another firewall policy will be created visa-versa. If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work. Note: If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway.
Remote User	Displays the remote user icon in the topology. Click the icon to configure the Juniper Secure Connect client settings. For more information on the fields, see Table 2. Note: The J-Web UI displays the remote user's URL once local gateway is configured.
Local Gateway	Displays the local gateway icon in the topology. Click the icon to configure the local gateway. For more information on the fields, see Table 3.
IKE and IPsec Settings	Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values. For more information on the fields, see Table 6. Note: J-Web supports only one custom IKE proposal and does not support the predefined proposal-set. Upon edit and save, J-Web deletes the predefined proposal set if configured. On the remote gateway of the VPN tunnel, you must configure the same custom proposal and policy. Upon edit, J-Web shows the first custom IKE and IPsec proposal when more than one custom proposal is configured.

Table 2: Fields on the Remote User Page
Field	Action
Default Profile	Enable this option to use the configured VPN name as remote access default profile. Note: This option is not available if the default profile is configured. You must enable the default profile. If not enabled, configure the default profile under VPN > IPsec VPN > Global Settings > Remote Access VPN.
Connection Mode	Select one of the following options from the list to establish the Juniper Secure Connect client connection: Manual—You need manually connect to the VPN tunnel every time you log in. Always—You are automatically connected to the VPN tunnel every time you log in. The default connection mode is Manual.
SSL VPN	Enable this option to establish SSL VPN connection from the Juniper Secure Connect Client to the SRX Series device. By default, this option is enabled. Note: This is a fallback option when IPsec ports are not reachable.
Biometric authentication	Enable this option to authenticate the client system using unique configured methods. An authentication prompt is displayed when you connect in the client system. The VPN connection will only be initiated after successful authentication through the method configured for Windows Hello (fingerprint recognition, face recognition, PIN entry, and so on). Windows Hello must be preconfigured on the client system if the Biometric authentication option is enabled.
Dead Peer Detection	Enable the dead peer detection (DPD) option to allow the Juniper Secure Connect client to detect if the SRX Series device is reachable. Disable this option to allow the Juniper Secure Connect client to detect till the SRX Series device connection reachability is restored. This option is enabled by default.
DPD Interval	Enter the amount of time that the peer waits for traffic from its destination peer before sending a dead-peer-detection (DPD) request packet. The Range is 2 through 60 seconds and default is 60 seconds.
DPD Threshold	Enter the maximum number of unsuccessful dead peer detection (DPD) requests to be sent before the peer is considered unavailable. The Range is 1 through 5 and default is 5.
Certificates	Enable Certificates to configure certificate options on Secure Client Connect. Note: This option is available only if you select the Certificate Based authentication method.
Expiry Warning	Enable this option to display the certificate expiry warning on the Secure Connect Client. This option is enabled by default. Note: This option is available only if you enable Certificates.
Warning Interval	Enter the interval (days) at which the warning to be displayed. Range is 1 through 90. Default value is 60. Note: This option is available only if you enable Certificates.
Pin Req Per Connection	Enable this option to enter the certificate pin on very connection. This option is enabled by default. Note: This option is available only if you enable Certificates.
EAP-TLS	Enable this option for the authentication process. IKEv2 requires EAP for user authentication. SRX Series device cannot act as an EAP server. An external RADIUS server must be used for IKEv2 EAP to do the EAP authentication. SRX will act as a pass-through authenticator relaying EAP messages between the Juniper Secure Connect client and the RADIUS server. This option is enabled by default. Note: This option is available only if you select the Certificate Based authentication method.
Windows Logon	Enable this option to provide users to securely log on to the Windows domain before logging on to the Windows system. The client supports domain logon using a credential service provider after establishing a VPN connection to the company network.
Domain Name	Enter the system domain name on to which the Users Machine logs.
Mode	Select one of the following options from the list to log on to Windows domain. Manual—You must manually enter your logon data on the Windows logon screen. Automatic—The client software transfers the data entered here to the Microsoft logon interface (Credential Provider) without your action.
Disconnect at Logoff	Enable this option to shut down the connection when the system switches to hibernation or standby mode. When the system resumes from hibernation or standby mode the connection has to be re-established.
Flush Credential at Logoff	Enable this option to delete username and password from the cache. You must reenter the username and password.
Lead Time Duration	Enter the lead time duration to initialize time between network logon and domain logon. After the connection is set up, the Windows logon will only be executed after the initialization time set here has elapsed.
EAP Authentication	Enable this option to execute EAP authentication prior to the destination dialog in the credential provider. Then, system will ask for the necessary PIN, regardless of whether EAP will be required for subsequent dial-in. If this option is disabled, then EAP authentication will be executed after the destination selection.
Auto Dialog Open	Enable this option to select whether a dialog should open automatically for connection establishment to a remote domain. If this option is disabled, then the password and PIN for the client will only be queried after the Windows logon.

Table 3: Fields on the Local Gateway Page
Field	Action
Gateway is behind NAT	Enable this option when the local gateway is behind a NAT device.
NAT IP Address	Enter the public (NAT) IP address of the SRX Series device. Note: This option is available only when Gateway is behind NAT is enabled. You can configure an IPv4 address to reference the NAT device.
IKE ID	This field is mandatory. Enter the IKE ID in the format user@example.com.
External Interface	Select an outgoing interface from the list for which the client will connect to. The list contains all available IP addresses if more than one IPv4 address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway.
Tunnel Interface	Select an interface from the list for the client to connect to. Click Add to add a new interface. The Create Tunnel Interface page appears. For more information on creating a new tunnel interface, see Table 4. Click Edit to edit the selected tunnel interface.
Pre-shared Key	Enter one of the following values of the preshared key: ascii-text—ASCII text key. hexadecimal—Hexadecimal key. Note: This option is available if the authentication method is Pre-shared Key.
Local certificate	Select a local certificate from the list. Local certificate lists only the RSA certificates. To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate. To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate. Note: This option is available if the authentication method is Certificated Based.
Trusted CA/Group	Select a trusted Certificate Authority/group profile from the list. To add a CA profile, click Add CA Profile. For more information on adding a CA profile, see Add a Certificate Authority Profile. Note: This option is available if the authentication method is Certificated Based.
User Authentication	This field is mandatory. Select the authentication profile from the list that will be used to authenticate user accessing the remote access VPN. Click Add to create a new Profile. For more information on creating a new access profile, see Add an Access Profile.
SSL VPN Profile	Select the SSL VPN Profile from the list that will be used to terminate the remote access connections. To create a new SSL VPN profile: Click Add. Enter the following details: Name—Enter the name for an SSL VPN profile. Logging—Enable this option to log for SSL VPN. SSL Termination Profile—Select an SSL termination profile from the list. To add a new SSL termination profile: Click Add. The Create SSL Termination Profile page appears. Enter the following details: Name—Enter a name for the SSL termination profile. Server Certificate—Select a server certificate from the list. To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate. To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate. Click OK. Click OK. Click OK.
Source NAT Traffic	This option is enabled by default. All traffic from the Juniper Secure Connect client is NATed to the selected interface by default. If disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly.
Interface	Select an interface from the list through which the source NAT traffic pass through.
Protected Networks	Click +. The Create Protected Networks page appears.
Create Protected Networks
Zone	Select a security zone from the list that will be used as a source zone in the firewall policy.
Global Address	Select the addresses from the Available column and then click the right arrow to move it to the Selected column. Click Add to select the networks the Client can connect to. The Create Global Address page appears. For more information on the fields, see Table 5.
Edit	Select the protected network you want to edit and click on the pencil icon. The Edit Protected Networks page appears with editable fields.
Delete	Select the protected network you want to edit and click on the delete icon. The confirmation message pops up. Click Yes to delete the protected network.

Table 4: Fields on the Create Tunnel Interface Page
Field	Action
Interface Unit	Enter the logical unit number.
Description	Enter a description for the logical interface.
Zone	Select a zone from the list to add it to the tunnel interface. This zone is used in the auto-creation of the firewall policy. Click Add to add a new zone. Enter zone name and description and click OK on the Create Security Zone page.
Routing Instance	Select a routing instance from the list. Note: The default routing instance, primary, refers to the main inet.0 routing table in the logical system.

Table 5: Fields on the Create Global Address Page
Field	Action
Name	Enter a name for the global address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.
IP Type	Select IPv4.
IPv4
IPv4 Address	Enter a valid IPv4 address.
Subnet	Enter the subnet for IPv4 address.

Table 6: IKE and IPsec Settings
Field	Action
IKE Settings Note: The following parameters are generated automatically and are not displayed in the J-Web UI: If the authentication method is Pre-Shared Key, the IKE version is v1, ike-user-type is shared-ike-id, and mode is Aggressive. If the authentication method is Certificate Based, the IKE version is v2, ike-user-type is shared-ike-id, and mode is Main.
Encryption Algorithm	Select the appropriate encryption mechanism from the list. Default value is AES-CBC 256-bit.
Authentication Algorithm	Select the authentication algorithm from the list. For example, SHA 256-bit.
DH group	A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19.
Lifetime Seconds	Select a lifetime duration (in seconds) of an IKE security association (SA). Default value is 28,800 seconds. Range: 180 through 86,400 seconds.
Dead Peer Detection	Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer.
DPD Mode	Select one of the options from the list: optimized—Send probes only when there is outgoing traffic and no incoming data traffic - RFC3706 (default mode). probe-idle-tunnel—Send probes same as in optimized mode and also when there is no outgoing and incoming data traffic. always-send—Send probes periodically regardless of incoming and outgoing data traffic.
DPD Interval	Select an interval (in seconds) to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds.
DPD Threshold	Select a number from 1 to 5 to set the failure DPD threshold. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times.
Advance Configuration (Optional)
NAT-T	Enable this option for IPsec traffic to pass through a NAT device. NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series devices.
NAT Keep Alive	Select appropriate keepalive interval in seconds. Range: 1 to 300. If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices.
IKE Connection Limit	Enter the number of concurrent connections that the VPN profile supports. Range is 1 through 4294967295. When the maximum number of connections is reached, no more remote access user (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations.
IKEv2 Fragmentation	This option is enabled by default. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated. Note: This option is available if the authentication method is Certificated Based.
IKEv2 Fragment Size	Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to IPv4 message. Range: 570 to 1320 bytes. Default value is 576 bytes. Note: This option is available if the authentication method is Certificated Based.
IPsec Settings Note: The authentication method is Pre-Shared Key or Certificate Based, it automatically generates protocol as ESP.
Encryption Algorithm	Select the encryption method. Default value is AES-GCM 256-bit.
Authentication Algorithm	Select the IPsec authentication algorithm from the list. For example, HMAC-SHA-256-128. Note: This option is available when the encryption algorithm is not gcm.
Perfect Forward Secrecy	Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time. Note: group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed.
Lifetime Seconds	Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds.
Lifetime Kilobytes	Select the lifetime (in kilobytes) of an IPsec SA. Default is 256kb. Range: 64 through 4294967294.
Advanced Configuration
Anti Replay	IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number. This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers. Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality.
Install Interval	Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10 seconds.
Idle Time	Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds.
DF Bit	Select how the device handles the Don't Fragment (DF) bit in the outer header: clear—Clear (disable) the DF bit from the outer header. This is the default. copy—Copy the DF bit to the outer header. set—Set (enable) the DF bit in the outer header.
Copy Outer DSCP	This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.

Create a Remote Access VPN—Juniper Secure Connect

Related Documentation