Create a Remote Access VPN—Juniper Secure Connect
You are here: Network > VPN > IPsec VPN.
Juniper Secure Connect is Juniper’s client-based SSL-VPN solution that offers secure connectivity for your network resources.
Juniper Secure Connect provides secure remote access for the users to connect to the corporate networks and resources remotely using the Internet. Juniper Secure Connect downloads the configuration from SRX Services devices and chooses the most effective transport protocols during connection establishment to deliver a great administrator and user experience.
To create a remote access VPN for Juniper secure connect:
Field |
Action |
---|---|
Name |
Enter a name for the remote access connection. This name will be displayed as the end users realm name in the Juniper Secure Connect Client. |
Description |
Enter a description. This description will be used for the IKE and IPsec proposals, policies, remote access profile, client configuration, and NAT rule set. During edit the IPsec policy description will be displayed. IPsec policy and remote access profile descriptions will be updated. |
Routing Mode |
This option is disabled for the remote access. Default mode is Traffic Selector (Auto Route Insertion). |
Authentication Method |
Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages:
|
Auto-create Firewall Policy |
If you select Yes, a firewall policy is automatically created between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address. Another firewall policy will be created visa-versa. If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work. Note:
If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway. |
Remote User |
Displays the remote user icon in the topology. Click the icon to configure the Juniper Secure Connect client settings. For more information on the fields, see Table 2. Note:
The J-Web UI displays the remote user's URL once local gateway is configured. |
Local Gateway |
Displays the local gateway icon in the topology. Click the icon to configure the local gateway. For more information on the fields, see Table 3. |
IKE and IPsec Settings |
Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values. For more information on the fields, see Table 6. Note:
|
Field |
Action |
---|---|
Default Profile |
Enable this option to use the configured VPN name as remote access default profile. Note:
|
Connection Mode |
Select one of the following options from the list to establish the Juniper Secure Connect client connection:
The default connection mode is Manual. |
SSL VPN |
Enable this option to establish SSL VPN connection from the Juniper Secure Connect Client to the SRX Series device. By default, this option is enabled. Note:
This is a fallback option when IPsec ports are not reachable. |
Biometric authentication |
Enable this option to authenticate the client system using unique configured methods. An authentication prompt is displayed when you connect in the client system. The VPN connection will only be initiated after successful authentication through the method configured for Windows Hello (fingerprint recognition, face recognition, PIN entry, and so on). Windows Hello must be preconfigured on the client system if the Biometric authentication option is enabled. |
Dead Peer Detection |
Enable the dead peer detection (DPD) option to allow the Juniper Secure Connect client to detect if the SRX Series device is reachable. Disable this option to allow the Juniper Secure Connect client to detect till the SRX Series device connection reachability is restored. This option is enabled by default. |
DPD Interval |
Enter the amount of time that the peer waits for traffic from its destination peer before sending a dead-peer-detection (DPD) request packet. The Range is 2 through 60 seconds and default is 60 seconds. |
DPD Threshold |
Enter the maximum number of unsuccessful dead peer detection (DPD) requests to be sent before the peer is considered unavailable. The Range is 1 through 5 and default is 5. |
Certificates |
Enable Certificates to configure certificate options on Secure Client Connect. Note:
This option is available only if you select the Certificate Based authentication method. |
Expiry Warning |
Enable this option to display the certificate expiry warning on the Secure Connect Client. This option is enabled by default. Note:
This option is available only if you enable Certificates. |
Warning Interval |
Enter the interval (days) at which the warning to be displayed. Range is 1 through 90. Default value is 60. Note:
This option is available only if you enable Certificates. |
Pin Req Per Connection |
Enable this option to enter the certificate pin on very connection. This option is enabled by default. Note:
This option is available only if you enable Certificates. |
EAP-TLS |
Enable this option for the authentication process. IKEv2 requires EAP for user authentication. SRX Series device cannot act as an EAP server. An external RADIUS server must be used for IKEv2 EAP to do the EAP authentication. SRX will act as a pass-through authenticator relaying EAP messages between the Juniper Secure Connect client and the RADIUS server. This option is enabled by default. Note:
This option is available only if you select the Certificate Based authentication method. |
Save username |
Starting in Junos OS Release 22.1R1, you can enable this option to save the remote username. |
Save password |
Starting in Junos OS Release 22.1R1, you can enable this option to save both the remote username and password. |
Windows Logon |
Enable this option to provide users to securely log on to the Windows domain before logging on to the Windows system. The client supports domain logon using a credential service provider after establishing a VPN connection to the company network. |
Domain Name |
Enter the system domain name on to which the Users Machine logs. |
Mode |
Select one of the following options from the list to log on to Windows domain.
|
Disconnect at Logoff |
Enable this option to shut down the connection when the system switches to hibernation or standby mode. When the system resumes from hibernation or standby mode the connection has to be re-established. |
Flush Credential at Logoff |
Enable this option to delete username and password from the cache. You must reenter the username and password. |
Lead Time Duration |
Enter the lead time duration to initialize time between network logon and domain logon. After the connection is set up, the Windows logon will only be executed after the initialization time set here has elapsed. |
EAP Authentication |
Enable this option to execute EAP authentication prior to the destination dialog in the credential provider. Then, system will ask for the necessary PIN, regardless of whether EAP will be required for subsequent dial-in. If this option is disabled, then EAP authentication will be executed after the destination selection. |
Auto Dialog Open |
Enable this option to select whether a dialog should open automatically for connection establishment to a remote domain. If this option is disabled, then the password and PIN for the client will only be queried after the Windows logon. |
Field |
Action |
---|---|
Gateway is behind NAT |
Enable this option when the local gateway is behind a NAT device. |
NAT IP Address |
Enter the public (NAT) IP address of the SRX Series device. Note:
This option is available only when Gateway is behind NAT is enabled. You can configure an IPv4 address to reference the NAT device. |
IKE ID |
This field is mandatory. Enter the IKE ID in the format user@example.com. |
External Interface |
Select an outgoing interface from the list for which the client will connect to. The list contains all available IP addresses if more than one IPv4 address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway. |
Tunnel Interface |
Select an interface from the list for the client to connect to. Click Add to add a new interface. The Create Tunnel Interface page appears. For more information on creating a new tunnel interface, see Table 4. Click Edit to edit the selected tunnel interface. |
Pre-shared Key |
Enter one of the following values of the preshared key:
Note:
This option is available if the authentication method is Pre-shared Key. |
Local certificate |
Select a local certificate from the list. Local certificate lists only the RSA certificates. To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate. To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate. Note:
This option is available if the authentication method is Certificated Based. |
Trusted CA/Group |
Select a trusted Certificate Authority/group profile from the list. To add a CA profile, click Add CA Profile. For more information on adding a CA profile, see Add a Certificate Authority Profile. Note:
This option is available if the authentication method is Certificated Based. |
User Authentication |
This field is mandatory. Select the authentication profile from the list that will be used to authenticate user accessing the remote access VPN. Click Add to create a new Profile. For more information on creating a new access profile, see Add an Access Profile. |
SSL VPN Profile |
Select the SSL VPN Profile from the list that will be used to terminate the remote access connections. To create a new SSL VPN profile:
|
Source NAT Traffic |
This option is enabled by default. All traffic from the Juniper Secure Connect client is NATed to the selected interface by default. If disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly. |
Interface |
Select an interface from the list through which the source NAT traffic pass through. |
Protected Networks |
Click +. The Create Protected Networks page appears. |
Create Protected Networks | |
Zone |
Select a security zone from the list that will be used as a source zone in the firewall policy. |
Global Address |
Select the addresses from the Available column and then click the right arrow to move it to the Selected column. Click Add to select the networks the Client can connect to. The Create Global Address page appears. For more information on the fields, see Table 5. |
Edit |
Select the protected network you want to edit and click on the pencil icon. The Edit Protected Networks page appears with editable fields. |
Delete |
Select the protected network you want to edit and click on the delete icon. The confirmation message pops up. Click Yes to delete the protected network. |
Field |
Action |
---|---|
Interface Unit |
Enter the logical unit number. |
Description |
Enter a description for the logical interface. |
Zone |
Select a zone from the list to add it to the tunnel interface. This zone is used in the auto-creation of the firewall policy. Click Add to add a new zone. Enter zone name and description and click OK on the Create Security Zone page. |
Routing Instance |
Select a routing instance from the list. Note:
The default routing instance, primary, refers to the main inet.0 routing table in the logical system. |
Field |
Action |
---|---|
Name |
Enter a name for the global address. The name must be a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
IP Type |
Select IPv4. |
IPv4 | |
IPv4 Address |
Enter a valid IPv4 address. |
Subnet |
Enter the subnet for IPv4 address. |
Field |
Action |
---|---|
IKE Settings Note:
The following parameters are generated automatically and are not displayed in the J-Web UI:
|
|
Encryption Algorithm |
Select the appropriate encryption mechanism from the list. Default value is AES-CBC 256-bit. |
Authentication Algorithm |
Select the authentication algorithm from the list. For example, SHA 256-bit. |
DH group |
A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19. |
Lifetime Seconds |
Select a lifetime duration (in seconds) of an IKE security association (SA). Default value is 28,800 seconds. Range: 180 through 86,400 seconds. |
Dead Peer Detection |
Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer. |
DPD Mode |
Select one of the options from the list:
|
DPD Interval |
Select an interval (in seconds) to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds. |
DPD Threshold |
Select a number from 1 to 5 to set the failure DPD threshold. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times. |
Advance Configuration (Optional) | |
NAT-T |
Enable this option for IPsec traffic to pass through a NAT device. NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series devices. |
NAT Keep Alive |
Select appropriate keepalive interval in seconds. Range: 1 to 300. If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices. |
IKE Connection Limit |
Enter the number of concurrent connections that the VPN profile supports. Range is 1 through 4294967295. When the maximum number of connections is reached, no more remote access user (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations. |
IKEv2 Fragmentation |
This option is enabled by default. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated. Note:
This option is available if the authentication method is Certificated Based. |
IKEv2 Fragment Size |
Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to IPv4 message. Range: 570 to 1320 bytes. Default value is 576 bytes. Note:
This option is available if the authentication method is Certificated Based. |
IPsec Settings Note:
The authentication method is Pre-Shared Key or Certificate Based, it automatically generates protocol as ESP. |
|
Encryption Algorithm |
Select the encryption method. Default value is AES-GCM 256-bit. |
Authentication Algorithm |
Select the IPsec authentication algorithm from the list. For example, HMAC-SHA-256-128. Note:
This option is available when the encryption algorithm is not gcm. |
Perfect Forward Secrecy |
Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time. Note:
group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed. |
Lifetime Seconds |
Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds. |
Lifetime Kilobytes |
Select the lifetime (in kilobytes) of an IPsec SA. Default is 256kb. Range: 64 through 4294967294. |
Advanced Configuration | |
Anti Replay |
IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number. This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers. Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality. |
Install Interval |
Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10 seconds. |
Idle Time |
Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds. |
DF Bit |
Select how the device handles the Don't Fragment (DF) bit in the outer header:
|
Copy Outer DSCP |
This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules. |