Create a Remote Access VPN—Juniper Secure Connect

Juniper Secure Connect is Juniper Networks’s client-based SSL-VPN solution that offers secure remote access for your network resources. Juniper Secure Connect downloads the configuration from SRX Services devices and chooses the most effective transport protocols during connection establishment.

Before You Begin

Read the IPSec VPN overview and view the field descriptions to understand your current data set. See IPsec VPN Overview .
Create addresses and address sets. See Create Addresses or Address Groups.
Create VPN profiles. See Creating VPN Profiles.
Define extranet devices. See Create Extranet Devices.

Select SRX > IPsec VPN > IPsec VPNs.

The IPsec VPNs page opens.
Click Create > Remote Access Juniper Secure Connect.

The Create Remote Access VPN page opens.
Complete the IPsec VPN configuration parameters according to the guidelines provided in Table 1.

Note:
Click View IKE/IPsec Settings to view or edit VPN profiles. If the VPN profile is default, you can edit the configurations. If the profile is shared, you can only view the configurations.

The VPN connectivity will change from gray to blue line in the topology to show that the configuration is complete. The topology displayed is only for representation.
Click Save.

Table 1: Create Remote Access VPN Page Settings
Settings	Guidelines
Name	Enter a unique string of maximum 63 alphanumeric characters without spaces. The string can contain colons, periods, dashes, and underscores.
Description	Enter a description containing maximum 255 characters for the VPN.
Routing Topology	Select Traffic Selector (Auto Route Insertion). A traffic selector is an agreement between IKE peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.
VPN Profile	Select a VPN profile from the drop-down list based on the deployment scenario. The Inline profile is applicable to a particular IPsec VPN only. You can view and edit the details by clicking View IKE/IPsec settings on the Create IPsec VPN page. The Shared profile can be used by one or more IPsec VPNs. You can only view the details of the shared profiles by clicking View IKE/IPsec settings on the Create IPsec VPN page.
Authentication Method	Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages. Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. RSA Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures is used.
Max Transmission Unit	Select the maximum transmission unit (MTU) in bytes. MTU defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68 to 9192 bytes, and the default value is 1500 bytes.
Pre-shared Key	Establish a VPN connection using pre-shared keys, which is essentially a password that is same for both parties. Select the type of pre-shared key you want to use: Autogenerate—Select if you want to automatically generate a unique key per tunnel. When selected, the Generate Unique key per tunnel option is automatically enabled. If you disable the Generate Unique key per tunnel option, Juniper Security Director Cloud generates a single key for all tunnels. Manual—Select to enter the key manually. By default, the manual key is masked. Pre-shared keys are applicable only if the authentication method is pre-shared-based.
Client Settings	Modify the default client profile and define a local gateway. To modify the default client profile: Select the default profile in the Client Settings section. Click the pencil icon. The Remote User page opens. Configure the parameters as described in Table 2. To define a local gateway: Click the + sign in the Local Gateway section. The Add Device page opens. Configure the device parameters as described in Table 3. Click OK.

Table 2: Remote User Page Settings
Settings	Guidelines
Connection Mode	Select one of the following options from the list to establish the Juniper Secure Connect client connection: Manual—You need to manually connect to the VPN tunnel every time you log in. Always—You are automatically connected to the VPN tunnel every time you log in. The default connection mode is Manual.
SSL VPN	Enable this option to establish SSL VPN connection from the Juniper Secure Connect Client to the SRX Series Firewall. This is a fallback option when IPsec ports are not reachable. By default,this option is enabled.
Biometric Authentication	Enable this option to authenticate the client system using unique configured methods. An authentication prompt is displayed when you connect in the client system. The VPN connection will only be initiated after successful authentication through the method configured for Windows Hello (fingerprint recognition, face recognition, PIN entry, and so on). Windows Hello must be preconfigured on the client system if the Biometric authentication option is enabled.
Dead Peer Detection	Enable this option to allow the Juniper Secure Connect client to detect if the SRX Series Firewall is reachable. Disable this option to allow the Juniper Secure Connect client to detect till the SRX Series Firewall connection reachability is restored. This option is enabled by default.
DPD Mode	Select a DPD Mode. Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode. Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity. Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.
DPD Interval	Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds with a valid range of 2 to 60 seconds.
DPD Threshold	Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1 to 5.
Certificates	The option to configure the security certificates. Expiry Warning—When enabled, you receive certificate expiration warning when the certificate is about to expire. This option is enabled by default. Warning Interval—Enter the interval in days when you want the warning to be displayed. Pin Req Per Connection—When enabled, you must enter the certificate PIN for every connection. This option is enabled by default.
EAP-TLS	The option to use the EAP-TLS authentication method to validate the security certificates. This option is enabled by default.
Window logon	Enable this option to provide users to securely log on to the Windows domain before logging on to the Windows system. The client supports domain login using a credential service provider after establishing a VPN connection to the company network.

Table 3: Add Device Page Settings
Settings	Guidelines
External Interface	Select the outgoing interface for IKE security associations (SAs). This interface is associated with a zone that acts as its carrier, providing firewall security for it.
Tunnel Zone	Select the tunnel zone. Tunnel zones are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPsec traffic. Tunnel zones also provide flexibility in combining tunnel interfaces with VPN tunnels.
User Authentication	Select the authentication profile from the list that will be used to authenticate a user accessing the remote access VPN. Click Add to create a new access profile. Note: LDAP authentication is not supported in a remote VPN.
SSL VPN Profile	Select an SSL VPN profile from the list to terminate the remote access connection. To create a new SSL VPN profile: Click Add. The Add SSL VPN Profile page opens. Enter the SSL VPN profile name. Enable Logging option to log SSL VPN events. Enter a SSL termination profile name. Select a server certificate. Click OK.
Certificate	Select a certificate to authenticate the virtual private network (VPN) initiator and recipient.
Trusted CA/Group	Select the CA profile from the list to associate it with the local certificate. This is applicable when authentication method is RSA-Signatures.
Protected Networks	Configure the addresses type for the selected device to protect one area of the network from the other. You can also create addresses by clicking Add New Address.

Table 4: View IKE/IPsec Settings
Settings	Guidelines
IKE Settings
IKE Version	Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used.
Mode	Select an IKE policy mode. Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. This mode also provides identity protection. Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection. Mode is applicable when the IKE Version is V1.
Encryption Algorithm	Select the appropriate encryption mechanism.
Authentication Algorithm	Select an algorithm. The device uses this algorithm to verify the authenticity and integrity of a packet.
Deffie Hellman group	Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Lifetime Seconds	Select a lifetime of an IKE security association (SA). The valid range is from 180 to 86400 seconds.
Dead Peer Detection	Enable this option to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.
DPD Mode	Select a DPD Mode. Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode. Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity. Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.
DPD Interval	Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds with a valid range of 2 to 60 seconds.
DPD Threshold	Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1 to 5.
Advance Settings
General IKE ID	Enable this option to accept peer IKE ID This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.
IKEv2 Re Authentication	Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0. The valid range is 0 to 100.
IKEv2 Re Fragmentation Support	Enable this option to split a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.
IKEv2 Re-fragment Size	Select the size of the packet at which messages are fragmented. By default, the size is 576 bytes for IPv4. The valid range is 570 to 1320.
IKE ID	Select one of the following options: None Distinguished name Hostname IPv4 address E-mail Address IKE ID is applicable only when General IKE ID is disabled.
NAT-T	Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.
Keep Alive	Select a period in seconds to keep the connection alive. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. The valid range is from 1 to 300 seconds.
IPsec Settings
Protocol	Select the required protocol to establish the VPN. ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication. AH—The Authentication Header (AH) protocol provides data integrity and data authentication.
Encryption Algorithm	Select the encryption method. This is applicable if the Protocol is ESP.
Authentication Algorithm	Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.
Perfect Forward Secrecy	Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.
Establish Tunnel	Select an option to specify when IKE is activated. Immediately—IKE is activated immediately after VPN configuration changes are committed. On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.
Advance Settings
VPN Monitor	Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.
Optimized	Enable this option to optimize VPN monitoring and configure SRX Series Firewalls to send ICMP echo requests, also called pings, only when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series Firewalls considers the tunnel to be active and do not send pings to the peer.
Anti Replay	Enable this option for the IPsec mechanism to protect against a VPN attack that uses a sequence of numbers that are built into the IPsec packet. IPsec does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers. Disable this option if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality. By default, Anti-Replay detection is enabled.
Install interval	Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.
Idle Time	Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received.
DF Bit	Select an option to process the Don’t Fragment (DF) bit in IP messages. Clear—Disable the DF bit from the IP messages. This is the default option. Copy—Copy the DF bit to the IP messages. Set—Enable the DF bit in the IP messages.
Copy Outer DSCP	Enable this option to allow copying of the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.
Lifetime Seconds	Select a lifetime of an IKE security association (SA). The valid range is from 180 to 86400 seconds.
Lifetime Kilobytes	Select the lifetime in kilobytes of an IPsec security association (SA). The valid range is from 64 to 4294967294 kilobytes.