Local User Authentication Using Pre-shared Key (CLI Procedure)

Overview

In this configuration, you use a username and password for local user authentication. This option does not allow users to change or recover their credentials without involving the firewall administrator, so we do not recommend this authentication method. Instead, we recommend that you use the External User Authentication Using RADIUS method.

We assume that you have completed the basic setup of your SRX Series Firewalls, including interfaces, zones, and security policies, as illustrated in Figure 1.

Figure 1: Topology

For information about prerequisites, see System Requirements for Juniper Secure Connect.

You must ensure that the SRX Series Firewall uses either a signed certificate or a self-signed certificate instead of the default system-generated certificate. Before you start configuring Juniper Secure Connect, you must bind the certificate to the SRX Series Firewall by executing the following command:

For example:

Where SRX_Certificate is the self-signed certificate.

CLI Quick Configuration

To quickly configure this example on your SRX Series Firewalls, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

To configure VPN settings using the command line interface:

  1. Log in to your SRX Series Firewall using the command line interface (CLI).
  2. Enter the configuration mode.
  3. Configure remote access VPN.
    Condition:

    For deploying Juniper Secure Connect, you must create a self-signed certificate and bind the certificate to the SRX Series Firewall. For more information, see Preparing Juniper Secure Connect Configuration.

    IKE Configuration:

    1. Configure IKE proposal.
      • Define IKE proposal authentication method, Diffie-Hellman group, and authentication algorithm.
      • Configure pre-shared-keys as the authentication method.

        Enter the key in ASCII format. We do not support hexadecimal format for remote-access VPN.

    2. Configure IKE policy.

      Set the IKE Phase 1 policy mode, the reference to the IKE proposal, and the IKE Phase 1 policy authentication method.

    3. Configure IKE gateway options. See dynamic.

      If you do not configure the DPD values and the version information, Junos OS assigns the default values for these options. See dead-peer-detection.

      Configure the external interface IP address that the clients connect to. You must enter this same IP address (in this example: 192.0.2.0) in the Gateway Address field in the Juniper Secure Connect application. See gateway.

    IPsec Configuration:

    1. Configure IPsec proposal.
    2. Configure IPsec policy.
      • Specify Diffie-Hellman group 19 for IPsec Phase 2 PFS.
      • Specify IPsec Phase 2 proposal reference.

    IPsec VPN Configuration:

    1. Configure IPsec VPN parameters. See vpn (Security).
    2. Configure VPN traffic selectors. See traffic-selector.
  4. Configure the remote user client options.
    1. Configure remote access profile. See remote-access.
    2. Configure remote access client configuration. See client-config.

    Table 1 summarizes the remote user settings options.

    Table 1: Remote User Settings Options

    Remote User Settings

    Description

    connection-mode

    Configure the appropriate option to establish the client connection manually or automatically.

    • If you configure the manual option, then to establish a connection in the Juniper Secure Connect application you must either click the toggle button or select Connection > Connect from the menu.

    • If you configure the Always option, then Juniper Secure Connect establishes the connection automatically.

    Known Limitation:

    Android device: If you select Always, the configuration is downloaded from the first SRX device that you used. If the configuration of that SRX Series Firewall changes, or if you connect to a new SRX device, the configuration is not downloaded to the Juniper Secure Connect application.

    This means that once you connect in the Always mode using the Android device, any configuration changes in the SRX Series Firewall do not take effect on Juniper Secure Connect.

    dead-peer-detection

    Dead Peer Detection (DPD) is enabled by default so that the client can detect whether the SRX Series Firewall is reachable and, if it is not reachable, disable the connection until reachability is restored.

    default-profile

    If you configure a VPN connection profile as the default-profile, then you need to enter only the gateway address in the Juniper Secure Connect application. Entering the realm name in the Juniper Secure Connect application is optional, because the application automatically selects the default profile as the realm name. In this example, enter ra.example.com in the Gateway Address field of the Juniper Secure Connect application.

    Note:

    Starting in Junos OS Release 23.1R1, we've hidden the default-profile option at the [edit security remote-access] hierarchy level. In releases before Junos OS Release 23.1R1, you use this option to specify one of the remote-access profiles as the default profile in Juniper Secure Connect. With the changes to the format of remote-access profile names, we no longer require the default-profile option.

    We've deprecated the default-profile option, rather than removing it immediately, to provide backward compatibility and a chance to make your existing configuration conform to the changed configuration. You'll receive a warning message if you continue to use the default-profile option in your configuration. However, existing deployments are not affected if you modify the current configuration. See default-profile (Juniper Secure Connect).

  5. Configure the local gateway.
    1. Create address pool for client dynamic-IP assignment. See address-assignment (Access).
      • Enter the network address that you use for the address assignment.

      • Enter your DNS server address, and the WINS server details if required. Create the address range from which IP addresses are assigned to the clients.

      • Enter the range name and its lower and upper limits.

    2. Create an access profile. Enter a name for the IP address pool, and reference the local IP pool that the VPN policy uses for the clients.

      Enter a username and password for SRX local authentication of the client credentials.

    3. Create an SSL termination profile. SSL termination is a process in which the SRX Series Firewall acts as an SSL proxy server and terminates the SSL session from the client. Enter the name for the SSL termination profile and select the server certificate that you use for SSL termination on the SRX Series Firewall. The server certificate is a local certificate identifier. Server certificates are used to authenticate the identity of a server.
    4. Create SSL VPN profile. See tcp-encap.
    5. Create firewall policies.
      Create the security policy to permit traffic from the trust zone to the VPN zone.
      Create the security policy to permit traffic from the VPN zone to the trust zone.
  6. Configure Ethernet interface information.

    Configure the st0 interface with the family set to inet.

  7. Configure security zones.

    The minimum required host-inbound-traffic configuration is:

    1. system-services - On the VPN zone, select ike to allow the VPN service and https to allow the HTTPS connection that pushes the initial configuration to the Juniper Secure Connect application. On the trust zone, select https.

    2. protocols - None for the basic configuration.

      See system-services and protocols.

    The configuration example lists all system-services and protocols, but we recommend that you allow only the necessary services and protocols.

  8. The remote access configuration with the remote user and local gateway is now complete.
  9. Launch the Juniper Secure Connect application and, in the Gateway Address field, enter the same IP address that you configured as the external interface IP address.

    In this example, you've configured 192.0.2.0 as the external interface IP address that the clients connect to. You must enter this same IP address (192.0.2.0) in the Gateway Address field in the Juniper Secure Connect application.

Result

From operational mode, confirm your configuration by entering the show security, show access, and show services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Make sure that you already have a server certificate to attach with the SSL termination profile.

When you are done configuring the feature on your device, enter commit from configuration mode.