
Video: https://www.youtube.com/watch?v=J1C4300zMBU


Access profiles, also known as client profiles, contain the parameters that grant a subscriber access and provide basic service during initial login. For Dynamic VPN the profile holds the XAuth client credentials (username and password) and the address-assignment pool from which the SRX hands the Pulse client its tunnel IP address and DNS server.

https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-dynamic-profiles-compare.html





access profile (client profile):

set access profile <profile-name>
# the password is stored in the committed config as $9$ obfuscated text, which is reversible, so treat the config as sensitive
set access profile <profile-name> client <client-name> firewall-user password <password>

# define an IP pool and attach it to the profile
set access address-assignment pool mypool family inet network 10.100.100.0/24
set access profile myprofile address-assignment pool mypool

# DNS server pushed to the client as an XAuth attribute
set access address-assignment pool mypool family inet xauth-attributes primary-dns 8.8.8.8



access profile options (CLI completion):
root@SRX1500-2# set access profile myprofile ?
Possible completions:
> accounting           Specifies the accounting options
> address-assignment   Address assignment pool
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ authentication-order  Order in which authentication mechanisms are used
+ charging-service-list  List of used 3gpp charging servicess
> client               Entity requesting access
> client-name-filter   Restrictions on client names
> domain-name-server   Default DNS server's IPv4 address
> domain-name-server-inet  DNS server's IPv4 address
> domain-name-server-inet6  DNS server's IPv6 address
> jsrc                 Set of JSRC configurations
> ldap-options         Lightweight Directory Access Protocol options
> ldap-server          Lightweight Directory Access Protocol server
> local                Set configuration for local reporting
+ preauthentication-order  Order in which preauthentication mechanisms are used
> radius               Set of RADIUS configurations
> radius-options       RADIUS options
> radius-server        RADIUS server configuration
> session-options      Options for an authenticated client's session
> wins-server          Default WINS server's IPv4 address



Configuration Steps

Step 1. Configure Dynamic VPN Users and IP Address Pool

Step 2. Configure IPSec Phase 1

Step 3. Configure IPSec Phase 2

Step 4. Configure Dynamic VPN Parameters

Step 5. Configure Security Policy

Step 6. Verify IPSec Connection

1- Configure Dynamic VPN Users and IP Address Pool
  1. access profile <dyn-profile> client       < username, password + IP pool >
  2. access address-assignment pool            < name, ip pool, dns >
  3. access firewall-authentication            < web-authentication default-profile <dyn-profile> >
2- Configure IPSec Phase 1
  1. ike proposal   < auth-method, dh-group, auth-algo, encryp-algo >    for the control channel (IKE SA) encryption
  2. ike policy     < mode aggressive, ike proposal, pre-shared-key >
  3. ike gateway    < ike policy, external-interface, dynamic hostname, dynamic ike-user-type shared-ike-id, xauth access-profile >
3- Configure IPSec Phase 2
  1. ipsec proposal < protocol, auth-algo, encryp-algo >                  for the data (IPsec SA) encryption
  2. ipsec policy   < ipsec proposal, pfs key group >
  3. ipsec vpn      < ike gateway, ipsec-policy >
4- Configure Dynamic VPN Parameters
  1. dynamic-vpn    < access-profile, clients all remote-protected-resources / remote-exceptions, ipsec-vpn, user >
5- Configure Security Policy
  1. policies from-zone untrust to-zone trust   < match source/destination/application, then permit tunnel ipsec-vpn >
     (any/any/any is the lab shortcut; in production match the pool as source and the protected resources as destination)
  2. untrust zone host-inbound-traffic          < system-services ike and https >
     (ike for UDP 500/4500; https because the Pulse client downloads its tunnel configuration from the SRX over HTTPS)
6- Verify IPSec Connection

show security dynamic-vpn users
show security dynamic-vpn client version
show security ike active-peer
show security ike security-associations
show security ipsec security-associations


On the Windows client, check that the Pulse client installed routes for the protected resources:

route print -4




Full Config

https://www.youtube.com/watch?v=zc-raMM31aM&ab_channel=JuniperNetworks

Dynamic VPN CLI, 5 Feb 2020:
set access profile Dyn-Pulse-profile client Pulse-user1 firewall-user password lab123
set access profile Dyn-Pulse-profile address-assignment pool Dyn-Pulse-pool
set access address-assignment pool Dyn-Pulse-pool family inet network 192.168.1.0/24
#set access address-assignment pool Dyn-Pulse-pool family inet xauth-attributes primary-dns 192.168.100.1/32
set access firewall-authentication web-authentication default-profile Dyn-Pulse-profile