


Remote Access VPN - CLI

Link to YouTube Video

Configuration Steps



Step 1. Configure User access profile and IP Address Pool

Step 2. Configure IPSec Phase 1

Step 3. Configure IPSec Phase 2

Step 4. Configure Dynamic VPN Parameters

Step 5. Configure Security Policy

Step 6. Verifying IPSec Connection






Configuration
# Step 1. Configure User access profile and IP Address Pool
# ----------------------------------------------------------

# IP address pool handed to remote clients; the DNS server is pushed as an XAuth attribute
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8/32

# Client (end-user) access profile: username and password, plus the mapping to the IP address pool
set access profile RA-NCP-Profile client NCP-user1 firewall-user password lab123
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool

# Secure tunnel interface st0.1 that the VPN is bound to
set interfaces st0 unit 1 family inet

# Security zone: IKE must be allowed as host-inbound traffic on the zone holding the external interface
# (st0.1 itself does not need it). st0.1 could also be placed in a separate VPN zone.
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces st0.1
set security zones security-zone Untrust interfaces ge-0/0/2.0



# Step 2. Configure IKE (IPsec Phase 1)
# -------------------------------------

# Proposal
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc

# Policy: aggressive mode is required for IKEv1 dynamic peers using shared-ike-id; it exchanges
# identities and the PSK-derived hash before encryption is established, so the pre-shared key must be strong
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text juniper123

# Gateway: references the IKE policy (not the proposal) and the access profile used for XAuth
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only


# Step 3. Configure IPsec Phase 2
# --------------------------------

# Proposal (AES-256-GCM is an AEAD cipher, so no separate authentication-algorithm is needed)
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm

# Policy
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro

# Step 4. Configure Dynamic VPN Parameters
# ----------------------------------------

# VPN: bind to st0.1, reference the gateway and the Phase 2 policy, accept any traffic selector
set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0

# Step 5. Configure Security Policy
# ---------------------------------

# Zone names are case-sensitive: the zone was defined as "Untrust" above. The "Servers" zone and the
# "Server" address-book entry are assumed to be defined elsewhere.
set security policies from-zone Untrust to-zone Servers policy RA-NCP-Access match source-address any destination-address Server application any
set security policies from-zone Untrust to-zone Servers policy RA-NCP-Access then permit
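A cross-reference check for set-style configurations like the one above, written here as an added example (it is not part of the page and not a Juniper tool): it flags references to objects that are never defined, that exist only under a different object type (a gateway naming an IKE proposal where an IKE policy is expected), or that differ only in case from the defined name. The sample configuration is a constructed, cut-down copy of the page's commands.

```python
import re
from collections import defaultdict

# Constructed sample (cut-down copy of the page's commands) that keeps two slips: the gateway
# names the IKE proposal instead of the IKE policy, and "untrust" does not match zone "Untrust".
SAMPLE_CONFIG = """\
set security zones security-zone Untrust interfaces st0.1
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pro
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security policies from-zone untrust to-zone Servers policy RA-NCP-Access then permit
"""
# Group 1 = kind of object being defined, group 2 = its name.
DEF_RE = re.compile(r"^set security (zones security-zone|ike proposal|ike policy"
                    r"|ike gateway|ipsec proposal|ipsec policy) (\S+)")
# Reference patterns: each capture group names an object; the list gives its expected kind.
REF_RES = [
    (re.compile(r"^set security ike policy \S+ proposals (\S+)"), ["ike proposal"]),
    (re.compile(r"^set security ike gateway \S+ ike-policy (\S+)"), ["ike policy"]),
    (re.compile(r"^set security ipsec policy \S+ proposals (\S+)"), ["ipsec proposal"]),
    (re.compile(r"^set security ipsec vpn \S+ ike gateway (\S+)"), ["ike gateway"]),
    (re.compile(r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)"), ["ipsec policy"]),
    (re.compile(r"^set security policies from-zone (\S+) to-zone (\S+)"), ["zones security-zone"] * 2),
]

def lint(config):
    """Return one finding per reference that names no object of the expected kind."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    defined = defaultdict(set)          # kind -> set of names defined under that kind
    for line in lines:
        if m := DEF_RE.match(line):
            defined[m.group(1)].add(m.group(2))
    findings = []
    for n, line in enumerate(lines, 1):
        for pat, kinds in REF_RES:
            if not (m := pat.match(line)):
                continue
            for name, kind in zip(m.groups(), kinds):
                if name in defined[kind]:
                    continue              # clean reference
                twin = next((d for d in defined[kind] if d.lower() == name.lower()), None)
                other = [k for k, v in defined.items() if name in v]
                why = (f"case mismatch, defined as '{twin}'" if twin else
                       f"exists only as {other[0]}" if other else "never defined")
                findings.append(f"line {n}: {kind} '{name}' {why}")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the three findings; after correcting the gateway and zone lines and defining the Servers zone it returns an empty list.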



 
Show commands

show security ike security-associations 10.100.10.1 detail

        Exchange type: aggressive
        Local IP / Remote IP address
        Remote Access Client Info: Exclusive Client (from NCP-E)
        Peer ike-id: user@LB.net

show security ipsec security-associations vpn-name RA-NCP-VPN

        Phase 2 security association

show security ike active-peer detail

        Peer IKE-ID used
        Assigned network attributes (IP address, netmask, DNS, ...)

show security ike active-peer aaa-username bob

show subscribers client-type xauth

show subscribers client-type xauth username bob detail




