Remote Access VPN - CLI

Link to YouTube Video
Configuration Steps

1. Configure user access profile and IP address pool
2. Configure IKE (IPsec Phase 1)
3. Configure IPsec Phase 2
4. Configure dynamic VPN parameters
5. Configure security policy
6. Verify the IPsec connection
Configuration

```text
# Step 1. Configure user access profile and IP address pool
# ---------------------------------------------------------
# IP address pool handed out to clients; primary-dns is pushed as an XAuth attribute
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8
# End-user access profile: local username/password plus the mapping to the pool
set access profile RA-NCP-Profile client NCP-user1 firewall-user password lab123
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool
# Secure tunnel interface st0.1 (the hierarchy is "interfaces", plural)
set interfaces st0 unit 1 family inet
# Zones: IKE must be allowed as host-inbound traffic on the zone that holds the
# external interface (ge-0/0/2.0); st0.1 itself does not need it. st0.1 is placed
# in untrust here for simplicity; a dedicated VPN zone is the cleaner choice because
# the policy in Step 5 then applies only to tunnelled traffic.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/2.0

# Step 2. Configure IKE (IPsec Phase 1)
# -------------------------------------
# Proposal
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc
# Policy. Aggressive mode is required by the shared-IKE-ID / user-at-hostname setup
# below with IKEv1; combined with a pre-shared key it sends the PSK-derived hash
# unencrypted, so an eavesdropper can brute-force the key offline. Use a long random
# key (juniper123 is a lab value) or certificates.
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text juniper123
# Gateway: all clients present the same IKE ID (user@LB.net); individual users are
# then authenticated by XAuth against the access profile
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only

# Step 3. Configure IPsec Phase 2
# -------------------------------
# Proposal (AES-GCM is an AEAD cipher, so no separate authentication-algorithm is needed)
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
# Policy: "proposals" references a user-defined proposal; "proposal-set" is only for
# the predefined sets (basic, compatible, standard, ...)
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro

# Step 4. Configure dynamic VPN parameters
# ----------------------------------------
set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0

# Step 5. Configure security policy
# ---------------------------------
# Address object in the global address book, referenced by name in the policy
set security address-book global address lubuntu 10.0.2.3/32
# The servers zone also needs its server-facing interface assigned (not shown here)
set security zones security-zone servers
# source-address any matches everything arriving from untrust, not only VPN clients;
# restrict it to the client pool (192.168.100.0/24) or move st0.1 into its own zone
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any destination-address lubuntu application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit
```
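The configuration above is small enough to review by eye, but the same three questions (is the IKE policy aggressive mode with a PSK, does the tunnel interface share a zone with a physical interface, does a policy from that zone permit any source) come up on every SRX remote-access build. The script below is an added example written for this page, not Juniper code and not part of the original article: it parses set-format configuration with a small tokenizer and reports those findings. The embedded sample is a constructed subset of the page's own commands; the "weak DH" threshold, the `vpn` zone name and the `RA-NCP-pool-net` address used in the segmented variant are assumptions, not values from the page.

```python
"""Audit a Junos SRX remote-access VPN configuration written as 'set' commands.

Added example for this page (not Juniper's code, not from the original article).
"""
import shlex
from collections import defaultdict

# Assumption: MODP groups below 2048 bits are treated as weak.
WEAK_DH = {"group1", "group2", "group5"}

# Constructed sample: the security-relevant subset of the page's configuration.
PAGE_CONFIG = """
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/2.0
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any destination-address lubuntu application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit
"""

# Constructed variant: st0.1 in its own zone, policy limited to the client pool.
# Zone "vpn" and address "RA-NCP-pool-net" are assumed names, not from the page.
SEGMENTED_CONFIG = (
    PAGE_CONFIG
    .replace("security-zone untrust interfaces st0.1", "security-zone vpn interfaces st0.1")
    .replace("from-zone untrust to-zone servers", "from-zone vpn to-zone servers")
    .replace("source-address any", "source-address RA-NCP-pool-net")
)


def parse_set_config(text):
    """One token list per 'set ...' line, minus the leading 'set'.
    shlex keeps quoted values such as "user@LB.net" as a single token."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("set "):
            out.append(shlex.split(line)[1:])
    return out


def _under(lines, *prefix):
    """Yield the tokens that follow the given configuration path prefix."""
    n = len(prefix)
    for toks in lines:
        if tuple(toks[:n]) == prefix:
            yield toks[n:]


def audit(text):
    """Return findings as 'check: detail' strings; an empty list means nothing flagged."""
    lines = parse_set_config(text)
    findings = []

    # IKE proposals: which use pre-shared keys, which negotiate a weak DH group.
    psk_proposals = set()
    for name, key, *val in _under(lines, "security", "ike", "proposal"):
        if key == "authentication-method" and val == ["pre-shared-keys"]:
            psk_proposals.add(name)
        elif key == "dh-group" and val[0] in WEAK_DH:
            findings.append(f"weak-dh: proposal {name} uses {val[0]}")

    # IKE policies: IKEv1 aggressive mode sends the PSK-derived HASH payload in the
    # clear, so a captured exchange can be dictionary-attacked offline.
    mode, proposals = {}, defaultdict(set)
    for name, key, *val in _under(lines, "security", "ike", "policy"):
        if key == "mode":
            mode[name] = val[0]
        elif key == "proposals":
            proposals[name].update(val)
    for name, m in mode.items():
        if m == "aggressive" and proposals[name] & psk_proposals:
            findings.append(f"aggressive-psk: policy {name} (use a long random PSK or certificates)")

    # Zone membership: which interfaces sit in each zone.
    zone_ifaces = defaultdict(set)
    for zone, *rest in _under(lines, "security", "zones", "security-zone"):
        if len(rest) == 2 and rest[0] == "interfaces":
            zone_ifaces[zone].add(rest[1])

    # Tunnel interfaces that share a zone with a non-st interface: every policy
    # from that zone then also applies to untunnelled traffic.
    tunnel_zones = {}
    for vpn, key, *val in _under(lines, "security", "ipsec", "vpn"):
        if key == "bind-interface":
            for zone, ifaces in zone_ifaces.items():
                if val[0] in ifaces:
                    tunnel_zones[zone] = val[0]
                    others = sorted(i for i in ifaces if not i.startswith("st"))
                    if others:
                        findings.append(f"shared-zone: {val[0]} ({vpn}) sits in zone {zone} with {', '.join(others)}")

    # Policies from a tunnel zone that match source-address any instead of the pool.
    for toks in _under(lines, "security", "policies", "from-zone"):
        # toks: [zone, 'to-zone', Z, 'policy', NAME, 'match'|'then', ...]
        if len(toks) > 6 and toks[5] == "match" and toks[0] in tunnel_zones:
            match = toks[6:]
            if "source-address" in match and match[match.index("source-address") + 1] == "any":
                findings.append(f"any-source: policy {toks[4]} from zone {toks[0]} permits any source")

    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("segmented config", SEGMENTED_CONFIG)):
        print(f"== {label}")
        for finding in audit(cfg) or ["(no findings)"]:
            print("  ", finding)
```

Run against the page's configuration the audit reports three findings (aggressive-psk, shared-zone, any-source); the segmented variant clears the two zoning findings and leaves only the aggressive-mode one, which the shared-IKE-ID design on this page cannot avoid without moving to certificates.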
Show commands (Step 6. Verify the IPsec connection)

```text
# Phase 1: the IKE SA with the client; the output should show "Exchange type: aggressive"
show security ike security-associations 10.100.10.1 detail
# Phase 2: the IPsec security associations for this VPN
show security ipsec security-associations vpn-name RA-NCP-VPN
# Peer IKE-ID in use, and the XAuth username per peer
show security ike active-peer detail
show security ike active-peer aaa-username bob
# XAuth subscriber sessions, including the address assigned from the pool ("detail" is optional)
show subscribers client-type xauth
show subscribers client-type xauth username bob detail
```