https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1401&pFName=Internet%20Protocol%20Security%20(IPsec)%20VPN
Access profiles, also known as client profiles, contain the parameters to grant access and provide basic service to a subscriber during initial login.
https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-dynamic-profiles-compare.html
set access profile <profilename>
set access profile <profilename> client <clientname> firewall-user password <password>
# define an IP pool and attach it to the profile:
set access address-assignment pool mypool family inet network 10.100.100.0/24
set access profile myprofile address-assignment pool mypool
# optional: push a DNS server to XAuth clients from the same pool
set access address-assignment pool mypool family inet xauth-attributes primary-dns 8.8.8.8
root@SRX1500-2# set access profile myprofile ?
Possible completions:
> accounting Specifies the accounting options
> address-assignment Address assignment pool
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ authentication-order Order in which authentication mechanisms are used
+ charging-service-list List of used 3gpp charging servicess
> client Entity requesting access
> client-name-filter Restrictions on client names
> domain-name-server Default DNS server's IPv4 address
> domain-name-server-inet DNS server's IPv4 address
> domain-name-server-inet6 DNS server's IPv6 address
> jsrc Set of JSRC configurations
> ldap-options Lightweight Directory Access Protocol options
> ldap-server Lightweight Directory Access Protocol server
> local Set configuration for local reporting
+ preauthentication-order Order in which preauthentication mechanisms are used
> radius Set of RADIUS configurations
> radius-options RADIUS options
> radius-server RADIUS server configuration
> session-options Options for an authenticated client's session
> wins-server Default WINS server's IPv4 address
Configuration Steps

Step 1. Configure Dynamic VPN Users and IP Address Pool
Step 2. Configure IPsec Phase 1
Step 3. Configure IPsec Phase 2
Step 4. Configure Dynamic VPN Parameters
Step 5. Configure Security Policy
Step 6. Verify the IPsec Connection

1- Configure Dynamic VPN Users and IP Address Pool
- access profile <dyn-profile> client <username, password> + IP pool
- access address-assignment pool <name, ip pool, dns>
- access firewall-authentication

2- Configure IPsec Phase 1
- ike proposal <auth-method, dh-group, auth-algo, encryp-algo> for the control channel encryption
- ike policy <mode, ike proposal, pre-shared-key>
- ike gateway <ike policy, dyn hostname, dyn ike-user-type, xauth access-profile>

3- Configure IPsec Phase 2
- ipsec proposal <protocol, auth-algo, encryp-algo> for the data encryption
- ipsec policy <ipsec proposal, pfs key group>
- ipsec vpn <ike gateway, ipsec-policy>

4- Configure Dynamic VPN Parameters
- dynamic-vpn <access-profile, clients all remote-protected-resources/servers remote-exceptions, ipsec-vpn, client user>

5- Configure Security Policy
- policies from-zone untrust to-zone trust <match any/any/any, then permit tunnel ipsec-vpn>
- untrust zone host-inbound-traffic <system-services https, ike>

6- Verify the IPsec Connection
- show security dynamic-vpn users
- show security dynamic-vpn client version
- show security ike active-peer
- show security ike security-associations
- show security ipsec security-associations
- on Windows: route print -4
Full Config

# Step 1. Configure Dynamic VPN Users and IP Address Pool
# -------------------------------------------------------
set access profile Dyn-Pulse-profile client Pulse-user1 firewall-user password lab123
set access profile Dyn-Pulse-profile address-assignment pool Dyn-Pulse-pool
set access address-assignment pool Dyn-Pulse-pool family inet network 192.168.1.0/24
#set access address-assignment pool Dyn-Pulse-pool family inet xauth-attributes primary-dns 192.168.100.1/32
set access firewall-authentication web-authentication default-profile Dyn-Pulse-profile
# Step 2. Configure IPSec Phase 1
# --------------------------------
set security ike policy Dyn-Pulse-ike-policy mode aggressive
set security ike policy Dyn-Pulse-ike-policy proposal-set standard
set security ike policy Dyn-Pulse-ike-policy pre-shared-key ascii-text juniper123
#set security ike policy Dyn-Pulse-ike-policy description "Dynamic P2 Policy"
#set security ike policy Dyn-Pulse-ike-policy proposals Dynamic-VPN-P1-Proposal
set security ike gateway Dyn-Pulse-GW ike-policy Dyn-Pulse-ike-policy
set security ike gateway Dyn-Pulse-GW dynamic hostname Dyn-pluse.juniper
set security ike gateway Dyn-Pulse-GW dynamic ike-user-type group-ike-id
# external interface must be the one placed in the untrust zone in Step 5
set security ike gateway Dyn-Pulse-GW external-interface ge-0/0/1.0
set security ike gateway Dyn-Pulse-GW aaa access-profile Dyn-Pulse-profile
# Step 3. Configure IPSec Phase 2
# --------------------------------
set security ipsec policy Dyn-Pulse-IPsec-Pol proposal-set standard
set security ipsec vpn Dyn-Pulse-VPN ike gateway Dyn-Pulse-GW
set security ipsec vpn Dyn-Pulse-VPN ike ipsec-policy Dyn-Pulse-IPsec-Pol
# Step 4. Configure Dynamic VPN Parameters
# -----------------------------------------
set security dynamic-vpn access-profile Dyn-Pulse-profile
# split tunnel
set security dynamic-vpn clients all remote-protected-resources 192.168.30.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
# no split tunnel
# set security dynamic-vpn clients all remote-protected-resources 0/0
set security dynamic-vpn clients all ipsec-vpn Dyn-Pulse-VPN
set security dynamic-vpn clients all user Pulse-user1
# Step 5. Configure Security Policy
# --------------------------------
# zone name must match the from-zone used in the tunnel policy below
set security zone untrust interface ge-0/0/1.0 host-inbound-traffic system-services ike
set security zone untrust interface ge-0/0/1.0 host-inbound-traffic system-services https
set security policies from-zone untrust to-zone trust policy Dyn-Pulse-VPN match source-address any
set security policies from-zone untrust to-zone trust policy Dyn-Pulse-VPN match destination-address any
set security policies from-zone untrust to-zone trust policy Dyn-Pulse-VPN match application any
set security policies from-zone untrust to-zone trust policy Dyn-Pulse-VPN then permit tunnel ipsec-vpn Dyn-Pulse-VPN
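As an added example, not from the page or from Juniper: a small Python linter that resolves the cross-references in a dynamic-VPN `set` configuration like the one above (profile, pool, user, IKE policy, gateway, VPN) and checks that the IKE gateway's external interface sits in the tunnel policy's from-zone with ike and https host-inbound traffic. The embedded sample is a constructed, abridged copy of the page's statements that keeps the two inconsistencies found in the original listing (external-interface `ereth1.0`, which is in no zone, and zone `Untrusted` versus policy zone `untrust`).

```python
import re

# Constructed sample: the page's statements (abridged) with its defects left in: "ereth1.0" and zone "Untrusted" vs. "untrust".
SAMPLE = """
set access profile Dyn-Pulse-profile client Pulse-user1 firewall-user password lab123
set access profile Dyn-Pulse-profile address-assignment pool Dyn-Pulse-pool
set access address-assignment pool Dyn-Pulse-pool family inet network 192.168.1.0/24
set security ike policy Dyn-Pulse-ike-policy proposal-set standard
set security ike gateway Dyn-Pulse-GW ike-policy Dyn-Pulse-ike-policy
set security ike gateway Dyn-Pulse-GW external-interface ereth1.0
set security ike gateway Dyn-Pulse-GW aaa access-profile Dyn-Pulse-profile
set security ipsec vpn Dyn-Pulse-VPN ike gateway Dyn-Pulse-GW
set security dynamic-vpn access-profile Dyn-Pulse-profile
set security dynamic-vpn clients all ipsec-vpn Dyn-Pulse-VPN
set security dynamic-vpn clients all user Pulse-user1
set security zone Untrusted interface ge-0/0/1.0 host-inbound-traffic system-services ike
set security zone Untrusted interface ge-0/0/1.0 host-inbound-traffic system-services https
set security policies from-zone untrust to-zone trust policy Dyn-Pulse-VPN then permit tunnel ipsec-vpn Dyn-Pulse-VPN
"""

# For each object kind: (regex capturing a defined name, regex capturing a reference to one).
KINDS = {
    "profile": (r"^set access profile (\S+)", r"access-profile (\S+)"),
    "pool": (r"^set access address-assignment pool (\S+)", r"address-assignment pool (\S+)$"),
    "user": (r"^set access profile \S+ client (\S+)", r"dynamic-vpn clients all user (\S+)"),
    "ike-policy": (r"^set security ike policy (\S+)", r"gateway \S+ ike-policy (\S+)"),
    "gateway": (r"^set security ike gateway (\S+)", r"vpn \S+ ike gateway (\S+)"),
    "vpn": (r"^set security ipsec vpn (\S+)", r"ipsec-vpn (\S+)"),
}

def names(lines, pattern):  # first capture group of every line matching pattern
    return {m.group(1) for m in map(re.compile(pattern).search, lines) if m}

def lint(config):  # returns findings; an empty list means every cross-reference resolves
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    issues = [f"undefined {kind} '{n}'" for kind, (define, refer) in KINDS.items()
              for n in sorted(names(lines, refer) - names(lines, define))]
    zone_of = {i: z for z, i in re.findall(r"^set security zone (\S+) interface (\S+)", config, re.M)}
    tunnel_zones = names(lines, r"from-zone (\S+) to-zone \S+ policy \S+ then permit tunnel")
    # The gateway's external interface must be in the tunnel policy's from-zone, which must admit ike and https inbound.
    for gw, iface in re.findall(r"^set security ike gateway (\S+) external-interface (\S+)", config, re.M):
        zone = zone_of.get(iface)
        if zone is None:
            issues.append(f"gateway '{gw}': external-interface '{iface}' is in no zone")
            continue
        svcs = names(lines, rf"zone {re.escape(zone)} interface {re.escape(iface)} .*system-services (\S+)")
        issues += [f"zone '{zone}': {s} not allowed inbound on {iface}" for s in ("ike", "https") if s not in svcs]
        if zone not in tunnel_zones:
            issues.append(f"zone '{zone}' is not the from-zone of any tunnel policy")
    return issues
```

Running `lint` on a config exported with `show configuration | display set` gives the same checks before a commit; fixing the interface alone surfaces the zone-name mismatch as the next finding.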