Remote access IPsec Configuration


0- Installing vSRX and SRX

VMware DHCP service and vmnetcfg.exe tool



Remote Access VPN - CLI

Link to YouTube Video
NCP-e client

https://www.ncp-e.com/en/login/exclusive-remote-access/

  • ZIP file
  • and EXE (or unpack the ZIP)
Configuration Steps



Step 1. Configure User access profile and IP Address Pool

Step 2. Configure IPSec Phase 1

Step 3. Configure IPSec Phase 2

Step 4. Configure Dynamic VPN Parameters

Step 5. Configure Security Policy

Step 6. Verifying IPSec Connection






Configuration
# Step 1. Configure User access profile and IP Address Pool
# ----------------------------------------------------------

# IP Address Pool
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8

# Client access profile (end-user access profile): username and password + IP pool mapping
set access profile RA-NCP-Profile client NCP-user1 firewall-user password lab123
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool

# Create the secure tunnel interface st0.1
set interfaces st0 unit 1 family inet

# Security zone: allow inbound IKE on the external interface (st0.1 itself does not need IKE).
# st0.1 could also be placed in a separate VPN zone.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/2.0



# Step 2. Configure IKE or IPSec Phase 1
# --------------------------------

# Proposal
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc

# Policy
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text juniper123

# Gateway 
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only
 

# Step 3. Configure IPSec Phase 2
# --------------------------------

# Proposal
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm

# Policy (a custom proposal is referenced with "proposals"; "proposal-set" only takes the predefined sets)
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro

# Step 4. Configure Dynamic VPN Parameters
# ----------------------------------------

# vpn
set security ipsec vpn RA-NCP-VPN bind-interface st0.1 
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0

# Step 5. Configure Security Policy
# ---------------------------------

# address book "Server" holds the address "lubuntu"; the policy matches the address name,
# and the book must be attached to the destination zone
set security address-book Server address lubuntu 10.0.2.3/32
set security address-book Server attach zone servers
set security zones security-zone servers
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any destination-address lubuntu application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit



 

Enable policy from untrust to trust

Security policy
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match destination-address any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit
set security policies from-zone untrust to-zone trust policy Allow_all match source-address any
set security policies from-zone untrust to-zone trust policy Allow_all match destination-address any
set security policies from-zone untrust to-zone trust policy Allow_all match application any
set security policies from-zone untrust to-zone trust policy Allow_all then permit
set security policies from-zone untrust to-zone trust policy Allow_all then log session-init
set security policies from-zone untrust to-zone trust policy Allow_all then log session-close

On lubuntu

1- Enable SSH: lubuntu 20 live ssh and root remote access

2- Add a static route back to the Windows client (ip route / static route):

                     sudo ip route add 192.168.100.0/24 via 10.0.2.2 dev ens38


Route table after adding the route:
lubuntu@lubuntu:~$ ip route
default via 192.168.235.2 dev ens33 proto dhcp metric 102
10.0.2.0/24 dev ens38 proto kernel scope link src 10.0.2.3 metric 101
192.168.100.0/24 via 10.0.2.2 dev ens38
192.168.235.0/24 dev ens33 proto kernel scope link src 192.168.235.129 metric 102



Full config of the vSRX (starting from the default config of the vSRX):
root@vsrx1> show configuration | display set
set version 20.3R1.8
set system host-name vsrx1
set system root-authentication encrypted-password "$6$odFzKsnx$Adik5fz/.7Yhg7OxltL10BKzvIog8inZ/JNRFozmIehDnlac1z600.9PCO4/uFIfoecOBUAzWljZttW4pPZjZ."
set system services ssh root-login allow
set system services netconf ssh
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security log mode stream
set security log format syslog
set security log report
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text "$9$D3H.5n/tIEyQFEylKx7jHqmQF69A01R"
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS remote-ip 0.0.0.0/0
set security address-book ServerBook address lubuntu1 10.0.2.3/32
set security address-book ServerBook address lubuntu2 10.0.2.4/32
set security address-book ServerBook address-set lubuntuAS address lubuntu1
set security address-book ServerBook address-set lubuntuAS address lubuntu2
set security address-book ServerBook attach zone trust
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match destination-address any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit
set security policies from-zone untrust to-zone trust policy Allow_all match source-address any
set security policies from-zone untrust to-zone trust policy Allow_all match destination-address lubuntuAS
set security policies from-zone untrust to-zone trust policy Allow_all match application any
set security policies from-zone untrust to-zone trust policy Allow_all then permit
set security policies from-zone untrust to-zone trust policy Allow_all then log session-init
set security policies from-zone untrust to-zone trust policy Allow_all then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces st0.1
set security zones security-zone servers
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.3.2/24
set interfaces fxp0 unit 0 family inet dhcp
set interfaces st0 unit 1 family inet
set access profile RA-NCP-Profile client NCP-user1 firewall-user password "$9$g34ZjHkPTQnjiApB1hc"
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8/32
set routing-instances ri-ge3 interface ge-0/0/3.0
set routing-instances ri-ge3 instance-type virtual-router
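As an added example (not part of these lab notes and not a Juniper tool), a small Python audit over a `show configuration | display set` dump like the one above: it flags the settings in this lab that a defender would tighten before using the design outside a lab (aggressive mode with PSK, shared IKE ID, system-services all on untrust, any/any/any permit from the VPN-facing zone). The sample lines are constructed from the page's full config; the check names and messages are my own.

```python
"""Audit a Junos 'show configuration | display set' dump for remote-access IPsec hygiene."""
import re

# Constructed sample: a subset of the vSRX 'display set' output shown on this page.
SAMPLE_CONFIG = """\
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security policies from-zone untrust to-zone trust policy Allow_all match source-address any
set security policies from-zone untrust to-zone trust policy Allow_all match destination-address any
set security policies from-zone untrust to-zone trust policy Allow_all match application any
set security policies from-zone untrust to-zone trust policy Allow_all then permit
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
INBOUND_ALL_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$")
WIDE_OPEN = {"match source-address any", "match destination-address any", "match application any", "then permit"}

def audit(config: str) -> list[str]:
    """Return one finding per weak setting in the 'display set' text (empty list = clean)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip().startswith("set ")]
    findings = []
    # IKEv1 aggressive mode sends the identity and the PSK-derived hash unencrypted, so the PSK
    # can be attacked offline. Simplification: does not resolve which proposal a policy references.
    aggressive = any(" ike policy " in ln and ln.endswith(" mode aggressive") for ln in lines)
    psk = any(" ike proposal " in ln and ln.endswith(" pre-shared-keys") for ln in lines)
    if aggressive and psk:
        findings.append("IKEv1 aggressive mode with pre-shared keys: prefer main mode or IKEv2")
    # shared-ike-id: every remote user presents the same IKE ID and group PSK, so the XAuth
    # (firewall-user) password is the only per-user secret.
    if any(ln.endswith(" ike-user-type shared-ike-id") for ln in lines):
        findings.append("shared-ike-id gateway: the XAuth password is the only per-user secret")
    # system-services all on the Internet-facing zone exposes the management plane, not just IKE.
    for m in filter(None, map(INBOUND_ALL_RE.match, lines)):
        findings.append(f"zone {m.group(1)}: host-inbound-traffic system-services all (allow only ike)")
    # A policy from the VPN-facing zone that permits any/any/any hands remote users the whole
    # destination zone; match the address pool (192.168.100.0/24 here) and named applications.
    policies = {}
    for m in filter(None, map(POLICY_RE.match, lines)):
        policies.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
    for (src, dst, name), terms in policies.items():
        if src == "untrust" and WIDE_OPEN <= terms:
            findings.append(f"policy {name} ({src} -> {dst}) permits any/any/any")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Feed it the real dump (`show configuration | display set | no-more` pasted into a file) and review each finding against what the lab actually needs exposed.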

NCP-e Client setup

Create a new connection:

Configuration > Profile: Add > name = RA-NCP-LB (LB for Learning Byte)


Communication Medium: LAN (over IP)

GW / tunnel endpoint: 10.0.3.2

No certificate for authentication

VPN user ID: NCP-user1 / lab123


PFS group: group19

Local ID (IKE): user@LB.net


Edit Profile

IPsec general settings:

Exchange mode: aggressive (behind NAT modem)

IKE Policy: PSK

IKEv2 DH Group: DH19

PFS Group: DH19 (prime256v1)


Identities:

Pre-shared key: secret: juniper123


Show commands

show security ike security-associations 10.100.10.1 detail

        Exchange type: aggressive
        Local IP / Remote IP
        Remote Access Client Info: Exclusive Client (from NCP-e)
        Peer ike-id: user@LB.net

show security ipsec security-associations vpn-name RA-NCP-VPN

        Phase 2 security association

show security ike active-peer detail

        Peer IKE-ID used
        Assigned network attributes (IP address, netmask, DNS, ...)


show security ike active-peer aaa-username bob


show subscribers client-type xauth

show subscribers client-type xauth username bob detail