Remote Access VPN - CLI

Configuration Steps

- Step 1. Configure User profile and IP Address Pool
- Step 2. Configure IPSec Phase 1
- Step 3. Configure IPSec Phase 2
- Step 4. Configure Dynamic VPN Parameters
- Step 5. Configure Security Policy
- Step 6. Verifying IPSec Connection
Configuration

```
# Step 1. Configure User profile and IP Address Pool
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8

# Client profile or end-user profile: username and password + IP address pool mapping
set access profile RA-NCP-Profile client NCP-user1 firewall-user password lab123
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool

# Create the st0 interface
set interfaces st0 unit 1 family inet

# Security zone: allow IKE (IKE is not for st0)
set security zones security-zone Untrust host-inbound-traffic system-services ike
set security zones security-zone Untrust interfaces st0.1

# Step 2. Configure IKE or IPSec Phase 1
# --------------------------------
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc

set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text juniper123

# The gateway references the IKE policy (RA-NCP-IKE-Pol), not the proposal
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only

# Step 3. Configure IPSec Phase 2
# --------------------------------
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro

set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0

# Step 5. Configure Security Policy
# --------------------------------
# from-zone matches the Untrust zone that st0.1 was placed in during Step 1
set security policies from-zone Untrust to-zone Servers policy RA-NCP-Access match source-address any destination-address Server application any
set security policies from-zone Untrust to-zone Servers policy RA-NCP-Access then permit
```
Show commands

```
show security ike security-associations 10.100.10.1 detail       # Exchange type: aggressive
show security ipsec security-associations vpn-name RA-NCP-VPN    # phase 2 security association
show security ike active-peer detail                             # Peer IKE-ID used
show security ike active-peer aaa-username bob
show subscribers client-type xauth
show subscribers client-type xauth username bob <detail>
```
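An offline cross-reference check for the object names used in the configuration steps above, as an added example that is not part of the original page: it reports any `set` statement that refers to an IKE/IPsec policy, proposal, gateway, access profile or address pool that is never defined. The sample input is constructed from this page's names, and `find_dangling` is a name assumed for this example.

```python
import re

# Referencing statement -> kind of object the captured name must resolve to.
REFERENCES = [
    (r"security ike gateway \S+ ike-policy (\S+)", "ike policy"),
    (r"security ike policy \S+ proposals (\S+)", "ike proposal"),
    (r"security ike gateway \S+ aaa access-profile (\S+)", "access profile"),
    (r"security ipsec vpn \S+ ike gateway (\S+)", "ike gateway"),
    (r"security ipsec vpn \S+ ike ipsec-policy (\S+)", "ipsec policy"),
    (r"security ipsec policy \S+ proposals (\S+)", "ipsec proposal"),
    (r"access profile \S+ address-assignment pool (\S+)", "address pool"),
]
# Any statement under one of these prefixes defines the named object.
DEFINITIONS = {
    "ike policy": "security ike policy", "ike proposal": "security ike proposal",
    "ike gateway": "security ike gateway", "ipsec policy": "security ipsec policy",
    "ipsec proposal": "security ipsec proposal", "access profile": "access profile",
    "address pool": "access address-assignment pool",
}

def find_dangling(config):
    """Return (kind, name, statement) for every reference to an undefined object."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:
        for kind, prefix in DEFINITIONS.items():
            m = re.match(rf"set {prefix} (\S+) ", line)
            if m:
                defined[kind].add(m.group(1))
    return [(kind, m.group(1), line)
            for line in lines
            for pattern, kind in REFERENCES
            if (m := re.match(rf"set {pattern}$", line)) and m.group(1) not in defined[kind]]

# Constructed sample: the gateway names the IKE proposal where a policy is required.
SAMPLE = """
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pro
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
"""
for kind, name, stmt in find_dangling(SAMPLE):
    print(f"undefined {kind} '{name}': {stmt}")
```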