Juniper Dynamic Web VPN for SRX platforms

I had a customer who wanted VPN access to their remote office.  They have an SRX210, the lower-end SRX platform.  He wanted a classic client-VPN setup similar to an ASA with AnyConnect Essentials (which I am not a fan of).  I had never set this up before; without the power of Google, I would never have known about this.

The SRX includes a feature called Dynamic VPN.  A user browses over HTTPS to the outside (untrust) interface of the SRX and is presented with a login prompt, which is authenticated against an access profile on the box.

Once the user has logged in, the SRX offers a client download, similar to Juniper's SSL VPN client.  Once the client is installed, it brings up an IPsec tunnel (IKE aggressive mode with a shared pre-shared key, plus XAuth for the per-user login) and creates a virtual interface on the PC, with an address from a pool on the SRX, giving access to the protected remote subnet.

This is an interesting feature that not a lot of people know about, including myself until last week.  It is like a watered-down version of their SSL VPN, which I am a huge fan of.  The SRX210 I was using allows only 2 users on at one time with the included license; otherwise additional licenses have to be bought.  I could not find anywhere within the SRX that allows remote authentication via RADIUS or Active Directory.  Since it is completely free as it is, it's a feature worth checking out.  Here is my config, at least as much as I can paste!  I did everything from the CLI.  Reading through the configuration, it looks even easier to go web-based for this setup.  After my config is a link to Juniper's KB article about Dynamic VPN.

    security {
        ike {
            policy ike_pol_wizard_dyn_vpn {
                mode aggressive;
                proposal-set compatible;
                pre-shared-key ascii-text "$9$yZYlv87-b2oZ"; ## SECRET-DATA
            }
            gateway gw_wizard_dyn_vpn {
                ike-policy ike_pol_wizard_dyn_vpn;
                dynamic {
                    hostname iss-fw;
                    connections-limit 50;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/0.0;
                xauth access-profile remote_access_profile;
            }
        }
        ipsec {
            ## policy ipsec_pol_wizard_dyn_vpn is referenced below but was not pasted
            vpn wizard_dyn_vpn {
                ike {
                    gateway gw_wizard_dyn_vpn;
                    ipsec-policy ipsec_pol_wizard_dyn_vpn;
                }
            }
        }
        policies {
            ## the from-zone/to-zone wrapper around this policy was not pasted
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                }
            }
        }
        dynamic-vpn {
            access-profile remote_access_profile;
            clients {
                wizard-dyn-group {
                    remote-protected-resources {
                        10.10.150.0/24;
                    }
                    ipsec-vpn wizard_dyn_vpn;
                    user {
                        dan.test;
                        ## any further users were not pasted
                    }
                }
            }
        }
    }
    access {
        profile remote_access_profile {
            client Amcoy {
                firewall-user {
                    password "aaahhh"; ## SECRET-DATA
                }
            }
            client test.user {
                firewall-user {
                    password "blaaaahhh"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.10.150.0/24;
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }
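For reference, here is an added example (not the post's own config) of the same Dynamic VPN setup written out end to end in "set" form, including the pieces the paste above does not show: the host-inbound-traffic on the untrust interface that the browser login and IKE need, the web-management service, the phase-2 policy, and the zone context of the tunnel policy.  It assumes zones named untrust and trust, fe-0/0/0.0 as the outside interface, an office LAN of 192.168.1.0/24, and placeholders for the secrets.  It also departs from the wizard output in three places a practitioner would want to tighten: the IKE/IPsec proposal set is standard (AES-128 or 3DES with SHA-1) rather than compatible (DES/3DES with MD5/SHA-1), the tunnel policy is scoped to pool-to-LAN instead of any/any, and the address pool is a prefix of its own rather than the same prefix as the protected resource (the paste uses 10.10.150.0/24 for both; if that is also the office LAN, the pool overlaps it).  Because Dynamic VPN uses aggressive mode with one group pre-shared key shared by every client, and aggressive mode exposes a hash of that key to an offline guess by anyone who can talk to the outside interface, the PSK should be long and random; the XAuth password is the only per-user factor.  Whether a given client version negotiates the standard set should be confirmed before rolling it out.  The `##` lines are annotations for the reader, not configuration.

```junos
## Added example, not the post's config. Assumed: zones untrust/trust,
## outside interface fe-0/0/0.0, LAN 192.168.1.0/24, placeholder secrets.

## Outside interface must accept the client's HTTPS login and IKE (UDP 500/4500)
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set system services web-management https system-generated-certificate

## Phase 1: Dynamic VPN requires aggressive mode + PSK + XAuth. The PSK is shared
## by all clients and leaks a crackable hash in aggressive mode, so make it random.
set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "<long-random-group-secret>"
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname iss-fw
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 2
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface fe-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile

## Phase 2 (stand-in for the ipsec_pol_wizard_dyn_vpn that was not pasted)
set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn

## Address-book entries so the tunnel policy can be scoped instead of any/any
set security zones security-zone trust address-book address lan-net 192.168.1.0/24
set security zones security-zone untrust address-book address vpn-pool 10.10.150.0/24

## Tunnel policy: only pool addresses, only to the LAN
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address vpn-pool
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address lan-net
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

## Dynamic VPN: which users get this tunnel and which prefixes are pushed to them
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group user dan.test

## XAuth users and the pool they are assigned from (a prefix separate from the LAN)
set access profile remote_access_profile client dan.test firewall-user password "<per-user-secret>"
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.150.0/24
set access firewall-authentication web-authentication default-profile remote_access_profile
```

Every user who should be able to log in needs both an entry under the access profile (the XAuth credential) and a line under the dynamic-vpn client group (which tunnel and which protected prefixes the client is handed); a user present in only one of the two places will either fail the login or get a client with nothing to route.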

http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf
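Once the configuration is committed and a client has connected, these operational-mode commands (an added example, not from the post or the KB article) are the checks to run on the SRX, in the order the connection is built: the HTTPS login, the phase-1 IKE SA, the phase-2 IPsec SAs, and the Dynamic VPN user table.  The zone name untrust is assumed.

```junos
## Added example: verifying a Dynamic VPN connection from the SRX CLI.

## The login page is only reachable if https and ike are host-inbound on the
## outside interface and web-management is enabled
show security zones untrust
show configuration system services web-management

## Phase 1: one SA per connected client, state UP, remote address = the client's public IP
show security ike security-associations
show security ike security-associations detail

## Phase 2: an inbound/outbound SA pair per client; packet counters should climb as traffic flows
show security ipsec security-associations
show security ipsec statistics

## Dynamic VPN view: logged-in users with their assigned pool address, and the
## client package the SRX is serving; license usage shows how many of the
## concurrent-user seats are consumed
show security dynamic-vpn users
show security dynamic-vpn client version
show system license usage
```

If the user can log in to the portal but no IKE SA ever appears, the usual cause is that UDP 500/4500 is blocked between the client and the outside interface, or that the client's login name is not listed under the dynamic-vpn client group.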

Comments

  • Celinda  On April 16, 2013 at 12:29 pm

    Hi, are you using WordPress for your blog platform?
    I’m new to the blog world but I’m trying to get started and create
    my own. Do you require any coding expertise to make your own blog?
    Any help would be greatly appreciated!
