Category Archives: Juniper

Juniper Dynamic Web VPN for SRX platforms

I had a customer who wanted VPN access to their remote office.  They have an SRX210, the lower-end SRX platform.  He wanted to use a classic type of client VPN, similar to an ASA with AnyConnect Essentials (which I am not a fan of).  I had never set this up before; without the power of Google, I would never have known about this.

So the SRX includes this beautiful feature called a Dynamic VPN.  A user connects with their web browser to an outside (untrust) interface.  The prompt will look like the following.

Once the user is logged in, the SRX will instruct the user to download a client similar to Juniper's SSL VPN client.  Once the file is downloaded it will create an interface on the PC allowing access to that remote subnet.

This is an interesting feature that not a whole lot of people knew about, including myself until last week.  It is like a watered-down version of their SSL VPN, which I am a huge fan of.  The SRX210 I was using will allow only 2 users on at one given time with the included license; otherwise additional licenses will have to be bought.  I could not find anywhere within the SRX that will allow remote authentication via RADIUS or Active Directory.  Very interesting; as it is completely free as it is, it's a feature worth checking out.  Here is my config, at least as much as I can paste!  I did everything from the CLI.  Reading through the configuration it looks even easier to go web-based for this setup.  After my config is a link to Juniper's KB article about Dynamic VPN.

    policy ike_pol_wizard_dyn_vpn {
        mode aggressive;
        proposal-set compatible;
        pre-shared-key ascii-text "$9$yZYlv87-b2oZ"; ## SECRET-DATA
    }

    gateway gw_wizard_dyn_vpn {
        ike-policy ike_pol_wizard_dyn_vpn;
        dynamic {
            hostname iss-fw;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface fe-0/0/0.0;
        xauth access-profile remote_access_profile;
    }

    vpn wizard_dyn_vpn {
        ike {
            gateway gw_wizard_dyn_vpn;
            ipsec-policy ipsec_pol_wizard_dyn_vpn;
        }
    }

    policy policy_in_wizard_dyn_vpn {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn wizard_dyn_vpn;
                }
            }
        }
    }

    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                remote-protected-resources {
                    10.10.150.0/24;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    dan.test;
                }
            }
        }
    }

    access {
        profile remote_access_profile {
            client Amcoy {
                firewall-user {
                    password "aaahhh"; ## SECRET-DATA
                }
            }
            client test.user {
                firewall-user {
                    password "blaaaahhh"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 10.10.150.0/24;
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile remote_access_profile;
            }
        }
    }

http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf
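The fragments above sit, in order, under the `security ike`, `security ipsec`, `security policies` (the from-zone/to-zone wrapper is not in the paste), `security dynamic-vpn` and `access` hierarchies, and each one points at the next by name: the gateway at its IKE policy and xauth access profile, the VPN at its gateway and IPsec policy, the client group at its VPN and user list, the access profile at its address pool. A name that does not line up leaves a client that cannot connect, and it is easy to miss when reviewing a pasted config away from the box. The checker below is an added example, not code from this post or from Juniper: it parses the brace output of `show configuration` into a tree and reports every reference between those pieces that resolves to nothing. The sample configuration embedded in it is constructed in the shape of the post's config; the hostname, pre-shared key and password strings are placeholders rather than values from the post.

```python
"""Cross-reference checker for an SRX Dynamic VPN configuration. Added example, not
code from the post or from Juniper: parses the brace syntax `show configuration`
prints ('## ...' annotations dropped, '/* */' comments not handled) and reports
references between the Dynamic VPN pieces that resolve to nothing."""
import re
def parse_junos(text):
    """Junos brace syntax -> nested dicts (block -> dict, leaf statement -> None)."""
    text = re.sub(r"##[^\n]*", "", text)             # drop '## SECRET-DATA' annotations
    root, words = {}, []
    stack = [root]
    for tok in re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text):
        if tok == "{":                                # the words so far name a block
            stack[-1][" ".join(words)] = block = {}
            stack.append(block)
            words = []
        elif tok == ";":                              # the words so far form a leaf
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("malformed configuration")
    return root

def get(node, *path):
    """Descend through nested blocks; None if any step is missing."""
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node

def names(block, keyword):
    """Identifiers of children declared as '<keyword> <name>'."""
    return {k.split()[1] for k in (block or {}) if k.startswith(keyword + " ")}

def leaf_arg(block, prefix):
    """Argument of the leaf '<prefix> <arg>;' in block, or None if absent."""
    return next((k[len(prefix) + 1:] for k in (block or {}) if k.startswith(prefix + " ")), None)

def check_dynamic_vpn(tree):
    """Return dangling-reference findings; an empty list means the config is consistent."""
    access, dyn = get(tree, "access") or {}, get(tree, "security", "dynamic-vpn") or {}
    ike, ipsec = get(tree, "security", "ike") or {}, get(tree, "security", "ipsec") or {}
    ike_pols, gateways = names(ike, "policy"), names(ike, "gateway")
    ipsec_pols, vpns = names(ipsec, "policy"), names(ipsec, "vpn")
    profiles, pools = names(access, "profile"), names(get(access, "address-assignment"), "pool")
    out = []
    for g in gateways:                                # IKE gateway -> IKE policy, xauth profile
        gw = ike[f"gateway {g}"]
        if leaf_arg(gw, "ike-policy") not in ike_pols:
            out.append(f"gateway {g}: ike-policy not defined")
        if leaf_arg(gw, "xauth access-profile") not in profiles:
            out.append(f"gateway {g}: xauth access-profile not defined")
    for v in vpns:                                    # IPsec VPN -> gateway, IPsec policy
        vi = get(ipsec, f"vpn {v}", "ike")
        if leaf_arg(vi, "gateway") not in gateways:
            out.append(f"vpn {v}: ike gateway not defined")
        if leaf_arg(vi, "ipsec-policy") not in ipsec_pols:
            out.append(f"vpn {v}: ipsec-policy not defined")
    for p in profiles:                                # access profile -> client address pool
        pool = leaf_arg(get(access, f"profile {p}", "address-assignment"), "pool")
        if pool not in pools:
            out.append(f"profile {p}: address pool {pool} not defined")
    prof = leaf_arg(dyn, "access-profile")            # dynamic-vpn -> profile; groups -> VPN, users
    if prof not in profiles:
        out.append("dynamic-vpn: access-profile not defined")
    users = names(get(access, f"profile {prof}"), "client")
    for group, cfg in (get(dyn, "clients") or {}).items():
        if leaf_arg(cfg, "ipsec-vpn") not in vpns:
            out.append(f"client group {group}: ipsec-vpn not defined")
        out += [f"client group {group}: user {u} is not a client of profile {prof}"
                for u in get(cfg, "user") or {} if u not in users]
    return out

# Constructed sample in the shape of the post's config; the hostname and the
# key/password strings are placeholders, not values from the post.
SAMPLE_CONFIG = """
security {
    ike { policy ike_pol_wizard_dyn_vpn { mode aggressive; proposal-set compatible;
              pre-shared-key ascii-text "PLACEHOLDER"; } ## SECRET-DATA
          gateway gw_wizard_dyn_vpn { ike-policy ike_pol_wizard_dyn_vpn;
              dynamic { hostname example-fw; ike-user-type group-ike-id; }
              external-interface fe-0/0/0.0; xauth access-profile remote_access_profile; } }
    ipsec { policy ipsec_pol_wizard_dyn_vpn { proposal-set compatible; }
            vpn wizard_dyn_vpn { ike { gateway gw_wizard_dyn_vpn; ipsec-policy ipsec_pol_wizard_dyn_vpn; } } }
    dynamic-vpn { access-profile remote_access_profile;
        clients { wizard-dyn-group { remote-protected-resources { 10.10.150.0/24; }
                  ipsec-vpn wizard_dyn_vpn; user { test.user; } } } }
}
access {
    profile remote_access_profile { client test.user { firewall-user { password "PLACEHOLDER"; } } ## SECRET-DATA
        address-assignment { pool dyn-vpn-address-pool; } }
    address-assignment { pool dyn-vpn-address-pool { family inet { network 10.10.150.0/24; } } }
}
"""
if __name__ == "__main__":
    print(check_dynamic_vpn(parse_junos(SAMPLE_CONFIG)) or "no dangling references")
```

Run it directly to check the embedded sample, or pass the text of `show configuration` from an SRX to `parse_junos` and hand the tree to `check_dynamic_vpn`. Listing a user under the client group who is not a `client` of the access profile, or renaming the pool definition so the profile's `pool` reference no longer matches, each produces exactly one finding; the device's own commit checks are the authority, this is for reading a config offline.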

Passed JNCIA-JUNOS!

I have been lacking some blog posts here… actually working in the networking field is hard enough.  I went on vacation 3 weeks ago; I wish I could go back.  Long story short, I found a Craigslist ad for a guy who wanted to get rid of some old network books for free, so of course I went there to pick up some really old stuff; it's amazing how things change.  When I went to pick up the books from the guy he had the following book…

I took this book on vacation and read it a good 3-4 hours a day.  Talking with a co-worker, he told me he had passed the test and it was rather easy.  This book was published in 2002?  The book mainly dealt with M series routers, which we still use, so I knew a good amount of what was already in the book.  I learned a lot of things I did not know about Juniper architecture.

After reading the book, I spent time on Juniper's Fast Track site, which has all the tools needed to pass this exam… their Fast Track site is far superior to Cisco's documentation.

I spent a while virtualizing a Juniper router at home within VMware Workstation, which can be found here: http://ahsantasneem.blogspot.com/2010/08/howto-juniper-olive-using-vmware.html  I would make sure to load an older version first, then upgrade.  Also, another mistake I made was doing this in Linux.  I could not get the virtual serial port to work properly, so I moved it to one of my Unix boxes.  But it was interesting: since I put it on my management network I was able to use it with my Dynamips box!

Juniper's test engine is a little slow but it works better than Cisco's legacy crap.  The test passing score is only 66%.

If I were to do it again I would:

- Read Juniper Networks Routers
- Virtualize
- Read Juniper's Fast Track site for JN0-101
- Practice exams on Juniper's site!