SRX Dynamic VPN Deployment
#Use aggressive mode. The dynamic-VPN client flow on this page pairs it with a group IKE ID; be aware that IKEv1 aggressive mode
#sends the identity in the clear and lets an on-path observer attempt offline guessing of a weak pre-shared key, so the PSK below must be long and random.
set security ike policy ike-dyn-vpn-policy mode aggressive
#"standard" is a Junos-defined proposal set; check which algorithms it expands to on your release and prefer an explicit proposal if the client supports stronger ciphers
set security ike policy ike-dyn-vpn-policy proposal-set standard
#Use pre-shared keys
#The $9$ string is reversible Junos obfuscation, not a one-way hash: anyone who can read this configuration can recover the key.
#Replace it with your own value and rotate it if this configuration has ever been shared.
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$iqP5At0RhrtpvWn"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
#The hostname is the IKE identity the remote clients present; with group-ike-id every user shares it (individual users are told apart by XAuth below)
set security ike gateway dyn-vpn-local-gw dynamic hostname trustynet.com
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
#The connection limit should not be larger than the number of installed licenses
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
#Specify the interface to listen for connections
set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
#Xauth profile determines how to authenticate the user, assign addresses and access parameters
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
#Define the IPSEC vpn
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
#Enable IKE and HTTPS on external interface for VPN termination:
#ike is needed for the tunnel and https for the client portal; ping is only for reachability testing and can be omitted if not wanted on the untrust side
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
#Local firewall users for XAuth. The $9$ passwords are reversible Junos obfuscation, so this configuration must be handled as a secret;
#for more than a handful of users an external authentication server is usually preferable to local accounts.
set access profile dyn-vpn-access-profile client test firewall-user password "$9$gFoUjk.PQ36q.1RcyKv"
set access profile dyn-vpn-access-profile client user1 firewall-user password "$9$9L2bAO1EcyKWLhcYgaZji"
#This access profile uses local authentication and address assignment by pointing to a local address pool
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
#Pool handed to clients over XAuth; the range (.10-.20) allows 11 addresses, in line with the connections-limit of 10 on the gateway
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 10.10.10.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 10.10.10.20
#DNS pushed to the client; this is a public resolver, so internal names will not resolve over the tunnel unless this points at an internal server
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
#Finally note how the access profile is used for web-auth (for the dynamic-vpn portal)
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
#This profile should be the same as the one used for xauth
set security dynamic-vpn access-profile dyn-vpn-access-profile
#Only traffic to these subnets is sent through the tunnel
set security dynamic-vpn clients all remote-protected-resources 192.168.5.0/24
set security dynamic-vpn clients all remote-protected-resources 192.168.8.0/24
#Destinations matching the exceptions will not be tunneled and will be sent out in clear text
#(0.0.0.0/0 here means split tunneling: everything except the protected resources leaves the client untunneled)
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
#Specify a list of clients, with the ipsec vpn used
#"all" is a single client configuration shared by every user listed below
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user test
set security dynamic-vpn clients all user user1
Note:
#Define an url for HTTPS J-WEB management access:
#The dynamic-VPN portal also answers on HTTPS, so J-Web gets its own path to keep the two apart
#(the trailing "." on the next line looks like punctuation from the source page; confirm the intended URL before committing)
set system services web-management management-url mgmt.
#Operational checks from configuration mode: connected IKE peers, negotiated IPsec SAs, and the users the dynamic-VPN service currently knows about
run show security ike active-peer
run show security ipsec security-associations
run show security dynamic-vpn users
1. Configure VPN tunnel:
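#Use aggressive mode. The dynamic-VPN client flow on this page pairs it with a group IKE ID; be aware that IKEv1 aggressive mode
#sends the identity in the clear and lets an on-path observer attempt offline guessing of a weak pre-shared key, so the PSK below must be long and random.
set security ike policy ike-dyn-vpn-policy mode aggressive
#"standard" is a Junos-defined proposal set; check which algorithms it expands to on your release and prefer an explicit proposal if the client supports stronger ciphers
set security ike policy ike-dyn-vpn-policy proposal-set standard
#Use pre-shared keys
#The $9$ string is reversible Junos obfuscation, not a one-way hash: anyone who can read this configuration can recover the key.
#Replace it with your own value and rotate it if this configuration has ever been shared.
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$iqP5At0RhrtpvWn"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
#The hostname is the IKE identity the remote clients present; with group-ike-id every user shares it (individual users are told apart by XAuth below)
set security ike gateway dyn-vpn-local-gw dynamic hostname trustynet.com
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
#The connection limit should not be larger than the number of installed licenses
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
#Specify the interface to listen for connections
set security ike gateway dyn-vpn-local-gw external-interface fe-0/0/0.0
#Xauth profile determines how to authenticate the user, assign addresses and access parameters
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
#Define the IPSEC vpn
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
#Enable IKE and HTTPS on external interface for VPN termination:
#ike is needed for the tunnel and https for the client portal; ping is only for reachability testing and can be omitted if not wanted on the untrust side
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping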
2. Configure the authentication and IP address assignment parameters
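#This access profile has the following clients
#Local firewall users for XAuth. The $9$ passwords are reversible Junos obfuscation, so this configuration must be handled as a secret;
#for more than a handful of users an external authentication server is usually preferable to local accounts.
set access profile dyn-vpn-access-profile client test firewall-user password "$9$gFoUjk.PQ36q.1RcyKv"
set access profile dyn-vpn-access-profile client user1 firewall-user password "$9$9L2bAO1EcyKWLhcYgaZji"
#This access profile uses local authentication and address assignment by pointing to a local address pool
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
#Pool handed to clients over XAuth; the range (.10-.20) allows 11 addresses, in line with the connections-limit of 10 on the gateway
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 10.10.10.10
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range high 10.10.10.20
#DNS pushed to the client; this is a public resolver, so internal names will not resolve over the tunnel unless this points at an internal server
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8/32
#Finally note how the access profile is used for web-auth (for the dynamic-vpn portal)
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile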
3. Associate VPN users with the dynamic-VPN configuration
#Specify the authentication profile used for the dyn-vpn portal
#This profile should be the same as the one used for xauth
set security dynamic-vpn access-profile dyn-vpn-access-profile
#Only traffic to these subnets is sent through the tunnel
set security dynamic-vpn clients all remote-protected-resources 192.168.5.0/24
set security dynamic-vpn clients all remote-protected-resources 192.168.8.0/24
#Destinations matching the exceptions will not be tunneled and will be sent out in clear text
#(0.0.0.0/0 here means split tunneling: everything except the protected resources leaves the client untunneled)
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
#Specify a list of clients, with the ipsec vpn used
#"all" is a single client configuration shared by every user listed below
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user test
set security dynamic-vpn clients all user user1
Note:
#Define an url for HTTPS J-WEB management access:
#The dynamic-VPN portal also answers on HTTPS, so J-Web gets its own path to keep the two apart
#(the trailing "." on the next line looks like punctuation from the source page; confirm the intended URL before committing)
set system services web-management management-url mgmt.
Troubleshooting:
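#Operational checks from configuration mode: phase-1 SAs, connected IKE peers, negotiated IPsec SAs, and the users the dynamic-VPN service currently knows about
run show security ike security-associations
run show security ike active-peer
run show security ipsec security-associations
run show security dynamic-vpn users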