SRX dial-up VPN (NCP client)
[Topology figure: NCP IPsec client (Windows XP SP3 Japanese Ed., .100) and Windows 2003 server (.216) on 172.27.24.0/24, via a hub and an L3 switch (.254 on each side), to SRX100 fe-0/0/0 (100.100.100.1 on 100.100.100.0/24, policy-based VPN); SRX100 vlan.0 is 192.168.1.1 on 192.168.1.0/24]

Test devices
- SRX100, JUNOS 10.2
- Client: Windows XP SP3 Japanese Edition, NCP client Ver. 9.20 Build 33
- Client: Windows 7 Ultimate Japanese Edition, NCP client Ver. 9.20 Build 33

Copyright 2010 Juniper Networks, Inc. www.juniper.net
PRE-SHARED KEY: SRX IKE Phase 1 / Phase 2 / XAuth parameters

| Phase | Settings |
| --- | --- |
| IKE Phase 1 | Aggressive mode, pre-shared key, DH group 2, AES-128, SHA-1 |
| IKE Phase 2 | ESP, AES-128, SHA-1, PFS with DH group 2 |
| XAuth | RADIUS |

Aggressive mode is required here because a dial-up peer with a dynamic address must be identified by its IKE ID before the pre-shared key can be selected. The cost is that aggressive mode sends the identity and the PSK-derived authentication hash unencrypted, so anyone who captures the exchange can run an offline dictionary attack against the PSK; XAuth adds a per-user credential on top but does not protect the PSK itself. Certificate authentication (see the backup slide) avoids this.
SRX IKE Phase 1 / Phase 2 configuration (pre-shared key)

ike {
    proposal pre-g2-aes128-sha {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ike_policy {
        mode aggressive;
        proposals pre-g2-aes128-sha;
        pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."; ## SECRET-DATA
    }
    gateway NCP_p1 {
        ike-policy NCP_ike_policy;
        dynamic {
            user-at-hostname "user01@juniper.local";
        }
        dead-peer-detection;
        external-interface fe-0/0/0.0;
        xauth access-profile radius-auth;
    }
}
ipsec {
    proposal g2-esp-aes128-sha {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy NCP_ipsec_policy {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals g2-esp-aes128-sha;
    }
    vpn NCP_p2 {
        ike {
            gateway NCP_p1;
            ipsec-policy NCP_ipsec_policy;
        }
    }
}
SRX security policy and XAuth (RADIUS) configuration (pre-shared key)

policies {
    from-zone untrust to-zone trust {
        policy NCP_IPSec {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn NCP_p2;
                    }
                }
                log {
                    session-init;
                }
            }
        }
    }
}
access {
    profile radius-auth {
        authentication-order radius;
        radius-server {
            172.27.24.201 {
                secret "$9$V.sgJikP36AGD6Ap0hcbs2"; ## SECRET-DATA
                source-address 100.100.100.1;
            }
        }
    }
}
SRX full configuration (pre-shared key)

[edit]
root@srx100-vpn# show | display set | no-more
set version 10.2B3.3
set system host-name SRX100-vpn
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "$1$xDjciVll$zJ38YGxJgNRtlsS77Wdko1"
set system name-server 172.27.24.201
"$1$AVWl7szn$EtuXUTHqnLgb1JKK1j/Ob1"
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/0 unit 0 family inet address 100.100.100.1/24
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 100.100.100.254
set protocols stp
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike policy NCP_ike_policy pre-shared-key ascii-text "$9$jbkmT69pRhrz3hrev7Nik."
set security ike gateway NCP_p1 ike-policy NCP_ike_policy
set security ike gateway NCP_p1 dynamic user-at-hostname "user01@juniper.local"
set security ike gateway NCP_p1 dead-peer-detection
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec proposal g2-esp-aes128-sha protocol esp
set security ipsec proposal g2-esp-aes128-sha authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-aes128-sha encryption-algorithm aes-128-cbc
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy NCP_ipsec_policy proposals g2-esp-aes128-sha
set security ipsec vpn NCP_p2 ike gateway NCP_p1
set security ipsec vpn NCP_p2 ike ipsec-policy NCP_ipsec_policy
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust address-book address 172.27.24.216 32.0.0.0/32
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match application any
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
set security policies from-zone untrust to-zone trust policy NCP_IPSec then log session-init
set access profile radius-auth authentication-order radius
set access profile radius-auth radius-server 172.27.24.201 secret "$9$V.sgJikP36AGD6Ap0hcbs2"
set access profile radius-auth radius-server 172.27.24.201 source-address 100.100.100.1
set vlans vlan-trust vlan-id 2
set vlans vlan-trust l3-interface vlan.0

Two lines in this configuration deserve a second look before it goes on a real Internet-facing box: "host-inbound-traffic system-services all" on the untrust zone exposes every management service (including telnet and plain HTTP, which are both enabled here) on fe-0/0/0.0, when only ike is needed for the VPN; and the NCP_IPSec tunnel policy matches any/any, so every authenticated client can reach every trust-zone host.
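As an added example (not part of the Juniper slides), the following Python script parses "show | display set" output like the configuration above and flags the settings a reviewer would question: aggressive mode with a pre-shared key, cleartext management services, "host-inbound-traffic system-services all" on the zone holding the IKE gateway's external interface, a tunnel policy matching any/any, a gateway without XAuth, and an IPsec policy without PFS. The weak sample is constructed from the page's own configuration; the hardened sample, its certificate-based proposal cert-g2-aes128-sha (rsa-signatures, main mode, following the backup slide's certificate approach) and the address-book names vpn-clients and lan-192.168.1.0 are assumptions.

```python
# Added example, not from the Juniper slides: lint SRX "display set" output for
# the weak settings in the dial-up VPN configuration above.

# Constructed from the page's configuration (weak settings retained).
WEAK_CONFIG = """\
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike policy NCP_ike_policy mode aggressive
set security ike policy NCP_ike_policy proposals pre-g2-aes128-sha
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address any
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
"""

# Hypothetical hardened variant: certificate auth in main mode, ike only on
# untrust, https instead of http/telnet, tunnel policy scoped to address-book
# entries (names cert-g2-aes128-sha, vpn-clients, lan-192.168.1.0 are assumed).
HARDENED_CONFIG = """\
set system services ssh
set system services web-management https system-generated-certificate
set security ike proposal cert-g2-aes128-sha authentication-method rsa-signatures
set security ike policy NCP_ike_policy mode main
set security ike policy NCP_ike_policy proposals cert-g2-aes128-sha
set security ike gateway NCP_p1 external-interface fe-0/0/0.0
set security ike gateway NCP_p1 xauth access-profile radius-auth
set security ipsec policy NCP_ipsec_policy perfect-forward-secrecy keys group2
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone untrust to-zone trust policy NCP_IPSec match source-address vpn-clients
set security policies from-zone untrust to-zone trust policy NCP_IPSec match destination-address lan-192.168.1.0
set security policies from-zone untrust to-zone trust policy NCP_IPSec then permit tunnel ipsec-vpn NCP_p2
"""


def parse_set_lines(text):
    """Split 'display set' output into token lists, dropping the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _after(stmts, prefix):
    """Tokens that follow `prefix` in every statement starting with it."""
    n = len(prefix)
    return [s[n:] for s in stmts if s[:n] == prefix]


def lint(text):
    """Return a list of finding strings for one 'display set' configuration."""
    stmts = parse_set_lines(text)
    findings = []
    # Cleartext management services on the firewall itself.
    if _after(stmts, ["system", "services", "telnet"]):
        findings.append("CLEARTEXT-MGMT: telnet")
    if _after(stmts, ["system", "services", "web-management", "http"]):
        findings.append("CLEARTEXT-MGMT: web-management http")
    # Aggressive mode + PSK: the identity hash travels unencrypted, so a captured
    # exchange allows an offline dictionary attack on the pre-shared key.
    psk = {s[0] for s in _after(stmts, ["security", "ike", "proposal"])
           if s[1:3] == ["authentication-method", "pre-shared-keys"]}
    for s in _after(stmts, ["security", "ike", "policy"]):
        if s[1:3] == ["mode", "aggressive"]:
            props = {p[0] for p in _after(stmts, ["security", "ike", "policy", s[0], "proposals"])}
            if props & psk:
                findings.append(f"IKE-AGGRESSIVE-PSK: policy {s[0]}")
    # Per gateway: XAuth must be present, and the zone holding the external
    # interface must not open every host-inbound service to the Internet.
    for gw in sorted({s[0] for s in _after(stmts, ["security", "ike", "gateway"])}):
        base = ["security", "ike", "gateway", gw]
        if not _after(stmts, base + ["xauth", "access-profile"]):
            findings.append(f"NO-XAUTH: gateway {gw}")
        for (ifc,) in _after(stmts, base + ["external-interface"]):
            zones = {s[0] for s in _after(stmts, ["security", "zones", "security-zone"])
                     if s[1:3] == ["interfaces", ifc]}
            for zone in sorted(zones):
                if _after(stmts, ["security", "zones", "security-zone", zone,
                                  "host-inbound-traffic", "system-services", "all"]):
                    findings.append(f"INBOUND-ALL: zone {zone}")
    # Phase 2 without PFS derives every SA from the Phase 1 secret alone.
    for pol in sorted({s[0] for s in _after(stmts, ["security", "ipsec", "policy"])}):
        if not _after(stmts, ["security", "ipsec", "policy", pol, "perfect-forward-secrecy"]):
            findings.append(f"NO-PFS: ipsec policy {pol}")
    # A tunnel policy matching any/any lets every authenticated client reach everything.
    for s in _after(stmts, ["security", "policies"]):
        if s[6:9] == ["then", "permit", "tunnel"]:  # from-zone U to-zone T policy NAME then permit tunnel ...
            base = ["security", "policies"] + s[:6]
            if (_after(stmts, base + ["match", "source-address"]) == [["any"]]
                    and _after(stmts, base + ["match", "destination-address"]) == [["any"]]):
                findings.append(f"TUNNEL-POLICY-ANY: {s[5]}")
    return findings


if __name__ == "__main__":
    for finding in lint(WEAK_CONFIG):
        print(finding)
```

Run it against a real "show | display set | no-more" capture by replacing WEAK_CONFIG with the file contents; the checks are keyed on statement prefixes, so zone, gateway and policy names other than the ones on this page are handled the same way. The hardened sample produces no findings.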
IPsec client settings (NCP)

- Profile: Profile name (any name); Communication Medium: LAN; Default Profile after System Reboot.
- Connection Mode.
- Gateway (Tunnel Endpoint): the SRX untrust address (100.100.100.1); IKE Policy: the IKE Phase 1 policy; IPsec Policy: the IKE Phase 2 policy; Exch Mode: Main/Aggressive mode (Aggressive, to match the SRX IKE policy); PFS Group: DH group (group 2); Policy Lifetime: Phase 1 / Phase 2 lifetimes; Policy Editor: edit the Phase 1 / Phase 2 proposals.
- IPsec Compression: Disable; DPD (Dead Peer Detection): matches the SRX dead-peer-detection setting; UDP Encapsulation.
- Local Identity (IKE): IKE ID type and ID (user01@juniper.local); Preshared Key: the same key configured on the SRX; Extended Authentication (XAUTH): the XAuth user ID and password.
- Assignment of the Private IP Address: IKE config mode (modeconfig); DNS/WINS servers: DNS assignment.
- Connection Established.
XAUTH (local user authentication on the SRX)

access {
    profile Local-auth {
        authentication-order password;
        client ipsec01 {
            firewall-user {
                password "$9$7MdwgGDkTz6oJz69A1INdb"; ## SECRET-DATA
            }
        }
    }
}
BACKUP SLIDE using certificate
Certificate-based setup, in five steps:
1. Define the CA profile.
2. Load the CA certificate.
3. Generate the SRX key pair.
4. Generate a certificate signing request (CSR) and have the CA sign it.
5. Load the signed local certificate.

# set security pki ca-profile private-ca ca-identity "COLORS CLASS 1 CA"
> request security pki ca-certificate load filename rubyca.pem ca-profile private-ca
> request security pki generate-key-pair certificate-id srx100-vpn size 2048
> request security pki generate-certificate-request certificate-id srx100-vpn domain-name srx100-vpn.juniper.local ip-address 100.100.100.1 email vpn-admin@juniper.local subject CN=srx100-vpn.juniper.local,ou=remotevpn,ou=srx,o="juniper Networks",L=Shinjuku,st=tokyo,c=jp
> request security pki local-certificate load certificate-id srx100-vpn filename srx100-vpn.pem