SRX DYNAMIC VPN
What is Dynamic VPN
Dynamic VPN is an IPsec VPN between a PC and an SRX: the SRX terminates the IPsec VPN from the PC, and the IPsec client itself is obtained from the SRX.
2 Copyright 2010 Juniper Networks, Inc. www.juniper.net
Dynamic VPN compared with NetScreen Remote (NS-R)
With NS-R, the IPsec client is installed on the PC separately and then connects to the SRX. With Dynamic VPN, the SRX distributes the client to the PC.
Dynamic VPN license
Dynamic VPN requires a license. Add it from the CLI: paste the license key at the prompt, then press Ctrl-D to finish. show system license confirms the dynamic-vpn feature.

    lab@srx100> request system license add terminal
    [Type ^D at a new line to end input,
     enter blank line between each license key]
    JUNOS224896 xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
    JUNOS224896: successfully added
    add license complete (no errors)

    lab@srx100> show system license
    License usage:
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      dynamic-vpn                           0           25           0    permanent
      ax411-wlan-ap                         0            2           0    permanent

    Licenses installed:
      License identifier: JUNOS224896
      License version: 2
      Valid for device: AU0809AF0005
      Features:
        dynamic-vpn-25-user - Dynamic VPN
          permanent

    lab@srx100>
Client requirements
S/W: Windows XP, Windows Vista
H/W: a PC that runs Windows
Installing the Dynamic VPN client requires Administrator privileges on Windows.
Windows 7 (32bit, 64bit): use the JUNOS Pulse VPN client.
JUNOS Pulse download URL (Juniper CSC): http://www.juniper.net/support/products/pulse/#sw
Dynamic VPN features and limitations
XAuth: assigns the VPN client IP address; RADIUS (10.4)
Shared IKE ID (10.4)
PFS (perfect forward secrecy)
IKE/IPsec security proposals (10.4: proposals)
IKE ID: FQDN
NAT-Traversal: the SRX's own IP must not be NATed, while the VPN client's IP may be NATed. SRX behind a BB router/FW that does NAT: NG. Client behind a BB router/FW that does NAT: OK.
Applies to: Dynamic VPN client, Pulse
Dynamic VPN configuration steps:
Step 1. Access profile
Step 2. Security zones and web management
Step 3. IKE (proposal, policy, gateway)
Step 4. IPsec (proposal, policy, vpn)
Step 5. VPN client
Step 6. Security policy
Legend: JUNOS 10.4 / JUNOS 10.3 / Dynamic VPN client / Pulse
Step 1. Access Profile (1/2)
The address pool supplies the VPN client IP addresses; the xauth-attributes are the DNS/WINS servers handed to VPN clients.

    access {
        address-assignment {
            pool vpn-pool {
                family inet {
                    network 192.168.125.0/24;
                    range address-range1 {
                        low 192.168.125.11;
                        high 192.168.125.20;
                    }
                    xauth-attributes {
                        primary-dns 192.168.25.250/32;
                        secondary-dns 192.168.25.251/32;
                        primary-wins 192.168.25.250/32;
                        secondary-wins 192.168.25.251/32;
                    }
                }
            }
        }
    }
Step 1. Access Profile (2/2)

    access {
        profile user-access-profile {
            client user1 {
                firewall-user {
                    password "**********"; ## SECRET-DATA
                }
            }
            client user2 {
                firewall-user {
                    password "**********"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool vpn-pool;
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile user-access-profile;
            }
        }
    }
Step 2. Security zone and web management
The J-Web interface and the Dynamic VPN (J-Web) interface are both the untrust interface. On the untrust interface, allow https (the Dynamic VPN web portal) and ike as host-inbound system services.

    system {
        services {
            web-management {
                management-url kanri;
                http {
                    interface ge-0/0/1.0;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/0.0;
                }
            }
        }
    }
    security {
        zones {
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ike;
                            }
                        }
                    }
                }
            }
        }
    }

Topology: trust ge-0/0/1 [SRX] untrust ge-0/0/0 -- BB router / FW (NAT)
Legend: JUNOS 10.4 / JUNOS 10.3 / Dynamic VPN client / Pulse
Note: management-url (JUNOS 10.3 and later)
When web-management https is enabled on the same interface IP that serves Dynamic VPN, J-Web and the Dynamic VPN portal would share one URL, and J-Web requests end in "page not found". management-url gives J-Web its own path, so J-Web is reached at http(s)://<srx IP>/<management-url>.

    system {
        services {
            web-management {
                management-url kanri;
                http {
                    interface vlan.10;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/0.0;
                }
            }
        }
    }

Topology: DVPN client -- VPN tunnel -- untrust ge-0/0/0 [SRX] trust vlan.10 (MGMT) -- Server
J-Web access through the VPN:
    https://<untrust_ip>/kanri (*)
    https://<trust_ip>/kanri
    http://<trust_ip>/
    http://<trust_ip>/kanri
(*) https://<untrust_ip>/kanri when connected through the VPN
Step 3. IKE
The gateway uses a shared IKE ID (ike-user-type shared-ike-id) and XAuth against the access profile from Step 1.

    security {
        ike {
            proposal ike-prop1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy ike-policy1 {
                mode aggressive;
                proposals ike-prop1;
                pre-shared-key ascii-text "**********"; ## SECRET-DATA
            }
            gateway gw1 {
                ike-policy ike-policy1;
                dynamic {
                    hostname vpnuser.jnpr.local;
                    connections-limit 10;
                    ike-user-type shared-ike-id;
                }
                external-interface ge-0/0/0;
                xauth access-profile user-access-profile;
            }
        }
    }
Step 4. IPsec

    security {
        ipsec {
            proposal ipsec-prop1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 3600;
            }
            policy ipsec-policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-prop1;
            }
            vpn remote-vpn {
                ike {
                    gateway gw1;
                    ipsec-policy ipsec-policy1;
                }
            }
        }
    }
Step 5. VPN Client
remote-protected-resources lists the networks reached through the VPN; remote-exceptions lists the destinations sent outside the VPN.

    security {
        dynamic-vpn {
            access-profile user-access-profile;
            clients {
                cfg1 {
                    remote-protected-resources {
                        172.27.24.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn remote-vpn;
                    user {
                        user1;
                        user2;
                    }
                }
            }
        }
    }
Step 6. Security Policy

    security {
        policies {
            from-zone untrust to-zone trust {
                policy vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn remote-vpn;
                            }
                        }
                    }
                }
            }
        }
    }
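The six steps reference each other: the dynamic-vpn client config names an ipsec-vpn, which names an IKE gateway, which names the XAuth access profile and the external interface whose zone must admit ike and https, and a security policy must tunnel into the same ipsec-vpn. The following Python script is an added example (not Juniper's code and not part of the original deck) that parses curly-brace Junos configuration text into nested dicts and checks those references. It also raises two defender-facing warnings: remote-exceptions 0.0.0.0/0 (split tunnelling) and the legacy 3DES/SHA-1/DH group 2 choices in the proposals. The sample configuration is constructed from the page's stanzas with the secrets replaced by asterisks; the parser, helper names and WEAK list are this example's own.

```python
"""Cross-reference checks for an SRX Dynamic VPN config (added example, not Juniper code)."""
import re

def parse_junos(text):
    """Curly-brace Junos text -> nested dicts: blocks {header: {...}} (repeats merged), leaves {stmt: None}."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', re.sub(r"##[^\n]*", "", text)):
        if tok == "{":
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == ";":
            node[" ".join(words)] = None
            words = []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return root

def get(node, *path):
    """Walk nested dicts; None if any key on the path is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def leaf_value(node, stmt):
    """Argument of a leaf statement: 'ipsec-vpn remote-vpn' -> 'remote-vpn'."""
    for key in node or {}:
        parts = key.split(None, 1)
        if parts[0] == stmt and len(parts) == 2:
            return parts[1]
    return None

def inbound_services(cfg, ifname):
    for zone in (get(cfg, "security", "zones") or {}).values():  # whichever zone holds ifname
        if get(zone, "interfaces", ifname) is not None:
            return set(get(zone, "interfaces", ifname, "host-inbound-traffic", "system-services") or {})
    return set()

WEAK = {"des-cbc", "3des-cbc", "md5", "sha1", "group1", "group2"}  # legacy choices worth a warning
def check_dynamic_vpn(text):
    """Return (errors, warnings) for every client config under security dynamic-vpn."""
    cfg, errors, warnings = parse_junos(text), [], []
    dvpn = get(cfg, "security", "dynamic-vpn")
    if dvpn is None:
        return ["no security dynamic-vpn stanza"], warnings
    profile = leaf_value(dvpn, "access-profile")
    known = {k.split()[1] for k in (get(cfg, "access", f"profile {profile}") or {}) if k.startswith("client ")}
    tunnels = {leaf_value(get(p, "then", "permit", "tunnel"), "ipsec-vpn")
               for ctx in (get(cfg, "security", "policies") or {}).values() for p in (ctx or {}).values()}
    weak = sorted({k.split()[-1] for sec in ("ike", "ipsec")
                   for key, blk in (get(cfg, "security", sec) or {}).items()
                   if key.startswith("proposal ") for k in blk} & WEAK)
    if weak:
        warnings.append(f"legacy algorithms in IKE/IPsec proposals: {weak}")
    for name, client in (get(dvpn, "clients") or {}).items():
        vpn = leaf_value(client, "ipsec-vpn")
        vpn_cfg = get(cfg, "security", "ipsec", f"vpn {vpn}")
        gw = leaf_value(get(vpn_cfg, "ike"), "gateway")
        gw_cfg = get(cfg, "security", "ike", f"gateway {gw}")
        if gw_cfg is None:
            errors.append(f"{name}: ipsec-vpn {vpn} or its IKE gateway is not defined")
            continue
        if leaf_value(gw_cfg, "xauth") != f"access-profile {profile}":
            errors.append(f"{name}: gateway {gw} must carry 'xauth access-profile {profile}'")
        ext = leaf_value(gw_cfg, "external-interface") or ""
        ifname = ext if "." in ext else ext + ".0"  # zones refer to the logical unit
        missing = {"ike", "https"} - inbound_services(cfg, ifname)
        if missing:
            errors.append(f"{name}: {ifname} lacks host-inbound system-services {sorted(missing)}")
        errors += [f"{name}: user {u} is not a client of access profile {profile}" for u in get(client, "user") or {} if u not in known]
        if vpn not in tunnels:
            errors.append(f"{name}: no security policy permits 'tunnel ipsec-vpn {vpn}'")
        if "0.0.0.0/0" in (get(client, "remote-exceptions") or {}):
            warnings.append(f"{name}: remote-exceptions 0.0.0.0/0 means split tunnelling")
    return errors, warnings

# Constructed sample assembled from the page's stanzas (secrets replaced by asterisks).
SAMPLE = """
access { profile user-access-profile { client user1 { firewall-user { password "**********"; } } client user2 { firewall-user { password "**********"; } } } }  ## SECRET-DATA
security {
  zones { security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { https; ike; } } } } } }
  ike { proposal ike-prop1 { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm sha1; encryption-algorithm 3des-cbc; lifetime-seconds 86400; }
        policy ike-policy1 { mode aggressive; proposals ike-prop1; pre-shared-key ascii-text "**********"; }
        gateway gw1 { ike-policy ike-policy1; dynamic { hostname vpnuser.jnpr.local; ike-user-type shared-ike-id; }
          external-interface ge-0/0/0; xauth access-profile user-access-profile; } }
  ipsec { proposal ipsec-prop1 { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm 3des-cbc; }
          policy ipsec-policy1 { perfect-forward-secrecy { keys group2; } proposals ipsec-prop1; }
          vpn remote-vpn { ike { gateway gw1; ipsec-policy ipsec-policy1; } } }
  dynamic-vpn { access-profile user-access-profile; clients { cfg1 { remote-protected-resources { 172.27.24.0/24; }
          remote-exceptions { 0.0.0.0/0; } ipsec-vpn remote-vpn; user { user1; user2; } } } }
  policies { from-zone untrust to-zone trust { policy vpn { then { permit { tunnel { ipsec-vpn remote-vpn; } } } } } }
}
"""
```

Run check_dynamic_vpn(SAMPLE) and the page's configuration produces no errors and two warnings (split tunnelling, legacy algorithms); remove ike from the zone's system-services, add a user that the access profile does not define, or point the policy's tunnel at another VPN, and the corresponding error appears. The parser merges repeated top-level headers, so the separate security { ... } stanzas from Steps 2 to 6 can be pasted in one after another.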
Client connection procedure (1/5)
1. In a web browser, open https://x.x.x.x/dynamic-vpn.
2. Enter the user ID and password.
Client connection procedure (2/5)
3. Install the Dynamic VPN client (Administrator privileges on Windows are required).
Client connection procedure (3/5)
4. The PC receives the connection settings from the SRX; click Accept to proceed to the IPsec connection.
Client connection procedure (4/5)
5. Enter the user ID and password for the IPsec connection.
6. The VPN connection is established.
7. A virtual adapter is created on the PC and a route to the protected resource is added.
8. Access the protected resource.
Client connection procedure (5/5)
From the second connection on, start the VPN from the Access Manager in Windows.
PC status before the VPN connection: ipconfig /all

    C:\Documents and Settings\admin>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : winxp
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Hybrid
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : localdomain

    Ethernet adapter :

            Connection-specific DNS Suffix  . : localdomain
            Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
            Physical Address. . . . . . . . . : 00-0C-29-C0-B6-30
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.56.138
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.56.2
            DHCP Server . . . . . . . . . . . : 192.168.56.254
            DNS Servers . . . . . . . . . . . : 192.168.56.2
            Primary WINS Server . . . . . . . : 192.168.56.2
            Lease Obtained. . . . . . . . . . : 2010 10 27 20:09:43
            Lease Expires . . . . . . . . . . : 2010 10 27 20:39:43

    C:\Documents and Settings\admin>
PC status before the VPN connection: route print

    C:\Documents and Settings\admin>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x20002 ...00 0c 29 c0 b6 30 ...... AMD PCNET Family PCI Ethernet Adapter
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.56.2   192.168.56.138     10
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
         192.168.56.0    255.255.255.0   192.168.56.138   192.168.56.138     10
       192.168.56.138  255.255.255.255        127.0.0.1        127.0.0.1     10
       192.168.56.255  255.255.255.255   192.168.56.138   192.168.56.138     10
            224.0.0.0        240.0.0.0   192.168.56.138   192.168.56.138     10
      255.255.255.255  255.255.255.255   192.168.56.138   192.168.56.138      1
    Default Gateway:     192.168.56.2
    ===========================================================================
    Persistent Routes:
      None

    C:\Documents and Settings\admin>
PC status after the VPN connection: ipconfig /all (added interface only)

    C:\Documents and Settings\admin>ipconfig /all

    Ethernet adapter Juniper Network Agent Virtual Adapter:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Juniper Networks Virtual Adapter -
            Physical Address. . . . . . . . . : 02-05-85-7F-EB-80
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 192.168.125.13
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :
            DNS Servers . . . . . . . . . . . : 192.168.25.251
            Primary WINS Server . . . . . . . : 192.168.25.251

    C:\Documents and Settings\admin>
PC status after the VPN connection: route print

    C:\Documents and Settings\admin>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x20002 ...00 0c 29 c0 b6 30 ...... AMD PCNET Family PCI Ethernet Adapter -
    0x90004 ...02 05 85 7f eb 80 ...... Juniper Networks Virtual Adapter -
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0  255.255.255.255     192.168.56.2   192.168.56.138     10
              0.0.0.0          0.0.0.0     192.168.56.2   192.168.56.138     10
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
          172.27.24.0    255.255.255.0   192.168.125.13   192.168.125.13      1
         172.27.66.55  255.255.255.255     192.168.56.2   192.168.56.138     10
         192.168.56.0    255.255.255.0   192.168.56.138   192.168.56.138     10
       192.168.56.138  255.255.255.255        127.0.0.1        127.0.0.1     10
       192.168.56.255  255.255.255.255   192.168.56.138   192.168.56.138     10
        192.168.125.0    255.255.255.0   192.168.125.13   192.168.125.13     10
       192.168.125.13  255.255.255.255        127.0.0.1        127.0.0.1     10
      192.168.125.255  255.255.255.255   192.168.125.13   192.168.125.13     10
            224.0.0.0        240.0.0.0   192.168.56.138   192.168.56.138     10
            224.0.0.0        240.0.0.0   192.168.125.13   192.168.125.13     10
      255.255.255.255  255.255.255.255   192.168.56.138   192.168.56.138      1
      255.255.255.255  255.255.255.255   192.168.125.13   192.168.125.13      1
    Default Gateway:     192.168.56.2
    ===========================================================================
    Persistent Routes:
      None

The route to 172.27.24.0/24 via the virtual adapter (192.168.125.13) is the one added by the VPN.
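The table above is the observable effect of Step 5: only the remote-protected-resources prefix (172.27.24.0/24) is routed through the Juniper virtual adapter, while the default route stays on the physical interface because remote-exceptions contains 0.0.0.0/0. The following Python script is an added example (not from the deck and not Juniper's code) that parses the Active Routes section of route print, resolves a destination the way the host does (longest prefix, then lowest metric) and checks the split-tunnel expectation: every protected prefix must leave via the adapter, and nothing else may. The sample table is constructed from the page's post-connection output, the adapter address and mask come from the ipconfig slide, and the function names are this example's own.

```python
"""Split-tunnel check for a Windows 'route print' table after a Dynamic VPN connection
(added example, not from the deck or Juniper)."""
import ipaddress
import re

# Constructed from the page's post-connection output (Active Routes section only).
ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.56.2   192.168.56.138     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      172.27.24.0    255.255.255.0   192.168.125.13   192.168.125.13      1
     172.27.66.55  255.255.255.255     192.168.56.2   192.168.56.138     10
     192.168.56.0    255.255.255.0   192.168.56.138   192.168.56.138     10
   192.168.56.138  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.125.0    255.255.255.0   192.168.125.13   192.168.125.13     10
   192.168.125.13  255.255.255.255        127.0.0.1        127.0.0.1     10
        224.0.0.0        240.0.0.0   192.168.56.138   192.168.56.138     10
        224.0.0.0        240.0.0.0   192.168.125.13   192.168.125.13     10
  255.255.255.255  255.255.255.255   192.168.56.138   192.168.56.138      1
Default Gateway:     192.168.56.2
"""

IP = r"(\d+(?:\.\d+){3})"
ROUTE_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Return [(network, gateway, interface, metric)] for each Active Routes line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface, int(metric)))
    return routes

def route_for(routes, address):
    """Pick the route the host would use: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(address)
    return max((r for r in routes if ip in r[0]), key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def check_split_tunnel(routes, vpn_interface, protected):
    """vpn_interface is the virtual adapter's address/mask as shown by ipconfig, e.g.
    '192.168.125.13/255.255.255.0'; protected lists the SRX remote-protected-resources."""
    vpn = ipaddress.ip_interface(vpn_interface)
    allowed = [ipaddress.ip_network(p) for p in protected] + [vpn.network]
    findings = []
    for prefix in allowed[:-1]:
        r = route_for(routes, str(prefix[1]))  # first host address inside the prefix
        if r is None or r[2] != str(vpn.ip):
            findings.append(f"{prefix} is not routed via the VPN adapter {vpn.ip}")
    for net, _, iface, _ in routes:
        if iface != str(vpn.ip) or net.prefixlen == 32 or net.is_multicast:
            continue  # host, broadcast and multicast entries on the adapter are normal
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"{net} is sent into the tunnel but is not a protected resource")
    return findings

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for line in check_split_tunnel(table, "192.168.125.13/255.255.255.0", ["172.27.24.0/24"]) or ["split tunnel OK"]:
        print(line)
```

With the page's table the check returns no findings. If a default route via the virtual adapter were present, it would be reported as traffic sent into the tunnel that is not a protected resource, which is the signature of a full-tunnel client config rather than the remote-exceptions 0.0.0.0/0 one shown in Step 5.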
SRX: checking VPN users

    root@srx210-2# run show security dynamic-vpn users
    User: user1, Number of connections: 1
      Remote IP: 172.27.66.51
      IPSEC VPN: remote-vpn
      IKE gateway: gw1
      IKE ID : vpnusers.jnpr.local
      IKE Lifetime: 86400
      IPSEC Lifetime: 3600
      Status: CONNECTED
    User: user2, Number of connections: 1
      Remote IP: 172.27.66.51
      IPSEC VPN: remote-vpn
      IKE gateway: gw1
      IKE ID : vpnusers.jnpr.local
      IKE Lifetime: 86400
      IPSEC Lifetime: 3600
      Status: CONNECTED

    [edit]
    root@srx210-2#
SRX: checking VPN users (terse)

    root@srx210-2# run show security dynamic-vpn users terse
    User    Remote IP      IKE ID               Status     IKE Lifetime  IPSEC Lifetime  Client Config Name  Time Established
    user1   172.27.66.51   vpnusers.jnpr.local  CONNECTED  86400         3600            cfg1                Wed Oct 27 12:12:06 2010
    user2   172.27.66.51   vpnusers.jnpr.local  CONNECTED  86400         3600            cfg1                Wed Oct 27 12:17:26 2010

    [edit]
    root@srx210-2#

Dynamic VPN users can also be viewed from the web UI.