Juniper Networks SRX branch and campus series devices support Dynamic VPN
(IPsec remote access) out of the box.
While this is a licensed feature, the device ships with two FREE licenses,
which is PERFECT for SOHO or branch office remote access.
The devices that support this are:
· SRX110
· SRX210
· SRX220
· SRX240
· SRX550
· SRX650
Check the software documentation for support details, but nearly all of these devices
support dyn-vpn from JUNOS 10.0 onwards.
user@srx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
I'll post both the JUNOS default hierarchy and the set-based JUNOS
output in this post.
user@srx> show configuration groups DYNVPN | display set
set groups DYNVPN security ike policy ike-dyn-vpn-policy mode aggressive
set groups DYNVPN security ike policy ike-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$su2oZjT3n60OLx7dYgJGD"
set groups DYNVPN security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set groups DYNVPN security ike gateway dyn-vpn-local-gw external-interface fe-0/0/2.0
set groups DYNVPN security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set groups DYNVPN security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set groups DYNVPN security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set groups DYNVPN security dynamic-vpn access-profile dyn-vpn-access-profile
set groups DYNVPN security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set groups DYNVPN security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set groups DYNVPN security dynamic-vpn clients all ipsec-vpn dyn-vpn
set groups DYNVPN security dynamic-vpn clients all user client1
set groups DYNVPN security dynamic-vpn clients all user client2
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match source-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match destination-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ping
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ssh
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ike
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-https
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set groups DYNVPN access profile dyn-vpn-access-profile client client1 firewall-user password "$9Q3/AuQFA0OByrs2gaDi.P5Qz3"
set groups DYNVPN access profile dyn-vpn-access-profile client client2 firewall-user password "$9$4Ia3/.P39CAIRNdVsoJDik.mf"
set groups DYNVPN access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet network 192.168.14.0/30
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set groups DYNVPN access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
user@srx> show configuration groups
DYNVPN {
    security {
        ike {
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$sFikT3nLx7dYgJGD"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 2;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/2.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.20.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        client1;
                        client2;
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone lab {
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ping junos-ssh junos-ike junos-https ];
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client client1 {
                firewall-user {
                    password "$9$U8jkmTyrs2gaDi.P5Qz3"; ## SECRET-DATA
                }
            }
            client client2 {
                firewall-user {
                    password "$9$49CAIVsoJDik.mf"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.14.0/30;
                    xauth-attributes {
                        primary-dns 4.2.2.2/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
}
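A small sanity check for a DYNVPN group like the one above, added here as an example and not part of the original post: it parses set-style output and flags a connections-limit above the installed dynamic-vpn license count, aggressive-mode IKE without an XAuth access profile, and a policy that permits application any. The license count, the weaker comparison config and the check thresholds are constructed for the example.

```python
import re

# Constructed excerpt of the page's set-style DYNVPN group (not a live device dump).
PAGE_CONFIG = """\
set groups DYNVPN security ike policy ike-dyn-vpn-policy mode aggressive
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set groups DYNVPN security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set groups DYNVPN security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set groups DYNVPN security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ike
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-https
"""
# Constructed weaker variant for comparison: over-committed limit, no XAuth, application any.
WEAK_CONFIG = """\
set groups DYNVPN security ike policy ike-dyn-vpn-policy mode aggressive
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set groups DYNVPN security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application any
"""
LICENSES_INSTALLED = 2  # "dynamic-vpn ... installed 2" in the show system license output

def parse_set_lines(text):
    """Split each 'set ...' statement into tokens; quoted values stay one token."""
    return [tuple(re.findall(r'"[^"]*"|\S+', ln.strip())[1:])
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def audit_dynvpn(text, licenses_installed):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_lines(text)
    def after(*tokens):
        """Remainder of every statement that contains the token sequence."""
        hits = []
        for s in stmts:
            for i in range(len(s) - len(tokens) + 1):
                if s[i:i + len(tokens)] == tokens:
                    hits.append(s[i + len(tokens):])
                    break
        return hits
    findings = []
    for rest in after("dynamic", "connections-limit"):
        if int(rest[0]) > licenses_installed:
            findings.append(f"connections-limit {rest[0]} exceeds the {licenses_installed} installed dynamic-vpn licenses")
    if after("mode", "aggressive") and not after("xauth", "access-profile"):
        findings.append("aggressive-mode IKE with a shared key but no xauth access-profile: users are not individually authenticated")
    if any(rest[:1] == ("any",) for rest in after("match", "application")):
        findings.append("dyn-vpn-policy permits application any instead of the services the clients need")
    return findings
```

Feed it the output of `show configuration groups DYNVPN | display set` and the installed count from `show system license` to re-check the group after edits.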
With Pulse Secure (previously known as JUNOS Pulse) you enter the connection
details and hit Connect. Once connected you have a secure tunnel.
A quick $ ifconfig utun1 on my Mac shows:
utun1: flags=8051 mtu 1500
        inet 192.168.14.1 --> 192.168.14.1 netmask 0xffffffff
Alternatively, you can point your web browser at the SRX's external IP address
and log in there, but Pulse Secure is very easy to use.
Once the tunnel is up you are authorized to access your protected devices
remotely.
You will notice I used a group configuration to place the DYNVPN
settings into. I did this so I can turn it on when I need it and leave it off
when I don’t. I don’t want to expose the web interface to the public Internet
when I am not using it.
By placing the configuration into a group I can just enable it with
# set apply-groups DYNVPN
# commit
and disable it with
# deactivate apply-groups DYNVPN
# commit
The point of this post is that the SRX not only protects your SOHO,
branch office or campus exceptionally well, it also provides additional
features such as Dynamic VPN, UTM, AV and IPS.