Junos® OS
Dynamic VPN Feature Guide for SRX Series Gateway Devices
Release 12.1X46-D10
Modified: 2016-07-07
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS Dynamic VPN Feature Guide for SRX Series Gateway Devices
12.1X46-D10
Copyright © 2016, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Part 1 Overview
Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Dynamic VPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding Dynamic VPN Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Grouping of Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
IKE and IPsec Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Enabling Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding Remote Client Access to the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding Dynamic VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Dynamic VPN Proposal Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Understanding URL Separation for J-Web and Dynamic VPN . . . . . . . . . . . . . . . . 10
Changes in the Web Access Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2 Local Authentication and Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding Local Authentication and Address Assignment . . . . . . . . . . . . . . . 13
Chapter 3 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Understanding Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Group IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 4 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Understanding Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Part 2 Configuration
Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Dynamic VPN Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Example: Configuring Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Example: Configuring Unique URLs for J-Web and Dynamic VPN . . . . . . . . . . . . . 34
Chapter 6 Local Authentication and Address Assignment . . . . . . . . . . . . . . . . . . . . . . . 39
Example: Configuring Local Authentication and Address Pool . . . . . . . . . . . . . . . 39
Chapter 7 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Example: Configuring a Group IKE ID for Multiple Users . . . . . . . . . . . . . . . . . . . . . 43
Example: Configuring Individual IKE IDs for Multiple Users . . . . . . . . . . . . . . . . . . 49
Chapter 8 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Security Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
[edit security dynamic-vpn] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
access-profile (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
access-profile (Security IKE Gateway) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
clients (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
config-check (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
dynamic-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
force-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
ike (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
interface (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
ipsec (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
ipsec-vpn (Security Dynamic VPNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
remote-exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
remote-protected-resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
traceoptions (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
user (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
user-groups (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
xauth-attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 9 Configuration Statements for Remote Client Authentication and Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Access Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
address-assignment (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
firewall-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
profile (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Chapter 10 Configuration Statements for URL Separation for J-Web and Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
system-generated-certificate (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . 95
wan-acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
web-management (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Part 3 Administration
Chapter 11 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Junos Pulse Client Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Deploying Junos Pulse Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Junos Pulse Interface and Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Junos Pulse Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Junos Pulse Connection Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Junos Pulse Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Junos Pulse Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Managing Junos Pulse Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Add a Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Connect to a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Disconnect from an Active Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
View Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Edit Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Forget Saved Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Delete a Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Troubleshoot a Junos Pulse Connection Issue . . . . . . . . . . . . . . . . . . . . . . . . 113
Annotate Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Set Log Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Save Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
View Component Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 12 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Access Manager Client-Side System Requirements . . . . . . . . . . . . . . . . . . . . . . . 117
Access Manager Client-Side Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Access Manager Client-Side Registry Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Chapter 13 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
clear security dynamic-vpn all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
clear security dynamic-vpn user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
show network-access address-assignment pool (View) . . . . . . . . . . . . . . . . . . . 126
show security dynamic-policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
show security dynamic-vpn client version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
show security dynamic-vpn users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
show security dynamic-vpn users terse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
show security ike active-peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
show security ike security-associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
show security ipsec security-associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Part 4 Troubleshooting
Chapter 14 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Access Manager Client-Side Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Troubleshooting Access Manager Client-Side Problems . . . . . . . . . . . . . . . . . . . 158
Part 5 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
List of Figures
Part 1 Overview
Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Using a VPN Tunnel to Enable Remote Access to a Corporate Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Part 2 Configuration
Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Figure 2: Dynamic VPN Deployment Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Part 1 Overview
Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Case 1: J-Web and Dynamic VPN Do Not Share the Same Interface . . . . . 11
Table 4: Case 2: J-Web and Dynamic VPN Share the Same Interface . . . . . . . . . . . 11
Part 2 Configuration
Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 5: Remote Client Authentication and Address Assignment Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 6: VPN Tunnel Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 7: Dynamic VPN Configuration for Remote Clients . . . . . . . . . . . . . . . . . . . . 28
Chapter 7 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 8: Group IKE ID VPN Tunnel Configuration Parameters . . . . . . . . . . . . . . . . 44
Table 9: Group IKE ID Dynamic VPN Configuration for Remote Clients . . . . . . . . . 44
Table 10: RADIUS Server User Authentication (Group IKE ID) . . . . . . . . . . . . . . . . 45
Table 11: Client 1 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Table 12: Client 2 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 13: RADIUS Server User Authentication (Individual IKE ID) . . . . . . . . . . . . . 52
Part 3 Administration
Chapter 11 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Table 14: Junos Pulse Client Hardware and Software Requirements . . . . . . . . . . 105
Table 15: Junos Pulse Troubleshooting Information . . . . . . . . . . . . . . . . . . . . . . . . 113
Chapter 12 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Table 16: Access Manager Client-Side Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Table 17: Access Manager Client-Side Registry Changes . . . . . . . . . . . . . . . . . . . 120
Chapter 13 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Table 18: show network-access address-assignment pool Output Fields . . . . . . 126
Table 19: show security dynamic-policies Output Fields . . . . . . . . . . . . . . . . . . . . 127
Table 20: show security dynamic-vpn users Output Fields . . . . . . . . . . . . . . . . . . 133
Table 21: show security dynamic-vpn users terse Output Fields . . . . . . . . . . . . . . 135
Table 22: show security ike security-associations Output Fields . . . . . . . . . . . . . 139
Table 23: show security ipsec security-associations . . . . . . . . . . . . . . . . . . . . . . . 146
Part 4 Troubleshooting
Chapter 14 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Table 24: Dynamic VPN Client-Side Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
About the Documentation
• Documentation and Release Notes on page xi
• Supported Platforms on page xi
• Using the Examples in This Manual on page xii
• Documentation Conventions on page xiii
• Documentation Feedback on page xv
• Requesting Technical Support on page xvi
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• SRX550
• SRX220
• SRX110
• SRX650
• SRX100
• SRX240
• SRX210
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see the CLI User Guide.
Documentation Conventions
Table 1 on page xiv defines notice icons used in this guide.
Table 1: Notice Icons
Icon / Meaning / Description
• Informational note: Indicates important features or instructions.
• Caution: Indicates a situation that might result in loss of data or hardware damage.
• Warning: Alerts you to the risk of personal injury or death.
• Laser warning: Alerts you to the risk of personal injury from a laser.
• Tip: Indicates helpful information.
• Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xiv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention / Description / Examples
Bold text like this
Represents text that you type.
To enter configuration mode, type the configure command:
user@host> configure
Fixed-width text like this
Represents output that appears on the terminal screen.
user@host> show chassis alarms
No alarms currently active
Italic text like this
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute
Italic text like this
Represents variables (options for which you substitute a value) in commands or configuration statements.
Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name
Text like this
Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.
< > (angle brackets)
Encloses optional keywords or variables.
stub <default-metric metric>;
| (pipe symbol)
Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
Indicates a comment specified on the same line as the configuration statement to which it applies.
rsvp { # Required for dynamic MPLS only
[ ] (square brackets)
Encloses a variable for which you can substitute one or more values.
community name members [ community-ids ]
Indention and braces ( { } )
Identifies a level in the configuration hierarchy.
; (semicolon)
Identifies a leaf statement at a configuration hierarchy level.
[edit]
routing-options {
    static {
        route default {
            nexthop address;
            retain;
        }
    }
}
GUI Conventions
Bold text like this
Represents graphical user interface (GUI) items you click or select.
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.
> (bold right angle bracket)
Separates levels in a hierarchy of menu selections.
In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Dynamic VPN on page 3
• Local Authentication and Address Assignment on page 13
• Group and Shared IKE IDs on page 15
• Junos Pulse Client on page 19
CHAPTER 1
Dynamic VPN
• Dynamic VPN Overview on page 3
• Understanding Dynamic VPN Enhancements on page 5
• Understanding Remote Client Access to the VPN on page 6
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Proposal Sets on page 9
• Understanding URL Separation for J-Web and Dynamic VPN on page 10
Dynamic VPN Overview
Supported Platforms SRX100, SRX210, SRX240, SRX650
Virtual private network (VPN) tunnels enable users to securely access assets such as
e-mail servers and application servers that reside behind a firewall. End-to-site VPN
tunnels are particularly helpful to remote users such as telecommuters because a single
tunnel enables access to all of the resources on a network—the users do not need to
configure individual access settings to each application and server. See Figure 1 on page 4.
Figure 1: Using a VPN Tunnel to Enable Remote Access to a Corporate Network
The dynamic VPN feature (also known as remote access VPN or IPsec VPN client) further
simplifies remote access by enabling users to establish Internet Protocol Security (IPsec)
VPN tunnels without having to manually configure VPN settings on their PCs or laptops.
Instead, authenticated users can simply download the VPN client software to their
computers. This Layer 3 remote access client uses client-side configuration settings that
it receives from the server to create and manage a secure end-to-site VPN tunnel to the
server.
NOTE: If more than two simultaneous user connections are required, a dynamic VPN license must be installed. The dynamic VPN feature is disabled by default on the device. To enable dynamic VPN, you must configure the feature using the dynamic-vpn configuration statement at the [edit security] hierarchy level. See the Installation and Upgrade Guide for Security Devices for information about installing and managing licenses.
Related Documentation
• Understanding URL Separation for J-Web and Dynamic VPN on page 10
• Dynamic VPN Configuration Overview on page 23
• Understanding Dynamic VPN Tunnels on page 7
• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side System Requirements on page 117
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Understanding Dynamic VPN Enhancements
Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX550, SRX650
• Grouping of Users on page 5
• IKE and IPsec Configuration Validation on page 6
• Enabling Dynamic VPN on page 6
• Traceoptions on page 6
Grouping of Users
Prior to Junos OS Release 12.1X44-D10, dynamic VPN configuration requires that users
be configured in two locations:
• The client option at the [edit access profile profile-name] hierarchy level is used in the
authentication of a dynamic VPN user.
• The user option at the [edit security dynamic-vpn clients configuration-name] hierarchy
level is used to associate a client VPN configuration with a user.
As of Junos OS Release 12.1X44-D10, the configuration of dynamic VPN users and the
association of users with a client VPN are simplified.
There are two cases to consider when configuring dynamic VPN:
• When users are configured locally, they are configured at the [edit access profile
profile-name client client-name] hierarchy level and arranged into user groups using the
client-group configuration option.
• Users can be configured on an external authentication server, such as a RADIUS server.
Users configured on an external authentication server do not need to be configured at
the [edit access profile profile-name] hierarchy level.
The user group needs to be specified in the dynamic VPN configuration so that a user
can be associated with a client configuration. You specify a user group with the user-groups
option at the [edit security dynamic-vpn clients configuration-name] hierarchy level.
When a user is authenticated, the user group is included in the authentication reply. This
information is extracted and user groups configured at the [edit security dynamic-vpn
clients configuration-name] hierarchy level are searched to determine which client
configuration to retrieve and return to the client for tunnel establishment.
If a user is associated with more than one user group, the first matching user group
configuration is used. If a user creates a second connection, then the next matching user
group configuration is used. Subsequent user connections use the next matching user
group configuration until there are no more matching configurations.
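The following set commands are an added illustration of the 12.1X44-D10 grouping model and are not configuration taken from this guide. The profile, group, client-configuration and VPN names (dyn-vpn-access-profile, dvpn-staff, dvpn-contractors, staff-cfg, contractor-cfg, dyn-vpn, dyn-vpn-restricted) and the passwords are assumed, and the two IPsec VPNs are assumed to be configured elsewhere.

```junos
# Added example; all names below are assumed, not taken from the guide.

# Local users are created once, under the access profile, and placed in a
# group with client-group. No per-user entry is needed under
# [edit security dynamic-vpn clients ...] any more.
set access profile dyn-vpn-access-profile client alice firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client alice client-group dvpn-staff
set access profile dyn-vpn-access-profile client bob firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client bob client-group dvpn-contractors

# Two client configurations. When a user authenticates, the group name returned
# in the authentication reply is looked up against user-groups here, and the
# first matching configuration is pushed to the client.
set security dynamic-vpn access-profile dyn-vpn-access-profile

# Staff: tunnel everything for the corporate 10.0.0.0/8 space.
set security dynamic-vpn clients staff-cfg user-groups dvpn-staff
set security dynamic-vpn clients staff-cfg ipsec-vpn dyn-vpn
set security dynamic-vpn clients staff-cfg remote-protected-resources 10.0.0.0/8

# Contractors: a narrower VPN that only reaches the 10.0.1.0/24 trust subnet;
# all other traffic stays outside the tunnel.
set security dynamic-vpn clients contractor-cfg user-groups dvpn-contractors
set security dynamic-vpn clients contractor-cfg ipsec-vpn dyn-vpn-restricted
set security dynamic-vpn clients contractor-cfg remote-protected-resources 10.0.1.0/24
set security dynamic-vpn clients contractor-cfg remote-exceptions 0.0.0.0/0
```

A user placed in both groups receives staff-cfg for the first connection and contractor-cfg for a second one, which is why group membership should be kept unambiguous for users whose access must stay restricted.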
IKE and IPsec Configuration Validation
A configuration check can be performed to verify that all IKE and IPsec parameters needed
for dynamic VPN are correctly configured. If the configuration is invalid for IKE or IPsec,
an error message is displayed.
NOTE: Configuration checks are off by default. You enable configuration checks by using the set security dynamic-vpn config-check command.
Enabling Dynamic VPN
As of Junos OS Release 12.1X44-D10, you do not need to configure Web management
services to enable dynamic VPN.
NOTE: Existing configurations that had the loopback interface set to disable Web management now enable Web management on the loopback interface.
The Appweb server is started when Web management is not configured. Other Web
management configuration parameters that are needed to start the Appweb server have
default operations:
• A system-generated certificate is used by default for HTTPS.
• The default value for limits debug level is 9 for the Web server.
Traceoptions
Administrators can configure the traceoptions statement at the [edit security dynamic-vpn]
hierarchy level to log dynamic VPN messages.
Related Documentation
• Dynamic VPN Overview on page 3
• Understanding Remote Client Access to the VPN on page 6
• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34
Understanding Remote Client Access to the VPN
Supported Platforms SRX100, SRX210, SRX240, SRX650
A common dynamic VPN deployment is to provide VPN access to remote clients
connected through a public network such as the Internet. IPsec access is provided through
a gateway on the Juniper Networks device. Client software such as Pulse Secure (formerly
called Junos Pulse) can be used for VPN access.
NOTE: Pulse Secure client software can be obtained from the Juniper Networks Download Software site at https://www.juniper.net/support/downloads/?p=pulse.
The following describes the process for a remote client to access the VPN:
1. The remote client contacts the Web portal by establishing an HTTP or HTTPS
connection to the interface on the SRX Series device that is configured to terminate
the VPN tunnels.
2. The remote client is redirected to the Web portal for authentication, where users are
prompted to enter their credentials.
3. Upon successful authentication, the server determines if client software is installed
in the remote client and if the software is the most recent version. If the remote client
does not have the client software installed or the installed software is an older version,
new software is installed in the remote client. The client software is launched and a
new authentication takes place.
4. Upon successful authentication, the remote client downloads the latest configuration
options from the server. This ensures that the remote client always has the most
recent configuration when it attempts to build a tunnel.
5. A new authentication is performed using IPsec extended authentication (XAuth). An
IP address is assigned to the remote client from a local address pool or through an
external RADIUS server. Upon successful authentication and address assignment, a
tunnel is established.
After VPN software is installed on the remote client, the user can access the VPN by
either logging in to the Web portal or launching the client software directly. In either case,
the remote client authenticates with the Juniper Networks device and downloads the
latest available configuration for the client.
NOTE: When launching newly installed client software, the user must first close the Web browser window with the browser’s close button.
Related Documentation
• Dynamic VPN Overview on page 3
• Dynamic VPN Configuration Overview on page 23
• Understanding Dynamic VPN Tunnels on page 7
• Example: Configuring Dynamic VPN on page 25
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Understanding Dynamic VPN Tunnels
Supported Platforms SRX100, SRX210, SRX240, SRX650
Dynamic VPN tunnels are configured in the same way as traditional IPsec VPN tunnels.
However, not all IPsec VPN options are supported.
The following list describes the requirements and supported options when configuring
dynamic VPN tunnels:
• Only policy-based VPNs are supported. Route-based VPNs are not supported with
dynamic VPN tunnels. Traffic allowed from the VPN can be controlled by pushing
routes to the remote client as part of the client’s configuration.
• Dynamic VPN tunnels must be configured with extended authentication (XAuth). This
can be done using local authentication or an external RADIUS server. XAuth is required
to obtain username and password information during IPsec negotiation and to push
an IP address to the remote client. For local authentication, the IP addresses assigned
to remote clients can be drawn from a local pool. Optionally, DNS and WINS server
addresses may also be pushed to the remote client.
• Only preshared keys are supported for Phase 1 authentication with dynamic VPN
tunnels. The same preshared key can be used for all remote clients because a different
username and password is assigned to each remote client.
• When a dynamic VPN client negotiates an AutoKey IKE tunnel with a preshared key,
aggressive mode must be used. Therefore, you must always configure aggressive mode
with dynamic VPN tunnels.
• Shared or group IKE IDs can be used to configure a single VPN that is shared by all
remote clients. When a single VPN is shared, the total number of simultaneous
connections to the gateway cannot be greater than the number of dynamic VPN
licenses installed. When configuring a shared or group IKE ID gateway, you can configure
the maximum number of connections to be greater than the number of installed
dynamic VPN licenses. However, if a new connection exceeds the number of licensed
connections, the connection will be denied.
NOTE: When the device disconnects abruptly, it will not release the user license immediately. This results in unavailability of licenses to new users. You can reduce the IPsec SA lifetime to a smaller value to reduce the delay of licenses to new users.
• The dynamic VPN client supports the following algorithms: MD5, SHA-1, DES, 3DES,
AES (with 96-bit, 128-bit, and 256-bit keys). The dynamic VPN client supports DH
groups 1, 2, and 5. Tunnel negotiations will fail if other values are configured on the
Juniper Networks device.
• Either proposal sets or custom proposals may be configured for IKE and IPsec
negotiations. If there is a list of custom proposals referenced from the IKE or IPsec
policy, only the first proposal is sent to the client and other proposals in the list are
ignored.
• The same access profile should be used for both IKE and dynamic VPN tunnels. Doing
so avoids unpredictable behavior if the tunnel goes down unexpectedly or the client
crashes.
• The number of user licenses must be equal to the number of dynamic VPN client
connections. For example, if you have 10 user licenses, you can make 10 dynamic VPN
client connections. When you make the 11th dynamic VPN client connection, the
connection will be denied.
Related Documentation
• Dynamic VPN Overview on page 3
• Dynamic VPN Configuration Overview on page 23
• Example: Configuring Dynamic VPN on page 25
• Understanding IKE and IPsec Packet Processing
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Dynamic VPN Proposal Sets
Supported Platforms SRX100, SRX210, SRX240, SRX650
Configuring custom Internet Key Exchange (IKE) and IP Security (IPsec) proposals for
IKE and IPsec policies can be tedious and time-consuming when there are many dynamic
VPN clients. The administrator can select basic, compatible, or standard proposal sets
for dynamic VPN clients. Each proposal set consists of two or more predefined proposals.
The server selects one predefined proposal from the set and pushes it to the client in the
client configuration. The client uses this proposal in negotiations with the server to
establish the connection.
The default values for IKE and IPsec security association (SA) rekey timeout are as
follows:
• For IKE SAs, the rekey timeout is 28,800 seconds.
• For IPsec SAs, the rekey timeout is 3600 seconds.
NOTE: Because proposal-set configuration does not allow for configuration of rekey timeout, these values are included in the client configuration that is sent to the client at client download time.
The basic use cases for proposals are as follows:
• IKE and IPsec both use proposal sets.
The server selects a predefined proposal from the proposal set and sends it to the
client, along with the default rekey timeout value.
• IKE uses a proposal set, and IPsec uses a custom proposal.
The server sends a predefined IKE proposal from the configured IKE proposal set to
the client, along with the default rekey timeout value. For IPsec, the server sends the
setting that is configured in the IPsec proposal.
• IKE uses a custom proposal, and IPsec uses a proposal set.
The server sends a predefined IPsec proposal from the configured IPsec proposal set
to the client, along with the default rekey timeout value. For IKE, the server sends the
setting that is configured in the IKE proposal.
NOTE: If IPsec uses a standard proposal set and perfect forward secrecy (PFS) is not configured, then the default PFS is set as group2. For other proposal sets, PFS will not be set, because it is not configured. Also, for the IPsec proposal set, the group configuration in ipsec policy perfect-forward-secrecy keys overrides the Diffie-Hellman (DH) group setting in the proposal sets.
Because the client accepts only one proposal for negotiating tunnel establishment with
the server, the server internally selects one proposal from the proposal set to send to the
client. The selected proposal for each set is listed as follows:
For IKE
• Sec-level basic: preshared key, g1, des, sha1
• Sec-level compatible: preshared key, g2, 3des, sha1
• Sec-level standard: preshared key, g2, aes128, sha1
For IPsec
• Sec-level basic: esp, no pfs (if not configured) or groupx (if configured), des, sha1
• Sec-level compatible: esp, no pfs (if not configured) or groupx (if configured), 3des,
sha1
• Sec-level standard: esp, g2 (if not configured) or groupx (if configured), aes128, sha1
Related Documentation
• Dynamic VPN Overview on page 3
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Understanding URL Separation for J-Web and Dynamic VPN
Supported Platforms SRX100, SRX210, SRX240, SRX650
This feature prevents the dynamic VPN users from accessing J-Web accidentally or
intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver
for parsing all the HTTP requests it receives. The webserver also provides access
permission based on the interfaces enabled for J-Web and dynamic VPN.
• Changes in the Web Access Behavior on page 11
Changes in the Web Access Behavior
Table 3 on page 11 and Table 4 on page 11 illustrate the changes in the web access
behavior when J-Web and dynamic VPN do not share and share the same interface.
Table 3: Case 1: J-Web and Dynamic VPN Do Not Share the Same Interface

Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface, depending on the server host chosen.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured, else to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured, else to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.
Table 4: Case 2: J-Web and Dynamic VPN Share the Same Interface

Scenario: J-Web is enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured, or to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the Page Not Found page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.
  http(s)://server host: Navigates to the J-Web login page.
  http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured, else to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.
  http(s)://server host: Navigates to the dynamic VPN login page.
  http(s)://server host//configured attribute: Navigates to the Page Not Found page.
  http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.
Related Documentation
• Dynamic VPN Overview on page 3
• Understanding Remote Client Access to the VPN on page 6
• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 2
Local Authentication and Address Assignment
• Understanding Local Authentication and Address Assignment on page 13
Understanding Local Authentication and Address Assignment
Supported Platforms SRX100, SRX210, SRX240, SRX650
A client application can request an IP address on behalf of a client. This request is made
at the same time as the client authentication request. Upon successful authentication
of the client, an IP address can be assigned to the client from a predefined address pool
or a specific IP address can be assigned. Other attributes, such as WINS or DNS server
IP addresses, can also be provided to the client.
Address pools are defined with the pool configuration statement at the [edit access
address-assignment] hierarchy level. An address pool definition contains network
information (IP address with optional netmask), optional range definitions, and DHCP
or XAuth attributes that can be returned to the client. If all addresses in a pool are
assigned, a new request for a client address will fail even if the client is successfully
authenticated.
Access profiles are defined with the profile configuration statement at the [edit access]
hierarchy. A defined address pool can be referenced in an access profile configuration.
You can also bind a specific IP address to a client in an access profile with the xauth
ip-address address option. The IP address must be in the range of addresses specified in
the address pool. It must also be different from the IP address specified with the host
configuration statement at the [edit access profile address-assignment pool pool-name
family inet] hierarchy level. For any application, if one IP address has been assigned, it
will not be reassigned again until it is released.
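The following set commands are an added example of the pool and profile relationship described above; they are not configuration from this guide. The pool and profile names and the users client1 and client2 follow Table 5 on page 27, while the range name dvpn-range, its bounds, the fixed address 10.10.10.50 and the WINS address are assumed.

```junos
# Added example; names from Table 5 of the guide, other values assumed.

# Address pool: the network, a narrower range that is actually handed out, and
# XAuth attributes (DNS/WINS) returned to the client together with its address.
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range dvpn-range low 10.10.10.10 high 10.10.10.200
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-wins 10.0.1.5/32

# Access profile: local users, with the pool referenced from the profile so
# that a successfully authenticated client gets an address from it. Once the
# range is exhausted, authentication still succeeds but the address request fails.
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

# Fixed address for client2. It must lie inside the pool's address range and
# must differ from any address given to a host entry in the pool.
set access profile dyn-vpn-access-profile client client2 xauth ip-address 10.10.10.50

# Make this the default profile for Web authentication (the portal login).
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
```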
Related Documentation
• Example: Configuring Local Authentication and Address Pool on page 39
• Dynamic VPN Overview on page 3
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Example: Configuring Dynamic VPN on page 25
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 3
Group and Shared IKE IDs
• Understanding Group and Shared IKE IDs on page 15
Understanding Group and Shared IKE IDs
Supported Platforms SRX100, SRX210, SRX240, SRX650
With dynamic VPN, a unique Internet Key Exchange (IKE) ID is used for each user
connection. When there are a large number of users who need to access the VPN,
configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can
be cumbersome. The group IKE ID and shared IKE ID features allow a number of users
to share an IKE gateway configuration, thus reducing the number of VPN configurations
required.
NOTE: We recommend that you configure group IKE IDs for dynamic VPN deployments because group IKE IDs provide a unique preshared key and IKE ID for each user.
This topic includes the following sections:
• Group IKE IDs on page 15
• Shared IKE IDs on page 16
Group IKE IDs
When group IKE IDs are configured, the IKE ID of each user is a concatenation of a
user-specific part and a part that is common to all group IKE ID users. For example, the
user Bob might use ”Bob.example.net“ as his full IKE ID, where ”.example.net“ is common
to all users. The full IKE ID is used to uniquely identify each user connection.
Although group IKE IDs do not require XAuth, XAuth is required by dynamic VPN to retrieve
network attributes like client IP addresses. A warning is displayed if XAuth is not configured
for a dynamic VPN that uses group IKE IDs.
NOTE: We recommend that users use the same credentials for both WebAuth and XAuth authentication when group IKE IDs are configured.
Multiple users can use the same group IKE ID, but a single user cannot use the same
group IKE ID for different connections. If a user needs to have connections from different
remote clients, they need to have different group IKE IDs configured, one for each
connection. If a user only has one group IKE ID configured and attempts a second
connection from another PC, the first connection will be terminated to allow the second
connection to go through.
To configure a group IKE ID:
• Configure ike-user-type group-ike-id at the [edit security ike gateway gateway-name
dynamic] hierarchy level.
• Configure the hostname configuration statement at the [edit security ike gateway
gateway-name dynamic] hierarchy level. This configuration is the common part of the
full IKE ID for all users.
• Configure the pre-shared-key configuration statement at the [edit security ike policy
policy-name] hierarchy level. The configured preshared key is used to generate the
actual preshared key.
Shared IKE IDs
When a shared IKE ID is configured, all users share a single IKE ID and a single IKE
preshared key. Each user is authenticated through the mandatory XAuth phase, where
the credentials of individual users are verified either with an external RADIUS server or
with a local access database. XAuth is required for shared IKE IDs.
The XAuth user name together with the configured shared IKE ID is used to distinguish
between different user connections. Because the user name is used to identify each user
connection, both the WebAuth user name and XAuth user name must be the same.
Multiple users can use the same shared IKE ID, but a single user cannot use the same
shared IKE ID for different connections. If a user needs to have connections from different
remote clients, they need to have different shared IKE IDs configured, one for each
connection. If a user has only one shared IKE ID configured and attempts a second
connection from another client, the first connection will be terminated to allow the second
connection to go through. Also, because the user name is needed to identify each user
connection along with the IKE ID, the user must use the same credentials for both
WebAuth and XAuth authentication.
To configure a shared IKE ID:
• Configure ike-user-type shared-ike-id at the [edit security ike gateway gateway-name
dynamic] hierarchy level.
• Configure the hostname configuration statement at the [edit security ike gateway
gateway-name dynamic] hierarchy level. The configured hostname is shared by all users
configured in the dynamic VPN access profile.
• Configure the pre-shared-key configuration statement at the [edit security ike policy
policy-name] hierarchy level. The configured preshared key is shared by all users
configured in the dynamic VPN access profile.
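The following set commands are an added example covering both the group IKE ID steps and the shared IKE ID steps above; they are not configuration from this guide. The policy, gateway, hostname, interface and profile names follow Table 6 on page 27 (ike-dyn-vpn-policy, dyn-vpn-local-gw, dynvpn, ge-0/0/15.0, dyn-vpn-access-profile); the second gateway name dyn-vpn-shared-gw is assumed, and the two gateway stanzas are alternatives, so only one of them would be committed on a device.

```junos
# Added example; names from Table 6 of the guide, dyn-vpn-shared-gw assumed.

# Phase 1 policy used by either variant: aggressive mode and a preshared key
# are mandatory for dynamic VPN. With group IKE IDs this key is only the seed
# from which each user's own preshared key is derived.
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"

# Variant 1, group IKE ID (recommended): each user presents <user>.dynvpn as its
# full IKE ID and gets a per-user derived key. A second connection from the same
# user on another PC terminates the first one.
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
# XAuth is what delivers the client address; use the same access profile here
# and under [edit security dynamic-vpn] to avoid stale state after a crash.
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

# Variant 2, shared IKE ID: one IKE ID and one key for everybody, so the XAuth
# username is the only thing that tells connections apart. WebAuth and XAuth
# credentials must therefore be identical for each user.
set security ike gateway dyn-vpn-shared-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-shared-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-shared-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-shared-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-shared-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-shared-gw xauth access-profile dyn-vpn-access-profile
```

Because the connections-limit may exceed the installed dynamic VPN licenses, the limit only caps what the gateway accepts; connections beyond the licensed count are still denied.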
Related Documentation
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Example: Configuring a Group IKE ID for Multiple Users on page 43
• Example: Configuring Individual IKE IDs for Multiple Users on page 49
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 4
Junos Pulse Client
• Understanding Junos Pulse Client on page 19
Understanding Junos Pulse Client
Supported Platforms SRX100, SRX210, SRX240, SRX650
Junos Pulse is an extensible multiservice network client that supports integrated
connectivity, location-aware network access, application acceleration, security, and
selected third-party services. (For more information about Junos Pulse features, see the
Junos Pulse Administration Guide.)
Junos Pulse supports remote virtual private network (VPN) tunnel connectivity to SRX
Series gateways that are running Junos OS. To configure a firewall access environment
for Junos Pulse clients, you must configure the VPN settings on the SRX Series gateway
and create and deploy a firewall connection on the Junos Pulse client.
For SRX Series devices running Junos OS Release 10.2 through 10.4, Junos Pulse is
supported but must be deployed separately. In Junos OS Release 11.1 and later, if the
Pulse client does not exist on the client machine, the Pulse client is automatically
downloaded and installed when you log into an SRX Series device. If the Pulse client
exists on the client machine, you must launch the Pulse client.
Related Documentation
• Dynamic VPN Overview on page 3
• Junos Pulse Client Installation Requirements on page 105
• Deploying Junos Pulse Client Software on page 106
PART 2
Configuration
• Dynamic VPN on page 23
• Local Authentication and Address Assignment on page 39
• Group and Shared IKE IDs on page 43
• Configuration Statements on page 61
• Configuration Statements for Remote Client Authentication and Addresses on page 77
• Configuration Statements for URL Separation for J-Web and Dynamic VPN on page 95
CHAPTER 5
Dynamic VPN
• Dynamic VPN Configuration Overview on page 23
• Example: Configuring Dynamic VPN on page 25
• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34
Dynamic VPN Configuration Overview
Supported Platforms SRX100, SRX210, SRX240, SRX650
A dynamic VPN allows administrators to provide IPsec access to a gateway on a Juniper
Networks device while also providing a way to distribute the Dynamic VPN software to
remote clients through the use of a Web portal.
The following procedure lists the tasks for configuring a dynamic VPN.
1. Configure authentication and address assignment for the remote clients:
a. Configure an XAuth profile to authenticate users and assign addresses. Either local
authentication or an external RADIUS server may be used. Use the profile
configuration statement at the [edit access] hierarchy level to configure the XAuth
profile.
To use the XAuth profile for Web authentication, use the web-authentication
configuration statement at the [edit access firewall-authentication] hierarchy level.
b. Assign IP addresses from a local address pool if local authentication is used. Use
the address-assignment pool configuration statement at the [edit access] hierarchy
level. A subnet or a range of IP addresses can be specified. IP addresses for DNS
and WINS servers may also be specified.
2. Configure the VPN tunnel:
a. Configure the IKE policy. The mode must be aggressive. Basic, compatible, or
standard proposal sets may be used. Only preshared keys are supported for Phase
1 authentication. Use the policy configuration statement at the [edit security ike]
hierarchy level.
b. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can
configure the maximum number of simultaneous connections to the gateway. Use
the gateway configuration statement at the [edit security ike] hierarchy level.
c. Configure the IPsec VPN. Basic, compatible, or standard proposal sets may be
specified with the policy configuration statement at the [edit security ipsec]
hierarchy level. Use the vpn configuration statement at the [edit security ipsec]
hierarchy level to configure the IPsec gateway and policy.
d. Configure a security policy to allow traffic from the remote clients to the IKE
gateway. Use the policy configuration statement at the [edit security policies
from-zone zone to-zone zone] hierarchy level.
NOTE: Configure the security policy with the match criteria source-address any, destination-address any, and application any and the action permit tunnel ipsec-vpn with the name of the dynamic VPN tunnel. Place this policy at the end of the policy list.
e. Configure host inbound traffic to allow specific traffic to reach the device from
systems that are connected to its interfaces. For example, IKE and HTTPS traffic
must be allowed. See Understanding How to Control Inbound Traffic Based on Traffic Types.
f. (Optional) If the client address pool belongs to a subnet that is directly connected
to the device, the device would need to respond to ARP requests to addresses in
the pool from other devices in the same zone. Use the proxy-arp configuration
statement at the [edit security nat] hierarchy level. Specify the interface that directly
connects the subnet to the device and the addresses in the pool.
3. Associate the dynamic VPN with remote clients:
a. Specify the access profile for use with dynamic VPN. Use the access-profile
configuration statement at the [edit security dynamic-vpn] hierarchy level.
b. Configure the clients who can use the dynamic VPN. Specify protected resources
(traffic to the protected resource travels through the specified dynamic VPN tunnel
and is therefore protected by the firewall’s security policies) or exceptions to the
protected resources list (traffic that does not travel through the dynamic VPN
tunnel and is sent in cleartext). These options control the routes that are pushed
to the client when the tunnel is up, therefore controlling the traffic that is sent
through the tunnel. Use the clients configuration statement at the [edit security
dynamic-vpn] hierarchy level.
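The following set commands are an added example that carries steps 2c through 3b of this procedure into configuration; they are not the guide's own example. The IPsec, VPN, policy and interface names follow Table 6 on page 27 (ipsec-dyn-vpn-policy, dyn-vpn, dyn-vpn-local-gw, dyn-vpn-policy, ge-0/0/15.0), the access profile and pool follow Table 5, and the XAuth profile, pool and IKE gateway are assumed to exist already; the proxy-ARP interface ge-0/0/0.0 and the 10.0.0.0/8 protected range are assumed.

```junos
# Added example; names from Tables 5 and 6 of the guide, others assumed.

# 2c. Phase 2: a proposal set on the IPsec policy, and the VPN bound to the
# IKE gateway and that policy.
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

# 2d. Policy-based VPN: match any/any/any and permit into the tunnel. Because
# the match is wide open it must be the last untrust-to-trust policy; if others
# already exist, reorder with:
#   insert security policies from-zone untrust to-zone trust policy dyn-vpn-policy after policy <existing-policy>
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

# 2e. Host inbound traffic, scoped to the terminating interface only: IKE for
# tunnel setup and HTTPS for the portal and client download. Nothing else from
# the Internet needs to reach the device on this interface.
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services https

# 2f. Only when the pool subnet (10.10.10.0/24 in Table 5) is directly attached
# to the device: answer ARP for the pool addresses on that interface (assumed).
set security nat proxy-arp interface ge-0/0/0.0 address 10.10.10.10/32 to 10.10.10.200/32

# 3a/3b. Bind the XAuth profile to dynamic VPN and describe what the client
# should tunnel: routes for 10.0.0.0/8 are pushed through dyn-vpn, while the
# 0.0.0.0/0 exception keeps other traffic in cleartext (split tunnel).
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

# Optional: have the device validate the IKE/IPsec parameters needed for
# dynamic VPN, and upgrade clients that connect with the Pulse software directly.
set security dynamic-vpn config-check
set security dynamic-vpn force-upgrade
```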
NOTE: The Web portal requires that HTTPS is enabled on the Juniper Networks device. If HTTPS is already enabled for J-Web access, no further action is required.
NOTE: If users will log in to the server by running the Pulse client software instead of connecting to the server through HTTP/HTTPS, use the force-upgrade configuration statement at the [edit security dynamic-vpn] hierarchy level. This configuration automatically upgrades the client’s software when a more recent version is available. If you do not enable this option, the user is given a choice to manually upgrade the client’s software when a more recent version is available.
Related Documentation
• Dynamic VPN Overview on page 3
• Understanding Dynamic VPN Tunnels on page 7
• Example: Configuring Dynamic VPN on page 25
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Example: Configuring Dynamic VPN
Supported Platforms SRX100, SRX210, SRX240, SRX650
This example shows how to configure a dynamic VPN on a Juniper Networks device to
provide VPN access to remote clients.
• Requirements on page 25
• Overview on page 25
• Configuration on page 28
• Verification on page 33
Requirements
Before you begin:
1. Configure network interfaces on the device. See Junos OS Interfaces Library for Security
Devices.
2. Create security zones and assign interfaces to them. See “Understanding Security
Zones” on page 111.
3. If there will be more than two simultaneous user connections, install a Dynamic VPN
license in the device. See Installation and Upgrade Guide for Security Devices.
4. Read “Dynamic VPN Configuration Overview” on page 23.
Overview
A common deployment scenario for dynamic VPN is to provide VPN access to remote
clients that are connected through a public network such as the Internet. A public IP
address is assigned to one of the gateway’s interfaces; this interface is normally part of
the untrust zone. After the client software is installed, the remote user can access the
VPN by either logging in to a Web portal or by launching the client directly. In either case,
the remote client authenticates with the SRX Series device and downloads the latest
configuration available.
Figure 2 on page 26 illustrates this deployment topology. The ge-0/0/15.0 interface on
the SRX Series device is the termination point for the dynamic VPN tunnel. Remote clients
in the untrust zone access the ge-0/0/15.0 interface through an HTTP or HTTPS
connection.
Figure 2: Dynamic VPN Deployment Topology
[Figure: the SRX Series device terminates the tunnel on ge-0/0/15.0, between the trust zone (10.0.1.0/24) and the untrust zone; Client 1 through Client N reach the interface across the Internet.]
In this example, XAuth client authentication is performed locally and client IP addresses
are assigned from an address pool configured on the SRX Series device. See
Table 5 on page 27.
Then, standard proposal sets are used for both IKE and IPsec negotiations. For dynamic
VPN tunnels, aggressive mode must be configured and only preshared keys are supported
for Phase 1 authentication. A group IKE ID is used and the maximum number of connections
is set to 10. Because dynamic VPNs must be policy-based VPNs, a security policy must
be configured to forward traffic to the tunnel. IKE and HTTPS traffic must be allowed as
host inbound traffic. See Table 6 on page 27.
Finally, the XAuth profile configured for remote clients is specified for the dynamic VPN.
Remote users are associated with the configured IPsec VPN. Also configured are remote
protected resources (the destination addresses of traffic that is always sent through the
tunnel) and remote exceptions (the destination addresses of traffic that is sent in cleartext
instead of through the tunnel). See Table 7 on page 28.
Table 5: Remote Client Authentication and Address Assignment Configuration

Feature: IP address pool
Name: dyn-vpn-address-pool
Configuration parameters:
• Addresses: 10.10.10.0/24
• DNS server address: 4.2.2.2/32

Feature: XAuth profile
Name: dyn-vpn-access-profile
Configuration parameters:
• Remote client username: 'client1' with password $ABC123
• Remote client username: 'client2' with password $ABC123
• IP address pool reference: dyn-vpn-address-pool
• This profile is the default profile for web authentication.
Table 6: VPN Tunnel Configuration Parameters

Feature: IKE policy (Phase 1)
Name: ike-dyn-vpn-policy
Configuration parameters:
• Mode: aggressive
• Proposal set: standard
• Preshared key: (ASCII) $ABC123

Feature: IKE gateway (Phase 1)
Name: dyn-vpn-local-gw
Configuration parameters:
• IKE policy reference: ike-dyn-vpn-policy
• Dynamic hostname: dynvpn
• IKE user type: group IKE ID
• Maximum number of concurrent connections: 10
• External interface: ge-0/0/15.0
• Access profile reference: dyn-vpn-access-profile

Feature: IPsec policy (Phase 2)
Name: ipsec-dyn-vpn-policy
Configuration parameters:
• Proposal set: standard

Feature: IPsec VPN (Phase 2)
Name: dyn-vpn
Configuration parameters:
• IKE gateway reference: dyn-vpn-local-gw
• IPsec policy reference: ipsec-dyn-vpn-policy

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: dyn-vpn-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn dyn-vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/15.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH
Table 7: Dynamic VPN Configuration for Remote Clients

Feature: Access profile for remote clients
Configuration parameters:
• Access profile reference: dyn-vpn-access-profile

Feature: Remote clients
Name: all
Configuration parameters:
• IPsec VPN reference: dyn-vpn
• User name reference: client1 and client2
• Remote protected resources: 10.0.0.0/8
• Remote exceptions: 0.0.0.0/0
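The remote-protected-resources and remote-exceptions lists in Table 7 (and the longer exception list used by the group IKE ID example in Chapter 7) decide which destinations the client sends through the tunnel and which it sends in cleartext. The following Python script is an added illustration, not Juniper code: it models that decision as a longest-prefix match between the two lists (an assumption made for this illustration; the client's actual resolution order is not specified in this guide) and adds a review check, cleartext_holes, that flags any exception prefix carving a cleartext hole out of a protected resource. The function names route_decision and cleartext_holes are this example's own.

```python
"""Split-tunnel decision for a dynamic VPN client (added example, not Juniper code).

Models the two lists configured under [edit security dynamic-vpn clients <name>]:
remote-protected-resources (always sent through the tunnel) and remote-exceptions
(sent in cleartext). Resolution rule used here: the most specific matching prefix
wins, and a tie goes to the tunnel. That rule is an assumption for this illustration.
"""
import ipaddress
from typing import Iterable, List, Optional


def _longest_match(dest, prefixes: Iterable[str]) -> Optional[int]:
    """Return the prefix length of the most specific prefix containing dest, or None."""
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)  # 1.1.1.1/24 is read as 1.1.1.0/24
        if dest in net and (best is None or net.prefixlen > best):
            best = net.prefixlen
    return best


def route_decision(dest: str, protected: Iterable[str], exceptions: Iterable[str]) -> str:
    """Return "tunnel", "cleartext" or "unmatched" for a destination address."""
    addr = ipaddress.ip_address(dest)
    p_len = _longest_match(addr, protected)
    e_len = _longest_match(addr, exceptions)
    if p_len is None and e_len is None:
        return "unmatched"
    if e_len is None:
        return "tunnel"
    if p_len is None:
        return "cleartext"
    return "tunnel" if p_len >= e_len else "cleartext"  # assumption: tie goes to the tunnel


def cleartext_holes(protected: Iterable[str], exceptions: Iterable[str]) -> List[str]:
    """List exception prefixes that sit inside a protected resource with a longer mask.

    Such an entry silently sends part of a 'protected' range in cleartext, which is
    the configuration review finding this check exists for.
    """
    p_nets = [ipaddress.ip_network(p, strict=False) for p in protected]
    holes = []
    for e in exceptions:
        e_net = ipaddress.ip_network(e, strict=False)
        if any(e_net.subnet_of(p) and e_net.prefixlen > p.prefixlen for p in p_nets):
            holes.append(e)
    return holes


if __name__ == "__main__":
    # Lists from Table 7 (remote clients "all") and, for comparison, the longer
    # exception list used by the group IKE ID example later in this guide.
    configs = {
        "all": (["10.0.0.0/8"], ["0.0.0.0/0"]),
        "groupcfg": (["10.100.100.0/24"], ["0.0.0.0/0", "1.1.1.1/24", "0.0.0.0/32"]),
    }
    for name, (prot, exc) in configs.items():
        for dest in ("10.0.1.5", "10.100.100.7", "1.1.1.9", "8.8.8.8"):
            print(f"{name:9} {dest:13} -> {route_decision(dest, prot, exc)}")
        print(f"{name:9} cleartext holes: {cleartext_holes(prot, exc)}")
```

With the Table 7 lists, 10.0.1.5 is tunnelled and 8.8.8.8 goes in cleartext, which is the split-tunnel behaviour this example intends; cleartext_holes returns an empty list for both configurations in this guide and would return an entry such as 10.0.5.0/24 if that prefix were added as an exception alongside 10.0.0.0/8.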
Configuration
• Configuring the Remote User Authentication and Address Assignment on page 28
• Configuring the VPN Tunnel on page 29
• Associate the Dynamic VPN with Remote Clients on page 32
Configuring the Remote User Authentication and Address Assignment
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure remote user authentication and address assignment:
1. Create the address assignment pool.
[edit access address-assignment]
user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
2. Configure the XAuth profile.
[edit access]
user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
3. Configure Web authentication using the XAuth profile.
[edit access firewall-authentication]
user@host# set web-authentication default-profile dyn-vpn-access-profile
Results From configuration mode, confirm your configuration by entering the show access
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show access
profile dyn-vpn-access-profile {
    client client1 {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    client client2 {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 10.10.10.0/24;
            xauth-attributes {
                primary-dns 4.2.2.2/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile dyn-vpn-access-profile;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the VPN Tunnel
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
[edit]
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ssh
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure the VPN tunnel:
1. Configure the IKE policy.
[edit security ike]
user@host# set policy ike-dyn-vpn-policy mode aggressive
user@host# set policy ike-dyn-vpn-policy proposal-set standard
user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
2. Configure the IKE gateway.
[edit security ike]
user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
3. Configure IPsec.
[edit security ipsec]
user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
4. Configure the security policy.
[edit security policies from-zone untrust to-zone trust]
user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
5. Configure host inbound traffic.
[edit security zones security-zone untrust interfaces ge-0/0/15.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh
Results From configuration mode, confirm your configuration by entering the show security ike,
show security ipsec, show security policies, and show security zones commands. If the
output does not display the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show security ike
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/15.0;
    xauth access-profile dyn-vpn-access-profile;
}
[edit]
user@host# show security ipsec
policy ipsec-dyn-vpn-policy {
    proposal-set standard;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn-local-gw;
        ipsec-policy ipsec-dyn-vpn-policy;
    }
}
[edit]
user@host# show security policies
from-zone untrust to-zone trust {
    policy dyn-vpn-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn;
                }
            }
        }
    }
}
[edit]
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/15.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Associate the Dynamic VPN with Remote Clients
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To associate the dynamic VPN with remote clients:
1. Specify the access profile to use with dynamic VPN.
[edit security dynamic-vpn]
user@host# set access-profile dyn-vpn-access-profile
2. Configure the clients who can use the dynamic VPN.
[edit security dynamic-vpn]
user@host# set clients all ipsec-vpn dyn-vpn
user@host# set clients all user client1
user@host# set clients all user client2
user@host# set clients all remote-protected-resources 10.0.0.0/8
user@host# set clients all remote-exceptions 0.0.0.0/0
Results From configuration mode, confirm your configuration by entering the show security
dynamic-vpn command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.
[edit]
user@host# show security dynamic-vpn
access-profile dyn-vpn-access-profile;
clients {
    all {
        remote-protected-resources {
            10.0.0.0/8;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dyn-vpn;
        user {
            client1;
            client2;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Dynamic VPN tunnels can be monitored with the same commands used to monitor
traditional IPsec VPN tunnels. To confirm that the configuration is working properly,
perform these tasks:
• Verifying IKE Phase 1 Status on page 33
• Verifying Connected Clients and Assigned Addresses on page 34
• Verifying IPsec Phase 2 Status on page 34
• Verifying Concurrent Connections and Parameters for Each User on page 34
Verifying IKE Phase 1 Status
Purpose Verify the IKE Phase 1 status of the security associations.
Action From operational mode, enter the show security ike security-associations command.
user@host> show security ike security-associations
Index   Remote Address   State  Initiator cookie   Responder cookie   Mode
18      172.19.100.99    UP     37b45aa1469e488b   7d4454404002e2e6   Aggressive
Verifying Connected Clients and Assigned Addresses
Purpose Verify the remote clients that have connected through XAuth and the IP addresses assigned to them.
Action From operational mode, enter the show security ike active-peer command.
user@host> show security ike active-peer
Remote Address   Port  Peer IKE-ID  XAUTH username  Assigned IP
172.19.100.99    500   testdynvpn   test            10.10.10.2
Verifying IPsec Phase 2 Status
Purpose Verify the IPsec Phase 2 status of the security associations.
Action From operational mode, enter the show security ipsec security-associations command.
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID          Gateway         Port  Algorithm         SPI       Life:sec/kb   Mon  vsys
  <133955586  172.19.100.99   500   ESP:aes-128/sha1  9c23b7a9  2862/ 449996  -    root
  >133955586  172.19.100.99   500   ESP:aes-128/sha1  c72c8f88  2862/ 449996  -    root
Verifying Concurrent Connections and Parameters for Each User
Purpose Verify the number of concurrent connections and the negotiated parameters for each
user.
Action From operational mode, enter the show security dynamic-vpn users command.
user@host> show security dynamic-vpn users
User: test , User group: group-one, Number of connections: 1
  Remote IP: 172.19.100.99
  IPSEC VPN: dyn-vpn
  IKE gateway: dyn-vpn-local-gw
  IKE ID : testdynvpn
  IKE Lifetime: 28800
  IPSEC Lifetime: 3600
  Status: CONNECTED
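The show commands in this verification section are what an operator would poll to confirm that only the configured users are connected, that assigned addresses come from dyn-vpn-address-pool, and that the number of connections stays within the gateway's connections-limit of 10. The following Python script is an added example, not Juniper code: it parses two of those outputs (the sample text is constructed from the lines shown above) and runs those checks, returning findings rather than printing them so it can be dropped into a monitoring job. The column layout of show security ike active-peer and the "User: ..., Number of connections: N" summary line are taken from the outputs above; any other layout is outside what the parsers assume. Note that the sample output shows the XAuth user test, while the configuration in this example defines client1 and client2; the usage at the bottom shows how the check reports that mismatch.

```python
"""Checks over dynamic VPN operational output (added example, not Juniper code).

The two sample outputs are constructed from the lines shown in this verification
section. The parsers assume the column layout of 'show security ike active-peer'
and the 'User: <name> , User group: <g>, Number of connections: <n>' summary line of
'show security dynamic-vpn users' exactly as printed above; other layouts are not handled.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample: the active-peer table from the verification section.
ACTIVE_PEER_OUTPUT = """\
Remote Address   Port  Peer IKE-ID  XAUTH username  Assigned IP
172.19.100.99    500   testdynvpn   test            10.10.10.2
"""

# Constructed sample: one user block from 'show security dynamic-vpn users'.
DYNAMIC_VPN_USERS_OUTPUT = """\
User: test , User group: group-one, Number of connections: 1
  Remote IP: 172.19.100.99
  IPSEC VPN: dyn-vpn
  IKE gateway: dyn-vpn-local-gw
  IKE ID : testdynvpn
  IKE Lifetime: 28800
  IPSEC Lifetime: 3600
  Status: CONNECTED
"""

_USER_LINE = re.compile(
    r"^User:\s*(\S+)\s*,\s*User group:\s*(\S+)\s*,\s*Number of connections:\s*(\d+)"
)


def parse_active_peers(text: str) -> List[Dict[str, str]]:
    """Parse the active-peer table into one dict per peer (header row skipped)."""
    peers = []
    rows = [line for line in text.splitlines() if line.strip()]
    for row in rows[1:]:
        fields = row.split()
        if len(fields) != 5:
            continue  # tolerate trailing or malformed lines
        remote, port, ike_id, xauth_user, assigned = fields
        peers.append({"remote": remote, "port": port, "ike_id": ike_id,
                      "xauth_user": xauth_user, "assigned_ip": assigned})
    return peers


def parse_dynamic_vpn_users(text: str) -> List[Dict[str, object]]:
    """Parse per-user blocks; indented 'Key: value' lines become lower-cased keys."""
    users: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = _USER_LINE.match(line)
        if m:
            current = {"user": m.group(1), "group": m.group(2),
                       "connections": int(m.group(3))}
            users.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip().lower()] = value.strip()
    return users


def check_session_state(peers: List[Dict[str, str]], users: List[Dict[str, object]],
                        expected_users: Iterable[str], pool_cidr: str,
                        connections_limit: int) -> List[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    expected = set(expected_users)
    pool = ipaddress.ip_network(pool_cidr)
    for p in peers:
        if p["xauth_user"] not in expected:
            findings.append(f"unexpected XAuth user {p['xauth_user']!r} from {p['remote']}")
        if ipaddress.ip_address(p["assigned_ip"]) not in pool:
            findings.append(f"assigned IP {p['assigned_ip']} is outside pool {pool_cidr}")
    total = sum(int(u["connections"]) for u in users)
    if total > connections_limit:
        findings.append(f"{total} connections exceed connections-limit {connections_limit}")
    for u in users:
        if u.get("status") != "CONNECTED":
            findings.append(f"user {u['user']!r} is in state {u.get('status')!r}")
    return findings


if __name__ == "__main__":
    peers = parse_active_peers(ACTIVE_PEER_OUTPUT)
    users = parse_dynamic_vpn_users(DYNAMIC_VPN_USERS_OUTPUT)
    # Users as configured in this example: the sample output's XAuth user "test"
    # is not among them, so the check reports it.
    for f in check_session_state(peers, users, {"client1", "client2"}, "10.10.10.0/24", 10):
        print("finding:", f)
```

In practice the two strings would be replaced by the output captured from the device (for example over NETCONF or an SSH session); the checks themselves do not depend on how the text was obtained.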
Related Documentation
• Dynamic VPN Overview on page 3
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Example: Configuring Unique URLs for J-Web and Dynamic VPN
Supported Platforms SRX100, SRX210, SRX240, SRX650
This example shows how to prevent J-Web access when both J-Web and dynamic VPN
are enabled on the same interface.
• Requirements on page 35
• Overview on page 35
• Configuration on page 35
Requirements
Before you begin, verify whether J-Web and dynamic VPN are configured on the same interface.
To verify the configuration, use the following commands:
• show security ike
• show system services web-management
Overview
The configuration attribute management-url at the [edit system services
web-management]hierarchy level controls J-Web access when both J-Web and dynamic
VPN are enabled on the same interface.
Dynamic VPN must have the configured HTTPS certificate and the webserver to
communicate with the client. Therefore, the configuration at the [edit system services
web-management] hierarchy level required to start the Appweb webserver cannot be
deleted or deactivated.
You can also enable trace options for dynamic VPN, assign debug levels for the Appweb
process, and configure the maximum number of sessions that the web-management
command can allow with the session-limits configuration option.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit system services
web-management] hierarchy level, and then enter commit from configuration mode.
set traceoptions level all
set traceoptions flag all
set management-url jweb
set https system-generated-certificate
set limits debug-level 9
set session session-limit 7
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.
To configure URL separation for J-Web and dynamic VPN when both J-Web and dynamic
VPN are enabled on the same interface:
1. Configure the device to write trace (debug) output at all levels.
[edit system services web-management traceoptions]
user@host# set level all
2. Enable trace flags for all system services and for dynamic VPN.
[edit system services web-management traceoptions]
user@host# set flag all
3. Configure the management URL path for Web management access.
[edit system services web-management]
user@host# set management-url jweb
4. Configure the HTTPS certificate.
[edit system services web-management]
user@host# set https system-generated-certificate
5. Configure the debug level for the Appweb process.
[edit system services web-management]
user@host# set limits debug-level 9
6. Configure the maximum number of sessions that Web management can allow.
[edit system services web-management]
user@host# set session session-limit 7
Results From configuration mode, confirm your configuration by entering the show system services
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
[edit]
user@host# show system services
ssh;
telnet;
web-management {
    traceoptions {
        level all;
        flag all;
    }
    management-url jweb;
    http {
        interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0];
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Related Documentation
• Understanding URL Separation for J-Web and Dynamic VPN on page 10
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 6
Local Authentication and Address Assignment
• Example: Configuring Local Authentication and Address Pool on page 39
Example: Configuring Local Authentication and Address Pool
Supported Platforms SRX100, SRX210, SRX240, SRX650
This example shows how to create an address pool and how to assign client IP addresses
in an access profile.
Requirements
Before you begin, configure primary and secondary DNS and WINS servers and assign IP
addresses to them.
Overview
This example creates an address pool xauth1 that consists of the IP addresses in the
40.0.0.0/24 subnet. The xauth1 pool also assigns IP addresses for primary and secondary
DNS and WINS servers.
The access profile dvpn-auth references the xauth1 pool. The dvpn-auth access profile
configures two clients:
• jason: The IP address 40.0.0.1 is bound to this client. Upon successful authentication,
the client is assigned the IP address 40.0.0.1. If the client logs in again before logging
out, the client is assigned an IP address from the xauth1 pool.
• jacky: Upon successful authentication, the client is assigned an IP address from the
xauth1 pool.
In addition, the dvpn-auth access profile specifies that password authentication is used
to verify clients at login. Additional authentication methods may be specified; the software
tries the authentication methods in order, from first to last, for each client login attempt.
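The behaviour just described, a bound address for jason, pool addresses for jacky, and a fallback to the pool when jason logs in again before logging out, is easy to misread, so the following Python model is added here as an illustration; it is not Juniper code and does not describe the SRX implementation. It assumes that pool addresses are handed out lowest-first and that a statically bound address is never handed out as a pool lease; the Host/User labelling (user@profile for a static binding, the bare user name for a pool lease) follows the verification output shown later in this example. The class name XauthPool and its methods are this example's own.

```python
"""XAuth address assignment with a static binding and a pool (added example, not Juniper code).

Reproduces the behaviour described in this overview: jason holds the bound address
40.0.0.1, jacky is served from the xauth1 pool, and a second login by jason while his
first session is still active falls back to the pool. Assumptions for this model:
pool addresses are handed out lowest-first, and statically bound addresses are never
handed out as pool leases. The Host/User labelling (user@profile for a static binding,
bare user name for a pool lease) follows the verification output shown later.
"""
import ipaddress
from typing import Dict, List, Optional


class XauthPool:
    def __init__(self, profile: str, network: str, static_bindings: Dict[str, str]):
        self.profile = profile
        self.net = ipaddress.ip_network(network)
        # Bindings may be written with or without a /32 suffix, as in this example.
        self.static = {user: ipaddress.ip_address(addr.split("/")[0])
                       for user, addr in static_bindings.items()}
        self.leases: Dict[object, Dict[str, str]] = {}  # address -> {"user", "host_user"}

    def _next_free(self):
        """Lowest free host address that is neither leased nor statically bound."""
        reserved = set(self.static.values())
        for host in self.net.hosts():
            if host not in self.leases and host not in reserved:
                return host
        return None

    def login(self, user: str) -> Optional[str]:
        """Assign an address to a freshly authenticated user; None if the pool is exhausted."""
        bound = self.static.get(user)
        if bound is not None and bound not in self.leases:
            self.leases[bound] = {"user": user, "host_user": f"{user}@{self.profile}"}
            return str(bound)
        # No binding, or the bound address is still held by an earlier session.
        addr = self._next_free()
        if addr is None:
            return None
        self.leases[addr] = {"user": user, "host_user": user}
        return str(addr)

    def logout(self, address: str) -> bool:
        """Release a lease; False if the address was not leased."""
        return self.leases.pop(ipaddress.ip_address(address), None) is not None

    def show(self) -> List[str]:
        """Rows in the layout of 'show network-access address-assignment pool'."""
        rows = ["IP address   Hardware address   Host/User          Type"]
        for addr in sorted(self.leases):
            info = self.leases[addr]
            rows.append(f"{str(addr):<12} {'NA':<18} {info['host_user']:<18} XAUTH")
        return rows


if __name__ == "__main__":
    pool = XauthPool("dvpn-auth", "40.0.0.0/24", {"jason": "40.0.0.1/32"})
    for user in ("jason", "jacky", "jason"):
        print(f"{user} -> {pool.login(user)}")
    print("\n".join(pool.show()))
```

Running the script shows jason at 40.0.0.1, jacky at 40.0.0.2 and jason's second session at 40.0.0.3, with the first jason row labelled jason@dvpn-auth and the pool rows labelled with the bare user name.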
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set access profile dvpn-auth authentication-order password
set access profile dvpn-auth client jacky firewall-user password "$ABC123"
set access profile dvpn-auth client jason xauth ip-address 40.0.0.1/32
set access profile dvpn-auth client jason firewall-user password "$ABC123"
set access profile dvpn-auth address-assignment pool xauth1
set access address-assignment pool xauth1 family inet network 40.0.0.0/24
set access address-assignment pool xauth1 family inet xauth-attributes primary-dns 40.0.0.250/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-dns 40.0.0.251/32
set access address-assignment pool xauth1 family inet xauth-attributes primary-wins 40.0.0.253/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-wins 40.0.0.254/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure an address pool and an access profile that uses the address pool:
1. Create the address pool.
[edit access address-assignment]
user@host# set pool xauth1 family inet network 40.0.0.0/24 xauth-attributes primary-dns 40.0.0.250 secondary-dns 40.0.0.251 primary-wins 40.0.0.253 secondary-wins 40.0.0.254
2. Configure the access profile.
[edit access]
user@host# set profile dvpn-auth address-assignment pool xauth1
user@host# set profile dvpn-auth authentication-order password
user@host# set profile dvpn-auth client jason xauth ip-address 40.0.0.1
user@host# set profile dvpn-auth client jason firewall-user password jason
user@host# set profile dvpn-auth client jacky firewall-user password jacky
Results From configuration mode, confirm your configuration by entering the show access
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
user@host# show access
profile dvpn-auth {
    authentication-order password;
    client jacky {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    client jason {
        xauth {
            ip-address 40.0.0.1/32;
        }
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool xauth1;
    }
}
address-assignment {
    pool xauth1 {
        family inet {
            network 40.0.0.0/24;
            xauth-attributes {
                primary-dns 40.0.0.250/32;
                secondary-dns 40.0.0.251/32;
                primary-wins 40.0.0.253/32;
                secondary-wins 40.0.0.254/32;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying Address Assignment on page 41
Verifying Address Assignment
Purpose Verify address assignment. For XAuth, the hardware address is always shown as NA. If
a static IP address is assigned to a specific user, the user name and profile name (in the
format user@profile) are displayed in the "Host/User" column. If a client is assigned an IP
address from the pool, the username is displayed; if the username does not exist, NA is
displayed. For other applications (for example, DHCP), the hostname is displayed if
configured; if the hostname is not configured, NA is displayed.
Action From operational mode, enter the show network-access address-assignment pool command.
user@host> show network-access address-assignment pool xauth1
IP address   Hardware address   Host/User          Type
40.0.0.1     NA                 jason@dvpn-auth    XAUTH
40.0.0.2     NA                 jacky              XAUTH
Related Documentation
• Understanding Local Authentication and Address Assignment on page 13
• Dynamic VPN Overview on page 3
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Example: Configuring Dynamic VPN on page 25
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 7
Group and Shared IKE IDs
• Example: Configuring a Group IKE ID for Multiple Users on page 43
• Example: Configuring Individual IKE IDs for Multiple Users on page 49
Example: Configuring a Group IKE ID for Multiple Users
Supported Platforms SRX100, SRX210, SRX240, SRX650
This example shows how to configure a group IKE ID that is used by multiple users.
• Requirements on page 43
• Overview on page 43
• Configuration on page 45
• Verification on page 49
Requirements
Before you begin:
1. Configure network interfaces on the device. See the Junos OS Interfaces Library for
Security Devices.
2. Create security zones and assign interfaces to them. See Understanding Security Zones.
3. If there will be more than two simultaneous user connections, install a Dynamic VPN
license in the device. See Installation and Upgrade Guide for Security Devices.
4. Read “Dynamic VPN Configuration Overview” on page 23.
Overview
In this example, you configure two remote dynamic VPN users who use a single IKE ID
and a single IKE preshared key (see Table 8 on page 44 and Table 9 on page 44). An
external RADIUS server is used to authenticate users and assign IP addresses to clients
(see Table 10 on page 45).
Table 8: Group IKE ID VPN Tunnel Configuration Parameters

Feature: IKE policy (Phase 1)
Name: clientpol-group
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-everyone-in-access-profile

Feature: IKE gateway (Phase 1)
Name: groupgw
Configuration parameters:
• IKE policy reference: clientpol-group
• Dynamic hostname: example.net
• IKE user type: group IKE ID
• Maximum number of concurrent connections: 50
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client1vpnPol
Configuration parameters:
• Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: groupvpn
Configuration parameters:
• IKE gateway reference: groupgw
• IPsec policy reference: client1vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: group-sec-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn groupvpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH
Table 9: Group IKE ID Dynamic VPN Configuration for Remote Clients

Feature: Access profile for remote clients
Configuration parameters:
• Access profile reference: radius-profile

Feature: Remote clients
Name: groupcfg
Configuration parameters:
• IPsec VPN reference: groupvpn
• User name reference: derek and chris
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24, 0.0.0.0/32
Table 10: RADIUS Server User Authentication (Group IKE ID)

Feature: XAuth profile
Name: radius-profile
Configuration parameters:
• RADIUS is the authentication method used to verify user credentials.
• The RADIUS server IP address is 10.100.100.250 and the password is secret.
• This profile is the default profile for Web authentication.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set access firewall-authentication web-authentication default-profile radius-profile
set security ike policy clientpol-group mode aggressive
set security ike policy clientpol-group proposal-set compatible
set security ike policy clientpol-group pre-shared-key ascii-text "$ABC123"
set security ike gateway groupgw ike-policy clientpol-group
set security ike gateway groupgw dynamic hostname example.net
set security ike gateway groupgw dynamic connections-limit 50
set security ike gateway groupgw dynamic ike-user-type group-ike-id
set security ike gateway groupgw external-interface ge-0/0/0.0
set security ike gateway groupgw xauth access-profile radius-profile
set security ipsec policy client1vpnPol proposal-set compatible
set security ipsec vpn groupvpn ike gateway groupgw
set security ipsec vpn groupvpn ike ipsec-policy client1vpnPol
set security policies from-zone untrust to-zone trust policy group-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy group-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy group-sec-policy match application any
set security policies from-zone untrust to-zone trust policy group-sec-policy then permit tunnel ipsec-vpn groupvpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients groupcfg remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients groupcfg remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients groupcfg ipsec-vpn groupvpn
set security dynamic-vpn clients groupcfg user chris
set security dynamic-vpn clients groupcfg user derek
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure a group IKE ID for multiple users:
1. Configure the XAuth profile.
[edit access]
user@host# set profile radius-profile authentication-order radius
user@host# set profile radius-profile radius-server 10.100.100.250 secret secret
user@host# set firewall-authentication web-authentication default-profile radius-profile
2. Configure the IKE policy.
[edit security ike]
user@host# set policy clientpol-group mode aggressive
user@host# set policy clientpol-group proposal-set compatible
user@host# set policy clientpol-group pre-shared-key ascii-text for-everyone-in-access-profile
3. Configure the IKE gateway.
[edit security ike]
user@host# set gateway groupgw ike-policy clientpol-group
user@host# set gateway groupgw dynamic hostname example.net
user@host# set gateway groupgw dynamic ike-user-type group-ike-id
user@host# set gateway groupgw dynamic connections-limit 50
user@host# set gateway groupgw external-interface ge-0/0/0.0
user@host# set gateway groupgw xauth access-profile radius-profile
4. Configure IPsec.
[edit security ipsec]
user@host# set policy client1vpnPol proposal-set compatible
user@host# set vpn groupvpn ike gateway groupgw
user@host# set vpn groupvpn ike ipsec-policy client1vpnPol
5. Configure the security policy.
[edit security policies from-zone untrust to-zone trust]
user@host# set policy group-sec-policy match source-address any destination-address any application any
user@host# set policy group-sec-policy then permit tunnel ipsec-vpn groupvpn
6. Configure host inbound traffic.
[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh
7. Specify the access profile to use with dynamic VPN.
[edit security dynamic-vpn]
user@host# set access-profile radius-profile
8. Configure the clients who can use the dynamic VPN.
[edit security dynamic-vpn]
user@host# set clients groupcfg ipsec-vpn groupvpn
user@host# set clients groupcfg user derek
user@host# set clients groupcfg user chris
user@host# set clients groupcfg remote-protected-resources 10.100.100.0/24
user@host# set clients groupcfg remote-exceptions 0.0.0.0/0
user@host# set clients groupcfg remote-exceptions 1.1.1.1/24
user@host# set clients groupcfg remote-exceptions 0.0.0.0/32
Results From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show access
profile radius-profile {
    authentication-order radius;
    radius-server {
        10.100.100.250 secret "$ABC123"; ## SECRET-DATA
    }
}
firewall-authentication {
    web-authentication {
        default-profile radius-profile;
    }
}
user@host# show security ike
ike {
    policy clientpol-group {
        mode aggressive;
        proposal-set compatible;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway groupgw {
        ike-policy clientpol-group;
        dynamic {
            hostname example.net;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface ge-0/0/0.0;
        xauth access-profile radius-profile;
    }
}
user@host# show security ipsec
ipsec {
    policy client1vpnPol {
        proposal-set compatible;
    }
    vpn groupvpn {
        ike {
            gateway groupgw;
            ipsec-policy client1vpnPol;
        }
    }
}
user@host# show security policies
from-zone untrust to-zone trust {
    policy group-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn groupvpn;
                }
            }
        }
    }
}
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}
user@host# show security dynamic-vpn
dynamic-vpn {
    access-profile radius-profile;
    clients {
        groupcfg {
            remote-protected-resources {
                10.100.100.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
                1.1.1.1/24;
                0.0.0.0/32;
            }
            ipsec-vpn groupvpn;
            user {
                chris;
                derek;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Dynamic VPN tunnels can be monitored with the same commands used to monitor
traditional IPsec VPN tunnels. To confirm that the configuration is working properly,
perform these tasks:
• Verifying IKE Phase 1 Status on page 49
• Verifying Connected Clients and Assigned Addresses on page 49
• Verifying IPsec Phase 2 Status on page 49
• Verifying Concurrent Connections and Parameters for Each User on page 49
Verifying IKE Phase 1 Status
Purpose Verify the IKE Phase 1 status of the security associations.
Action From operational mode, enter the show security ike security-associations command.
Verifying Connected Clients and Assigned Addresses
Purpose Verify that the remote clients and the IP addresses assigned to them are using XAuth.
Action From operational mode, enter the show security ike active-peer command.
Verifying IPsec Phase 2 Status
Purpose Verify the IPsec Phase 2 status of the security associations.
Action From operational mode, enter the show security ipsec security-associations command.
Verifying Concurrent Connections and Parameters for Each User
Purpose Verify the number of concurrent connections and the negotiated parameters for each
user.
Action From operational mode, enter the show security dynamic-vpn users command.
Related Documentation
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Understanding Group and Shared IKE IDs on page 15
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Example: Configuring Individual IKE IDs for Multiple Users
Supported Platforms SRX100, SRX210, SRX240, SRX650
This example shows how to configure individual IKE IDs for multiple users.
NOTE: When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID feature allows a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required. See “Understanding Group and Shared IKE IDs” on page 15.
• Requirements on page 50
• Overview on page 50
• Configuration on page 52
• Verification on page 59
Requirements
Before you begin:
1. Configure network interfaces on the device. See Junos OS Interfaces Library for Security Devices.
2. Create security zones and assign interfaces to them. See Understanding Security Zones.
3. If there will be more than two simultaneous user connections, install a Dynamic VPN
license in the device. See Installation and Upgrade Guide for Security Devices.
4. Read “Dynamic VPN Configuration Overview” on page 23.
Overview
The following example shows the configuration for two remote dynamic VPN users. For
each user, an IKE policy and gateway, IPsec policy and VPN, and a security policy must
be configured (see Table 11 on page 50 and Table 12 on page 51). An external RADIUS
server is used to authenticate users and assign IP addresses to clients (see
Table 13 on page 52).
Table 11: Client 1 Configuration Parameters

Feature: IKE policy (Phase 1)
Name: client1pol
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-client1

Feature: IKE gateway (Phase 1)
Name: client1gw
Configuration parameters:
• IKE policy reference: client1pol
• Dynamic hostname: example.net
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client1vpnPol
Configuration parameters: Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: client1vpn
Configuration parameters:
• IKE gateway reference: client1gw
• IPsec policy reference: client1vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: client1-policy
Configuration parameters:
• Match criteria:
  • source address any
  • destination address any
  • application any
• Permit action: tunnel ipsec-vpn client1vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Feature: Access profile for remote clients
Configuration parameters: Access profile reference: radius-profile

Feature: Remote clients
Name: cfg1
Configuration parameters:
• IPsec VPN reference: client1vpn
• User name reference: derek
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24, 0.0.0.0/32
Table 12: Client 2 Configuration Parameters

Feature: IKE policy (Phase 1)
Name: client2pol
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-client2

Feature: IKE gateway (Phase 1)
Name: client2gw
Configuration parameters:
• IKE policy reference: client2pol
• Dynamic hostname: example.net
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client2vpnPol
Configuration parameters: Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: client2vpn
Configuration parameters:
• IKE gateway reference: client2gw
• IPsec policy reference: client2vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: client2-policy
Configuration parameters:
• Match criteria:
  • source address any
  • destination address any
  • application any
• Permit action: tunnel ipsec-vpn client2vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Feature: Access profile for remote clients
Configuration parameters: Access profile reference: radius-profile

Feature: Remote clients
Name: cfg2
Configuration parameters:
• IPsec VPN reference: client2vpn
• User name reference: chris
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24
Table 13: RADIUS Server User Authentication (Individual IKE ID)

Feature: XAuth profile
Name: radius-profile
Configuration parameters:
• RADIUS is the authentication method used to verify user credentials.
• RADIUS server IP address is 10.100.100.250 and the password is secret.
• This profile is the default profile for Web authentication.
Configuration
• Configuring the XAuth Profile on page 52
• Configuring Client 1 on page 53
• Configuring Client 2 on page 56
Configuring the XAuth Profile
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set access firewall-authentication web-authentication default-profile radius-profile
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure the XAuth profile:
1. Configure the access profile.
[edit access]
user@host# set profile radius-profile authentication-order radius
user@host# set profile radius-profile radius-server 10.100.100.250 secret secret
2. Configure Web authentication using the XAuth profile.
[edit access]
user@host# set firewall-authentication web-authentication default-profile radius-profile
Results From configuration mode, confirm your configuration by entering the show access
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.
user@host# show access
profile radius-profile {
    authentication-order radius;
    radius-server {
        10.100.100.250 secret "$ABC123"; ## SECRET-DATA
    }
}
firewall-authentication {
    web-authentication {
        default-profile radius-profile;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Client 1
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set security ike policy client1pol mode aggressive
set security ike policy client1pol proposal-set compatible
set security ike policy client1pol pre-shared-key ascii-text "$ABC123"
set security ike gateway client1gw ike-policy client1pol
set security ike gateway client1gw dynamic hostname example.net
set security ike gateway client1gw external-interface ge-0/0/0.0
set security ike gateway client1gw xauth access-profile radius-profile
set security ipsec policy client1vpnPol proposal-set compatible
set security ipsec vpn client1vpn ike gateway client1gw
set security ipsec vpn client1vpn ike ipsec-policy client1vpnPol
set security policies from-zone untrust to-zone trust policy client1-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy client1-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy client1-sec-policy match application any
set security policies from-zone untrust to-zone trust policy client1-sec-policy then permit tunnel ipsec-vpn client1vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg1 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients cfg1 remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients cfg1 ipsec-vpn client1vpn
set security dynamic-vpn clients cfg1 user derek
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure dynamic VPN for a single user:
1. Configure the IKE policy.
[edit security ike]
user@host# set policy client1pol mode aggressive
user@host# set policy client1pol proposal-set compatible
user@host# set policy client1pol pre-shared-key ascii-text for-client1
2. Configure the IKE gateway.
[edit security ike]
user@host# set gateway client1gw ike-policy client1pol
user@host# set gateway client1gw dynamic hostname example.net
user@host# set gateway client1gw external-interface ge-0/0/0.0
user@host# set gateway client1gw xauth access-profile radius-profile
3. Configure IPsec.
[edit security ipsec]
user@host# set policy client1vpnPol proposal-set compatible
user@host# set vpn client1vpn ike gateway client1gw
user@host# set vpn client1vpn ike ipsec-policy client1vpnPol
4. Configure the security policy.
[edit security policies from-zone untrust to-zone trust]
user@host# set policy client1-sec-policy match source-address any destination-address any application any
user@host# set policy client1-sec-policy then permit tunnel ipsec-vpn client1vpn
5. Configure host inbound traffic.
[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh
6. Specify the access profile to use with dynamic VPN.
[edit security dynamic-vpn]
user@host# set access-profile radius-profile
7. Configure the clients who can use the dynamic VPN.
[edit security dynamic-vpn]
user@host# set clients cfg1 ipsec-vpn client1vpn
user@host# set clients cfg1 user derek
user@host# set clients cfg1 remote-protected-resources 10.100.100.0/24
user@host# set clients cfg1 remote-exceptions 0.0.0.0/0
user@host# set clients cfg1 remote-exceptions 1.1.1.1/24
user@host# set clients cfg1 remote-exceptions 0.0.0.0/32
Results From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security ike
policy client1pol {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway client1gw {
    ike-policy client1pol;
    dynamic hostname example.net;
    external-interface ge-0/0/0.0;
    xauth access-profile radius-profile;
}
user@host# show security ipsec
policy client1vpnPol {
    proposal-set compatible;
}
vpn client1vpn {
    ike {
        gateway client1gw;
        ipsec-policy client1vpnPol;
    }
}
user@host# show security policies
from-zone untrust to-zone trust {
    policy client1-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn client1vpn;
                }
            }
        }
    }
}
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}
user@host# show security dynamic-vpn
access-profile radius-profile;
clients {
    cfg1 {
        remote-protected-resources {
            10.100.100.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
            1.1.1.1/24;
            0.0.0.0/32;
        }
        ipsec-vpn client1vpn;
        user {
            derek;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Client 2
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set security ike policy client2pol mode aggressive
set security ike policy client2pol proposal-set compatible
set security ike policy client2pol pre-shared-key ascii-text "$ABC123"
set security ike gateway client2gw ike-policy client2pol
set security ike gateway client2gw dynamic hostname example.net
set security ike gateway client2gw external-interface ge-0/0/0.0
set security ike gateway client2gw xauth access-profile radius-profile
set security ipsec policy client2vpnPol proposal-set compatible
set security ipsec vpn client2vpn ike gateway client2gw
set security ipsec vpn client2vpn ike ipsec-policy client2vpnPol
set security policies from-zone untrust to-zone trust policy client2-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy client2-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy client2-sec-policy match application any
set security policies from-zone untrust to-zone trust policy client2-sec-policy then permit tunnel ipsec-vpn client2vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg2 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg2 remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients cfg2 remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients cfg2 ipsec-vpn client2vpn
set security dynamic-vpn clients cfg2 user chris
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.
To configure dynamic VPN for a single user:
1. Configure the IKE policy.
[edit security ike]
user@host# set policy client2pol mode aggressive
user@host# set policy client2pol proposal-set compatible
user@host# set policy client2pol pre-shared-key ascii-text for-client2
2. Configure the IKE gateway.
[edit security ike]
user@host# set gateway client2gw ike-policy client2pol
user@host# set gateway client2gw dynamic hostname example.net
user@host# set gateway client2gw external-interface ge-0/0/0.0
user@host# set gateway client2gw xauth access-profile radius-profile
3. Configure IPsec.
[edit security ipsec]
user@host# set policy client2vpnPol proposal-set compatible
user@host# set vpn client2vpn ike gateway client2gw
user@host# set vpn client2vpn ike ipsec-policy client2vpnPol
4. Configure the security policy.
[edit security policies from-zone untrust to-zone trust]
user@host# set policy client2-sec-policy match source-address any destination-address any application any
user@host# set policy client2-sec-policy then permit tunnel ipsec-vpn client2vpn
5. Configure host inbound traffic.
[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh
6. Specify the access profile to use with dynamic VPN.
[edit security dynamic-vpn]
user@host# set access-profile radius-profile
7. Configure the clients who can use the dynamic VPN.
[edit security dynamic-vpn]
user@host# set clients cfg2 ipsec-vpn client2vpn
user@host# set clients cfg2 user chris
user@host# set clients cfg2 remote-protected-resources 10.100.100.0/24
user@host# set clients cfg2 remote-exceptions 1.1.1.1/24
user@host# set clients cfg2 remote-exceptions 0.0.0.0/32
Results From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security ike
policy client2pol {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway client2gw {
    ike-policy client2pol;
    dynamic hostname example.net;
    external-interface ge-0/0/0.0;
    xauth access-profile radius-profile;
}
user@host# show security ipsec
policy client2vpnPol {
    proposal-set compatible;
}
vpn client2vpn {
    ike {
        gateway client2gw;
        ipsec-policy client2vpnPol;
    }
}
user@host# show security policies
from-zone untrust to-zone trust {
    policy client2-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn client2vpn;
                }
            }
        }
    }
}
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}
user@host# show security dynamic-vpn
access-profile radius-profile;
clients {
    cfg2 {
        remote-protected-resources {
            10.100.100.0/24;
        }
        remote-exceptions {
            1.1.1.1/24;
            0.0.0.0/32;
        }
        ipsec-vpn client2vpn;
        user {
            chris;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
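Every procedure in this chapter, the group IKE ID example as well as the Client 1 and Client 2 examples, wires the same chain of objects together: an access profile, an IKE policy and gateway, an IPsec policy and VPN, a security policy with a tunnel action, host-inbound services on the external interface, and a dynamic-vpn client configuration that points back at the VPN. A reference that names an object that was never defined (a client configuration referring to the wrong VPN, a gateway whose interface does not allow IKE) is easy to miss when reading show output by hand. The following Python script is an added example, not part of the Juniper guide: it parses a configuration in the set format used by the CLI Quick Configuration sections and reports dangling references. The sample configuration is constructed, with two deliberate problems, and the list of expected host-inbound services is taken from the examples above (ike, https, ping, ssh); treating all four as required is this script's assumption, not a statement from the guide.

```python
"""Cross-reference check for a dynamic VPN configuration in 'set' format.

Added example, not Juniper code. It reports references between the objects
the examples configure that point at something never defined.
"""
import shlex
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the style of the guide, with two deliberate problems:
# ping and ssh are not allowed on the external interface, and the client
# configuration cfg2 references an IPsec VPN that is not defined.
SAMPLE_CONFIG = """
set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set security ike policy client2pol mode aggressive
set security ike policy client2pol pre-shared-key ascii-text "$ABC123"
set security ike gateway client2gw ike-policy client2pol
set security ike gateway client2gw dynamic hostname example.net
set security ike gateway client2gw external-interface ge-0/0/0.0
set security ike gateway client2gw xauth access-profile radius-profile
set security ipsec policy client2vpnPol proposal-set compatible
set security ipsec vpn client2vpn ike gateway client2gw
set security ipsec vpn client2vpn ike ipsec-policy client2vpnPol
set security policies from-zone untrust to-zone trust policy client2-sec-policy then permit tunnel ipsec-vpn client2vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg2 ipsec-vpn client1vpn
set security dynamic-vpn clients cfg2 user chris
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
"""

# Services the guide's examples allow on the external interface (assumption:
# all four are treated as required here).
EXPECTED_SERVICES = {"ike", "https", "ping", "ssh"}


def parse_set_lines(text: str) -> List[List[str]]:
    """Return each 'set ...' line as a token list, without the leading 'set'."""
    return [shlex.split(line.strip())[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def index_config(stmts: List[List[str]]) -> Dict[str, object]:
    """Collect defined names and the references between them."""
    idx = {"access_profiles": set(), "ike_policies": set(), "ike_gateways": set(),
           "ipsec_policies": set(), "ipsec_vpns": set(), "policy_tunnel_vpns": set(),
           "gw": defaultdict(dict), "vpn": defaultdict(dict), "client_vpn": {},
           "dvpn_access_profile": None, "if_services": defaultdict(set)}
    for t in stmts:
        if t[:2] == ["access", "profile"]:
            idx["access_profiles"].add(t[2])
        elif t[:3] == ["security", "ike", "policy"]:
            idx["ike_policies"].add(t[3])
        elif t[:3] == ["security", "ike", "gateway"]:
            idx["ike_gateways"].add(t[3])
            rest = t[4:]
            if rest[:1] == ["ike-policy"]:
                idx["gw"][t[3]]["policy"] = rest[1]
            elif rest[:2] == ["xauth", "access-profile"]:
                idx["gw"][t[3]]["xauth"] = rest[2]
            elif rest[:1] == ["external-interface"]:
                idx["gw"][t[3]]["iface"] = rest[1]
        elif t[:3] == ["security", "ipsec", "policy"]:
            idx["ipsec_policies"].add(t[3])
        elif t[:3] == ["security", "ipsec", "vpn"]:
            idx["ipsec_vpns"].add(t[3])
            if t[4:6] == ["ike", "gateway"]:
                idx["vpn"][t[3]]["gateway"] = t[6]
            elif t[4:6] == ["ike", "ipsec-policy"]:
                idx["vpn"][t[3]]["policy"] = t[6]
        elif t[:2] == ["security", "policies"] and "ipsec-vpn" in t:
            idx["policy_tunnel_vpns"].add(t[t.index("ipsec-vpn") + 1])
        elif t[:3] == ["security", "dynamic-vpn", "access-profile"]:
            idx["dvpn_access_profile"] = t[3]
        elif t[:3] == ["security", "dynamic-vpn", "clients"] and t[4:5] == ["ipsec-vpn"]:
            idx["client_vpn"][t[3]] = t[5]
        elif t[:2] == ["security", "zones"] and "system-services" in t:
            idx["if_services"][t[t.index("interfaces") + 1]].add(t[-1])
    return idx


def check_dynamic_vpn(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the references are consistent."""
    idx = index_config(parse_set_lines(text))
    out: List[str] = []
    prof = idx["dvpn_access_profile"]
    if prof not in idx["access_profiles"]:
        out.append(f"dynamic-vpn: access-profile {prof} is not defined under [edit access]")
    for gw in sorted(idx["ike_gateways"]):
        g = idx["gw"][gw]
        if g.get("policy") not in idx["ike_policies"]:
            out.append(f"ike gateway {gw}: ike-policy {g.get('policy')} is not defined")
        if g.get("xauth") not in idx["access_profiles"]:
            out.append(f"ike gateway {gw}: xauth access-profile {g.get('xauth')} is not defined")
        missing = EXPECTED_SERVICES - idx["if_services"][g.get("iface")]
        if missing:
            out.append(f"interface {g.get('iface')}: host-inbound-traffic lacks {sorted(missing)}")
    for vpn in sorted(idx["ipsec_vpns"]):
        v = idx["vpn"][vpn]
        if v.get("gateway") not in idx["ike_gateways"]:
            out.append(f"ipsec vpn {vpn}: ike gateway {v.get('gateway')} is not defined")
        if v.get("policy") not in idx["ipsec_policies"]:
            out.append(f"ipsec vpn {vpn}: ipsec-policy {v.get('policy')} is not defined")
    for cfg, vpn in sorted(idx["client_vpn"].items()):
        if vpn not in idx["ipsec_vpns"]:
            out.append(f"clients {cfg}: ipsec-vpn {vpn} is not defined under [edit security ipsec]")
        elif vpn not in idx["policy_tunnel_vpns"]:
            out.append(f"clients {cfg}: no security policy permits tunnel ipsec-vpn {vpn}")
    return out


if __name__ == "__main__":
    for finding in check_dynamic_vpn(SAMPLE_CONFIG):
        print(finding)
```

Run against the output of `show configuration | display set` saved to a file, the script prints one line per dangling reference and nothing when the chain from client configuration to IKE gateway to interface is complete; the check is on names only, so it complements rather than replaces the show commands in the Results sections.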
Verification
Dynamic VPN tunnels can be monitored with the same commands used to monitor
traditional IPsec VPN tunnels. To confirm that the configuration is working properly,
perform these tasks:
• Verifying IKE Phase 1 Status on page 60
• Verifying Connected Clients and Assigned Addresses on page 60
• Verifying IPsec Phase 2 Status on page 60
• Verifying Concurrent Connections and Parameters for Each User on page 60
Verifying IKE Phase 1 Status
Purpose Verify the IKE Phase 1 status of the security associations.
Action From operational mode, enter the show security ike security-associations command.
Verifying Connected Clients and Assigned Addresses
Purpose Verify that the remote clients and the IP addresses assigned to them are using XAuth.
Action From operational mode, enter the show security ike active-peer command.
Verifying IPsec Phase 2 Status
Purpose Verify the IPsec Phase 2 status of the security associations.
Action From operational mode, enter the show security ipsec security-associations command.
Verifying Concurrent Connections and Parameters for Each User
Purpose Verify the number of concurrent connections and the negotiated parameters for each
user.
Action From operational mode, enter the show security dynamic-vpn users command.
Related Documentation
• Understanding Dynamic VPN Tunnels on page 7
• Dynamic VPN Configuration Overview on page 23
• Understanding Group and Shared IKE IDs on page 15
• Example: Configuring a Group IKE ID for Multiple Users on page 43
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 8
Configuration Statements
• Security Configuration Statement Hierarchy on page 61
• [edit security dynamic-vpn] Hierarchy Level on page 63
• access-profile (Security Dynamic VPN) on page 63
• access-profile (Security IKE Gateway) on page 64
• clients (Security) on page 64
• config-check (Security Dynamic VPN) on page 65
• dynamic-vpn on page 66
• force-upgrade on page 67
• ike (Security) on page 68
• interface (Security Dynamic VPN) on page 70
• ipsec (Security) on page 71
• ipsec-vpn (Security Dynamic VPNs) on page 72
• remote-exceptions on page 73
• remote-protected-resources on page 73
• traceoptions (Security Dynamic VPN) on page 74
• user (Security Dynamic VPN) on page 75
• user-groups (Security Dynamic VPN) on page 75
• xauth-attributes on page 76
Security Configuration Statement Hierarchy
Supported Platforms J Series, LN Series, SRX Series
Use the statements in the security configuration hierarchy to configure actions, certificates,
dynamic virtual private networks (VPNs), firewall authentication, flow, forwarding options,
group VPNs, Intrusion Detection Prevention (IDP), Internet Key Exchange (IKE), Internet
Protocol Security (IPsec), logging, Network Address Translation (NAT), public key
infrastructure (PKI), policies, resource manager, rules, screens, secure shell known hosts,
trace options, user identification, Unified Threat Management (UTM), and zones.
Statements that are exclusive to the J Series and SRX Series devices running Junos OS
are described in this section.
Each of the following topics lists the statements at a sub-hierarchy of the [edit security]
hierarchy.
• [edit security address-book] Hierarchy Level
• [edit security alarms] Hierarchy Level
• [edit security alg] Hierarchy Level
• [edit security analysis] Hierarchy Level
• [edit security application-firewall] Hierarchy Level
• [edit security application-tracking] Hierarchy Level
• [edit security certificates] Hierarchy Level
• [edit security datapath-debug] Hierarchy Level
• [edit security dynamic-vpn] Hierarchy Level on page 63
• [edit security firewall-authentication] Hierarchy Level
• [edit security flow] Hierarchy Level
• [edit security forwarding-options] Hierarchy Level
• [edit security forwarding-process] Hierarchy Level
• [edit security gprs] Hierarchy Level
• [edit security group-vpn] Hierarchy Level
• [edit security idp] Hierarchy Level
• [edit security ike] Hierarchy Level
• [edit security ipsec] Hierarchy Level
• [edit security log] Hierarchy Level
• [edit security nat] Hierarchy Level
• [edit security pki] Hierarchy Level
• [edit security policies] Hierarchy Level
• [edit security resource-manager] Hierarchy Level
• [edit security screen] Hierarchy Level
• [edit security softwires] Hierarchy Level
• [edit security ssh-known-hosts] Hierarchy Level
• [edit security traceoptions] Hierarchy Level
• [edit security user-identification] Hierarchy Level
• [edit security utm] Hierarchy Level
• [edit security zones] Hierarchy Level
Related Documentation
• Master Administrator for Logical Systems Feature Guide for Security Devices
• CLI User Guide
[edit security dynamic-vpn] Hierarchy Level
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
security {
    dynamic-vpn {
        access-profile profile-name;
        clients configuration-name {
            ipsec-vpn vpn-name;
            remote-exceptions ip-address/mask;
            remote-protected-resources ip-address/mask;
            user username;
            user-groups user-group-names;
        }
        force-upgrade;
        config-check;
        interface;
        traceoptions {
            file filename;
            flag flag;
        }
    }
}
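The hierarchy above is small enough to be checked mechanically before a commit: every statement under [edit security dynamic-vpn] is either a flag, a single-argument leaf, or a client configuration whose two prefix statements take an ip-address/mask value. The following Python script is an added example, not part of the Juniper guide or of Junos OS. It validates set-format lines against that hierarchy, normalizes the prefix values with the standard ipaddress module, and returns the parsed client configurations together with any errors. The sample lines are constructed (they mirror the group example and add two deliberate mistakes); treating interface as an argument-less flag follows the way it is shown in the hierarchy and is this script's assumption.

```python
"""Validate 'set security dynamic-vpn ...' lines against the statement hierarchy.

Added example, not Juniper code. The allowed statements are taken from the
[edit security dynamic-vpn] hierarchy shown in the guide.
"""
import ipaddress
import shlex
from typing import Dict, List

# Statement -> number of arguments it takes. "interface" is shown without an
# argument in the hierarchy, so it is treated as a flag here (assumption).
TOP_LEVEL = {"access-profile": 1, "force-upgrade": 0, "config-check": 0, "interface": 0}
TRACEOPTIONS = {"file": 1, "flag": 1}
CLIENT_LEVEL = {"ipsec-vpn": 1, "remote-exceptions": 1,
                "remote-protected-resources": 1, "user": 1, "user-groups": 1}
PREFIX_STATEMENTS = {"remote-exceptions", "remote-protected-resources"}

# Constructed sample: the group example's client configuration plus two
# deliberate mistakes (a misspelled statement and an invalid prefix length).
SAMPLE = """\
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients groupcfg remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients groupcfg remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients groupcfg ipsec-vpn groupvpn
set security dynamic-vpn clients groupcfg user chris
set security dynamic-vpn clients groupcfg user derek
set security dynamic-vpn config-check
set security dynamic-vpn clients groupcfg users bob
set security dynamic-vpn clients groupcfg remote-exceptions 10.0.0.0/33
set security ike gateway groupgw dynamic connections-limit 50
"""


def _check_arity(errors: List[str], lineno: int, stmt: str, args: List[str], expected: int) -> bool:
    """Record an error and return False when a statement has the wrong number of arguments."""
    if len(args) != expected:
        errors.append(f"line {lineno}: {stmt} expects {expected} argument(s), got {len(args)}")
        return False
    return True


def validate_dynamic_vpn(text: str) -> Dict[str, object]:
    """Return {'errors': [...], 'clients': {name: {statement: [values]}}}."""
    errors: List[str] = []
    clients: Dict[str, Dict[str, List[str]]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        t = shlex.split(raw.strip())
        if t[:3] != ["set", "security", "dynamic-vpn"]:
            continue  # other hierarchies are out of scope for this validator
        rest = t[3:]
        if not rest:
            errors.append(f"line {lineno}: no statement after 'dynamic-vpn'")
            continue
        stmt = rest[0]
        if stmt in TOP_LEVEL:
            _check_arity(errors, lineno, stmt, rest[1:], TOP_LEVEL[stmt])
        elif stmt == "traceoptions":
            if len(rest) < 2 or rest[1] not in TRACEOPTIONS:
                errors.append(f"line {lineno}: traceoptions needs 'file' or 'flag'")
            else:
                _check_arity(errors, lineno, f"traceoptions {rest[1]}", rest[2:], TRACEOPTIONS[rest[1]])
        elif stmt == "clients":
            if len(rest) < 3 or rest[2] not in CLIENT_LEVEL:
                errors.append(f"line {lineno}: clients needs a configuration name and one of "
                              f"{sorted(CLIENT_LEVEL)}")
                continue
            name, sub, args = rest[1], rest[2], rest[3:]
            if not _check_arity(errors, lineno, f"clients {name} {sub}", args, CLIENT_LEVEL[sub]):
                continue
            value = args[0]
            if sub in PREFIX_STATEMENTS:
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    errors.append(f"line {lineno}: {sub} value {value!r} is not a valid ip-address/mask")
                    continue
                value = str(net)  # canonical form: 1.1.1.1/24 becomes 1.1.1.0/24
            clients.setdefault(name, {}).setdefault(sub, []).append(value)
        else:
            errors.append(f"line {lineno}: unknown statement {stmt!r} at [edit security dynamic-vpn]")
    return {"errors": errors, "clients": clients}


if __name__ == "__main__":
    result = validate_dynamic_vpn(SAMPLE)
    for err in result["errors"]:
        print(err)
    print(result["clients"])
```

The prefix normalization is worth noting: a value such as 1.1.1.1/24, which the examples use, parses as the network 1.1.1.0/24, so the returned client dictionary shows the prefix the device will actually be working with.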
Related Documentation
• Security Configuration Statement Hierarchy on page 61
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
access-profile (Security Dynamic VPN)
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax access-profile profile-name;
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 9.5.
Description Specify the access profile to use for Extended Authentication for remote users trying to
download the Access Manager.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
access-profile (Security IKE Gateway)
Supported Platforms J Series, SRX Series
Syntax access-profile profile-name;
Hierarchy Level [edit security ike gateway gateway-name xauth]
Release Information Statement introduced in Junos OS Release 8.5.
Description Specify the access profile to use for Extended Authentication for remote users trying to
access a Virtual Private Network (VPN) tunnel.
Options profile-name —Name of the access profile.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
clients (Security)
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax clients configuration-name {
    ipsec-vpn vpn-name;
    remote-exceptions ip-address/mask;
    remote-protected-resources ip-address/mask;
    user username;
    user-groups user-group-name;
}
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 9.5.
Description Create a client configuration for the dynamic VPN feature. Within the configuration,
specify a name for the configuration, reference a standard VPN configuration to use for
IPsec negotiations, specify which resources to protect, define any exceptions, and list
the users to which the dynamic VPN configuration applies.
Options configuration-name—Name of the client configuration.
The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
config-check (Security Dynamic VPN)
Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650
Syntax config-check;
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 12.1X44-D10.
Description Enable extra dynamic VPN configuration checking. If you include this statement in your
configuration, it is automatically enabled. If the statement is not present in your
configuration, the configuration check option is not enabled.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
dynamic-vpn
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax dynamic-vpn {
    access-profile profile-name;
    clients configuration-name {
        ipsec-vpn vpn-name;
        remote-exceptions ip-address/mask;
        remote-protected-resources ip-address/mask;
        user username;
        user-groups user-group-name;
    }
    force-upgrade;
    config-check;
    interface;
    traceoptions {
        file filename;
        flag flag;
    }
}
Hierarchy Level [edit security]
Release Information Statement introduced in Junos OS Release 9.5.
Description Configure the dynamic VPN feature. The dynamic VPN feature simplifies remote access
by enabling users to create IPsec VPN tunnels without having to manually configure
settings on their PCs or laptops. Instead, authenticated users can simply download a
preconfigured Web client to their computers with all the client-side information required
to create and manage an IPsec VPN tunnel to the server.
Options The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
force-upgrade
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax force-upgrade;
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 9.5.
Description Use this statement to force users to automatically upgrade the Access Manager when
newer versions are available. If you include this statement in your configuration, it is
automatically enabled. If the statement is not present in your configuration, the force
upgrade option is not enabled.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
ike (Security)
Supported Platforms J Series, LN Series, SRX Series
Syntax ike {
    gateway gateway-name {
        address [ip-address-or-hostname];
        dead-peer-detection {
            (always-send | optimized | probe-idle-tunnel);
            interval seconds;
            threshold number;
        }
        dynamic {
            connections-limit number;
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname domain-name | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
            ike-user-type (group-ike-id | shared-ike-id);
        }
        external-interface external-interface-name;
        general-ikeid;
        ike-policy policy-name;
        local-identity {
            (distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        nat-keepalive seconds;
        no-nat-traversal;
        remote-identity {
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        version (v1-only | v2-only);
        xauth {
            access-profile profile-name;
        }
    }
    policy policy-name {
        certificate {
            local-certificate certificate-id;
            peer-certificate-type (pkcs7 | x509-signature);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha1);
        authentication-method (dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
        rate-limit messages-per-second;
    }
}
Hierarchy Level [edit security]
Release Information Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos
OS Release 11.1. The inet6 option added in Junos OS Release 11.1.
Description Define Internet Key Exchange (IKE) configuration.
Options The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
• AutoVPN Feature Guide for SRX Series Gateway Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• IPsec VPN Feature Guide for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
interface (Security Dynamic VPN)
Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650
Syntax interface [ interface-names ];
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 12.1X44-D10.
Description Specify the interfaces on which dynamic VPN client access is allowed.
Options interface-names—Names of one or more interfaces that accept dynamic VPN client
access, separated by spaces.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
ipsec (Security)
Supported Platforms J Series, LN Series, SRX Series
Syntax ipsec {
    policy policy-name {
        description description;
        perfect-forward-secrecy keys (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha1-96);
        description description;
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-192-gcm | aes-256-cbc | aes-256-gcm | des-cbc);
        lifetime-kilobytes kilobytes;
        lifetime-seconds seconds;
        protocol (ah | esp);
    }
    traceoptions {
        flag flag;
    }
    vpn vpn-name {
        bind-interface interface-name;
        df-bit (clear | copy | set);
        establish-tunnels (immediately | on-traffic);
        ike {
            gateway gateway-name;
            idle-time seconds;
            install-interval seconds;
            ipsec-policy ipsec-policy-name;
            no-anti-replay;
            proxy-identity {
                local ip-prefix;
                remote ip-prefix;
                service (any | service-name);
            }
        }
        manual {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha-256-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            external-interface external-interface-name;
            gateway ip-address;
            protocol (ah | esp);
            spi spi-value;
        }
        traffic-selector traffic-selector-name {
            local-ip ip-address/netmask;
            remote-ip ip-address/netmask;
        }
        vpn-monitor {
            destination-ip ip-address;
            optimized;
            source-interface interface-name;
        }
    }
    vpn-monitor-options {
        interval seconds;
        threshold number;
    }
}
Hierarchy Level [edit security]
Release Information Statement modified in Junos OS Release 8.5.
Description Define IP Security (IPsec) configuration.
Options The remaining statements are explained separately.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• AutoVPN Feature Guide for SRX Series Gateway Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• IPsec VPN Feature Guide for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
ipsec-vpn (Security Dynamic VPNs)
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax ipsec-vpn vpn-name;
Hierarchy Level [edit security dynamic-vpn clients configuration-name]
Release Information Statement introduced in Junos OS Release 9.5.
Description Use this statement to specify which IPsec VPN configuration the dynamic VPN feature
should use to secure traffic.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
remote-exceptions
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax remote-exceptions ip-address/mask;
Hierarchy Level [edit security dynamic-vpn clients configuration-name]
Release Information Statement introduced in Junos OS Release 9.5.
Description Use this statement to specify exceptions to the remote protected resources list for the
specified dynamic VPN configuration. Traffic to the specified IP address will not go
through the dynamic VPN tunnel and therefore will not be protected by the firewall’s
security policies.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
remote-protected-resources
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax remote-protected-resources ip-address/mask;
Hierarchy Level [edit security dynamic-vpn clients configuration-name]
Release Information Statement introduced in Junos OS Release 9.5.
Description Use this statement to specify which resources to protect using the dynamic VPN feature.
Traffic to the protected resource will go through the specified dynamic VPN tunnel and
will therefore be protected by the firewall’s security policies.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
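The remote-protected-resources and remote-exceptions statements above together decide which traffic enters the tunnel and which bypasses it, and therefore which traffic the firewall's security policies see. The following script is an added example, not Juniper code: it reads a constructed `set security dynamic-vpn clients ...` configuration and flags exceptions that lie outside every protected resource (they exclude nothing) or that cover an entire protected resource (that resource silently leaves the tunnel). The set-command form, the client name `all`, and the sample prefixes are assumptions made for the example.

```python
"""Consistency check for Junos dynamic-vpn client stanzas (constructed example).

Reads `set security dynamic-vpn clients <name> ...` lines, rebuilds each client
configuration, and reports remote-exceptions that do not narrow any
remote-protected-resources entry or that remove one entirely from the tunnel.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample, not taken from a live device. The statement names follow
# the [edit security dynamic-vpn clients configuration-name] hierarchy; the
# client name "all" and the prefixes are made up for the example.
SAMPLE_CONFIG = """
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-protected-resources 172.16.10.0/24
set security dynamic-vpn clients all remote-exceptions 10.0.5.0/24
set security dynamic-vpn clients all remote-exceptions 192.168.1.0/24
set security dynamic-vpn clients all remote-exceptions 172.16.10.0/24
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
"""

PREFIX = ["set", "security", "dynamic-vpn", "clients"]


def new_client():
    return {"ipsec_vpn": None, "protected": [], "exceptions": [],
            "users": [], "user_groups": [], "invalid": []}


def parse_dynamic_vpn_clients(config_text):
    """Return {configuration-name: client dict} from set-command text."""
    clients = defaultdict(new_client)
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:4] != PREFIX or len(tokens) < 7:
            continue  # not a clients statement (or a bare 'clients name')
        name, statement, value = tokens[4], tokens[5], tokens[6]
        client = clients[name]
        if statement in ("remote-protected-resources", "remote-exceptions"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                client["invalid"].append((statement, value))
                continue
            key = "protected" if statement == "remote-protected-resources" else "exceptions"
            client[key].append(net)
        elif statement == "user":
            client["users"].append(value)
        elif statement == "user-groups":
            client["user_groups"].append(value)
        elif statement == "ipsec-vpn":
            client["ipsec_vpn"] = value
    return dict(clients)


def same_family_subnet(inner, outer):
    """True when inner is within outer and both are the same address family."""
    return inner.version == outer.version and inner.subnet_of(outer)


def check_client(client):
    """Return a list of (finding, detail) tuples for one client configuration."""
    findings = []
    if client["ipsec_vpn"] is None:
        findings.append(("missing-ipsec-vpn", ""))
    if not client["users"] and not client["user_groups"]:
        findings.append(("no-users-or-groups", ""))
    for statement, value in client["invalid"]:
        findings.append(("invalid-prefix", f"{statement} {value}"))
    for exc in client["exceptions"]:
        # An exception outside every protected resource excludes nothing:
        # that traffic was never going to enter the tunnel.
        if not any(same_family_subnet(exc, p) for p in client["protected"]):
            findings.append(("exception-outside-protected-resources", str(exc)))
        # An exception at least as wide as a protected resource removes that
        # resource from the tunnel, so its traffic bypasses the firewall policies.
        for p in client["protected"]:
            if same_family_subnet(p, exc):
                findings.append(("exception-covers-protected-resource", f"{exc} covers {p}"))
    return findings


def check_config(config_text):
    """Return {configuration-name: findings} for every client in the text."""
    return {name: check_client(c) for name, c in parse_dynamic_vpn_clients(config_text).items()}


if __name__ == "__main__":
    for name, findings in check_config(SAMPLE_CONFIG).items():
        print(f"clients {name}:")
        for finding, detail in findings or [("ok", "")]:
            print(f"  {finding} {detail}".rstrip())
```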
traceoptions (Security Dynamic VPN)
Supported Platforms SRX210, SRX220, SRX240, SRX650
Syntax traceoptions {
    file filename;
    flag {
        all <detail | extensive | terse>;
    }
}
Hierarchy Level [edit security dynamic-vpn]
Release Information Statement introduced in Junos OS Release 12.1X44-D10.
Description Configure dynamic VPN tracing options.
Options • file—Configure the trace file options.
file filename—Name of the file to receive the output of the tracing operation.
• flag—Trace operation to perform. To specify more than one trace operation, include
multiple flag statements.
• all—Enable all tracing operations.
• detail—Display a moderate amount of data in the trace.
• extensive—Display an extensive amount of data in the trace.
• terse—Display a minimum amount of data in the trace.
Required Privilege Level
trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
user (Security Dynamic VPN)
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax user username;
Hierarchy Level [edit security dynamic-vpn clients configuration-name]
Release Information Statement introduced in Junos OS Release 9.5.
Description Specify which users can access the selected dynamic VPN configuration.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
user-groups (Security Dynamic VPN)
Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650
Syntax user-groups user-group-name;
Hierarchy Level [edit security dynamic-vpn clients configuration-name]
Release Information Statement introduced in Junos OS Release 12.1X44-D10.
Description Specify which user groups can access the selected dynamic VPN configuration.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
xauth-attributes
Supported Platforms J Series, SRX Series
Syntax xauth-attributes {
    primary-dns ip-address;
    primary-wins ip-address;
    secondary-dns ip-address;
    secondary-wins ip-address;
}
Hierarchy Level [edit access address-assignment pool pool-name family (inet | inet6)]
Release Information Statement introduced in Junos OS Release 10.4.
Description Configure Xauth attributes.
Options • apply-groups—Groups from which to inherit configuration data.
• apply-groups-except—Do not inherit configuration data from these groups.
• primary-dns—Specify the IP address of the primary DNS server.
• secondary-dns—Specify the IP address of the secondary DNS server.
• primary-wins—Specify the IP address of the primary WINS server.
• secondary-wins—Specify the IP address of the secondary WINS server.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 9
Configuration Statements for Remote Client Authentication and Addresses
• Access Configuration Statement Hierarchy on page 77
• address-assignment (Access) on page 86
• firewall-authentication on page 89
• profile (Access) on page 91
Access Configuration Statement Hierarchy
Supported Platforms J Series, LN Series, SRX Series
Use the statements in the access configuration hierarchy to configure access to the device
and authentication methods, including address assignment and address pool, user and
firewall authentication, a group profile, LDAP options and LDAP server configuration, an
access profile, RADIUS options and RADIUS server configuration, and SecurID server
configuration.
access {
    address-assignment {
        abated-utilization percentage;
        abated-utilization-v6 percentage;
        high-utilization percentage;
        high-utilization-v6 percentage;
        neighbor-discovery-router-advertisement ndra-name;
        pool pool-name {
            family {
                inet {
                    dhcp-attributes {
                        boot-file boot-file-name;
                        boot-server boot-server-name;
                        domain-name domain-name;
                        grace-period seconds;
                        maximum-lease-time (seconds | infinite);
                        name-server ipv4-address;
                        netbios-node-type (b-node | h-node | m-node | p-node);
                        next-server next-server-name;
                        option dhcp-option-identifier-code {
                            array {
                                byte [8-bit-value];
                                flag [false | off | on | true];
                                integer [32-bit-numeric-values];
                                ip-address [ip-address];
                                short [signed-16-bit-numeric-value];
                                string [character string value];
                                unsigned-integer [unsigned-32-bit-numeric-value];
                                unsigned-short [16-bit-numeric-value];
                            }
                            byte 8-bit-value;
                            flag (false | off | on | true);
                            integer 32-bit-numeric-values;
                            ip-address ip-address;
                            short signed-16-bit-numeric-value;
                            string character string value;
                            unsigned-integer unsigned-32-bit-numeric-value;
                            unsigned-short 16-bit-numeric-value;
                        }
                        option-match {
                            option-82 {
                                circuit-id match-value {
                                    range range-name;
                                }
                                remote-id match-value;
                                range range-name;
                            }
                        }
                        propagate-ppp-settings [interface-name];
                        propagate-settings interface-name;
                        router ipv4-address;
                        server-identifier ip-address;
                        sip-server {
                            ip-address ipv4-address;
                            name sip-server-name;
                        }
                        tftp-server server-name;
                        wins-server ipv4-address;
                    }
                    host hostname {
                        hardware-address mac-address;
                        ip-address reserved-address;
                    }
                    network network address;
                    range range-name {
                        high upper-limit;
                        low lower-limit;
                    }
                    xauth-attributes {
                        primary-dns ip-address;
                        primary-wins ip-address;
                        secondary-dns ip-address;
                        secondary-wins ip-address;
                    }
                }
                inet6 {
                    dhcp-attributes {
                        dns-server ipv6-address;
                        grace-period seconds;
                        maximum-lease-time (seconds | infinite);
                        option dhcp-option-identifier-code {
                            array {
                                byte [8-bit-value];
                                flag [false | off | on | true];
                                integer [32-bit-numeric-values];
                                ip-address [ip-address];
                                short [signed-16-bit-numeric-value];
                                string [character string value];
                                unsigned-integer [unsigned-32-bit-numeric-value];
                                unsigned-short [16-bit-numeric-value];
                            }
                            byte 8-bit-value;
                            flag (false | off | on | true);
                            integer 32-bit-numeric-values;
                            ip-address ip-address;
                            short signed-16-bit-numeric-value;
                            string character string value;
                            unsigned-integer unsigned-32-bit-numeric-value;
                            unsigned-short 16-bit-numeric-value;
                        }
                        propagate-ppp-settings [interface-name];
                        sip-server-address ipv6-address;
                        sip-server-domain-name domain-name;
                    }
                    prefix ipv6-network-prefix;
                    range range-name {
                        high upper-limit;
                        low lower-limit;
                        prefix-length delegated-prefix-length;
                    }
                }
            }
            link pool-name;
        }
    }
    address-pool pool-name {
        address address-or-address-prefix;
        address-range {
            high upper-limit;
            low lower-limit;
            mask network-mask;
        }
        primary-dns name;
        primary-wins name;
        secondary-dns name;
        secondary-wins name;
    }
    address-protection;
    domain {
        delimiter delimiter;
        map domain-map-name {
            aaa-logical-system logical-system-name;
            aaa-routing-instance routing-instance-name;
            access-profile access-profile-name;
            address-pool address-pool-name;
            dynamic-profile dynamic-profile-name;
            padn destination-address {
                mask destination-mask;
                metric metric-value;
            }
            strip-domain;
            target-logical-system logical-system-name;
            target-routing-instance target-routing-instance;
        }
        parse-direction (left-to-right | right-to-left);
    }
    firewall-authentication {
        pass-through {
            default-profile profile-name;
            ftp {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
            http {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
            telnet {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                flag flag;
                match regular-expression;
                no-remote-trace;
                size maximum-file-size;
                (world-readable | no-world-readable);
            }
        }
        web-authentication {
            banner {
                success string;
            }
            default-profile profile-name;
        }
    }
    group-profile profile-name {
        ppp {
            cell-overhead;
            encapsulated-overhead encapsulated-overhead-value;
            framed-pool address-pool-name;
            idle-timeout seconds;
            interface-id interface-identifier;
            keepalive seconds;
            ppp-options {
                chap;
                pap;
            }
            primary-dns name;
            primary-wins name;
            secondary-dns name;
            secondary-wins name;
        }
    }
    gx-plus {
        global {
            max-outstanding-requests max-outstanding-requests;
        }
        partition partition-name {
            destination-host gx-plus-destination-host;
            destination-realm gx-plus-destination-realm;
            diameter-instance gx-plus-diameter-instance;
        }
    }
    ldap-options {
        assemble {
            common-name common-name;
        }
        base-distinguished-name base-distinguished-name;
        revert-interval seconds;
        search {
            admin-search {
                distinguished-name distinguished-name;
                password password;
            }
            search-filter filter-name;
        }
    }
    ldap-server hostname-or-address {
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        source-address source-address;
        timeout seconds;
    }
    ppp-options {
        compliance {
            rfc (2486 | [rfc-number]);
        }
    }
    profile profile-name {
        accounting {
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
            coa-immediate-update;
            duplication;
            immediate-update;
            order [accounting-method];
            statistics (time | volume-time);
            update-interval minutes;
        }
        accounting-order [accounting-method];
        address-assignment pool pool-name;
        authentication-order [ldap | none | password | radius | securid];
        authorization-order [jsrc];
        client client-name {
            chap-secret chap-secret;
            client-group [group-names];
            firewall-user {
                password password;
            }
            no-rfc2486;
            pap-password pap-password;
            x-auth ip-address;
        }
        client-name-filter {
            count number;
            domain-name domain-name;
            separator special-character;
        }
        ldap-options {
            assemble {
                common-name common-name;
            }
            base-distinguished-name base-distinguished-name;
            revert-interval seconds;
            search {
                admin-search {
                    distinguished-name distinguished-name;
                    password password;
                }
                search-filter search-filter-name;
            }
        }
        ldap-server server-address {
            port port-number;
            retry attempts;
            routing-instance routing-instance-name;
            source-address source-address;
            timeout seconds;
        }
        provisioning-order (gx-plus | jsrc);
        radius {
            accounting-server [server];
            attributes {
                exclude {
                    acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
                    acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
                    acc-loop-cir-id [access-request | accounting-start | accounting-stop];
                    accounting-authentic [accounting-off | accounting-on | accounting-start | accounting-stop];
                    accounting-delay-time [accounting-off | accounting-on | accounting-start | accounting-stop];
                    accounting-session-id [access-request];
                    accounting-terminate-cause [accounting-off];
                    act-data-rate-dn [access-request | accounting-start | accounting-stop];
                    act-data-rate-up [access-request | accounting-start | accounting-stop];
                    act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                    act-interlv-delay-up [access-request | accounting-start | accounting-stop];
                    att-data-rate-dn [access-request | accounting-start | accounting-stop];
                    att-data-rate-up [access-request | accounting-start | accounting-stop];
                    called-station-id [access-request | accounting-start | accounting-stop];
                    calling-station-id [access-request | accounting-start | accounting-stop];
                    class [access-request | accounting-start | accounting-stop];
                    delegated-ipv6-prefix [accounting-start | accounting-stop];
                    dhcp-gi-address [access-request | accounting-start | accounting-stop];
                    dhcp-mac-address [access-request | accounting-start | accounting-stop];
                    dhcp-options [access-request | accounting-start | accounting-stop];
                    downstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                    dsl-forum-attributes [access-request | accounting-start | accounting-stop];
                    dsl-line-state [access-request | accounting-start | accounting-stop];
                    dsl-type [access-request | accounting-start | accounting-stop];
                    dynamic-iflset-name [accounting-start | accounting-stop];
                    event-time-stamp [accounting-off | accounting-on | accounting-start | accounting-stop];
                    framed-interface-id [access-request | accounting-start | accounting-stop];
                    framed-ip-address [access-request | accounting-start | accounting-stop];
                    framed-ip-netmask [access-request | accounting-start | accounting-stop];
                    framed-ip-route [access-request | accounting-start | accounting-stop];
                    framed-ipv6-pool [accounting-start | accounting-stop];
                    framed-ipv6-prefix [accounting-start | accounting-stop];
                    framed-ipv6-route [accounting-start | accounting-stop];
                    framed-pool [accounting-start | accounting-stop];
                    input-filter [accounting-start | accounting-stop];
                    input-gigapackets [accounting-stop];
                    input-gigawords [accounting-stop];
                    input-ipv6-gigawords [accounting-stop];
                    input-ipv6-octets [accounting-stop];
                    input-ipv6-packets [accounting-stop];
                    interface-description [access-request | accounting-start | accounting-stop];
                    l2c-downstream-data [access-request | accounting-start | accounting-stop];
                    l2c-upstream-data [access-request | accounting-start | accounting-stop];
                    max-data-rate-dn [access-request | accounting-start | accounting-stop];
                    max-data-rate-up [access-request | accounting-start | accounting-stop];
                    max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                    max-interlv-delay-up [access-request | accounting-start | accounting-stop];
                    min-data-rate-dn [access-request | accounting-start | accounting-stop];
                    min-data-rate-up [access-request | accounting-start | accounting-stop];
                    min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
                    min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
                    nas-identifier [access-request | accounting-start | accounting-stop];
                    nas-port [access-request | accounting-off | accounting-on | accounting-start | accounting-stop];
                    nas-port-id [access-request | accounting-start | accounting-stop];
                    nas-port-type [access-request | accounting-start | accounting-stop];
                    output-filter [accounting-start | accounting-stop];
                    output-gigapackets [accounting-stop];
                    output-gigawords [accounting-stop];
                    output-ipv6-gigawords [accounting-stop];
                    output-ipv6-octets [accounting-stop];
                    output-ipv6-packets [accounting-stop];
                    upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                }
                ignore {
                    dynamic-iflset-name;
                    framed-ip-netmask;
                    input-filter;
                    logical-system-routing-instance;
                    output-filter;
                }
            }
            authentication-server [server];
            radius-options {
                request-rate number;
                revert-interval seconds;
            }
            radius-server server-address {
                accounting-port port-number;
                max-outstanding-requests number-of-outstanding-requests;
                port port-number;
                retry attempts;
                routing-instance routing-instance-name;
                secret password;
                source-address source-address;
                timeout seconds;
            }
            service {
                accounting-order {
                    activation-protocol;
                    radius;
                }
            }
            session-options {
                client-group [group-name];
                client-idle-timeout minutes;
                client-session-timeout minutes;
            }
        }
        radius-options {
            request-rate number;
            revert-interval seconds;
        }
        radius-server server-address {
            accounting-port port-number;
            max-outstanding-requests number-of-max-outstanding-requests;
            port port-number;
            retry attempts;
            routing-instance routing-instance-name;
            secret password;
            source-address source-address;
            timeout seconds;
        }
        securid-server server-name {
            configuration-file filepath;
        }
        terminate-code {
            aaa {
                deny {
                    authentication-denied {
                        radius acct-terminate-cause-value;
                    }
                    no-resources {
                        radius acct-terminate-cause-value;
                    }
                    server-request-timeout {
                        radius acct-terminate-cause-value;
                    }
                }
                shutdown {
                    administrative-reset {
                        radius acct-terminate-cause-value;
                    }
                    remote-reset {
                        radius acct-terminate-cause-value;
                    }
                }
            }
            dhcp {
                client-request {
                    radius acct-terminate-cause-value;
                }
                lost-carrier {
                    radius acct-terminate-cause-value;
                }
                nak {
                    radius acct-terminate-cause-value;
                }
                nas-logout {
                    radius acct-terminate-cause-value;
                }
                no-offers {
                    radius acct-terminate-cause-value;
                }
            }
        }
    }
}
Related Documentation
• Administration Guide for Security Devices
• Ethernet Port Switching Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Firewall User Authentication Feature Guide for Security Devices
address-assignment (Access)
Supported Platforms J Series, LN Series, SRX Series
Syntax address-assignment {
    abated-utilization percentage;
    abated-utilization-v6 percentage;
    high-utilization percentage;
    high-utilization-v6 percentage;
    neighbor-discovery-router-advertisement ndra-name;
    pool pool-name {
        family {
            inet {
                dhcp-attributes {
                    boot-file boot-file-name;
                    boot-server boot-server-name;
                    domain-name domain-name;
                    grace-period seconds;
                    maximum-lease-time (seconds | infinite);
                    name-server ipv4-address;
                    netbios-node-type (b-node | h-node | m-node | p-node);
                    next-server next-server-name;
                    option dhcp-option-identifier-code {
                        array {
                            byte [8-bit-value];
                            flag [false | off | on | true];
                            integer [32-bit-numeric-values];
                            ip-address [ip-address];
                            short [signed-16-bit-numeric-value];
                            string [character string value];
                            unsigned-integer [unsigned-32-bit-numeric-value];
                            unsigned-short [16-bit-numeric-value];
                        }
                        byte 8-bit-value;
                        flag (false | off | on | true);
                        integer 32-bit-numeric-values;
                        ip-address ip-address;
                        short signed-16-bit-numeric-value;
                        string character string value;
                        unsigned-integer unsigned-32-bit-numeric-value;
                        unsigned-short 16-bit-numeric-value;
                    }
                    option-match {
                        option-82 {
                            circuit-id match-value {
                                range range-name;
                            }
                            remote-id match-value;
                            range range-name;
                        }
                    }
                    propagate-ppp-settings [interface-name];
                    propagate-settings interface-name;
                    router ipv4-address;
                    server-identifier ip-address;
                    sip-server {
                        ip-address ipv4-address;
                        name sip-server-name;
                    }
                    tftp-server server-name;
                    wins-server ipv4-address;
                }
                host hostname {
                    hardware-address mac-address;
                    ip-address reserved-address;
                }
                network network address;
                range range-name {
                    high upper-limit;
                    low lower-limit;
                }
                xauth-attributes {
                    primary-dns ip-address;
                    primary-wins ip-address;
                    secondary-dns ip-address;
                    secondary-wins ip-address;
                }
            }
            inet6 {
                dhcp-attributes {
                    dns-server ipv6-address;
                    grace-period seconds;
                    maximum-lease-time (seconds | infinite);
                    option dhcp-option-identifier-code {
                        array {
                            byte [8-bit-value];
                            flag [false | off | on | true];
                            integer [32-bit-numeric-values];
                            ip-address [ip-address];
                            short [signed-16-bit-numeric-value];
                            string [character string value];
                            unsigned-integer [unsigned-32-bit-numeric-value];
                            unsigned-short [16-bit-numeric-value];
                        }
                        byte 8-bit-value;
                        flag (false | off | on | true);
                        integer 32-bit-numeric-values;
                        ip-address ip-address;
                        short signed-16-bit-numeric-value;
                        string character string value;
                        unsigned-integer unsigned-32-bit-numeric-value;
                        unsigned-short 16-bit-numeric-value;
                    }
                    propagate-ppp-settings [interface-name];
                    sip-server-address ipv6-address;
                    sip-server-domain-name domain-name;
                }
                prefix ipv6-network-prefix;
                range range-name {
                    high upper-limit;
                    low lower-limit;
                    prefix-length delegated-prefix-length;
                }
            }
        }
        link pool-name;
    }
}
Hierarchy Level [edit access]
Release Information Statement introduced in Junos OS Release 10.4.
Description The address-assignment pool feature enables you to create IPv4 and IPv6 address pools
that different client applications can share. For example, multiple client applications,
such as DHCPv4 or DHCPv6, can use an address-assignment pool to provide addresses
for their particular clients.
Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Administration Guide for Security Devices
firewall-authentication
Supported Platforms J Series, LN Series, SRX Series
Syntax firewall-authentication {
    pass-through {
        default-profile profile-name;
        ftp {
            banner {
                fail string;
                login string;
                success string;
            }
        }
        http {
            banner {
                fail string;
                login string;
                success string;
            }
        }
        telnet {
            banner {
                fail string;
                login string;
                success string;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            flag flag;
            match regular-expression;
            no-remote-trace;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
    }
    web-authentication {
        banner {
            success string;
        }
        default-profile profile-name;
    }
}
Hierarchy Level [edit access]
Release Information Statement introduced in Junos OS Release 8.5.
Description Configure default firewall authentication settings used by firewall authentication policies
that restrict and permit access of firewall users to protected resources behind a firewall.
Options The remaining statements are explained separately.
Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Firewall User Authentication Feature Guide for Security Devices
profile (Access)
Supported Platforms J Series, LN Series, SRX Series
Syntax profile profile-name {
    accounting {
        accounting-stop-on-access-deny;
        accounting-stop-on-failure;
        coa-immediate-update;
        duplication;
        immediate-update;
        order [accounting-method];
        statistics (time | volume-time);
        update-interval minutes;
    }
    accounting-order [accounting-method];
    address-assignment pool pool-name;
    authentication-order [ldap | none | password | radius | securid];
    authorization-order [jsrc];
    client client-name {
        chap-secret chap-secret;
        client-group [ group-names ];
        firewall-user {
            password password;
        }
        no-rfc2486;
        pap-password pap-password;
        x-auth ip-address;
    }
    client-name-filter {
        count number;
        domain-name domain-name;
        separator special-character;
    }
    ldap-options {
        assemble {
            common-name common-name;
        }
        base-distinguished-name base-distinguished-name;
        revert-interval seconds;
        search {
            admin-search {
                distinguished-name distinguished-name;
                password password;
            }
            search-filter search-filter-name;
        }
    }
    ldap-server server-address {
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        source-address source-address;
        timeout seconds;
    }
    provisioning-order (gx-plus | jsrc);
    radius {
        accounting-server [server];
        attributes {
            exclude {
                acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
                acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
                acc-loop-cir-id [access-request | accounting-start | accounting-stop];
                accounting-authentic [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-delay-time [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-session-id [access-request];
                accounting-terminate-cause [accounting-off];
                act-data-rate-dn [access-request | accounting-start | accounting-stop];
                act-data-rate-up [access-request | accounting-start | accounting-stop];
                act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                act-interlv-delay-up [access-request | accounting-start | accounting-stop];
                att-data-rate-dn [access-request | accounting-start | accounting-stop];
                att-data-rate-up [access-request | accounting-start | accounting-stop];
                called-station-id [access-request | accounting-start | accounting-stop];
                calling-station-id [access-request | accounting-start | accounting-stop];
                class [access-request | accounting-start | accounting-stop];
                delegated-ipv6-prefix [accounting-start | accounting-stop];
                dhcp-gi-address [access-request | accounting-start | accounting-stop];
                dhcp-mac-address [access-request | accounting-start | accounting-stop];
                dhcp-options [access-request | accounting-start | accounting-stop];
                downstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                dsl-forum-attributes [access-request | accounting-start | accounting-stop];
                dsl-line-state [access-request | accounting-start | accounting-stop];
                dsl-type [access-request | accounting-start | accounting-stop];
                dynamic-iflset-name [accounting-start | accounting-stop];
                event-time-stamp [accounting-off | accounting-on | accounting-start | accounting-stop];
                framed-interface-id [access-request | accounting-start | accounting-stop];
                framed-ip-address [access-request | accounting-start | accounting-stop];
                framed-ip-netmask [access-request | accounting-start | accounting-stop];
                framed-ip-route [access-request | accounting-start | accounting-stop];
                framed-ipv6-pool [accounting-start | accounting-stop];
                framed-ipv6-prefix [accounting-start | accounting-stop];
                framed-ipv6-route [accounting-start | accounting-stop];
                framed-pool [accounting-start | accounting-stop];
                input-filter [accounting-start | accounting-stop];
                input-gigapackets [accounting-stop];
                input-gigawords [accounting-stop];
                input-ipv6-gigawords [accounting-stop];
                input-ipv6-octets [accounting-stop];
                input-ipv6-packets [accounting-stop];
                interface-description [access-request | accounting-start | accounting-stop];
                l2c-downstream-data [access-request | accounting-start | accounting-stop];
                l2c-upstream-data [access-request | accounting-start | accounting-stop];
                max-data-rate-dn [access-request | accounting-start | accounting-stop];
                max-data-rate-up [access-request | accounting-start | accounting-stop];
                max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                max-interlv-delay-up [access-request | accounting-start | accounting-stop];
                min-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-data-rate-up [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
                nas-identifier [access-request | accounting-start | accounting-stop];
                nas-port [access-request | accounting-off | accounting-on | accounting-start | accounting-stop];
                nas-port-id [access-request | accounting-start | accounting-stop];
                nas-port-type [access-request | accounting-start | accounting-stop];
                output-filter [accounting-start | accounting-stop];
                output-gigapackets [accounting-stop];
                output-gigawords [accounting-stop];
                output-ipv6-gigawords [accounting-stop];
                output-ipv6-octets [accounting-stop];
                output-ipv6-packets [accounting-stop];
                upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
            }
            ignore {
                dynamic-iflset-name;
                framed-ip-netmask;
                input-filter;
                logical-system-routing-instance;
                output-filter;
            }
        }
        authentication-server [server];
    }
    radius-options {
        request-rate number;
        revert-interval seconds;
    }
    radius-server server-address {
        accounting-port port-number;
        max-outstanding-requests number-of-outstanding-requests;
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        secret password;
        source-address source-address;
        timeout seconds;
    }
    service {
        accounting-order {
            activation-protocol;
            radius;
        }
    }
    session-options {
        client-group [group-name];
        client-idle-timeout minutes;
        client-session-timeout minutes;
    }
}
Hierarchy Level [edit access]
Release Information Statement introduced in Junos OS Release 10.4.
Description Create a profile containing a set of attributes that define device management access.
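As an added example (not Juniper's code and not part of this guide), the following Python script audits an access profile of the kind dynamic VPN clients authenticate against, read in display-set form, for the weaknesses a reviewer would look for in the statements above: a none entry in authentication-order, a radius-server without a shared secret, a locally defined client with no firewall-user password when password authentication is in the order, and no address source for remote clients (neither an address-assignment pool nor a per-client x-auth ip-address). The profile name dyn-vpn-access-profile, the pool and user names, and every configuration line are constructed for the example.

```python
"""Audit a Junos [edit access profile] used by dynamic VPN clients.

Added example (not Juniper's code). Reads display-set lines and flags
authentication and addressing weaknesses. Profile, pool and user names and
every configuration line below are constructed for this example.
"""
from typing import List


def profile_statements(config: str, profile: str) -> List[List[str]]:
    """Tokens of each 'set access profile <profile> ...' line, prefix removed."""
    want = ["set", "access", "profile", profile]
    return [t[len(want):] for t in (line.split() for line in config.splitlines())
            if t[:len(want)] == want]


def audit_access_profile(config: str, profile: str) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    stmts = profile_statements(config, profile)
    findings: List[str] = []

    # authentication-order: 'none' lets a client in without authenticating
    order = [s[1] for s in stmts if s[:1] == ["authentication-order"] and len(s) > 1]
    if not order:
        findings.append("no authentication-order configured")
    elif "none" in order:
        findings.append("authentication-order includes 'none': unauthenticated access is possible")

    # every RADIUS server used for authentication needs a shared secret
    if "radius" in order:
        servers = sorted({s[1] for s in stmts if s[:1] == ["radius-server"] and len(s) > 1})
        for srv in servers:
            if not any(s[:3] == ["radius-server", srv, "secret"] for s in stmts):
                findings.append(f"radius-server {srv}: no shared secret configured")

    # with local password authentication, each client needs a firewall-user password
    if "password" in order:
        clients = sorted({s[1] for s in stmts if s[:1] == ["client"] and len(s) > 1})
        for name in clients:
            if not any(s[:4] == ["client", name, "firewall-user", "password"] for s in stmts):
                findings.append(f"client {name}: no firewall-user password configured")

    # remote clients need an address: a pool, or x-auth ip-address per client
    has_pool = any(s[:2] == ["address-assignment", "pool"] for s in stmts)
    has_xauth = any(s[:1] == ["client"] and "x-auth" in s for s in stmts)
    if not (has_pool or has_xauth):
        findings.append("no address source for remote clients "
                        "(address-assignment pool or client x-auth ip-address)")
    return findings


# Constructed sample input (not from a real device).
WEAK_PROFILE = """\
set access profile dyn-vpn-access-profile authentication-order radius
set access profile dyn-vpn-access-profile authentication-order password
set access profile dyn-vpn-access-profile authentication-order none
set access profile dyn-vpn-access-profile client user1 firewall-user password "$9$CONSTRUCTED"
set access profile dyn-vpn-access-profile client user2
set access profile dyn-vpn-access-profile radius-server 192.0.2.10 port 1812
"""

HARDENED_PROFILE = """\
set access profile dyn-vpn-access-profile authentication-order password
set access profile dyn-vpn-access-profile client user1 firewall-user password "$9$CONSTRUCTED"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access profile dyn-vpn-access-profile session-options client-idle-timeout 30
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}:")
        for finding in audit_access_profile(cfg, "dyn-vpn-access-profile") or ["no findings"]:
            print("  -", finding)
```

Feed it the output of show configuration | display set from a device whose profile you are reviewing; each finding names the statement in the syntax above that needs attention.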
Required Privilege Level
access—To view this statement in the configuration.
access-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
• Modem Interfaces Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
CHAPTER 10
Configuration Statements for URL Separation for J-Web and Dynamic VPN
• system-generated-certificate (System Services) on page 95
• wan-acceleration on page 96
• web-management (System Services) on page 98
system-generated-certificate (System Services)
Supported Platforms J Series, SRX Series
Syntax system-generated-certificate;
Hierarchy Level [edit system services web-management https]
Description Use an automatically generated self-signed certificate.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
wan-acceleration
Supported Platforms J Series, SRX Series
Syntax wan-acceleration {
    disable;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (no-world-readable | world-readable);
        }
        flag flag;
        no-remote-trace;
    }
}
Hierarchy Level [edit system processes]
Release Information Statement introduced in Junos OS Release 8.5.
Description Enable the WAN acceleration process.
Options • disable—Disable the WAN acceleration process.
• traceoptions—Set the trace options.
• file—Configure the trace file information.
• filename—Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log. By
default, the name of the file is the name of the process being traced.
• files number—Maximum number of trace files. When a trace file named trace-file
reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on,
until the maximum number of trace files is reached. Then the oldest trace file is
overwritten.
If you specify a maximum number of files, you also must specify a maximum file
size with the size maximum file-size option.
Range: 2 through 1000 files
Default: 10 files
• match regular-expression—Refine the output to include lines that contain the regular
expression.
• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB).
Range: 10 KB through 1 GB
Default: 128 KB
If you specify a maximum file size, you also must specify a maximum number of trace
files with the files number option.
• (world-readable | no-world-readable)—By default, log files can be accessed only by
the user who configures the tracing operation. The world-readable option enables
any user to read the file. To explicitly set the default behavior, use the
no-world-readable option.
• flag flag—Specify which tracing operation to perform. To specify more than one
tracing operation, include multiple flag statements. You can include the following
flags.
• all—Trace all events and messages.
• configuration—Trace configuration events.
• fpc-ipc—Trace FPC inter-process communication messages.
• fpc-ipc-heart-beat—Trace FPC inter-process communication heart beat messages.
• memory—Memory allocation or deallocation messages.
• ssam—Trace state synchronization and management events.
• wx-login—Trace ISM login events.
• no-remote-trace—Disable the remote tracing.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
web-management (System Services)
Supported Platforms J Series, LN Series, SRX Series
Syntax web-management {
    http {
        interfaces interface-names;
        port port;
    }
    https {
        interfaces interface-names;
        system-generated-certificate name;
        port port;
    }
    management-url management-url;
    session {
        idle-timeout minutes;
        session-limit number;
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (no-world-readable | world-readable);
        }
        flag flag;
        level level;
        no-remote-trace;
    }
}
Hierarchy Level [edit system services]
Release Information Statement introduced in Junos OS Release 9.0.
Description Configure settings for HTTP or HTTPS access. HTTP access allows management of the
device using the J-Web interface. HTTPS access allows secure management of the device
using the J-Web interface. With HTTPS access, communication is encrypted between
your browser and the webserver for your device.
Options • control—Disable the SBC process.
• max-threads—Maximum number of simultaneous threads that handle requests.
Range: 0 through 16
http—Configure HTTP.
• interface [value]—Interfaces that accept HTTP access.
• port number—TCP port for incoming HTTP connections.
Range: 1 through 65,535
https—Configure HTTPS.
• interface [value]—Interfaces that accept HTTPS access.
• port number—TCP port for incoming HTTPS connections.
Range: 1 through 65,535
• local-certificate—X.509 certificate to use from configuration.
• pki-local-certificate—X.509 certificate to use from PKI local store.
• system-generated-certificate—X.509 certificate generated automatically by system.
management-url management-url—URL path for Web management access.
session—Configure web management session.
• idle-timeout minutes—Default timeout of web-management sessions, in minutes.
• session-limit number—Maximum number of web-management sessions to allow.
traceoptions—Set the trace options.
• file—Configure the trace file information.
• filename—Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.
By default, the name of the file is the name of the process being traced.
• files number—Maximum number of trace files. When a trace file named trace-file
reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on,
until the maximum number of trace files is reached. Then the oldest trace file
is overwritten.
If you specify a maximum number of files, you also must specify a maximum
file size with the size maximum file-size option.
Range: 2 through 1000 files
Default: 10 files
• match regular-expression—Refine the output to include lines that contain the regular
expression.
• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB),
megabytes (MB), or gigabytes (GB).
Range: 10 KB through 1 GB
Default: 128 KB
If you specify a maximum file size, you also must specify a maximum number of
trace files with the files number option.
• (world-readable | no-world-readable)—By default, log files can be accessed only
by the user who configures the tracing operation. The world-readable option enables
any user to read the file. To explicitly set the default behavior, use the
no-world-readable option.
• flag flag—Specify which tracing operation to perform. To specify more than one
tracing operation, include multiple flag statements. You can include the following
flags.
• all—Trace all areas.
• configuration—Trace configuration.
• dynamic-vpn—Trace dynamic-vpn events.
• init—Trace daemon init process.
• mgd—Trace MGD requests.
• webauth—Trace webauth requests.
• level level—Specify the level of debugging output.
• all—Match all levels.
• error—Match error conditions.
• info—Match informational messages.
• notice—Match conditions that should be handled specially.
• verbose—Match verbose messages.
• warning—Match warning messages.
• no-remote-trace—Disable the remote tracing.
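The traceoptions file constraints described above (files and size must be configured together, files 2 through 1000, size 10 KB through 1 GB, and world-readable opening the trace file to every local user) apply to the wan-acceleration statement as well as to web-management. The Python script below is an added example, not Juniper's code: it parses display-set lines under [edit system services web-management], enforces those constraints, and flags settings that weaken management-plane security (cleartext HTTP enabled, HTTPS without a certificate statement, a self-signed system-generated-certificate, and a missing idle-timeout or session-limit). The 15-minute idle-timeout ceiling is this example's own policy, and all sample configuration lines are constructed for the example.

```python
"""Audit [edit system services web-management] in display-set form.

Added example (not Juniper's code). Checks the traceoptions file constraints
from the statement reference and a few J-Web hardening points. The idle-timeout
ceiling is this example's assumption, not a Junos default or requirement.
"""
import re
from typing import Dict, List

SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
MIN_SIZE, MAX_SIZE = 10 * 1024, 1024 ** 3     # 10 KB through 1 GB (from the reference)
MIN_FILES, MAX_FILES = 2, 1000                # 2 through 1000 files (from the reference)
MAX_IDLE_TIMEOUT_MIN = 15                     # assumption: this example's policy ceiling
CERT_STATEMENTS = ("system-generated-certificate", "local-certificate", "pki-local-certificate")


def parse_size(text: str) -> int:
    """Convert a Junos size value such as '128k', '10m' or '1g' (or plain bytes) to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.lower())
    if not m:
        raise ValueError(f"unrecognised size value: {text}")
    return int(m.group(1)) * SIZE_UNITS.get(m.group(2), 1)


def statements_under(config: str, prefix: str) -> List[List[str]]:
    """Tokens of each 'set <prefix> ...' line with 'set' and the prefix removed."""
    want = ["set"] + prefix.split()
    return [t[len(want):] for t in (line.split() for line in config.splitlines())
            if t[:len(want)] == want]


def audit_traceoptions(stmts: List[List[str]]) -> List[str]:
    """Apply the 'traceoptions file' rules shared by wan-acceleration and web-management."""
    findings: List[str] = []
    # 'file <name>' carries the filename; the other children are keyword [value]
    opts: Dict[str, List[str]] = {s[1]: s[2:] for s in stmts if s[:1] == ["file"] and len(s) > 1}
    files, size = opts.get("files"), opts.get("size")
    if files:
        n = int(files[0])
        if not MIN_FILES <= n <= MAX_FILES:
            findings.append(f"traceoptions: files {n} is outside {MIN_FILES}-{MAX_FILES}")
        if not size:
            findings.append("traceoptions: 'files' configured without 'size' (both are required together)")
    if size:
        if not MIN_SIZE <= parse_size(size[0]) <= MAX_SIZE:
            findings.append(f"traceoptions: size {size[0]} is outside 10k-1g")
        if not files:
            findings.append("traceoptions: 'size' configured without 'files' (both are required together)")
    if "world-readable" in opts:
        findings.append("traceoptions: trace file is world-readable; every local user can read it")
    return findings


def audit_web_management(config: str) -> List[str]:
    """Return hardening findings for the J-Web (web-management) service."""
    stmts = statements_under(config, "system services web-management")
    findings: List[str] = []
    if any(s[:1] == ["http"] for s in stmts):
        findings.append("http: J-Web over cleartext HTTP is enabled; serve J-Web over https only")
    https = [s for s in stmts if s[:1] == ["https"]]
    if https:
        certs = [s[1] for s in https if len(s) > 1 and s[1] in CERT_STATEMENTS]
        if not certs:
            findings.append("https: no certificate statement configured")
        elif "system-generated-certificate" in certs:
            findings.append("https: self-signed system-generated-certificate; browsers cannot "
                            "verify the device unless that certificate is explicitly trusted")
    idle = [s[2] for s in stmts if s[:2] == ["session", "idle-timeout"] and len(s) > 2]
    if not idle:
        findings.append("session: no idle-timeout configured")
    elif int(idle[0]) > MAX_IDLE_TIMEOUT_MIN:
        findings.append(f"session: idle-timeout {idle[0]} min exceeds this example's "
                        f"{MAX_IDLE_TIMEOUT_MIN} min ceiling")
    if not any(s[:2] == ["session", "session-limit"] for s in stmts):
        findings.append("session: no session-limit configured")
    findings += audit_traceoptions([s[1:] for s in stmts if s[:1] == ["traceoptions"]])
    return findings


# Constructed sample input (not from a real device).
WEAK_CONFIG = """\
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management traceoptions file web.log
set system services web-management traceoptions file files 5
set system services web-management traceoptions file world-readable
set system services web-management traceoptions flag dynamic-vpn
"""

HARDENED_CONFIG = """\
set system services web-management https pki-local-certificate jweb-cert
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 10
set system services web-management session session-limit 3
set system services web-management traceoptions file web.log
set system services web-management traceoptions file files 5
set system services web-management traceoptions file size 1m
set system services web-management traceoptions file no-world-readable
set system services web-management traceoptions flag dynamic-vpn
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_web_management(cfg) or ["no findings"]:
            print("  -", finding)
```

audit_traceoptions takes the statements below the traceoptions keyword, so the same function can be pointed at the wan-acceleration hierarchy by collecting statements under system processes wan-acceleration instead.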
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• WLAN Feature Guide for Security Devices
• Administration Guide for Security Devices
• Firewall User Authentication Feature Guide for Security Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
PART 3
Administration
• Junos Pulse Client on page 105
• Access Manager on page 117
• Operational Commands on page 123
CHAPTER 11
Junos Pulse Client
• Junos Pulse Client Installation Requirements on page 105
• Deploying Junos Pulse Client Software on page 106
• Junos Pulse Interface and Connections on page 107
• Managing Junos Pulse Connections on page 109
Junos Pulse Client Installation Requirements
Supported Platforms SRX100, SRX210, SRX240, SRX650
The Junos Pulse Release 2.0 client software is supported on computers that run Microsoft
Windows. Table 14 on page 105 lists the minimum hardware and software requirements
to support the Junos Pulse client software.
Table 14: Junos Pulse Client Hardware and Software Requirements
Component                  Requirement
Operating system and       • Vista Ultimate/Business/Home-Basic/Home-Premium with Service Pack 2 on
browser                      32-bit or 64-bit platforms; Internet Explorer 9.0, Internet Explorer 7.0,
                             Firefox 3.0, and Firefox 3.5
                           • Windows 7 Ultimate/Professional/Home-Basic/Home-Premium on 32-bit or
                             64-bit platforms; Internet Explorer 9.0, Internet Explorer 7.0, Firefox 3.0,
                             and Firefox 3.5
                           • XP Home with Service Pack 3 on 32-bit platforms only; Internet Explorer 9.0,
                             Internet Explorer 7.0, Firefox 3.0, and Firefox 3.5
CPU                        1.8 GHz
Memory                     1 GB of RAM
Available disk space       Install: 25 MB; Logging: 50 MB
NOTE: Junos Pulse 2.0 is not supported on Windows Server platforms and on Macintosh or Linux platforms. It is also not supported on 64-bit browsers.
NOTE: For increased security, we recommend that you disable the Fast User Switching feature on Windows endpoints. The Fast User Switching feature allows more than one user to log on simultaneously at a single computer. The feature is enabled by default for Windows 7 and Windows Vista and for domain users on Windows XP. With the Fast User Switching feature enabled, all concurrent user sessions on a system can access the current desktop connections to networks and Infranet Controllers. Thus, if one user has a current network connection, other users logged in on the same computer can access the same network connections, which creates a security risk.
Related Documentation
• Dynamic VPN Overview on page 3
• Understanding Junos Pulse Client on page 19
• Deploying Junos Pulse Client Software on page 106
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Deploying Junos Pulse Client Software
Supported Platforms SRX100, SRX210, SRX240, SRX650
The dynamic VPN feature is disabled by default on the SRX Series device; you must enable
and configure it before you can use it. The dynamic VPN feature secures traffic through
your network by passing it through IPsec VPN tunnels. As part of the VPN configuration,
you define the client configuration. The client and the settings are downloaded to your
users’ computers. Users must uninstall the Access Manager before installing the Junos
Pulse client. See “Dynamic VPN Configuration Overview” on page 23.
Junos Pulse Client Installation Overview
This section describes how to deploy Junos Pulse client software from SRX Series
Gateways.
You can deploy Junos Pulse to endpoints from SRX Series devices in the following way:
• Web Install—With a Web install, when you log into the access gateway’s Web portal
using the Dynamic VPN URL, the Pulse client gets downloaded on the client machine.
After the Pulse client is downloaded on the client machine, you need to create a firewall
connection.
NOTE: A Junos Pulse installation causes a restart of active network connections on a Windows endpoint. When a user initiates a Junos Pulse installation through a WAN connection to the Web interface of an access gateway, the user might need to log in to their service provider again to reestablish network connectivity. Users need to be aware of this issue before they begin the installation.
Related Documentation
• Dynamic VPN Configuration Overview on page 23
• Understanding Junos Pulse Client on page 19
• Junos Pulse Interface and Connections on page 107
• Managing Junos Pulse Connections on page 109
Junos Pulse Interface and Connections
Supported Platforms SRX100, SRX210, SRX240, SRX650
• Junos Pulse Interface on page 107
• Junos Pulse Connection Type on page 108
• Junos Pulse Connection Status on page 108
• Junos Pulse Log Files on page 108
Junos Pulse Interface
The Junos Pulse interface shows your network connections and provides status about
your endpoint’s connectivity, security, and acceleration. With SRX Series devices, you can
have the optional WAN acceleration software installed. WAN acceleration software interacts
with network devices to optimize application performance when you are connected over
wide area networks.
If your Junos Pulse interface shows the Acceleration pane, it means that you are connected
to a network device that can improve your application performance over wide area
networks through WAN optimization. The acceleration service of Junos Pulse requires
no configuration. Junos Pulse automatically discovers Juniper Networks WXC Series
Application Acceleration Platforms in the data center and then negotiates a level of
service that can be supported by both client and server. If the service is active, a check
mark icon appears.
In some circumstances, you might find that you have better network performance for a
particular application with WAN optimization turned off.
To enable or disable WAN optimization, on the Junos Pulse Acceleration pane, click
Enable or Disable.
• Connections—Act on a selected connection: disconnect, edit, or delete. Add a new
connection. Forget saved settings for all connections.
• Logs—Annotate, set logging level, or save log files.
• About—Display version and copyrights.
• Help—Display the Help file.
• Close—Close the Junos Pulse interface. Note that the program does not disconnect
active network connections.
Junos Pulse Connection Type
The connection type you choose when you define a new connection depends on the type
of device that provides access to protected network resources. For an SRX Series Services
Gateway, use the Firewall connection type.
If you want to access the SRX Series device through a wireless connection, use the
Windows supplicant to connect to the Junos wireless network, and then connect to the
SRX Series firewall through Junos Pulse.
Junos Pulse Connection Status
Junos Pulse displays the status of a connection in the Connections pane and in the system
tray. A Connections pane icon shows the state of each connection. The connection status
is also indicated by the system tray icon.
NOTE: You can right-click the system tray icon to open the Junos Pulse interface or to close Junos Pulse.
A connection can be in any of the following states:
• No connection.
• Connecting. A connection stays in this state until it fails or succeeds.
• Connected with issues.
• Connection failed.
• Connected.
Junos Pulse Log Files
A Junos Pulse log file tracks information that can help solve connection issues. Logging
is a background operation. You do not need to make any changes to your logging
environment unless instructed to do so as part of a troubleshooting effort.
To help in a troubleshooting effort, you might be asked to do the following tasks:
• Annotate the logs—When you annotate a log file, you insert text that marks the log
file at a specific location. For example, to troubleshoot a connection problem, you
might be asked to annotate the log file with specific text, attempt the connection that
has been failing, and then annotate the log file again. This sequence of events allows
a support representative to search the log file for the text you inserted. The text brackets
the entries of the log file that track your connection issue.
• Set the log level—The default logging level is Normal. For a troubleshooting operation,
you might be asked to change the logging level to Detailed.
• Save the logs—The Save As operation gathers all of the log files into a single .zip file
and lets you specify where to place the file.
Related Documentation
• Understanding Junos Pulse Client on page 19
• Deploying Junos Pulse Client Software on page 106
• Managing Junos Pulse Connections on page 109
Managing Junos Pulse Connections
Supported Platforms SRX100, SRX210, SRX240, SRX650
• Add a Connection on page 109
• Connect to a Network on page 110
• Disconnect from an Active Network on page 111
• View Connection Properties on page 111
• Edit Connection Properties on page 111
• Forget Saved Settings on page 112
• Delete a Connection on page 112
• Troubleshoot a Junos Pulse Connection Issue on page 113
• Annotate Log Files on page 113
• Set Log Level on page 114
• Save Log Files on page 114
• View Component Version Information on page 114
Add a Connection
Each connection in Junos Pulse represents a protected network. Typically, your network
administrator defines the connections for you and might disable the Add a Connection
feature. If you are required to create new connections, your network administrator will
tell you the settings that you must use.
To add a new connection:
• On the Connections pane, click the Add a Connection button.
The Add Connection dialog box appears.
• For Type, choose one of the following:
• Firewall—Use this network type if you are connecting to a Juniper Networks SRX
Series device.
• For Name, specify a descriptive name for this connection. The name you specify will
appear in the Connections pane of the Junos Pulse interface.
• For Server URL, specify the network that you want to connect to. You can enter the
Server URL in any of the following formats:
• An IP address, for example 10.204.71.86
• A DNS name, for example server.mycompany.net
• Click Add to save your new connection and close the dialog box. Click Connect to
save your new connection and initiate a connection to the network.
Connect to a Network
You must have at least one connection listed in the Connections pane before you can
connect to a network. The connection prompts you see depend on your network access
environment.
NOTE: To use Junos Pulse with a wireless network, you might need to first configure your endpoint’s wireless network settings through Windows or the wireless device software installed on your endpoint. For example, in Windows XP, use Start > Control Panel > Network Connections to access Windows network setup options. Or your network administrator can define your wireless connections and scan lists and include them in your Junos Pulse installation.
To use a defined connection to connect to a network:
1. In the Connections list, click Connect for the connection you want to establish.
2. Respond to the prompts for information such as username and password.
After you click the Connect button, you might need to respond to the following prompts:
• Certificate—If Junos Pulse needs to communicate with a certificate server, and your
network administrator has configured more than one server, you are prompted to
choose a server. A certificate issued by a certificate authority verifies that the network
resource you are connecting to is valid. If the certificate is from a trusted source, it is
automatically accepted and you do not see the certificate prompt. If there is a problem
with the certificate, you might be asked if you want to accept the certificate and proceed
with the connection.
• Credentials—Your username and password, or username and token code, establish
your identity to the access device. You might also be prompted for a secondary
username and password and a username and password to a proxy server. Your
authentication environment might periodically prompt you to change your password
or your token PIN number.
A Save Settings check box might appear on each login screen. (Your administrator can
disable this feature.) If you enable the check box, you are not prompted for that
information the next time you log in. If you save settings, you can use the Forget Saved
Settings feature to return to being prompted for login information. The Save Settings
feature enables you to save the following information:
• Certificate acceptance
• Certificate selection
• Username and password
The steps that take place after you respond to all of the connection prompts depend on
the access policies that your network administrator has configured and on the type of
network access device. The connection process can include the following tasks:
• Software updates—Junos Pulse can be automatically updated at connect time. Your
system might receive updated Junos Pulse software or you might receive additional
software modules to support expanded services such as when you connect to a new
type of network access device for the first time.
Disconnect from an Active Network
To disconnect from a network:
1. On the Junos Pulse Connections pane, click Disconnect for the connection you want
to disconnect.
Or
1. On the Junos Pulse Connections pane, right-click the connection to display the pop-up
menu.
2. Click Disconnect.
View Connection Properties
To view the properties for a connection:
1. In the Connections list, click the expand icon next to the connection name. Connection
details appear beneath the connection.
Edit Connection Properties
After you create a connection, you can edit the URL and the name that appears in the
Connections pane. You can edit a connection only if that connection is not currently
active.
To edit a connection:
1. In the Connections pane, right-click the connection to display the pop-up menu, and
then click Edit.
The Edit Connection dialog box appears.
2. Edit the connection, and then click Save to save your changes and close the dialog
box, or click Connect to initiate a connection and close the dialog box.
Or
1. Click the connection to select it.
2. Click the Edit Connection button.
The Edit Connection dialog box opens.
3. Edit the connection, and then click Save to save your changes and close the dialog
box, or click Connect to initiate a connection and close the dialog box.
Forget Saved Settings
When you connect to a network, you can check the Save Settings check box to have
Junos Pulse remember your login credentials. (Note that your network administrator can
disable this feature.) Each different screen where you are prompted for a response has
its own Save Settings check box. If you save settings, you are not prompted to provide
that information on subsequent login attempts. If your login credentials change, you
must clear the saved settings in Junos Pulse and you are prompted to provide them again.
To remove saved login credentials:
1. Right-click anywhere in the Connections list to display the pop-up menu.
2. Click Forget Saved Settings. Junos Pulse clears the saved settings for all configured
Connections.
Or
1. Click the Forget Saved Settings button.
Delete a Connection
To delete a connection:
1. In the Connections list, click the connection you want to delete to select it.
2. Click the Delete button.
3. You are prompted to verify your decision before the connection is deleted.
Or
1. Right-click the connection you want to delete to display the pop-up menu, and then
click Delete.
2. You are prompted to verify your decision before the connection is deleted.
Troubleshoot a Junos Pulse Connection Issue
You can use the following troubleshooting information to help resolve connection issues.
Table 15 on page 113 lists issues, descriptions and resolution suggestions.
Table 15: Junos Pulse Troubleshooting Information
Issue: During login, the following message appears: “You are about to authenticate to an
untrusted server. Do you accept the certificate for this connection?”
Description and Resolution Suggestions: Junos Pulse cannot verify the identity of the server.
This error or any certificate error means that Junos Pulse cannot ensure that you are
connecting to a trusted server. The server certificate might have been revoked or it might
have expired. It could have been issued by a certificate authority that is not recognized by
Junos Pulse, such as when your organization uses a self-signed certificate. If your network
administrator has enabled this permission, you can choose to proceed and connect to the
server, but you should do so only if your network administrator has advised you to ignore
the certificate error.

Issue: During login, the following message appears: “Credentials were invalid. Please try
again.”
Description and Resolution Suggestions: If you selected the Save Settings check box when
you activated a Junos Pulse connection, the credentials you provided are used every time
you activate that connection without prompting you to enter login information. However,
Junos Pulse cannot detect when you change your network password; it continues to use
the saved settings, and that can result in the “Credentials were invalid” error. To resolve
this issue, click the Forget Saved Settings button. The next time you connect, you are
prompted for your login credentials, and you can specify your new login information. If
you select the Save Settings check box, the new credential information will be saved.

Issue: The system tray icon and a Connections pane icon change to the “failed” state:
Connection failed
Description and Resolution Suggestions: When you see the connection failed icon in the
Connections pane, click the connection to display the connection status. The Details
section shows the specific error, which you can click to open a window that shows a
detailed description of the error.
Annotate Log Files
When you annotate a log file, you insert text that marks the log file at a specific location.
For example, to troubleshoot a connection problem, you might be asked to annotate the
log file with specific text, attempt the connection that has been failing, and then annotate
the log file again. This sequence of events enables a support technician to easily find the
log file entries that track your connection issue.
To annotate Junos Pulse log files:
1. Click the program icon at the top of the Junos Pulse window to display the pop-up
menu.
2. Click Logs>Annotate to open the Annotate Logs dialog box.
3. Type your annotation text, and then click OK.
Set Log Level
To set the log level:
1. Click the program icon at the top of the Junos Pulse window to display the pop-up
menu.
2. Click Logs>Log Level>Detailed or Logs>Log Level>Normal. A check mark indicates the
option that is currently enabled.
Normal logging is the default. You should set logging to Normal unless you are
troubleshooting a connection issue.
Detailed logging creates a greater number of log entries and increases the size of the log
files. Detailed logging is typically enabled only when troubleshooting an issue.
Save Log Files
As part of a troubleshooting process, you might be asked to save the Junos Pulse log
files. Pulse includes a number of possible components and each component generates
one or more log files. The Save As operation combines all of the Pulse log files and other
diagnostic files into a single file named LogsAndDiagnostics.zip.
To save Junos Pulse log files:
1. Click the program icon at the top of the Junos Pulse window to display the pop-up
menu.
2. Click Logs>Save As. The Save As dialog box appears.
3. Either accept the default values for location and filename or specify new values, and
then click Save.
View Component Version Information
In a troubleshooting operation, your network administrator might ask you to verify the
version numbers of the Junos Pulse programs. To view Junos Pulse version information:
1. Click Pulse>About to open the About dialog box.
2. Click version details to open the Pulse Version Details dialog box.
Related Documentation
• Understanding Junos Pulse Client on page 19
• Deploying Junos Pulse Client Software on page 106
• Junos Pulse Interface and Connections on page 107
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 12
Access Manager
• Access Manager Client-Side System Requirements on page 117
• Access Manager Client-Side Files on page 117
• Access Manager Client-Side Registry Changes on page 120
Access Manager Client-Side System Requirements
Supported Platforms SRX100, SRX210, SRX240, SRX650
The user can install Access Manager on Windows XP 32-bit, Windows Vista 64/32-bit,
and Windows 7 64/32-bit machines with an Internet connection. The user must have
administrator privileges to install the client, but not to run it.
Access Manager can run simultaneously on the same computer with other Juniper
Networks clients, including the Odyssey Access Client (OAC), Network Connect client,
Windows Secure Application Manager (WSAM) client, Host Checker client, and WX client.
Related Documentation
• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side Files on page 117
• Access Manager Client-Side Registry Changes on page 120
• Access Manager Client-Side Error Messages on page 155
• Troubleshooting Access Manager Client-Side Problems on page 158
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Access Manager Client-Side Files
Supported Platforms SRX100, SRX210, SRX240, SRX650
Table 16 on page 118 lists the directories where Access Manager installs files on a user’s
computer, the files it installs, and the files that remain after the user uninstalls the client.
Table 16: Access Manager Client-Side Files
Installation Directory: %COMMONFILES%\Juniper Networks\Connection Manager
• Files Installed in Directory: ConnectionManagerService.dll, install.log, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %COMMONFILES%\Juniper Networks\ConnectionStore
• Files Installed in Directory: ConnectionStoreService.dll, dcfDOM.dll, install.log, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %COMMONFILES%\Juniper Networks\IPSecMgr
• Files Installed in Directory: install.log, ipsecmgr.dll, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %PROGRAMFILES%\Juniper Networks\Juniper Access Manager
• Files Installed in Directory: AccessServiceComponent.x86.exe, ConnectionMgrComponent.x86.exe, ConnectionStoreComponent.x86.exe, install.log, IPSecMgrComponent.x86.exe, JamGUIComponent.x86.exe, JamInstaller.dep, jnprnaInstall.exe, TunnelManagerComponent.x86.exe, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini, vpnAccessMethodComponent.x86.exe
• Files Remaining After Uninstall: install.log
  Log file location: C:\Documents and Settings\All Users\Application Data\Juniper Networks\Logging
Installation Directory: %COMMONFILES%\Juniper Networks\JamUI
• Files Installed in Directory: install.log, jamCommand.exe, jamTray.exe, jamUI.exe, jamUIResource_EN.dll, uiPlugin.dll, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %COMMONFILES%\Juniper Networks\JUNS
• Files Installed in Directory: access.ini, dsAccessService.exe, dsInstallerService.dll, dsLogService.dll, install.log, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %COMMONFILES%\Juniper Networks\JNPRNA
• Files Installed in Directory: install.log, jnprna.cat, jnprna.inf, jnprna.sys, jnprnaapi.dll, jnprnaNetInstall.dll, jnprnaNetInstall.log, jnprna_m.cat, jnprna_m.inf, jnprva.cat, jnprva.inf, jnprva.sys, jnprvamgr.cat, jnprvamgr.dll, jnprvamgr.inf, jnprvamgr.sys, nsStatsDump.exe, uninst.exe, versionInfo.ini, %WINDIR%\system32\drivers\jnprna.sys, %WINDIR%\system32\drivers\jnprva.sys, %WINDIR%\system32\drivers\jnprvamgr.sys
• Files Remaining After Uninstall: install.log, jnprnaNetInstall.log
Installation Directory: %COMMONFILES%\Juniper Networks\Tunnel Manager
• Files Installed in Directory: dsTMClient.dll, dsTMService.dll, dsTunnelManager.dll, install.log, TM.dep, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini
• Files Remaining After Uninstall: install.log
Installation Directory: %COMMONFILES%\Juniper Networks\vpnAccessMethod
• Files Installed in Directory: install.log, Uninstall.exe, Uninstall.exe.manifest, versionInfo.ini, vpnAccessMethod.dll, vpnAccessMethod_EN.dll
• Files Remaining After Uninstall: install.log
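Table 16 is also the reference an administrator needs to confirm that an uninstall actually completed, since the table says which files (notably the three kernel drivers under %WINDIR%\system32\drivers) are installed and which are allowed to remain. The following is an added example, not code from the guide or from Juniper: it transcribes Table 16 as data and audits a post-uninstall file listing against it. The environment-variable values and the observed listing are constructed for illustration; on a real machine the listing would come from walking the Table 16 directories and the drivers directory.

```python
import ntpath
from typing import Dict, List, Set, Tuple

# Table 16 transcribed as data: directory -> (files installed, files expected to
# remain after uninstall). Entries that start with a variable are absolute paths.
MANIFEST: Dict[str, Tuple[List[str], List[str]]] = {
    r"%COMMONFILES%\Juniper Networks\Connection Manager": (
        ["ConnectionManagerService.dll", "install.log", "Uninstall.exe", "Uninstall.exe.manifest", "versionInfo.ini"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\ConnectionStore": (
        ["ConnectionStoreService.dll", "dcfDOM.dll", "install.log", "Uninstall.exe", "Uninstall.exe.manifest",
         "versionInfo.ini"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\IPSecMgr": (
        ["install.log", "ipsecmgr.dll", "Uninstall.exe", "Uninstall.exe.manifest", "versionInfo.ini"],
        ["install.log"]),
    r"%PROGRAMFILES%\Juniper Networks\Juniper Access Manager": (
        ["AccessServiceComponent.x86.exe", "ConnectionMgrComponent.x86.exe", "ConnectionStoreComponent.x86.exe",
         "install.log", "IPSecMgrComponent.x86.exe", "JamGUIComponent.x86.exe", "JamInstaller.dep",
         "jnprnaInstall.exe", "TunnelManagerComponent.x86.exe", "Uninstall.exe", "Uninstall.exe.manifest",
         "versionInfo.ini", "vpnAccessMethodComponent.x86.exe"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\JamUI": (
        ["install.log", "jamCommand.exe", "jamTray.exe", "jamUI.exe", "jamUIResource_EN.dll", "uiPlugin.dll",
         "Uninstall.exe", "Uninstall.exe.manifest", "versionInfo.ini"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\JUNS": (
        ["access.ini", "dsAccessService.exe", "dsInstallerService.dll", "dsLogService.dll", "install.log",
         "Uninstall.exe", "Uninstall.exe.manifest", "versionInfo.ini"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\JNPRNA": (
        ["install.log", "jnprna.cat", "jnprna.inf", "jnprna.sys", "jnprnaapi.dll", "jnprnaNetInstall.dll",
         "jnprnaNetInstall.log", "jnprna_m.cat", "jnprna_m.inf", "jnprva.cat", "jnprva.inf", "jnprva.sys",
         "jnprvamgr.cat", "jnprvamgr.dll", "jnprvamgr.inf", "jnprvamgr.sys", "nsStatsDump.exe", "uninst.exe",
         "versionInfo.ini", r"%WINDIR%\system32\drivers\jnprna.sys", r"%WINDIR%\system32\drivers\jnprva.sys",
         r"%WINDIR%\system32\drivers\jnprvamgr.sys"],
        ["install.log", "jnprnaNetInstall.log"]),
    r"%COMMONFILES%\Juniper Networks\Tunnel Manager": (
        ["dsTMClient.dll", "dsTMService.dll", "dsTunnelManager.dll", "install.log", "TM.dep", "Uninstall.exe",
         "Uninstall.exe.manifest", "versionInfo.ini"],
        ["install.log"]),
    r"%COMMONFILES%\Juniper Networks\vpnAccessMethod": (
        ["install.log", "Uninstall.exe", "Uninstall.exe.manifest", "versionInfo.ini", "vpnAccessMethod.dll",
         "vpnAccessMethod_EN.dll"],
        ["install.log"]),
}

# Constructed (assumed) values for the variables used in the table.
ENV = {"%COMMONFILES%": r"C:\Program Files\Common Files",
       "%PROGRAMFILES%": r"C:\Program Files",
       "%WINDIR%": r"C:\WINDOWS"}

# Constructed post-uninstall listing: two expected log files, one driver and one
# DLL the uninstaller left behind, and one file Table 16 does not mention.
OBSERVED = [
    r"C:\Program Files\Common Files\Juniper Networks\JUNS\install.log",
    r"C:\WINDOWS\system32\drivers\jnprva.sys",
    r"C:\Program Files\Common Files\Juniper Networks\JNPRNA\jnprnaNetInstall.log",
    r"C:\Program Files\Common Files\Juniper Networks\Tunnel Manager\dsTMClient.dll",
    r"C:\Program Files\Juniper Networks\Juniper Access Manager\extra.tmp",
]


def expand(path: str, env: Dict[str, str]) -> str:
    """Substitute the environment variables and lower-case for Windows' case-insensitive comparison."""
    for var, val in env.items():
        path = path.replace(var, val)
    return path.lower()


def absolute(directory: str, name: str, env: Dict[str, str]) -> str:
    # Names beginning with a variable are absolute (the %WINDIR% drivers); the rest live in the directory.
    return expand(name if name.startswith("%") else ntpath.join(directory, name), env)


def expected_state(env: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (all paths the installer writes, paths allowed to remain after uninstall)."""
    installed: Set[str] = set()
    remaining: Set[str] = set()
    for directory, (inst, rem) in MANIFEST.items():
        installed.update(absolute(directory, n, env) for n in inst)
        remaining.update(absolute(directory, n, env) for n in rem)
    return installed, remaining


def audit_uninstall(observed: List[str], env: Dict[str, str] = ENV) -> List[Tuple[str, str]]:
    """For a listing taken after uninstall, return (path, verdict) for every file that should be gone."""
    installed, remaining = expected_state(env)
    findings = []
    for path in observed:
        key = path.lower()
        if key in remaining:
            continue  # Table 16 says this file stays
        verdict = "installer file not removed" if key in installed else "not listed in Table 16"
        findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in audit_uninstall(OBSERVED):
        print(f"{verdict}: {path}")
```

A leftover driver under %WINDIR%\system32\drivers deserves attention because it is loaded by the kernel independently of the user-mode components the uninstaller removed; the audit separates that case from files the table never listed, which need a different explanation.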
Related Documentation
• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side System Requirements on page 117
• Access Manager Client-Side Registry Changes on page 120
• Access Manager Client-Side Error Messages on page 155
• Troubleshooting Access Manager Client-Side Problems on page 158
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Access Manager Client-Side Registry Changes
Supported Platforms SRX100, SRX210, SRX240, SRX650
Table 17 on page 120 lists the Windows Registry changes that the Access Manager client
and components make to your users’ computers when creating dynamic VPN tunnels.
Table 17: Access Manager Client-Side Registry Changes
Registry Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Juniper Networks\Common Files
Registry Key Changes:
• "jnprnaapi"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\jnprnaapi.dll"
• "jnprvamgr"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\jnprvamgr.dll"
• "nsStatsDump"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\nsStatsDump.exe"
• "dsLogService"="C:\\Program Files\\Common Files\\Juniper Networks\\JUNS\\dsLogService.dll"
• "dsTMClient"="C:\\Program Files\\Common Files\\Juniper Networks\\Tunnel Manager\\dsTMClient.dll"
• "dsTunnelManager"="C:\\Program Files\\Common Files\\Juniper Networks\\Tunnel Manager\\dsTunnelManager.dll"
Registry Key Location: HKEY_LOCAL_MACHINE\SOFTWARE\Juniper Networks\Logging
Registry Key Changes:
• "LogFileName"="C:\\Documents and Settings\\All Users\\Application Data\\Juniper Networks\\Logging\\debuglog.log"
• "Level"="3"
• "LogSizeInMB"="10"
Registry Key Location: HKCU\Software\Juniper Networks\Access Manager\
Registry Key Changes: (Content varies. Contains client configuration data downloaded from the server.)
Related Documentation
• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side System Requirements on page 117
• Access Manager Client-Side Files on page 117
• Access Manager Client-Side Error Messages on page 155
• Troubleshooting Access Manager Client-Side Problems on page 158
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
CHAPTER 13
Operational Commands
• clear security dynamic-vpn all
• clear security dynamic-vpn user
• show network-access address-assignment pool (View)
• show security dynamic-policies
• show security dynamic-vpn client version
• show security dynamic-vpn users
• show security dynamic-vpn users terse
• show security ike active-peer
• show security ike security-associations
• show security ipsec security-associations
clear security dynamic-vpn all
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax clear security dynamic-vpn all
Release Information Command introduced in Junos Release 10.4.
Description Clear all dynamic VPN user connections.
Required Privilege Level clear
Related Documentation
• show security dynamic-vpn users on page 133
• show security dynamic-vpn users terse on page 135
List of Sample Output clear security dynamic-vpn all on page 124
Output Fields When you enter this command, you are provided feedback on the status of your request.
Sample Output
clear security dynamic-vpn all
user@host> clear security dynamic-vpn all
2 user connection entries cleared
clear security dynamic-vpn user
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax clear security dynamic-vpn user username ike-id id
Release Information Command introduced in Junos OS Release 10.4.
Description Clear the dynamic VPN user connection for the specified username.
Required Privilege Level clear
Related Documentation
• show security dynamic-vpn users on page 133
• show security dynamic-vpn users terse on page 135
List of Sample Output clear security dynamic-vpn user on page 125
Output Fields When you enter this command, you are provided feedback on the status of your request.
Sample Output
clear security dynamic-vpn user
user@host> clear security dynamic-vpn user user ike-id bob.example.net
Connection entry for user user has been cleared
show network-access address-assignment pool (View)
Supported Platforms J Series, SRX Series
Syntax show network-access address-assignment pool name
Release Information Command introduced in Release 10.4 of Junos OS.
Description Display summary information about a specific pool.
Required Privilege Level view
Related Documentation
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Output Fields Table 18 on page 126 lists the output fields for the show network-access address-assignment
pool command. Output fields are listed in the approximate order in which they appear.
Table 18: show network-access address-assignment pool Output Fields
Field Name: Field Description
• IP address: IP address assigned to a client.
• Hardware address: MAC address of the client. For XAuth clients, the value is NA.
• Host/User: For static IP address assignment, the user name and profile are displayed in the format username@profile. If the client is assigned an IP address from an address pool and a user name exists, the user name is displayed. For DHCP applications, if the host name is configured the host name is displayed; otherwise NA is displayed.
• Type: Either XAuth or DHCP attributes are configured.
Sample Output
user@host> show network-access address-assignment pool xauth1
IP address       Hardware address     Host/User          Type
40.0.0.1         NA                   jason@dvpn-auth    XAUTH
40.0.0.2         NA                   jacky              XAUTH
40.0.0.3         00:05:1b:00:b9:01    host1              DHCP
40.0.0.4         00:05:1b:00:b9:02    NA                 DHCP
show security dynamic-policies
Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax show security dynamic-policies [detail] [from-zone zone] [scope-id id] [to-zone zone]
Release Information Command introduced in Junos OS Release 10.2.
Description Display dynamic policies downloaded on the group member.
Options • none—Display basic information about all policies installed on the group member.
• detail—(Optional) Display a detailed view of all of the policies installed on the group
member.
• from-zone—(Optional) Display information about the policies installed on the group
member for the specified source zone.
• scope-id—(Optional) Display information about the policies installed on the group
member for the specified policy identifier.
• to-zone—(Optional) Display information about the policies installed on the group
member for the specified destination zone.
Required Privilege Level view
Related Documentation
• show security policies
• Group VPN Feature Guide for Security Devices
List of Sample Output
show security dynamic-policies on page 128
show security dynamic-policies detail on page 129
show security dynamic-policies from-zone Internal on page 130
show security dynamic-policies scope-id 8 from-zone Internal on page 130
show security dynamic-policies detail from-zone Internal on page 130
show security dynamic-policies detail from-zone Internal to-zone Host on page 131
Output Fields Table 19 on page 127 lists the output fields for the show security dynamic-policies command.
Output fields are listed in the approximate order in which they appear.
Table 19: show security dynamic-policies Output Fields
Field Name: Field Description
• Policy: Name of the applicable policy.
• State: Status of the policy:
  • enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
  • disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.
• Index: An internal number associated with the policy.
• Scope Policy: Policy identifier.
• Sequence number: Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.
• Source addresses: For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. (In this case, only the names are given, not their IP addresses.) For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.
• Destination addresses: Name of the destination address (or address set) as it was entered in the destination zone’s address book. A packet’s destination address must match this value for the policy to apply to it.
• Application: Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.
  • IP protocol: The IP protocol used by the application—for example, TCP, UDP, ICMP.
  • ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
  • Inactivity timeout: Elapsed time without activity after which the application is terminated.
  • Source port range: The low-high source port range for the session application.
  • Destination port range: The low-high destination port range for the session application.
• action-type: Must be permit.
• Policy Type: Must be dynamic.
• From zone: Name of the source zone.
• To zone: Name of the destination zone.
• Tunnel: Tunnel name, type (IPsec), and index number.
Sample Output
show security dynamic-policies
user@host> show security dynamic-policies
Policy: policy_forward-0001, State: enabled, Index: 1048580, Scope Policy: 4
  Sequence number: 1
  Source addresses: 10.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Applications: Unknown
  action-type: permit, tunnel:
Policy: policy_forward-0002, State: enabled, Index: 2097156, Scope Policy: 4
  Sequence number: 2
  Source addresses: 10.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Applications: Unknown
  action-type: permit, tunnel:
Sample Output
show security dynamic-policies detail
user@host> show security dynamic-policies detail
Policy: policy_forward-0001, action-type: permit, State: enabled, Index: 1048580, AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Host, To zone: untrust
  Source addresses: 10.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [23-23]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1001
Policy: policy_backward-0001, action-type: permit, State: enabled, Index: 1048582, AI: disabled, Scope Policy: 6
  Policy Type: Dynamic
  Sequence number: 1
  From zone: untrust, To zone: Host
  Source addresses: 20.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1003
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses: 192.168.1.0/24
  Destination addresses: 10.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005
Policy: policy_external-0001, action-type: permit, State: enabled, Index: 1048584, AI: disabled, Scope Policy: 8
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: untrust
  Source addresses: 192.168.1.0/24
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1006
Policy: policy_forward-0002, action-type: permit, State: enabled, Index: 2097156, AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 2
  From zone: Host, To zone: untrust
  Source addresses: 10.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1002
Policy: policy_backward-0002, action-type: permit, State: enabled, Index: 2097158, AI: disabled, Scope Policy: 6
  Policy Type: Dynamic
  Sequence number: 2
  From zone: untrust, To zone: Host
  Source addresses: 20.10.10.0/16
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [23-23]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1004
Sample Output
show security dynamic-policies from-zone Internal
user@host> show security dynamic-policies from-zone Internal
Policy: policy_internal-0001, State: enabled, Index: 1048583, Scope Policy: 7
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:
Policy: policy_external-0001, State: enabled, Index: 1048584, Scope Policy: 8
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:
Sample Output
show security dynamic-policies scope-id 8 from-zone Internal
user@host> show security dynamic-policies scope-id 8 from-zone Internal
Policy: policy_external-0001, State: enabled, Index: 1048584, Scope Policy: 8
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:
Sample Output
show security dynamic-policies detail from-zone Internal
user@host> show security dynamic-policies detail from-zone Internal
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses: 192.168.1.0/24
  Destination addresses: 10.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005
Policy: policy_external-0001, action-type: permit, State: enabled, Index: 1048584, AI: disabled, Scope Policy: 8
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: untrust
  Source addresses: 192.168.1.0/24
  Destination addresses: 20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1006
Sample Output
show security dynamic-policies detail from-zone Internal to-zone Host
user@host> show security dynamic-policies detail from-zone Internal to-zone Host
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses: 192.168.1.0/24
  Destination addresses: 10.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005
show security dynamic-vpn client version
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax show security dynamic-vpn client version
Release Information Command introduced in Junos OS Release 10.0.
Description Display the client software version.
Required Privilege Level view
Related Documentation
• show security dynamic-vpn users on page 133
• show security dynamic-vpn users terse on page 135
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Sample Output
user@host> show security dynamic-vpn client version
Juniper Access Manager version: 1.1.0.4165
show security dynamic-vpn users
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax show security dynamic-vpn users
Release Information Command introduced in Junos OS Release 10.0.
Description Display all relevant user information.
Required Privilege Level view
Related Documentation
• show security dynamic-vpn client version on page 132
• show security dynamic-vpn users terse on page 135
• clear security dynamic-vpn user on page 125
• clear security dynamic-vpn all on page 124
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Output Fields Table 20 on page 133 lists the output fields for the show security dynamic-vpn users
command. Output fields are listed in the approximate order in which they appear.
Table 20: show security dynamic-vpn users Output Fields
Field Name: Field Description
• User: Username.
• User-groups: Remote IPsec VPN user groups.
• Number of connections: Number of connections currently active.
• Remote IP: IP address of the client.
• IPsec VPN: Name of the IPsec VPN.
• IKE gateway: Name of the IKE gateway.
• IKE ID: IKE ID configured for the client.
• Status: Status of the connection.
Sample Output
user@host> show security dynamic-vpn users
User: alice , User group: group-one , Number of connections: 1
  Remote IP: 2.2.2.10
  IPSEC VPN: dyn_vpn2
  IKE gateway: gw2
  IKE ID : alicegw2.example.net
  IKE Lifetime: 72000
  IPSEC Lifetime: 3600
  Status: CONNECTED
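The output of show security dynamic-vpn users is what an operator reviews to see who currently holds a dynamic VPN tunnel, and the fields in Table 20 are enough to pick out records that deserve a second look: a status other than CONNECTED, one user name holding several simultaneous connections, or an IKE ID outside the naming scheme the gateway was configured for. The following is an added example, not code from the guide or from Juniper, that parses the output into one record per user and applies those three checks. The "alice" record is the guide's sample; the "bob" record and the expectation that IKE IDs end in .example.net are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample. "alice" is the record from the guide's sample output;
# "bob" is constructed to show one user name with two active connections and
# an IKE ID outside the expected domain. Pairs may share a line or not; the
# parser treats both layouts the same way.
SAMPLE_OUTPUT = """\
User: alice , User group: group-one , Number of connections: 1
  Remote IP: 2.2.2.10 IPSEC VPN: dyn_vpn2
  IKE gateway: gw2 IKE ID : alicegw2.example.net IKE Lifetime: 72000 IPSEC Lifetime: 3600 Status: CONNECTED
User: bob , User group: group-one , Number of connections: 2
  Remote IP: 203.0.113.7
  IPSEC VPN: dyn_vpn2
  IKE gateway: gw2
  IKE ID : bob.contractor.invalid
  IKE Lifetime: 72000
  IPSEC Lifetime: 3600
  Status: CONNECTED
"""

# "Key : value" pairs. Keys are words separated by single spaces (for example
# "Number of connections"); values are single tokens without spaces or commas,
# which holds for every field in Table 20.
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*([^\s,]+)")


def parse_users(text: str) -> List[Dict[str, str]]:
    """Return one dict per user; a new record starts at each line beginning with 'User:'."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("User:"):
            records.append({})
        if records:
            records[-1].update((key.strip(), value) for key, value in _PAIR.findall(line))
    return records


def review_users(records: List[Dict[str, str]],
                 ike_id_suffix: str = ".example.net") -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for records that fail one of three checks.

    ike_id_suffix is an assumption about the deployment: the gateway is expected
    to hand out host-name IKE IDs inside one domain, so anything else stands out.
    """
    findings: List[Tuple[str, str]] = []
    for rec in records:
        user = rec.get("User", "?")
        status = rec.get("Status", "")
        if status != "CONNECTED":
            findings.append((user, f"status is {status or 'missing'}"))
        if int(rec.get("Number of connections", "0")) > 1:
            findings.append((user, f"{rec['Number of connections']} simultaneous connections"))
        ike_id = rec.get("IKE ID", "")
        if not ike_id.endswith(ike_id_suffix):
            findings.append((user, f"IKE ID {ike_id} outside {ike_id_suffix}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_users(parse_users(SAMPLE_OUTPUT)):
        print(f"{user}: {reason}")
```

Run against a real capture, the parser takes the raw text of the command (for example saved from a terminal session); the regex is deliberately tolerant of the extra spaces the device prints around colons, as in "IKE ID : alicegw2.example.net".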
show security dynamic-vpn users terse
Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650
Syntax show security dynamic-vpn users terse
Release Information Command introduced in Junos OS Release 10.0.
Description Display all relevant user information.
Required Privilege Level view
Related Documentation
• show security dynamic-vpn users on page 133
• clear security dynamic-vpn user on page 125
• clear security dynamic-vpn all on page 124
• show security dynamic-vpn client version on page 132
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
Output Fields Table 21 on page 135 lists the output fields for the show security dynamic-vpn users terse
command. Output fields are listed in the approximate order in which they appear.
Table 21: show security dynamic-vpn users terse Output Fields
Field Name: Field Description
• User: Username.
• User-groups: Remote IPsec VPN user groups.
• Remote IP: IP address of the client.
• IKE ID: IKE ID configured for the client.
• Status: Status of the connection.
• Client Config Name: Name of the client configuration.
• Time Established: Time that the user connection was established.
Sample Output
user@host> show security dynamic-vpn users terse
User   User Groups  Remote IP  IKE ID                Status     IKE Lifetime  IPSEC Lifetime  Client Config Name  Time Established
alice  group-one    2.2.2.10   alicegw2.example.net  CONNECTED  72000         3600            group               Wed Aug 8 10:26:39 2012
show security ike active-peer
Supported Platforms J Series, LN Series, SRX Series
Syntax show security ike active-peer
Release Information Command introduced in Junos OS Release 10.4.
Description This command is used to display the list of connected active users with details about
the peer addresses and ports they are using.
Required Privilege Level view
Related Documentation
• show security ike security-associations on page 138
• show security ipsec security-associations on page 145
• Junos OS VPN Library for Security Devices
List of Sample Output show security ike active-peer on page 137
Sample Output
show security ike active-peer
user@host> show security ike active-peer
Remote Address   Port   Peer IKE-ID        XAUTH username   Assigned IP
172.27.6.136     8034   tleungjtac@650a    tleung           10.123.80.225
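The active-peer output and the address-assignment pool output (show network-access address-assignment pool, earlier in this chapter) describe the same clients from two sides: the IKE peer table says which XAUTH user is using which assigned address, and the pool says which address is leased to which user. Reconciling the two is a quick way to spot a stale or mis-assigned lease. The following is an added example, not code from the guide or from Juniper; both outputs below are constructed samples that reuse the guide's column layouts (the first active-peer row is the guide's own), with addresses chosen so that the two describe one gateway and include two deliberate discrepancies.

```python
from typing import Dict, List, Tuple

# Constructed "show security ike active-peer" capture. Row 1 is the guide's
# sample; rows 2 and 3 are constructed.
ACTIVE_PEER_OUTPUT = """\
Remote Address   Port   Peer IKE-ID        XAUTH username   Assigned IP
172.27.6.136     8034   tleungjtac@650a    tleung           10.123.80.225
198.51.100.20    500    jason@dvpn-auth    jason            10.123.80.226
198.51.100.21    4500   jacky@dvpn-auth    jacky            10.123.80.229
"""

# Constructed "show network-access address-assignment pool <name>" capture in
# the layout of the guide's xauth1 sample. 10.123.80.226 is leased to a
# different user than the one the peer table shows, and 10.123.80.229 is absent.
POOL_OUTPUT = """\
IP address       Hardware address     Host/User          Type
10.123.80.225    NA                   tleung@dvpn-auth   XAUTH
10.123.80.226    NA                   carol              XAUTH
10.123.80.227    00:05:1b:00:b9:01    host1              DHCP
"""


def parse_table(text: str, ncols: int) -> List[List[str]]:
    """Split whitespace-aligned CLI output into rows, skipping the header line.

    Every value in both outputs is a single token, so splitting on whitespace is
    safe; a row with the wrong field count means the capture was truncated or
    the format changed, and is reported rather than silently skipped.
    """
    rows: List[List[str]] = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) != ncols:
            raise ValueError(f"unexpected row in output: {line!r}")
        rows.append(fields)
    return rows


def pool_leases(pool_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each pool address to (user, type); Host/User may be 'user@profile' or just 'user'."""
    leases: Dict[str, Tuple[str, str]] = {}
    for ip, _hardware, host_user, lease_type in parse_table(pool_text, 4):
        leases[ip] = (host_user.split("@", 1)[0], lease_type)
    return leases


def reconcile(active_text: str, pool_text: str) -> List[Tuple[str, str, str]]:
    """Return (xauth_user, assigned_ip, problem) for each peer whose assigned
    address is not an XAUTH lease held by that same user."""
    leases = pool_leases(pool_text)
    problems: List[Tuple[str, str, str]] = []
    for _remote, _port, _ike_id, xauth_user, assigned in parse_table(active_text, 5):
        lease = leases.get(assigned)
        if lease is None:
            problems.append((xauth_user, assigned, "no lease in pool"))
        elif lease[1] != "XAUTH":
            problems.append((xauth_user, assigned, f"lease type is {lease[1]}"))
        elif lease[0] != xauth_user:
            problems.append((xauth_user, assigned, f"lease held by {lease[0]}"))
    return problems


if __name__ == "__main__":
    for user, ip, problem in reconcile(ACTIVE_PEER_OUTPUT, POOL_OUTPUT):
        print(f"{user} at {ip}: {problem}")
```

A peer with no matching lease, or a lease recorded for another user, is the case to follow up with clear security dynamic-vpn user for the affected entry and a look at the pool configuration; the comparison is by the user-name part of Host/User because the pool shows username@profile for static assignments.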
show security ike security-associations
Supported Platforms J Series, LN Series, SRX Series
Syntax show security ike security-associations
  peer-address
  brief | detail
  fpc slot-number
  index SA-index-number
  kmd-instance (all | kmd-instance-name)
  pic slot-number
  family (inet | inet6)
Release Information Command introduced in Junos OS Release 8.5. The fpc, pic, and kmd-instance options
added in Junos OS Release 9.3. The family option added in Junos OS Release 11.1.
Description Display information about Internet Key Exchange security associations (IKE SAs).
Options • none—Display standard information about existing IKE SAs, including index numbers.
• peer-address—(Optional) Display details about a particular SA based on the IPv4 or
IPv6 address of the destination peer. This option and index provide the same level of
output.
• brief—(Optional) Display standard information about all existing IKE SAs. (Default)
• detail—(Optional) Display detailed information about all existing IKE SAs.
• fpc slot-number—(Optional) Specific to SRX Series devices. Display information about
existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter
the output.
• index SA-index-number—(Optional) Display information for a particular SA based on
the index number of the SA. For a particular SA, display the list of existing SAs by using
the command with no options. This option and peer-address provide the same level of
output.
• kmd-instance—(Optional) Specific to SRX Series devices. Display information about
existing IKE SAs in the key management process (in this case, it is KMD) identified by
FPC slot-number and PIC slot-number. This option is used to filter the output.
  • all—All KMD instances running on the Services Processing Unit (SPU).
  • kmd-instance-name—Name of the KMD instance running on the SPU.
• pic slot-number—(Optional) Specific to SRX Series devices. Display information about
existing IKE SAs in this PIC slot. This option is used to filter the output.
• family—(Optional) Display IKE SAs by family. This option is used to filter the output.
  • inet—IPv4 address family.
  • inet6—IPv6 address family.
Required Privilege Level view
Related Documentation
• clear security ike security-associations
• Junos OS VPN Library for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
List of Sample Output
show security ike security-associations (IPv4) on page 141
show security ike security-associations (IPv6) on page 141
show security ike security-associations detail (Branch SRX Series Devices) on page 142
show security ike security-associations detail (For High-End SRX Series Devices) on page 142
show security ike security-associations family inet6 on page 143
show security ike security-associations index 8 detail on page 143
show security ike security-associations 1.1.1.2 on page 144
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices) on page 144
Output Fields Table 22 on page 139 lists the output fields for the show security ike security-associations
command. Output fields are listed in the approximate order in which they appear.
Table 22: show security ike security-associations Output Fields
Field Name: Field Description
• IKE Peer or Remote Address: IP address of the destination peer with which the local peer communicates.
• Index: Index number of an SA. This number is an internally generated number you can use to display information about a single SA.
• Gateway Name: Name of the IKE gateway.
• Location:
  • FPC—Flexible PIC Concentrator (FPC) slot number.
  • PIC—PIC slot number.
  • KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.
• Role: Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.
• State: State of the IKE SAs:
  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.
• Initiator cookie: Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.
• Responder cookie: Random number generated by the remote node and sent back to the initiator as a verification that the packets were received. A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.
Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchangeinformation between one another. Each exchange type determines the number ofmessages and the payload types that are contained in each message. The modes, orexchange types, are:
• main—The exchange is done with six messages. This mode or exchange type encryptsthe payload, protecting the identity of the neighbor. The authentication method usedis displayed: preshared keys or certificate.
• aggressive—The exchange is done with three messages. This mode or exchange typedoes not encrypt the payload, leaving the identity of the neighbor unprotected.
NOTE: IKEv2 protocol does not use the mode configuration for negotiation. Therefore,mode displays the version number of the security association.
Mode or Exchange type
Address of the local peer.Local
Address of the remote peer.Remote
Number of seconds remaining until the IKE SA expires.Lifetime
IKE algorithms used to encrypt and secure exchanges between the peers during the IPsecPhase 2 process:
• Authentication—Type of authentication algorithm used:
• sha1—Secure Hash Algorithm 1 authentication.
• md5—MD5 authentication.
• Encryption—Type of encryption algorithm used:
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
• aes-192-cbc— AES192-bit encryption.
• aes-128-cbc—AES 128-bit encryption.
• 3des-cbc—3 Data Encryption Standard (DES) encryption.
• des-cbc—DES encryption.
Algorithms
Specifies the IKE Diffie-Hellman group.Diffie-Hellman group
• Input bytes—Number of bytes received.
• Output bytes—Number of bytes transmitted.
• Input packets—Number of packets received.
• Output packets—Number of packets transmitted.
Traffic statistics
Copyright © 2016, Juniper Networks, Inc.140
Dynamic VPN Feature Guide for SRX Series Gateway Devices
Table 22: show security ike security-associations Output Fields (continued)
Field DescriptionField Name
Notification to the key management process of the status of the IKE negotiation:
• caller notification sent—Caller program notified about the completion of the IKEnegotiation.
• waiting for done—Negotiation is done. The library is waiting for the remote endretransmission timers to expire.
• waiting for remove—Negotiation has failed. The library is waiting for the remote endretransmission timers to expire before removing this negotiation.
• waiting for policymanager—Negotiation is waiting for a response from the policymanager.
Flags
• number created: The number of SAs created.
• number deleted: The number of SAs deleted.
IPSec security associations
Number of Phase 2 IKE negotiations in progress and status information:
• Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quickmode.
• Message ID—Unique identifier for a Phase 2 negotiation.
• Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name(proto-name:port-number,[0..id-data-len] = iddata-presentation).
• Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name(proto-name:port-number,[0..id-data-len] = iddata-presentation).
• Flags—Notification to the key management process of the status of the IKE negotiation:
• caller notification sent—Caller program notified about the completion of the IKEnegotiation.
• waiting for done—Negotiation is done. The library is waiting for the remote endretransmission timers to expire.
• waiting for remove—Negotiation has failed. The library is waiting for the remote endretransmission timers to expire before removing this negotiation.
• waiting for policymanager—Negotiation is waiting for a response from the policymanager.
Phase 2 negotiations in progress
Sample Output
show security ike security-associations (IPv4)
user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
9       1.2.1.3         UP     5ba96hfa9f650671  70890755b65b80bd  Main
Sample Output
show security ike security-associations (IPv6)
user@host> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
5       UP     e48efd6a444853cf  0d09c59aafb720be  Aggressive  1212::1112
Sample Output
show security ike security-associations detail (Branch SRX Series Devices)
user@host> show security ike security-associations detail
IKE peer 25.191.134.245, Index 2577565, Gateway Name: tropic
  Role: Initiator, State: UP
  Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 25.191.134.241:500, Remote: 25.191.134.245:500
  Lifetime: Expires in 169 seconds
  Peer ike-id: 25.191.134.245
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1012
   Output bytes  :                 1196
   Input  packets:                    4
   Output packets:                    5
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 25.191.134.241:500, Remote: 25.191.134.245:500
    Local identity: 25.191.134.241
    Remote identity: 25.191.134.245
    Flags: IKE SA is created
Sample Output
show security ike security-associations detail (For High-End SRX Series Devices)
user@host> show security ike security-associations detail
IKE peer 1.1.1.2, Index 914039858, Gateway Name: tropic
  Location: FPC 3, PIC 1, KMD-Instance 3
  Role: Initiator, State: UP
  Initiator cookie: 219a697652bdde37, Responder cookie: b49c30b229d36bcd
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expires in 26297 seconds
  Peer ike-id: 1.1.1.2
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1
Sample Output
show security ike security-associations family inet6
user@host> show security ike security-associations family inet6
IKE peer 1212::1112, Index 5, Gateway Name: tropic
  Role: Initiator, State: UP
  Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1212::1111:500, Remote: 1212::1112:500
  Lifetime: Expires in 19518 seconds
  Peer ike-id: not valid
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1568
   Output bytes  :                 2748
   Input  packets:                    6
   Output packets:                   23
  Flags: Caller notification sent
  IPSec security associations: 5 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624
    Local: 1212::1111:500, Remote: 1212::1112:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done
Sample Output
show security ike security-associations index 8 detail
user@host> show security ike security-associations index 8 detail
IKE peer 1.1.1.2, Index 8, Gateway Name: tropic
  Role: Responder, State: UP
  Initiator cookie: 3a895f8a9f620198, Responder cookie: 9040753e66d700bb
  Exchange type; main, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expired in 381 seconds
  Algorithms:
   Authentication: md5
   Encryption: 3des-cbc
   Pseudo random function hmac-md5
   Diffie-Hellman group : DH-group-5
  Traffic statistics:
   Input bytes: 11268
   Output bytes: 6940
   Input packets: 57
   Output packets: 57
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Local: 1.1.1.1:500, Remote: 1.1.1.2:500
    Local identity: No Id
    Remote identity: No Id
    Flags: Caller notification sent, Waiting for remove
Sample Output
show security ike security-associations 1.1.1.2
user@host> show security ike security-associations 1.1.1.2
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
8       UP     3a895f8a9f620198  9040753e66d700bb  Main  1.1.1.2
Sample Output
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all
Index       Remote Address  State  Initiator cookie  Responder cookie  Mode
1728053250  1.1.1.2         UP     fc959afd1070d10b  bdeb7e8c1ea99483  Main
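As an added example that is not part of the Juniper documentation, the following Python script parses the detail output whose fields Table 22 describes and reports SAs that are not UP, were negotiated in aggressive mode (which, as the table notes, leaves the peer identity unencrypted), or use MD5 or DES-class algorithms. The SAMPLE text is constructed in the layout of the sample output above; the function and class names are the example's own.

```python
"""Parse 'show security ike security-associations detail' output and flag IKE
SAs a reviewer would look at: not UP, aggressive mode (peer identity sent
unencrypted, per Table 22), or MD5/DES-class algorithms.
Added example, not Juniper code; SAMPLE is constructed in the layout of the
page's sample output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """\
IKE peer 1.1.1.2, Index 8, Gateway Name: tropic
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Lifetime: Expires in 381 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Diffie-Hellman group  : DH-group-5
  Flags: Caller notification sent

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Flags: Caller notification sent, Waiting for remove
IKE peer 1212::1112, Index 5, Gateway Name: tropic
  Role: Initiator, State: UP
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Lifetime: Expires in 19518 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : aes128-cbc
   Diffie-Hellman group  : DH-group-5
  Flags: Caller notification sent
"""

WEAK_AUTH = {"md5", "hmac-md5-96"}
WEAK_ENC = {"des-cbc", "3des-cbc"}


@dataclass
class IkeSa:
    peer: str
    index: int
    gateway: str
    role: str = ""
    state: str = ""
    exchange: str = ""
    lifetime_s: Optional[int] = None
    auth_alg: str = ""
    enc_alg: str = ""
    flags: str = ""


def _find(pattern: str, block: str) -> str:
    m = re.search(pattern, block, re.M)
    return m.group(1) if m else ""


def parse_ike_sas(text: str) -> List[IkeSa]:
    sas = []
    # Each SA begins with an unindented 'IKE peer' header; the indented lines
    # that follow, including Phase 2 sub-entries, belong to it.
    for block in re.split(r"(?m)^(?=IKE peer )", text):
        hdr = re.match(r"IKE peer (\S+), Index (\d+), Gateway Name: (\S+)", block)
        if not hdr:
            continue
        sa = IkeSa(hdr.group(1), int(hdr.group(2)), hdr.group(3))
        # SA-level 'Role: X, State: Y' (some releases print 'State:UP');
        # Phase 2 entries say 'Role: X, Message ID: N' and do not match.
        m = re.search(r"^\s*Role: (\w+), State:\s*(\w+)", block, re.M)
        if m:
            sa.role, sa.state = m.group(1), m.group(2).upper()
        sa.exchange = _find(r"^\s*Exchange type[:;]\s*(\w+),", block).lower()
        m = re.search(r"Lifetime: Expire[sd] in (\d+) seconds", block)
        if m:
            sa.lifetime_s = int(m.group(1))
        # The anchored 'Authentication :' matches the algorithm line only, not
        # the 'Authentication method:' text on the exchange-type line.
        sa.auth_alg = _find(r"^\s*Authentication\s*:\s*(\S+)", block).lower()
        sa.enc_alg = _find(r"^\s*Encryption\s*:\s*(\S+)", block).lower()
        # The first 'Flags:' line is the SA's own; later ones belong to Phase 2.
        sa.flags = _find(r"^\s*Flags:\s*(.+?)\s*$", block)
        sas.append(sa)
    return sas


def review_ike_sa(sa: IkeSa) -> List[str]:
    findings = []
    if sa.state != "UP":
        findings.append("SA is not UP (state %s)" % (sa.state or "unknown"))
    if sa.exchange == "aggressive":
        findings.append("aggressive mode: peer identity sent unencrypted")
    if sa.auth_alg in WEAK_AUTH:
        findings.append("weak IKE authentication algorithm: " + sa.auth_alg)
    if sa.enc_alg in WEAK_ENC:
        findings.append("weak IKE encryption algorithm: " + sa.enc_alg)
    return findings


def review_ike_output(text: str) -> Dict[str, List[str]]:
    """Map 'peer/index' to its findings for every SA in the output."""
    return {f"{sa.peer}/{sa.index}": review_ike_sa(sa) for sa in parse_ike_sas(text)}
```

Feed it the captured output of the command instead of SAMPLE; an empty list for a key means that SA raised nothing.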
show security ipsec security-associations
Supported Platforms J Series, LN Series, SRX Series
Syntax show security ipsec security-associations
<brief | detail>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<pic slot-number>
<family (inet | inet6)>
<vpn-name vpn-name <traffic-selector traffic-selector-name>>
Release Information Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance
options added in Junos OS Release 9.3. Support for the family option added in Junos OS
Release 11.1. Support for the vpn-name option added in Junos OS Release 11.4R3. Support
for the traffic-selector option and traffic selector field added in Junos OS Release
12.1X46-D10.
Description Display information about the IPsec security associations (SAs).
Options • none—Display information about all SAs.
• brief | detail—(Optional) Display the specified level of output.
• fpc slot-number—(Optional) Specific to SRX Series devices. Display information about
existing IPsec SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to
filter the output.
• index SA-index-number—(Optional) Display detailed information about the specified
SA identified by this index number. To obtain a list of all SAs that includes their index
numbers, use the command with no options.
• kmd-instance—(Optional) Specific to SRX Series devices. Display information about
existing IPsec SAs in the key management process (in this case, it is KMD) identified
by the FPC slot-number and PIC slot-number. This option is used to filter the output.
• all—All KMD instances running on the Services Processing Unit (SPU).
• kmd-instance-name—Name of the KMD instance running on the SPU.
• pic slot-number—(Optional) Specific to SRX Series devices. Display information about
existing IPsec SAs in this PIC slot. This option is used to filter the output.
• family—(Optional) Display SAs by family. This option is used to filter the output.
• inet—IPv4 address family.
• inet6—IPv6 address family.
• vpn-name vpn-name—Name of the VPN. If configured, traffic-selector
traffic-selector-name can optionally be specified.
Required Privilege Level
view
Related Documentation
• MPLS Feature Guide for Security Devices
• clear security ipsec security-associations
• Junos OS VPN Library for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
List of Sample Output
• show security ipsec security-associations (IPv4) on page 149
• show security ipsec security-associations (IPv6) on page 149
• show security ipsec security-associations index 5 on page 149
• show security ipsec security-associations brief on page 150
• show security ipsec security-associations detail on page 150
• show security ipsec security-associations detail (SRX Series Devices) on page 150
• show security ipsec security-associations family inet6 on page 152
• show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices) on page 152
Output Fields Table 23 on page 146 lists the output fields for the show security ipsec security-associations
command. Output fields are listed in the approximate order in which they appear.
Table 23: show security ipsec security-associations

Total active tunnels: Total number of active IPsec tunnels.

ID: Index number of the SA. You can use this number to get additional information about the SA.

VPN name: IPsec name for VPN.

Gateway: IP address of the remote gateway.

Port: If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Algorithm: Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:
• An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96, hmac-sha1-96, or ESP.
• An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.

SPI: Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

Life: sec/kb: The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Sta: State has two options, Installed and Not Installed.
• Installed—The SA is installed in the SA database.
• Not Installed—The SA is not installed in the SA database.
For transport mode, the value of State is always Installed.

Mon: The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA.

vsys or Virtual-system: The root system.

Tunnel index: Numeric identifier of the specific IPsec tunnel for the SA.

Local gateway: Gateway address of the local system.

Remote gateway: Gateway address of the remote system.

Traffic selector: Name of the traffic selector.

Local identity: Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote identity: IP address of the destination peer gateway.

DF-bit: State of the don't fragment bit: set or cleared.

Bind interface: The tunnel interface to which the VPN is bound.

Policy-name: Name of the applicable policy.

Location:
• FPC—Flexible PIC Concentrator (FPC) slot number.
• PIC—PIC slot number.
• KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance.

Direction: Direction of the SA; it can be inbound or outbound.

AUX-SPI: Value of the auxiliary security parameter index (SPI).
• When the value is AH or ESP, AUX-SPI is always 0.
• When the value is AH+ESP, AUX-SPI is always a positive integer.

Mode: Mode of the SA:
• transport—Protects host-to-host connections.
• tunnel—Protects connections between security gateways.

Type: Type of the SA:
• manual—Security parameters require no negotiation. They are static and are configured by the user.
• dynamic—Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State: State of the SA:
• Installed—The SA is installed in the SA database.
• Not Installed—The SA is not installed in the SA database.
For transport mode, the value of State is always Installed.

Protocol: Protocol supported.
• Transport mode supports Encapsulating Security Payload (ESP) and Authentication Header (AH).
• Tunnel mode supports ESP and AH.
• Authentication—Type of authentication used.
• Encryption—Type of encryption used.

Soft lifetime: The soft lifetime informs the IPsec key management system that the SA is about to expire.
Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.
• Expires in seconds—Number of seconds left until the SA expires.

Hard lifetime: The hard lifetime specifies the lifetime of the SA.
• Expires in seconds—Number of seconds left until the SA expires.

Lifesize Remaining: The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.
• Expires in kilobytes—Number of kilobytes left until the SA expires.

Anti-replay service: State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size: Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.
The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.

Bind-interface: The tunnel interface to which the route-based VPN is bound.
Sample Output
show security ipsec security-associations (IPv4)
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID      Gateway       Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  131075  11.0.28.241   500   ESP:3des/sha1   86758ff0  6918/ unlim  -    0
  131075  11.0.28.241   500   ESP:3des/sha1   3183ff26  6918/ unlim  -    0
Sample Output
show security ipsec security-associations (IPv6)
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm       SPI       Life:sec/kb  Mon  vsys  Port  Gateway
  131074  ESP:3des/sha1   14caf1d9  3597/ unlim  -    root  500   1212::1112
  131074  ESP:3des/sha1   9a4db486  3597/ unlim  -    root  500   1212::1112
Sample Output
show security ipsec security-associations index 5
user@host> show security ipsec security-associations index 5
  ID: 131073 Virtual-system: root, VPN Name: tropic
    Local gateway: 1.1.1.1, Remote gateway: 1.1.1.2
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0...7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.3
    Policy-name: my-policy

    Direction: inbound, SPI: 494001027, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expired
      Hard lifetime: Expired in 130 seconds
      Lifesize Remaining: Unlimited
      Anti-replay service: Enabled, Replay window size: 64

    Direction: inbound, SPI: 1498711950, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 40 seconds
      Hard lifetime: Expires in 175 seconds
      Lifesize Remaining: Unlimited
      Anti-replay service: Enabled, Replay window size: 64

    Direction: outbound, SPI: 4038397695, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 40 seconds
      Hard lifetime: Expires in 175 seconds
      Lifesize Remaining: Unlimited
      Anti-replay service: Enabled, Replay window size: 64
Sample Output
show security ipsec security-associations brief
user@host> show security ipsec security-associations brief
  Total active tunnels: 2
  ID      Gateway   Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  <16384  1.1.1.1   500   ESP:3des/sha1   af88baa   28795/unlim  D    0
  >16384  1.1.1.1   500   ESP:3des/sha1   f4e3e5f4  28795/unlim  D    0
Sample Output
show security ipsec security-associations detail
user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: tropic
    Local Gateway: 1.1.1.2, Remote Gateway: 1.1.1.1
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.3

    Direction: inbound, SPI: 184060842, AUX-SPI: 0
      Hard lifetime: Expires in 28785 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expired
      Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: enabled, Replay window size: 32

    Direction: outbound, SPI: 4108576244, AUX-SPI: 0
      Hard lifetime: Expires in 28785 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expired
      Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: enabled, Replay window size: 32
Sample Output
show security ipsec security-associations detail (SRX Series Devices)
user@host> show security ipsec security-associations detail
  ID: 268173313 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
    Local Gateway: 2000::1, Remote Gateway: 2000::2
    Traffic Selector Name: TS1-ipv6
    Local Identity: ipv6(10::-10::ffff:ffff:ffff:ffff)
    Remote Identity: ipv6(20::-20::ffff:ffff:ffff:ffff)
    Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
    Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 2976 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2354 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a468fece, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 2976 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2354 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173316 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
    Local Gateway: 2000::1, Remote Gateway: 2000::2
    Traffic Selector Name: TS2-ipv4
    Local Identity: ipv4(10.1.1.0-10.1.1.255)
    Remote Identity: ipv4(20.1.0.0-20.1.255.255)
    Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
    Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 417f3cea, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3586 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2948 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4344027, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3586 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2948 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173317 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
    Local Gateway: 2000::1, Remote Gateway: 2000::2
    Traffic Selector Name: TS3-ipv4
    Local Identity: ipv4(10.1.1.0-10.1.1.255)
    Remote Identity: ipv4(20.1.1.0-20.1.1.255)
    Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
    Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: cc9fb573, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3548 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2925 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4bde69b, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3548 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2925 seconds
      Mode: Tunnel(0 0), Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64
Sample Output
show security ipsec security-associations family inet6
user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 1212::1111, Remote Gateway: 1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
    Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3440 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2813 seconds
      Mode: tunnel, Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: -
      Hard lifetime: Expires in 3440 seconds
      Lifesize Remaining: Unlimited
      Soft lifetime: Expires in 2813 seconds
      Mode: tunnel, Type: dynamic, State: installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: counter-based enabled, Replay window size: 64
Sample Output
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1
  ID   Gateway   Port  Algorithm       SPI       Life:sec/kb  Mon  vsys
  <2   1.1.1.2   500   ESP:3des/sha1   67a7d25d  28280/unlim  -    0
  >2   1.1.1.2   500   ESP:3des/sha1   a23cbcdc  28280/unlim  -    0
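As an added example that is not part of the Juniper documentation, the following Python script parses the per-direction blocks of the detail output whose fields Table 23 describes and reports the conditions the table defines: an SA that is not installed, manual keying, VPN monitoring down, a soft lifetime that has expired while the hard lifetime still runs (a rekey should be under way), anti-replay off (replay window size 0), and DES-class encryption. The SAMPLE text is constructed in the layout of the sample output above; the function names are the example's own.

```python
"""Parse 'show security ipsec security-associations detail' output and report,
per SA direction, the conditions Table 23 describes: SA not installed, manual
keying, VPN monitoring down, soft lifetime expired ahead of the hard lifetime,
anti-replay off (replay window size 0), and DES-class encryption.
Added example, not Juniper code; SAMPLE is constructed in the layout of the
page's sample output.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
ID: 131073 Virtual-system: root, VPN Name: tropic
  Direction: inbound, SPI: 184060842, AUX-SPI: 0
    Hard lifetime: Expires in 28785 seconds
    Soft lifetime: Expired
    Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: enabled, Replay window size: 32
ID: 268173313 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-256-cbc
    Anti-replay service: disabled, Replay window size: 0
  Direction: outbound, SPI: a468fece, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
"""

WEAK_ENC = {"des-cbc", "3des-cbc"}

FIELDS = {  # per-direction fields, as printed in the 'detail' output
    "mode": r"Mode: ([^,]+),", "type": r"Type: (\w+),", "state": r"State: (\w+)",
    "monitoring": r"VPN Monitoring: (\S+)",
    "auth": r"Authentication: (\S+),", "enc": r"Encryption: (\S+)",
    "hard": r"Hard lifetime: (.+)", "soft": r"Soft lifetime: (.+)",
    "anti_replay": r"Anti-replay service: ([^,]+),", "window": r"Replay window size: (\d+)",
}


def _seconds(text: str) -> Optional[int]:
    m = re.search(r"(\d+) seconds", text)
    return int(m.group(1)) if m else None


def parse_ipsec_sas(text: str) -> List[dict]:
    entries = []
    # An SA starts at an 'ID:' line; each 'Direction:' sub-block under it is one
    # unidirectional SA with its own SPI, lifetimes and replay window.
    for sa_block in re.split(r"(?m)^\s*(?=ID: )", text):
        hdr = re.match(r"ID: (\d+)\s+Virtual-system: \S+, VPN Name: (\S+)", sa_block)
        if not hdr:
            continue
        for chunk in re.split(r"(?m)^\s*(?=Direction: )", sa_block)[1:]:
            d = re.match(r"Direction: (\w+), SPI: (\w+)", chunk)
            e = {"sa_id": int(hdr.group(1)), "vpn": hdr.group(2),
                 "direction": d.group(1), "spi": d.group(2)}
            for key, pattern in FIELDS.items():
                m = re.search(pattern, chunk)
                e[key] = m.group(1).strip() if m else ""
            e["state"] = e["state"].lower()
            e["hard_s"] = _seconds(e["hard"])           # None when not in seconds
            e["soft_s"] = _seconds(e["soft"])           # None when already expired
            e["soft_expired"] = e["soft_s"] is None and e["soft"].lower().startswith("expired")
            e["window"] = int(e["window"] or 0)
            entries.append(e)
    return entries


def review_entry(e: dict) -> List[str]:
    f = []
    if e["state"] != "installed":
        f.append("SA not installed in the SA database (state %s)" % (e["state"] or "unknown"))
    if e["type"] == "manual":
        f.append("manual SA: static keys, never rekeyed by IKE")
    if e["monitoring"].upper() in ("D", "DOWN"):
        f.append("VPN monitoring reports the tunnel DOWN")
    if e["soft_expired"] and e["hard_s"]:
        f.append("soft lifetime expired, hard lifetime in %d s: rekey should be under way" % e["hard_s"])
    if "enabled" not in e["anti_replay"].lower() or e["window"] == 0:
        f.append("anti-replay %s, replay window size %d" % (e["anti_replay"] or "unknown", e["window"]))
    if e["enc"] in WEAK_ENC:
        f.append("weak encryption: " + e["enc"])
    return f


def review_ipsec_output(text: str) -> Dict[str, List[str]]:
    """Map 'vpn/id/direction' to its findings for every SA direction in TEXT."""
    return {"%s/%d/%s" % (e["vpn"], e["sa_id"], e["direction"]): review_entry(e)
            for e in parse_ipsec_sas(text)}
```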
PART 4
Troubleshooting
• Access Manager on page 155
CHAPTER 14
Access Manager
• Access Manager Client-Side Error Messages on page 155
• Troubleshooting Access Manager Client-Side Problems on page 158
Access Manager Client-Side Error Messages
Supported Platforms SRX100, SRX210, SRX240, SRX650
Table 24 on page 155 lists possible errors that end users might see when installing or
running Access Manager, the possible causes for the messages, and suggested actions.
Table 24: Dynamic VPN Client-Side Errors
Suggested User ActionPossible CausesError Message
Try to reconnect to the firewall.Internal error.Component instancealready in use
Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.
Internal error.Memory allocationfailure
Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.
Internal error.Failed to loadconnection store
Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.
Internal error. Could not retrieve connectioninformation for the specified firewall.
Cannot get connectioninformation for firewall
Try to reconnect to the firewall. If the problempersists, contact your system administrator.
Internal error. Could not decipher the HTTPresponse.
Authentication failure:Unknown HTTPresponse code
Reenter your credentials.The user entered an invalid username orpassword.
Authentication failure:Incorrect username orpassword
Try to reconnect to the firewall once a license hasbeen freed by another user. If the problempersists, contact your system administrator.
All available licenses are currently being used forother dynamic VPN sessions or no licenses areinstalled for the feature.
Authentication failure:Firewall is out oflicenses
Contact your system administrator.No configuration is currently available for thespecified user account.
Authentication failure:No configurationavailable
155Copyright © 2016, Juniper Networks, Inc.
Table 24: Dynamic VPN Client-Side Errors (continued)
Suggested User ActionPossible CausesError Message
Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.
Internal error. Failed to read route entry from theconnection store.
Cannot create IPsecroute entry
Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.
Internal error. Failed to read the route entry fromthe connection store.
Failed to read routeentry from connectionstore
Table 24: Dynamic VPN Client-Side Errors (continued)

Error message: Failed to add route entry to policy
Possible causes: Internal error. Failed to add the route entry to the connection store.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Failed to initialize IPsec Manager
Possible causes: Internal error. Failed to initialize the IPsec Manager.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: IPsec authentication failed
Possible causes: Phase 1 negotiations, Extended Authentication (XAuth), or Phase 2 negotiations failed.
Suggested user action: Try to reconnect to the firewall.

Error message: IPsec configuration failed
Possible causes: Internal error or policy configuration error. The Tunnel Manager was unable to configure the local IP settings.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: IKE negotiations failed
Possible causes: The components cannot agree on security parameters during the IKE exchange. The administrator probably needs to reconfigure the Phase 1 proposal.
Suggested user action: Contact your system administrator.

Error message: Failed to initialize authentication
Possible causes: Failed to authenticate when connecting to the firewall, possibly because the specified hostname did not resolve in the Domain Name System (DNS).
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to connect to server
Possible causes: The TCP connection to the webserver failed during authentication, possibly because of network connectivity issues.
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to send initial HTTP request
Possible causes: Webserver authentication failed, possibly because of network connectivity issues.
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to get HTTP response
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Firewall refused authentication request
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Client failed to provide login page
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Server failed to send authentication request
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Server failed to respond to authentication request
Possible causes: The client sent the user's credentials to the webserver, but the server failed to respond in a useful manner.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Authentication negotiation failed
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Failed to get configuration from firewall
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: The user cancelled authentication.
Possible causes: User canceled authentication.
Suggested user action: Try to reconnect to the firewall and reenter your credentials.

Error message: Failed to enter username or password
Possible causes: Authentication request timed out.
Suggested user action: Try to reconnect to the firewall and reenter your credentials.

Error message: Server failed to request username and password
Possible causes: The client failed to display the user interface asking the user for credentials.
Suggested user action: Exit and restart Access Manager. If the problem persists, contact your system administrator.

Error message: Your client state is preventing the connection
Possible causes: The user's client is in an inoperable state.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Cannot open connection store
Possible causes: The client could not contact the connection store.
Suggested user action: Exit and restart Access Manager. If the problem persists, reinstall Access Manager.

Error message: Cannot process configuration provided by firewall
Possible causes: The script provided by the firewall was in some way unusable. The configuration might need to be updated on the server.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Access Manager is not running
Possible causes: The Access Manager service is not running.
Suggested user action: Exit and restart Access Manager.

Error message: Please select a connection
Possible causes: The user chose Start Connection without selecting a connection first.
Suggested user action: Select the firewall you want to connect to and then choose Start Connection.

Error message: Are you sure you want to delete the selected connection?
Possible causes: The user chose Delete Connection.
Suggested user action: Specify whether or not you want to delete the selected connection profile.

Error message: Cannot add new connection. Service is not running.
Possible causes: The Access Manager service is not running; therefore it cannot create a new connection profile.
Suggested user action: Exit and restart Access Manager. If the problem persists, reinstall Access Manager.

Error message: Cannot add new connection
Possible causes: The Access Manager failed to add the new connection profile.
Suggested user action: Try again. If the problem persists, exit and restart Access Manager.

Error message: Connection name is already in use
Possible causes: Unable to add connection profile because the specified connection name already exists.
Suggested user action: Specify a unique name for the connection profile.

Error message: Please reinstall Access Manager
Possible causes: Files could not be found when trying to finish the operation.
Suggested user action: Reinstall Access Manager.

Error message: Invalid server certificate
Possible causes: Certificate validation failed.
Suggested user action: Check client-side logs to determine why the certificate failed.

Error message: Initializing service...
Possible causes: Initializing one of the client's core components. If the component does not initialize, the client cannot function.
Suggested user action: Wait for the service to finish initializing.
Related Documentation

• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side System Requirements on page 117
• Access Manager Client-Side Files on page 117
• Access Manager Client-Side Registry Changes on page 120
• Troubleshooting Access Manager Client-Side Problems on page 158
Troubleshooting Access Manager Client-Side Problems

Supported Platforms: LN Series, SRX100, SRX210, SRX240, SRX650

Problem Description: Users are having problems connecting to the remote access server using Access Manager.

Solution: Use the following tools to troubleshoot client-side issues:

• Client-side logs—To view client-side logs, open Access Manager and choose Save logs and diagnostics from the File menu. Select a location on your computer to save the zipped log files and click Save.
• Detailed logs—To create more detailed client-side logs, open Access Manager and choose Enable Detailed Logging from the File menu.
• Firewall connection information—To view connection information for a given firewall, open Access Manager, right-click to select the firewall, and choose Status.
Related Documentation

• Understanding Remote Client Access to the VPN on page 6
• Access Manager Client-Side System Requirements on page 117
• Access Manager Client-Side Files on page 117
• Access Manager Client-Side Registry Changes on page 120
• Access Manager Client-Side Error Messages on page 155
PART 5

Index

• Index on page 163
Index
Symbols
#, comments in configuration statements....................xv
( ), in syntax descriptions.....................................................xv
< >, in syntax descriptions....................................................xv
[ ], in configuration statements.........................................xv
{ }, in configuration statements.........................................xv
| (pipe), in syntax descriptions...........................................xv
A
Access Configuration Statement Hierarchy..................77
Access Manager
client-side files................................................................117
error messages..............................................................155
logging..............................................................................155
overview...............................................................................3
system requirements....................................................117
Windows registry changes........................................120
access-profile statement
(Dynamic VPNs)............................................................63
(IPsec VPNs)...................................................................64
address pools.....................................................................13, 39
address-assignment statement.......................................86
B
braces, in configuration statements.................................xv
brackets
angle, in syntax descriptions......................................xv
square, in configuration statements........................xv
C
clear security dynamic-vpn all command...................124
clear security dynamic-vpn user command...............125
clients statement...................................................................64
comments, in configuration statements........................xv
config-check statement......................................................65
connection, deleting..............................................................112
conventions
text and syntax...............................................................xiv
curly braces, in configuration statements......................xv
customer support...................................................................xvi
contacting JTAC..............................................................xvi
D
documentation
comments on...................................................................xv
dynamic VPNs
address pools............................................................13, 39
client access.......................................................................6
configuration example.................................................25
configuration overview.................................................23
group IKE IDs.............................................................15, 43
individual user IKE IDs..................................................49
local authentication................................................13, 39
overview...............................................................................3
remote user access..........................................................3
shared IKE IDs............................................................15, 16
supported options............................................................7
tunnels..................................................................................7
dynamic-vpn statement......................................................66
F
firewall filters
statistics
clearing ...................................................................138
firewall-authentication statement..................................89
font conventions.....................................................................xiv
force-upgrade statement....................................................67
G
group IKE IDs......................................................................15, 43
I
IKE
group IDs.....................................................................15, 43
individual user IDs..........................................................49
shared IDs....................................................................15, 16
IKE IDs.........................................................................................49
ike statement
(Security)..........................................................................68
interface statement...............................................................70
IPsec
tunnel
creating through dynamic VPN feature...........3
ipsec statement........................................................................71
IPsec VPN client See dynamic VPNs
ipsec-vpn statement
(Dynamic VPNs).............................................................72
L
local authentication.........................................................13, 39
M
manuals
comments on...................................................................xv
P
parentheses, in syntax descriptions.................................xv
Primary-level entry
secondary-level entry...................................................34
Primary-level entry only.......................................................34
profile statement.....................................................................91
R
registry changes, Access Manager.................................120
Remote Access Management Solution See dynamic VPNs
remote access server
overview...............................................................................3
remote access VPN See dynamic VPNs
remote user access VPN See dynamic VPNs
remote-exceptions statement...........................................73
remote-protected-resources statement........................73
S
Security Configuration Statement Hierarchy................61
shared IKE IDs.....................................................................15, 16
show network-access address-assignment pool
command............................................................................126
show security dynamic-policies command.................127
show security dynamic-vpn client version..................132
show security dynamic-vpn users..................................133
show security dynamic-vpn users terse.......................135
show security ike active-peer command......................137
show security ike security-associations
command............................................................................138
show security ipsec security-associations
command............................................................................145
support, technical See technical support
syntax conventions................................................................xiv
system-generated-certificate statement.....................95
T
technical support
contacting JTAC..............................................................xvi
traceoptions statement
(dynamic-vpn)................................................................74
U
user statement.........................................................................75
user-groups statement.........................................................75
V
VPNs
dynamic VPN See dynamic VPNs
remote user access See dynamic VPNs
W
wan-acceleration statement.............................................96
web-management statement..........................................98
Windows registry changes, Access Manager.............120