Overview:These steps are reqired to enable a vpn between your laptop and the juniper srx firewall. Configure Authentication and IPs for Remote Clients:Define address(dhcp) poolwhat IP range to give vpn'ed users, and what dns they should get set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
Define users:define users, their passwords, and what dhcp pool they should use set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
Enable web auth.allow a group of users to web auth in for vpn set access firewall-authentication web-authentication default-profile dyn-vpn-access-profileConfigure P1 & P2 for the VPN TunnelIke policy (phase1)define phase1 shared key set security ike policy ike-dyn-vpn-policy mode aggressiveset security ike policy ike-dyn-vpn-policy proposal-set standardset security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"Ike gateway (phase1)link p1 gateway to policy, what interface it should listen on, and what users should be allowed on it. set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policyset security ike gateway dyn-vpn-local-gw dynamic hostname dynvpnset security ike gateway dyn-vpn-local-gw dynamic connections-limit 10set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-idset security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profileWhere Ipsec (phase2)define p2, link it to an interface (gateway), and p1 policy set security ipsec policy ipsec-dyn-vpn-policy proposal-set standardset security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gwset security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policyCreate Security Policies and ACLs for inbound trafficconfigure security policycreate acl, and allow match to p2 gateway set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address anyset security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address anyset security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application anyset security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpnconfig host inbound trafficallow ike, https, and ping on the outside interface of the firewall. set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ikeset security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services httpsset security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services pingAssociate the Dynamic VPN with remote clientsdefine the access profile to use with dynamic vpnallow users to use dynamic vpn: set security dynamic-vpn access-profile dyn-vpn-access-profilelist clients who can connect with dynamic vpnallow users to vpn in. set security dynamic-vpn clients all ipsec-vpn dyn-vpnset security dynamic-vpn clients all user client1set security dynamic-vpn clients all user client2set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0Map of the interlinks References:
|