Step 1. Configure Dynamic VPN Users and IP Address Pool
set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rd
set access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool
set access address-assignment pool Dynamic-VPN-Pool family inet network 10.14.0.0/24
set access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.0.0.10/32
set access firewall-authentication web-authentication default-profile Dynamic-XAuth
Step 2. Configure IPSec Phase 1
set security ike proposal Dynamic-VPN-P1-Proposal description "Dynamic P1 Proposal"
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy description "Dynamic P2 Policy"
set security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
set security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname vpn.domain.com
set security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
set security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0/0/0.0
set security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth
Step 3. Configure IPSec Phase 2
set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposal
set security ipsec proposal Dynamic-P2-Proposal protocol esp
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
set security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
set security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
set security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
set security ipsec vpn Dynamic-VPN establish-tunnels immediately
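The Phase 1 and Phase 2 lines above pick 3DES, SHA-1, DH group 2, aggressive mode and a single shared pre-shared key for all dynamic peers. The script below is an added example, not part of the original post: it reads Junos "set" lines and lists the parameters that current guidance (RFC 8247) treats as legacy, so the proposal can be reviewed before it is committed. The sample input is constructed from the lines on this page; the LEGACY table is this example's own mapping.

```python
"""Flag legacy IKE/IPsec parameters in Junos 'set' configuration lines.

Added example, not code from the original post. The sample below is
constructed from the Phase 1 / Phase 2 lines of this page.
"""

# Constructed sample input: the crypto-relevant lines of Steps 2 and 3.
SAMPLE_CONFIG = """\
set security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
set security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
set security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
set security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
set security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
set security ike policy Dynamic-VPN-P2-Policy mode aggressive
set security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
set security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
set security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
"""

# Values that RFC 8247 guidance treats as legacy. The mapping itself is this
# example's choice, not anything the SRX enforces.
LEGACY = {
    "dh-group": {"group1", "group2"},
    "encryption-algorithm": {"des-cbc", "3des-cbc"},
    "authentication-algorithm": {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"},
    "mode": {"aggressive"},
}


def audit_config(config_text):
    """Return a list of (keyword, value, line) for each legacy setting found."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set security "):
            continue
        tokens = line.split()
        # Junos set lines end with "<keyword> <value>".
        keyword, value = tokens[-2], tokens[-1]
        if value in LEGACY.get(keyword, ()):
            findings.append((keyword, value, line))
        # With shared-ike-id the one PSK is the only Phase 1 credential shared
        # by every dynamic peer, so record it for a strength/rotation review.
        if "pre-shared-key ascii-text" in line:
            findings.append(("pre-shared-key", "ascii-text", line))
    return findings


def summarize(findings):
    """Group the flagged values by keyword for a short report."""
    report = {}
    for keyword, value, _ in findings:
        report.setdefault(keyword, set()).add(value)
    return report


if __name__ == "__main__":
    for keyword, value, line in audit_config(SAMPLE_CONFIG):
        print(f"{keyword}={value}: {line}")
```

Run against the page's own lines it reports six items: the DH group, both SHA-1 integrity choices, 3DES, aggressive mode and the ascii-text PSK. Swapping in group14 or higher, aes-256-cbc for Phase 1 and sha-256 / hmac-sha-256-128 clears the first four; the PSK finding is there to make sure the shared key is long and rotated, since with shared-ike-id every client uses it.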
Step 4. Configure Dynamic VPN Parameters
set security dynamic-vpn force-upgrade
set security dynamic-vpn access-profile Dynamic-XAuth
set security dynamic-vpn clients all remote-protected-resources AA.AA.AA.AA/27 BB.BB.BB.BB/28
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
set security dynamic-vpn clients all user Jed
set security dynamic-vpn clients all remote-protected-resources AA.AA.AA.AA/27
set security dynamic-vpn clients all remote-protected-resources BB.BB.BB.BB/28
Step 5. Configure NAT
set security nat source rule-set VPN_NAT from zone untrust
set security nat source rule-set VPN_NAT to zone [ untrust trust ]
set security nat source rule-set VPN_NAT rule r1 match source-address 10.14.0.0/24
set security nat source rule-set VPN_NAT rule r1 match destination-address [ AA.AA.AA.AA/27 BB.BB.BB.BB/28 ]
set security nat source rule-set VPN_NAT rule r1 then source-nat interface
Note.
A destination-address match cannot contain more than 8 subnets. If more are needed, create another rule (set security … VPN_NAT rule r2…) with the same parameters but with the required destination-address.
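The 8-subnet limit per rule means a longer list of protected networks has to be split across r1, r2 and so on. The generator below is an added example, not part of the original post: it emits the rule-set lines from Step 5 and chunks the destination prefixes into rules of at most 8. The prefixes are constructed from the TEST-NET-1 range because the page's real AA/BB networks are not given.

```python
"""Generate the VPN_NAT source-NAT rule set, splitting destination prefixes
into rules of at most 8 (the per-rule limit noted above).

Added example, not code from the original post. The sample prefixes are
constructed from TEST-NET-1 (192.0.2.0/24).
"""


def nat_rule_set(rule_set, from_zone, to_zones, source, destinations, max_per_rule=8):
    """Return Junos 'set' lines: the rule-set zones, then rules r1, r2, ..."""
    base = f"set security nat source rule-set {rule_set}"
    lines = [
        f"{base} from zone {from_zone}",
        f"{base} to zone [ {' '.join(to_zones)} ]",
    ]
    # One rule per chunk of max_per_rule destinations, numbered r1, r2, ...
    for idx, start in enumerate(range(0, len(destinations), max_per_rule), start=1):
        chunk = destinations[start:start + max_per_rule]
        rule = f"{base} rule r{idx}"
        lines.append(f"{rule} match source-address {source}")
        lines.append(f"{rule} match destination-address [ {' '.join(chunk)} ]")
        lines.append(f"{rule} then source-nat interface")
    return lines


# Constructed sample: ten /28 prefixes, so the 8-per-rule limit forces r1 and r2.
SAMPLE_DESTINATIONS = [f"192.0.2.{16 * i}/28" for i in range(10)]

if __name__ == "__main__":
    print("\n".join(nat_rule_set("VPN_NAT", "untrust", ["untrust", "trust"],
                                 "10.14.0.0/24", SAMPLE_DESTINATIONS)))
```

With the ten sample prefixes the output is the two zone lines plus six rule lines: r1 carries eight destinations and r2 the remaining two, each with the same source-address and interface source-nat action as the page's r1.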
Step 6. Configure the Permit Policy
set security address-book global address VPN_NET 10.14.0.0/24
set security address-book global address AA_NET01 AA.AA.AA.AA/27
set security address-book global address BB_NET02 BB.BB.BB.BB/28
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match source-address VPN_NET
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match destination-address [ AA_NET01 BB_NET02 ]
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match application any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust then permit
Step 7. Verifying IPSec Connection
root@SRX240> show security dynamic-vpn users
root@SRX240> show security dynamic-vpn client version
root@SRX240> show security ike active-peer
root@SRX240> show security ike security-associations
root@SRX240> show security ipsec security-associations
root@SRX240> show security flow session source-prefix 10.14.0.0/24
Information taken from http://www.mustbegeek.com/configure-dynamic-remote-access-vpn-in-juniper-srx/ with some additions.
The Pulse Secure client is used for the connection; it can be downloaded either from the official site or directly from the SRX web interface.
Step 8. LDAP Authentication
Unfortunately, I happen to have exactly this version:
>show system software
Information for junos:
Comment:
JUNOS Software Release [12.1X44-D20.3]
[SRX] LDAP authentication not working with Dynamic VPN (https://kb.juniper.net/InfoCenter/index?page=content&id=KB19869)