{"id":5406,"date":"2018-01-09T13:40:58","date_gmt":"2018-01-09T11:40:58","guid":{"rendered":"http:\/\/skeletor.org.ua\/?p=5406"},"modified":"2018-01-09T16:53:31","modified_gmt":"2018-01-09T14:53:31","slug":"juniper-srx-550-vpn-pulse-secure-ldap-auth","status":"publish","type":"post","link":"https:\/\/skeletor.org.ua\/?p=5406","title":{"rendered":"[Juniper] SRX 550: VPN (Pulse Secure) + LDAP auth"},"content":{"rendered":"

Step 1. Configure Dynamic VPN Users and IP Address Pool<\/strong><\/span><\/p>\n

set access profile Dynamic-XAuth client Jed firewall-user password P@ssw0rd
\nset access profile Dynamic-XAuth address-assignment pool Dynamic-VPN-Pool
\nset access address-assignment pool Dynamic-VPN-Pool family inet network 10.14.0.0\/24
\nset access address-assignment pool Dynamic-VPN-Pool family inet xauth-attributes primary-dns 10.0.0.10\/32
\nset access firewall-authentication web-authentication default-profile Dynamic-XAuth<\/code><\/p>\n

<\/p>\n

Step 2. Configure IPSec Phase 1<\/span><\/strong><\/p>\n

set security ike proposal Dynamic-VPN-P1-Proposal description \"Dynamic P1 Proposal\"
\nset security ike proposal Dynamic-VPN-P1-Proposal authentication-method pre-shared-keys
\nset security ike proposal Dynamic-VPN-P1-Proposal dh-group group2
\nset security ike proposal Dynamic-VPN-P1-Proposal authentication-algorithm sha1
\nset security ike proposal Dynamic-VPN-P1-Proposal encryption-algorithm 3des-cbc
\nset security ike proposal Dynamic-VPN-P1-Proposal lifetime-seconds 1200
\nset security ike policy Dynamic-VPN-P2-Policy mode aggressive
\nset security ike policy Dynamic-VPN-P2-Policy description \"Dynamic P2 Policy\"
\nset security ike policy Dynamic-VPN-P2-Policy proposals Dynamic-VPN-P1-Proposal
\nset security ike policy Dynamic-VPN-P2-Policy pre-shared-key ascii-text test@123
\nset security ike gateway Dynamic-VPN-P1-Gateway ike-policy Dynamic-VPN-P2-Policy
\nset security ike gateway Dynamic-VPN-P1-Gateway dynamic hostname vpn.domain.com
\nset security ike gateway Dynamic-VPN-P1-Gateway dynamic ike-user-type shared-ike-id
\nset security ike gateway Dynamic-VPN-P1-Gateway external-interface ge-0\/0\/0.0
\nset security ike gateway Dynamic-VPN-P1-Gateway xauth access-profile Dynamic-XAuth<\/code><\/p>\n

Step 3. Configure IPSec Phase 2<\/span><\/strong><\/p>\n

set security ipsec proposal Dynamic-P2-Proposal description Dynamic-VPN-P2-Proposal
\nset security ipsec proposal Dynamic-P2-Proposal protocol esp
\nset security ipsec proposal Dynamic-P2-Proposal authentication-algorithm hmac-sha1-96
\nset security ipsec proposal Dynamic-P2-Proposal encryption-algorithm aes-256-cbc
\nset security ipsec proposal Dynamic-P2-Proposal lifetime-seconds 3600
\nset security ipsec policy Dynamic-P2-Policy perfect-forward-secrecy keys group5
\nset security ipsec policy Dynamic-P2-Policy proposals Dynamic-P2-Proposal
\nset security ipsec vpn Dynamic-VPN ike gateway Dynamic-VPN-P1-Gateway
\nset security ipsec vpn Dynamic-VPN ike ipsec-policy Dynamic-P2-Policy
\nset security ipsec vpn Dynamic-VPN establish-tunnels immediately<\/code><\/p>\n

Step 4. Configure Dynamic VPN Parameters<\/strong><\/span><\/p>\n

set security dynamic-vpn force-upgrade
\nset security dynamic-vpn access-profile Dynamic-XAuth
\nset security dynamic-vpn clients all remote-protected-resources AA.AA.AA.AA\/27 BB.BB.BB.BB\/28
\nset security dynamic-vpn clients all remote-exceptions 0.0.0.0\/0
\nset security dynamic-vpn clients all ipsec-vpn Dynamic-VPN
\nset security dynamic-vpn clients all user Jed
\nset security dynamic-vpn clients all remote-protected-resources AA.AA.AA.AA\/27
\nset security dynamic-vpn clients all remote-protected-resources BB.BB.BB.BB\/28<\/code><\/p>\n

Step 5. Configured NAT<\/strong><\/span><\/p>\n

set security nat source rule-set VPN_NAT from zone untrust
\nset security nat source rule-set VPN_NAT to zone [ untrust trust ]
\nset security nat source rule-set VPN_NAT rule r1 match source-address 10.14.0.0\/24
\nset security nat source rule-set VPN_NAT rule r1 match destination-address [ AA.AA.AA.AA\/27 BB.BB.BB.BB\/28 ]
\nset security nat source rule-set VPN_NAT rule r1 then source-nat interface<\/code><\/p>\n

\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435.<\/strong><\/em><\/span><\/p>\n

\u0412\u00a0destination-address<\/strong> \u043d\u0435\u043b\u044c\u0437\u044f \u0443\u043a\u0430\u0437\u0430\u0442\u044c \u0431\u043e\u043b\u044c\u0448\u0435 8 \u043f\u043e\u0434\u0441\u0435\u0442\u0435\u0439. \u0415\u0441\u043b\u0438 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0431\u043e\u043b\u044c\u0448\u0435, \u0442\u043e\u0433\u0434\u0430 \u0441\u043e\u0437\u0434\u0430\u0451\u043c \u0435\u0449\u0451 \u043f\u0440\u0430\u0432\u0438\u043b\u043e (set security … VPN_NAT rule r2…<\/strong>) \u0441 \u0442\u0435\u043c\u0438 \u0436\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c\u0438, \u043d\u043e \u0441 \u043d\u0443\u0436\u043d\u044b\u043c destination-address<\/strong>.<\/p>\n

Step 6. Configured allowed policy<\/strong><\/span><\/p>\n

set security address-book global address VPN_NET 10.14.0.0\/24
\nset security address-book global address AA_NET01 AA.AA.AA.AA\/27
\nset security address-book global address BB_NET02 BB.BB.BB.BB\/28
\nset security policies from-zone untrust to-zone untrust policy untrust-to-untrust match source-address VPN_NET
\nset security policies from-zone untrust to-zone untrust policy untrust-to-untrust match destination-address [ AA_NET01 BB_NET02 ]
\nset security policies from-zone untrust to-zone untrust policy untrust-to-untrust match application any
\nset security policies from-zone untrust to-zone untrust policy untrust-to-untrust then permit<\/code><\/p>\n

Step 7. Verifying IPSec Connection<\/strong><\/span><\/p>\n

root@SRX240> show security dynamic-vpn users
\nroot@SRX240> show security dynamic-vpn client version
\nroot@SRX240> show security ike active-peer
\nroot@SRX240> show security ike security-associations
\nroot@SRX240> show security ipsec security-associations
\nroot@SRX240> show security flow session source-prefix 10.14.0.0\/24<\/code><\/p>\n

\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u0432\u0437\u044f\u0442\u0430 \u0441\u00a0http:\/\/www.mustbegeek.com\/configure-dynamic-remote-access-vpn-in-juniper-srx\/ \u0441 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u043c\u0438 \u0434\u043e\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f\u043c\u0438.<\/p>\n

\u0414\u043b\u044f \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043a\u043b\u0438\u0435\u043d\u0442 Pulse Secure<\/strong>, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u043d\u043e \u0441\u043a\u0430\u0447\u0430\u0442\u044c \u043b\u0438\u0431\u043e \u0441 \u043e\u0444\u0438\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0441\u0430\u0439\u0442\u0430 \u043b\u0438\u0431\u043e \u043f\u0440\u044f\u043c\u043e \u0438\u0437 web-\u043c\u043e\u0440\u0434\u044b SRX’a<\/p>\n

Step 8. LDAP AUTH<\/strong><\/span><\/p>\n

\u041a \u0441\u043e\u0436\u0430\u043b\u0435\u043d\u0438\u044e \u0443 \u043c\u0435\u043d\u044f \u043a\u0430\u043a \u0440\u0430\u0437 \u0432\u0435\u0440\u0441\u0438\u044f<\/p>\n

>show system software
\nInformation for junos:
\nComment:
\nJUNOS Software Release [12.1X44-D20.3]<\/code><\/p>\n

[SRX] LDAP authentication not working with Dynamic VPN (https:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=KB19869)<\/p>\n

SUMMARY:<\/strong><\/p>\n

\n

Unable to integrate LDAP authentication with Dynamic VPN<\/p>\n<\/div>\n

SYMPTOMS:<\/strong><\/p>\n

\n

Dynamic VPN XAuth is not working when external LDAP server is used.<\/p>\n

This applies to SRX platforms (SRX100, SRX210, SRX240, SRX650) and with the following versions of Junos:<\/p>\n