Juniper SRX Dynamic VPN Guide

Dynamic VPN is Juniper’s clientless solution for remote access IPSEC VPN. This client is dynamically delivered from the SRX to end users, and simplifies remote access by enabling users to establish secure IPSec VPN tunnels without having to configure VPN settings on their computers. This process is initiated by the client browsing to https://<serverhost>/dynamic-vpn and authenticates using a username and password.

The configuration is rather straightforward, but again, there are some details we cannot afford to miss

There are three steps to configure Dynamic-VPN:

  1. Configure VPN tunnel
  2. Configuring the authentication and IP address assignment parameters
  3. Associating VPNs users with dynamic-vpn configurations

Juniper SRX Dynamic VPN Guide Step 0 – Initial configuration

But we will begin with this initial step. Why it is so important? Because of the Pulse Secure client. This example is shown on Juniper SRX 100H2 device with JUNOS 12.1X44-D15.5. And for Dynamic VPN I used Pulse Secure from the Juniper – and the connection didn’t work – It was in Connecting status. The problem was solved by installing Pulse Secure version 5.1.5, so use this or higher version on client PC’s.

Next, let’s check the initial config. The scheme is simple – fe-0/0/0.0 is used for internet connections, DHCP is off, and all other interfaces are configured to use the default vlan.0. There is a simple NAT rule for NATing internal clients to external network, and two zones, Internet and Internal.

The dynamic-vpn portal requires the services of the https daemon, which can be enabled under the [system services webmanagement https] hierarchy. This configuration step is only required if this service is not already enabled. If this service is already enabled for J-web access, no further configuration is required. In order to enable this service only for dynamicvpn access, without allowing for J-web access on any interface, simply configure the service without specifying any interface for J-web, as shown below:

Juniper SRX Dynamic VPN Guide Step 1 – Configure VPN tunnel

The security zone hosting the interfaces used to terminate the dynamic VPN need to allow IKE and HTTPS host-inbound traffic (IKE and HTTPS are required at a minimum).

Remote access tunnels are supported only using policy-based VPNs, we therefore need to configure a security policy allowing encrypted traffic from the clients which, in the deployment scenario described in this application note, comes from the untrust zone to the trust networks.

NOTE: Placement of this VPN security policy is important. It needs to be placed above more specific non-VPN policies so that traffic that is intended to be sent over the VPN is processed correctly.

Juniper SRX Dynamic VPN Guide Step 2 – Configuring the authentication and IP address assignment parameters

But there is a little detail – if addresses that are given to dynamic VPN clients belong to the same network as Trust zone – SRX would have to respond to ARP requests to the addresses in the pool from machines in the Trust zone. This can be achieved by configuring proxy-arp as shown below, and it is only needed if the configured pool belongs to one of the subnets of the interfaces directly connected to the SRX. Of course, if these addresses do not belong to the addresses of a directly connected interfaces, other devices in the network will need a route pointing to this pool, in order to reach the client machines behind the tunnel.

Juniper SRX Dynamic VPN Guide Step 3 – Associating VPNs users with dynamic-vpn configurations

At this point we have the IPSec VPN configuration we want to use for the dynamic-vpn tunnels and we have created an access profile that is used for IPSec extended authentication (xauth). Every time a user attempts to establish a dynamicVPN connection to an SRX, the latest available configuration is pushed to the client. In order to do this, there must be a way to associate IPSec VPN configurations with client names.

Juniper SRX Dynamic VPN Guide Troubleshooting Dynamic VPN

Of course, we have to know methods of troubleshooting dynamic VPN if something goes wrong or the connection couldn`t be established. The first I suggest you to do – is check your configuration. Here you can find full working config for Dynamic VPN to work.

Listing of all VPN errors will also be very helpful in troubleshooting.

Phase 1 IKE Troubleshooting

Here we can see Juniper step-by-step procedure of analyzing phase 1 ike. Useful commands are:

Notice the State information – it must be UP

Phase 2 IKE Troubleshooting

Show inactive tunnels and the error:

Next, you can display the number of concurrent connections for each connected user, and the negotiated parameters for that user:

Juniper SRX Dynamic VPN Guide – Log and trace gathering:

If the above commands do a little help to you, then we must enable traceoptions and analyze logs deeply:

Then, we can view them with the command:

But what if…

Juniper SRX Dynamic VPN Guide – VPN is up, but is not passing traffic

And here is another one Step-by-step diagnostics from Juniper

May be the root of the issue is in security policies? Then you can check that with these commands:

The most useful – show sessions table and the policy names for them

Juniper SRX Dynamic VPN Guide Case: SRX Dynamic VPN behind NAT

In this example, the SRX device has the external-interface as On the static NAT device, it is NAT’ing as the IP address. The required IKE configuration is:

Notice that the local-identity is specified as the external public IP address, which the external-interface is advertised as out to the Pulse client. The pulse client will point its connection to the NAT’d IP address