Monday, 23 September 2013

SRX IPSec VPN - Dynamic (Client VPN) Part 1

In this post dynamic client based IPSec will be configured. This exercise assumes that basic system and IP configuration are already present and only contains configuration related to this specific task.

Dynamic Client VPN can be used to allow remote clients to securely connect to the SRX (Branch Series Only). By default, two dynamic-vpn licenses are included with any branch SRX. Juniper has two types of clients, Junos Pulse and Junos Access Manager. When running Junos version 11.1 or later the Junos Pulse client is provided to the client by the SRX. There were also historical requirements which made it mandatory to use RADIUS for authentication, however this is no longer the case as of Junos 10.4.

Upon initial connection to the SRX https interface the client will be downloaded and launched. Subsequent connections can happen the same way or the client can be launched directly once already installed.

The diagram below outlines the lab topology.

Configure SRX
1. Create Access Profile, Address Pool and Firewall Authentication 
In this step the username/password, IP addresses for clients and authentication profile are created. Some of these steps will look similar to steps when configuring firewall authentication in security policies. Although not part of this exercise, RADIUS could be configured at this step. The screenshot below outlines the commands.

2. Configure IPSec Phase 1 Policy
This step kicks off the traditional IPSec configuration. The next four steps will look very similar to the steps found in the previous IPSec posts. The screenshot below outlines the IKE policy configuration.

3. Configure IPSec Phase 1 Gateway
In this step the IKE gateway is configured. There are some key components to understand when configuring IKE gateways for dynamic VPN clients. 'dynamic hostname' is needed because the public IP address of the client is not static and is not known to the SRX. 'ike-user-type group-ike-id' is needed to allow many (in this case two) clients to share the same IPSec configuration. 'xauth access-profile' is needed to obtain username/password information and to push client IP/DNS information to the client. See below for details.

4. Configure IPSec Phase 2 Policy
This step outlines a typical IPSec policy configuration.

5. Configure IPSec Phase 2 VPN
This step outlines a typical IPSec VPN configuration.

6. Configure IPSec Dynamic VPN
This step is needed to associate the configured users with the IPSec VPNs. The access profile created in step 1 is referenced here. The command 'remote-protected-resources' outlines the prefixes that should use the IPSec tunnel on the client machine. The command 'remote-exceptions' outlines prefixes which should NOT use the tunnel. Lastly the VPN is referenced along with the configured user. See below for CLI commands.

7. Create Security Policies
In this step the security policy is configured. Only policy-based VPNs are supported for dynamic client VPN.

8. Configure Proxy-ARP
Proxy-ARP is needed so the SRX can respond to ARP requests on behalf of the remote client. This allows traffic destined for the remote client to be forwarded to the SRX.

9. Modify Host-Inbound-Traffic
Two services need to be allowed to the SRX device. IKE allows the IPSec VPN to form to the SRX device, and HTTPS allows the remote user to launch the initial session to the HTTPS portal page.

10. Enable HTTPS Service
The HTTPS daemon needs to be running for client VPN access to work. This service needs to be enabled under system services web-management. To ensure that only VPN access is used on the external interface (and not J-Web), the management interface can be specified. This ensures that J-Web can only be used on the internal interface (vlan.192) even though HTTPS is allowed on both the internal and external interfaces. See the screenshot below for command details.

The chart below outlines the web-management behavior in releases 10.4 and later.
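The following set commands cover the whole SRX procedure above in one place. They are an added example, not the screenshots from the original post; the interface names (ge-0/0/0.0 in the untrust zone, vlan.192 in the trust zone), the 192.168.1.0/24 LAN, the client pool range, the DNS server, the user name, the password and the pre-shared key are assumed lab values. The `#` lines are annotations only.

```junos
# Access profile, client address pool and firewall authentication (assumed user/pool values)
set access profile dyn-vpn-profile client user1 firewall-user password "ChangeMe-user1"
set access profile dyn-vpn-profile address-assignment pool dyn-vpn-pool
set access address-assignment pool dyn-vpn-pool family inet network 192.168.1.0/24
set access address-assignment pool dyn-vpn-pool family inet range r1 low 192.168.1.200 high 192.168.1.210
set access address-assignment pool dyn-vpn-pool family inet xauth-attributes primary-dns 192.168.1.10/32
set access firewall-authentication web-authentication default-profile dyn-vpn-profile
# Phase 1 (IKE) proposal and policy; the dynamic client uses aggressive mode with a pre-shared key
set security ike proposal ike-dyn-prop authentication-method pre-shared-keys
set security ike proposal ike-dyn-prop dh-group group2
set security ike proposal ike-dyn-prop authentication-algorithm sha1
set security ike proposal ike-dyn-prop encryption-algorithm aes-128-cbc
set security ike policy ike-dyn-pol mode aggressive
set security ike policy ike-dyn-pol proposals ike-dyn-prop
set security ike policy ike-dyn-pol pre-shared-key ascii-text "ChangeMe-PSK"
# Phase 1 gateway: dynamic hostname, group IKE ID shared by all clients, XAuth against the profile
set security ike gateway dyn-vpn-gw ike-policy ike-dyn-pol
set security ike gateway dyn-vpn-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-gw xauth access-profile dyn-vpn-profile
# Phase 2 proposal, policy and VPN
set security ipsec proposal ipsec-dyn-prop protocol esp
set security ipsec proposal ipsec-dyn-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-dyn-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-dyn-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-pol proposals ipsec-dyn-prop
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-pol
# Dynamic VPN: only the LAN prefix is tunnelled, everything else is a split-tunnel exception
set security dynamic-vpn access-profile dyn-vpn-profile
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user1
# Policy-based VPN from untrust into trust (tunnel action references the VPN)
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-in then permit tunnel ipsec-vpn dyn-vpn
# Proxy-ARP on the LAN interface for the client pool addresses
set security nat proxy-arp interface vlan.192 address 192.168.1.200/32 to 192.168.1.210/32
# Host-inbound traffic: IKE and HTTPS towards the external interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
# HTTPS daemon; naming vlan.192 keeps J-Web off the external interface while the VPN portal stays reachable
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.192
```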

Verify Operation
1. Launch VPN (Web)
The screenshot below outlines the external web page for connecting to the client VPN.

The client is launched and the remote user has access to the segment. Alternatively the user can manually install the client from a link provided on this page if there were issues with the automatic launch in the previous step.

Junos Pulse can also be used to connect to the SRX. When using Junos Pulse you do not need to browse to the HTTPS site, you simply enter in the information and log in. When using Junos Pulse you will need to enter your credentials twice. Ensure the type is set to SRX. The server URL will be the public IP address of the SRX. Note: "HTTPS://" is not required, simply enter the IP address alone. Alternatively DNS could be used so that a DNS name could be used to connect.  

Verify Operation
1. Show IKE/Phase 1 Security Associations
The screenshot below outlines the Phase1/IKE security association.

2. Show IPSec/Phase 2 Security Associations
The screenshot below outlines the Phase2 security association. We can assume that this remote client is functioning normally as both security associations are up.

In this post dynamic client based IPSec VPNs were configured. This allows a remote user to connect and gain access to specific internal networks. Traditional client based VPN solutions would call this 'split-tunnel' VPN as only select destinations use the encrypted tunnel. Forcing all traffic down the encrypted tunnel is also possible and will be examined in the next post.
