The NCP remote vpn client is a great client. Simple to build proposals and user profiles. One negative tho, you can not export existing profile with ease.
I will show you
howto do a ike group-based vpn . It's similar to standard dynamic-group-vpn, but the ike user type is set to
shared
e.g
set security ike gateway myvpngw dynamic ike-user-type shared-ike-id <-------
I will explain the difference on
shared-ike-id vr
user+group later.
Here's a few details of the platforms involved from the VPNserver and RADIUS-aaS
JUNOS 15.1X49-D110.4
NCP Macosx verson3 rev35061
AUTH XAUTH
RADIUS_REMOTE ( JUMPCLOUD )
For this vpn settings, I decided to use defined proposal of AES256 with auth md5/sha1/sha256 types which we will use in the NCP client settings
ike
set security ike proposal AES256SHA1 authentication-method pre-shared-keys
set security ike proposal AES256SHA1 dh-group group5
set security ike proposal AES256SHA1 authentication-algorithm sha1
set security ike proposal AES256SHA1 encryption-algorithm aes-256-cbc
set security ike proposal AES256MD5 authentication-method pre-shared-keys
set security ike proposal AES256MD5 dh-group group5
set security ike proposal AES256MD5 authentication-algorithm md5
set security ike proposal AES256MD5 encryption-algorithm aes-256-cbc
set security ike proposal AES256SHA256 authentication-method pre-shared-keys
set security ike proposal AES256SHA256 dh-group group5
set security ike proposal AES256SHA256 authentication-algorithm sha-256
set security ike proposal AES256SHA256 encryption-algorithm aes-256-cbc
NOTE BCPs suggest using dhgrp 14 or stronger, but to support clients who might have a older vpn-client software I'm using PFS+group5
IPSEC
set security ipsec proposal AES256SHA256 protocol esp
set security ipsec proposal AES256SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal AES256SHA256 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256SHA256 lifetime-seconds 3600
set security ipsec proposal AES256SHA1 protocol esp
set security ipsec proposal AES256SHA1 authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256SHA1 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256SHA1 lifetime-seconds 3600
set security ipsec proposal AES256MD5 protocol esp
set security ipsec proposal AES256MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal AES256MD5 encryption-algorithm aes-256-cbc
set security ipsec proposal AES256MD5 lifetime-seconds 3600
=======================================================
Now to wrap this up you need to set the ike and ipsec policies for the gateway
set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256MD5
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256SHA1
set security ike policy ike_pol_wizard_dyn_vpn proposals AES256SHA256
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "mystrongpsk"
set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group5
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256SHA256
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256SHA1
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals AES256MD5
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
Now the fun starts, you will need to set the remote-access-profile to use your jumpcloud radius servers and set the src_ipv4 address for the radius-client
set access profile remote_access_profile authentication-order radius
set access profile remote_access_profile client socpuppets firewall-user password "$9$r47KLxVwY2oJYgJDiH5TRhSyvWLxN"
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
set access profile remote_access_profile radius-server 104.154.91.253 port 1812
set access profile remote_access_profile radius-server 104.154.91.253 secret "$9$RFcSKML7-dwY5QESyeLXUjHq.53nCtu129K8Xx-d"
set access profile remote_access_profile radius-server 104.154.91.253 source-address 10.10.10.98
set access profile remote_access_profile radius-server 104.196.54.120 port 1812
set access profile remote_access_profile radius-server 104.196.54.120 secret "$9$esuW7-wYg4JG/CKW8xbwmfTzF/pu1RKr0B7Vwsg4"
set access profile remote_access_profile radius-server 104.196.54.120 source-address 10.10.10.98
set access firewall-authentication pass-through default-profile remote_access_profile
In the jumpcloud portal, you have to define the radius-client and set the shared secret and have remote-users defined
NOTE: you can execute a unix-shell and tcpdump on your interface that sends the radius-access-request to look for radius reject or access messages, and to confirm the radius-requests are actually going out from the Juniper SRX to the RADIUS-aaS platform.
( a no-success login )
( a success login )
The NCP-vpn-client-side is configured very easily, by setting both a IKE and IPSEC proposals and defined these in your NCP profiles.
e.g defined IPSEC transform and IKEproposals
user details;
You remember the
shared-ike-id thing, that I mention earlier ?
When you connect into the SRX, the NCPvpnclient identity would be just the client-ipv4-addr and the groupname.
e.g IKE SA details ( shared-ike-id)
vrs the typical user+group-ike-id combination
The one cool item about the NCP client, it can display almost too much details for logging and diagnostics purposes.
Here's the final vpn configuration for dynamic-vpn
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \