The J-Web GUI wizard does a good job of building a simple, effective dial-up profile with local accounts.
Here are the final Junos CLI configuration details that seem to work best with the Pulse client.
IKE Phase 1 uses the standard proposal set (pre-shared key, DH group 2, AES-128 or 3DES, SHA-1) in aggressive mode, which dynamic VPN requires for a group IKE ID. Because aggressive mode sends the PSK-derived hash unencrypted, anyone who can capture the exchange can attack the pre-shared key offline, so make it long and random:
set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text KEEPITSECURED
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn dynamic hostname GROUPIDHERE
set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security ike gateway gw_wizard_dyn_vpn version v1-only
IPsec Phase 2 uses the standard proposal set (ESP with AES-128 or 3DES, SHA-1) with perfect forward secrecy via DH group 2 (1024-bit MODP, so move to a stronger group if your clients support it):
set security ipsec policy ipsec_pol_wizard_dyn_vpn perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set standard
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.1.1.0/24
set security dynamic-vpn clients wizard-dyn-group user socpuppets
set access profile remote_access_profile client socpuppets firewall-user password mypasswordhere
set access firewall-authentication web-authentication default-profile remote_access_profile
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
You need to ensure the IKE system service is allowed as host-inbound traffic on the untrust interface (or whichever interface the VPN clients connect to). If the client logs "no response", then 99.99% of the time it's because the firewall engineer forgot to enable IKE. The Pulse client also needs HTTPS to that same interface to authenticate and download its configuration, and the address pool dyn-vpn-address-pool referenced above must be defined under access address-assignment (not shown in this snippet).
e.g.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
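As an added example (not code from the original post), the following Python script runs the "did you allow IKE" check mechanically over a `show configuration | display set` dump, together with two other things worth checking before the box goes live: tunnel policies that match any/any/any, and access-profile references with no matching `access profile` stanza. The sample configuration embedded in it is constructed from the commands above; the rule that interface-level host-inbound-traffic replaces the zone-level list for that interface is the documented Junos behaviour and is stated as an assumption in the code.

```python
from collections import defaultdict

# Constructed sample: the post's `set` commands plus the zone line it recommends.
SAMPLE_CONFIG = """
set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
set security ike policy ike_pol_wizard_dyn_vpn proposal-set standard
set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
set security dynamic-vpn access-profile remote_access_profile
set access profile remote_access_profile client socpuppets firewall-user password mypasswordhere
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
"""


def parse(text):
    """Return each `set ...` statement as a token list with the leading 'set' dropped."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def host_inbound_services(stmts):
    """Collect allowed host-inbound system-services per interface and per zone.

    Assumption (documented Junos behaviour): interface-level host-inbound-traffic,
    when configured, replaces the zone-level list for that interface, so the two
    scopes are kept apart and resolved in ike_gateway_findings().
    """
    per_iface, per_zone, iface_zone = defaultdict(set), defaultdict(set), {}
    for t in stmts:
        if t[:3] != ["security", "zones", "security-zone"]:
            continue
        zone = t[3]
        if len(t) > 5 and t[4] == "interfaces":
            iface_zone[t[5]] = zone
            scope, rest = per_iface[t[5]], t[6:]
        else:
            scope, rest = per_zone[zone], t[4:]
        if rest[:2] == ["host-inbound-traffic", "system-services"] and len(rest) > 2:
            # `... system-services ike except` carves ike out of a preceding `all`
            scope.add(("except:" if rest[3:4] == ["except"] else "") + rest[2])
    return per_iface, per_zone, iface_zone


def allows(services, name):
    """True if a host-inbound service set admits `name`, directly or via `all` minus excepts."""
    return "except:" + name not in services and (name in services or "all" in services)


def ike_gateway_findings(stmts):
    """Each IKE gateway whose external interface will drop IKE: the 'no response' case."""
    per_iface, per_zone, iface_zone = host_inbound_services(stmts)
    findings = []
    for t in stmts:
        if t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["external-interface"]:
            gw, iface = t[3], t[5]
            # interface-level list wins when present; otherwise the zone-level list applies
            services = per_iface[iface] or per_zone.get(iface_zone.get(iface), set())
            if not allows(services, "ike"):
                findings.append(f"{gw}: IKE not allowed as host-inbound traffic on {iface}")
    return findings


def broad_tunnel_policies(stmts):
    """Tunnel policies matching any/any/any: every decrypted client flow reaches the trust zone."""
    match, tunnel = defaultdict(dict), {}
    for t in stmts:
        if t[:2] != ["security", "policies"] or "policy" not in t:
            continue
        i = t.index("policy")
        key, rest = " ".join(t[: i + 2]), t[i + 2:]
        if rest[:1] == ["match"] and len(rest) > 2:
            match[key][rest[1]] = rest[2]
        elif rest[:4] == ["then", "permit", "tunnel", "ipsec-vpn"] and len(rest) > 4:
            tunnel[key] = rest[4]
    return [f"{key.split()[-1]} -> {vpn}: matches any/any/any"
            for key, vpn in tunnel.items()
            if all(match[key].get(k) == "any"
                   for k in ("source-address", "destination-address", "application"))]


def dangling_access_profiles(stmts):
    """access-profile references (xauth, dynamic-vpn) that no `access profile` stanza defines."""
    defined = {t[2] for t in stmts if t[:2] == ["access", "profile"] and len(t) > 2}
    referenced = {t[t.index("access-profile") + 1] for t in stmts
                  if "access-profile" in t and t.index("access-profile") + 1 < len(t)}
    return sorted(referenced - defined)


def lint(text):
    """All findings for one `display set` dump, IKE reachability first."""
    stmts = parse(text)
    return (ike_gateway_findings(stmts) + broad_tunnel_policies(stmts)
            + [f"access profile {p} is referenced but never defined"
               for p in dangling_access_profiles(stmts)])


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
    # Drop the host-inbound line and the finding the post warns about shows up:
    for finding in lint(SAMPLE_CONFIG.replace(" host-inbound-traffic system-services ike", "")):
        print(finding)
```

Feed it the output of `show configuration | display set` saved to a file; with the configuration as posted it reports only the any/any/any tunnel policy, and removing the host-inbound line produces the gateway finding.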
The wizard also creates a security policy that you can later modify with the applications (services) you want. As generated it matches any source, any destination and any application and tunnels all of it into the trust zone, so tighten it to the protected resources and the applications the remote users actually need:
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
After a client connects, you can validate the Phase 1 and Phase 2 security-association details, e.g.
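Added example, not part of the original post: a small Python validator that parses the output of `show security ike security-associations` and `show security ipsec security-associations` and checks what matters for this configuration: Phase 1 is UP in aggressive mode, both the inbound (<) and outbound (>) Phase 2 SAs exist, and they negotiated ESP aes-cbc-128/sha1 rather than the 3DES proposal the standard set also allows. The output strings embedded below are constructed to resemble SRX output; the addresses, cookies and SPIs are made up, and the column layout is an assumption you should check against your own Junos release.

```python
import re
from collections import defaultdict

# Constructed sample output resembling the two SRX show commands; all values are made up.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4912187 UP     ee9d7f0c3a1b2c4d  5f6e7d8c9b0a1f2e  Aggressive     203.0.113.25
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <67108874 ESP:aes-cbc-128/sha1 8a02a3bf 3389/ unlim - root 4500 203.0.113.25
  >67108874 ESP:aes-cbc-128/sha1 c6aa1d6a 3389/ unlim - root 4500 203.0.113.25
"""

# What the wizard config on this page should negotiate: aggressive-mode Phase 1 and an
# ESP aes-128/sha1 Phase 2 (the standard proposal set would also accept 3des-cbc).
EXPECTED = {"mode": "Aggressive", "proto": "ESP", "cipher": "aes-cbc-128", "hash": "sha1"}

# Assumed column layout: <dir><id> <proto>:<cipher>/<hash> <spi> <sec>/ <kb> <mon> <lsys> <port> <gateway>
IPSEC_LINE = re.compile(
    r"\s*([<>])(\d+)\s+(\w+):([\w-]+)/([\w-]+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_ike_sas(text):
    """One dict per Phase 1 SA; the header line is skipped."""
    sas = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 6 and f[0].isdigit():
            sas.append({"index": f[0], "state": f[1], "mode": f[4], "remote": f[5]})
    return sas


def parse_ipsec_sas(text):
    """One dict per directional Phase 2 SA; '<' is inbound, '>' is outbound."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_LINE.match(line)
        if not m:
            continue
        direction, sa_id, proto, cipher, hsh, spi, life_sec, life_kb, mon, lsys, port, gw = m.groups()
        sas.append({"direction": direction, "id": sa_id, "proto": proto, "cipher": cipher,
                    "hash": hsh, "spi": spi, "life_sec": int(life_sec), "monitor": mon != "-",
                    "nat_t": port == "4500", "remote": gw})
    return sas


def validate(ike_text, ipsec_text, expected=EXPECTED):
    """Return a list of problems; an empty list means both phases look as the config intends."""
    problems = []
    ike = parse_ike_sas(ike_text)
    if not ike:
        problems.append("no Phase 1 SA at all: check that IKE is allowed as host-inbound traffic")
    for sa in ike:
        if sa["state"] != "UP":
            problems.append(f"IKE SA {sa['index']} to {sa['remote']} is {sa['state']}")
        if sa["mode"] != expected["mode"]:
            problems.append(f"IKE SA {sa['index']} negotiated {sa['mode']} mode, expected {expected['mode']}")
    peers = {sa["remote"] for sa in ike}
    ipsec = parse_ipsec_sas(ipsec_text)
    if not ipsec:
        problems.append("no Phase 2 SA: Phase 1 may be up but no IPsec SA was negotiated")
    directions = defaultdict(set)
    want = (expected["proto"], expected["cipher"], expected["hash"])
    for sa in ipsec:
        directions[sa["id"]].add(sa["direction"])
        got = (sa["proto"], sa["cipher"], sa["hash"])
        if got != want:
            problems.append(f"IPsec SA {sa['direction']}{sa['id']} negotiated "
                            f"{got[0]}:{got[1]}/{got[2]}, expected {want[0]}:{want[1]}/{want[2]}")
        if sa["remote"] not in peers:
            problems.append(f"IPsec SA {sa['id']} to {sa['remote']} has no matching Phase 1 SA")
    for sa_id, dirs in directions.items():
        if dirs != {"<", ">"}:
            problems.append(f"IPsec SA {sa_id} is one-directional (only {''.join(sorted(dirs))})")
    return problems


if __name__ == "__main__":
    for p in validate(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT) or ["Phase 1 and Phase 2 match the expected config"]:
        print(p)
```

Paste the two show outputs from your own SRX in place of the constructed strings; a missing outbound SA, a tunnel that negotiated 3DES, or a Phase 1 that is not UP each produces its own line rather than a silent pass.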
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \