
Wednesday, October 26, 2011

SRX or J Series: How to configure a dynamic VPN - Part 2

In this example, XAuth client authentication is performed locally and client IP addresses are assigned from an address pool configured on the SRX Series device.

Standard proposal sets are used for both IKE and IPsec negotiations. For dynamic VPN tunnels, aggressive mode must be configured, and only preshared keys are supported for Phase 1 authentication. A shared IKE ID is used and the maximum number of connections is set to 10. Because dynamic VPNs must be policy-based VPNs, a security policy must be configured to forward traffic to the tunnel.

Finally, the XAuth profile configured for remote clients is specified for the dynamic VPN. Remote users are associated with the configured IPsec VPN. Also configured are remote protected resources (the destination addresses of traffic that is always sent through the tunnel) and remote exceptions (the destination addresses of traffic that is sent in cleartext instead of through the tunnel).

Table: Remote Client Authentication and Address Assignment Configuration

Feature: IP address pool
Name: dyn-vpn-address-pool
Configuration parameters:
  Addresses: 10.10.10.0/24
  DNS server address: 4.2.2.2/32

Feature: XAuth profile
Name: dyn-vpn-access-profile
Configuration parameters:
  Remote client username 'client1' with password $9$uY4o0EyMWxdwgX7
  Remote client username 'client2' with password $9$neNM9CuB1hyrv5Q39
  IP address pool reference: dyn-vpn-address-pool
  This profile is the default profile for web authentication.


Table: VPN Tunnel Configuration Parameters

Feature: IKE policy (phase 1)
Name: ike-dyn-vpn-policy
Configuration parameters:
  Mode: aggressive
  Proposal set: standard
  Preshared key (ASCII): $9$KHxWXNs2aikPdbkP5Q9CKM8

Feature: IKE gateway (phase 1)
Name: dyn-vpn-local-gw
Configuration parameters:
  IKE policy reference: ike-dyn-vpn-policy
  Dynamic hostname: dynvpn
  IKE user type: shared IKE ID
  Maximum number of concurrent connections: 10
  External interface: ge-0/0/15.0
  Access profile reference: dyn-vpn-access-profile

Feature: IPsec policy (phase 2)
Name: ipsec-dyn-vpn-policy
Configuration parameters:
  Proposal set: standard

Feature: IPsec VPN (phase 2)
Name: dyn-vpn
Configuration parameters:
  IKE gateway reference: dyn-vpn-local-gw
  IPsec policy reference: ipsec-dyn-vpn-policy

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: dyn-vpn-policy
Configuration parameters:
  Match criteria: source address any, destination address any, application any
  Permit action: tunnel ipsec-vpn dyn-vpn


Table: Dynamic VPN Configuration for Remote Clients

Feature: Access profile for remote clients
Configuration parameters:
  Access profile reference: dyn-vpn-access-profile

Feature: Remote clients
Name: all
Configuration parameters:
  IPsec VPN reference: dyn-vpn
  User name reference: client1 and client2
  Remote protected resources: 10.0.0.0/8
  Remote exceptions: 0.0.0.0/0

Configuration

Configuring the Remote User Authentication and Address Assignment

CLI Quick Configuration

To quickly configure remote user authentication and address assignment, copy the following commands and paste them into the CLI:

[edit]
set access profile dyn-vpn-access-profile client client1 firewall-user password "$9$uY4o0EyMWxdwgX7"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$9$neNM9CuB1hyrv5Q39"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that,

To configure remote user authentication and address assignment:

1. Create the address assignment pool.

   [edit access address-assignment]
   user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
   user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32

2. Configure the XAuth profile.

   [edit access]
   user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$9$uY4o0EyMWxdwgX7"
   user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$9$neNM9CuB1hyrv5Q39"
   user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

3. Configure Web authentication using the XAuth profile.

   [edit access firewall-authentication]
   user@host# set web-authentication default-profile dyn-vpn-access-profile

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show access
profile dyn-vpn-access-profile {
    client client1 {
        firewall-user {
            password "$9$uY4o0EyMWxdwgX7"; ## SECRET-DATA
        }
    }
    client client2 {
        firewall-user {
            password "$9$neNM9CuB1hyrv5Q39"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 10.10.10.0/24;
            xauth-attributes {
                primary-dns 4.2.2.2/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile dyn-vpn-access-profile;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring the VPN Tunnel

CLI Quick Configuration

To quickly configure the VPN tunnel, copy the following commands and paste them into the CLI:

[edit]
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that,

To configure the VPN tunnel:

1. Configure the IKE policy.

   [edit security ike]
   user@host# set policy ike-dyn-vpn-policy mode aggressive
   user@host# set policy ike-dyn-vpn-policy proposal-set standard
   user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"

2. Configure the IKE gateway.

   [edit security ike]
   user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
   user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
   user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type shared-ike-id
   user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
   user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
   user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

3. Configure IPsec.

   [edit security ipsec]
   user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
   user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
   user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

4. Configure the security policy.

   [edit security policies from-zone untrust to-zone trust]
   user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
   user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn


Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, and show security nat commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security ike
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$9$KHxWXNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type shared-ike-id;
    }
    external-interface ge-0/0/15.0;
    xauth access-profile dyn-vpn-access-profile;
}

[edit]
user@host# show security ipsec
policy ipsec-dyn-vpn-policy {
    proposal-set standard;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn-local-gw;
        ipsec-policy ipsec-dyn-vpn-policy;
    }
}

[edit]
user@host# show security policies
policy dyn-vpn-policy {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            tunnel {
                ipsec-vpn dyn-vpn;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Associate the Dynamic VPN with Remote Clients

CLI Quick Configuration

To quickly associate the dynamic VPN with remote clients, copy the following commands and paste them into the CLI:

[edit]
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that,

To associate the dynamic VPN with remote clients:

1. Specify the access profile to use with dynamic VPN.

   [edit security dynamic-vpn]
   user@host# set access-profile dyn-vpn-access-profile

2. Configure the clients who can use the dynamic VPN.

   [edit security dynamic-vpn]
   user@host# set clients all ipsec-vpn dyn-vpn
   user@host# set clients all user client1
   user@host# set clients all user client2
   user@host# set clients all remote-protected-resources 10.0.0.0/8
   user@host# set clients all remote-exceptions 0.0.0.0/0

Results

From configuration mode, confirm your configuration by entering the show security dynamic-vpn command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security dynamic-vpn
access-profile dyn-vpn-access-profile;
clients {
    all {
        remote-protected-resources {
            10.0.0.0/8;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dyn-vpn;
        user {
            client1;
        }
        user {
            client2;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.
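Before committing, it is worth checking a candidate configuration against the constraints this page states for dynamic VPN: aggressive mode with a preshared key for Phase 1, a shared IKE ID with a connections limit, an XAuth access profile backed by an address pool, and a security policy that tunnels into the VPN. The linter below is an added example, not Juniper code or part of the original post; SAMPLE_CONFIG is this page's set commands with the secrets replaced by placeholders, and the checks are drawn from the page's prose rather than being an exhaustive Junos validator.

```python
# Added example, not Juniper code: lint Junos "set" statements for the dynamic VPN rules this page states.
SAMPLE_CONFIG = """
set access profile dyn-vpn-access-profile client client1 firewall-user password "PLACEHOLDER"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "PLACEHOLDER"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
""".strip().splitlines()

def lint_dynamic_vpn(set_lines):
    """Return a list of findings; an empty list means every check passed."""
    cfg = [line.split() for line in set_lines if line.startswith("set ")]
    def values(*path):  # tokens that directly follow "set <path>" in any statement
        n = len(path)
        return [t[n + 1] for t in cfg if t[1:n + 1] == list(path) and len(t) > n + 1]
    findings = []
    for vpn in values("security", "dynamic-vpn", "clients", "all", "ipsec-vpn"):
        gws = values("security", "ipsec", "vpn", vpn, "ike", "gateway")
        if not gws:
            findings.append(f"ipsec vpn {vpn}: missing or has no ike gateway")
            continue
        gw = gws[0]
        # Dynamic VPNs are policy-based: some policy must tunnel traffic into the VPN.
        if not any(t[1:3] == ["security", "policies"] and t[-3:] == ["tunnel", "ipsec-vpn", vpn] for t in cfg):
            findings.append(f"vpn {vpn}: no security policy with 'permit tunnel ipsec-vpn {vpn}'")
        if values("security", "ike", "gateway", gw, "dynamic", "ike-user-type") != ["shared-ike-id"]:
            findings.append(f"gateway {gw}: dynamic ike-user-type must be shared-ike-id")
        if not values("security", "ike", "gateway", gw, "dynamic", "connections-limit"):
            findings.append(f"gateway {gw}: dynamic connections-limit not set")
        prof = values("security", "ike", "gateway", gw, "xauth", "access-profile")
        pool = prof and values("access", "profile", prof[0], "address-assignment", "pool")
        if not prof or not values("access", "profile", prof[0], "client"):
            findings.append(f"gateway {gw}: xauth access-profile missing or has no clients")
        if not pool or not values("access", "address-assignment", "pool", pool[0], "family"):
            findings.append(f"gateway {gw}: access profile has no usable address pool")
        # Phase 1 for dynamic VPN: aggressive mode with a preshared key only.
        pol = values("security", "ike", "gateway", gw, "ike-policy")
        if not pol or values("security", "ike", "policy", pol[0], "mode") != ["aggressive"]:
            findings.append(f"gateway {gw}: ike policy must use mode aggressive")
        if pol and not values("security", "ike", "policy", pol[0], "pre-shared-key"):
            findings.append(f"ike policy {pol[0]}: pre-shared-key required")
    return findings
```

Feed it the output of `show configuration | display set` (saved to a file) to lint a real device's candidate configuration.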

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:


Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status of the security associations.

Action

From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations
Index   Remote Address   State  Initiator cookie  Responder cookie  Mode
18      172.19.100.99    UP     37b45aa1469e488b  7d4454404002e2e6  Aggressive

Verifying Connected Clients and Assigned Addresses

Purpose

Verify which remote clients are connected and the IP addresses assigned to them through XAuth.

Action

From operational mode, enter the show security ike active-peer command.

user@host> show security ike active-peer
Remote Address   Port  Peer IKE-ID   XAUTH username   Assigned IP
172.19.100.99    500   testdynvpn    test             10.10.10.2
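With a shared IKE ID, every remote client presents the same peer IKE ID, so the connections-limit of 10 applies to all of them together; the script below, an added example that is not part of the original post or Juniper's tooling, parses the active-peer output above and checks each connection against the XAuth address pool and that limit. The three rows in SAMPLE_ACTIVE_PEER are constructed (the page shows only the first one).

```python
# Added example, not Juniper code: parse "show security ike active-peer" output
# and check each dynamic VPN connection against the address pool and the
# connections-limit from this page. The rows below are constructed sample data.
import ipaddress
from collections import Counter

SAMPLE_ACTIVE_PEER = """\
Remote Address   Port  Peer IKE-ID   XAUTH username   Assigned IP
172.19.100.99    500   testdynvpn    test             10.10.10.2
172.19.100.101   500   testdynvpn    client1          10.10.10.3
172.19.100.102   4500  testdynvpn    client2          192.168.5.7
"""
FIELDS = ("remote", "port", "ike_id", "xauth_user", "assigned_ip")


def parse_active_peers(text):
    """Turn the tabular output into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):  # header and blank lines do not fit
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def connections_per_ike_id(rows):
    """Count connections per peer IKE ID; with shared-ike-id every client
    presents the same ID, which is what connections-limit applies to."""
    return Counter(r["ike_id"] for r in rows)


def check_peers(rows, pool="10.10.10.0/24", limit=10):
    """Return findings: assigned addresses outside the XAuth pool, and any
    IKE ID whose connection count has reached the configured limit."""
    net = ipaddress.ip_network(pool)
    findings = []
    for r in rows:
        if ipaddress.ip_address(r["assigned_ip"]) not in net:
            findings.append(f"{r['xauth_user']}@{r['remote']}: assigned "
                            f"{r['assigned_ip']} is outside pool {pool}")
    for ike_id, n in connections_per_ike_id(rows).items():
        if n >= limit:
            findings.append(f"IKE ID {ike_id}: {n} connections, limit is {limit}")
    return findings
```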

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status of the security associations.

Action

From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations
Total active tunnels: 1
ID          Gateway        Port  Algorithm         SPI       Life:sec/kb    Mon  vsys
<133955586  172.19.100.99  500   ESP:aes-128/sha1  9c23b7a9  2862/ 449996   -    root
>133955586  172.19.100.99  500   ESP:aes-128/sha1  c72c8f88  2862/ 449996   -    root

Verifying Concurrent Connections and Parameters for Each User

Purpose

Verify the number of concurrent connections and the negotiated parameters for each user.


Action

From operational mode, enter the show security dynamic-vpn users command.

user@host> show security dynamic-vpn users
User: test , Number of connections: 1
    Remote IP: 172.19.100.99
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED