Summary:
This article provides information on how to configure VPN on SRX for the NCP client.
Problem or Goal:
How to configure VPN on SRX for the NCP client.
Cause:
Solution:
The basic SRX configuration used for this setup, shown from configuration mode, is as follows:
- SRX configuration:
root@# show security
ike {
    traceoptions {
        file iketrace;
        flag all;
    }
    proposal ike-prop1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-192-cbc;
        lifetime-seconds 28800;
    }
    policy ike-pol2 {
        mode aggressive;
        proposals ike-prop1;
        pre-shared-key ascii-text "$9$m5z6p0IreW9AeWLxwsP5QF9AuO1hyl"; ## SECRET-DATA
    }
    gateway remote-vpn1 {
        ike-policy ike-pol2;
        dynamic {
            user-at-hostname "user1@juniper.net";
            connections-limit 2;
            ike-user-type shared-ike-id;
        }
        external-interface ge-0/0/1;
        xauth access-profile xauth-prof1;
    }
}
ipsec {
    traceoptions {
        flag all;
    }
    proposal ipsec-prop1 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
    }
    policy ipsec1-lab {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals ipsec-prop1;
    }
    vpn remote-vpn1 {
        ike {
            gateway remote-vpn1;
            ipsec-policy ipsec1-lab;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn remote-vpn1;
                    }
                }
            }
        }
    }
}
zones {
    security-zone untrust {
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone trust {
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
}

root@# show access
profile xauth-prof1 {
    authentication-order password;
    client michael {
        firewall-user {
            password "$9$wtYoGPfz6/tGDi.P56/EcylWL7-VY4a"; ## SECRET-DATA
        }
    }
    client test {
        firewall-user {
            password "$9$Cp8gpOIylMNdsEcds24DjCtuOEcrevL7-"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool xauth-pool;
    }
}
address-assignment {
    pool xauth-pool {
        family inet {
            network 10.1.1.0/24;
            xauth-attributes {
                primary-dns 4.2.2.2/32;
            }
        }
    }
}

Notes on this configuration:
- The gateway uses ike-user-type shared-ike-id, so every NCP client of this gateway presents the same IKE ID (user1@juniper.net) and the same pre-shared key; the per-user credential is the XAuth username and password defined as a client under access profile xauth-prof1. Aggressive mode with a pre-shared key exposes the PSK-derived hash to offline guessing, so use a long random pre-shared key rather than a dictionary word.
- traceoptions with flag all under ike and ipsec are debugging aids; remove them once the tunnel is working.
- host-inbound-traffic system-services all and protocols all on the untrust interface (ge-0/0/1.0) expose every management service on the Internet-facing interface. Only ike is required for this VPN; restrict the untrust interface to that in a production deployment.
- The pool xauth-pool (10.1.1.0/24) and the primary-dns attribute are what the SRX hands to the client during XAuth; they must not overlap with networks already routed on the client.
- Change the gateway IP address in the attached .ini file, or after importing it via Connections > Profile > Edit > IPsec General Settings, to the address of the SRX external interface (ge-0/0/1).
- Load the attached .ini file into the NCP client.
- Change the pre-shared key in NCP to juniper123 via Connections > Profile > Edit > Identities. It must match the pre-shared-key configured under ike policy ike-pol2 on the SRX.
- When prompted for the username and password, enter test and Juniper123. These must match a client entry and its firewall-user password in the SRX access profile xauth-prof1 (here, client test).
- Establish the connection.
Note: When the connection is established, the NCP client creates a secure virtual adapter that shows the IP address assigned from xauth-pool and the other XAuth attributes (such as the primary DNS server) provided by the SRX.
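The following CLI session is an added example and is not part of the original KB article. It shows how to tighten the lab configuration above before establishing the connection (remove trace options, expose only IKE on the external interface, move to stronger IKE/IPsec proposals, replace the short pre-shared key), and then which operational commands confirm that phase 1 and phase 2 came up with the expected algorithms. It assumes the same names as the configuration above (gateway remote-vpn1, policy ike-pol2, proposals ike-prop1 and ipsec-prop1, IPsec policy ipsec1-lab, interface ge-0/0/1.0); the hostname srx and the pre-shared key placeholder are assumptions, and the NCP profile must be changed to the same algorithms or phase 1 will fail proposal negotiation.

```junos
## Added example, not from the original article. Names below match the
## configuration shown earlier; hostname and key value are placeholders.
root@srx> configure

## Trace options are for debugging only; drop them once the tunnel works
root@srx# delete security ike traceoptions
root@srx# delete security ipsec traceoptions

## Allow only IKE on the Internet-facing interface instead of all/all
root@srx# delete security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic
root@srx# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

## Stronger phase 1 / phase 2 proposals (mirror these in the NCP profile)
root@srx# set security ike proposal ike-prop1 dh-group group14
root@srx# set security ike proposal ike-prop1 authentication-algorithm sha-256
root@srx# set security ike proposal ike-prop1 encryption-algorithm aes-256-cbc
root@srx# set security ipsec proposal ipsec-prop1 authentication-algorithm hmac-sha-256-128
root@srx# set security ipsec proposal ipsec-prop1 encryption-algorithm aes-256-cbc
root@srx# set security ipsec policy ipsec1-lab perfect-forward-secrecy keys group14

## Shared-ike-id means every client shares this key: make it long and random
## ("<long-random-key>" is a placeholder, enter the real value here and in NCP)
root@srx# set security ike policy ike-pol2 pre-shared-key ascii-text "<long-random-key>"
root@srx# commit and-quit

## After the NCP client has established the connection:
## phase 1 SA for the remote peer (state UP, correct algorithms and IKE ID)
root@srx> show security ike security-associations
root@srx> show security ike security-associations detail

## phase 2 SA for vpn remote-vpn1 (ESP with the proposal above, PFS group14)
root@srx> show security ipsec security-associations
root@srx> show security ipsec security-associations detail

## encrypted/decrypted counters should increase while traffic flows
root@srx> show security ipsec statistics
```

If phase 1 never appears in show security ike security-associations after the change, the usual cause is a proposal mismatch with the NCP profile; re-enable traceoptions temporarily (set security ike traceoptions file iketrace, flag all) and check the trace file for the rejected proposal rather than leaving tracing on permanently.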