How to configure VPN on SRX for the NCP client



Summary:

This article provides information on how to configure VPN on SRX for the NCP client.


Problem or Goal:

How to configure VPN on SRX for the NCP client.

Cause:

Solution:
The basic configuration, along with an example, is as follows:

    1. SRX configuration:
      root@# show security  
      ike {
          traceoptions {
              file iketrace;
              flag all;
          }
          proposal ike-prop1 {
              authentication-method pre-shared-keys;
              dh-group group2;
              authentication-algorithm sha1;
              encryption-algorithm aes-192-cbc;
              lifetime-seconds 28800;
          }
          policy ike-pol2 {
              mode aggressive;
              proposals ike-prop1;
              pre-shared-key ascii-text "$9$m5z6p0IreW9AeWLxwsP5QF9AuO1hyl"; ## SECRET-DATA
          }
          gateway remote-vpn1 {
              ike-policy ike-pol2;
              dynamic {
                  user-at-hostname "user1@juniper.net";
                  connections-limit 2;
                  ike-user-type shared-ike-id;
              }
              external-interface ge-0/0/1;
              xauth access-profile xauth-prof1;
          }
      }
      ipsec {
          traceoptions {
              flag all;
          }
          proposal ipsec-prop1 {
              protocol esp;
              authentication-algorithm hmac-sha1-96;
              encryption-algorithm aes-128-cbc;
          }
          policy ipsec1-lab {
              perfect-forward-secrecy {
                  keys group2;
              }
              proposals ipsec-prop1;
          }
          vpn remote-vpn1 {
              ike {
                  gateway remote-vpn1;
                  ipsec-policy ipsec1-lab;
              }
          }
      }
      policies {
          from-zone trust to-zone untrust {
              policy p1 {
                  match {
                      source-address any;
                      destination-address any;
                      application any;
                  }
                  then {
                      permit {
                          tunnel {
                              ipsec-vpn remote-vpn1;
                          }
                      }
                  }
              }
          }
      }
      zones {
          security-zone untrust {
              interfaces {
                  ge-0/0/1.0 {
                      host-inbound-traffic {
                          system-services {
                              all;
                          }
                          protocols {
                              all;
                          }
                      }
                  }
              }
          }
          security-zone trust {
              interfaces {
                  ge-0/0/0.0 {
                      host-inbound-traffic {
                          system-services {
                              all;
                          }
                          protocols {
                              all;
                          }
                      }
                  }
              }
          }
      }
      
      root@# show access 
      profile xauth-prof1 {
          authentication-order password;
          client michael {
              firewall-user {
                  password "$9$wtYoGPfz6/tGDi.P56/EcylWL7-VY4a"; ## SECRET-DATA
              }
          }
          client test {
              firewall-user {
                  password "$9$Cp8gpOIylMNdsEcds24DjCtuOEcrevL7-"; ## SECRET-DATA
              }
          }
          address-assignment {
              pool xauth-pool;
          }
      }
      address-assignment {
          pool xauth-pool {
              family inet {
                  network 10.1.1.0/24;
                  xauth-attributes {
                      primary-dns 4.2.2.2/32;
                  }
              }
          }
      }
    2. Change the IP address of the gateway in the attached .ini file or via Connections > Profile > Edit > IPsec General Settings.
    3. Load the attached .ini file into NCP.
    4. When prompted for the username and password, enter test and Juniper123. These must match the credentials configured in the SRX access profile.
    5. Change the pre-shared key to juniper123 in NCP. To do so, go to Connections > Profile > Edit > Identities.
    6. Establish the connection.

Note: When the connection is established, a secure virtual adapter is generated on the client, which shows the IP address and other xauth attributes that are provided by SRX.
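As an added example, not Juniper's or NCP's code, the following Python script parses the Junos curly-brace syntax of the SRX configuration above and flags the settings a reviewer would want to confirm before deploying it: the 1024-bit DH group (group2), SHA-1 integrity, aggressive mode combined with a pre-shared key, and `host-inbound-traffic system-services all` on the untrust interface. The embedded configuration is a trimmed copy of the article's with the key replaced by a placeholder; the WEAK_DH and WEAK_HASH sets are the example's own thresholds. Note that the dynamic-gateway design on this page relies on aggressive mode, so that finding is a prompt to use a long random key rather than a setting to flip.

```python
"""Added example (not Juniper's code): audit a Junos 'show security' snippet
for IKE/IPsec and zone settings worth a second look before rolling out a
dial-up VPN like the one on this page."""

# Constructed sample: the IKE proposal/policy and untrust-zone blocks from the
# article, trimmed to what the checks need. The key material is a placeholder.
SAMPLE_CONFIG = """\
ike {
    proposal ike-prop1 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-192-cbc;
        lifetime-seconds 28800;
    }
    policy ike-pol2 {
        mode aggressive;
        proposals ike-prop1;
        pre-shared-key ascii-text "$9$PLACEHOLDER"; ## SECRET-DATA
    }
}
zones {
    security-zone untrust {
        interfaces {
            ge-0/0/1.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}
"""

# Thresholds chosen for this example: MODP groups of 1536 bits or less, and
# hashes no longer recommended for IKE integrity.
WEAK_DH = {"group1", "group2", "group5"}
WEAK_HASH = {"md5", "sha1"}


def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts.

    'key {' opens a child dict, '}' closes it, 'key value;' becomes a string
    leaf and a bare 'key;' becomes True. '## ...' annotations are dropped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip() or True
    return root


def audit(config):
    """Return a list of (object, finding) pairs for settings worth reviewing."""
    findings = []
    ike = config.get("ike", {})
    for name, block in ike.items():
        if name.startswith("proposal "):
            dh = block.get("dh-group")
            if dh in WEAK_DH:
                findings.append((name, f"dh-group {dh} is at most 1536-bit MODP; prefer group14 or stronger"))
            mac = block.get("authentication-algorithm")
            if mac in WEAK_HASH:
                findings.append((name, f"authentication-algorithm {mac} is deprecated; prefer sha-256 or stronger"))
        elif name.startswith("policy "):
            # Resolve the referenced proposal to see how the policy authenticates.
            proposal = ike.get("proposal " + str(block.get("proposals", "")), {})
            if block.get("mode") == "aggressive" and proposal.get("authentication-method") == "pre-shared-keys":
                findings.append((name, "aggressive mode with a pre-shared key exposes the PSK-derived hash "
                                       "before encryption; use a long random key and confirm the client needs it"))
    for zone_name, zone in config.get("zones", {}).items():
        if not zone_name.startswith("security-zone "):
            continue
        for ifname, iface in zone.get("interfaces", {}).items():
            services = iface.get("host-inbound-traffic", {}).get("system-services", {})
            if services.get("all") is True and zone_name.endswith("untrust"):
                findings.append((f"{zone_name} {ifname}",
                                 "system-services all on an untrust interface; allow only ike and what the VPN needs"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit(parse_junos(SAMPLE_CONFIG)):
        print(f"{obj}: {msg}")
```

Running the script against the sample prints four findings; the same audit on a variant with group14, sha-256, main mode and only `ike` permitted inbound returns none.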