Junos® OS Dynamic VPN Feature Guide for SRX Series Gateway Devices

Release 12.1X46-D10

Modified: 2016-07-07

Copyright © 2016, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Dynamic VPN Feature Guide for SRX Series Gateway Devices
12.1X46-D10
Copyright © 2016, Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 Overview

Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Dynamic VPN Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Understanding Dynamic VPN Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Grouping of Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

IKE and IPsec Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Enabling Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Traceoptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Understanding Remote Client Access to the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Understanding Dynamic VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Dynamic VPN Proposal Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Understanding URL Separation for J-Web and Dynamic VPN . . . . . . . . . . . . . . . . 10

Changes in the Web Access Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2 Local Authentication and Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . 13

Understanding Local Authentication and Address Assignment . . . . . . . . . . . . . . . 13

Chapter 3 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Understanding Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Group IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 4 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Understanding Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Part 2 Configuration

Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Dynamic VPN Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Example: Configuring Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Example: Configuring Unique URLs for J-Web and Dynamic VPN . . . . . . . . . . . . . 34

Chapter 6 Local Authentication and Address Assignment . . . . . . . . . . . . . . . . . . . . . . . 39

Example: Configuring Local Authentication and Address Pool . . . . . . . . . . . . . . . 39

Chapter 7 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Example: Configuring a Group IKE ID for Multiple Users . . . . . . . . . . . . . . . . . . . . . 43

Example: Configuring Individual IKE IDs for Multiple Users . . . . . . . . . . . . . . . . . . 49

Chapter 8 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Security Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

[edit security dynamic-vpn] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

access-profile (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

access-profile (Security IKE Gateway) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

clients (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

config-check (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

dynamic-vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

force-upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

ike (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

interface (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

ipsec (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

ipsec-vpn (Security Dynamic VPNs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

remote-exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

remote-protected-resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

traceoptions (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

user (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

user-groups (Security Dynamic VPN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

xauth-attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Chapter 9 Configuration Statements for Remote Client Authentication and Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Access Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

address-assignment (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

firewall-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

profile (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Chapter 10 Configuration Statements for URL Separation for J-Web and Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

system-generated-certificate (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . 95

wan-acceleration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

web-management (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Part 3 Administration

Chapter 11 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Junos Pulse Client Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Deploying Junos Pulse Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Junos Pulse Interface and Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Junos Pulse Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Junos Pulse Connection Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Junos Pulse Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Junos Pulse Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Managing Junos Pulse Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Add a Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Connect to a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Disconnect from an Active Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

View Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Edit Connection Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Forget Saved Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Delete a Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Troubleshoot a Junos Pulse Connection Issue . . . . . . . . . . . . . . . . . . . . . . . . 113

Annotate Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Set Log Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Save Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

View Component Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Chapter 12 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Access Manager Client-Side System Requirements . . . . . . . . . . . . . . . . . . . . . . . 117

Access Manager Client-Side Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Access Manager Client-Side Registry Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Chapter 13 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

clear security dynamic-vpn all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

clear security dynamic-vpn user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

show network-access address-assignment pool (View) . . . . . . . . . . . . . . . . . . . 126

show security dynamic-policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

show security dynamic-vpn client version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

show security dynamic-vpn users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

show security dynamic-vpn users terse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

show security ike active-peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

show security ike security-associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

show security ipsec security-associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Part 4 Troubleshooting

Chapter 14 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Access Manager Client-Side Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Troubleshooting Access Manager Client-Side Problems . . . . . . . . . . . . . . . . . . . 158

Part 5 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

List of Figures

Part 1 Overview

Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Using a VPN Tunnel to Enable Remote Access to a Corporate Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Part 2 Configuration

Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 2: Dynamic VPN Deployment Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Part 1 Overview

Chapter 1 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 3: Case 1: J-Web and Dynamic VPN Do Not Share the Same Interface . . . . . 11

Table 4: Case 2: J-Web and Dynamic VPN Share the Same Interface . . . . . . . . . . . 11

Part 2 Configuration

Chapter 5 Dynamic VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Table 5: Remote Client Authentication and Address Assignment Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 6: VPN Tunnel Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 7: Dynamic VPN Configuration for Remote Clients . . . . . . . . . . . . . . . . . . . . 28

Chapter 7 Group and Shared IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Table 8: Group IKE ID VPN Tunnel Configuration Parameters . . . . . . . . . . . . . . . . 44

Table 9: Group IKE ID Dynamic VPN Configuration for Remote Clients . . . . . . . . . 44

Table 10: RADIUS Server User Authentication (Group IKE ID) . . . . . . . . . . . . . . . . 45

Table 11: Client 1 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Table 12: Client 2 Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Table 13: RADIUS Server User Authentication (Individual IKE ID) . . . . . . . . . . . . . 52

Part 3 Administration

Chapter 11 Junos Pulse Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Table 14: Junos Pulse Client Hardware and Software Requirements . . . . . . . . . . 105

Table 15: Junos Pulse Troubleshooting Information . . . . . . . . . . . . . . . . . . . . . . . . 113

Chapter 12 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Table 16: Access Manager Client-Side Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Table 17: Access Manager Client-Side Registry Changes . . . . . . . . . . . . . . . . . . . 120

Chapter 13 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Table 18: show network-access address-assignment pool Output Fields . . . . . . 126

Table 19: show security dynamic-policies Output Fields . . . . . . . . . . . . . . . . . . . . 127

Table 20: show security dynamic-vpn users Output Fields . . . . . . . . . . . . . . . . . . 133

Table 21: show security dynamic-vpn users terse Output Fields . . . . . . . . . . . . . . 135

Table 22: show security ike security-associations Output Fields . . . . . . . . . . . . . 139

Table 23: show security ipsec security-associations . . . . . . . . . . . . . . . . . . . . . . . 146

Part 4 Troubleshooting

Chapter 14 Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Table 24: Dynamic VPN Client-Side Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

About the Documentation

• Documentation and Release Notes on page xi

• Supported Platforms on page xi

• Using the Examples in This Manual on page xii

• Documentation Conventions on page xiii

• Documentation Feedback on page xv

• Requesting Technical Support on page xvi

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• SRX550

• SRX220

• SRX110

• SRX650

• SRX100

• SRX240

• SRX210

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command. If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

   commit {
       file ex-script-snippet.xsl;
   }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

   [edit]
   user@host# edit system scripts
   [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete

For more information about the load command, see the CLI User Guide.
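The difference between a full example and a snippet comes down to which hierarchy level the merged statements land at, and a merge at the wrong level silently produces a configuration you did not intend. The following Python script is an added example for this section, not part of the guide and not a Juniper tool: it flattens a Junos curly-brace configuration into the equivalent set statements so you can preview what a load merge (or a load merge relative at a given [edit] level) would add before you commit, and it classifies the text as a full example or a snippet by checking whether its outermost statements are known top-level stanzas. The TOP_LEVEL stanza list, the function names and the two sample configurations (copied from the ex-script examples above) are the example's own assumptions.

```python
import re

# Added example, not a Juniper tool: flatten a Junos curly-brace configuration
# into the 'set' statements a 'load merge' (or 'load merge relative' at a given
# [edit] level) would add, and tell full examples from snippets.
# Assumption: this list of top-level stanzas covers the configs you feed it.
TOP_LEVEL = {
    "system", "interfaces", "security", "access", "routing-options",
    "protocols", "policy-options", "firewall", "chassis", "services",
    "applications", "vlans", "groups", "snmp", "event-options",
}
# Tokens: /* annotations */, "quoted strings", braces and semicolons,
# '#' line comments, and bare words (names and values such as 10.0.0.1/24).
_TOKEN_RE = re.compile(r'/\*.*?\*/|"[^"]*"|[{};]|#[^\n]*|[^\s{};]+', re.S)

def tokenize(text: str) -> list[str]:
    """Split brace-format configuration into tokens, dropping comments."""
    return [t for t in _TOKEN_RE.findall(text) if not t.startswith(("#", "/*"))]

def top_level_keys(text: str) -> list[str]:
    """Names of the outermost statements, e.g. ['system', 'interfaces']."""
    keys, words, depth = [], [], 0
    for tok in tokenize(text):
        if tok in ("{", ";"):
            if depth == 0 and words:
                keys.append(words[0])
            depth += tok == "{"
            words = []
        elif tok == "}":
            depth -= 1
            words = []
        else:
            words.append(tok)
    return keys

def classify(text: str) -> str:
    """'full' when every outermost statement is a known top-level stanza
    (use 'load merge'); otherwise 'snippet' (use 'load merge relative')."""
    keys = top_level_keys(text)
    return "full" if keys and all(k in TOP_LEVEL for k in keys) else "snippet"

def to_set_commands(text: str, base: str = "") -> list[str]:
    """Flatten brace-format configuration into 'set ...' lines. base is the
    hierarchy a snippet belongs at ("system scripts"), i.e. the [edit ...]
    level you would 'load merge relative' from. Raises ValueError on
    unbalanced braces or a leaf statement missing its ';'."""
    stack = base.split()   # hierarchy path being walked
    levels = []            # how many words each '{' pushed onto stack
    words, out = [], []
    for tok in tokenize(text):
        if tok == "{":
            if not words:
                raise ValueError("'{' without a statement name")
            stack.extend(words)
            levels.append(len(words))
            words = []
        elif tok == "}":
            if words:
                raise ValueError(f"statement {' '.join(words)!r} missing ';'")
            if not levels:
                raise ValueError("unbalanced '}'")
            del stack[len(stack) - levels.pop():]
        elif tok == ";":
            if not words:
                raise ValueError("';' without a statement")
            out.append("set " + " ".join(stack + words))
            words = []
        else:
            words.append(tok)
    if levels or words:
        raise ValueError("unbalanced '{' or trailing statement")
    return out

# Constructed samples, copied from the ex-script examples in this section.
FULL_EXAMPLE = """
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""
SNIPPET = "commit { file ex-script-snippet.xsl; }"

if __name__ == "__main__":
    for cfg, base in ((FULL_EXAMPLE, ""), (SNIPPET, "system scripts")):
        print(f"{classify(cfg)} example, merged at [edit {base}]".replace(" ]", "]"))
        print("\n".join("  " + s for s in to_set_commands(cfg, base)))
```

Run it on a file you are about to merge and compare the set lines against the [edit] level you are sitting at; a snippet merged from the top level, or a full example merged with load merge relative below the top, shows up immediately as statements at the wrong path. The parser rejects unbalanced braces and leaf statements without a terminating semicolon rather than guessing, which is the behaviour you want from a pre-commit check.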

Documentation Conventions

Table 1 on page xiv defines notice icons used in this guide.

Table 1: Notice Icons

Icon / Meaning: Description

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page xiv defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Each entry gives the convention, its description, and one or more examples.

Bold text like this
  Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Italic text like this
  Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets)
  Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Encloses a variable for which you can substitute one or more values.
  Example: community name members [community-ids]

Indention and braces ( { } )
  Identifies a level in the configuration hierarchy.

; (semicolon)
  Identifies a leaf statement at a configuration hierarchy level.
  Example (for braces and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Bold text like this
  Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Overview

• Dynamic VPN on page 3

• Local Authentication and Address Assignment on page 13

• Group and Shared IKE IDs on page 15

• Junos Pulse Client on page 19


CHAPTER 1

Dynamic VPN

• Dynamic VPN Overview on page 3

• Understanding Dynamic VPN Enhancements on page 5

• Understanding Remote Client Access to the VPN on page 6

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Proposal Sets on page 9

• Understanding URL Separation for J-Web and Dynamic VPN on page 10

Dynamic VPN Overview

Supported Platforms SRX100, SRX210, SRX240, SRX650

Virtual private network (VPN) tunnels enable users to securely access assets such as e-mail servers and application servers that reside behind a firewall. End-to-site VPN tunnels are particularly helpful to remote users such as telecommuters because a single tunnel enables access to all of the resources on a network—the users do not need to configure individual access settings to each application and server. See Figure 1 on page 4.


Figure 1: Using a VPN Tunnel to Enable Remote Access to a Corporate Network

The dynamic VPN feature (also known as remote access VPN or IPsec VPN client) further simplifies remote access by enabling users to establish Internet Protocol Security (IPsec) VPN tunnels without having to manually configure VPN settings on their PCs or laptops. Instead, authenticated users can simply download the VPN client software to their computers. This Layer 3 remote access client uses client-side configuration settings that it receives from the server to create and manage a secure end-to-site VPN tunnel to the server.

NOTE: If more than two simultaneous user connections are required, a dynamic VPN license must be installed. The dynamic VPN feature is disabled by default on the device. To enable dynamic VPN, you must configure the feature using the dynamic-vpn configuration statement at the [edit security] hierarchy level. See the Installation and Upgrade Guide for Security Devices for information about installing and managing licenses.

Related Documentation

• Understanding URL Separation for J-Web and Dynamic VPN on page 10

• Dynamic VPN Configuration Overview on page 23

• Understanding Dynamic VPN Tunnels on page 7

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side System Requirements on page 117


• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Understanding Dynamic VPN Enhancements

Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX550, SRX650

• Grouping of Users on page 5

• IKE and IPsec Configuration Validation on page 6

• Enabling Dynamic VPN on page 6

• Traceoptions on page 6

Grouping of Users

Prior to Junos OS Release 12.1X44-D10, dynamic VPN configuration requires that users be configured in two locations:

• The client option at the [edit access profile profile-name] hierarchy level is used in the authentication of a dynamic VPN user.

• The user option at the [edit security dynamic-vpn clients configuration-name] hierarchy level is used to associate a client VPN configuration with a user.

As of Junos OS Release 12.1X44-D10, the configuration of dynamic VPN users and the association of users with a client VPN are simplified.

There are two cases to consider when configuring dynamic VPN:

• When users are configured locally, they are configured at the [edit access profile profile-name client client-name] hierarchy level and arranged into user groups using the client-group configuration option.

• Users can be configured on an external authentication server, such as a RADIUS server. Users configured on an external authentication server do not need to be configured at the [edit access profile profile-name] hierarchy level.

The user group needs to be specified in the dynamic VPN configuration so that a user can be associated with a client configuration. You specify a user group with the user-groups option at the [edit security dynamic-vpn clients configuration-name] hierarchy level.

When a user is authenticated, the user group is included in the authentication reply. This information is extracted, and the user groups configured at the [edit security dynamic-vpn clients configuration-name] hierarchy level are searched to determine which client configuration to retrieve and return to the client for tunnel establishment.

If a user is associated with more than one user group, the first matching user group configuration is used. If a user creates a second connection, then the next matching user group configuration is used. Subsequent user connections use the next matching user group configuration until there are no more matching configurations.


IKE and IPsec Configuration Validation

A configuration check can be performed to verify that all IKE and IPsec parameters needed for dynamic VPN are correctly configured. If the configuration is invalid for IKE or IPsec, an error message is displayed.

NOTE: Configuration checks are off by default. You enable configuration checks by using the set security dynamic-vpn config-check command.

Enabling Dynamic VPN

As of Junos OS Release 12.1X44-D10, you do not need to configure Web management services to enable dynamic VPN.

NOTE: Existing configurations that had the loopback interface set to disable Web management now enable Web management on the loopback interface.

The Appweb server is started when Web management is not configured. Other Web management configuration parameters that are needed to start the Appweb server have default operations:

• A system-generated certificate is used by default for HTTPS.

• The default value for limits debug level is 9 for the Web server.

Traceoptions

Administrators can configure the traceoptions statement at the [edit security dynamic-vpn] hierarchy level to log dynamic VPN messages.

Related Documentation

• Dynamic VPN Overview on page 3

• Understanding Remote Client Access to the VPN on page 6

• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34

Understanding Remote Client Access to the VPN

Supported Platforms SRX100, SRX210, SRX240, SRX650

A common dynamic VPN deployment is to provide VPN access to remote clients connected through a public network such as the Internet. IPsec access is provided through a gateway on the Juniper Networks device. Client software such as Pulse Secure (formerly called Junos Pulse) can be used for VPN access.


NOTE: Pulse Secure client software can be obtained from the Juniper Networks Download Software site at https://www.juniper.net/support/downloads/?p=pulse.

The following describes the process for a remote client to access the VPN:

1. The remote client contacts the Web portal by establishing an HTTP or HTTPS connection to the interface on the SRX Series device that is configured to terminate the VPN tunnels.

2. The remote client is redirected to the Web portal for authentication, where users are prompted to enter their credentials.

3. Upon successful authentication, the server determines if client software is installed in the remote client and if the software is the most recent version. If the remote client does not have the client software installed or the installed software is an older version, new software is installed in the remote client. The client software is launched and a new authentication takes place.

4. Upon successful authentication, the remote client downloads the latest configuration options from the server. This ensures that the remote client always has the most recent configuration when it attempts to build a tunnel.

5. A new authentication is performed using IPsec extended authentication (XAuth). An IP address is assigned to the remote client from a local address pool or through an external RADIUS server. Upon successful authentication and address assignment, a tunnel is established.

After VPN software is installed on the remote client, the user can access the VPN by either logging in to the Web portal or launching the client software directly. In either case, the remote client authenticates with the Juniper Networks device and downloads the latest available configuration for the client.

NOTE: When launching newly installed client software, the user must first close the Web browser window with the browser's close button.

Related Documentation

• Dynamic VPN Overview on page 3

• Dynamic VPN Configuration Overview on page 23

• Understanding Dynamic VPN Tunnels on page 7

• Example: Configuring Dynamic VPN on page 25

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Understanding Dynamic VPN Tunnels

Supported Platforms SRX100, SRX210, SRX240, SRX650


Dynamic VPN tunnels are configured in the same way as traditional IPsec VPN tunnels. However, not all IPsec VPN options are supported.

The following list describes the requirements and supported options when configuring dynamic VPN tunnels:

• Only policy-based VPNs are supported. Route-based VPNs are not supported with dynamic VPN tunnels. Traffic allowed from the VPN can be controlled by pushing routes to the remote client as part of the client's configuration.

• Dynamic VPN tunnels must be configured with extended authentication (XAuth). This can be done using local authentication or an external RADIUS server. XAuth is required to obtain username and password information during IPsec negotiation and to push an IP address to the remote client. For local authentication, the IP addresses assigned to remote clients can be drawn from a local pool. Optionally, DNS and WINS server addresses may also be pushed to the remote client.

• Only preshared keys are supported for Phase 1 authentication with dynamic VPN tunnels. The same preshared key can be used for all remote clients because a different username and password is assigned to each remote client.

• When a dynamic VPN client negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used. Therefore, you must always configure aggressive mode with dynamic VPN tunnels.

• Shared or group IKE IDs can be used to configure a single VPN that is shared by all remote clients. When a single VPN is shared, the total number of simultaneous connections to the gateway cannot be greater than the number of dynamic VPN licenses installed. When configuring a shared or group IKE ID gateway, you can configure the maximum number of connections to be greater than the number of installed dynamic VPN licenses. However, if a new connection exceeds the number of licensed connections, the connection will be denied.

NOTE: When the device disconnects abruptly, it will not release the user license immediately. This results in unavailability of licenses to new users. You can reduce the IPsec SA lifetime to a smaller value to reduce the delay of licenses to new users.

• The dynamic VPN client supports the following algorithms: MD5, SHA-1, DES, 3DES, AES (with 96-bit, 128-bit, and 256-bit keys). The dynamic VPN client supports DH groups 1, 2, and 5. Tunnel negotiations will fail if other values are configured on the Juniper Networks device.

• Either proposal sets or custom proposals may be configured for IKE and IPsec negotiations. If there is a list of custom proposals referenced from the IKE or IPsec policy, only the first proposal is sent to the client and other proposals in the list are ignored.


• The same access profile should be used for both IKE and dynamic VPN tunnels. Doing so avoids unpredictable behavior if the tunnel goes down unexpectedly or the client crashes.

• The number of user licenses must be equal to the number of dynamic VPN client connections. For example, if you have 10 user licenses, you can make 10 dynamic VPN client connections. When you make the 11th dynamic VPN client connection, the connection will be denied.

Related Documentation

• Dynamic VPN Overview on page 3

• Dynamic VPN Configuration Overview on page 23

• Example: Configuring Dynamic VPN on page 25

• Understanding IKE and IPsec Packet Processing

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Dynamic VPN Proposal Sets

Supported Platforms SRX100, SRX210, SRX240, SRX650

Configuring custom Internet Key Exchange (IKE) and IP Security (IPsec) proposals for IKE and IPsec policies can be tedious and time-consuming when there are many dynamic VPN clients. The administrator can select basic, compatible, or standard proposal sets for dynamic VPN clients. Each proposal set consists of two or more predefined proposals. The server selects one predefined proposal from the set and pushes it to the client in the client configuration. The client uses this proposal in negotiations with the server to establish the connection.

The default values for IKE and IPsec security association (SA) rekey timeout are as follows:

• For IKE SAs, the rekey timeout is 28,800 seconds.

• For IPsec SAs, the rekey timeout is 3600 seconds.

NOTE: Because proposal-set configuration does not allow for configuration of rekey timeout, these values are included in the client configuration that is sent to the client at client download time.

The basic use cases for proposals are as follows:

• IKE and IPsec both use proposal sets.

The server selects a predefined proposal from the proposal set and sends it to the client, along with the default rekey timeout value.

• IKE uses a proposal set, and IPsec uses a custom proposal.


The server sends a predefined IKE proposal from the configured IKE proposal set to the client, along with the default rekey timeout value. For IPsec, the server sends the setting that is configured in the IPsec proposal.

• IKE uses a custom proposal, and IPsec uses a proposal set.

The server sends a predefined IPsec proposal from the configured IPsec proposal set to the client, along with the default rekey timeout value. For IKE, the server sends the setting that is configured in the IKE proposal.

NOTE: If IPsec uses a standard proposal set and perfect forward secrecy (PFS) is not configured, then the default PFS is set as group2. For other proposal sets, PFS will not be set, because it is not configured. Also, for the IPsec proposal set, the group configuration in ipsec policy perfect-forward-secrecy keys overrides the Diffie-Hellman (DH) group setting in the proposal sets.

Because the client accepts only one proposal for negotiating tunnel establishment with the server, the server internally selects one proposal from the proposal set to send to the client. The selected proposal for each set is listed as follows:

For IKE

• Sec-level basic: preshared key, g1, des, sha1

• Sec-level compatible: preshared key, g2, 3des, sha1

• Sec-level standard: preshared key, g2, aes128, sha1

For IPsec

• Sec-level basic: esp, no pfs (if not configured) or groupx (if configured), des, sha1

• Sec-level compatible: esp, no pfs (if not configured) or groupx (if configured), 3des,

sha1

• Sec-level standard: esp, g2 (if not configured) or groupx (if configured), aes128, sha1

Related Documentation

• Dynamic VPN Overview on page 3

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Understanding URL Separation for J-Web and Dynamic VPN

Supported Platforms SRX100, SRX210, SRX240, SRX650

This feature prevents the dynamic VPN users from accessing J-Web accidentally or intentionally. Unique URLs for J-Web and dynamic VPN add support to the webserver for parsing all the HTTP requests it receives. The webserver also provides access permission based on the interfaces enabled for J-Web and dynamic VPN.

• Changes in the Web Access Behavior on page 11


Changes in the Web Access Behavior

Table 3 on page 11 and Table 4 on page 11 illustrate the changes in the web access behavior when J-Web and dynamic VPN do not share and share the same interface.

Table 3: Case 1: J-Web and Dynamic VPN Do Not Share the Same Interface

Scenario: J-Web is enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the J-Web login page on the J-Web enabled interface or to the dynamic VPN login page on the dynamic VPN enabled interface, depending on the server host chosen.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured, else to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.

• http(s)://server host, http(s)://server host//configured attribute, and http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the J-Web login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured, else to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Table 4: Case 2: J-Web and Dynamic VPN Share the Same Interface

Scenario: J-Web is enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the attribute is configured, or to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Scenario: J-Web is not enabled, and dynamic VPN is not configured.

• http(s)://server host, http(s)://server host//configured attribute, and http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is enabled, and dynamic VPN is not configured.

• http(s)://server host: Navigates to the J-Web login page.

• http(s)://server host//configured attribute: Navigates to the J-Web login page if the J-Web attribute is configured, else to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the Page Not Found page.

Scenario: J-Web is not enabled, and dynamic VPN is configured.

• http(s)://server host: Navigates to the dynamic VPN login page.

• http(s)://server host//configured attribute: Navigates to the Page Not Found page.

• http(s)://server host//dynamic-vpn: Navigates to the dynamic VPN login page.

Related Documentation

• Dynamic VPN Overview on page 3

• Understanding Remote Client Access to the VPN on page 6

• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34


• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 2

Local Authentication and Address Assignment

• Understanding Local Authentication and Address Assignment on page 13

Understanding Local Authentication and Address Assignment

Supported Platforms SRX100, SRX210, SRX240, SRX650

A client application can request an IP address on behalf of a client. This request is made at the same time as the client authentication request. Upon successful authentication of the client, an IP address can be assigned to the client from a predefined address pool or a specific IP address can be assigned. Other attributes, such as WINS or DNS server IP addresses, can also be provided to the client.

Address pools are defined with the pool configuration statement at the [edit access address-assignment] hierarchy level. An address pool definition contains network information (IP address with optional netmask), optional range definitions, and DHCP or XAuth attributes that can be returned to the client. If all addresses in a pool are assigned, a new request for a client address will fail even if the client is successfully authenticated.

Access profiles are defined with the profile configuration statement at the [edit access] hierarchy. A defined address pool can be referenced in an access profile configuration. You can also bind a specific IP address to a client in an access profile with the xauth ip-address address option. The IP address must be in the range of addresses specified in the address pool. It must also be different from the IP address specified with the host configuration statement at the [edit access profile address-assignment pool pool-name family inet] hierarchy level. For any application, if one IP address has been assigned, it will not be reassigned again until it is released.
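The following added configuration (not from this guide; the profile, client, group, pool and address values are constructed placeholders) shows the local-authentication pieces described in this topic together with the client-group and user-groups matching described in "Grouping of Users": two locally defined users arranged in one client group, an address pool with a range and XAuth DNS/WINS attributes, one user bound to a fixed address inside the pool, and a dynamic VPN client configuration that selects users by group. The firewall-user password, range, xauth-attributes and web-authentication default-profile statements are assumed Junos access syntax rather than statements quoted from this page, and the # lines are explanatory comments.

```junos
# Added example with placeholder names; not the guide's own configuration.

# Locally defined users. Each client carries a client-group so the dynamic VPN
# configuration can match on the group instead of listing individual users.
set access profile dyn-vpn-access-profile client alice firewall-user password "CHANGE-ME-alice"
set access profile dyn-vpn-access-profile client alice client-group dyn-vpn-users
set access profile dyn-vpn-access-profile client bob firewall-user password "CHANGE-ME-bob"
set access profile dyn-vpn-access-profile client bob client-group dyn-vpn-users

# Fixed address for one user. It must fall inside the pool's range and must
# differ from any address given with the pool's host statement; once assigned
# it is not handed out again until released.
set access profile dyn-vpn-access-profile client bob xauth ip-address 10.10.10.50

# The profile references the pool that other users draw addresses from.
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-pool

# Address pool: network, the assignable range, and XAuth attributes (DNS and
# WINS server addresses) returned to the client. When the range is exhausted,
# an authenticated client's address request still fails.
set access address-assignment pool dyn-vpn-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-range low 10.10.10.10
set access address-assignment pool dyn-vpn-pool family inet range dyn-vpn-range high 10.10.10.100
set access address-assignment pool dyn-vpn-pool family inet xauth-attributes primary-dns 10.10.10.1/32
set access address-assignment pool dyn-vpn-pool family inet xauth-attributes primary-wins 10.10.10.2/32

# Use the same profile for the Web portal login (WebAuth) and for XAuth, so a
# user presents one set of credentials in both phases.
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

# Dynamic VPN side: the group returned in the authentication reply is matched
# against user-groups here to pick the client configuration to push.
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all user-groups dyn-vpn-users
```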

Related Documentation

• Example: Configuring Local Authentication and Address Pool on page 39

• Dynamic VPN Overview on page 3

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23


• Example: Configuring Dynamic VPN on page 25

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 3

Group and Shared IKE IDs

• Understanding Group and Shared IKE IDs on page 15

Understanding Group and Shared IKE IDs

Supported Platforms SRX100, SRX210, SRX240, SRX650

With dynamic VPN, a unique Internet Key Exchange (IKE) ID is used for each user connection. When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID and shared IKE ID features allow a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required.

NOTE: We recommend that you configure group IKE IDs for dynamic VPN deployments because group IKE IDs provide a unique preshared key and IKE ID for each user.

This topic includes the following sections:

• Group IKE IDs on page 15

• Shared IKE IDs on page 16

Group IKE IDs

When group IKE IDs are configured, the IKE ID of each user is a concatenation of a user-specific part and a part that is common to all group IKE ID users. For example, the user Bob might use "Bob.example.net" as his full IKE ID, where ".example.net" is common to all users. The full IKE ID is used to uniquely identify each user connection.

Although group IKE IDs do not require XAuth, XAuth is required by dynamic VPN to retrieve network attributes like client IP addresses. A warning is displayed if XAuth is not configured for a dynamic VPN that uses group IKE IDs.

NOTE: We recommend that users use the same credentials for both WebAuth and XAuth authentication when group IKE IDs are configured.


Multiple users can use the same group IKE ID, but a single user cannot use the same group IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different group IKE IDs configured, one for each connection. If a user only has one group IKE ID configured and attempts a second connection from another PC, the first connection will be terminated to allow the second connection to go through.

To configure a group IKE ID:

• Configure ike-user-type group-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.

• Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. This configuration is the common part of the full IKE ID for all users.

• Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is used to generate the actual preshared key.

Shared IKE IDs

When a shared IKE ID is configured, all users share a single IKE ID and a single IKE preshared key. Each user is authenticated through the mandatory XAuth phase, where the credentials of individual users are verified either with an external RADIUS server or with a local access database. XAuth is required for shared IKE IDs.

The XAuth user name together with the configured shared IKE ID is used to distinguish between different user connections. Because the user name is used to identify each user connection, both the WebAuth user name and XAuth user name must be the same.

Multiple users can use the same shared IKE ID, but a single user cannot use the same shared IKE ID for different connections. If a user needs to have connections from different remote clients, they need to have different shared IKE IDs configured, one for each connection. If a user has only one shared IKE ID configured and attempts a second connection from another client, the first connection will be terminated to allow the second connection to go through. Also, because the user name is needed to identify each user connection along with the IKE ID, the user must use the same credentials for both WebAuth and XAuth authentication.

To configure a shared IKE ID:

• Configure ike-user-type shared-ike-id at the [edit security ike gateway gateway-name dynamic] hierarchy level.

• Configure the hostname configuration statement at the [edit security ike gateway gateway-name dynamic] hierarchy level. The configured hostname is shared by all users configured in the dynamic VPN access profile.

• Configure the pre-shared-key configuration statement at the [edit security ike policy policy-name] hierarchy level. The configured preshared key is shared by all users configured in the dynamic VPN access profile.
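As an added illustration (not from this guide; the gateway, policy and interface names, the example.net hostnames and the connection limits are constructed placeholders), the two gateway variants below contrast the group IKE ID and shared IKE ID statements listed in this topic; a deployment uses one or the other. Both assume an access profile named dyn-vpn-access-profile already exists for XAuth, connections-limit is assumed Junos syntax rather than a statement quoted from this page, and the # lines are explanatory comments.

```junos
# Added example with placeholder names; not the guide's own configuration.

# Variant 1: group IKE ID (the variant this guide recommends).
# Each user's full IKE ID is user-specific-part + ".example.net", and the
# configured preshared key only seeds a per-user key, so users do not end up
# sharing one literal secret.
set security ike policy grp-ike-policy mode aggressive
set security ike policy grp-ike-policy proposal-set standard
set security ike policy grp-ike-policy pre-shared-key ascii-text "CHANGE-ME-group-seed"
set security ike gateway grp-gw ike-policy grp-ike-policy
set security ike gateway grp-gw dynamic hostname example.net
set security ike gateway grp-gw dynamic ike-user-type group-ike-id
set security ike gateway grp-gw dynamic connections-limit 25
set security ike gateway grp-gw external-interface ge-0/0/0.0
# Group IKE IDs do not need XAuth by themselves, but dynamic VPN does, to push
# the client address; omitting this produces the warning the topic mentions.
set security ike gateway grp-gw xauth access-profile dyn-vpn-access-profile

# Variant 2: shared IKE ID.
# One IKE ID and one preshared key for every user; the XAuth user name plus
# the IKE ID is what tells connections apart, so XAuth is mandatory and the
# WebAuth and XAuth user names must match.
set security ike policy shr-ike-policy mode aggressive
set security ike policy shr-ike-policy proposal-set standard
set security ike policy shr-ike-policy pre-shared-key ascii-text "CHANGE-ME-shared-key"
set security ike gateway shr-gw ike-policy shr-ike-policy
set security ike gateway shr-gw dynamic hostname dynvpn.example.net
set security ike gateway shr-gw dynamic ike-user-type shared-ike-id
set security ike gateway shr-gw dynamic connections-limit 25
set security ike gateway shr-gw external-interface ge-0/0/0.0
set security ike gateway shr-gw xauth access-profile dyn-vpn-access-profile
```

In either variant a user with a single IKE ID who connects from a second client displaces the first connection, as the topic describes, so per-connection IKE IDs are needed for users who legitimately run more than one client.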


Related Documentation

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23

• Example: Configuring a Group IKE ID for Multiple Users on page 43

• Example: Configuring Individual IKE IDs for Multiple Users on page 49

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 4

Junos Pulse Client

• Understanding Junos Pulse Client on page 19

Understanding Junos Pulse Client

Supported Platforms SRX100, SRX210, SRX240, SRX650

Junos Pulse is an extensible multiservice network client that supports integrated connectivity, location-aware network access, application acceleration, security, and selected third-party services. (For more information about Junos Pulse features, see the Junos Pulse Administration Guide.)

Junos Pulse supports remote virtual private network (VPN) tunnel connectivity to SRX Series gateways that are running Junos OS. To configure a firewall access environment for Junos Pulse clients, you must configure the VPN settings on the SRX Series gateway and create and deploy a firewall connection on the Junos Pulse client.

For SRX Series devices running Junos OS Release 10.2 through 10.4, Junos Pulse is supported but must be deployed separately. In Junos OS Release 11.1 and later, if the Pulse client does not exist on the client machine, the Pulse client is automatically downloaded and installed when you log into an SRX Series device. If the Pulse client exists on the client machine, you must launch the Pulse client.

Related Documentation

• Dynamic VPN Overview on page 3

• Junos Pulse Client Installation Requirements on page 105

• Deploying Junos Pulse Client Software on page 106


PART 2

Configuration

• Dynamic VPN on page 23

• Local Authentication and Address Assignment on page 39

• Group and Shared IKE IDs on page 43

• Configuration Statements on page 61

• Configuration Statements for Remote Client Authentication and Addresses on page 77

• Configuration Statements for URL Separation for J-Web and Dynamic VPN on page 95


CHAPTER 5

Dynamic VPN

• Dynamic VPN Configuration Overview on page 23

• Example: Configuring Dynamic VPN on page 25

• Example: Configuring Unique URLs for J-Web and Dynamic VPN on page 34

Dynamic VPN Configuration Overview

Supported Platforms SRX100, SRX210, SRX240, SRX650

A dynamic VPN allows administrators to provide IPsec access to a gateway on a Juniper Networks device while also providing a way to distribute the Dynamic VPN software to remote clients through the use of a Web portal.

The following procedure lists the tasks for configuring a dynamic VPN.

1. Configure authentication and address assignment for the remote clients:

a. Configure an XAuth profile to authenticate users and assign addresses. Either local authentication or an external RADIUS server may be used. Use the profile configuration statement at the [edit access] hierarchy level to configure the XAuth profile.

To use the XAuth profile for Web authentication, use the web-authentication configuration statement at the [edit access firewall-authentication] hierarchy level.

b. Assign IP addresses from a local address pool if local authentication is used. Use the address-assignment pool configuration statement at the [edit access] hierarchy level. A subnet or a range of IP addresses can be specified. IP addresses for DNS and WINS servers may also be specified.

2. Configure the VPN tunnel:

a. Configure the IKE policy. The mode must be aggressive. Basic, compatible, or standard proposal sets may be used. Only preshared keys are supported for Phase 1 authentication. Use the policy configuration statement at the [edit security ike] hierarchy level.

b. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can configure the maximum number of simultaneous connections to the gateway. Use the gateway configuration statement at the [edit security ike] hierarchy level.


c. Configure the IPsec VPN. Basic, compatible, or standard proposal sets may be specified with the policy configuration statement at the [edit security ipsec] hierarchy level. Use the vpn configuration statement at the [edit security ipsec] hierarchy level to configure the IPsec gateway and policy.

d. Configure a security policy to allow traffic from the remote clients to the IKE gateway. Use the policy configuration statement at the [edit security policies from-zone zone to-zone zone] hierarchy level.

NOTE: Configure the security policy with the match criteria source-address any, destination-address any, and application any and the action permit tunnel ipsec-vpn with the name of the dynamic VPN tunnel. Place this policy at the end of the policy list.

e. Configure host inbound traffic to allow specific traffic to reach the device from systems that are connected to its interfaces. For example, IKE and HTTPS traffic must be allowed. See Understanding How to Control Inbound Traffic Based on Traffic Types.

f. (Optional) If the client address pool belongs to a subnet that is directly connected to the device, the device needs to respond to ARP requests for addresses in the pool from other devices in the same zone. Use the proxy-arp configuration statement at the [edit security nat] hierarchy level. Specify the interface that directly connects the subnet to the device and the addresses in the pool.

3. Associate the dynamic VPN with remote clients:

a. Specify the access profile for use with dynamic VPN. Use the access-profile configuration statement at the [edit security dynamic-vpn] hierarchy level.

b. Configure the clients who can use the dynamic VPN. Specify protected resources (traffic to the protected resource travels through the specified dynamic VPN tunnel and is therefore protected by the firewall’s security policies) or exceptions to the protected resources list (traffic that does not travel through the dynamic VPN tunnel and is sent in cleartext). These options control the routes that are pushed to the client when the tunnel is up, and therefore the traffic that is sent through the tunnel. Use the clients configuration statement at the [edit security dynamic-vpn] hierarchy level.

NOTE: The Web portal requires that HTTPS is enabled on the Juniper Networks device. If HTTPS is already enabled for J-Web access, no further action is required.


NOTE: If users will log in to the server by running the Pulse client software instead of connecting to the server through HTTP/HTTPS, use the force-upgrade configuration statement at the [edit security dynamic-vpn] hierarchy level. This configuration automatically upgrades the client’s software when a more recent version is available. If you do not enable this option, the user is given a choice to manually upgrade the client’s software when a more recent version is available.
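The steps above form a checklist that can be verified mechanically against a configuration exported in set format. The following Python script is an added example and not Juniper code: it assumes the set-format text that show configuration | display set prints, parses each statement into a token list, and reports which of the documented requirements are missing (an aggressive-mode IKE policy with a preshared key, a dynamic gateway with an IKE user type and an XAuth access profile, a security policy that tunnels into the VPN, IKE and HTTPS host-inbound traffic on the external interface, and the dynamic-vpn access profile and client binding). The sample configuration is constructed from this chapter's example with the host-inbound https line deliberately left out; the function names are this example's own.

```python
import re

# Constructed sample in Junos "set" format, built from this chapter's example.
# The host-inbound https statement is left out on purpose so there is a finding.
SAMPLE_CONFIG = """
set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
"""


def parse_set_lines(text):
    """Split each 'set ...' line into tokens; a quoted value stays one token."""
    return [re.findall(r'"[^"]*"|\S+', ln.strip())[1:]
            for ln in text.splitlines() if ln.strip().startswith("set ")]


def check_dynamic_vpn(text):
    """Return the documented requirements that the configuration does not meet."""
    stmts = parse_set_lines(text)
    findings = []

    def has(*prefix):
        return any(s[:len(prefix)] == list(prefix) for s in stmts)

    def values(*prefix):
        # the token that follows the prefix, e.g. the names of all IPsec VPNs
        return {s[len(prefix)] for s in stmts
                if s[:len(prefix)] == list(prefix) and len(s) > len(prefix)}

    # step 3a: the dynamic VPN names an access profile, and that profile exists
    profiles = values("security", "dynamic-vpn", "access-profile")
    if not profiles:
        findings.append("security dynamic-vpn access-profile is not set")
    for p in profiles:
        if not has("access", "profile", p):
            findings.append(f"access profile {p} referenced but not defined")

    # step 3b: clients reference an IPsec VPN; follow it back to gateway, policy, zone
    vpns = {s[s.index("ipsec-vpn") + 1] for s in stmts
            if s[:3] == ["security", "dynamic-vpn", "clients"] and "ipsec-vpn" in s}
    if not vpns:
        findings.append("no dynamic-vpn clients entry references an ipsec-vpn")

    for vpn in vpns:
        gws = values("security", "ipsec", "vpn", vpn, "ike", "gateway")
        if not gws:
            findings.append(f"ipsec vpn {vpn} has no ike gateway")
        for gw in gws:
            # step 2b: dynamic gateway with shared/group IKE ID and an XAuth profile
            if not has("security", "ike", "gateway", gw, "dynamic", "ike-user-type"):
                findings.append(f"ike gateway {gw} has no dynamic ike-user-type")
            if not has("security", "ike", "gateway", gw, "xauth", "access-profile"):
                findings.append(f"ike gateway {gw} has no xauth access-profile")
            # step 2a: aggressive mode and a preshared key on the IKE policy
            for pol in values("security", "ike", "gateway", gw, "ike-policy"):
                if not has("security", "ike", "policy", pol, "mode", "aggressive"):
                    findings.append(f"ike policy {pol} is not in aggressive mode")
                if not has("security", "ike", "policy", pol, "pre-shared-key"):
                    findings.append(f"ike policy {pol} has no pre-shared-key")
            # step 2e: IKE and HTTPS allowed as host-inbound traffic on the interface
            for ifc in values("security", "ike", "gateway", gw, "external-interface"):
                for svc in ("ike", "https"):
                    allowed = any(s[:3] == ["security", "zones", "security-zone"]
                                  and ifc in s and s[-2:] == ["system-services", svc]
                                  for s in stmts)
                    if not allowed:
                        findings.append(
                            f"host-inbound-traffic system-services {svc} missing on {ifc}")
        # step 2d: some security policy tunnels traffic into this VPN
        if not any(s[-3:] == ["tunnel", "ipsec-vpn", vpn] for s in stmts):
            findings.append(f"no security policy permits tunnel ipsec-vpn {vpn}")
    return findings


if __name__ == "__main__":
    for finding in check_dynamic_vpn(SAMPLE_CONFIG):
        print("MISSING:", finding)
```

Run against the sample, the script reports only the missing https host-inbound entry; appending that one set statement makes the result empty. The checks follow references (dynamic-vpn clients to the VPN, the VPN to its gateway, the gateway to its policy and interface) rather than looking for fixed names, so the same script works on a configuration that uses different object names.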

Related Documentation

• Dynamic VPN Overview on page 3

• Understanding Dynamic VPN Tunnels on page 7

• Example: Configuring Dynamic VPN on page 25

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Example: Configuring Dynamic VPN

Supported Platforms SRX100, SRX210, SRX240, SRX650

This example shows how to configure a dynamic VPN on a Juniper Networks device to provide VPN access to remote clients.

• Requirements on page 25

• Overview on page 25

• Configuration on page 28

• Verification on page 33

Requirements

Before you begin:

1. Configure network interfaces on the device. See Junos OS Interfaces Library for Security Devices.

2. Create security zones and assign interfaces to them. See “Understanding Security Zones” on page 111.

3. If there will be more than two simultaneous user connections, install a Dynamic VPN license in the device. See Installation and Upgrade Guide for Security Devices.

4. Read “Dynamic VPN Configuration Overview” on page 23.

Overview

A common deployment scenario for dynamic VPN is to provide VPN access to remote clients that are connected through a public network such as the Internet. A public IP address is assigned to one of the gateway’s interfaces; this interface is normally part of the untrust zone. After the client software is installed, the remote user can access the VPN by either logging in to a Web portal or by launching the client directly. In either case, the remote client authenticates with the SRX Series device and downloads the latest configuration available.

Figure 2 on page 26 illustrates this deployment topology. The ge-0/0/15.0 interface on the SRX Series device is the termination point for the dynamic VPN tunnel. Remote clients in the untrust zone access the ge-0/0/15.0 interface through an HTTP or HTTPS connection.

Figure 2: Dynamic VPN Deployment Topology

[Figure not reproduced. Elements shown: SRX Series device with interface ge-0/0/15.0; trust zone 10.0.1.0/24; untrust zone; Internet; Client 1 through Client N.]

In this example, XAuth client authentication is performed locally and client IP addresses are assigned from an address pool configured on the SRX Series device. See Table 5 on page 27.

Then, standard proposal sets are used for both IKE and IPsec negotiations. For dynamic VPN tunnels, aggressive mode must be configured and only preshared keys are supported for Phase 1 authentication. A group IKE ID is used and the maximum number of connections is set to 10. Because dynamic VPNs must be policy-based VPNs, a security policy must be configured to forward traffic to the tunnel. IKE and HTTPS traffic must be allowed for host inbound traffic. See Table 6 on page 27.

Finally, the XAuth profile configured for remote clients is specified for the dynamic VPN. Remote users are associated with the configured IPsec VPN. Also configured are remote protected resources (the destination addresses of traffic that is always sent through the tunnel) and remote exceptions (the destination addresses of traffic that is sent in cleartext instead of through the tunnel). See Table 7 on page 28.

Table 5: Remote Client Authentication and Address Assignment Configuration

Feature: IP address pool
Name: dyn-vpn-address-pool
Configuration parameters:
• Addresses: 10.10.10.0/24
• DNS server address: 4.2.2.2/32

Feature: XAuth profile
Name: dyn-vpn-access-profile
Configuration parameters:
• Remote client username: 'client1' with password $ABC123
• Remote client username: 'client2' with password $ABC123
• IP address pool reference: dyn-vpn-address-pool
• This profile is the default profile for web authentication.

Table 6: VPN Tunnel Configuration Parameters

Feature: IKE policy (Phase 1)
Name: ike-dyn-vpn-policy
Configuration parameters:
• Mode: aggressive
• Proposal set: standard
• Preshared key: (ASCII) $ABC123

Feature: IKE gateway (Phase 1)
Name: dyn-vpn-local-gw
Configuration parameters:
• IKE policy reference: ike-dyn-vpn-policy
• Dynamic hostname: dynvpn
• IKE user type: group IKE ID
• Maximum number of concurrent connections: 10
• External interface: ge-0/0/15.0
• Access profile reference: dyn-vpn-access-profile

Feature: IPsec policy (Phase 2)
Name: ipsec-dyn-vpn-policy
Configuration parameters:
• Proposal set: standard

Feature: IPsec VPN (Phase 2)
Name: dyn-vpn
Configuration parameters:
• IKE gateway reference: dyn-vpn-local-gw
• IPsec policy reference: ipsec-dyn-vpn-policy

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: dyn-vpn-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn dyn-vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/15.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Table 7: Dynamic VPN Configuration for Remote Clients

Feature: Access profile for remote clients
Configuration parameters: Access profile reference: dyn-vpn-access-profile

Feature: Remote clients
Name: all
Configuration parameters:
• IPsec VPN reference: dyn-vpn
• User name reference: client1 and client2
• Remote protected resources: 10.0.0.0/8
• Remote exceptions: 0.0.0.0/0
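The remote protected resources and remote exceptions in Table 7 decide, per destination, whether a client packet enters the tunnel or leaves in cleartext. The Python model below is an added example, not Junos or Pulse client code: it assumes the client installs the pushed prefixes as routes and picks the most specific match, and it also flags exceptions that sit inside a protected resource, which is the split-tunnel mistake a reviewer of this configuration should look for. The function names and the 10.0.1.0/24 exception in the second call are constructed for the example.

```python
import ipaddress


def client_routes(protected, exceptions):
    """Model of the routes pushed to the client. Assumption, not Junos internals:
    protected prefixes point into the tunnel, exceptions to the cleartext path."""
    routes = [(ipaddress.ip_network(p), "tunnel") for p in protected]
    routes += [(ipaddress.ip_network(e), "cleartext") for e in exceptions]
    return routes


def path_for(destination, routes):
    """Longest-prefix match; on an exact tie the tunnel entry (listed first) wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "unreachable"


def classify(destinations, protected, exceptions):
    """Map each destination to the path the client model would choose."""
    routes = client_routes(protected, exceptions)
    return {d: path_for(d, routes) for d in destinations}


def cleartext_holes(protected, exceptions):
    """An exception more specific than a protected resource carves a cleartext hole
    in it. Returns (exception, protected) pairs that deserve a second look."""
    holes = []
    for e in exceptions:
        en = ipaddress.ip_network(e)
        for p in protected:
            pn = ipaddress.ip_network(p)
            if en.subnet_of(pn) and en.prefixlen > pn.prefixlen:
                holes.append((e, p))
    return holes


if __name__ == "__main__":
    # Values from Table 7: protected 10.0.0.0/8, exceptions 0.0.0.0/0
    print(classify(["10.0.1.7", "10.255.3.9", "198.51.100.1"],
                   ["10.0.0.0/8"], ["0.0.0.0/0"]))
    # Constructed variant: an exception inside the protected range
    print(cleartext_holes(["10.0.0.0/8"], ["0.0.0.0/0", "10.0.1.0/24"]))
```

With the values from Table 7, every 10.0.0.0/8 destination (including the trust zone 10.0.1.0/24 in Figure 2) goes through the tunnel and everything else is cleartext, so the default exception does not punch a hole. Adding a more specific exception such as 10.0.1.0/24 would send traffic to the trust zone itself in cleartext; cleartext_holes reports exactly that pair.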

Configuration

• Configuring the Remote User Authentication and Address Assignment on page 28

• Configuring the VPN Tunnel on page 29

• Associate the Dynamic VPN with Remote Clients on page 32

Configuring the Remote User Authentication and Address Assignment

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure remote user authentication and address assignment:

1. Create the address assignment pool.

[edit access address-assignment]
user@host# set pool dyn-vpn-address-pool family inet network 10.10.10.0/24
user@host# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32

2. Configure the XAuth profile.

[edit access]
user@host# set profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
user@host# set profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
user@host# set profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool

3. Configure Web authentication using the XAuth profile.

[edit access firewall-authentication]
user@host# set web-authentication default-profile dyn-vpn-access-profile

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show access
profile dyn-vpn-access-profile {
    client client1 {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    client client2 {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool;
    }
}
address-assignment {
    pool dyn-vpn-address-pool {
        family inet {
            network 10.10.10.0/24;
            xauth-attributes {
                primary-dns 4.2.2.2/32;
            }
        }
    }
}
firewall-authentication {
    web-authentication {
        default-profile dyn-vpn-access-profile;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring the VPN Tunnel

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ssh

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the VPN tunnel:

1. Configure the IKE policy.

[edit security ike]
user@host# set policy ike-dyn-vpn-policy mode aggressive
user@host# set policy ike-dyn-vpn-policy proposal-set standard
user@host# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"

2. Configure the IKE gateway.

[edit security ike]
user@host# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
user@host# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
user@host# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
user@host# set gateway dyn-vpn-local-gw dynamic connections-limit 10
user@host# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
user@host# set gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile

3. Configure IPsec.

[edit security ipsec]
user@host# set policy ipsec-dyn-vpn-policy proposal-set standard
user@host# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
user@host# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy

4. Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy dyn-vpn-policy match source-address any destination-address any application any
user@host# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn

5. Configure host inbound traffic.

[edit security zones security-zone untrust interfaces ge-0/0/15.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security ike
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    external-interface ge-0/0/15.0;
    xauth access-profile dyn-vpn-access-profile;
}

[edit]
user@host# show security ipsec
policy ipsec-dyn-vpn-policy {
    proposal-set standard;
}
vpn dyn-vpn {
    ike {
        gateway dyn-vpn-local-gw;
        ipsec-policy ipsec-dyn-vpn-policy;
    }
}

[edit]
user@host# show security policies
from-zone untrust to-zone trust {
    policy dyn-vpn-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn dyn-vpn;
                }
            }
        }
    }
}

[edit]
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/15.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Associate the Dynamic VPN with Remote Clients

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To associate the dynamic VPN with remote clients:

1. Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile dyn-vpn-access-profile

2. Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients all ipsec-vpn dyn-vpn
user@host# set clients all user client1
user@host# set clients all user client2
user@host# set clients all remote-protected-resources 10.0.0.0/8
user@host# set clients all remote-exceptions 0.0.0.0/0

Results

From configuration mode, confirm your configuration by entering the show security dynamic-vpn command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security dynamic-vpn
access-profile dyn-vpn-access-profile;
clients {
    all {
        remote-protected-resources {
            10.0.0.0/8;
        }
        remote-exceptions {
            0.0.0.0/0;
        }
        ipsec-vpn dyn-vpn;
        user {
            client1;
            client2;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

• Verifying IKE Phase 1 Status on page 33

• Verifying Connected Clients and Assigned Addresses on page 34

• Verifying IPsec Phase 2 Status on page 34

• Verifying Concurrent Connections and Parameters for Each User on page 34

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status of the security associations.

Action

From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations
Index   Remote Address   State   Initiator cookie   Responder cookie   Mode
18      172.19.100.99    UP      37b45aa1469e488b   7d4454404002e2e6   Aggressive

Verifying Connected Clients and Assigned Addresses

Purpose

Verify the remote clients that have authenticated with XAuth and the IP addresses assigned to them.

Action

From operational mode, enter the show security ike active-peer command.

user@host> show security ike active-peer
Remote Address   Port   Peer IKE-ID   XAUTH username   Assigned IP
172.19.100.99    500    testdynvpn    test             10.10.10.2

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status of the security associations.

Action

From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID          Gateway          Port   Algorithm          SPI        Life:sec/kb     Mon   vsys
  <133955586  172.19.100.99    500    ESP:aes-128/sha1   9c23b7a9   2862/ 449996    -     root
  >133955586  172.19.100.99    500    ESP:aes-128/sha1   c72c8f88   2862/ 449996    -     root

Verifying Concurrent Connections and Parameters for Each User

Purpose

Verify the number of concurrent connections and the negotiated parameters for each user.

Action

From operational mode, enter the show security dynamic-vpn users command.

user@host> show security dynamic-vpn users
User: test , User group: group-one, Number of connections: 1
    Remote IP: 172.19.100.99
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
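The verification commands above can also be checked by script against the values this example configures. The Python below is an added example rather than Juniper tooling: it assumes the output layouts of show security dynamic-vpn users and show security ike active-peer shown above (the sample text is constructed in that layout, with a second, constructed user whose assigned address falls outside the pool), sums the per-user connection counts against connections-limit 10, and compares each assigned address with the pool 10.10.10.0/24. The function names are this example's own.

```python
import ipaddress
import re

# Constructed sample output in the layout of the two commands above. The second
# user and peer are invented for the example; 10.10.20.5 lies outside the pool.
SAMPLE_USERS = """\
User: test , User group: group-one, Number of connections: 1
    Remote IP: 172.19.100.99
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
User: client1 , User group: group-one, Number of connections: 1
    Remote IP: 198.51.100.23
    IPSEC VPN: dyn-vpn
    IKE gateway: dyn-vpn-local-gw
    IKE ID : testdynvpn
    IKE Lifetime: 28800
    IPSEC Lifetime: 3600
    Status: CONNECTED
"""

SAMPLE_PEERS = """\
Remote Address   Port  Peer IKE-ID   XAUTH username  Assigned IP
172.19.100.99    500   testdynvpn    test            10.10.10.2
198.51.100.23    500   testdynvpn    client1         10.10.20.5
"""


def parse_users(text):
    """One dict per 'User:' block of show security dynamic-vpn users."""
    users = []
    for line in text.splitlines():
        m = re.match(r"User:\s*(\S+)\s*,.*Number of connections:\s*(\d+)", line)
        if m:
            users.append({"user": m.group(1), "connections": int(m.group(2))})
        elif users and ":" in line:
            key, _, value = line.partition(":")   # e.g. "IKE ID : testdynvpn"
            users[-1][key.strip()] = value.strip()
    return users


def parse_active_peers(text):
    """One dict per data row of show security ike active-peer (header skipped)."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[1].isdigit():
            peers.append({"remote": fields[0], "port": int(fields[1]),
                          "ike_id": fields[2], "xauth_user": fields[3],
                          "assigned_ip": fields[4]})
    return peers


def audit(users_text, peers_text, pool_cidr, connections_limit):
    """Compare live state with the configured pool and connections-limit."""
    users = parse_users(users_text)
    peers = parse_active_peers(peers_text)
    pool = ipaddress.ip_network(pool_cidr)
    total = sum(u["connections"] for u in users)
    known = {u["user"] for u in users}
    return {
        "total_connections": total,
        "over_limit": total > connections_limit,
        "not_connected": [u["user"] for u in users if u.get("Status") != "CONNECTED"],
        "outside_pool": [p["xauth_user"] for p in peers
                         if ipaddress.ip_address(p["assigned_ip"]) not in pool],
        "unknown_peers": [p["xauth_user"] for p in peers if p["xauth_user"] not in known],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_USERS, SAMPLE_PEERS, "10.10.10.0/24", 10))
```

On the sample, the audit reports two connections (under the limit of 10), no user in a state other than CONNECTED, and client1 as the one peer whose assigned address is not in dyn-vpn-address-pool; an assigned address outside the pool is worth investigating, since in this example every client address should come from that pool.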

Related Documentation

• Dynamic VPN Overview on page 3

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Example: Configuring Unique URLs for J-Web and Dynamic VPN

Supported Platforms SRX100, SRX210, SRX240, SRX650


This example shows how to prevent J-Web access when both J-Web and dynamic VPN are enabled on the same interface.

• Requirements on page 35

• Overview on page 35

• Configuration on page 35

Requirements

Before you begin, verify whether J-Web and dynamic VPN are configured on the same interface. To verify the configuration, use the following commands:

• show security ike

• show system services web-management

Overview

The configuration attribute management-url at the [edit system services web-management] hierarchy level controls J-Web access when both J-Web and dynamic VPN are enabled on the same interface.

Dynamic VPN must have the configured HTTPS certificate and the webserver to communicate with the client. Therefore, the configuration at the [edit system services web-management] hierarchy level required to start the Appweb webserver cannot be deleted or deactivated.

You can also enable trace options for dynamic VPN, assign debug levels for the Appweb process, and configure the maximum number of sessions that the web-management command can allow with the session-limits configuration option.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit system services web-management] hierarchy level, and then enter commit from configuration mode.

set traceoptions level all
set traceoptions flag all
set management-url jweb
set https system-generated-certificate
set limits debug-level 9
set session session-limit 7

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure URL separation for J-Web and dynamic VPN when both J-Web and dynamic VPN are enabled on the same interface:

1. Configure the device to debug output at all levels.

[edit system services web-management traceoptions]
user@host# set level all

2. Enable trace flags for all system services and for dynamic VPN.

[edit system services web-management traceoptions]
user@host# set flag all

3. Configure the management URL path for Web management access.

[edit system services web-management]
user@host# set management-url jweb

4. Configure the HTTPS certificate.

[edit system services web-management]
user@host# set https system-generated-certificate

5. Configure the debug level for the Appweb process.

[edit system services web-management]
user@host# set limits debug-level 9

6. Configure the maximum number of sessions that Web management can allow.

[edit system services web-management]
user@host# set session session-limit 7

Results

From configuration mode, confirm your configuration by entering the show system services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show system services
ssh;
telnet;
web-management {
    traceoptions {
        level all;
        flag all;
    }
    management-url jweb;
    http {
        interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ];
    }
    https {
        system-generated-certificate;
    }
    limits {
        debug-level 9;
    }
    session {
        session-limit 7;
    }
}

If you are done configuring the device, enter commit from configuration mode.


Related Documentation

• Understanding URL Separation for J-Web and Dynamic VPN on page 10

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 6

Local Authentication and Address Assignment

• Example: Configuring Local Authentication and Address Pool on page 39

Example: Configuring Local Authentication and Address Pool

Supported Platforms SRX100, SRX210, SRX240, SRX650

This example shows how to create an address pool and how to assign client IP addresses in an access profile.

Requirements

Before you begin, configure primary and secondary DNS and WINS servers and assign IP addresses to them.

Overview

This example creates an address pool xauth1 that consists of the IP addresses in the 40.0.0.0/24 subnet. The xauth1 pool also assigns IP addresses for primary and secondary DNS and WINS servers.

The access profile dvpn-auth references the xauth1 pool. The dvpn-auth access profile configures two clients:

• jason: The IP address 40.0.0.1 is bound to this client. Upon successful authentication, the client is assigned the IP address 40.0.0.1. If the client logs in again before logging out, the client is assigned an IP address from the xauth1 pool.

• jacky: Upon successful authentication, the client is assigned an IP address from the xauth1 pool.

In addition, the dvpn-auth access profile specifies that password authentication is used to verify clients at login. Additional authentication methods may be specified; the software tries the authentication methods in order, from first to last, for each client login attempt.
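The two client behaviours described above (a bound address for jason, pool allocation for jacky and for a second concurrent jason login) can be modelled to see the resulting allocation sequence. The Python class below is an added illustration, not Junos code; it assumes that the lowest free host address of the pool is handed out, and that bound addresses and the DNS and WINS server addresses are never handed out as pool addresses. The class and method names are constructed for this example.

```python
import ipaddress


class XauthAddressPool:
    """Model of the address assignment described above (an added illustration,
    not Junos code). Assumptions: a client with a bound xauth ip-address gets it
    while it is free; otherwise, and for clients without a binding, the lowest
    free host address of the pool is handed out; bound addresses and the DNS/WINS
    server addresses are never handed out as pool addresses."""

    def __init__(self, network, bound, reserved):
        self.network = ipaddress.ip_network(network)
        self.bound = {user: ipaddress.ip_address(a) for user, a in bound.items()}
        self.reserved = {ipaddress.ip_address(a) for a in reserved}
        self.reserved |= set(self.bound.values())
        self.leases = {}  # address -> user

    def login(self, user):
        """Return the address assigned to this login as a string."""
        want = self.bound.get(user)
        if want is not None and want not in self.leases:
            self.leases[want] = user          # bound address still free: hand it out
            return str(want)
        for addr in self.network.hosts():     # second concurrent login, or no binding
            if addr not in self.reserved and addr not in self.leases:
                self.leases[addr] = user
                return str(addr)
        raise RuntimeError("address pool exhausted")

    def logout(self, user):
        """Release every address held by the user."""
        for addr in [a for a, u in self.leases.items() if u == user]:
            del self.leases[addr]

    def assigned(self):
        """Current leases as {address: user}."""
        return {str(a): u for a, u in self.leases.items()}


if __name__ == "__main__":
    # Values from this example: pool 40.0.0.0/24, jason bound to 40.0.0.1,
    # DNS and WINS servers at 40.0.0.250, .251, .253 and .254
    pool = XauthAddressPool("40.0.0.0/24", {"jason": "40.0.0.1"},
                            ["40.0.0.250", "40.0.0.251", "40.0.0.253", "40.0.0.254"])
    print(pool.login("jason"))   # bound address
    print(pool.login("jacky"))   # first free pool address
    print(pool.login("jason"))   # second login before logout: a pool address
    print(pool.assigned())
```

With the example's values the sequence is jason: 40.0.0.1, jacky: 40.0.0.2, and a second jason login before logout: 40.0.0.3; after jason logs out, the bound address 40.0.0.1 is free again for his next login.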

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile dvpn-auth authentication-order password
set access profile dvpn-auth client jacky firewall-user password "$ABC123"
set access profile dvpn-auth client jason xauth ip-address 40.0.0.1/32
set access profile dvpn-auth client jason firewall-user password "$ABC123"
set access profile dvpn-auth address-assignment pool xauth1
set access address-assignment pool xauth1 family inet network 40.0.0.0/24
set access address-assignment pool xauth1 family inet xauth-attributes primary-dns 40.0.0.250/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-dns 40.0.0.251/32
set access address-assignment pool xauth1 family inet xauth-attributes primary-wins 40.0.0.253/32
set access address-assignment pool xauth1 family inet xauth-attributes secondary-wins 40.0.0.254/32

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an address pool and an access profile that uses the address pool:

1. Create the address pool.

[edit access address-assignment]
user@host# set pool xauth1 family inet network 40.0.0.0/24 xauth-attributes primary-dns 40.0.0.250 secondary-dns 40.0.0.251 primary-wins 40.0.0.253 secondary-wins 40.0.0.254

2. Configure the access profile.

[edit access]
user@host# set profile dvpn-auth address-assignment pool xauth1
user@host# set profile dvpn-auth authentication-order password
user@host# set profile dvpn-auth client jason xauth ip-address 40.0.0.1
user@host# set profile dvpn-auth client jason firewall-user password jason
user@host# set profile dvpn-auth client jacky firewall-user password jacky

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show access
profile dvpn-auth {
    authentication-order password;
    client jacky {
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    client jason {
        xauth {
            ip-address 40.0.0.1/32;
        }
        firewall-user {
            password "$ABC123"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool xauth1;
    }
}
address-assignment {
    pool xauth1 {
        family inet {
            network 40.0.0.0/24;
            xauth-attributes {
                primary-dns 40.0.0.250/32;
                secondary-dns 40.0.0.251/32;
                primary-wins 40.0.0.253/32;
                secondary-wins 40.0.0.254/32;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

• Verifying Address Assignment on page 41

Verifying Address Assignment

Purpose
Verify address assignment. For XAuth, the hardware address is always shown as NA. If a static IP address is assigned to a specific user, the user name and profile name (in the format user@profile) are displayed in the "Host/User" column. If a client is assigned an IP address from the pool, the username is displayed; if the username does not exist, NA is displayed. For other applications (for example, DHCP), the hostname is displayed if configured; if the hostname is not configured, NA is displayed.

Action
From operational mode, enter the show network-access address-assignment pool command.

user@host> show network-access address-assignment pool xauth1
IP address      Hardware address   Host/User          Type
40.0.0.1        NA                 jason@dvpn-auth    XAUTH
40.0.0.2        NA                 jacky              XAUTH

Related Documentation

• Understanding Local Authentication and Address Assignment on page 13

• Dynamic VPN Overview on page 3

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23

• Example: Configuring Dynamic VPN on page 25

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 7

Group and Shared IKE IDs

• Example: Configuring a Group IKE ID for Multiple Users on page 43

• Example: Configuring Individual IKE IDs for Multiple Users on page 49

Example: Configuring a Group IKE ID for Multiple Users

Supported Platforms SRX100, SRX210, SRX240, SRX650

This example shows how to configure a group IKE ID that is used by multiple users.

• Requirements on page 43

• Overview on page 43

• Configuration on page 45

• Verification on page 49

Requirements

Before you begin:

1. Configure network interfaces on the device. See the Junos OS Interfaces Library for Security Devices.

2. Create security zones and assign interfaces to them. See Understanding Security Zones.

3. If there will be more than two simultaneous user connections, install a Dynamic VPN license in the device. See Installation and Upgrade Guide for Security Devices.

4. Read “Dynamic VPN Configuration Overview” on page 23.

Overview

In this example, you configure two remote dynamic VPN users who use a single IKE ID and a single IKE preshared key (see Table 8 on page 44 and Table 9 on page 44). An external RADIUS server is used to authenticate users and assign IP addresses to clients (see Table 10 on page 45).

Table 8: Group IKE ID VPN Tunnel Configuration Parameters

Feature: IKE policy (Phase 1)
Name: clientpol-group
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-everyone-in-access-profile

Feature: IKE gateway (Phase 1)
Name: groupgw
Configuration parameters:
• IKE policy reference: clientpol-group
• Dynamic hostname: example.net
• IKE user type: group IKE ID
• Maximum number of concurrent connections: 50
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client1vpnPol
Configuration parameters:
• Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: groupvpn
Configuration parameters:
• IKE gateway reference: groupgw
• IPsec policy reference: client1vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: group-sec-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn groupvpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Table 9: Group IKE ID Dynamic VPN Configuration for Remote Clients

Feature: Access profile for remote clients
Configuration parameters:
• Access profile reference: radius-profile

Feature: Remote clients
Name: groupcfg
Configuration parameters:
• IPsec VPN reference: groupvpn
• User name reference: derek and chris
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24, 0.0.0.0/32

Table 10: RADIUS Server User Authentication (Group IKE ID)

Feature: XAuth profile
Name: radius-profile
Configuration parameters:
• RADIUS is the authentication method used to verify user credentials.
• The RADIUS server IP address is 10.100.100.250 and the password is secret.
• This profile is the default profile for Web authentication.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set access firewall-authentication web-authentication default-profile radius-profile
set security ike policy clientpol-group mode aggressive
set security ike policy clientpol-group proposal-set compatible
set security ike policy clientpol-group pre-shared-key ascii-text "$ABC123"
set security ike gateway groupgw ike-policy clientpol-group
set security ike gateway groupgw dynamic hostname example.net
set security ike gateway groupgw dynamic connections-limit 50
set security ike gateway groupgw dynamic ike-user-type group-ike-id
set security ike gateway groupgw external-interface ge-0/0/0.0
set security ike gateway groupgw xauth access-profile radius-profile
set security ipsec policy client1vpnPol proposal-set compatible
set security ipsec vpn groupvpn ike gateway groupgw
set security ipsec vpn groupvpn ike ipsec-policy client1vpnPol
set security policies from-zone untrust to-zone trust policy group-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy group-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy group-sec-policy match application any
set security policies from-zone untrust to-zone trust policy group-sec-policy then permit tunnel ipsec-vpn groupvpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients groupcfg remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients groupcfg remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients groupcfg remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients groupcfg ipsec-vpn groupvpn
set security dynamic-vpn clients groupcfg user chris
set security dynamic-vpn clients groupcfg user derek
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh


Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a group IKE ID for multiple users:

1. Configure the XAuth profile.

[edit access]
user@host# set profile radius-profile authentication-order radius
user@host# set profile radius-profile radius-server 10.100.100.250 secret secret
user@host# set firewall-authentication web-authentication default-profile radius-profile

2. Configure the IKE policy.

[edit security ike]
user@host# set policy clientpol-group mode aggressive
user@host# set policy clientpol-group proposal-set compatible
user@host# set policy clientpol-group pre-shared-key ascii-text for-everyone-in-access-profile

3. Configure the IKE gateway.

[edit security ike]
user@host# set gateway groupgw ike-policy clientpol-group
user@host# set gateway groupgw dynamic hostname example.net
user@host# set gateway groupgw dynamic ike-user-type group-ike-id
user@host# set gateway groupgw dynamic connections-limit 50
user@host# set gateway groupgw external-interface ge-0/0/0.0
user@host# set gateway groupgw xauth access-profile radius-profile

4. Configure IPsec.

[edit security ipsec]
user@host# set policy client1vpnPol proposal-set compatible
user@host# set vpn groupvpn ike gateway groupgw
user@host# set vpn groupvpn ike ipsec-policy client1vpnPol

5. Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy group-sec-policy match source-address any destination-address any application any
user@host# set policy group-sec-policy then permit tunnel ipsec-vpn groupvpn

6. Configure host inbound traffic.

[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

7. Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile radius-profile

8. Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients groupcfg ipsec-vpn groupvpn
user@host# set clients groupcfg user derek
user@host# set clients groupcfg user chris
user@host# set clients groupcfg remote-protected-resources 10.100.100.0/24
user@host# set clients groupcfg remote-exceptions 0.0.0.0/0
user@host# set clients groupcfg remote-exceptions 1.1.1.1/24
user@host# set clients groupcfg remote-exceptions 0.0.0.0/32

Results

From configuration mode, confirm your configuration by entering the show access, show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show access
profile radius-profile {
    authentication-order radius;
    radius-server {
        10.100.100.250 secret "$ABC123"; ## SECRET-DATA
    }
}
firewall-authentication {
    web-authentication {
        default-profile radius-profile;
    }
}

user@host# show security ike
ike {
    policy clientpol-group {
        mode aggressive;
        proposal-set compatible;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway groupgw {
        ike-policy clientpol-group;
        dynamic {
            hostname example.net;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface ge-0/0/0.0;
        xauth access-profile radius-profile;
    }
}

user@host# show security ipsec
ipsec {
    policy client1vpnPol {
        proposal-set compatible;
    }
    vpn groupvpn {
        ike {
            gateway groupgw;
            ipsec-policy client1vpnPol;
        }
    }
}

user@host# show security policies
from-zone untrust to-zone trust {
    policy group-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn groupvpn;
                }
            }
        }
    }
}

user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}

user@host# show security dynamic-vpn
dynamic-vpn {
    access-profile radius-profile;
    clients {
        groupcfg {
            remote-protected-resources {
                10.100.100.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
                1.1.1.1/24;
                0.0.0.0/32;
            }
            ipsec-vpn groupvpn;
            user {
                chris;
                derek;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

• Verifying IKE Phase 1 Status on page 49

• Verifying Connected Clients and Assigned Addresses on page 49

• Verifying IPsec Phase 2 Status on page 49

• Verifying Concurrent Connections and Parameters for Each User on page 49

Verifying IKE Phase 1 Status

Purpose
Verify the IKE Phase 1 status of the security associations.

Action
From operational mode, enter the show security ike security-associations command.

Verifying Connected Clients and Assigned Addresses

Purpose
Verify that the remote clients and the IP addresses assigned to them are using XAuth.

Action
From operational mode, enter the show security ike active-peer command.

Verifying IPsec Phase 2 Status

Purpose
Verify the IPsec Phase 2 status of the security associations.

Action
From operational mode, enter the show security ipsec security-associations command.

Verifying Concurrent Connections and Parameters for Each User

Purpose
Verify the number of concurrent connections and the negotiated parameters for each user.

Action
From operational mode, enter the show security dynamic-vpn users command.

Related Documentation

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23

• Understanding Group and Shared IKE IDs on page 15

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Example: Configuring Individual IKE IDs for Multiple Users

Supported Platforms SRX100, SRX210, SRX240, SRX650

This example shows how to configure individual IKE IDs for multiple users.

NOTE: When there are a large number of users who need to access the VPN, configuring an individual IKE gateway, IPsec VPN, and a security policy for each user can be cumbersome. The group IKE ID feature allows a number of users to share an IKE gateway configuration, thus reducing the number of VPN configurations required. See “Understanding Group and Shared IKE IDs” on page 15.

• Requirements on page 50

• Overview on page 50

• Configuration on page 52

• Verification on page 59

Requirements

Before you begin:

1. Configure network interfaces on the device. See Junos OS Interfaces Library for Security Devices.

2. Create security zones and assign interfaces to them. See Understanding Security Zones.

3. If there will be more than two simultaneous user connections, install a Dynamic VPN license in the device. See Installation and Upgrade Guide for Security Devices.

4. Read “Dynamic VPN Configuration Overview” on page 23.

Overview

The following example shows the configuration for two remote dynamic VPN users. For each user, an IKE policy and gateway, IPsec policy and VPN, and a security policy must be configured (see Table 11 on page 50 and Table 12 on page 51). An external RADIUS server is used to authenticate users and assign IP addresses to clients (see Table 13 on page 52).

Table 11: Client 1 Configuration Parameters

Feature: IKE policy (Phase 1)
Name: client1pol
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-client1

Feature: IKE gateway (Phase 1)
Name: client1gw
Configuration parameters:
• IKE policy reference: client1pol
• Dynamic hostname: example.net
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client1vpnPol
Configuration parameters:
• Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: client1vpn
Configuration parameters:
• IKE gateway reference: client1gw
• IPsec policy reference: client1vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: client1-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn client1vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Feature: Access profile for remote clients
Configuration parameters:
• Access profile reference: radius-profile

Feature: Remote clients
Name: cfg1
Configuration parameters:
• IPsec VPN reference: client1vpn
• User name reference: derek
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24, 0.0.0.0/32

Table 12: Client 2 Configuration Parameters

Feature: IKE policy (Phase 1)
Name: client2pol
Configuration parameters:
• Mode: aggressive
• Proposal set: compatible
• Preshared key: (ASCII) for-client2

Feature: IKE gateway (Phase 1)
Name: client2gw
Configuration parameters:
• IKE policy reference: client2pol
• Dynamic hostname: example.net
• External interface: ge-0/0/0.0
• Access profile reference: radius-profile

Feature: IPsec policy (Phase 2)
Name: client2vpnPol
Configuration parameters:
• Proposal set: compatible

Feature: IPsec VPN (Phase 2)
Name: client2vpn
Configuration parameters:
• IKE gateway reference: client2gw
• IPsec policy reference: client2vpnPol

Feature: Security policy (permits traffic from the untrust zone to the trust zone)
Name: client2-policy
Configuration parameters:
• Match criteria: source address any, destination address any, application any
• Permit action: tunnel ipsec-vpn client2vpn

Feature: Host inbound traffic
Configuration parameters: Allow the following types of traffic to the ge-0/0/0.0 interface in the untrust zone:
• IKE
• HTTPS
• ping
• SSH

Feature: Access profile for remote clients
Configuration parameters:
• Access profile reference: radius-profile

Feature: Remote clients
Name: cfg2
Configuration parameters:
• IPsec VPN reference: client2vpn
• User name reference: chris
• Remote protected resources: 10.100.100.0/24
• Remote exceptions: 0.0.0.0/0, 1.1.1.1/24

Table 13: RADIUS Server User Authentication (Individual IKE ID)

Feature: XAuth profile
Name: radius-profile
Configuration parameters:
• RADIUS is the authentication method used to verify user credentials.
• RADIUS server IP address is 10.100.100.250 and the password is secret.
• This profile is the default profile for Web authentication.

Configuration

• Configuring the XAuth Profile on page 52

• Configuring Client 1 on page 53

• Configuring Client 2 on page 56

Configuring the XAuth Profile

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set access profile radius-profile authentication-order radius
set access profile radius-profile radius-server 10.100.100.250 secret "$ABC123"
set access firewall-authentication web-authentication default-profile radius-profile

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure the XAuth profile:

1. Configure the access profile.

[edit access]
user@host# set profile radius-profile authentication-order radius
user@host# set profile radius-profile radius-server 10.100.100.250 secret secret

2. Configure Web authentication using the XAuth profile.

[edit access]
user@host# set firewall-authentication web-authentication default-profile radius-profile

Results

From configuration mode, confirm your configuration by entering the show access command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show access
profile radius-profile {
    authentication-order radius;
    radius-server {
        10.100.100.250 secret "$ABC123"; ## SECRET-DATA
    }
}
firewall-authentication {
    web-authentication {
        default-profile radius-profile;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Client 1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security ike policy client1pol mode aggressive
set security ike policy client1pol proposal-set compatible
set security ike policy client1pol pre-shared-key ascii-text "$ABC123"
set security ike gateway client1gw ike-policy client1pol
set security ike gateway client1gw dynamic hostname example.net
set security ike gateway client1gw external-interface ge-0/0/0.0
set security ike gateway client1gw xauth access-profile radius-profile
set security ipsec policy client1vpnPol proposal-set compatible
set security ipsec vpn client1vpn ike gateway client1gw
set security ipsec vpn client1vpn ike ipsec-policy client1vpnPol
set security policies from-zone untrust to-zone trust policy client1-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy client1-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy client1-sec-policy match application any
set security policies from-zone untrust to-zone trust policy client1-sec-policy then permit tunnel ipsec-vpn client1vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg1 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients cfg1 remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients cfg1 remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients cfg1 ipsec-vpn client1vpn
set security dynamic-vpn clients cfg1 user derek
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure dynamic VPN for a single user:

1. Configure the IKE policy.

[edit security ike]
user@host# set policy client1pol mode aggressive
user@host# set policy client1pol proposal-set compatible
user@host# set policy client1pol pre-shared-key ascii-text for-client1

2. Configure the IKE gateway.

[edit security ike]
user@host# set gateway client1gw ike-policy client1pol
user@host# set gateway client1gw dynamic hostname example.net
user@host# set gateway client1gw external-interface ge-0/0/0.0
user@host# set gateway client1gw xauth access-profile radius-profile

3. Configure IPsec.

[edit security ipsec]
user@host# set policy client1vpnPol proposal-set compatible
user@host# set vpn client1vpn ike gateway client1gw
user@host# set vpn client1vpn ike ipsec-policy client1vpnPol

4. Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy client1-sec-policy match source-address any destination-address any application any
user@host# set policy client1-sec-policy then permit tunnel ipsec-vpn client1vpn

5. Configure host inbound traffic.

[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

6. Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile radius-profile

7. Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients cfg1 ipsec-vpn client1vpn
user@host# set clients cfg1 user derek
user@host# set clients cfg1 remote-protected-resources 10.100.100.0/24
user@host# set clients cfg1 remote-exceptions 0.0.0.0/0
user@host# set clients cfg1 remote-exceptions 1.1.1.1/24
user@host# set clients cfg1 remote-exceptions 0.0.0.0/32

Results

From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security ike
policy client1pol {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway client1gw {
    ike-policy client1pol;
    dynamic hostname example.net;
    external-interface ge-0/0/0.0;
    xauth access-profile radius-profile;
}

user@host# show security ipsec
policy client1vpnPol {
    proposal-set compatible;
}
vpn client1vpn {
    ike {
        gateway client1gw;
        ipsec-policy client1vpnPol;
    }
}

user@host# show security policies
from-zone untrust to-zone trust {
    policy client1-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn client1vpn;
                }
            }
        }
    }
}

user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}

user@host# show security dynamic-vpn
access-profile radius-profile;
clients {
    cfg1 {
        remote-protected-resources {
            10.100.100.0/24;
        }
        remote-exceptions {
            0.0.0.0/0;
            1.1.1.1/24;
            0.0.0.0/32;
        }
        ipsec-vpn client1vpn;
        user {
            derek;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Client 2

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security ike policy client2pol mode aggressive
set security ike policy client2pol proposal-set compatible
set security ike policy client2pol pre-shared-key ascii-text "$ABC123"
set security ike gateway client2gw ike-policy client2pol
set security ike gateway client2gw dynamic hostname example.net
set security ike gateway client2gw external-interface ge-0/0/0.0
set security ike gateway client2gw xauth access-profile radius-profile
set security ipsec policy client2vpnPol proposal-set compatible
set security ipsec vpn client2vpn ike gateway client2gw
set security ipsec vpn client2vpn ike ipsec-policy client2vpnPol
set security policies from-zone untrust to-zone trust policy client2-sec-policy match source-address any
set security policies from-zone untrust to-zone trust policy client2-sec-policy match destination-address any
set security policies from-zone untrust to-zone trust policy client2-sec-policy match application any
set security policies from-zone untrust to-zone trust policy client2-sec-policy then permit tunnel ipsec-vpn client2vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg2 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg2 remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients cfg2 remote-exceptions 0.0.0.0/32
set security dynamic-vpn clients cfg2 ipsec-vpn client2vpn
set security dynamic-vpn clients cfg2 user chris
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure dynamic VPN for a single user:

1. Configure the IKE policy.

[edit security ike]
user@host# set policy client2pol mode aggressive
user@host# set policy client2pol proposal-set compatible
user@host# set policy client2pol pre-shared-key ascii-text for-client2

2. Configure the IKE gateway.

[edit security ike]
user@host# set gateway client2gw ike-policy client2pol
user@host# set gateway client2gw dynamic hostname example.net
user@host# set gateway client2gw external-interface ge-0/0/0.0
user@host# set gateway client2gw xauth access-profile radius-profile

3. Configure IPsec.

[edit security ipsec]
user@host# set policy client2vpnPol proposal-set compatible
user@host# set vpn client2vpn ike gateway client2gw
user@host# set vpn client2vpn ike ipsec-policy client2vpnPol

4. Configure the security policy.

[edit security policies from-zone untrust to-zone trust]
user@host# set policy client2-sec-policy match source-address any destination-address any application any
user@host# set policy client2-sec-policy then permit tunnel ipsec-vpn client2vpn


5. Configure host inbound traffic.

[edit security zones security-zone untrust interfaces ge-0/0/0.0]
user@host# set host-inbound-traffic system-services ike
user@host# set host-inbound-traffic system-services https
user@host# set host-inbound-traffic system-services ping
user@host# set host-inbound-traffic system-services ssh

6. Specify the access profile to use with dynamic VPN.

[edit security dynamic-vpn]
user@host# set access-profile radius-profile

7. Configure the clients who can use the dynamic VPN.

[edit security dynamic-vpn]
user@host# set clients cfg2 ipsec-vpn client2vpn
user@host# set clients cfg2 user chris
user@host# set clients cfg2 remote-protected-resources 10.100.100.0/24
user@host# set clients cfg2 remote-exceptions 1.1.1.1/24
user@host# set clients cfg2 remote-exceptions 0.0.0.0/32
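The seven steps above tie objects together purely by name (client to VPN, VPN to gateway, gateway to access profile, policy to VPN, interface to services), and a single mistyped name breaks the whole path without any commit error. The following Python lint, an added example that is not code from the Juniper guide, parses a block of set commands like the quick configuration and reports cross-references that do not line up. The sample input is constructed from the client 2 commands with the security policy left pointing at client1vpn; requiring ike and https in the external interface's host-inbound-traffic is this lint's own assumption.

```python
# Added example, not code from the Juniper guide: a cross-reference lint for
# the 'set' commands that make up one dynamic VPN client configuration.
import shlex
from collections import defaultdict

# Constructed sample: the client 2 commands from the guide, with the security
# policy deliberately pointing at client1vpn so that the lint has a finding.
# (IKE policy and policy match statements are omitted; the lint does not read them.)
SAMPLE_CONFIG = """
set security ike gateway client2gw ike-policy client2pol
set security ike gateway client2gw dynamic hostname example.net
set security ike gateway client2gw external-interface ge-0/0/0.0
set security ike gateway client2gw xauth access-profile radius-profile
set security ipsec vpn client2vpn ike gateway client2gw
set security ipsec vpn client2vpn ike ipsec-policy client2vpnPol
set security policies from-zone untrust to-zone trust policy client2-sec-policy then permit tunnel ipsec-vpn client1vpn
set security dynamic-vpn access-profile radius-profile
set security dynamic-vpn clients cfg2 remote-protected-resources 10.100.100.0/24
set security dynamic-vpn clients cfg2 remote-exceptions 1.1.1.1/24
set security dynamic-vpn clients cfg2 ipsec-vpn client2vpn
set security dynamic-vpn clients cfg2 user chris
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
"""

# Assumption of this lint: IKE and the HTTPS client download both terminate on
# the gateway's external interface, so both must be in its system-services list.
REQUIRED_SERVICES = {"ike", "https"}


def parse_set_commands(text):
    """Return the tokens after 'set' for each set line; quoted values stay whole."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def build_model(cmds):
    """Collect only the fields the lint cross-references by name."""
    m = {"gateways": defaultdict(dict), "vpns": {}, "policy_tunnels": {},
         "clients": defaultdict(dict), "dvpn_profile": None,
         "inbound": defaultdict(set)}
    for t in cmds:
        if t[:3] == ["security", "ike", "gateway"] and len(t) >= 6:
            if t[4] == "external-interface":
                m["gateways"][t[3]]["external-interface"] = t[5]
            elif t[4:6] == ["xauth", "access-profile"] and len(t) >= 7:
                m["gateways"][t[3]]["xauth-profile"] = t[6]
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:6] == ["ike", "gateway"] and len(t) >= 7:
            m["vpns"][t[3]] = t[6]
        elif (t[:2] == ["security", "policies"] and len(t) >= 13
              and t[8:12] == ["then", "permit", "tunnel", "ipsec-vpn"]):
            m["policy_tunnels"][t[12]] = f"{t[3]}->{t[5]} policy {t[7]}"
        elif t[:3] == ["security", "dynamic-vpn", "access-profile"] and len(t) >= 4:
            m["dvpn_profile"] = t[3]
        elif t[:3] == ["security", "dynamic-vpn", "clients"] and len(t) >= 6:
            cfg = m["clients"][t[3]]  # register the client even if only resources are set
            if t[4] == "ipsec-vpn":
                cfg["ipsec-vpn"] = t[5]
            elif t[4] in ("user", "user-groups"):
                cfg.setdefault("users", set()).add(t[5])
        elif (t[:2] == ["security", "zones"] and len(t) >= 9
              and t[6:8] == ["host-inbound-traffic", "system-services"]):
            m["inbound"][t[5]].add(t[8])
    return m


def lint(m):
    """Return human-readable findings; an empty list means the names line up."""
    findings = []
    for cfg, c in sorted(m["clients"].items()):
        vpn = c.get("ipsec-vpn")
        if vpn is None:
            findings.append(f"{cfg}: no ipsec-vpn bound to this client configuration")
            continue
        gw_name = m["vpns"].get(vpn)
        if gw_name is None:
            findings.append(f"{cfg}: ipsec-vpn {vpn} has no ike gateway under security ipsec")
            continue
        gw = m["gateways"].get(gw_name, {})
        if gw.get("xauth-profile") != m["dvpn_profile"]:
            findings.append(f"{cfg}: gateway {gw_name} xauth access-profile {gw.get('xauth-profile')} "
                            f"differs from dynamic-vpn access-profile {m['dvpn_profile']}")
        if vpn not in m["policy_tunnels"]:
            findings.append(f"{cfg}: no security policy permits tunnel ipsec-vpn {vpn}")
        iface = gw.get("external-interface")
        missing = REQUIRED_SERVICES - m["inbound"].get(iface, set())
        if missing:
            findings.append(f"{cfg}: {iface} lacks host-inbound-traffic system-services "
                            + " ".join(sorted(missing)))
    # The mirror-image mistake: a policy tunnelling into a VPN that nobody defined.
    for vpn, where in sorted(m["policy_tunnels"].items()):
        if vpn not in m["vpns"]:
            findings.append(f"{where} permits tunnel ipsec-vpn {vpn}, which is not defined")
    return findings


def lint_text(text):
    return lint(build_model(parse_set_commands(text)))
```

Run lint_text over the output of show configuration | display set to check a live device; on the sample it reports both halves of the client1vpn/client2vpn mismatch.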

Results From configuration mode, confirm your configuration by entering the show security ike, show security ipsec, show security policies, show security zones, and show security dynamic-vpn commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security ike
policy client2pol {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway client2gw {
    ike-policy client2pol;
    dynamic hostname example.net;
    external-interface ge-0/0/0.0;
    xauth access-profile radius-profile;
}
user@host# show security ipsec
policy client2vpnPol {
    proposal-set compatible;
}
vpn client2vpn {
    ike {
        gateway client2gw;
        ipsec-policy client2vpnPol;
    }
}
user@host# show security policies
from-zone untrust to-zone trust {
    policy client2-sec-policy {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn client2vpn;
                }
            }
        }
    }
}
user@host# show security zones
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    https;
                    ping;
                    ssh;
                }
            }
        }
    }
}
user@host# show security dynamic-vpn
access-profile radius-profile;
clients {
    cfg2 {
        remote-protected-resources {
            10.100.100.0/24;
        }
        remote-exceptions {
            1.1.1.1/24;
            0.0.0.0/32;
        }
        ipsec-vpn client2vpn;
        user {
            chris;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Dynamic VPN tunnels can be monitored with the same commands used to monitor traditional IPsec VPN tunnels. To confirm that the configuration is working properly, perform these tasks:

• Verifying IKE Phase 1 Status on page 60

• Verifying Connected Clients and Assigned Addresses on page 60


• Verifying IPsec Phase 2 Status on page 60

• Verifying Concurrent Connections and Parameters for Each User on page 60

Verifying IKE Phase 1 Status

Purpose Verify the IKE Phase 1 status of the security associations.

Action From operational mode, enter the show security ike security-associations command.

Verifying Connected Clients and Assigned Addresses

Purpose Verify that the remote clients and the IP addresses assigned to them are using XAuth.

Action From operational mode, enter the show security ike active-peer command.

Verifying IPsec Phase 2 Status

Purpose Verify the IPsec Phase 2 status of the security associations.

Action From operational mode, enter the show security ipsec security-associations command.

Verifying Concurrent Connections and Parameters for Each User

Purpose Verify the number of concurrent connections and the negotiated parameters for each user.

Action From operational mode, enter the show security dynamic-vpn users command.

Related Documentation

• Understanding Dynamic VPN Tunnels on page 7

• Dynamic VPN Configuration Overview on page 23

• Understanding Group and Shared IKE IDs on page 15

• Example: Configuring a Group IKE ID for Multiple Users on page 43

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 8

Configuration Statements

• Security Configuration Statement Hierarchy on page 61

• [edit security dynamic-vpn] Hierarchy Level on page 63

• access-profile (Security Dynamic VPN) on page 63

• access-profile (Security IKE Gateway) on page 64

• clients (Security) on page 64

• config-check (Security Dynamic VPN) on page 65

• dynamic-vpn on page 66

• force-upgrade on page 67

• ike (Security) on page 68

• interface (Security Dynamic VPN) on page 70

• ipsec (Security) on page 71

• ipsec-vpn (Security Dynamic VPNs) on page 72

• remote-exceptions on page 73

• remote-protected-resources on page 73

• traceoptions (Security Dynamic VPN) on page 74

• user (Security Dynamic VPN) on page 75

• user-groups (Security Dynamic VPN) on page 75

• xauth-attributes on page 76

Security Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the security configuration hierarchy to configure actions, certificates, dynamic virtual private networks (VPNs), firewall authentication, flow, forwarding options, group VPNs, Intrusion Detection Prevention (IDP), Internet Key Exchange (IKE), Internet Protocol Security (IPsec), logging, Network Address Translation (NAT), public key infrastructure (PKI), policies, resource manager, rules, screens, secure shell known hosts, trace options, user identification, Unified Threat Management (UTM), and zones.

Statements that are exclusive to the J Series and SRX Series devices running Junos OS are described in this section.


Each of the following topics lists the statements at a sub-hierarchy of the [edit security] hierarchy.

• [edit security address-book] Hierarchy Level

• [edit security alarms] Hierarchy Level

• [edit security alg] Hierarchy Level

• [edit security analysis] Hierarchy Level

• [edit security application-firewall] Hierarchy Level

• [edit security application-tracking] Hierarchy Level

• [edit security certificates] Hierarchy Level

• [edit security datapath-debug] Hierarchy Level

• [edit security dynamic-vpn] Hierarchy Level on page 63

• [edit security firewall-authentication] Hierarchy Level

• [edit security flow] Hierarchy Level

• [edit security forwarding-options] Hierarchy Level

• [edit security forwarding-process] Hierarchy Level

• [edit security gprs] Hierarchy Level

• [edit security group-vpn] Hierarchy Level

• [edit security idp] Hierarchy Level

• [edit security ike] Hierarchy Level

• [edit security ipsec] Hierarchy Level

• [edit security log] Hierarchy Level

• [edit security nat] Hierarchy Level

• [edit security pki] Hierarchy Level

• [edit security policies] Hierarchy Level

• [edit security resource-manager] Hierarchy Level

• [edit security screen] Hierarchy Level

• [edit security softwires] Hierarchy Level

• [edit security ssh-known-hosts] Hierarchy Level

• [edit security traceoptions] Hierarchy Level

• [edit security user-identification] Hierarchy Level

• [edit security utm] Hierarchy Level

• [edit security zones] Hierarchy Level


Related Documentation

• Master Administrator for Logical Systems Feature Guide for Security Devices

• CLI User Guide

[edit security dynamic-vpn] Hierarchy Level

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

security {
    dynamic-vpn {
        access-profile profile-name;
        clients configuration-name {
            ipsec-vpn vpn-name;
            remote-exceptions ip-address/mask;
            remote-protected-resources ip-address/mask;
            user username;
            user-groups user-group-names;
        }
        force-upgrade;
        config-check;
        interface;
        traceoptions {
            file filename;
            flag flag;
        }
    }
}

Related Documentation

• Security Configuration Statement Hierarchy on page 61

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

access-profile (Security Dynamic VPN)

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax access-profile profile-name;

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 9.5.

Description Specify the access profile to use for Extended Authentication for remote users trying to download the Access Manager.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


access-profile (Security IKE Gateway)

Supported Platforms J Series, SRX Series

Syntax access-profile profile-name;

Hierarchy Level [edit security ike gateway gateway-name xauth]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the access profile to use for Extended Authentication for remote users trying to access a Virtual Private Network (VPN) tunnel.

Options profile-name—Name of the access profile.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

clients (Security)

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clients configuration-name {
    ipsec-vpn vpn-name;
    remote-exceptions ip-address/mask;
    remote-protected-resources ip-address/mask;
    user username;
    user-groups user-group-name;
}

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 9.5.

Description Create a client configuration for the dynamic VPN feature. Within the configuration, specify a name for the configuration, reference a standard VPN configuration to use for IPsec negotiations, specify which resources to protect, define any exceptions, and list the users to which the dynamic VPN configuration applies.

Options configuration-name—Name of the client configuration.

The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


config-check (Security Dynamic VPN)

Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650

Syntax config-check;

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Enable extra dynamic VPN configuration checking. If you include this statement in your configuration, it is automatically enabled. If the statement is not present in your configuration, the configuration check option is not enabled.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


dynamic-vpn

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax dynamic-vpn {
    access-profile profile-name;
    clients configuration-name {
        ipsec-vpn vpn-name;
        remote-exceptions ip-address/mask;
        remote-protected-resources ip-address/mask;
        user username;
        user-groups user-group-name;
    }
    force-upgrade;
    config-check;
    interface;
    traceoptions {
        file filename;
        flag flag;
    }
}

Hierarchy Level [edit security]

Release Information Statement introduced in Junos OS Release 9.5.

Description Configure the dynamic VPN feature. The dynamic VPN feature simplifies remote access by enabling users to create IPsec VPN tunnels without having to manually configure settings on their PCs or laptops. Instead, authenticated users can simply download a preconfigured Web client to their computers with all the client-side information required to create and manage an IPsec VPN tunnel to the server.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


force-upgrade

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax force-upgrade;

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 9.5.

Description Use this statement to force users to automatically upgrade the Access Manager when newer versions are available. If you include this statement in your configuration, it is automatically enabled. If the statement is not present in your configuration, the force upgrade option is not enabled.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


ike (Security)

Supported Platforms J Series, LN Series, SRX Series

Syntax ike {
    gateway gateway-name {
        address [ip-address-or-hostname];
        dead-peer-detection {
            (always-send | optimized | probe-idle-tunnel);
            interval seconds;
            threshold number;
        }
        dynamic {
            connections-limit number;
            (distinguished-name <container container-string> <wildcard wildcard-string> |
                hostname domain-name | inet ip-address | inet6 ipv6-address |
                user-at-hostname e-mail-address);
            ike-user-type (group-ike-id | shared-ike-id);
        }
        external-interface external-interface-name;
        general-ikeid;
        ike-policy policy-name;
        local-identity {
            (distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address |
                user-at-hostname e-mail-address);
        }
        nat-keepalive seconds;
        no-nat-traversal;
        remote-identity {
            (distinguished-name <container container-string> <wildcard wildcard-string> |
                hostname hostname | inet ip-address | inet6 ipv6-address |
                user-at-hostname e-mail-address);
        }
        version (v1-only | v2-only);
        xauth {
            access-profile profile-name;
        }
    }
    policy policy-name {
        certificate {
            local-certificate certificate-id;
            peer-certificate-type (pkcs7 | x509-signature);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha1);
        authentication-method (dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 |
            pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
        rate-limit messages-per-second;
    }
}

Hierarchy Level [edit security]

Release Information Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1.

Description Define Internet Key Exchange (IKE) configuration.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• IKE and ESP ALG Feature Guide for Security Devices

• AutoVPN Feature Guide for SRX Series Gateway Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• IPsec VPN Feature Guide for Security Devices

• Master Administrator for Logical Systems Feature Guide for Security Devices


interface (Security Dynamic VPN)

Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650

Syntax interface [ interface-names ];

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify the list of interfaces that allow access to dynamic VPN.

Options interface-names—Names of one or more interfaces that accept dynamic VPN client access, separated by spaces.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


ipsec (Security)

Supported Platforms J Series, LN Series, SRX Series

Syntax ipsec {
    policy policy-name {
        description description;
        perfect-forward-secrecy keys (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha1-96);
        description description;
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-192-gcm |
            aes-256-cbc | aes-256-gcm | des-cbc);
        lifetime-kilobytes kilobytes;
        lifetime-seconds seconds;
        protocol (ah | esp);
    }
    traceoptions {
        flag flag;
    }
    vpn vpn-name {
        bind-interface interface-name;
        df-bit (clear | copy | set);
        establish-tunnels (immediately | on-traffic);
        ike {
            gateway gateway-name;
            idle-time seconds;
            install-interval seconds;
            ipsec-policy ipsec-policy-name;
            no-anti-replay;
            proxy-identity {
                local ip-prefix;
                remote ip-prefix;
                service (any | service-name);
            }
        }
        manual {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha-256-128 | hmac-sha-256-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            external-interface external-interface-name;
            gateway ip-address;
            protocol (ah | esp);
            spi spi-value;
        }
        traffic-selector traffic-selector-name {
            local-ip ip-address/netmask;
            remote-ip ip-address/netmask;
        }
        vpn-monitor {
            destination-ip ip-address;
            optimized;
            source-interface interface-name;
        }
    }
    vpn-monitor-options {
        interval seconds;
        threshold number;
    }
}

Hierarchy Level [edit security]

Release Information Statement modified in Junos OS Release 8.5.

Description Define IP Security (IPsec) configuration.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• AutoVPN Feature Guide for SRX Series Gateway Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• IPsec VPN Feature Guide for Security Devices

• Master Administrator for Logical Systems Feature Guide for Security Devices

ipsec-vpn (Security Dynamic VPNs)

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax ipsec-vpn vpn-name;

Hierarchy Level [edit security dynamic-vpn clients vpn-name]

Release Information Statement introduced in Junos OS Release 9.5.

Description Use this statement to specify which IPsec VPN configuration the dynamic VPN feature should use to secure traffic.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


remote-exceptions

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax remote-exceptions ip-address/mask;

Hierarchy Level [edit security dynamic-vpn clients configuration-name]

Release Information Statement introduced in Junos OS Release 9.5.

Description Use this statement to specify exceptions to the remote protected resources list for the specified dynamic VPN configuration. Traffic to the specified IP address will not go through the dynamic VPN tunnel and therefore will not be protected by the firewall's security policies.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

remote-protected-resources

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax remote-protected-resources ip-address/mask;

Hierarchy Level [edit security dynamic-vpn clients configuration-name]

Release Information Statement introduced in Junos OS Release 9.5.

Description Use this statement to specify which resources to protect using the dynamic VPN feature. Traffic to the protected resource will go through the specified dynamic VPN tunnel and will therefore be protected by the firewall's security policies.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


traceoptions (Security Dynamic VPN)

Supported Platforms SRX210, SRX220, SRX240, SRX650

Syntax traceoptions {
    file filename;
    flag {
        all <detail | extensive | terse>;
    }
}

Hierarchy Level [edit security dynamic-vpn]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Configure dynamic VPN tracing options.

Options • file—Configure the trace file options.

file filename—Name of the file to receive the output of the tracing operation.

• flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

• all—Enable all tracing operations.

• detail—Display moderate amount of data in trace.

• extensive—Display extensive amount of data in trace.

• terse—Display minimum amount of data in trace.

Required Privilege Level

trace—To view this statement in the configuration.

trace-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


user (Security Dynamic VPN)

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax user username;

Hierarchy Level [edit security dynamic-vpn client configuration-name]

Release Information Statement introduced in Junos OS Release 9.5.

Description Specify which users can access the selected dynamic VPN configuration.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

user-groups (Security Dynamic VPN)

Supported Platforms SRX100, SRX210, SRX220, SRX240, SRX650

Syntax user-groups user-group-name;

Hierarchy Level [edit security dynamic-vpn client configuration-name]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify which users can access the selected dynamic VPN configuration.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


xauth-attributes

Supported Platforms J Series, SRX Series

Syntax xauth-attributes {
    primary-dns ip-address;
    primary-wins ip-address;
    secondary-dns ip-address;
    secondary-wins ip-address;
}

Hierarchy Level [edit access address-assignment pool pool-name family (inet | inet6)]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure Xauth attributes.

Options • apply-groups—Groups from which to inherit configuration data.

• apply-groups-except—Do not inherit configuration data from these groups.

• primary-dns—Specify the primary-dns IP address.

• secondary-dns—Specify the secondary-dns IP address.

• primary-wins—Specify the primary-wins IP address.

• secondary-wins—Specify the secondary-wins IP address.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 9

Configuration Statements for Remote Client Authentication and Addresses

• Access Configuration Statement Hierarchy on page 77

• address-assignment (Access) on page 86

• firewall-authentication on page 89

• profile (Access) on page 91

Access Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the access configuration hierarchy to configure access to the device and authentication methods, including address assignment and address pool, user and firewall authentication, a group profile, LDAP options and LDAP server configuration, an access profile, RADIUS options and RADIUS server configuration, and SecurID server configuration.

access {
    address-assignment {
        abated-utilization percentage;
        abated-utilization-v6 percentage;
        high-utilization percentage;
        high-utilization-v6 percentage;
        neighbor-discovery-router-advertisement ndra-name;
        pool pool-name {
            family {
                inet {
                    dhcp-attributes {
                        boot-file boot-file-name;
                        boot-server boot-server-name;
                        domain-name domain-name;
                        grace-period seconds;
                        maximum-lease-time (seconds | infinite);
                        name-server ipv4-address;
                        netbios-node-type (b-node | h-node | m-node | p-node);
                        next-server next-server-name;
                        option dhcp-option-identifier-code {
                            array {
                                byte [8-bit-value];
                                flag [false | off | on | true];
                                integer [32-bit-numeric-values];
                                ip-address [ip-address];
                                short [signed-16-bit-numeric-value];
                                string [character-string-value];
                                unsigned-integer [unsigned-32-bit-numeric-value];
                                unsigned-short [16-bit-numeric-value];
                            }
                            byte 8-bit-value;
                            flag (false | off | on | true);
                            integer 32-bit-numeric-values;
                            ip-address ip-address;
                            short signed-16-bit-numeric-value;
                            string character-string-value;
                            unsigned-integer unsigned-32-bit-numeric-value;
                            unsigned-short 16-bit-numeric-value;
                        }
                        option-match {
                            option-82 {
                                circuit-id match-value {
                                    range range-name;
                                }
                                remote-id match-value {
                                    range range-name;
                                }
                            }
                        }
                        propagate-ppp-settings [interface-name];
                        propagate-settings interface-name;
                        router ipv4-address;
                        server-identifier ip-address;
                        sip-server {
                            ip-address ipv4-address;
                            name sip-server-name;
                        }
                        tftp-server server-name;
                        wins-server ipv4-address;
                    }
                    host hostname {
                        hardware-address mac-address;
                        ip-address reserved-address;
                    }
                    network network-address;
                    range range-name {
                        high upper-limit;
                        low lower-limit;
                    }
                    xauth-attributes {
                        primary-dns ip-address;
                        primary-wins ip-address;
                        secondary-dns ip-address;
                        secondary-wins ip-address;
                    }
                }
                inet6 {
                    dhcp-attributes {
                        dns-server ipv6-address;
                        grace-period seconds;
                        maximum-lease-time (seconds | infinite);
                        option dhcp-option-identifier-code {
                            array {
                                byte [8-bit-value];
                                flag [false | off | on | true];
                                integer [32-bit-numeric-values];
                                ip-address [ip-address];
                                short [signed-16-bit-numeric-value];
                                string [character-string-value];
                                unsigned-integer [unsigned-32-bit-numeric-value];
                                unsigned-short [16-bit-numeric-value];
                            }
                            byte 8-bit-value;
                            flag (false | off | on | true);
                            integer 32-bit-numeric-values;
                            ip-address ip-address;
                            short signed-16-bit-numeric-value;
                            string character-string-value;
                            unsigned-integer unsigned-32-bit-numeric-value;
                            unsigned-short 16-bit-numeric-value;
                        }
                        propagate-ppp-settings [interface-name];
                        sip-server-address ipv6-address;
                        sip-server-domain-name domain-name;
                    }
                    prefix ipv6-network-prefix;
                    range range-name {
                        high upper-limit;
                        low lower-limit;
                        prefix-length delegated-prefix-length;
                    }
                }
            }
            link pool-name;
        }
    }
    address-pool pool-name {
        address address-or-address-prefix;
        address-range {
            high upper-limit;
            low lower-limit;
            mask network-mask;
        }
        primary-dns name;
        primary-wins name;
        secondary-dns name;
        secondary-wins name;
    }
    address-protection;
    domain {
        delimiter delimiter;
        map domain-map-name {
            aaa-logical-system logical-system-name;
            aaa-routing-instance routing-instance-name;
            access-profile access-profile-name;
            address-pool address-pool-name;
            dynamic-profile dynamic-profile-name;
            padn destination-address {
                mask destination-mask;
                metric metric-value;
            }
            strip-domain;
            target-logical-system logical-system-name;
            target-routing-instance target-routing-instance;
        }
        parse-direction (left-to-right | right-to-left);
    }
    firewall-authentication {
        pass-through {
            default-profile profile-name;
            ftp {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
            http {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
            telnet {
                banner {
                    fail string;
                    login string;
                    success string;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                size maximum-file-size;
                (world-readable | no-world-readable);
            }
            flag flag;
            no-remote-trace;
        }
        web-authentication {
            banner {
                success string;
            }
            default-profile profile-name;
        }
    }
    group-profile profile-name {
        ppp {
            cell-overhead;
            encapsulated-overhead encapsulated-overhead-value;
            framed-pool address-pool-name;
            idle-timeout seconds;
            interface-id interface-identifier;
            keepalive seconds;
            ppp-options {
                chap;
                pap;
            }
            primary-dns name;
            primary-wins name;
            secondary-dns name;
            secondary-wins name;
        }
    }
    gx-plus {
        global {
            max-outstanding-requests max-outstanding-requests;
        }
        partition partition-name {
            destination-host gx-plus-destination-host;
            destination-realm gx-plus-destination-realm;
            diameter-instance gx-plus-diameter-instance;
        }
    }
    ldap-options {
        assemble {
            common-name common-name;
        }
        base-distinguished-name base-distinguished-name;
        revert-interval seconds;
        search {
            admin-search {
                distinguished-name distinguished-name;
                password password;
            }
            search-filter filter-name;
        }
    }
    ldap-server hostname-or-address {
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        source-address source-address;
        timeout seconds;
    }
    ppp-options {
        compliance {
            rfc (2486 | [rfc-number]);
        }
    }
    profile profile-name {
        accounting {
            accounting-stop-on-access-deny;
            accounting-stop-on-failure;
            coa-immediate-update;
            duplication;
            immediate-update;
            order [accounting-method];
            statistics (time | volume-time);
            update-interval minutes;
        }
        accounting-order [accounting-method];
        address-assignment pool pool-name;
        authentication-order [ldap | none | password | radius | securid];
        authorization-order [jsrc];
        client client-name {
            chap-secret chap-secret;
            client-group [group-names];
            firewall-user {
                password password;
            }
            no-rfc2486;
            pap-password pap-password;
            x-auth ip-address;
        }
        client-name-filter {
            count number;
            domain-name domain-name;
            separator special-character;
        }
        ldap-options {
            assemble {
                common-name common-name;
            }
            base-distinguished-name base-distinguished-name;
            revert-interval seconds;
            search {
                admin-search {
                    distinguished-name distinguished-name;
                    password password;
                }
                search-filter search-filter-name;
            }
        }
        ldap-server server-address {
            port port-number;
            retry attempts;
            routing-instance routing-instance-name;
            source-address source-address;
            timeout seconds;
        }
        provisioning-order (gx-plus | jsrc);
        radius {
            accounting-server [server];
            attributes {
                exclude {
                    acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
                    acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
                    acc-loop-cir-id [access-request | accounting-start | accounting-stop];
                    accounting-authentic [accounting-off | accounting-on | accounting-start | accounting-stop];
                    accounting-delay-time [accounting-off | accounting-on | accounting-start | accounting-stop];
                    accounting-session-id [access-request];
                    accounting-terminate-cause [accounting-off];
                    act-data-rate-dn [access-request | accounting-start | accounting-stop];
                    act-data-rate-up [access-request | accounting-start | accounting-stop];
                    act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                    act-interlv-delay-up [access-request | accounting-start | accounting-stop];
                    att-data-rate-dn [access-request | accounting-start | accounting-stop];
                    att-data-rate-up [access-request | accounting-start | accounting-stop];
                    called-station-id [access-request | accounting-start | accounting-stop];
                    calling-station-id [access-request | accounting-start | accounting-stop];
                    class [access-request | accounting-start | accounting-stop];
                    delegated-ipv6-prefix [accounting-start | accounting-stop];
                    dhcp-gi-address [access-request | accounting-start | accounting-stop];
                    dhcp-mac-address [access-request | accounting-start | accounting-stop];
                    dhcp-options [access-request | accounting-start | accounting-stop];
                    downstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                    dsl-forum-attributes [access-request | accounting-start | accounting-stop];
                    dsl-line-state [access-request | accounting-start | accounting-stop];
                    dsl-type [access-request | accounting-start | accounting-stop];
                    dynamic-iflset-name [accounting-start | accounting-stop];
                    event-time-stamp [accounting-off | accounting-on | accounting-start | accounting-stop];
                    framed-interface-id [access-request | accounting-start | accounting-stop];
                    framed-ip-address [access-request | accounting-start | accounting-stop];
                    framed-ip-netmask [access-request | accounting-start | accounting-stop];
                    framed-ip-route [access-request | accounting-start | accounting-stop];
                    framed-ipv6-pool [accounting-start | accounting-stop];
                    framed-ipv6-prefix [accounting-start | accounting-stop];
                    framed-ipv6-route [accounting-start | accounting-stop];
                    framed-pool [accounting-start | accounting-stop];
                    input-filter [accounting-start | accounting-stop];
                    input-gigapackets [accounting-stop];
                    input-gigawords [accounting-stop];
                    input-ipv6-gigawords [accounting-stop];
                    input-ipv6-octets [accounting-stop];
                    input-ipv6-packets [accounting-stop];
                    interface-description [access-request | accounting-start | accounting-stop];
                    l2c-downstream-data [access-request | accounting-start | accounting-stop];
                    l2c-upstream-data [access-request | accounting-start | accounting-stop];
                    max-data-rate-dn [access-request | accounting-start | accounting-stop];
                    max-data-rate-up [access-request | accounting-start | accounting-stop];
                    max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                    max-interlv-delay-up [access-request | accounting-start | accounting-stop];
                    min-data-rate-dn [access-request | accounting-start | accounting-stop];
                    min-data-rate-up [access-request | accounting-start | accounting-stop];
                    min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
                    min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
                    nas-identifier [access-request | accounting-start | accounting-stop];
                    nas-port [access-request | accounting-off | accounting-on | accounting-start | accounting-stop];
                    nas-port-id [access-request | accounting-start | accounting-stop];
                    nas-port-type [access-request | accounting-start | accounting-stop];
                    output-filter [accounting-start | accounting-stop];
                    output-gigapackets [accounting-stop];
                    output-gigawords [accounting-stop];
                    output-ipv6-gigawords [accounting-stop];
                    output-ipv6-octets [accounting-stop];
                    output-ipv6-packets [accounting-stop];
                    upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                }
                ignore {
                    dynamic-iflset-name;
                    framed-ip-netmask;
                    input-filter;
                    logical-system-routing-instance;
                    output-filter;
                }
            }
            authentication-server [server];
        }
        radius-options {
            request-rate number;
            revert-interval seconds;
        }
        radius-server server-address {
            accounting-port port-number;
            max-outstanding-requests number-of-max-outstanding-requests;
            port port-number;
            retry attempts;
            routing-instance routing-instance-name;
            secret password;
            source-address source-address;
            timeout seconds;
        }
        service {
            accounting-order {
                activation-protocol;
                radius;
            }
        }
        session-options {
            client-group [group-name];
            client-idle-timeout minutes;
            client-session-timeout minutes;
        }
    }
    radius-options {
        request-rate number;
        revert-interval seconds;
    }
    radius-server server-address {
        accounting-port port-number;
        max-outstanding-requests number-of-max-outstanding-requests;
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        secret password;
        source-address source-address;
        timeout seconds;
    }
    securid-server server-name {
        configuration-file filepath;
    }
    terminate-code {
        aaa {
            deny {
                authentication-denied {
                    radius acct-terminate-cause-value;
                }
                no-resources {
                    radius acct-terminate-cause-value;
                }
                server-request-timeout {
                    radius acct-terminate-cause-value;
                }
            }
            shutdown {
                administrative-reset {
                    radius acct-terminate-cause-value;
                }
                remote-reset {
                    radius acct-terminate-cause-value;
                }
            }
        }
        dhcp {
            client-request {
                radius acct-terminate-cause-value;
            }
            lost-carrier {
                radius acct-terminate-cause-value;
            }
            nak {
                radius acct-terminate-cause-value;
            }
            nas-logout {
                radius acct-terminate-cause-value;
            }
            no-offers {
                radius acct-terminate-cause-value;
            }
        }
    }
}

Related Documentation

• Administration Guide for Security Devices

• Ethernet Port Switching Feature Guide for Security Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• Firewall User Authentication Feature Guide for Security Devices


address-assignment (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax

address-assignment {
    abated-utilization percentage;
    abated-utilization-v6 percentage;
    high-utilization percentage;
    high-utilization-v6 percentage;
    neighbor-discovery-router-advertisement ndra-name;
    pool pool-name {
        family {
            inet {
                dhcp-attributes {
                    boot-file boot-file-name;
                    boot-server boot-server-name;
                    domain-name domain-name;
                    grace-period seconds;
                    maximum-lease-time (seconds | infinite);
                    name-server ipv4-address;
                    netbios-node-type (b-node | h-node | m-node | p-node);
                    next-server next-server-name;
                    option dhcp-option-identifier-code {
                        array {
                            byte [8-bit-value];
                            flag [false | off | on | true];
                            integer [32-bit-numeric-values];
                            ip-address [ip-address];
                            short [signed-16-bit-numeric-value];
                            string [character-string-value];
                            unsigned-integer [unsigned-32-bit-numeric-value];
                            unsigned-short [16-bit-numeric-value];
                        }
                        byte 8-bit-value;
                        flag (false | off | on | true);
                        integer 32-bit-numeric-values;
                        ip-address ip-address;
                        short signed-16-bit-numeric-value;
                        string character-string-value;
                        unsigned-integer unsigned-32-bit-numeric-value;
                        unsigned-short 16-bit-numeric-value;
                    }
                    option-match {
                        option-82 {
                            circuit-id match-value {
                                range range-name;
                            }
                            remote-id match-value {
                                range range-name;
                            }
                        }
                    }
                    propagate-ppp-settings [interface-name];
                    propagate-settings interface-name;
                    router ipv4-address;
                    server-identifier ip-address;
                    sip-server {
                        ip-address ipv4-address;
                        name sip-server-name;
                    }
                    tftp-server server-name;
                    wins-server ipv4-address;
                }
                host hostname {
                    hardware-address mac-address;
                    ip-address reserved-address;
                }
                network network-address;
                range range-name {
                    high upper-limit;
                    low lower-limit;
                }
                xauth-attributes {
                    primary-dns ip-address;
                    primary-wins ip-address;
                    secondary-dns ip-address;
                    secondary-wins ip-address;
                }
            }
            inet6 {
                dhcp-attributes {
                    dns-server ipv6-address;
                    grace-period seconds;
                    maximum-lease-time (seconds | infinite);
                    option dhcp-option-identifier-code {
                        array {
                            byte [8-bit-value];
                            flag [false | off | on | true];
                            integer [32-bit-numeric-values];
                            ip-address [ip-address];
                            short [signed-16-bit-numeric-value];
                            string [character-string-value];
                            unsigned-integer [unsigned-32-bit-numeric-value];
                            unsigned-short [16-bit-numeric-value];
                        }
                        byte 8-bit-value;
                        flag (false | off | on | true);
                        integer 32-bit-numeric-values;
                        ip-address ip-address;
                        short signed-16-bit-numeric-value;
                        string character-string-value;
                        unsigned-integer unsigned-32-bit-numeric-value;
                        unsigned-short 16-bit-numeric-value;
                    }
                    propagate-ppp-settings [interface-name];
                    sip-server-address ipv6-address;
                    sip-server-domain-name domain-name;
                }
                prefix ipv6-network-prefix;
                range range-name {
                    high upper-limit;
                    low lower-limit;
                    prefix-length delegated-prefix-length;
                }
            }
        }
        link pool-name;
    }
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 10.4.

Description The address-assignment pool feature enables you to create IPv4 and IPv6 address pools that different client applications can share. For example, multiple client applications, such as DHCPv4 or DHCPv6, can use an address-assignment pool to provide addresses for their particular clients.

Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• Administration Guide for Security Devices


firewall-authentication

Supported Platforms J Series, LN Series, SRX Series

Syntax

firewall-authentication {
    pass-through {
        default-profile profile-name;
        ftp {
            banner {
                fail string;
                login string;
                success string;
            }
        }
        http {
            banner {
                fail string;
                login string;
                success string;
            }
        }
        telnet {
            banner {
                fail string;
                login string;
                success string;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
    }
    web-authentication {
        banner {
            success string;
        }
        default-profile profile-name;
    }
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure default firewall authentication settings used by firewall authentication policies that restrict and permit access of firewall users to protected resources behind a firewall.

Options The remaining statements are explained separately.


Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• Firewall User Authentication Feature Guide for Security Devices


profile (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax

profile profile-name {
    accounting {
        accounting-stop-on-access-deny;
        accounting-stop-on-failure;
        coa-immediate-update;
        duplication;
        immediate-update;
        order [accounting-method];
        statistics (time | volume-time);
        update-interval minutes;
    }
    accounting-order [accounting-method];
    address-assignment pool pool-name;
    authentication-order [ldap | none | password | radius | securid];
    authorization-order [jsrc];
    client client-name {
        chap-secret chap-secret;
        client-group [group-names];
        firewall-user {
            password password;
        }
        no-rfc2486;
        pap-password pap-password;
        x-auth ip-address;
    }
    client-name-filter {
        count number;
        domain-name domain-name;
        separator special-character;
    }
    ldap-options {
        assemble {
            common-name common-name;
        }
        base-distinguished-name base-distinguished-name;
        revert-interval seconds;
        search {
            admin-search {
                distinguished-name distinguished-name;
                password password;
            }
            search-filter search-filter-name;
        }
    }
    ldap-server server-address {
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        source-address source-address;
        timeout seconds;
    }
    provisioning-order (gx-plus | jsrc);
    radius {
        accounting-server [server];
        attributes {
            exclude {
                acc-aggr-cir-id-asc [access-request | accounting-start | accounting-stop];
                acc-aggr-cir-id-bin [access-request | accounting-start | accounting-stop];
                acc-loop-cir-id [access-request | accounting-start | accounting-stop];
                accounting-authentic [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-delay-time [accounting-off | accounting-on | accounting-start | accounting-stop];
                accounting-session-id [access-request];
                accounting-terminate-cause [accounting-off];
                act-data-rate-dn [access-request | accounting-start | accounting-stop];
                act-data-rate-up [access-request | accounting-start | accounting-stop];
                act-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                act-interlv-delay-up [access-request | accounting-start | accounting-stop];
                att-data-rate-dn [access-request | accounting-start | accounting-stop];
                att-data-rate-up [access-request | accounting-start | accounting-stop];
                called-station-id [access-request | accounting-start | accounting-stop];
                calling-station-id [access-request | accounting-start | accounting-stop];
                class [access-request | accounting-start | accounting-stop];
                delegated-ipv6-prefix [accounting-start | accounting-stop];
                dhcp-gi-address [access-request | accounting-start | accounting-stop];
                dhcp-mac-address [access-request | accounting-start | accounting-stop];
                dhcp-options [access-request | accounting-start | accounting-stop];
                downstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
                dsl-forum-attributes [access-request | accounting-start | accounting-stop];
                dsl-line-state [access-request | accounting-start | accounting-stop];
                dsl-type [access-request | accounting-start | accounting-stop];
                dynamic-iflset-name [accounting-start | accounting-stop];
                event-time-stamp [accounting-off | accounting-on | accounting-start | accounting-stop];
                framed-interface-id [access-request | accounting-start | accounting-stop];
                framed-ip-address [access-request | accounting-start | accounting-stop];
                framed-ip-netmask [access-request | accounting-start | accounting-stop];
                framed-ip-route [access-request | accounting-start | accounting-stop];
                framed-ipv6-pool [accounting-start | accounting-stop];
                framed-ipv6-prefix [accounting-start | accounting-stop];
                framed-ipv6-route [accounting-start | accounting-stop];
                framed-pool [accounting-start | accounting-stop];
                input-filter [accounting-start | accounting-stop];
                input-gigapackets [accounting-stop];
                input-gigawords [accounting-stop];
                input-ipv6-gigawords [accounting-stop];
                input-ipv6-octets [accounting-stop];
                input-ipv6-packets [accounting-stop];
                interface-description [access-request | accounting-start | accounting-stop];
                l2c-downstream-data [access-request | accounting-start | accounting-stop];
                l2c-upstream-data [access-request | accounting-start | accounting-stop];
                max-data-rate-dn [access-request | accounting-start | accounting-stop];
                max-data-rate-up [access-request | accounting-start | accounting-stop];
                max-interlv-delay-dn [access-request | accounting-start | accounting-stop];
                max-interlv-delay-up [access-request | accounting-start | accounting-stop];
                min-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-data-rate-up [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-dn [access-request | accounting-start | accounting-stop];
                min-lp-data-rate-up [access-request | accounting-start | accounting-stop];
                nas-identifier [access-request | accounting-start | accounting-stop];
                nas-port [access-request | accounting-off | accounting-on | accounting-start | accounting-stop];
                nas-port-id [access-request | accounting-start | accounting-stop];
                nas-port-type [access-request | accounting-start | accounting-stop];
                output-filter [accounting-start | accounting-stop];
                output-gigapackets [accounting-stop];
                output-gigawords [accounting-stop];
                output-ipv6-gigawords [accounting-stop];
                output-ipv6-octets [accounting-stop];
                output-ipv6-packets [accounting-stop];
                upstream-calculated-qos-rate [access-request | accounting-start | accounting-stop];
            }
            ignore {
                dynamic-iflset-name;
                framed-ip-netmask;
                input-filter;
                logical-system-routing-instance;
                output-filter;
            }
        }
        authentication-server [server];
    }
    radius-options {
        request-rate number;
        revert-interval seconds;
    }
    radius-server server-address {
        accounting-port port-number;
        max-outstanding-requests number-of-max-outstanding-requests;
        port port-number;
        retry attempts;
        routing-instance routing-instance-name;
        secret password;
        source-address source-address;
        timeout seconds;
    }
    service {
        accounting-order {
            activation-protocol;
            radius;
        }
    }
    session-options {
        client-group [group-name];
        client-idle-timeout minutes;
        client-session-timeout minutes;
    }
}

Hierarchy Level [edit access]


Release Information Statement introduced in Junos OS Release 10.4.

Description Create a profile containing a set of attributes that define device management access.

Required Privilege Level

access—To view this statement in the configuration.

access-control—To add this statement to the configuration.

Related Documentation

• Ethernet Port Switching Feature Guide for Security Devices

• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

• Master Administrator for Logical Systems Feature Guide for Security Devices

• Modem Interfaces Feature Guide for Security Devices

• Junos OS Interfaces Library for Security Devices
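The address-assignment pool, the access profile and firewall-authentication described in this chapter are the three pieces a dynamic VPN remote client depends on: the profile authenticates the user, names the pool that supplies the client's address and XAuth DNS attributes, and is handed to web-authentication so the VPN portal uses it. The configuration below is an added illustration written for this guide, not Juniper's own example; pool, profile, user and address values are constructed placeholders.

```junos
access {
    address-assignment {
        pool dyn-vpn-pool {
            family inet {
                /* Constructed client subnet; addresses are handed out only from the range. */
                network 10.10.10.0/24;
                range dyn-vpn-range {
                    low 10.10.10.10;
                    high 10.10.10.100;
                }
                /* Pushed to the remote client through XAuth after it authenticates. */
                xauth-attributes {
                    primary-dns 10.10.1.53/32;
                    secondary-dns 10.10.1.54/32;
                }
            }
        }
    }
    /* Local-account profile: the credential lives on the device itself. */
    profile dyn-vpn-local-profile {
        authentication-order password;
        client remote-user1 {
            firewall-user {
                password "<local-password-placeholder>";
            }
        }
        address-assignment {
            pool dyn-vpn-pool;
        }
    }
    /* RADIUS profile: authentication is delegated to a server on the trusted
       network; the shared secret shown is a placeholder, not a real value. */
    profile dyn-vpn-radius-profile {
        authentication-order radius;
        radius-server 10.10.1.10 {
            secret "<radius-shared-secret-placeholder>";
            source-address 10.10.1.1;
            retry 3;
            timeout 5;
        }
        address-assignment {
            pool dyn-vpn-pool;
        }
    }
    firewall-authentication {
        web-authentication {
            /* The dynamic VPN portal authenticates remote users against this profile. */
            default-profile dyn-vpn-radius-profile;
        }
    }
}
```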


CHAPTER 10

Configuration Statements for URL Separation for J-Web and Dynamic VPN

• system-generated-certificate (System Services) on page 95

• wan-acceleration on page 96

• web-management (System Services) on page 98

system-generated-certificate (System Services)

Supported Platforms J Series, SRX Series

Syntax system-generated-certificate;

Hierarchy Level [edit system services web-management https]

Description Automatically generated self-signed certificate.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


wan-acceleration

Supported Platforms J Series, SRX Series

Syntax

wan-acceleration {
    disable;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (no-world-readable | world-readable);
        }
        flag flag;
        no-remote-trace;
    }
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Enable the WAN acceleration process.

Options

• disable—Disable the WAN acceleration process.

• traceoptions—Set the trace options.

• file—Configure the trace file information.

• filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.

• files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

If you specify a maximum number of files, you also must specify a maximum file size with the size maximum-file-size option.

Range: 2 through 1000 files

Default: 10 files

• match regular-expression—Refine the output to include lines that contain the regular expression.

• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).

Range: 10 KB through 1 GB

Default: 128 KB


If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.

• (world-readable | no-world-readable)—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

• flag flag—Specify which tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags.

• all—Trace all events and messages.

• configuration—Trace configuration events.

• fpc-ipc—Trace FPC inter-process communication messages.

• fpc-ipc-heart-beat—Trace FPC inter-process communication heart beat messages.

• memory—Memory allocation or deallocation messages.

• ssam—Trace state synchronization and management events.

• wx-login—Trace ISM login events.

• no-remote-trace—Disable the remote tracing.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


web-management (System Services)

Supported Platforms J Series, LN Series, SRX Series

Syntax

web-management {
    http {
        interfaces interface-names;
        port port;
    }
    https {
        interfaces interface-names;
        system-generated-certificate;
        port port;
    }
    management-url management-url;
    session {
        idle-timeout minutes;
        session-limit number;
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (no-world-readable | world-readable);
        }
        flag flag;
        level level;
        no-remote-trace;
    }
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 9.0.

Description Configure settings for HTTP or HTTPS access. HTTP access allows management of the device using the J-Web interface. HTTPS access allows secure management of the device using the J-Web interface. With HTTPS access, communication is encrypted between your browser and the webserver for your device.

Options control—Disable the SBC process.

• max-threads—Maximum simultaneous threads to handle requests.

Range: 0 through 16

http—Configure HTTP.

• interface [value]—Interface value that accept HTTP access.

• port number—TCP port for incoming HTTP connections.

Range: 1 through 65,535


https—Configure HTTPS.

• interface [value]—Interfaces that accept HTTPS access.

• port number—TCP port for incoming HTTPS connections.

Range: 1 through 65,535

• local-certificate—X.509 certificate to use from the configuration.

• pki-local-certificate—X.509 certificate to use from the PKI local store.

• system-generated-certificate—X.509 certificate generated automatically by the system.

management-url management-url—URL path for Web management access.

session—Configure the Web management session.

• idle-timeout minutes—Default timeout of web-management sessions, in minutes.

• session-limit number—Maximum number of web-management sessions to allow.


traceoptions—Set the trace options.

• file—Configure the trace file information.

• filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.

• files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

If you specify a maximum number of files, you also must specify a maximum file size with the size maximum-file-size option.

Range: 2 through 1000 files

Default: 10 files

• match regular-expression—Refine the output to include only lines that contain the regular expression.

• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).

Range: 10 KB through 1 GB

Default: 128 KB

If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.

• (world-readable | no-world-readable)—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

• flag flag—Specify which tracing operation to perform. To specify more than one tracing operation, include multiple flag statements. You can include the following flags.

• all—Trace all areas.

• configuration—Trace configuration.

• dynamic-vpn—Trace dynamic VPN events.

• init—Trace the daemon init process.

• mgd—Trace MGD requests.

• webauth—Trace webauth requests.

• level level—Specify the level of debugging output.

• all—Match all levels.

• error—Match error conditions.


• info—Match informational messages.

• notice—Match conditions that should be handled specially.

• verbose—Match verbose messages.

• warning—Match warning messages.

• no-remote-trace—Disable remote tracing.
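The statement above in two forms, as an added example rather than the guide's own configuration: a weak variant that serves J-Web over cleartext HTTP with no interface restriction and no session bounds, and a hardened variant that serves HTTPS only with a certificate from the PKI local store, listens on one trusted interface, bounds sessions, gives J-Web its own management URL path apart from the dynamic VPN URL, and traces only dynamic-vpn events to a file other users cannot read. The interface name ge-0/0/0.0, the certificate name jweb-cert, the /jweb path and the trace file name are assumptions.

```junos
/* Weak form (constructed example): cleartext HTTP, and with no
   interface listed the J-Web listener is not limited to any
   particular interface of the device. */
system {
    services {
        web-management {
            http {
                port 80;
            }
        }
    }
}

/* Hardened form of the same statement. Assumed values: ge-0/0/0.0 is
   the trusted management interface, jweb-cert is an X.509 certificate
   already loaded in the PKI local store, /jweb is the J-Web path. */
system {
    services {
        web-management {
            https {
                port 443;
                /* certificate from the PKI local store rather than the
                   system-generated self-signed one */
                pki-local-certificate jweb-cert;
                /* only the trusted management interface accepts HTTPS */
                interface ge-0/0/0.0;
            }
            /* J-Web path kept separate from the dynamic VPN URL */
            management-url /jweb;
            session {
                /* minutes of inactivity before a J-Web session ends */
                idle-timeout 10;
                /* cap on simultaneous web-management sessions */
                session-limit 5;
            }
            traceoptions {
                /* size and files must be set together; the trace file
                   stays readable only by the user who configured tracing */
                file web-management.log size 1m files 5 no-world-readable;
                flag dynamic-vpn;
                level warning;
                no-remote-trace;
            }
        }
    }
}
```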

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

• WLAN Feature Guide for Security Devices

• Administration Guide for Security Devices

• Firewall User Authentication Feature Guide for Security Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


PART 3

Administration

• Junos Pulse Client on page 105

• Access Manager on page 117

• Operational Commands on page 123


CHAPTER 11

Junos Pulse Client

• Junos Pulse Client Installation Requirements on page 105

• Deploying Junos Pulse Client Software on page 106

• Junos Pulse Interface and Connections on page 107

• Managing Junos Pulse Connections on page 109

Junos Pulse Client Installation Requirements

Supported Platforms SRX100, SRX210, SRX240, SRX650

The Junos Pulse Release 2.0 client software is supported on computers that run Microsoft Windows. Table 14 on page 105 lists the minimum hardware and software requirements to support the Junos Pulse client software.

Table 14: Junos Pulse Client Hardware and Software Requirements

Component: Operating system and browser
Requirement:
• Vista Ultimate/Business/Home-Basic/Home-Premium with Service Pack 2 on 32-bit or 64-bit platforms; Internet Explorer 9.0, Internet Explorer 7.0, Firefox 3.0, and Firefox 3.5
• Windows 7 Ultimate/Professional/Home-Basic/Home-Premium on 32-bit or 64-bit platforms; Internet Explorer 9.0, Internet Explorer 7.0, Firefox 3.0, and Firefox 3.5
• XP Home with Service Pack 3 on 32-bit platforms only; Internet Explorer 9.0, Internet Explorer 7.0, Firefox 3.0, and Firefox 3.5

Component: CPU
Requirement: 1.8 GHz

Component: Memory
Requirement: 1 GB of RAM

Component: Available disk space
Requirement: Install: 25 MB; Logging: 50 MB

NOTE: Junos Pulse 2.0 is not supported on Windows Server platforms and on Macintosh or Linux platforms. It is also not supported on 64-bit browsers.


NOTE: For increased security, we recommend that you disable the Fast User Switching feature on Windows endpoints. The Fast User Switching feature allows more than one user to log on simultaneously at a single computer. The feature is enabled by default for Windows 7 and Windows Vista and for domain users on Windows XP. With the Fast User Switching feature enabled, all concurrent user sessions on a system can access the current desktop connections to networks and Infranet Controllers. Thus, if one user has a current network connection, other users logged in on the same computer can access the same network connections, which creates a security risk.

Related Documentation

• Dynamic VPN Overview on page 3

• Understanding Junos Pulse Client on page 19

• Deploying Junos Pulse Client Software on page 106

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Deploying Junos Pulse Client Software

Supported Platforms SRX100, SRX210, SRX240, SRX650

You must configure the dynamic VPN feature, which is disabled by default on the SRX Series device. You must enable and configure it before you can use it. The dynamic VPN feature secures traffic through your network by passing it through IPsec VPN tunnels. As part of the VPN configuration, you define the client configuration. The client and the settings are downloaded to your users’ computers. The users must uninstall the Access Manager before installing the Junos Pulse client. See “Dynamic VPN Configuration Overview” on page 23.

Junos Pulse Client Installation Overview: This section describes how to deploy Junos Pulse client software from SRX Series Gateways.


You can deploy Junos Pulse to endpoints from SRX Series devices in the following way:

• Web Install—With a Web install, when you log into the access gateway’s Web portal using the Dynamic VPN URL, the Pulse client is downloaded to the client machine. After the Pulse client is downloaded to the client machine, you need to create a Firewall connection.

NOTE: A Junos Pulse installation causes a restart of active network connections on a Windows endpoint. When a user initiates a Junos Pulse installation through a WAN connection to the Web interface of an access gateway, the user might need to log in to their service provider again to reestablish network connectivity. Users need to be aware of this issue before they begin the installation.

Related Documentation

• Dynamic VPN Configuration Overview on page 23

• Understanding Junos Pulse Client on page 19

• Junos Pulse Interface and Connections on page 107

• Managing Junos Pulse Connections on page 109

Junos Pulse Interface and Connections

Supported Platforms SRX100, SRX210, SRX240, SRX650

• Junos Pulse Interface on page 107

• Junos Pulse Connection Type on page 108

• Junos Pulse Connection Status on page 108

• Junos Pulse Log Files on page 108

Junos Pulse Interface

The Junos Pulse interface shows your network connections and provides status about your endpoint’s connectivity, security, and acceleration. For SRX Series devices, you have the optional WAN acceleration software installed. WAN acceleration software interacts with network devices to optimize application performance when you are connected over wide area networks.

If your Junos Pulse interface shows the Acceleration pane, it means that you are connected to a network device that can improve your application performance over wide area networks through WAN optimization. The acceleration service of Junos Pulse requires no configuration. Junos Pulse automatically discovers Juniper Networks WXC Series Application Acceleration Platforms in the data center and then negotiates a level of service that can be supported by both client and server. If the service is active, a check mark icon appears.

In some circumstances, you might find that you have better network performance for a particular application with WAN optimization turned off.


To enable or disable WAN optimization, on the Junos Pulse Acceleration pane, click Enable or Disable.

• Connections—Act on a selected connection: disconnect, edit, or delete. Add a new connection. Forget saved settings for all connections.

• Logs—Annotate, set logging level, or save log files.

• About—Display version and copyrights.

• Help—Display the Help file.

• Close—Close the Junos Pulse interface. Note that the program does not disconnect active network connections.

Junos Pulse Connection Type

The connection type you choose when you define a new connection relates to the type of device that provides access to protected network resources. For SRX Series Services Gateways, use the Firewall connection type.

If you want to access the SRX Series device through a wireless connection, use the Windows supplicant to connect to the Junos wireless network, and then connect to the SRX Series firewall through Junos Pulse.

Junos Pulse Connection Status

Junos Pulse displays the status of a connection in the Connections pane and in the system tray. A Connections pane icon shows the state of each connection. The connection status is also indicated by the system tray icon.

NOTE: You can right-click the system tray icon to open the Junos Pulse interface or to close Junos Pulse.

A connection can be in any of the following states:

• No connection.

• Connecting. A connection stays in this state until it fails or succeeds.

• Connected with issues.

• Connection failed.

• Connected.

Junos Pulse Log Files

A Junos Pulse log file tracks information that can help solve connection issues. Logging is a background operation. You do not need to make any changes to your logging environment unless instructed to do so as part of a troubleshooting effort.


To help in a troubleshooting effort, you might be asked to do the following tasks:

• Annotate the logs—When you annotate a log file, you insert text that marks the log file at a specific location. For example, to troubleshoot a connection problem, you might be asked to annotate the log file with specific text, attempt the connection that has been failing, and then annotate the log file again. This sequence of events allows a support representative to search the log file for the text you inserted. The text brackets the entries of the log file that track your connection issue.

• Set the log level—The default logging level is Normal. For a troubleshooting operation, you might be asked to change the logging level to Detailed.

• Save the logs—The Save As operation gathers all of the log files into a single .zip file and lets you specify where to place the file.

Related Documentation

• Understanding Junos Pulse Client on page 19

• Deploying Junos Pulse Client Software on page 106

• Managing Junos Pulse Connections on page 109

Managing Junos Pulse Connections

Supported Platforms SRX100, SRX210, SRX240, SRX650

• Add a Connection on page 109

• Connect to a Network on page 110

• Disconnect from an Active Network on page 111

• View Connection Properties on page 111

• Edit Connection Properties on page 111

• Forget Saved Settings on page 112

• Delete a Connection on page 112

• Troubleshoot a Junos Pulse Connection Issue on page 113

• Annotate Log Files on page 113

• Set Log Level on page 114

• Save Log Files on page 114

• View Component Version Information on page 114

Add a Connection

Each connection in Junos Pulse represents a protected network. Typically, your network administrator defines the connections for you and might disable the Add a Connection feature. If you are required to create new connections, your network administrator will tell you the settings that you must use.


To add a new connection:

• On the Connections pane, click the Add a Connection button. The Add Connection dialog box appears.

• For Type, choose one of the following:

• Firewall—Use this network type if you are connecting to a Juniper Networks SRX Series device.

• For Name, specify a descriptive name for this connection. The name you specify will appear in the Connections pane of the Junos Pulse interface.

• For Server URL, specify the network that you want to connect to. You can enter the Server URL in any of the following formats:

• An IP address, for example 10.204.71.86

• A DNS name, for example server.mycompany.net

• Click Add to save your new connection and close the dialog box. Click Connect to save your new connection and initiate a connection to the network.

Connect to a Network

You must have at least one connection listed in the Connections pane before you can connect to a network. The connection prompts you see depend on your network access environment.

NOTE: To use Junos Pulse with a wireless network, you might need to first configure your endpoint’s wireless network settings through Windows or the wireless device software installed on your endpoint. For example, in Windows XP, use Start > Control Panel > Network Connections to access Windows network setup options. Or your network administrator can define your wireless connections and scan lists and include them in your Junos Pulse installation.

To use a defined connection to connect to a network:

1. In the Connections list, click Connect for the connection you want to establish.

2. Respond to the prompts for information such as username and password.

After you click the Connect button, you might need to respond to the following prompts:

• Certificate—If Junos Pulse needs to communicate with a certificate server, and your network administrator has configured more than one server, you are prompted to choose a server. A certificate issued by a certificate authority verifies that the network resource you are connecting to is valid. If the certificate is from a trusted source, it is automatically accepted and you do not see the certificate prompt. If there is a problem with the certificate, you might be asked if you want to accept the certificate and proceed with the connection.


• Credentials—Your username and password, or username and token code, establish your identity to the access device. You might also be prompted for a secondary username and password and a username and password to a proxy server. Your authentication environment might periodically prompt you to change your password or your token PIN.

A Save Settings check box might appear on each login screen. (Your administrator can disable this feature.) If you enable the check box, you are not prompted for that information the next time you log in. If you save settings, you can use the Forget Saved Settings feature to return to being prompted for login information. The Save Settings feature enables you to save the following information:

• Certificate acceptance

• Certificate selection

• Username and password

The steps that take place after you respond to all of the connection prompts depend on the access policies that your network administrator has configured and on the type of network access device. The connection process can include the following tasks:

• Software updates—Junos Pulse can be automatically updated at connect time. Your system might receive updated Junos Pulse software, or you might receive additional software modules to support expanded services, such as when you connect to a new type of network access device for the first time.

Disconnect from an Active Network

To disconnect from a network:

1. On the Junos Pulse Connections pane, click Disconnect for the connection you want to disconnect.

Or

1. On the Junos Pulse Connections pane, right-click the connection to display the pop-up menu.

2. Click Disconnect.

View Connection Properties

To view the properties for a connection:

1. In the Connections list, click the expand icon next to the connection name. Connection details appear beneath the connection.

Edit Connection Properties

After you create a connection, you can edit the URL and the name that appears in the Connections pane. You can edit a connection only if that connection is not currently active.


To edit a connection:

1. In the Connections pane, right-click the connection to display the pop-up menu, and then click Edit. The Edit Connection dialog box appears.

2. Edit the connection, and then click Save to save your changes and close the dialog box, or click Connect to initiate a connection and close the dialog box.

Or

1. Click the connection to select it.

2. Click the Edit Connection button. The Edit Connection dialog box opens.

3. Edit the connection, and then click Save to save your changes and close the dialog box, or click Connect to initiate a connection and close the dialog box.

Forget Saved Settings

When you connect to a network, you can check the Save Settings check box to have Junos Pulse remember your login credentials. (Note that your network administrator can disable this feature.) Each different screen where you are prompted for a response has its own Save Settings check box. If you save settings, you are not prompted to provide that information on subsequent login attempts. If your login credentials change, you must clear the saved settings in Junos Pulse, and you are then prompted to provide them again.

To remove saved login credentials:

1. Right-click anywhere in the Connections list to display the pop-up menu.

2. Click Forget Saved Settings. Junos Pulse clears the saved settings for all configured connections.

Or

1. Click the Forget Saved Settings button.

Delete a Connection

To delete a connection:

1. In the Connections list, click the connection you want to delete to select it.

2. Click the Delete button.

3. You are prompted to verify your decision before the connection is deleted.

Or

1. Right-click the connection you want to delete to display the pop-up menu, and then click Delete.


2. You are prompted to verify your decision before the connection is deleted.

Troubleshoot a Junos Pulse Connection Issue

You can use the following troubleshooting information to help resolve connection issues. Table 15 on page 113 lists issues, descriptions, and resolution suggestions.

Table 15: Junos Pulse Troubleshooting Information

Issue: During login, the following message appears: "You are about to authenticate to an untrusted server. Do you accept the certificate for this connection?"

Description and Resolution Suggestions: Junos Pulse cannot verify the identity of the server. This error, or any certificate error, means that Junos Pulse cannot ensure that you are connecting to a trusted server. The server certificate might have been revoked or it might have expired. It could have been issued by a certificate authority that is not recognized by Junos Pulse, such as when your organization uses a self-signed certificate. If your network administrator has enabled this permission, you can choose to proceed and connect to the server, but you should do so only if your network administrator has advised you to ignore the certificate error.

Issue: During login, the following message appears: "Credentials were invalid. Please try again."

Description and Resolution Suggestions: If you selected the Save Settings check box when you activated a Junos Pulse connection, the credentials you provided are used every time you activate that connection without prompting you to enter login information. However, Junos Pulse cannot detect when you change your network password; it continues to use the saved settings, and that can result in the “Credentials were invalid” error. To resolve this issue, click the Forget Saved Settings button. The next time you connect, you are prompted for your login credentials, and you can specify your new login information. If you select the Save Settings check box, the new credential information will be saved.

Issue: The system tray icon and a Connections pane icon change to the “failed” state: Connection failed.

Description and Resolution Suggestions: When you see the connection failed icon in the Connections pane, click the connection to display the connection status. The Details section shows the specific error, which you can click to open a window that shows a detailed description of the error.

Annotate Log Files

When you annotate a log file, you insert text that marks the log file at a specific location. For example, to troubleshoot a connection problem, you might be asked to annotate the log file with specific text, attempt the connection that has been failing, and then annotate the log file again. This sequence of events enables a support technician to easily find the log file entries that track your connection issue.


To annotate Junos Pulse log files:

1. Click the program icon at the top of the Junos Pulse window to display the pop-up menu.

2. Click Logs > Annotate to open the Annotate Logs dialog box.

3. Type your annotation text, and then click OK.

Set Log Level

To set the log level:

1. Click the program icon at the top of the Junos Pulse window to display the pop-up menu.

2. Click Logs > Log Level > Detailed or Logs > Log Level > Normal. A check mark indicates the option that is currently enabled.

Normal logging is the default. You should set logging to Normal unless you are troubleshooting a connection issue.

Detailed logging creates a greater number of log entries and increases the size of the log files. Detailed logging is typically enabled only when troubleshooting an issue.

Save Log Files

As part of a troubleshooting process, you might be asked to save the Junos Pulse log files. Pulse includes a number of possible components, and each component generates one or more log files. The Save As operation combines all of the Pulse log files and other diagnostic files into a single file named LogsAndDiagnostics.zip.

To save Junos Pulse log files:

1. Click the program icon at the top of the Junos Pulse window to display the pop-up menu.

2. Click Logs > Save As. The Save As dialog box appears.

3. Either accept the default values for location and filename or specify new values, and then click Save.

View Component Version Information

In a troubleshooting operation, your network administrator might ask you to verify the version numbers of the Junos Pulse programs. To view Junos Pulse version information:

1. Click Pulse > About to open the About dialog box.

2. Click version details to open the Pulse Version Details dialog box.

Related Documentation

• Understanding Junos Pulse Client on page 19

• Deploying Junos Pulse Client Software on page 106


• Junos Pulse Interface and Connections on page 107

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 12

Access Manager

• Access Manager Client-Side System Requirements on page 117

• Access Manager Client-Side Files on page 117

• Access Manager Client-Side Registry Changes on page 120

Access Manager Client-Side System Requirements

Supported Platforms SRX100, SRX210, SRX240, SRX650

The user can install Access Manager on Windows XP 32-bit, Windows Vista 64/32-bit, and Windows 7 64/32-bit machines with an Internet connection. The user must have administrator privileges to install the client, but not to run it.

Access Manager can run simultaneously on the same computer with other Juniper Networks clients, including the Odyssey Access Client (OAC), Network Connect client, Windows Secure Application Manager (WSAM) client, Host Checker client, and WX client.

Related Documentation

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side Files on page 117

• Access Manager Client-Side Registry Changes on page 120

• Access Manager Client-Side Error Messages on page 155

• Troubleshooting Access Manager Client-Side Problems on page 158

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Access Manager Client-Side Files

Supported Platforms SRX100, SRX210, SRX240, SRX650

Table 16 on page 118 lists the directories where Access Manager installs files on a user’s computer, the files it installs, and the files that remain after the user uninstalls the client.


Table 16: AccessManager Client-Side Files

Files Remaining AfterUninstallFiles Installed in DirectoryInstallation Directory

install.log• ConnectionManagerService.dll

• install.log

• Uninstall.exe

• Uninstall.exe.manifest

• versionInfo.ini

%COMMONFILES%\JuniperNetworks\Connection Manager

install.log• ConnectionStoreService.dll

• dcfDOM.dll

• install.log

• Uninstall.exe

• Uninstall.exe.manifest

• versionInfo.ini

%COMMONFILES%\JuniperNetworks\ConnectionStore

install.log• install.log

• ipsecmgr.dll

• Uninstall.exe

• Uninstall.exe.manifest

• versionInfo.ini

%COMMONFILES%\JuniperNetworks\IPSecMgr

install.log

Log file location:C:\Documents andSettings\AllUsers\ApplicationData\JuniperNetworks\Logging

• AccessServiceComponent.x86.exe

• ConnectionMgrComponent.x86.exe

• ConnectionStoreComponent.x86.exe

• install.log

• IPSecMgrComponent.x86.exe

• JamGUIComponent.x86.exe

• JamInstaller.dep

• jnprnaInstall.exe

• TunnelManagerComponent.x86.exe

• Uninstall.exe

• Uninstall.exe.manifest

• versionInfo.ini

• vpnAccessMethodComponent.x86.exe

PROGRAMFILES%\JuniperNetworks\Juniper Access Manager

install.log• install.log

• jamCommand.exe

• jamTray.exe

• jamUI.exe

• jamUIResource_EN.dll

• uiPlugin.dll

• Uninstall.exe

• Uninstall.exe.manifest

• versionInfo.ini

%COMMONFILES%\JuniperNetworks\JamUI

Copyright © 2016, Juniper Networks, Inc.118

Dynamic VPN Feature Guide for SRX Series Gateway Devices

Page 137: Junos® OS Dynamic VPN Feature Guide for SRX Series Gateway ... · accounting-session-id[access-request]; accounting-terminate-cause[accounting-off];

Table 16: Access Manager Client-Side Files (continued)

%COMMONFILES%\Juniper Networks\JUNS
Files installed in directory:
• access.ini
• dsAccessService.exe
• dsInstallerService.dll
• dsLogService.dll
• install.log
• Uninstall.exe
• Uninstall.exe.manifest
• versionInfo.ini
Files remaining after uninstall: install.log

%COMMONFILES%\Juniper Networks\JNPRNA
Files installed in directory:
• install.log
• jnprna.cat
• jnprna.inf
• jnprna.sys
• jnprnaapi.dll
• jnprnaNetInstall.dll
• jnprnaNetInstall.log
• jnprna_m.cat
• jnprna_m.inf
• jnprva.cat
• jnprva.inf
• jnprva.sys
• jnprvamgr.cat
• jnprvamgr.dll
• jnprvamgr.inf
• jnprvamgr.sys
• nsStatsDump.exe
• uninst.exe
• versionInfo.ini
• %WINDIR%\system32\drivers\jnprna.sys
• %WINDIR%\system32\drivers\jnprva.sys
• %WINDIR%\system32\drivers\jnprvamgr.sys
Files remaining after uninstall:
• install.log
• jnprnaNetInstall.log

%COMMONFILES%\Juniper Networks\Tunnel Manager
Files installed in directory:
• dsTMClient.dll
• dsTMService.dll
• dsTunnelManager.dll
• install.log
• TM.dep
• Uninstall.exe
• Uninstall.exe.manifest
• versionInfo.ini
Files remaining after uninstall: install.log


Table 16: Access Manager Client-Side Files (continued)

%COMMONFILES%\Juniper Networks\vpnAccessMethod
Files installed in directory:
• install.log
• Uninstall.exe
• Uninstall.exe.manifest
• versionInfo.ini
• vpnAccessMethod.dll
• vpnAccessMethod_EN.dll
Files remaining after uninstall: install.log

Related Documentation

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side System Requirements on page 117

• Access Manager Client-Side Registry Changes on page 120

• Access Manager Client-Side Error Messages on page 155

• Troubleshooting Access Manager Client-Side Problems on page 158

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Access Manager Client-Side Registry Changes

Supported Platforms SRX100, SRX210, SRX240, SRX650

Table 17 on page 120 lists the Windows Registry changes that the Access Manager client and components make to your users' computers when creating dynamic VPN tunnels.

Table 17: Access Manager Client-Side Registry Changes

Registry Key Location: Registry Key Changes

HKEY_LOCAL_MACHINE\SOFTWARE\Juniper Networks\Common Files
• "jnprnaapi"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\jnprnaapi.dll"
• "jnprvamgr"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\jnprvamgr.dll"
• "nsStatsDump"="C:\\Program Files\\Common Files\\Juniper Networks\\JNPRNA\\nsStatsDump.exe"
• "dsLogService"="C:\\Program Files\\Common Files\\Juniper Networks\\JUNS\\dsLogService.dll"
• "dsTMClient"="C:\\Program Files\\Common Files\\Juniper Networks\\Tunnel Manager\\dsTMClient.dll"
• "dsTunnelManager"="C:\\Program Files\\Common Files\\Juniper Networks\\Tunnel Manager\\dsTunnelManager.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Juniper Networks\Logging
• "LogFileName"="C:\\Documents and Settings\\All Users\\Application Data\\Juniper Networks\\Logging\\debuglog.log"
• "Level"="3"
• "LogSizeInMB"="10"


Table 17: Access Manager Client-Side Registry Changes (continued)

Registry Key Location: Registry Key Changes

HKCU\Software\Juniper Networks\Access Manager\
(Content varies. Contains client configuration data downloaded from the server.)

Related Documentation

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side System Requirements on page 117

• Access Manager Client-Side Files on page 117

• Access Manager Client-Side Error Messages on page 155

• Troubleshooting Access Manager Client-Side Problems on page 158

• Dynamic VPN Feature Guide for SRX Series Gateway Devices


CHAPTER 13

Operational Commands

• clear security dynamic-vpn all

• clear security dynamic-vpn user

• show network-access address-assignment pool (View)

• show security dynamic-policies

• show security dynamic-vpn client version

• show security dynamic-vpn users

• show security dynamic-vpn users terse

• show security ike active-peer

• show security ike security-associations

• show security ipsec security-associations


clear security dynamic-vpn all

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear security dynamic-vpn all

Release Information Command introduced in Junos Release 10.4.

Description Clear all dynamic VPN user connections.

Required Privilege Level clear

Related Documentation

• show security dynamic-vpn users on page 133

• show security dynamic-vpn users terse on page 135

List of Sample Output clear security dynamic-vpn all on page 124

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

clear security dynamic-vpn all

user@host> clear security dynamic-vpn all
2 user connection entries cleared


clear security dynamic-vpn user

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear security dynamic-vpn user username ike-id id

Release Information Command introduced in Junos OS Release 10.4.

Description Clear the dynamic VPN user connection for the specified username.

Required Privilege Level clear

Related Documentation

• show security dynamic-vpn users on page 133

• show security dynamic-vpn users terse on page 135

List of Sample Output clear security dynamic-vpn user on page 125

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

clear security dynamic-vpn user

user@host> clear security dynamic-vpn user user ike-id bob.example.net
Connection entry for user user has been cleared


show network-access address-assignment pool (View)

Supported Platforms J Series, SRX Series

Syntax show network-access address-assignment pool name

Release Information Command introduced in Release 10.4 of Junos OS.

Description Display summary information about a specific pool.

Required Privilege Level view

Related Documentation

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Output Fields Table 18 on page 126 lists the output fields for the show network-access address-assignment pool command. Output fields are listed in the approximate order in which they appear.

Table 18: show network-access address-assignment pool Output Fields

Field Name: Field Description

IP address: IP address assigned to a client.

Hardware address: MAC address of the client. For XAuth clients, the value is NA.

Host/User: For static IP address assignment, the user name and profile are displayed in the format username@profile. If the client is assigned an IP address from an address pool and a username exists, the user name is displayed. For DHCP applications, if the host name is configured the host name is displayed; otherwise NA is displayed.

Type: Either XAuth or DHCP attributes are configured.

Sample Output

user@host> show network-access address-assignment pool xauth1
IP address      Hardware address    Host/User          Type
40.0.0.1        NA                  jason@dvpn-auth    XAUTH
40.0.0.2        NA                  jacky              XAUTH
40.0.0.3        00:05:1b:00:b9:01   host1              DHCP
40.0.0.4        00:05:1b:00:b9:02   NA                 DHCP


show security dynamic-policies

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show security dynamic-policies [detail] [from-zone zone] [scope-id id] [to-zone zone]

Release Information Command introduced in Junos OS Release 10.2.

Description Display dynamic policies downloaded on the group member.

Options • none—Display basic information about all policies installed on the group member.

• detail—(Optional) Display a detailed view of all of the policies installed on the group member.

• from-zone—(Optional) Display information about the policies installed on the group member for the specified source zone.

• scope-id—(Optional) Display information about the policies installed on the group member for the specified policy identifier.

• to-zone—(Optional) Display information about the policies installed on the group member for the specified destination zone.

Required Privilege Level view

Related Documentation

• show security policies

• Group VPN Feature Guide for Security Devices

List of Sample Output
show security dynamic-policies on page 128
show security dynamic-policies detail on page 129
show security dynamic-policies from-zone Internal on page 130
show security dynamic-policies scope-id 8 from-zone Internal on page 130
show security dynamic-policies detail from-zone Internal on page 130
show security dynamic-policies detail from-zone Internal to-zone Host on page 131

Output Fields Table 19 on page 127 lists the output fields for the show security dynamic-policies command. Output fields are listed in the approximate order in which they appear.

Table 19: show security dynamic-policies Output Fields

Field Name: Field Description

Policy: Name of the applicable policy.

State: Status of the policy:
• enabled: The policy can be used in the policy lookup process, which determines access rights for a packet and the action taken in regard to it.
• disabled: The policy cannot be used in the policy lookup process, and therefore it is not available for access control.


Table 19: show security dynamic-policies Output Fields (continued)

Field Name: Field Description

Index: An internal number associated with the policy.

Scope Policy: Policy identifier.

Sequence number: Number of the policy within a given context. For example, three policies that are applicable in a from-zoneA-to-zoneB context might be ordered with sequence numbers 1, 2, and 3. Also, in a from-zoneC-to-zoneD context, four policies might have sequence numbers 1, 2, 3, and 4.

Source addresses: For standard display mode, the names of the source addresses for a policy. Address sets are resolved to their individual names. (In this case, only the names are given, not their IP addresses.)
For detail display mode, the names and corresponding IP addresses of the source addresses for a policy. Address sets are resolved to their individual address name-IP address pairs.

Destination addresses: Name of the destination address (or address set) as it was entered in the destination zone's address book. A packet's destination address must match this value for the policy to apply to it.

Application: Name of a preconfigured or custom application whose type the packet matches, as specified at configuration time.
• IP protocol: The IP protocol used by the application—for example, TCP, UDP, ICMP.
• ALG: If an ALG is associated with the session, the name of the ALG. Otherwise, 0.
• Inactivity timeout: Elapsed time without activity after which the application is terminated.
• Source port range: The low-high source port range for the session application.
• Destination port range: The low-high destination port range for the session application.

action-type: Must be permit.

Policy Type: Must be dynamic.

From zone: Name of the source zone.

To zone: Name of the destination zone.

Tunnel: Tunnel name, type (IPsec), and index number.

Sample Output

show security dynamic-policies

user@host> show security dynamic-policies
Policy: policy_forward-0001, State: enabled, Index: 1048580, Scope Policy: 4
  Sequence number: 1
  Source addresses:10.10.10.0/16
  Destination addresses:20.20.20.0/16
  Applications: Unknown


  action-type: permit, tunnel:
Policy: policy_forward-0002, State: enabled, Index: 2097156, Scope Policy: 4
  Sequence number: 2
  Source addresses:10.10.10.0/16
  Destination addresses:20.20.20.0/16
  Applications: Unknown
  action-type: permit, tunnel:

Sample Output

show security dynamic-policies detail

user@host> show security dynamic-policies detail
Policy: policy_forward-0001, action-type: permit, State: enabled, Index: 1048580, AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Host, To zone: untrust
  Source addresses:10.10.10.0/16
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [23-23]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1001
Policy: policy_backward-0001, action-type: permit, State: enabled, Index: 1048582, AI: disabled, Scope Policy: 6
  Policy Type: Dynamic
  Sequence number: 1
  From zone: untrust, To zone: Host
  Source addresses:20.10.10.0/16
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1003
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses:192.168.1.0/24
  Destination addresses:10.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005
Policy: policy_external-0001, action-type: permit, State: enabled, Index: 1048584, AI: disabled, Scope Policy: 8
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: untrust
  Source addresses:192.168.1.0/24
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1006


Policy: policy_forward-0002, action-type: permit, State: enabled, Index: 2097156, AI: disabled, Scope Policy: 4
  Policy Type: Dynamic
  Sequence number: 2
  From zone: Host, To zone: untrust
  Source addresses:10.10.10.0/16
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1002
Policy: policy_backward-0002, action-type: permit, State: enabled, Index: 2097158, AI: disabled, Scope Policy: 6
  Policy Type: Dynamic
  Sequence number: 2
  From zone: untrust, To zone: Host
  Source addresses:20.10.10.0/16
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [23-23]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1004

Sample Output

show security dynamic-policies from-zone Internal

user@host> show security dynamic-policies from-zone Internal
Policy: policy_internal-0001, State: enabled, Index: 1048583, Scope Policy: 7
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:
Policy: policy_external-0001, State: enabled, Index: 1048584, Scope Policy: 8
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:

Sample Output

show security dynamic-policies scope-id 8 from-zone Internal

user@host> show security dynamic-policies scope-id 8 from-zone Internal
Policy: policy_external-0001, State: enabled, Index: 1048584, Scope Policy: 8
  Sequence number: 1
  Applications: Unknown
  action-type: permit, tunnel:

Sample Output

show security dynamic-policies detail from-zone Internal

user@host> show security dynamic-policies detail from-zone Internal
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses:192.168.1.0/24
  Destination addresses:10.20.20.0/16


  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005
Policy: policy_external-0001, action-type: permit, State: enabled, Index: 1048584, AI: disabled, Scope Policy: 8
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: untrust
  Source addresses:192.168.1.0/24
  Destination addresses:20.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1006

Sample Output

show security dynamic-policies detail from-zone Internal to-zone Host

user@host> show security dynamic-policies detail from-zone Internal to-zone Host
Policy: policy_internal-0001, action-type: permit, State: enabled, Index: 1048583, AI: disabled, Scope Policy: 7
  Policy Type: Dynamic
  Sequence number: 1
  From zone: Internal, To zone: Host
  Source addresses:192.168.1.0/24
  Destination addresses:10.20.20.0/16
  Application: Unknown
    IP protocol: 6, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [80-80]
  Tunnel: Test Tunnel, Type: IPSec, Index: 1005


show security dynamic-vpn client version

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show security dynamic-vpn client version

Release Information Command introduced in Junos OS Release 10.0.

Description Display the client software version.

Required Privilege Level view

Related Documentation

• show security dynamic-vpn users on page 133

• show security dynamic-vpn users terse on page 135

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Sample Output

user@host> show security dynamic-vpn client version
Juniper Access Manager version: 1.1.0.4165


show security dynamic-vpn users

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show security dynamic-vpn users

Release Information Command introduced in Junos OS Release 10.0.

Description Display all relevant user information.

Required Privilege Level view

Related Documentation

• show security dynamic-vpn client version on page 132

• show security dynamic-vpn users terse on page 135

• clear security dynamic-vpn user on page 125

• clear security dynamic-vpn all on page 124

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Output Fields Table 20 on page 133 lists the output fields for the show security dynamic-vpn users command. Output fields are listed in the approximate order in which they appear.

Table 20: show security dynamic-vpn users Output Fields

Field Name: Field Description

User: Username.

User-groups: Remote IPsec VPN user groups.

Number of connections: Number of connections currently active.

Remote IP: IP address of the client.

IPsec VPN: Name of the IPsec VPN.

IKE gateway: Name of the IKE gateway.

IKE ID: IKE ID configured for the client.

Status: Status of the connection.

Sample Output

user@host> show security dynamic-vpn users
User: alice , User group: group-one , Number of connections: 1
  Remote IP: 2.2.2.10
  IPSEC VPN: dyn_vpn2


  IKE gateway: gw2
  IKE ID : alicegw2.example.net
  IKE Lifetime: 72000
  IPSEC Lifetime: 3600
  Status: CONNECTED


show security dynamic-vpn users terse

Supported Platforms SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show security dynamic-vpn users terse

Release Information Command introduced in Junos OS Release 10.0.

Description Display all relevant user information.

Required Privilege Level view

Related Documentation

• show security dynamic-vpn users on page 133

• clear security dynamic-vpn user on page 125

• clear security dynamic-vpn all on page 124

• show security dynamic-vpn client version on page 132

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Output Fields Table 21 on page 135 lists the output fields for the show security dynamic-vpn users terse command. Output fields are listed in the approximate order in which they appear.

Table 21: show security dynamic-vpn users terse Output Fields

Field Name: Field Description

User: Username.

User-groups: Remote IPsec VPN user groups.

Remote IP: IP address of the client.

IKE ID: IKE ID configured for the client.

Status: Status of the connection.

Client Config Name: Name of the client configuration.

Time Established: Time that the user connection was established.

Sample Output

user@host> show security dynamic-vpn users terse
User   User Groups  Remote IP  IKE ID                Status     IKE Lifetime  IPSEC Lifetime  Client Config Name  Time Established
alice  group-one    2.2.2.10   alicegw2.example.net  CONNECTED  72000         3600            group               Wed Aug 8 10:26:39 2012


show security ike active-peer

Supported Platforms J Series, LN Series, SRX Series

Syntax show security ike active-peer

Release Information Command introduced in Junos OS Release 10.4.

Description Display the list of connected active users with details about the peer addresses and ports they are using.

Required Privilege Level view

Related Documentation

• show security ike security-associations on page 138

• show security ipsec security-associations on page 145

• Junos OS VPN Library for Security Devices

List of Sample Output show security ike active-peer on page 137

Sample Output

show security ike active-peer

user@host> show security ike active-peer

Remote Address   Port   Peer IKE-ID        XAUTH username   Assigned IP
172.27.6.136     8034   tleungjtac@650a    tleung           10.123.80.225


show security ike security-associations

Supported Platforms J Series, LN Series, SRX Series

Syntax show security ike security-associations
  <peer-address>
  <brief | detail>
  <fpc slot-number>
  <index SA-index-number>
  <kmd-instance (all | kmd-instance-name)>
  <pic slot-number>
  <family (inet | inet6)>

Release Information Command introduced in Junos OS Release 8.5. The fpc, pic, and kmd-instance options added in Junos OS Release 9.3. The family option added in Junos OS Release 11.1.

Description Display information about Internet Key Exchange security associations (IKE SAs).

Options • none—Display standard information about existing IKE SAs, including index numbers.

• peer-address—(Optional) Display details about a particular SA based on the IPv4 or IPv6 address of the destination peer. This option and index provide the same level of output.

• brief—(Optional) Display standard information about all existing IKE SAs. (Default)

• detail—(Optional) Display detailed information about all existing IKE SAs.

• fpc slot-number—(Optional) Specific to SRX Series devices. Display information about existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.

• index SA-index-number—(Optional) Display information for a particular SA based on the index number of the SA. For a particular SA, display the list of existing SAs by using the command with no options. This option and peer-address provide the same level of output.

• kmd-instance—(Optional) Specific to SRX Series devices. Display information about existing IKE SAs in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number. This option is used to filter the output.
  • all—All KMD instances running on the Services Processing Unit (SPU).
  • kmd-instance-name—Name of the KMD instance running on the SPU.

• pic slot-number—(Optional) Specific to SRX Series devices. Display information about existing IKE SAs in this PIC slot. This option is used to filter the output.

• family—(Optional) Display IKE SAs by family. This option is used to filter the output.
  • inet—IPv4 address family.
  • inet6—IPv6 address family.


Required Privilege Level view

Related Documentation

• clear security ike security-associations

• Junos OS VPN Library for Security Devices

• Master Administrator for Logical Systems Feature Guide for Security Devices

List of Sample Output
show security ike security-associations (IPv4) on page 141
show security ike security-associations (IPv6) on page 141
show security ike security-associations detail (Branch SRX Series Devices) on page 142
show security ike security-associations detail (For High-End SRX Series Devices) on page 142
show security ike security-associations family inet6 on page 143
show security ike security-associations index 8 detail on page 143
show security ike security-associations 1.1.1.2 on page 144
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices) on page 144

Output Fields Table 22 on page 139 lists the output fields for the show security ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 22: show security ike security-associations Output Fields

Field Name: Field Description

IKE Peer or Remote Address: IP address of the destination peer with which the local peer communicates.

Index: Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Gateway Name: Name of the IKE gateway.

Location:
• FPC—Flexible PIC Concentrator (FPC) slot number.
• PIC—PIC slot number.
• KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.

Role: Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State: State of the IKE SAs:
• DOWN—SA has not been negotiated with the peer.
• UP—SA has been negotiated with the peer.

Initiator cookie: Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.


Table 22: show security ike security-associations Output Fields (continued)

Field Name: Field Description

Responder cookie: Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.
A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Mode or Exchange type: Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:
• main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
• aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.
NOTE: IKEv2 protocol does not use the mode configuration for negotiation. Therefore, mode displays the version number of the security association.

Local: Address of the local peer.

Remote: Address of the remote peer.

Lifetime: Number of seconds remaining until the IKE SA expires.

Algorithms: IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:
• Authentication—Type of authentication algorithm used:
  • sha1—Secure Hash Algorithm 1 authentication.
  • md5—MD5 authentication.
• Encryption—Type of encryption algorithm used:
  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
  • aes-192-cbc—AES 192-bit encryption.
  • aes-128-cbc—AES 128-bit encryption.
  • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
  • des-cbc—DES encryption.

Diffie-Hellman group: Specifies the IKE Diffie-Hellman group.

Traffic statistics:
• Input bytes—Number of bytes received.
• Output bytes—Number of bytes transmitted.
• Input packets—Number of packets received.
• Output packets—Number of packets transmitted.


Table 22: show security ike security-associations Output Fields (continued)

Field Name: Field Description

Flags: Notification to the key management process of the status of the IKE negotiation:
• caller notification sent—Caller program notified about the completion of the IKE negotiation.
• waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
• waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
• waiting for policymanager—Negotiation is waiting for a response from the policy manager.

IPSec security associations:
• number created: The number of SAs created.
• number deleted: The number of SAs deleted.

Phase 2 negotiations in progress: Number of Phase 2 IKE negotiations in progress and status information:
• Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.
• Message ID—Unique identifier for a Phase 2 negotiation.
• Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
• Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
• Flags—Notification to the key management process of the status of the IKE negotiation:
  • caller notification sent—Caller program notified about the completion of the IKE negotiation.
  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  • waiting for policymanager—Negotiation is waiting for a response from the policy manager.

Sample Output

show security ike security-associations (IPv4)

user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
9       1.2.1.3         UP     5ba96hfa9f650671  70890755b65b80bd  Main

Sample Output

show security ike security-associations (IPv6)

user@host> show security ike security-associations
Index  State  Initiator cookie  Responder cookie  Mode        Remote Address
5      UP     e48efd6a444853cf  0d09c59aafb720be  Aggressive  1212::1112


Sample Output

show security ike security-associations detail (Branch SRX Series Devices)

user@host> show security ike security-associations detail
IKE peer 25.191.134.245, Index 2577565, Gateway Name: tropic
  Role: Initiator, State: UP
  Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 25.191.134.241:500, Remote: 25.191.134.245:500
  Lifetime: Expires in 169 seconds
  Peer ike-id: 25.191.134.245
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1012
   Output bytes  :                 1196
   Input  packets:                    4
   Output packets:                    5
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 25.191.134.241:500, Remote: 25.191.134.245:500
    Local identity: 25.191.134.241
    Remote identity: 25.191.134.245
    Flags: IKE SA is created

Sample Output

show security ike security-associations detail (For High-End SRX Series Devices)

user@host> show security ike security-associations detail
IKE peer 1.1.1.2, Index 914039858, Gateway Name: tropic
  Location: FPC 3, PIC 1, KMD-Instance 3
  Role: Initiator, State: UP
  Initiator cookie: 219a697652bdde37, Responder cookie: b49c30b229d36bcd
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expires in 26297 seconds
  Peer ike-id: 1.1.1.2
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1


Sample Output

show security ike security-associations family inet6

user@host> show security ike security-associations family inet6
IKE peer 1212::1112, Index 5, Gateway Name: tropic
  Role: Initiator, State: UP
  Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1212::1111:500, Remote: 1212::1112:500
  Lifetime: Expires in 19518 seconds
  Peer ike-id: not valid
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1568
   Output bytes  :                 2748
   Input  packets:                    6
   Output packets:                   23
  Flags: Caller notification sent
  IPSec security associations: 5 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624
    Local: 1212::1111:500, Remote: 1212::1112:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done

Sample Output

show security ike security-associations index 8 detail

user@host> show security ike security-associations index 8 detail
IKE peer 1.1.1.2, Index 8, Gateway Name: tropic
  Role: Responder, State: UP
  Initiator cookie: 3a895f8a9f620198, Responder cookie: 9040753e66d700bb
  Exchange type: main, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expired in 381 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                11268
   Output bytes  :                 6940
   Input  packets:                   57
   Output packets:                   57
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Local: 1.1.1.1:500, Remote: 1.1.1.2:500
    Local identity: No Id
    Remote identity: No Id
    Flags: Caller notification sent, Waiting for remove

Sample Output

show security ike security-associations 1.1.1.2

user@host> show security ike security-associations 1.1.1.2
Index  State  Initiator cookie  Responder cookie  Mode  Remote Address
8      UP     3a895f8a9f620198  9040753e66d700bb  Main  1.1.1.2

Sample Output

show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)

user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all
Index       Remote Address  State  Initiator cookie  Responder cookie  Mode
1728053250  1.1.1.2         UP     fc959afd1070d10b  bdeb7e8c1ea99483  Main
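As an added example (not code from this guide or from Juniper), the following Python script parses the detail output documented in Table 22 above, records each IKE SA's fields, and reports the conditions the field descriptions point at: aggressive mode leaving the peer identity unprotected, and md5, des-cbc/3des-cbc or a small Diffie-Hellman group in the negotiated algorithms. The sample text, its peers and cookies, and the WEAK_AUTH/WEAK_ENC/WEAK_DH policy sets are constructed for this example.

```python
"""Parse and audit 'show security ike security-associations detail' output.

Added example, not Juniper code. SAMPLE_IKE_DETAIL is constructed in the field
layout documented on this page; peers, cookies and the policy sets are made up.
"""
import re
from dataclasses import dataclass, field

SAMPLE_IKE_DETAIL = """\
IKE peer 203.0.113.10, Index 8, Gateway Name: tropic
  Role: Responder, State: UP
  Initiator cookie: 0123456789abcdef, Responder cookie: fedcba9876543210
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 198.51.100.1:500, Remote: 203.0.113.10:500
  Lifetime: Expires in 381 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-5
  Flags: Caller notification sent
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Flags: Caller notification sent, Waiting for remove

IKE peer 203.0.113.20, Index 9, Gateway Name: branch
  Role: Initiator, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 198.51.100.1:500, Remote: 203.0.113.20:500
  Lifetime: Expires in 26297 seconds
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-14
  Flags: IKE SA is created
"""

HEADER_RE = re.compile(r"^IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
LIFETIME_RE = re.compile(r"Expires in (\d+) seconds")

# Policy thresholds chosen for this example; adjust to local standards.
WEAK_AUTH = {"md5", "hmac-md5-96"}
WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_DH = {"DH-group-1", "DH-group-2", "DH-group-5"}  # MODP below 2048 bits


@dataclass
class IkeSa:
    peer: str
    index: int
    gateway: str
    fields: dict = field(default_factory=dict)  # first value seen per key


def parse_ike_detail(text: str) -> list:
    """Return one IkeSa per 'IKE peer' block with its 'Key: value' pairs."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = IkeSa(m.group(1), int(m.group(2)), m.group(3))
            sas.append(current)
            continue
        if current is None:
            continue
        # Split on commas only when every piece is itself a 'Key: value' pair;
        # otherwise the commas belong to the value (e.g. the Flags list).
        parts = line.split(", ")
        if not all(":" in p for p in parts):
            parts = [line]
        for part in parts:
            key, sep, value = part.partition(":")
            # setdefault keeps the SA-level Role/Local/Flags: the same keys in
            # the indented Phase 2 block must not overwrite them.
            if sep:
                current.fields.setdefault(key.strip(), value.strip())
    return sas


def lifetime_seconds(sa: IkeSa):
    """Seconds left before the IKE SA expires, or None if not shown."""
    m = LIFETIME_RE.search(sa.fields.get("Lifetime", ""))
    return int(m.group(1)) if m else None


def audit_ike_sa(sa: IkeSa) -> list:
    """Findings for one IKE SA; an empty list means nothing to report."""
    f, findings = sa.fields, []
    if f.get("Exchange type", "").lower() == "aggressive":
        findings.append("aggressive mode: peer identity is sent unprotected")
        if f.get("Authentication method") == "Pre-shared-keys":
            findings.append("pre-shared key combined with aggressive mode")
    if f.get("Authentication") in WEAK_AUTH:
        findings.append("weak IKE authentication algorithm " + f["Authentication"])
    if f.get("Encryption") in WEAK_ENC:
        findings.append("weak IKE encryption algorithm " + f["Encryption"])
    if f.get("Diffie-Hellman group") in WEAK_DH:
        findings.append("small Diffie-Hellman group " + f["Diffie-Hellman group"])
    return findings
```

Feed the script the saved output of the command on a device; each IKE SA is returned as an IkeSa whose fields dict holds the first value seen for every key, so the Phase 2 sub-block never masks the SA-level values.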


show security ipsec security-associations

Supported Platforms J Series, LN Series, SRX Series

Syntax show security ipsec security-associations
<brief | detail>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<pic slot-number>
<family (inet | inet6)>
<vpn-name vpn-name <traffic-selector traffic-selector-name>>

Release Information Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance options added in Junos OS Release 9.3. Support for the family option added in Junos OS Release 11.1. Support for the vpn-name option added in Junos OS Release 11.4R3. Support for the traffic-selector option and traffic selector field added in Junos OS Release 12.1X46-D10.

Description Display information about the IPsec security associations (SAs).

Options • none—Display information about all SAs.

• brief | detail—(Optional) Display the specified level of output.

• fpc slot-number—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.

• index SA-index-number—(Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

• kmd-instance—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs in the key management process (in this case, it is KMD) identified by the FPC slot-number and PIC slot-number. This option is used to filter the output.

• all—All KMD instances running on the Services Processing Unit (SPU).

• kmd-instance-name—Name of the KMD instance running on the SPU.

• pic slot-number—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs in this PIC slot. This option is used to filter the output.

• family—(Optional) Display SAs by family. This option is used to filter the output.

• inet—IPv4 address family.

• inet6—IPv6 address family.

• vpn-name vpn-name—Name of the VPN. If configured, traffic-selector traffic-selector-name can optionally be specified.


Required Privilege Level view

Related Documentation

• MPLS Feature Guide for Security Devices

• clear security ipsec security-associations

• Junos OS VPN Library for Security Devices

• Master Administrator for Logical Systems Feature Guide for Security Devices

List of Sample Output show security ipsec security-associations (IPv4) on page 149
show security ipsec security-associations (IPv6) on page 149
show security ipsec security-associations index 5 on page 149
show security ipsec security-associations brief on page 150
show security ipsec security-associations detail on page 150
show security ipsec security-associations detail (SRX Series Devices) on page 150
show security ipsec security-associations family inet6 on page 152
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices) on page 152

Output Fields Table 23 on page 146 lists the output fields for the show security ipsec security-associations command. Output fields are listed in the approximate order in which they appear.

Table 23: show security ipsec security-associations

Total active tunnels: Total number of active IPsec tunnels.

ID: Index number of the SA. You can use this number to get additional information about the SA.

VPN name: IPsec name for VPN.

Gateway: IP address of the remote gateway.

Port: If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Algorithm: Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:

• An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96, hmac-sha1-96, or ESP.

• An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.

SPI: Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.


Table 23: show security ipsec security-associations (continued)

Life: sec/kb: The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Sta: State has two options, Installed and Not Installed.

• Installed—The SA is installed in the SA database.

• Not Installed—The SA is not installed in the SA database.

For transport mode, the value of State is always Installed.

Mon: The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA.

vsys or Virtual-system: The root system.

Tunnel index: Numeric identifier of the specific IPsec tunnel for the SA.

Local gateway: Gateway address of the local system.

Remote gateway: Gateway address of the remote system.

Traffic selector: Name of the traffic selector.

Local identity: Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote identity: IP address of the destination peer gateway.

DF-bit: State of the don't fragment bit: set or cleared.

Bind interface: The tunnel interface to which VPN is bound.

Policy-name: Name of the applicable policy.

Location:

FPC—Flexible PIC Concentrator (FPC) slot number.

PIC—PIC slot number.

KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances run on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance.

Direction: Direction of the SA; it can be inbound or outbound.

AUX-SPI: Value of the auxiliary security parameter index (SPI).

• When the value is AH or ESP, AUX-SPI is always 0.

• When the value is AH+ESP, AUX-SPI is always a positive integer.


Table 23: show security ipsec security-associations (continued)

Mode: Mode of the SA:

• transport—Protects host-to-host connections.

• tunnel—Protects connections between security gateways.

Type: Type of the SA:

• manual—Security parameters require no negotiation. They are static and are configured by the user.

• dynamic—Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State: State of the SA:

• Installed—The SA is installed in the SA database.

• Not Installed—The SA is not installed in the SA database.

For transport mode, the value of State is always Installed.

Protocol: Protocol supported.

• Transport mode supports Encapsulating Security Payload (ESP) and Authentication Header (AH).

• Tunnel mode supports ESP and AH.

• Authentication—Type of authentication used.

• Encryption—Type of encryption used.

Soft lifetime: The soft lifetime informs the IPsec key management system that the SA is about to expire.

Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

• Expires in seconds—Number of seconds left until the SA expires.

Hard lifetime: The hard lifetime specifies the lifetime of the SA.

• Expires in seconds—Number of seconds left until the SA expires.

Lifesize Remaining: The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

• Expires in kilobytes—Number of kilobytes left until the SA expires.

Anti-replay service: State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size: Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.


Table 23: show security ipsec security-associations (continued)

Bind-interface: The tunnel interface to which the route-based VPN is bound.

Sample Output

show security ipsec security-associations (IPv4)

user@host> show security ipsec security-associations
Total active tunnels: 1
ID      Gateway          Port  Algorithm       SPI       Life:sec/kb   Mon  vsys
131075  11.0.28.241      500   ESP:3des/sha1   86758ff0  6918/ unlim   -    0
131075  11.0.28.241      500   ESP:3des/sha1   3183ff26  6918/ unlim   -    0

Sample Output

show security ipsec security-associations (IPv6)

user@host> show security ipsec security-associations
Total active tunnels: 1
ID      Algorithm       SPI       Life:sec/kb   Mon  vsys  Port  Gateway
131074  ESP:3des/sha1   14caf1d9  3597/ unlim   -    root  500   1212::1112
131074  ESP:3des/sha1   9a4db486  3597/ unlim   -    root  500   1212::1112

Sample Output

show security ipsec security-associations index 5

user@host> show security ipsec security-associations index 5
  ID: 131073 Virtual-system: root, VPN Name: tropic
  Local gateway: 1.1.1.1, Remote gateway: 1.1.1.2
  Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,[0...7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear
  Bind-interface: st0.3
  Policy-name: my-policy

  Direction: inbound, SPI: 494001027, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expired
  Hard lifetime: Expired in 130 seconds
  Lifesize Remaining: Unlimited
  Anti-replay service: Enabled, Replay window size: 64

  Direction: inbound, SPI: 1498711950, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 40 seconds
  Hard lifetime: Expires in 175 seconds
  Lifesize Remaining: Unlimited
  Anti-replay service: Enabled, Replay window size: 64

  Direction: outbound, SPI: 4038397695, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: Installed
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Soft lifetime: Expires in 40 seconds
  Hard lifetime: Expires in 175 seconds
  Lifesize Remaining: Unlimited
  Anti-replay service: Enabled, Replay window size: 64

Sample Output

show security ipsec security-associations brief

user@host> show security ipsec security-associations brief
Total active tunnels: 2
ID      Gateway          Port  Algorithm       SPI       Life:sec/kb   Mon  vsys
<16384  1.1.1.1          500   ESP:3des/sha1   af88baa   28795/unlim   D    0
>16384  1.1.1.1          500   ESP:3des/sha1   f4e3e5f4  28795/unlim   D    0

Sample Output

show security ipsec security-associations detail

user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: tropic
  Local Gateway: 1.1.1.2, Remote Gateway: 1.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear
  Bind-interface: st0.3
  Direction: inbound, SPI: 184060842, AUX-SPI: 0
  Hard lifetime: Expires in 28785 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expired
  Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: enabled, Replay window size: 32

  Direction: outbound, SPI: 4108576244, AUX-SPI: 0
  Hard lifetime: Expires in 28785 seconds
  Lifesize Remaining: Unlimited
  Soft lifetime: Expired
  Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
  Anti-replay service: enabled, Replay window size: 32

Sample Output

show security ipsec security-associations detail (SRX Series Devices)

user@host> show security ipsec security-associations detail
  ID: 268173313 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS1-ipv6
  Local Identity: ipv6(10::-10::ffff:ffff:ffff:ffff)
  Remote Identity: ipv6(20::-20::ffff:ffff:ffff:ffff)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a468fece, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173316 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS2-ipv4
  Local Identity: ipv4(10.1.1.0-10.1.1.255)
  Remote Identity: ipv4(20.1.0.0-20.1.255.255)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 417f3cea, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4344027, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173317 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS3-ipv4
  Local Identity: ipv4(10.1.1.0-10.1.1.255)
  Remote Identity: ipv4(20.1.1.0-20.1.1.255)
  Version: IKEv1
  DF-bit: clear
  Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: cc9fb573, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3548 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2925 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4bde69b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3548 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2925 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

Sample Output

show security ipsec security-associations family inet6

user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 1212::1111, Remote Gateway: 1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
    Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9a4db486, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

Sample Output

show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)

user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
Total active tunnels: 1
ID      Gateway          Port  Algorithm       SPI       Life:sec/kb   Mon  vsys
<2      1.1.1.2          500   ESP:3des/sha1   67a7d25d  28280/unlim   -    0
>2      1.1.1.2          500   ESP:3des/sha1   a23cbcdc  28280/unlim   -    0
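As an added example (not code from this guide or from Juniper), the following Python script parses the tabular output shown in the samples above, reading the ID, Gateway, Port, Algorithm, SPI, Life:sec/kb, Mon and vsys columns described in Table 23, and reports what an operator checks in that table: VPN monitoring showing D, a lifetime close to expiry, weak algorithms, port 4500 meaning NAT is in the path, and an SA with only one of its two directions present. The sample rows, the aes-cbc-256 algorithm label and the thresholds are constructed for this example.

```python
"""Parse and audit the tabular 'show security ipsec security-associations' output.

Added example, not Juniper code. SAMPLE_IPSEC_BRIEF is constructed in the column
layout documented on this page; gateways, SPIs and the AES algorithm label are
made up, and the thresholds below are this example's policy choices.
"""
import re
from collections import defaultdict

SAMPLE_IPSEC_BRIEF = """\
Total active tunnels: 2
ID      Gateway          Port  Algorithm             SPI       Life:sec/kb   Mon  vsys
<16384  203.0.113.10     4500  ESP:3des/sha1         af88baa   28795/unlim   D    0
>16384  203.0.113.10     4500  ESP:3des/sha1         f4e3e5f4  28795/unlim   D    0
<16385  203.0.113.20     500   ESP:aes-cbc-256/sha1  2b7c1d90  120/ unlim    U    0
"""

TOTAL_RE = re.compile(r"^Total active tunnels:\s*(\d+)")
# One table row: optional direction marker, ID, gateway, port, proto:enc/auth,
# SPI, lifetime as sec/kb (a space may follow the slash), Mon, vsys.
ROW_RE = re.compile(
    r"^(?P<dir>[<>]?)(?P<id>\d+)\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<proto>\w+):(?P<enc>[\w-]+)/(?P<auth>[\w-]+)\s+(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\S+)$"
)


def parse_ipsec_brief(text: str):
    """Return (total_active_tunnels, rows); each row is a dict of the columns."""
    total, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["port"] = int(row["port"])
            row["sec"] = int(row["sec"])
            rows.append(row)
    return total, rows


def audit_ipsec_sas(rows, expiry_warn_sec: int = 300) -> list:
    """Findings for a parsed table; an empty list means nothing to report."""
    findings = []
    directions = defaultdict(set)
    for r in rows:
        tag = f"SA {r['dir']}{r['id']} {r['gw']}"
        if r["enc"] in ("des", "3des"):
            findings.append(f"{tag}: weak encryption {r['enc']}")
        if r["auth"] == "md5":
            findings.append(f"{tag}: weak authentication {r['auth']}")
        if r["mon"] == "D":
            findings.append(f"{tag}: VPN monitoring reports the tunnel down")
        if r["sec"] < expiry_warn_sec:
            findings.append(f"{tag}: expires in {r['sec']} s, expect a rekey")
        if r["port"] == 4500:  # per Table 23, 4500 means NAT is in use
            findings.append(f"{tag}: info: NAT-T in use (UDP port 4500)")
        directions[r["id"]].add(r["dir"])
    # With direction markers present, each SA should have both an inbound (<)
    # and an outbound (>) entry; a lone entry is a half-installed tunnel.
    for sa_id, dirs in sorted(directions.items()):
        if "" not in dirs and dirs != {"<", ">"}:
            findings.append(f"SA {sa_id}: only direction {''.join(dirs)} present")
    return findings
```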


PART 4

Troubleshooting

• Access Manager on page 155


CHAPTER 14

Access Manager

• Access Manager Client-Side Error Messages on page 155

• Troubleshooting Access Manager Client-Side Problems on page 158

Access Manager Client-Side Error Messages

Supported Platforms SRX100, SRX210, SRX240, SRX650

Table 24 on page 155 lists possible errors that end users might see when installing or running Access Manager, the possible causes for the messages, and suggested actions.

Table 24: Dynamic VPN Client-Side Errors

Error message: Component instance already in use
Possible causes: Internal error.
Suggested user action: Try to reconnect to the firewall.

Error message: Memory allocation failure
Possible causes: Internal error.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Failed to load connection store
Possible causes: Internal error.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Cannot get connection information for firewall
Possible causes: Internal error. Could not retrieve connection information for the specified firewall.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Authentication failure: Unknown HTTP response code
Possible causes: Internal error. Could not decipher the HTTP response.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Authentication failure: Incorrect username or password
Possible causes: The user entered an invalid username or password.
Suggested user action: Reenter your credentials.

Error message: Authentication failure: Firewall is out of licenses
Possible causes: All available licenses are currently being used for other dynamic VPN sessions or no licenses are installed for the feature.
Suggested user action: Try to reconnect to the firewall once a license has been freed by another user. If the problem persists, contact your system administrator.

Error message: Authentication failure: No configuration available
Possible causes: No configuration is currently available for the specified user account.
Suggested user action: Contact your system administrator.

Table 24: Dynamic VPN Client-Side Errors (continued)

Error message: Cannot create IPsec route entry
Possible causes: Internal error. Failed to read route entry from the connection store.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Failed to read route entry from connection store
Possible causes: Internal error. Failed to read the route entry from the connection store.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Failed to add route entry to policy
Possible causes: Internal error. Failed to add the route entry to the connection store.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: Failed to initialize IPsec Manager
Possible causes: Internal error. Failed to initialize the IPsec Manager.
Suggested user action: Try to reconnect to the firewall. If the problem persists, exit and restart Access Manager.

Error message: IPsec authentication failed
Possible causes: Phase 1 negotiations, Extended Authentication (XAuth), or Phase 2 negotiations failed.
Suggested user action: Try to reconnect to the firewall.

Error message: IPsec configuration failed
Possible causes: Internal error or policy configuration error. The Tunnel Manager was unable to configure the local IP settings.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: IKE negotiations failed
Possible causes: The components cannot agree on security parameters during the IKE exchange. The administrator probably needs to reconfigure the Phase 1 proposal.
Suggested user action: Contact your system administrator.

Error message: Failed to initialize authentication
Possible causes: Failed to authenticate when connecting to the firewall, possibly because the specified hostname did not resolve against the Domain Name System (DNS) server.
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to connect to server
Possible causes: The TCP connection to the webserver failed during authentication, possibly because of network connectivity issues.
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to send initial HTTP request
Possible causes: Webserver authentication failed, possibly because of network connectivity issues.
Suggested user action: Try to reconnect to the firewall.

Error message: Failed to get HTTP response
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Firewall refused authentication request
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Client failed to provide login page
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Error message: Server failed to send authentication request
Possible causes: Webserver authentication failed.
Suggested user action: Try to reconnect to the firewall. If the problem persists, contact your system administrator.

Table 24: Dynamic VPN Client-Side Errors (continued)

Try to reconnect to the firewall. If the problempersists, contact your system administrator.

The client sent the user’s credentials to thewebserver, but the server failed to respond in auseful manner.

Server failed torespond toauthentication request

Try to reconnect to the firewall. If the problempersists, contact your system administrator.

Webserver authentication failed.Authenticationnegotiation failed

Try to reconnect to the firewall. If the problempersists, contact your system administrator.

Webserver authentication failed.Failed to getconfiguration fromfirewall

Try to reconnect to the firewall and reenter yourcredentials.

User canceled authenticationThe user cancelledauthentication.

Try to reconnect to the firewall and reenter yourcredentials.

Authentication request timed out.Failed to enterusername or password

Exit and restart Access Manager. If the problempersists, contact your system administrator.

The client failed to display the user interfaceasking the user for credentials.

Server failed to requestusername andpassword

Try to reconnect to the firewall. If the problempersists, exit and restart Access Manager.

The user’s client is in an inoperable state.Your client state ispreventing theconnection

Exit and restart Access Manager. If the problempersists, reinstall Access Manager.

The client could not contact the connection store.Cannot openconnection store

Try to reconnect to the firewall. If the problempersists, contact your system administrator.

The script provided by the firewall was insomeway unusable. The configuration might needto be updated on the server.

Cannot processconfiguration providedby firewall

Exit and restart Access Manager.The Access Manager service is not running.Access Manager is notrunning

Select the firewall you want to connect to andthen choose Start Connection.

The user choseStartConnectionwithout selectinga connection first.

Please select aconnection

Specify whether or not you want to delete theselection connection profile.

The user chose Delete Connection.Are you sure you wantto delete the selectedconnection?

Exit and restart Access Manager. If the problempersists, reinstall Access Manager.

The Access Manager service is not running;therefore it cannot create a new connectionprofile.

Cannot add newconnection. Service isnot running.

Try again. If the problem persists, exit and restartAccess Manager.

The Access Manager failed to add the newconnection profile.

Cannot add newconnection

Specify a unique name for the connection profile.Unable to add connection profile because thespecified connection name already exists.

Connection name isalready in use


Table 24: Dynamic VPN Client-Side Errors (continued)

Error Message: Please reinstall Access Manager
Possible Causes: Files could not be found when trying to finish the operation.
Suggested User Action: Reinstall Access Manager.

Error Message: Invalid server certificate
Possible Causes: Certificate validation failed.
Suggested User Action: Check client-side logs to determine why the certificate failed.

Error Message: Initializing service...
Possible Causes: Initializing one of the client’s core components. If the component does not initialize, the client cannot function.
Suggested User Action: Wait for the service to finish initializing.

Related Documentation

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side System Requirements on page 117

• Access Manager Client-Side Files on page 117

• Access Manager Client-Side Registry Changes on page 120

• Troubleshooting Access Manager Client-Side Problems on page 158

• Dynamic VPN Feature Guide for SRX Series Gateway Devices

Troubleshooting Access Manager Client-Side Problems

Supported Platforms LN Series, SRX100, SRX210, SRX240, SRX650

Problem Description: Users are having problems connecting to the remote access server using Access Manager.

Solution Use the following tools to troubleshoot client-side issues:

• Client-side logs—To view client-side logs, open Access Manager and choose Save logs and diagnostics from the File menu. Select a location on your computer to save the zipped log files and click Save.

• Detailed logs—To create more detailed client-side logs, open Access Manager and choose Enable Detailed Logging from the File menu.

• Firewall connection information—To view connection information for a given firewall, open Access Manager, right-click to select the firewall, and choose Status.

Related Documentation

• Understanding Remote Client Access to the VPN on page 6

• Access Manager Client-Side System Requirements on page 117

• Access Manager Client-Side Files on page 117

• Access Manager Client-Side Registry Changes on page 120

• Access Manager Client-Side Error Messages on page 155


• Dynamic VPN Feature Guide for SRX Series Gateway Devices


PART 5

Index

• Index on page 163


Index

Symbols

#, comments in configuration statements....................xv

( ), in syntax descriptions.....................................................xv

< >, in syntax descriptions....................................................xv

[ ], in configuration statements.........................................xv

{ }, in configuration statements.........................................xv

| (pipe), in syntax descriptions...........................................xv

A

Access Configuration Statement Hierarchy..................77

Access Manager

client-side files................................................................117

error messages..............................................................155

logging..............................................................................155

overview...............................................................................3

system requirements....................................................117

Windows registry changes........................................120

access-profile statement

(Dynamic VPNs)............................................................63

(IPsec VPNs)...................................................................64

address pools.....................................................................13, 39

address-assignment statement.......................................86

B

braces, in configuration statements.................................xv

brackets

angle, in syntax descriptions......................................xv

square, in configuration statements........................xv

C

clear security dynamic-vpn all command...................124

clear security dynamic-vpn user command...............125

clients statement...................................................................64

comments, in configuration statements........................xv

config-check statement......................................................65

connection, deleting..............................................................112

conventions

text and syntax...............................................................xiv

curly braces, in configuration statements......................xv

customer support...................................................................xvi

contacting JTAC..............................................................xvi

D

documentation

comments on...................................................................xv

dynamic VPNs

address pools............................................................13, 39

client access.......................................................................6

configuration example.................................................25

configuration overview.................................................23

group IKE IDs.............................................................15, 43

individual user IKE IDs..................................................49

local authentication................................................13, 39

overview...............................................................................3

remote user access..........................................................3

shared IKE IDs............................................................15, 16

supported options............................................................7

tunnels..................................................................................7

dynamic-vpn statement......................................................66

F

firewall filters

statistics

clearing ...................................................................138

firewall-authentication statement..................................89

font conventions.....................................................................xiv

force-upgrade statement....................................................67

G

group IKE IDs......................................................................15, 43

I

IKE

group IDs.....................................................................15, 43

individual user IDs..........................................................49

shared IDs....................................................................15, 16

IKE IDs.........................................................................................49

ike statement

(Security)..........................................................................68

interface statement...............................................................70

IPsec

tunnel

creating through dynamic VPN feature...........3

ipsec statement........................................................................71

IPsec VPN client See dynamic VPNs

ipsec-vpn statement

(Dynamic VPNs).............................................................72

L

local authentication.........................................................13, 39

M

manuals

comments on...................................................................xv

P

parentheses, in syntax descriptions.................................xv

Primary-level entry

secondary-level entry...................................................34

Primary-level entry only.......................................................34

profile statement.....................................................................91

R

registry changes, Access Manager.................................120

Remote Access Management Solution See dynamic VPNs

remote access server

overview...............................................................................3

remote access VPN See dynamic VPNs

remote user access VPN See dynamic VPNs

remote-exceptions statement...........................................73

remote-protected-resources statement........................73

S

Security Configuration Statement Hierarchy................61

shared IKE IDs.....................................................................15, 16

show network-access address-assignment pool command............................................................................126

show security dynamic-policies command.................127

show security dynamic-vpn client version..................132

show security dynamic-vpn users..................................133

show security dynamic-vpn users terse.......................135

show security ike active-peer command......................137

show security ike security-associations command............................................................................138

show security ipsec security-associations command............................................................................145

support, technical See technical support

syntax conventions................................................................xiv

system-generated-certificate statement.....................95

T

technical support

contacting JTAC..............................................................xvi

traceoptions statement

(dynamic-vpn)................................................................74

U

user statement.........................................................................75

user-groups statement.........................................................75

V

VPNs

dynamic VPN See dynamic VPNs

remote user access See dynamic VPNs

W

wan-acceleration statement.............................................96

web-management statement..........................................98

Windows registry changes, Access Manager.............120
