[j-nsp] WebVPN Problem / SRX
Tim Jackson
jackson.tim at gmail.com
Tue May 25 14:12:40 EDT 2010
Do you have a policy in place like:
security {
    policies {
        from-zone untrust to-zone trust {
            policy leo-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn leo;
                        }
                    }
                }
            }
        }
    }
}
On Tue, May 25, 2010 at 12:14 PM, Paul Stewart <paul at paulstewart.org> wrote:
> Anyone on here set up WebVPN on Juniper SRX? I've had a JTAC ticket running
> for quite a while and they haven't been able to figure out why we can't
> connect. According to the logs the username is getting authenticated and
> then the session drops for some reason... I'm about 6-7 hours on the phone
> with JTAC so far - hoping someone has some ideas ;)
>
> Thanks ;)
>
> SRX210 running 10.0R3.10
>
> access {
>     profile user-auth-profile {
>         client leo {
>             firewall-user {
>                 password "xxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
>             }
>         }
>     }
>     firewall-authentication {
>         web-authentication {
>             default-profile user-auth-profile;
>         }
>     }
> }
>
> security {
>     ike {
>         traceoptions {
>             flag all;
>         }
>         proposal phase1-prop {
>             authentication-method pre-shared-keys;
>             dh-group group5;
>             authentication-algorithm sha-256;
>             encryption-algorithm aes-256-cbc;
>         }
>         policy ike-pol {
>             mode aggressive;
>             proposals phase1-prop;
>             pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
>         }
>         gateway leo {
>             ike-policy ike-pol;
>             dynamic hostname leo;
>             external-interface ge-0/0/0.0;
>             xauth access-profile user-auth-profile;
>         }
>     }
>     ipsec {
>         proposal phase2-prop {
>             protocol esp;
>             authentication-algorithm hmac-sha1-96;
>             encryption-algorithm aes-256-cbc;
>         }
>         policy ipsec-pol {
>             perfect-forward-secrecy {
>                 keys group2;
>             }
>             proposals phase2-prop;
>         }
>         vpn leo {
>             ike {
>                 gateway leo;
>                 ipsec-policy ipsec-pol;
>             }
>         }
>     }
>
>     zones {
>         security-zone untrust {
>             screen untrust-screen;
>             interfaces {
>                 ge-0/0/0.0 {
>                     host-inbound-traffic {
>                         system-services {
>                             dhcp;
>                             tftp;
>                             https;
>                             ssh;
>                             ping;
>                             snmp;
>                             ike;
>                         }
>                     }
>                 }
>             }
>         }
>     }
>
>     dynamic-vpn {
>         access-profile user-auth-profile;
>         clients {
>             leo {
>                 remote-protected-resources {
>                     10.1.1.0/24;
>                 }
>                 remote-exceptions {
>                     0.0.0.0/0;
>                 }
>                 ipsec-vpn leo;
>                 user {
>                     leo;
>                 }
>             }
>         }
>     }
> }
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
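One way to check for the condition Tim's reply points at, as an added example that is not part of this thread or of any Juniper tool: a small Python lint (function names parse_junos, tunnel_vpns, dynamic_vpn_clients and missing_tunnel_policies are mine) that reads Junos brace-syntax configuration and reports every dynamic-vpn client whose ipsec-vpn is not referenced by any "then permit tunnel ipsec-vpn" security policy, which is the situation in the posted config. The parser is deliberately minimal (plain brace syntax only, "## SECRET-DATA" annotations dropped), and the two sample configs are constructed from the thread with secrets omitted.

```python
import re

def parse_junos(text):
    """Junos braces -> nested dicts (leaf statements map to None); '##' annotations dropped."""
    stack, pending = [{}], ""
    for tok in (t.strip() for t in re.split(r"([{};])", re.sub(r"##[^\n]*", "", text))):
        if tok == "{":
            stack.append(stack[-1].setdefault(pending, {}))
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][pending] = None
        else:
            pending = tok
    return stack[0]

def _children(node, *path):
    """Follow container names; a missing or leaf node yields {}."""
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def dynamic_vpn_clients(cfg):
    """{client: ipsec-vpn name} from security/dynamic-vpn/clients/*."""
    out = {}
    for name, body in _children(cfg, "security", "dynamic-vpn", "clients").items():
        for stmt in (body or {}):
            if stmt.startswith("ipsec-vpn "):
                out[name] = stmt.split(None, 1)[1]
    return out

def tunnel_vpns(cfg):
    """ipsec-vpn names some security policy permits via 'then permit tunnel ipsec-vpn X'."""
    found = set()
    for zbody in _children(cfg, "security", "policies").values():
        for pbody in (zbody or {}).values():
            for stmt in _children(pbody, "then", "permit", "tunnel"):
                if stmt.startswith("ipsec-vpn "):
                    found.add(stmt.split(None, 1)[1])
    return found

def missing_tunnel_policies(text):
    """Clients whose ipsec-vpn no policy tunnels: XAuth can pass, yet no traffic is allowed."""
    cfg = parse_junos(text)
    return sorted(c for c, v in dynamic_vpn_clients(cfg).items() if v not in tunnel_vpns(cfg))

# Constructed sample modelled on the posted config (secrets omitted); FIXED adds the reply's policy.
POSTED = """security { dynamic-vpn { clients { leo { remote-protected-resources { 10.1.1.0/24; }
    ipsec-vpn leo; user { leo; } } } } }"""
FIXED = POSTED + """ security { policies { from-zone untrust to-zone trust { policy leo-vpn {
    match { application any; } then { permit { tunnel { ipsec-vpn leo; } } } } } } }"""
```

Running missing_tunnel_policies over the text of "show configuration" gives ['leo'] for the posted config and [] once the tunnel policy is present.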