[j-nsp] WebVPN Problem / SRX

Tim Jackson jackson.tim at gmail.com
Tue May 25 14:12:40 EDT 2010


Do you have a from-zone untrust to-zone trust policy in place that permits the client traffic into trust over ipsec-vpn leo, something like the one below?  (any/any is fine to get the tunnel up; once it works, narrow destination-address to the 10.1.1.0/24 you list under remote-protected-resources so authenticated VPN users cannot reach the whole trust zone.)

security {
 policies {
  from-zone untrust to-zone trust {
   /* Dynamic VPN clients land in untrust; a policy with "permit tunnel" is what admits them into trust. */
   policy leo-vpn {
     match {
       /* any/any is a bring-up setting. Once the client connects, restrict destination-address to the
          10.1.1.0/24 protected resources (an address-book entry) so the VPN does not expose all of trust. */
       source-address any;
       destination-address any;
       application any;
      }
      then {
        permit {
          tunnel {
            /* Must name the same ipsec-vpn the dynamic-vpn client stanza references. */
            ipsec-vpn leo;
          }
         }
        }
       }
    }
}




On Tue, May 25, 2010 at 12:14 PM, Paul Stewart <paul at paulstewart.org> wrote:

> Has anyone here set up WebVPN (Dynamic VPN) on a Juniper SRX?  I've had a JTAC ticket running
> for quite a while and they haven't been able to figure out why we can't
> connect.  According to the logs the username is getting authenticated and
> then the session drops for some reason.  I'm about 6-7 hours on the phone
> with JTAC so far - hoping someone has some ideas ;)
>
>
>
> Thanks ;)
>
>
>
>
>
> SRX210 running 10.0R3.10
>
>
>
> access {
>
>    profile user-auth-profile {
>
>        /* NOTE(review): no address-assignment pool is bound to this profile. Dynamic VPN clients normally
>           receive their tunnel address from such a pool, and a missing pool would fit the symptom of
>           "user authenticates, then the session drops" - confirm against the Dynamic VPN example config. */
>        client leo {
>
>            firewall-user {
>
>                /* Local static credential; this is the only factor protecting the tunnel besides the PSK. */
>                password "xxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
>
>            }
>
>        }
>
>    }
>
>    firewall-authentication {
>
>        web-authentication {
>
>            default-profile user-auth-profile;
>
>        }
>
>    }
>
> }
>
>
>
>
>
> security {
>
>    ike {
>
>        /* Debug-level tracing turned on for the JTAC case; it logs every negotiation. Narrow or
>           remove it once the tunnel is working. */
>        traceoptions {
>
>            flag all;
>
>        }
>
>        proposal phase1-prop {
>
>            authentication-method pre-shared-keys;
>
>            dh-group group5;
>
>            authentication-algorithm sha-256;
>
>            encryption-algorithm aes-256-cbc;
>
>        }
>
>        policy ike-pol {
>
>            /* Aggressive mode sends the identity and the PSK-derived hash before the exchange is encrypted,
>               so anyone who can reach ge-0/0/0 can attempt an offline guess of the shared key - keep the PSK
>               long and random. NOTE(review): dynamic (remote-access) gateways are, as far as I recall,
>               required to use aggressive mode, so treat this as a caveat rather than a change. */
>            mode aggressive;
>
>            proposals phase1-prop;
>
>            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
>
>        }
>
>        gateway leo {
>
>            ike-policy ike-pol;
>
>            /* Peer is identified by its IKE identity "leo", not by address; ike must be allowed inbound on
>               the external interface (it is, under zones). */
>            dynamic hostname leo;
>
>            external-interface ge-0/0/0.0;
>
>            xauth access-profile user-auth-profile;
>
>        }
>
>    }
>
>    ipsec {
>
>        proposal phase2-prop {
>
>            protocol esp;
>
>            authentication-algorithm hmac-sha1-96;
>
>            encryption-algorithm aes-256-cbc;
>
>        }
>
>        policy ipsec-pol {
>
>            /* PFS here uses group2 (1024-bit MODP) while phase 1 negotiates group5; consider matching
>               group5 for phase 2 as well if the client supports it. */
>            perfect-forward-secrecy {
>
>                keys group2;
>
>            }
>
>            proposals phase2-prop;
>
>        }
>
>        vpn leo {
>
>            /* This is the vpn name the dynamic-vpn client stanza and the untrust-to-trust tunnel policy must reference. */
>            ike {
>
>                gateway leo;
>
>                ipsec-policy ipsec-pol;
>
>            }
>
>        }
>
>    }
>
>
>
>   zones {
>
>        security-zone untrust {
>
>            screen untrust-screen;
>
>            interfaces {
>
>                ge-0/0/0.0 {
>
>                    /* Everything listed here is reachable from the Internet side of the box. https and ike
>                       are what the Dynamic VPN setup needs; ssh, snmp, tftp and dhcp deserve a second look -
>                       if they are not required on untrust, remove them or restrict them with a firewall
>                       filter on the loopback interface. */
>                    host-inbound-traffic {
>
>                        system-services {
>
>                            dhcp;
>
>                            tftp;
>
>                            https;
>
>                            ssh;
>
>                            ping;
>
>                            snmp;
>
>                            ike;
>
>                        }
>
>                    }
>
>                }
>
>            }
>
>        }
>
>    }
>
>
>
>
>
>    dynamic-vpn {
>
>        access-profile user-auth-profile;
>
>        clients {
>
>            leo {
>
>                /* Split tunnel: only 10.1.1.0/24 is pushed to the client as tunnelled; 0.0.0.0/0 in
>                   remote-exceptions leaves all other client traffic on its local path, untunnelled. */
>                remote-protected-resources {
>
>                    10.1.1.0/24;
>
>                }
>
>                remote-exceptions {
>
>                    0.0.0.0/0;
>
>                }
>
>                /* Must match the security ipsec vpn name and the tunnel policy's ipsec-vpn. */
>                ipsec-vpn leo;
>
>                user {
>
>                    leo;
>
>                }
>
>            }
>
>        }
>
>    }
>
> }
>
>

