[j-nsp] WebVPN Problem / SRX

Paul Stewart paul at paulstewart.org
Tue May 25 14:59:07 EDT 2010


Thanks - yes, there is a policy almost identical to that. Missed posting
that, sorry.

I think the problem has been discovered already though - it appears that
XAuth requires RADIUS and there is no way around it that I've been able to
find. Due to the low volume of users on this box we wanted to just use
local users, but it looks like I'm SOL on that. ;)

Paul

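For the conclusion above that XAuth has to be backed by RADIUS, here is an added example (not config from this thread or from Juniper) of the same access profile pointed at a RADIUS server instead of the local "client leo" firewall-user, with the gateway and dynamic-vpn stanzas still referencing it. The server address 192.0.2.10 and the shared secret are placeholders, and the local client entry is dropped because XAuth will not consult it.

```junos
access {
    profile user-auth-profile {
        /* XAuth looks up users via RADIUS, not the local client list */
        authentication-order radius;
        radius-server {
            /* placeholder RADIUS server address (assumption) */
            192.0.2.10 {
                /* placeholder shared secret (assumption); replace before commit */
                secret "RADIUS-SECRET-PLACEHOLDER";
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile user-auth-profile;
        }
    }
}
security {
    ike {
        gateway leo {
            /* unchanged from the original post: XAuth uses the RADIUS-backed profile */
            xauth access-profile user-auth-profile;
        }
    }
    dynamic-vpn {
        /* unchanged from the original post: dynamic VPN clients use the same profile */
        access-profile user-auth-profile;
    }
}
```

The user "leo" then has to exist on the RADIUS server rather than under "access profile ... client".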

From: Tim Jackson [mailto:jackson.tim at gmail.com] 
Sent: Tuesday, May 25, 2010 2:13 PM
To: Paul Stewart
Cc: jnsp
Subject: Re: [j-nsp] WebVPN Problem / SRX

 

Do you have a policy in place like:

security {
    policies {
        from-zone untrust to-zone trust {
            policy leo-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn leo;
                        }
                    }
                }
            }
        }
    }
}


On Tue, May 25, 2010 at 12:14 PM, Paul Stewart <paul at paulstewart.org> wrote:

Anyone on here set up WebVPN on a Juniper SRX? I've had a JTAC ticket running
for quite a while and they haven't been able to figure out why we can't
connect. According to the logs the username is getting authenticated and
then the session drops for some reason. I'm about 6-7 hours on the phone
with JTAC so far - hoping someone has some ideas ;)

Thanks ;)

SRX210 running 10.0R3.10

access {
    profile user-auth-profile {
        client leo {
            firewall-user {
                password "xxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile user-auth-profile;
        }
    }
}

security {
    ike {
        traceoptions {
            flag all;
        }
        proposal phase1-prop {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            mode aggressive;
            proposals phase1-prop;
            pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
        gateway leo {
            ike-policy ike-pol;
            dynamic hostname leo;
            external-interface ge-0/0/0.0;
            xauth access-profile user-auth-profile;
        }
    }
    ipsec {
        proposal phase2-prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase2-prop;
        }
        vpn leo {
            ike {
                gateway leo;
                ipsec-policy ipsec-pol;
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            https;
                            ssh;
                            ping;
                            snmp;
                            ike;
                        }
                    }
                }
            }
        }
    }
    dynamic-vpn {
        access-profile user-auth-profile;
        clients {
            leo {
                remote-protected-resources {
                    10.1.1.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn leo;
                user {
                    leo;
                }
            }
        }
    }
}

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp