forked from ndpgroup/vpnc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathjuniper.txt
55 lines (52 loc) · 2.91 KB
/
juniper.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Using vpnc with Juniper / Junos / SRX
-------------------------------------
Breif instructions for using vpnc with the dynamic vpn feature of the
SRX. Make sure your SRX config is set up with "shared-ike-id". Make
sure the SRX "dynamic hostname" matches the vpnc "IPSec ID".
Example VPNC Config
-------------------
Vendor juniper
IPSec gateway 192.168.10.1
IPSec ID example.com
IPSec secret TheGroupSecret
Xauth username joe
Xauth password joespw
IKE Authmode psk
IKE DH Group dh2
Perfect Forward Secrecy dh2
Example SRX Config
------------------
# IKE Phase 1
set security ike policy DYN-VPN-IKE mode aggressive
set security ike policy DYN-VPN-IKE proposal-set standard
set security ike policy DYN-VPN-IKE pre-shared-key ascii-text "TheGroupSecret"
set security ike gateway DYN-VPN-GW ike-policy DYN-VPN-IKE
set security ike gateway DYN-VPN-GW dynamic hostname example.com
set security ike gateway DYN-VPN-GW dynamic connections-limit 10
set security ike gateway DYN-VPN-GW dynamic ike-user-type shared-ike-id
set security ike gateway DYN-VPN-GW external-interface ge-0/0/15.0
set security ike gateway DYN-VPN-GW xauth access-profile DYN-VPN-PROFILE
# IKE Phase 2
set security ipsec policy DYN-VPN-IPSEC-POLICY perfect-forward-secrecy keys group2
set security ipsec policy DYN-VPN-IPSEC-POLICY proposal-set standard
set security ipsec vpn DYN-VPN-IPSEC ike gateway DYN-VPN-GW
set security ipsec vpn DYN-VPN-IPSEC ike ipsec-policy DYN-VPN-IPSEC-POLICY
# VPN
# laptop[[email protected]] <======> 192.168.10.1[example.com] <-----> 10.10.10.0/24[internal]
set access profile DYN-VPN-PROFILE address-assignment pool DYN-VPN-POOL
set access address-assignment pool DYN-VPN-POOL family inet network 10.10.10.0/24
set access address-assignment pool DYN-VPN-POOL family inet range dvpn-range low 10.10.10.24
set access address-assignment pool DYN-VPN-POOL family inet range dvpn-range high 10.10.10.96
set access address-assignment pool DYN-VPN-POOL family inet xauth-attributes primary-dns 8.8.8.8/32
set security dynamic-vpn access-profile DYN-VPN-PROFILE
set security dynamic-vpn clients all remote-protected-resources 192.168.10.1/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn DYN-VPN-IPSEC
set security policies from-zone UNTRUST to-zone TRUST policy DYN-VPN match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy DYN-VPN match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy DYN-VPN match application any
set security policies from-zone UNTRUST to-zone TRUST policy DYN-VPN then permit tunnel ipsec-vpn DYN-VPN-IPSEC
set access firewall-authentication web-authentication default-profile DYN-VPN-PROFILE
# Local firewall user (joe)
set access profile DYN-VPN-PROFILE client joe firewall-user password "joespw"
set security dynamic-vpn clients all user joe