The configuration script below can be used to set up an SRX 300 or similar Juniper firewall with Dynamic VPN support. You will need to change the following:
- LDAP-Server
- DN of the account used to search AD
- Password for the above DN
- Address Pool for VPN Users
- VPN Key
- Remote-Protected Resources (VPN Client Routes)
```
#Setup new access profile
set access profile dyn-vpn-ldap-xauth authentication-order ldap
#Define IP pool for access profile (name must match the pool created further down)
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-address-pool
#(Location from where LDAP will start searching for users)
set access profile dyn-vpn-ldap-xauth ldap-options base-distinguished-name DC=company,DC=local
set access profile dyn-vpn-ldap-xauth ldap-options search search-filter sAMAccountName=
#User who is authorized to search tree
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search distinguished-name CN=admin,OU=Users,OU=MyBusiness,DC=company,DC=local
#AD user password
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search password adminpassword
set access profile dyn-vpn-ldap-xauth ldap-server 10.0.0.1 port 389
set access firewall-authentication pass-through default-profile dyn-vpn-ldap-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-ldap-xauth
#associate gateway with access profile
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth
#set security for dynamic-vpn to allow AD Group to authenticate
set security dynamic-vpn clients all user-group insert-ad-group-here
#create pool for VPN users
set access address-assignment pool dyn-vpn-address-pool family inet network 10.2.0.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 10.0.0.1/32
##Dynamic VPN Tunnel for vpn users
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
#external interface must be the one on which the untrust zone permits inbound IKE (see the zone lines below)
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ping
##Associate dynamic vpn with remote clients
set security dynamic-vpn access-profile dyn-vpn-ldap-xauth
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all default-profile dyn-vpn-ldap-xauth
```
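A configuration like the one above fails at commit, or silently never brings a tunnel up, when a name is referenced in one hierarchy but defined under another (the access profile's pool versus the pool actually created, or an external interface that sits in a zone without inbound IKE). The following Python script is an added example, not part of the original post or of Junos itself: it reads `set`-style lines and reports dangling references before anything is pushed to the device. The regexes assume only the standard hierarchy paths used in the script above, and the embedded sample is constructed from that script with two of its inconsistencies left in on purpose.

```python
"""Cross-reference check for a Junos SRX dynamic-VPN 'set' configuration.

Added example (not from the post): walks set-style lines and reports
names that are referenced but never defined (access profiles, address
pools, IKE/IPsec policies, gateways, IPsec VPNs), plus an IKE gateway
whose external-interface has no zone permitting inbound IKE. Regexes
assume the standard Junos hierarchy used in the post; nothing here
talks to a device, so it can be run on a config before commit.
"""
import re

# Constructed sample trimmed from the post's configuration. It keeps two
# inconsistencies on purpose so the checker has something to report.
SAMPLE_CONFIG = """
set access profile dyn-vpn-ldap-xauth authentication-order ldap
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-pool
set access profile dyn-vpn-ldap-xauth ldap-server 10.0.0.1 port 389
set access address-assignment pool dyn-vpn-address-pool family inet network 10.2.0.0/24
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
set security dynamic-vpn access-profile dyn-vpn-ldap-xauth
set security dynamic-vpn clients all default-profile dyn-vpn-ldap-xauth
"""

# Where each kind of object is defined (group 1 = its name) ...
DEFS = {
    "access profile": r"^set access profile (\S+)",
    "address pool": r"^set access address-assignment pool (\S+)",
    "ike policy": r"^set security ike policy (\S+)",
    "ike gateway": r"^set security ike gateway (\S+)",
    "ipsec policy": r"^set security ipsec policy (\S+)",
    "ipsec vpn": r"^set security ipsec vpn (\S+)",
}
# ... and where it is referenced by name (group 1 = the referenced name).
REFS = {
    "access profile": [r"xauth access-profile (\S+)$",
                       r"^set security dynamic-vpn access-profile (\S+)$",
                       r"default-profile (\S+)$"],
    "address pool": [r"^set access profile \S+ address-assignment pool (\S+)$"],
    "ike policy": [r"^set security ike gateway \S+ ike-policy (\S+)$"],
    "ike gateway": [r"^set security ipsec vpn \S+ ike gateway (\S+)$"],
    "ipsec policy": [r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)$"],
    "ipsec vpn": [r"then permit tunnel ipsec-vpn (\S+)$"],
}
IKE_ZONE_IF = re.compile(
    r"^set security zones security-zone \S+ interfaces (\S+) "
    r"host-inbound-traffic system-services ike$")
EXT_IF = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)$")


def set_lines(text):
    """Keep only 'set ...' statements; comments and blank lines are dropped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def check_references(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    lines = set_lines(text)
    findings = []
    for kind, def_re in DEFS.items():
        defined = {m.group(1) for ln in lines for m in [re.match(def_re, ln)] if m}
        for ref_re in REFS[kind]:
            for ln in lines:
                m = re.search(ref_re, ln)
                if m and m.group(1) not in defined:
                    findings.append(
                        f"{kind} '{m.group(1)}' is referenced but never defined: {ln}")
    # An IKE gateway only works if its external interface (logical unit)
    # sits in a zone that allows inbound IKE; unit 0 is assumed when omitted.
    ike_ifaces = {m.group(1) for ln in lines for m in [IKE_ZONE_IF.match(ln)] if m}
    for ln in lines:
        m = EXT_IF.match(ln)
        if m:
            unit = m.group(2) if "." in m.group(2) else m.group(2) + ".0"
            if unit not in ike_ifaces:
                findings.append(
                    f"ike gateway '{m.group(1)}' uses external-interface {unit}, "
                    f"but no zone permits host-inbound ike on it")
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE_CONFIG):
        print(finding)
```

Run against the embedded sample it reports the pool name mismatch and the external interface without inbound IKE; once those two lines are corrected it returns an empty list. Feeding it `show configuration | display set` output from a real device works the same way, since that output is exactly the line format it parses.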
Sometimes you need to debug the authentication requests. The following enables traceoptions for the general-authentication-service daemon, which logs LDAP and other XAUTH authentication attempts (LDAP in this case):
```
set system processes general-authentication-service traceoptions file general_auth
set system processes general-authentication-service traceoptions flag all
```
After that, we can run "show log general_auth" from the CLI, or "tail -f /var/log/general_auth" from the shell, to follow the attempts in real time. This log will give you clues into what is going on. As an example, here's a failed attempt:
```
Jun 2 13:07:50.365359 ###################################################################
Jun 2 13:07:50.365390 ########################### AUTH REQ RCVD #########################
Jun 2 13:07:50.365414 ###################################################################
Jun 2 13:07:50.365439 Auth-FSM: Process Auth-Request for session-id:9281637515948036499
Jun 2 13:07:50.365482 Framework: Starting authentication
Jun 2 13:07:50.365514 authd_advance_module_for_aaa_request_msg: result:0
Jun 2 13:07:50.365548 Authd module start session-id:9281637515948036499
Jun 2 13:07:50.365583 Local : authd_local_start_auth: got params profile=dyn-vpn-access-profile, username=test
Jun 2 13:07:50.365610 Local : start authd_local_lookup
Jun 2 13:07:50.365636 Local : profile dyn-vpn-access-profile found
Jun 2 13:07:50.365665 Local : client test NOT found
Jun 2 13:07:50.365692 authd_auth_module_start: session-id:9281637515948036499 result = 3 start_auth; state = 0
Jun 2 13:07:50.365754 authd_auth_module_start: Error in calling the start_auth
Jun 2 13:07:50.365790 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE
Jun 2 13:07:50.365823 Framework: auth result is 11. Performing post-auth operations
Jun 2 13:07:50.365850 Framework: result is 11.
Jun 2 13:07:50.365879 authd_auth_send_answer: conn=2878000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), session-id:9281637515948036499, cookie=38, rply_len=28, num_tlv_blocks=0
Jun 2 13:07:50.365954 Delete session-id:9281637515948036499
```
Here’s a successful attempt:
```
Jun 2 13:16:18.410450 ###################################################################
Jun 2 13:16:18.410926 ########################### AUTH REQ RCVD #########################
Jun 2 13:16:18.411047 ###################################################################
Jun 2 13:16:18.411277 Auth-FSM: Process Auth-Request for session-id:9281637520243046915
Jun 2 13:16:18.412288 Framework: Starting authentication
Jun 2 13:16:18.412466 authd_advance_module_for_aaa_request_msg: result:0
Jun 2 13:16:18.412933 Authd module start session-id:9281637520243046915
Jun 2 13:16:18.413131 REQUEST: AUTHEN - module_index 0 module(ldap) return: ASYNC
Jun 2 13:16:18.413518 UserAccess:test session-id:9281637520243046915 state:start
Jun 2 13:16:18.448773 Framework - module(ldap) return: SUCCESS
Jun 2 13:16:18.450504 authd_advance_module_for_aaa_response_msg: result:2
Jun 2 13:16:18.452502 ../../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:1507 Authd-Lite update user-name = No username found
Jun 2 13:16:18.454595 authd_auth_update_local_server_address Searching access profile dyn-vpn-ldap-xauth for local DNS Server
Jun 2 13:16:18.456524 Auth-FSM: reinterpretFsmEvent 2 to 12
Jun 2 13:16:18.458508 AuthFsm::current state=AuthStart(1) event=12 astEntry=0x1773a24 aaa msg=0xda406c
Jun 2 13:16:18.459618 Auth-FSM: Process Auth-Response for session-id:9281637520243046915 and client type auth-lite
Jun 2 13:16:18.460509 Framework: auth result is 1. Performing post-auth operations
Jun 2 13:16:18.462516 (authd_update_session_options) num_tlv_blocks:0
Jun 2 13:16:18.464546 Framework: Updating session timeout (599999940) in response for user 'test' from profile 'dyn-vpn-ldap-xauth'
Jun 2 13:16:18.466524 Framework: length of first client-group if already present = 11
Jun 2 13:16:18.468521 Framework: result is 1.
Jun 2 13:16:18.469515 authd_auth_send_answer: conn=2878000, reply-code=1 (OK), result-subopcode=1 (ACCESS_OK), session-id:9281637520243046915, cookie=39, rply_len=4476, num_tlv_blocks=1
Jun 2 13:16:18.470590 sess_timeout: 599999940
Jun 2 13:16:18.472561 authd_auth_send_answer,tlv_begin:800 tot_tlv_buf_len:0 num_tlv_blocks:0
Jun 2 13:16:18.474567 authd_auth_send_answer, rply_len:4476
Jun 2 13:16:18.476553 authd_auth_send_answer: conn is 2878000 response is 289f000 result is 1, cookie = 39 rply_len:4476 num_tlv_block = 0
```
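Reading these traces by eye works for one attempt, but on an Internet-facing gateway the same log is also where repeated denials for unknown users show up first. The script below is an added example, not code from the post or from Juniper: it reduces both traces above to one record per session-id (username, profile, the module that answered, the final `reply-code`/`result-subopcode`, and for denials the `Local :` reason line), and counts `ACCESS_DENY` results per user. The regexes assume only the message formats visible in the two traces above; the embedded sample is constructed by trimming those same two sessions.

```python
"""Per-session summary of Junos authd trace output (general-authentication-service).

Added example (not from the post): collapses the timestamped trace lines
into one record per session-id with username, profile, the module that
answered, the final reply code and, for failures, the reason line that
explains it. The regexes assume only the message formats visible in the
post's two traces; authd lines in other formats are ignored.
"""
import re
from collections import Counter

# Constructed sample: lines trimmed from the failed and successful
# attempts shown in the post (one denied local lookup, one LDAP success).
SAMPLE_LOG = """
Jun 2 13:07:50.365439 Auth-FSM: Process Auth-Request for session-id:9281637515948036499
Jun 2 13:07:50.365583 Local : authd_local_start_auth: got params profile=dyn-vpn-access-profile, username=test
Jun 2 13:07:50.365665 Local : client test NOT found
Jun 2 13:07:50.365790 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE
Jun 2 13:07:50.365879 authd_auth_send_answer: conn=2878000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), session-id:9281637515948036499, cookie=38, rply_len=28, num_tlv_blocks=0
Jun 2 13:16:18.411277 Auth-FSM: Process Auth-Request for session-id:9281637520243046915
Jun 2 13:16:18.413131 REQUEST: AUTHEN - module_index 0 module(ldap) return: ASYNC
Jun 2 13:16:18.413518 UserAccess:test session-id:9281637520243046915 state:start
Jun 2 13:16:18.448773 Framework - module(ldap) return: SUCCESS
Jun 2 13:16:18.464546 Framework: Updating session timeout (599999940) in response for user 'test' from profile 'dyn-vpn-ldap-xauth'
Jun 2 13:16:18.469515 authd_auth_send_answer: conn=2878000, reply-code=1 (OK), result-subopcode=1 (ACCESS_OK), session-id:9281637520243046915, cookie=39, rply_len=4476, num_tlv_blocks=1
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+ ")
SESSION = re.compile(r"session-id:(\d+)")
MODULE = re.compile(r"module\((\w+)\) return: (\w+)")
ANSWER = re.compile(r"reply-code=(\d+) \((\w+)\), result-subopcode=(\d+) \((\w+)\)")
USER = re.compile(r"username=(\S+)|UserAccess:(\S+) session-id|for user '([^']+)'")
PROFILE = re.compile(r"profile=([^,\s]+)|from profile '([^']+)'")
NOT_FOUND = re.compile(r"Local : (client \S+ NOT found)")


def _first_group(match):
    """Return whichever alternative of an alternation regex actually matched."""
    return next(g for g in match.groups() if g)


def summarize_auth_log(text):
    """Return {session_id: record}; lines before the first session-id are skipped."""
    records, current = {}, None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if not line:
            continue
        m = SESSION.search(line)
        if m:                       # a line naming a session switches context to it
            current = m.group(1)
        if current is None:
            continue                # banner lines before any Auth-Request
        rec = records.setdefault(current, {
            "session_id": current, "username": None, "profile": None,
            "module": None, "module_result": None, "reply": None,
            "outcome": None, "reason": None})
        m = USER.search(line)
        if m:
            rec["username"] = _first_group(m)
        m = PROFILE.search(line)
        if m:
            rec["profile"] = _first_group(m)
        m = MODULE.search(line)
        if m:                       # keep the last module verdict (ASYNC -> SUCCESS)
            rec["module"], rec["module_result"] = m.group(1), m.group(2)
        m = ANSWER.search(line)
        if m:
            rec["reply"], rec["outcome"] = m.group(2), m.group(4)
        m = NOT_FOUND.search(line)
        if m:
            rec["reason"] = m.group(1)
    return records


def failures_by_user(records):
    """Count ACCESS_DENY outcomes per username: a spike for one user, or many
    distinct unknown users, is what to alert on for an Internet-facing gateway."""
    return Counter(r["username"] or "<unknown>"
                   for r in records.values() if r["outcome"] == "ACCESS_DENY")


if __name__ == "__main__":
    recs = summarize_auth_log(SAMPLE_LOG)
    for r in recs.values():
        print(r)
    print(failures_by_user(recs))
```

On the sample, the first session comes out as `module=password`, `outcome=ACCESS_DENY`, `reason=client test NOT found`, which is the detail that matters: the profile in that trace (`dyn-vpn-access-profile`) was doing a local lookup rather than LDAP, so the user was never sent to AD at all. The second session shows `module=ldap`, `outcome=ACCESS_OK` against `dyn-vpn-ldap-xauth`. Pipe `tail -f` output through the same function to keep the counters live.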
Thanks for the clean example.