Setting up and debugging Dynamic VPN (Client-VPN) with LDAP on Juniper SRX 300

The configuration script below sets up an SRX 300 or similar Juniper firewall with Dynamic VPN support, authenticating users against LDAP (Active Directory) through XAuth. Before committing it, change the following:

  • LDAP-Server
  • DN of the account used to search AD
  • Password for the above DN
  • Address Pool for VPN Users
  • VPN Key
  • Remote-Protected Resources (VPN Client Routes)

#Set up a new access profile that authenticates against LDAP
set access profile dyn-vpn-ldap-xauth authentication-order ldap
#Address pool handed to clients of this profile (name must match the pool defined below)
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-address-pool

#Location in the directory from where LDAP will start searching for users
set access profile dyn-vpn-ldap-xauth ldap-options base-distinguished-name DC=company,DC=local
#Attribute the login name is matched against (the SRX appends the username to this prefix)
set access profile dyn-vpn-ldap-xauth ldap-options search search-filter sAMAccountName=
#Account that is authorized to search the tree
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search distinguished-name CN=admin,OU=Users,OU=MyBusiness,DC=company,DC=local
#Password of that account (replace the placeholder)
set access profile dyn-vpn-ldap-xauth ldap-options search admin-search password adminpassword
#LDAP server (replace with your domain controller)
set access profile dyn-vpn-ldap-xauth ldap-server 10.0.0.1 port 389
set access firewall-authentication pass-through default-profile dyn-vpn-ldap-xauth
set access firewall-authentication web-authentication default-profile dyn-vpn-ldap-xauth

#Associate the IKE gateway with the access profile (XAuth)
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth
#Allow the AD group to authenticate to the dynamic VPN (replace the placeholder)
set security dynamic-vpn clients all user-group insert-ad-group-here

#Create the address pool for VPN users
set access address-assignment pool dyn-vpn-address-pool family inet network 10.2.0.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 10.0.0.1/32

##Dynamic VPN tunnel for VPN users
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
#VPN key (replace the placeholder)
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
#Interface the clients connect to; the host-inbound-traffic statements below must name the same interface
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
#Allow IKE, HTTPS (client download and XAuth) and ping on the external interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

##Associate the dynamic VPN with remote clients
set security dynamic-vpn access-profile dyn-vpn-ldap-xauth
#Remote-protected resources (routes pushed to the VPN client)
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all default-profile dyn-vpn-ldap-xauth
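A script like the one above is a web of names that must agree with each other: the pool a profile hands out, the profile an IKE gateway's XAuth uses, the interface on which IKE must be allowed inbound, and the ipsec-vpn a policy tunnels into. Dangling references commit fine and only surface as clients that cannot connect. The following checker is an added example, not code from the original post or from Juniper; it parses Junos `set` lines offline and reports such mismatches. `SAMPLE_CONFIG` is a constructed, shortened copy of the script with a pool-name mismatch and an interface mismatch deliberately left in, and the assumption that a gateway naming a physical interface means its `.0` logical unit is mine.

```python
"""Cross-reference checker for a Junos 'set' configuration script.

Added example, not part of the original post. It parses 'set ...' lines and
verifies the references a dynamic-VPN setup depends on:
  - the address pool an access profile names is actually defined,
  - the access profile an IKE gateway's xauth names is actually defined,
  - the IKE gateway's external-interface allows 'ike' as host-inbound traffic,
  - the ipsec-vpn a security policy tunnels into is actually defined.
SAMPLE_CONFIG is a constructed, shortened copy of the script above with a
pool-name mismatch and an interface mismatch left in for the checker to find.
"""
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
set access profile dyn-vpn-ldap-xauth authentication-order ldap
set access profile dyn-vpn-ldap-xauth address-assignment pool dyn-vpn-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.2.0.0/24
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-ldap-xauth
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security zones security-zone untrust interfaces ge-0/0/15.0 host-inbound-traffic system-services ike
"""


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise every 'set ...' line; blank lines and '#' comments are skipped."""
    return [line.split() for line in (raw.strip() for raw in text.splitlines())
            if line.startswith("set ")]


def match(tokens: List[str], pattern: List[str]) -> Optional[Dict[str, str]]:
    """Match a statement against a pattern prefix. Items written as '<name>'
    capture the token at that position; any other item must match literally.
    Returns the captures, or None when the statement does not match."""
    if len(tokens) < len(pattern):
        return None
    captures: Dict[str, str] = {}
    for tok, pat in zip(tokens, pattern):
        if pat.startswith("<") and pat.endswith(">"):
            captures[pat[1:-1]] = tok
        elif tok != pat:
            return None
    return captures


def check_config(text: str) -> List[str]:
    """Return one human-readable finding per dangling reference (empty list = consistent)."""
    stmts = parse_set_lines(text)

    def find(*pattern: str) -> List[Dict[str, str]]:
        return [m for m in (match(s, list(pattern)) for s in stmts) if m is not None]

    findings: List[str] = []

    # 1. the address pool a profile names must exist under 'set access address-assignment pool'
    pools = {m["pool"] for m in find("set", "access", "address-assignment", "pool", "<pool>")}
    for m in find("set", "access", "profile", "<prof>", "address-assignment", "pool", "<pool>"):
        if m["pool"] not in pools:
            findings.append(f"profile {m['prof']} references undefined address pool {m['pool']}")

    # 2. the access profile an IKE gateway's xauth names must exist
    profiles = {m["prof"] for m in find("set", "access", "profile", "<prof>")}
    for m in find("set", "security", "ike", "gateway", "<gw>", "xauth", "access-profile", "<prof>"):
        if m["prof"] not in profiles:
            findings.append(f"ike gateway {m['gw']} references undefined access profile {m['prof']}")

    # 3. the external interface must accept IKE as host-inbound traffic (assumption: a gateway
    #    that names the physical interface without a unit means logical unit .0)
    ike_ifls = {m["ifl"] for m in find("set", "security", "zones", "security-zone", "<zone>",
                                        "interfaces", "<ifl>", "host-inbound-traffic",
                                        "system-services", "ike")}
    for m in find("set", "security", "ike", "gateway", "<gw>", "external-interface", "<ifd>"):
        ifl = m["ifd"] if "." in m["ifd"] else m["ifd"] + ".0"
        if ifl not in ike_ifls:
            findings.append(f"ike gateway {m['gw']} external-interface {m['ifd']} has no "
                            f"host-inbound-traffic system-services ike on {ifl}")

    # 4. the ipsec-vpn a tunnel policy permits into must exist
    vpns = {m["vpn"] for m in find("set", "security", "ipsec", "vpn", "<vpn>")}
    for m in find("set", "security", "policies", "from-zone", "<fz>", "to-zone", "<tz>",
                  "policy", "<pol>", "then", "permit", "tunnel", "ipsec-vpn", "<vpn>"):
        if m["vpn"] not in vpns:
            findings.append(f"policy {m['pol']} tunnels into undefined ipsec-vpn {m['vpn']}")

    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```

Run against the sample it reports two findings (the undefined pool `dyn-vpn-pool` and the missing `ike` host-inbound service on `ge-0/0/0.0`); paste your own `show configuration | display set` output into `SAMPLE_CONFIG` to check a real box before committing.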

Sometimes you need to debug the authentication requests themselves. To troubleshoot XAuth (here, LDAP) authentication attempts, enable traceoptions for the general authentication service; the trace covers LDAP and every other authentication module that authd tries:

set system processes general-authentication-service traceoptions file general_auth
set system processes general-authentication-service traceoptions flag all

After committing, run “show log general_auth” from the CLI, or “tail -f /var/log/general_auth” from the shell, to follow the attempts in real time. The log shows which authentication module handled each request and what it returned. As an example, here’s a failed attempt:

Jun  2 13:07:50.365359 ###################################################################
Jun  2 13:07:50.365390 ########################### AUTH REQ RCVD #########################
Jun  2 13:07:50.365414 ###################################################################
Jun  2 13:07:50.365439 Auth-FSM: Process Auth-Request for session-id:9281637515948036499
Jun  2 13:07:50.365482 Framework: Starting authentication
Jun  2 13:07:50.365514 authd_advance_module_for_aaa_request_msg: result:0
Jun  2 13:07:50.365548 Authd module start session-id:9281637515948036499
Jun  2 13:07:50.365583 Local : authd_local_start_auth: got params  profile=dyn-vpn-access-profile, username=test
Jun  2 13:07:50.365610 Local : start authd_local_lookup
Jun  2 13:07:50.365636 Local : profile dyn-vpn-access-profile found
Jun  2 13:07:50.365665 Local : client test NOT found
Jun  2 13:07:50.365692 authd_auth_module_start: session-id:9281637515948036499 result = 3 start_auth; state = 0
Jun  2 13:07:50.365754 authd_auth_module_start: Error in calling the start_auth
Jun  2 13:07:50.365790 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE
Jun  2 13:07:50.365823 Framework: auth result is 11. Performing post-auth operations
Jun  2 13:07:50.365850 Framework: result is 11.
Jun  2 13:07:50.365879 authd_auth_send_answer: conn=2878000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), session-id:9281637515948036499, cookie=38, rply_len=28, num_tlv_blocks=0
Jun  2 13:07:50.365954 Delete session-id:9281637515948036499

The clue in that log is the profile and the module: the request was handled by the local password module under profile dyn-vpn-access-profile, which has no local client named test, so LDAP was never consulted (module(password) return: FAILURE, reply-code=2 (FAIL)). Here’s a successful attempt, in which the ldap module returns SUCCESS and the answer is reply-code=1 (OK):

Jun  2 13:16:18.410450 ###################################################################
Jun  2 13:16:18.410926 ########################### AUTH REQ RCVD #########################
Jun  2 13:16:18.411047 ###################################################################
Jun  2 13:16:18.411277 Auth-FSM: Process Auth-Request for session-id:9281637520243046915
Jun  2 13:16:18.412288 Framework: Starting authentication
Jun  2 13:16:18.412466 authd_advance_module_for_aaa_request_msg: result:0
Jun  2 13:16:18.412933 Authd module start session-id:9281637520243046915
Jun  2 13:16:18.413131 REQUEST: AUTHEN - module_index 0 module(ldap) return: ASYNC
Jun  2 13:16:18.413518 UserAccess:test session-id:9281637520243046915 state:start
Jun  2 13:16:18.448773 Framework - module(ldap) return: SUCCESS
Jun  2 13:16:18.450504 authd_advance_module_for_aaa_response_msg: result:2
Jun  2 13:16:18.452502 ../../../../../../src/junos/usr.sbin/authd/aaa-service/authd_aaa_astable.cc:1507 Authd-Lite update user-name = No username found
Jun  2 13:16:18.454595 authd_auth_update_local_server_address Searching access profile dyn-vpn-ldap-xauth for local DNS Server
Jun  2 13:16:18.456524 Auth-FSM: reinterpretFsmEvent 2 to 12
Jun  2 13:16:18.458508 AuthFsm::current state=AuthStart(1) event=12 astEntry=0x1773a24 aaa msg=0xda406c
Jun  2 13:16:18.459618 Auth-FSM: Process Auth-Response for session-id:9281637520243046915 and client type auth-lite
Jun  2 13:16:18.460509 Framework: auth result is 1. Performing post-auth operations
Jun  2 13:16:18.462516 (authd_update_session_options) num_tlv_blocks:0
Jun  2 13:16:18.464546 Framework: Updating session timeout (599999940) in response for user 'test' from profile 'dyn-vpn-ldap-xauth'
Jun  2 13:16:18.466524 Framework: length of first client-group if already present = 11
Jun  2 13:16:18.468521 Framework: result is 1.
Jun  2 13:16:18.469515 authd_auth_send_answer: conn=2878000, reply-code=1 (OK), result-subopcode=1 (ACCESS_OK), session-id:9281637520243046915, cookie=39, rply_len=4476, num_tlv_blocks=1
Jun  2 13:16:18.470590 sess_timeout: 599999940
Jun  2 13:16:18.472561 authd_auth_send_answer,tlv_begin:800 tot_tlv_buf_len:0 num_tlv_blocks:0
Jun  2 13:16:18.474567 authd_auth_send_answer, rply_len:4476
Jun  2 13:16:18.476553 authd_auth_send_answer: conn is 2878000 response is 289f000 result is 1, cookie = 39 rply_len:4476 num_tlv_block = 0
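The two traces above differ in a handful of lines: the profile and username authd starts with, which module returns what, and the final reply-code. When a box logs dozens of attempts a minute, picking those out by eye gets slow. The helper below is an added example, not code from the original post or from Juniper; it groups the trace into requests and explains each one in a line. `SAMPLE_LOG` is a constructed extract built only from line shapes that appear in the traces above, and the regular expressions assume messages of exactly those shapes.

```python
"""Triage helper for the authd trace written by general-authentication-service traceoptions.

Added example, not from the original post. It splits the trace into
authentication requests (each opens with an 'AUTH REQ RCVD' banner) and
extracts, per request, the session-id, username and access profile, the
modules authd tried with their results, and the final reply-code.
diagnose() then states in one line why a request was denied or accepted.
SAMPLE_LOG is a constructed extract made of lines in the shapes shown above;
any message format beyond those lines is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
Jun  2 13:07:50.365390 ########################### AUTH REQ RCVD #########################
Jun  2 13:07:50.365439 Auth-FSM: Process Auth-Request for session-id:9281637515948036499
Jun  2 13:07:50.365583 Local : authd_local_start_auth: got params  profile=dyn-vpn-access-profile, username=test
Jun  2 13:07:50.365665 Local : client test NOT found
Jun  2 13:07:50.365790 REQUEST: AUTHEN - module_index 0 module(password) return: FAILURE
Jun  2 13:07:50.365879 authd_auth_send_answer: conn=2878000, reply-code=2 (FAIL), result-subopcode=11 (ACCESS_DENY), session-id:9281637515948036499, cookie=38, rply_len=28, num_tlv_blocks=0
Jun  2 13:16:18.410926 ########################### AUTH REQ RCVD #########################
Jun  2 13:16:18.411277 Auth-FSM: Process Auth-Request for session-id:9281637520243046915
Jun  2 13:16:18.413131 REQUEST: AUTHEN - module_index 0 module(ldap) return: ASYNC
Jun  2 13:16:18.413518 UserAccess:test session-id:9281637520243046915 state:start
Jun  2 13:16:18.448773 Framework - module(ldap) return: SUCCESS
Jun  2 13:16:18.464546 Framework: Updating session timeout (599999940) in response for user 'test' from profile 'dyn-vpn-ldap-xauth'
Jun  2 13:16:18.469515 authd_auth_send_answer: conn=2878000, reply-code=1 (OK), result-subopcode=1 (ACCESS_OK), session-id:9281637520243046915, cookie=39, rply_len=4476, num_tlv_blocks=1
"""


@dataclass
class AuthAttempt:
    session_id: Optional[str] = None
    username: Optional[str] = None
    profile: Optional[str] = None
    modules: List[str] = field(default_factory=list)   # "module:result", in the order tried
    reply: Optional[str] = None                        # OK or FAIL
    subopcode: Optional[str] = None                    # ACCESS_OK or ACCESS_DENY
    notes: List[str] = field(default_factory=list)     # e.g. "Local : client test NOT found"


SESSION_RE = re.compile(r"Process Auth-Request for session-id:(\d+)")
PARAMS_RE = re.compile(r"profile=([\w-]+), username=(\S+)")
MODULE_RE = re.compile(r"module\((\w+)\) return: (\w+)")
PROFILE_RE = re.compile(r"for user '([^']+)' from profile '([^']+)'")
ANSWER_RE = re.compile(r"reply-code=\d+ \((\w+)\), result-subopcode=\d+ \((\w+)\)")


def parse_auth_log(text: str) -> List[AuthAttempt]:
    """Group trace lines into AuthAttempt records, one per AUTH REQ RCVD banner."""
    attempts: List[AuthAttempt] = []
    cur: Optional[AuthAttempt] = None
    for line in text.splitlines():
        if "AUTH REQ RCVD" in line:
            cur = AuthAttempt()
            attempts.append(cur)
            continue
        if cur is None:  # lines before the first banner belong to no request
            continue
        if m := SESSION_RE.search(line):
            cur.session_id = m.group(1)
        elif m := PARAMS_RE.search(line):
            cur.profile, cur.username = m.group(1), m.group(2)
        elif m := MODULE_RE.search(line):
            cur.modules.append(f"{m.group(1)}:{m.group(2)}")
        elif m := PROFILE_RE.search(line):
            cur.username, cur.profile = m.group(1), m.group(2)
        elif m := ANSWER_RE.search(line):
            cur.reply, cur.subopcode = m.group(1), m.group(2)
        elif "NOT found" in line:
            # drop the "Mon DD HH:MM:SS.ffffff" timestamp (three fields), keep the message
            cur.notes.append(line.split(maxsplit=3)[3])
    return attempts


def diagnose(a: AuthAttempt) -> str:
    """One-line explanation of an attempt, built from the modules tried and the reply."""
    tried = {m.split(":")[0] for m in a.modules}
    if a.reply == "OK":
        return (f"session {a.session_id}: user {a.username!r} accepted via "
                f"{'/'.join(sorted(tried))} (profile {a.profile})")
    if "ldap" not in tried and "password" in tried:
        return (f"session {a.session_id}: user {a.username!r} denied by the local password module "
                f"under profile {a.profile}; LDAP was never consulted, so check which access-profile "
                f"the IKE gateway's xauth uses and that its authentication-order is ldap")
    return (f"session {a.session_id}: denied ({a.subopcode}); "
            f"modules tried: {', '.join(a.modules) or 'none'}; notes: {'; '.join(a.notes) or 'none'}")


if __name__ == "__main__":
    for attempt in parse_auth_log(SAMPLE_LOG):
        print(diagnose(attempt))
```

Feed it the output of `show log general_auth` and it prints one line per request; the first sample request comes out as "denied by the local password module ... LDAP was never consulted", which is exactly the wrong-profile symptom shown in the failed trace above.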

 
