Setting up and debugging Dynamic VPN (Client-VPN) with LDAP on Juniper SRX 300

The configuration script below can be used to set up an SRX 300 or similar Juniper firewall with Dynamic VPN support. You will need to change the following —

  • LDAP-Server
  • DN of the account used to search AD
  • Password for the above DN
  • Address Pool for VPN Users
  • VPN Key
  • Remote-Protected Resources (VPN Client Routes)

Sometimes you need to debug the authentication requests. The following can be done to troubleshoot XAUTH (LDAP in this case) authentication attempts. It enables traceoptions for LDAP and for the other authentication methods handled by the general authentication service.

 set system processes general-authentication-service traceoptions file general_auth
 set system processes general-authentication-service traceoptions flag all

After that, we can do a “show log general_auth” from the CLI, or from the shell “tail -f /var/log/general_auth”, to follow the attempts in real time. This log will give you clues about what is going on. As an example, here’s a failed attempt —


Here’s a successful attempt:

 
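When the trace file fills up quickly, it helps to reduce it to a per-user tally of successes and failures plus any LDAP server errors, so that a client-side credential problem, a broken bind account, an unreachable LDAP server, or a run of guessed passwords each stand out. The script below is an added example and is not part of the original post or of Junos itself; the sample log lines in it are constructed to resemble an authd trace and are not real SRX output, so the two regular expressions are assumptions that must be adjusted to the wording of your own general_auth file.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines: they imitate an authd trace log so the parser can
# be run offline. They are NOT real Junos output; the real general_auth file
# uses its own wording, so adjust the regexes below to match it.
SAMPLE_LOG = """\
Mar  3 10:01:12 authd[1234]: ldap-server 10.0.0.5: bind as cn=svc-vpn,ou=Service,dc=example,dc=com ok
Mar  3 10:01:12 authd[1234]: framework: auth request for user alice, profile dyn-vpn-profile
Mar  3 10:01:13 authd[1234]: ldap: user alice: authentication failed (invalid credentials)
Mar  3 10:02:40 authd[1234]: framework: auth request for user alice, profile dyn-vpn-profile
Mar  3 10:02:41 authd[1234]: ldap: user alice: authentication succeeded
Mar  3 10:05:02 authd[1234]: framework: auth request for user bob, profile dyn-vpn-profile
Mar  3 10:05:03 authd[1234]: ldap: user bob: authentication failed (invalid credentials)
Mar  3 10:05:20 authd[1234]: ldap: user bob: authentication failed (invalid credentials)
Mar  3 10:05:41 authd[1234]: ldap: user bob: authentication failed (invalid credentials)
Mar  3 10:06:00 authd[1234]: ldap-server 10.0.0.5: connect failed (timeout)
"""

# Assumed message shapes (see the comment above); edit to fit the real log.
RESULT_RE = re.compile(
    r"ldap: user (?P<user>\S+): authentication (?P<result>succeeded|failed)"
    r"(?: \((?P<reason>[^)]*)\))?"
)
SERVER_ERR_RE = re.compile(r"ldap-server (?P<server>\S+): (?P<event>connect failed[^\n]*)")


def summarize(lines):
    """Count LDAP authentication outcomes per user and collect LDAP server errors."""
    users = defaultdict(lambda: {"ok": 0, "fail": 0, "reasons": Counter()})
    server_errors = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            rec = users[m["user"]]
            if m["result"] == "succeeded":
                rec["ok"] += 1
            else:
                rec["fail"] += 1
                rec["reasons"][m["reason"] or "unspecified"] += 1
            continue
        m = SERVER_ERR_RE.search(line)
        if m:
            server_errors.append((m["server"], m["event"]))
    return {"users": dict(users), "server_errors": server_errors}


def repeated_failures(summary, threshold=3):
    """Users who reached the failure threshold without a single success.

    This is the first thing to look at when a client "cannot connect"
    (wrong password or wrong user on the client side) and also the pattern
    a password-guessing run leaves behind, which is worth alerting on.
    """
    return sorted(
        user for user, rec in summary["users"].items()
        if rec["fail"] >= threshold and rec["ok"] == 0
    )


def report(text):
    """Render a short human-readable triage of the trace text."""
    s = summarize(text.splitlines())
    out = []
    for user, rec in sorted(s["users"].items()):
        reasons = ", ".join(f"{r} x{n}" for r, n in rec["reasons"].most_common())
        line = f"{user}: ok={rec['ok']} fail={rec['fail']}"
        out.append(line + (f" ({reasons})" if reasons else ""))
    for server, event in s["server_errors"]:
        out.append(f"LDAP server {server}: {event}")
    for user in repeated_failures(s):
        out.append(f"NOTE: {user} has repeated failures and no success")
    return "\n".join(out)


if __name__ == "__main__":
    # Read the trace from stdin when piped (e.g. from the log file);
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

Copy the trace file off the box (or pipe the output of the show command into the script) rather than running Python on the firewall. Remember that flag all is verbose; once the problem is found, deactivate or delete the traceoptions stanza so the trace file does not keep growing.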
