Dynamic-VPN configuration (SRX series)

Do not copy-paste: the placeholders (USER, PASS, presharedkey, NUMBER, the interface and zone names) must be replaced with your own values.

In this case:

1- the WAN interface is the dialer pp0.0.

2- you need to choose between "standard", "basic" and "compatible" in the security ike proposal-set (the same choice is repeated in the ipsec proposal-set). If you want to know the difference, please visit this website:

> configure
# set system services web-management https system-generated-certificate
# edit access address-assignment
# set pool dyn-vpn-address-pool family inet network 10.99.99.0/24
# set pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.115.106.35/32
# set pool dyn-vpn-address-pool family inet xauth-attributes secondary-dns 62.219.186.7/32
# up
# set profile remote_access_profile client USER firewall-user password PASS
# set profile remote_access_profile address-assignment pool dyn-vpn-address-pool
# up
# edit firewall-authentication
# set web-authentication default-profile remote_access_profile
# top
# edit security ike
# set policy ike_pol_wizard_dyn_vpn mode aggressive
# set policy ike_pol_wizard_dyn_vpn proposal-set compatible/standard/basic
# set policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text presharedkey
# set gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
# set gateway gw_wizard_dyn_vpn dynamic hostname mokedbs
# set gateway gw_wizard_dyn_vpn dynamic connections-limit NUMBER << maximum number of concurrent VPN clients
# set gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
# set gateway gw_wizard_dyn_vpn external-interface pp0.0
# set gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
# up
# edit ipsec
# set policy ipsec_pol_wizard_dyn_vpn proposal-set compatible/standard/basic
# set vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
# set vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn
# top
# edit security policies from-zone Internet to-zone Internal
# set policy policy_in_wizard_dyn_vpn match source-address any
# set policy policy_in_wizard_dyn_vpn match destination-address any
# set policy policy_in_wizard_dyn_vpn match application any
# set policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn
# top
# edit security zones security-zone Internet interfaces pp0.0
# set host-inbound-traffic system-services https
# set host-inbound-traffic system-services ping
# set host-inbound-traffic system-services ike
# set host-inbound-traffic system-services ssh
# top
# edit security dynamic-vpn
# set force-upgrade
# set access-profile remote_access_profile
# set clients all remote-protected-resources 192.168.1.0/24 << the network the VPN client should reach through the tunnel.

**Please note:** if there is more than one network to reach, you need to configure a VPN policy for each network.

# set clients all remote-exceptions 0.0.0.0/0
# set clients all ipsec-vpn wizard_dyn_vpn
# set clients all user user << must match a client configured in the access profile (USER above), names are case-sensitive
# commit and-quit
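Before committing, it is worth checking the pieces of this configuration that must agree with each other: the dynamic-vpn user must exist in the access profile, the IKE gateway's external interface must accept ike and https as host-inbound services, and the client address pool must not overlap the protected network. The script below is an added example (not part of the original post) that runs these three checks over a constructed sample of the page's statements written out as full "set" paths; the sample deliberately leaves the user as lowercase "user" and drops the ike host-inbound line so that both checks fire.

```python
import ipaddress

# Constructed sample: the page's configuration as full "set" statements, with the
# dynamic-vpn user left as "user" and the ike host-inbound line omitted on purpose.
SAMPLE_CONFIG = """\
set access address-assignment pool dyn-vpn-address-pool family inet network 10.99.99.0/24
set access profile remote_access_profile client USER firewall-user password PASS
set security ike gateway gw_wizard_dyn_vpn external-interface pp0.0
set security ike gateway gw_wizard_dyn_vpn xauth access-profile remote_access_profile
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services https
set security zones security-zone Internet interfaces pp0.0 host-inbound-traffic system-services ping
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients all user user
"""

def check_dynamic_vpn(config):
    """Return a list of human-readable findings; an empty list means the parts agree."""
    lines = [l.split() for l in config.splitlines() if l.startswith("set ")]
    def find(*prefix):  # yield the tokens that follow a matching path prefix
        for t in lines:
            if tuple(t[1:1 + len(prefix)]) == prefix:
                yield t[1 + len(prefix):]
    findings = []
    # 1. every dynamic-vpn client user must be defined in the dynamic-vpn access profile
    profile = next((r[0] for r in find("security", "dynamic-vpn", "access-profile")), None)
    users = {r[0] for r in find("access", "profile", profile, "client")} if profile else set()
    for r in find("security", "dynamic-vpn", "clients"):
        if r[1] == "user" and r[2] not in users:
            findings.append(f"dynamic-vpn user '{r[2]}' not defined in access profile '{profile}'")
    # 2. the gateway's external interface must allow host-inbound ike (and https for the client portal)
    for r in find("security", "ike", "gateway"):
        if r[1] == "external-interface":
            svcs = set()
            for z in find("security", "zones", "security-zone"):
                if z[1:3] == ["interfaces", r[2]] and z[3:5] == ["host-inbound-traffic", "system-services"]:
                    svcs.add(z[5])
            for need in ("ike", "https"):
                if need not in svcs:
                    findings.append(f"interface {r[2]} does not allow host-inbound {need}")
    # 3. the client address pool must not overlap the protected resources
    pools = [ipaddress.ip_network(r[-1]) for r in find("access", "address-assignment", "pool") if "network" in r]
    for r in find("security", "dynamic-vpn", "clients"):
        if r[1] == "remote-protected-resources":
            res = ipaddress.ip_network(r[2])
            for p in pools:
                if p.overlaps(res):
                    findings.append(f"address pool {p} overlaps protected resource {res}")
    return findings
```

Run `check_dynamic_vpn(SAMPLE_CONFIG)` to see the two findings; correcting the user to USER and adding the ike service line returns an empty list.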

Good Luck 🙂

By : Abed AL-R. Bishara
