Slide 1
2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Proprietary and Confidential
Welcome to Juniper Networks SRX Series Dynamic VPN Advanced Troubleshooting eLearning module.
SERT-SRX01-A
Slide 2
Throughout this module, you will find slides with valuable detailed information. You can stop any slide with the Pause button to study the details. You can also read the notes by using the Notes tab. You can click the Feedback link at any time to submit suggestions or corrections directly to the Juniper Networks eLearning team.
Slide 3
Course Objectives
After successfully completing this course, you will be able to:
Discuss feature descriptions of and requirements for the SRX Series Dynamic VPN
Describe the recommended configuration
Discuss troubleshooting recommendations
Describe troubleshooting examples
Slide 4
This course consists of four sections, presented in sequential order:
Feature Description and Requirements
Recommended Configuration
Troubleshooting Recommendations
Troubleshooting Examples
Slide 5
Slide 6
Section Objectives
After successfully completing this section, you will be able to:
List JTAC software license and external RADIUS server requirements
Describe Microsoft Windows and Vista client support requirements
Describe how WebAuth is used to authenticate a user
Discuss how Xauth is used in the procedure for establishment of a secure IPsec VPN tunnel between the client and the SRX
Slide 7
Requirements
JTAC Recommendation: Junos 10.0R3
Platforms Supported (as of Junos 10.1): SRX100, SRX210, SRX240
The first recommendation from JTAC is to apply the latest version of software. We also need to have a license. Licenses are available for different numbers of users; if you only have two users, no license is required and there is no charge. An external RADIUS server for Xauth is required for the authentication, because RADIUS provides the client's IP address, netmask, DNS and WINS server information, and so on.
Slide 8
Client Requirements
Microsoft Windows XP or Vista
Admin rights to install the client; once installed, no admin rights required
Client side reference: http://www.juniper.net/techpubs/software/junossecurity/junos-security10.1/junos-security-swconfigsecurity/jd0e42056.html#jd0e42056
There are requirements for the client. The client supports Microsoft Windows XP or Vista. Admin rights are needed to install the client, but once it is installed, admin rights are not required. The link is to the Junos documentation, which includes the client information: a detailed description of all the files that are installed on the client and the associated processes. It is a very good reference covering what is installed on the client.
Slide 9
Feature Description (1 of 2)
1. Point browser to https://<srx-ip>/dynamic-vpn (not needed after 1st connection)
2. Login using WebAuth configured in the SRX
3. Download from SRX the Dynamic VPN client with IKE/IPsec configuration
4. and 5. Authenticate for Xauth
6. Obtain IP address/netmask information from remote authentication (RADIUS)
7. IKE/IPsec SAs are established with SRX and access to protected resources behind SRX is allowed
http://www.juniper.net/techpubs/software/junos-security/junossecurity10.1/junos-security-swconfig-security/frameset.html
Let's examine how the feature works. First, we point our browser to this URL, which is the IP of the SRX interface that is going to receive the Dynamic VPN connection. This is only needed for the first connection, because after that the client is already downloaded and you can start the connection directly from the client. When you point the browser to this URL, you get the login prompt. WebAuth, configured in the SRX, authenticates the user. Once the user is authenticated, the SRX pushes the Dynamic VPN client software, which contains the IKE and IPsec configuration needed to establish the tunnel. In steps four and five we see the Xauth authentication: the VPN tunnel is established with Xauth, and the client obtains the IP address it will use. In the next step, the IP address and netmask information are obtained from RADIUS. Lastly, the IKE/IPsec security associations are established with the SRX. At this point, the client is able to communicate with the protected resources behind the SRX. The link at the bottom is for the documentation regarding Dynamic VPN.
Slide 10
Feature Description (2 of 2)
[Diagram: protected resources (Finance, Apps) behind the SRX]
Let's look at the steps mentioned on the previous slide. First, we point the browser to the SRX and get the login prompt. We type the username and password; the SRX authenticates them and starts the client download together with the VPN configuration. If you already have the client on your system, it looks for the VPN configuration instead. The client starts establishing the VPN tunnel and performs Xauth with the help of the RADIUS server: it asks again for the username and password in order to get the IP address and netmask information from the RADIUS server. You can also receive your DNS and WINS server addresses. After we receive this information, the tunnel establishment finishes and we have a secure IPsec VPN tunnel between the client and the SRX. We are ready to access the protected resources behind the SRX.
Slide 11
This shows more detail for all these steps. We are looking at the first connection, when we use the browser, as a step-by-step process. We enter the URL. The client management process in the SRX returns the login prompt; after the username and password are typed, the information is sent to the authentication daemon to authenticate this user. After the user is identified, the license is checked to see whether it is present and another user can be accepted. At this point, the user is identified and the license confirmed. Then a token is generated with the initial parameters and the configuration that the client needs to use, and it is sent to the client. The client downloads the Juniper Access Manager software to start the VPN tunnel.
Slide 12
This is the authentication and VPN configuration phase. It is not only for the first connection, but for any connection. In this case, we already have the client installed. If it is the first connection, the client starts automatically; otherwise, you double-click the client and start the connection. At this point, the client sends its token to the client manager in the SRX device. This is how the client manager identifies the user. If the token is missing or invalid, the client has to re-authenticate: we see here that the client sends the username and password again, and the authentication is done with the help of the authentication daemon. Then, using the initial parameters, the VPN configuration is sent again to the client. The client is ready to initiate the VPN tunnel negotiation, the IKE negotiation, and it starts Xauth.
Slide 13
This shows tunnel establishment for any connection. We are already in the IKE phase, so now we do Xauth. The parameters, username and password, are sent to the IKE process. The IKE process in the SRX performs Xauth with the help of the authentication daemon, which in turn uses the RADIUS server to provide the IP address and netmask settings. These are sent to the client, so the client can finish creating the IKE and IPsec security associations. At this point, the IKE process tells the client manager to confirm that the security associations are correct, confirm that the license is correct, and create the client information base (CIB) entry, so that the client is registered properly in the client management database.
Slide 14
Section Summary
In this section, we:
Listed JTAC software license and external RADIUS server requirements
Described Microsoft Windows and Vista client support requirements
Described how WebAuth is used to authenticate a user
Discussed how Xauth is used in the procedure for establishment of a secure IPsec VPN tunnel between the client and the SRX
Slide 15
Slide 16
Slide 17
Recommended Configuration
Slide 18
Section Objectives
After successfully completing this section, you will be able to:
List the 7 configuration steps that are implemented to facilitate client use
Describe how to perform each of these steps
Slide 19
Seven Steps
1. Access configuration
2. HTTPS configuration
3. IKE configuration
4. IPsec configuration
5. Dynamic VPN configuration
6. Policy configuration
7. Routing / Proxy-ARP
[Diagram: client 1.1.1.18/24, SRX 4.4.4.112/24, RADIUS 172.30.73.206, protected resources Finance and Apps 2.2.2.0/24]
We use these seven steps to make everything easy for the client. Once this is configured in the SRX and the client tries to connect, it is totally transparent to the client. First we do the access configuration: how do we authenticate? Then we need to enable HTTPS access to the SRX, because we access our URL using this service. Then we configure the VPN itself, IKE and IPsec. After that, we do the Dynamic VPN configuration, which links all this information together. Then we have to set policy, because if we want to allow traffic through the SRX, we always need policies. Lastly, we configure routing or proxy ARP, depending on the case. At the bottom of the slide we have our Knowledge Base reference, Technote 7: Configuring Dynamic VPN.
Slide 20
Access Profile
One access profile using RADIUS for both webauth and xauth
root@flo> show configuration access
profile radius-auth {
    authentication-order radius;
    radius-server {
        172.30.73.206 secret "$9$LES7dsaZjP5F245Fn/0OX7-"; ## SECRET-DATA
    }
}
firewall-authentication {
    web-authentication {
        default-profile radius-auth;
    }
}
First, we look at the access profile. To authenticate users we need WebAuth, and a RADIUS server configured for Xauth. In this case we use the RADIUS server for both authentications: when we authenticate via WebAuth, we check with RADIUS as well, so we don't need different user databases. We define a profile for RADIUS, and it is very simple: the authentication order, the server IP address, and the shared secret. For web authentication, we specify that the default profile is the RADIUS profile we just defined.
Slide 21
HTTPS Configuration
Enable HTTPS Service
Remember to enable host-inbound-traffic system-services as well
For HTTPS, we receive the client's requests on this service, so we need to enable web-management HTTPS under system services. We don't need to specify an interface there, but in the zone configuration we must allow HTTPS as host-inbound traffic on the zone that receives the connections.
Slide 22
IKE Configuration
Define IKE configuration
IKE proposal
IKE mode
Pre-shared keys
root@flo> show configuration security ike
traceoptions {
    file ike-debug size 1m files 2;
    flag all;
}
proposal phase1-prop {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-pol {
    mode aggressive;
    proposals phase1-prop;
    pre-shared-key ascii-text "$9$TF6ABIcvWxp0WxNdg4QFn"; ## SECRET-DATA
}
gateway dyn-vpn {
    ike-policy ike-pol;
    dynamic hostname first-user-host;
    external-interface ge-0/0/1.0;
    xauth access-profile radius-auth;
}
gateway dyn-vpn-second {
    ike-policy ike-pol;
    dynamic hostname second-user-host;
    external-interface ge-0/0/1.0;
    xauth access-profile radius-auth;
}
The third step is the IKE configuration, and there must be one gateway per user. We create a proposal that uses pre-shared keys. The policy must use aggressive mode, and the gateway uses a dynamic hostname; this is the IKE ID that will be passed to the client. We also specify the access profile for Xauth, radius-auth, which we defined in step one. The second gateway is the same but for a different user. The external interface used for the VPN tunnel has to be in the inet.0 routing table, with its IP address assigned to the correct zone in the base configuration. We also need to allow IKE as a host-inbound system service so that the SRX accepts the IKE packets.
Slide 23
IPsec Configuration
Define IPsec configuration
IPsec proposal
PFS mandatory
root@flo> show configuration security ipsec
traceoptions {
    flag all;
}
proposal phase2-prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsec-pol {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals phase2-prop;
}
vpn vpn-first-user {
    ike {
        gateway dyn-vpn;
        ipsec-policy ipsec-pol;
    }
}
vpn vpn-second-user {
    ike {
        gateway dyn-vpn-second;
        ipsec-policy ipsec-pol;
    }
}
We define the IPsec VPN. First we define a proposal, then a policy. In the policy, perfect-forward-secrecy is required. We then define one VPN per user, each referencing that user's gateway, because we have one gateway for each user.
Slide 24
Next, we configure the Dynamic VPN itself; this is where everything is linked together. There are two parts. First, we specify the access profile, which is the RADIUS profile. Then we define clients for all the users that will connect. For each user, we specify the remote protected resources, that is, the networks behind the SRX that this client will access. Remote exceptions are configured for the networks the client should not send through the tunnel; the two destinations shown will not be sent through the tunnel. Then we reference the VPN that was specified in the previous step, and we define the username. This username must match what is defined on the RADIUS server, because it is passed to RADIUS for authentication. At the bottom of the slide is the configuration for a second user as an example.
Slide 25
The next step is the security policy. To allow traffic from one zone to the other, we need a policy; here it is from zone untrust to zone trust. We define the policy with source address, destination address, and application set to any, and in the permit action we specify the tunnel with the VPN for that user. Because each user uses a different VPN, we need one policy per user.
Slide 26
The last step is the proxy ARP and routing configuration. Basically, there are two cases. If the IP address assigned to the client is in the same subnet as the protected resources, we need proxy ARP configured on the SRX interface facing the protected resource. This is because the protected resource believes the client is on its local subnet, so it sends an ARP request for the client's IP address, and the firewall has to answer on the client's behalf. If the client IP is not in the same subnet, then normal routing applies.
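As an added example (not part of the module), the decision rule on this slide expressed in Python: given the address RADIUS hands to a client and the protected subnets, it reports per subnet whether the SRX has to proxy-ARP for the client or whether ordinary routing applies, and emits the Junos proxy-arp statement for the former case. The addresses come from the slides; the inside interface name ge-0/0/0.0 is an assumption, since the slides do not name it.

```python
import ipaddress

# Values taken from the slides: the protected resource 2.2.2.0/24 behind the
# SRX, the client pool 18.18.18.0/24 used in the flow packet-filter, and the
# client's virtual-adapter address 18.18.18.200 from the route print slide.
PROTECTED_RESOURCES = ["2.2.2.0/24"]
CLIENT_POOL = "18.18.18.0/24"
CLIENT_IP = "18.18.18.200"
# The SRX interface facing the protected resources is not named on the
# slides; ge-0/0/0.0 is an assumed placeholder.
INSIDE_INTERFACE = "ge-0/0/0.0"


def reachability_plan(client_ip, protected_resources, inside_interface):
    """For each protected subnet, decide whether the SRX must answer ARP for
    the client's assigned address (same subnet) or whether ordinary routing
    on the protected side is enough (different subnet).

    Returns a list of dicts with the decision and, for the proxy-ARP case,
    the Junos set command that implements it.
    """
    ip = ipaddress.ip_address(client_ip)
    plan = []
    for prefix in protected_resources:
        net = ipaddress.ip_network(prefix, strict=True)
        if ip in net:
            # Hosts in this subnet ARP for the client address directly, so the
            # SRX must respond on the client's behalf.
            plan.append({
                "resource": prefix,
                "method": "proxy-arp",
                "config": [
                    f"set security nat proxy-arp interface {inside_interface} "
                    f"address {ip}/32"
                ],
            })
        else:
            # Hosts hand traffic for the client to their gateway; they only
            # need a route for the client address that reaches the SRX.
            plan.append({
                "resource": prefix,
                "method": "routing",
                "config": [],
            })
    return plan


def pool_overlaps_resource(client_pool, protected_resources):
    """True when the RADIUS-assigned pool overlaps a protected subnet, so
    addresses from the pool may require proxy-ARP on the inside interface."""
    pool = ipaddress.ip_network(client_pool, strict=True)
    return any(pool.overlaps(ipaddress.ip_network(p)) for p in protected_resources)


if __name__ == "__main__":
    print("pool overlaps protected resources:",
          pool_overlaps_resource(CLIENT_POOL, PROTECTED_RESOURCES))
    for entry in reachability_plan(CLIENT_IP, PROTECTED_RESOURCES, INSIDE_INTERFACE):
        print(entry["resource"], "->", entry["method"], *entry["config"])
```

With the module's own addresses the pool 18.18.18.0/24 does not overlap 2.2.2.0/24, so the routing case applies; changing the client address to one inside 2.2.2.0/24 produces the proxy-arp statement instead.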
Slide 27
Section Summary
In this section, we:
Listed the 7 configuration steps that are implemented to facilitate client use
Described how to perform each of these steps
Slide 28
Slide 29
Slide 30
Troubleshooting Recommendations
Slide 31
Section Objectives
After successfully completing this section, you will be able to:
List the major commands that are used in SRX VPN-related troubleshooting
Discuss the 4 types of traceoptions that are used in the troubleshooting process
Describe the use of the show log command
Describe the use of the Juniper Access Manager client for troubleshooting
Describe the available client-side command line capabilities
Slide 32
Troubleshooting Recommendations (1 of 3)
Commands
show security dynamic-vpn users
show security dynamic-vpn client version
file list /var/db/dynamic-vpn-ipsec/
file show /var/db/dynamic-vpn-ipsec/tokens-info
show security ike security-associations
show security ike security-associations index <number> detail
show security ipsec security-associations
show security ipsec security-associations index <number> detail
show security ipsec statistics index <number>
show security policies from-zone <name> to-zone <name> policy <name> detail
show security flow session
show security flow session session-identifier <number>
We need to look at several things. First, the Dynamic VPN status itself. Then the files that hold information about the users. Then the VPN-related commands, the policy, and the flows, to confirm the tunnel is working and to see how the flows are passing through the SRX.
Slide 33
Troubleshooting Recommendations (2 of 3)
Traceoptions
set system services web-management traceoptions file https-debug
set system services web-management traceoptions level all
set system services web-management traceoptions flag all
set system processes general-authentication-service traceoptions file auth-debug
set system processes general-authentication-service traceoptions flag all
set security ike traceoptions file ike-debug
set security ike traceoptions flag all
set security ipsec traceoptions flag all
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter dyn-vpn-filter source-prefix 18.18.18.0/24
Let's look at the four different traceoptions. The first is for the client management, the Dynamic VPN feature itself. The second is for authentication: if we have problems authenticating the user, we enable these. If we have problems with VPN tunnel establishment, we set the IKE traceoptions. If we have problems with the flows, we configure the flow traceoptions; the packet-filter on the client pool keeps the output limited to Dynamic VPN traffic. For each of them we can name a file so we know exactly where the output goes, or leave the default and it goes to the default file.
Slide 34
Troubleshooting Recommendations (3 of 3)
Logs
show log https-debug
show log auth-debug
show log ike-debug
show log flow-debug
We enter show log with the filename configured in the traceoptions to check the output.
Slide 35
Client Side (1 of 4)
From Juniper Access Manager client:
Right click on the connection and select Status to see the error messages
On the client side, with the Juniper Access Manager open, we right-click the connection and select Status to see the connection result. If there is a problem, this message is the first thing to use.
Slide 36
Client Side (2 of 4)
From Juniper Access Manager client:
Enable detailed logging
Reproduce the issue
Save logs and diagnostics
File debuglog.log contains the debug messages
More detailed information can also be obtained. We select File, then Enable Detailed Logging. We reproduce the problem and then select File, Save Logs and Diagnostics to create a zip file with a lot of information. The most important file is debuglog.log, because that is where the debug messages are.
Slide 37
Client Side (3 of 4)
Start -> Run -> cmd
ipconfig /all shows the virtual adapter
We can also run ipconfig /all on the client to confirm that the virtual adapter was created.
Slide 38
Client Side (4 of 4)
Start -> Run -> cmd
route print
We can also use route print from the command line. It shows the protected networks, the exceptions, and the virtual adapter itself. Here the virtual adapter is 18.18.18.200. The 2.2.2.0 network is the protected resource, according to the configuration we just saw. The 5.5.5.0 network is one of those configured as an exception: its gateway is not the virtual adapter but a different gateway, so traffic to this destination is not encrypted.
Slide 39
Section Summary
In this section, we:
Listed the major commands that are used in SRX VPN-related troubleshooting
Discussed the 4 types of traceoptions that are used in the troubleshooting process
Described the use of the show log command
Described the use of the Juniper Access Manager client for troubleshooting
Described the available client-side command line capabilities
Slide 40
Slide 41
Slide 42
Troubleshooting Examples
Slide 43
Section Objectives
After successfully completing this section, you will be able to:
Describe the use of different categories of show commands in the troubleshooting process
Describe the use of the various traceoptions in solving Dynamic VPN problems
Slide 44
Looking at a successful connection, we want to show, as a reference, what is expected in a working scenario. First, we check the authentication, using the authentication traceoptions. We enter show log auth-debug and look for the response from RADIUS: we see Client Request Status Success and then return success. This is a successful authentication. If it is the first connection, we use the browser and authenticate once at the login prompt to download the client. When the client starts, it requests a second authentication to download the VPN configuration. Once the VPN configuration is there, the client starts the tunnel negotiation, IKE, and we authenticate a third time for Xauth to obtain the IP address. For any later connection, the client already exists and passes its token to the SRX, so only the Xauth authentication is needed and you authenticate once. If the token is not present or is invalid, the client re-authenticates to download the latest VPN configuration, then establishes the tunnel and does Xauth.
Slide 45
Mar 24 15:45:21 get_client_config: First connection for user first-user at IP 1.1.1.18
Mar 24 (...)
Mar 24 (...) socket
Mar 24 15:45:21 get_client_config: Got a vpn config for username = first-user
Mar 24 15:45:21 prepare_client_config: License check request sent with token_idx 0, ike-id first-user-host, 14, gk type 3.
Mar 24 15:45:21 acadia_authenticate_user: return code from get_client_config: 4
Mar 24 15:45:21 acadia_authenticate_user: license response pending
(...)
Mar 24 15:45:21 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Success - License available
Mar 24 15:45:21 Token table (...)
Mar 24 15:45:21 print_token_tbl: Contents of token table:
Mar 24 15:45:21 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: NULL, timestamp: Wed Mar 24 15:45:21 2010)
Let's now look at the traceoptions for the Dynamic VPN management, the client management. Going through the output: we get the connection request from the client with a username, and at this point there is no token, which means this is a first connection. The user is authenticated; you see here that fwauthd succeeded and that it is a first connection. We look up the configuration for this user and do a license check, and we see Success - License available. Then the token is created and printed in the token table, with the username, source IP, IKE ID and IPsec VPN that belong to this user. At this point the client is downloaded.
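An added example (not from the module) that parses the token-table entry above and cross-checks it against the gateway, VPN and user bindings from the recommended configuration: the token's ike-id must equal the dynamic hostname of the gateway referenced by its ipsec_vpn, and that VPN must be the one bound to the user. The sample line is the slide's own output; the second-user binding in the mapping is reconstructed from the notes, which describe it but do not show it.

```python
import re

# Token-table entry from the client-management trace on the slide (copied
# from the page, not constructed).
TOKEN_TABLE_LINE = (
    "Mar 24 15:45:21 (token: 4aa039d2bf3edf504de7e81aa58acd04, username: first-user, "
    "src_ip: 1.1.1.18, saved_src_ip: 1.1.1.18, ike-id: first-user-host, "
    "ipsec_vpn: vpn-first-user, index: 0, cib_state: 1, clientid: NULL, "
    "timestamp: Wed Mar 24 15:45:21 2010)"
)

# Bindings from the recommended configuration in the previous section:
# IKE gateway -> dynamic hostname (IKE ID), IPsec VPN -> gateway, and
# dynamic-vpn user -> IPsec VPN. The second-user entries are reconstructed
# from the notes (assumption), the first-user entries are shown on the slides.
IKE_GATEWAY_HOSTNAME = {"dyn-vpn": "first-user-host", "dyn-vpn-second": "second-user-host"}
IPSEC_VPN_GATEWAY = {"vpn-first-user": "dyn-vpn", "vpn-second-user": "dyn-vpn-second"}
DYNAMIC_VPN_USER_VPN = {"first-user": "vpn-first-user", "second-user": "vpn-second-user"}


def parse_token_entry(line):
    """Parse one '(key: value, key: value, ...)' token-table entry into a dict."""
    match = re.search(r"\((token: .*)\)\s*$", line)
    if not match:
        raise ValueError("not a token table entry")
    # Values never contain ', <key>: ', so a lookahead on that pattern splits
    # the fields even though the timestamp value contains spaces and colons.
    pairs = re.findall(r"([\w-]+): (.*?)(?=, [\w-]+: |$)", match.group(1))
    return dict(pairs)


def check_token_entry(entry, gateways=IKE_GATEWAY_HOSTNAME,
                      vpns=IPSEC_VPN_GATEWAY, users=DYNAMIC_VPN_USER_VPN):
    """Cross-check a token entry against the configuration.

    Returns a list of findings; an empty list means the entry is consistent
    with the user/VPN/gateway bindings.
    """
    findings = []
    user = entry.get("username")
    vpn = entry.get("ipsec_vpn")
    if user not in users:
        findings.append(f"user {user!r} has no dynamic-vpn client configured")
    elif users[user] != vpn:
        findings.append(f"user {user!r} is bound to {users[user]!r} but token carries {vpn!r}")
    gateway = vpns.get(vpn)
    if gateway is None:
        findings.append(f"ipsec-vpn {vpn!r} is not configured")
    elif gateways.get(gateway) != entry.get("ike-id"):
        findings.append(
            f"ike-id {entry.get('ike-id')!r} does not match dynamic hostname "
            f"{gateways.get(gateway)!r} of gateway {gateway!r}"
        )
    if entry.get("src_ip") != entry.get("saved_src_ip"):
        findings.append("src_ip differs from saved_src_ip: token used from another address")
    return findings


if __name__ == "__main__":
    parsed = parse_token_entry(TOKEN_TABLE_LINE)
    print(parsed["username"], parsed["ike-id"], parsed["ipsec_vpn"])
    print("findings:", check_token_entry(parsed) or "none")
```

Running this over every entry of the tokens-info file (or the print_token_tbl lines in the trace) points directly at a mismatched gateway dynamic hostname or a client bound to the wrong VPN, the two configuration errors the seven-step procedure makes easy to introduce.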
Slide 46
After the client is installed, it requests the connection again. This time we have a client identifier, but the token is still not present, so WebAuth authentication is needed again. Once it succeeds, we have the token and the license, and the client can start the VPN negotiation.
Slide 47
Here the client confirms the configuration, and we can see that the configuration is saved to a file. The client manager creates an entry for this user and confirms that the user is in the database and connected; the connection count of one confirms the user is properly connected.
Slide 48
Now we check how the IKE negotiation is done and how the VPN tunnel is established, using the IKE traceoptions. Going through the output, the first packet is received by the SRX to start the IKE negotiation and the client is identified as a Juniper IPsec client. We see that phase 1 finishes. We move to phase 2 and see the messages Successful Phase 2 and Phase 2 Connection Succeeded. Here are the details of the security association: the algorithms used, lifetime, group, and whether the mode is tunnel or transport. Finally, the message Successfully added ipsec security association PAIR confirms the tunnel. Now we move to the show commands.
Slide 49
The show commands give very useful information. First, for the Dynamic VPN, we list the users and see the details of each user and, most importantly, the status. We can also check which client version is in use; in this case it is 1.1.0.5783.
Slide 50
We can also use the file show and file list commands to see the contents of the tokens-info file. This is the file that contains the tokens for each user.
Slide 51
root@flo> show security ike security-associations index 19 detail
IKE peer 1.1.1.18, Index 19, Role: Responder, State: UP
  Initiator cookie: 017ef8c64cba11a6, Responder cookie: 1a3249baa3ddd71b
  Exchange type: Aggressive, Authentication method: Pre shared keys with XAuth (initiator)
  Local: 4.4.4.112:500, Remote: 1.1.1.18:1839
  Lifetime: Expires in 622 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                42521
   Output bytes  :                43680
   Input  packets:                  490
   Output packets:                  493
  Flags: Caller notification sent
  IPsec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0
Next, we check the VPN-related commands, starting with the IKE security associations. We can see that the SA is up and, for example, that aggressive mode is in use. Selecting the index with the detail option shows all the information. The role should always be Responder, because the client always initiates the connection. In the details we see aggressive mode, pre-shared keys with Xauth, the algorithms, the remaining lifetime, and the IKE packet statistics.
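An added example, not part of the module: a small Python checker that parses the output above and verifies the points the notes call out for a healthy Dynamic VPN phase 1 SA (state UP, role Responder, aggressive mode, pre-shared keys with XAuth, a phase 2 SA created, IKE traffic in both directions). The sample text is the slide's own output; the field names are read from that output and nothing else is assumed.

```python
import re

# Output of "show security ike security-associations index 19 detail" as it
# appears on the slide (copied from the page, not constructed).
IKE_SA_DETAIL = """\
IKE peer 1.1.1.18, Index 19, Role: Responder, State: UP
  Initiator cookie: 017ef8c64cba11a6, Responder cookie: 1a3249baa3ddd71b
  Exchange type: Aggressive, Authentication method: Pre shared keys with XAuth (initiator)
  Local: 4.4.4.112:500, Remote: 1.1.1.18:1839
  Lifetime: Expires in 622 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                42521
   Output bytes  :                43680
   Input  packets:                  490
   Output packets:                  493
  Flags: Caller notification sent
  IPsec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0
"""


def parse_ike_sa_detail(text):
    """Extract the fields the troubleshooting walkthrough looks at."""
    sa = {}
    m = re.search(r"IKE peer (\S+), Index (\d+), Role: (\w+), State: (\w+)", text)
    sa["peer"], sa["index"] = m.group(1), int(m.group(2))
    sa["role"], sa["state"] = m.group(3), m.group(4)
    m = re.search(r"Exchange type: (\w+), Authentication method: ([^\n]+)", text)
    sa["exchange"], sa["auth_method"] = m.group(1), m.group(2).strip()
    m = re.search(r"Lifetime: Expires in (\d+) seconds", text)
    sa["lifetime_left"] = int(m.group(1))
    # "Input  bytes  :  42521" style counters; column padding varies, so allow any whitespace.
    stats = {}
    for direction, unit, value in re.findall(r"(Input|Output)\s+(bytes|packets)\s*:\s*(\d+)", text):
        stats[f"{direction.lower()}_{unit}"] = int(value)
    sa["stats"] = stats
    m = re.search(r"IPsec security associations: (\d+) created, (\d+) deleted", text, re.I)
    sa["ipsec_created"], sa["ipsec_deleted"] = int(m.group(1)), int(m.group(2))
    return sa


def check_dynamic_vpn_ike_sa(sa):
    """Return findings; an empty list means the SA matches the healthy case on the slide."""
    findings = []
    if sa["state"] != "UP":
        findings.append(f"phase 1 state is {sa['state']}, expected UP")
    if sa["role"] != "Responder":
        findings.append("SRX should be Responder: the Dynamic VPN client always initiates")
    if sa["exchange"] != "Aggressive":
        findings.append("Dynamic VPN gateways use an aggressive-mode IKE policy")
    if "XAuth" not in sa["auth_method"]:
        findings.append("authentication method lacks XAuth; check xauth access-profile on the gateway")
    if sa["ipsec_created"] == 0:
        findings.append("no phase 2 SA created yet; check IPsec SAs and the tunnel policy")
    if not sa["stats"].get("input_packets") or not sa["stats"].get("output_packets"):
        findings.append("no IKE traffic in one direction")
    return findings


if __name__ == "__main__":
    parsed = parse_ike_sa_detail(IKE_SA_DETAIL)
    print(f"peer {parsed['peer']} index {parsed['index']}: {parsed['role']}/{parsed['state']}")
    print("findings:", check_dynamic_vpn_ike_sa(parsed) or "none")
```

The same parser runs over the output of the command without an index, one SA at a time, which makes it easy to spot the one client whose phase 1 is up but never produced a phase 2 SA.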
Slide 52
For the VPN check we look at the IPsec security associations, the phase 2 SAs, to confirm that the tunnel is up. We see the tunnel ID, the remote gateway, algorithms, SPI numbers, and lifetime. It is important to check the policy used with this VPN and confirm that the correct policy is applied to this tunnel. The information is shown for each direction.
Slide 53
Another command we can use is show security ipsec statistics. This is very useful for seeing how traffic flows through the tunnel: it shows the encrypted and decrypted bytes and packets going into and coming out of the tunnel.
Slide 54
Let's look at the policy commands, here the show security policies command. If the count option is enabled in the policy, we get statistics for session creation, the number of active sessions for that policy, and the input and output packets, which helps to check the flows. We can also confirm the VPN related to this policy, its type, and the tunnel index. Here we see tunnel number 2.
Slide 55
Then we use the flow commands to see what type of flows we have. First, the tunnel option of the command shows the tunnel session created for this VPN, which we can refer to in this output. If we specify the session identifier, we see the details of that session.
Slide 56
To check the transit flows going through the firewall over this VPN, we use the show security flow session command with the destination-prefix or source-prefix option. In this case, we see an FTP session on port 21. With the session identifier we see its details: the application, junos-ftp, the policy name, the details of each wing of the session (in and out), and the interfaces involved. This is very useful information.
Slide 57
Possible Issues
- Download fail: httpd-gk
- Login problems: httpd-gk, authd, token info (/var/db/dynamic-vpn-ipsec/tokens-nfo)
We use these outputs to solve dynamic VPN problems. If the client download fails, check the web-management traceoptions; httpd-gk is the default file name for the web-management traceoptions. For login problems, check the web-management traceoptions, the authentication traceoptions, or the token information. For Xauth problems, check the IKE traceoptions or the web-management traceoptions. If the tunnel does not come up, look at the IKE traceoptions. If traffic does not pass through the tunnel, look at the flow traceoptions.
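As an added example that is not part of this module, the following Junos set commands turn on the traceoptions just listed, one group per symptom, writing to the same file names the later slides read (https-debug, auth-debug, ike-debug). The flag names available on a given release, the client address 18.18.18.200, and the flow-debug file name are assumptions; check the flags with ? in the CLI before committing.

```junos
## Added example, not from the module. Syntax as of Junos 10.x for SRX; flag names
## and the client address 18.18.18.200 are assumptions, check them with ? first.
## Lines starting with ## are notes for the reader, not commands to paste.

## Client download fails, browser hangs, "No Configuration Available": web-management
## (the default file is httpd-gk; the later slides read the named file https-debug)
set system services web-management traceoptions file https-debug
set system services web-management traceoptions flag all
set system services web-management traceoptions level all

## Login / Xauth credential failures: the authentication daemon (authd, RADIUS)
set access traceoptions file auth-debug
set access traceoptions flag all

## Xauth exchange and tunnel not coming up: IKE (kmd)
set security ike traceoptions file ike-debug
set security ike traceoptions flag all

## Traffic not passing once the tunnel is up: flow. Always use packet-filters so the
## trace only carries the one client's packets, in both directions.
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter from-client source-prefix 18.18.18.200/32
set security flow traceoptions packet-filter to-client destination-prefix 18.18.18.200/32
commit

## Reproduce the failure, then read the traces (match takes a regular expression)
run show log auth-debug | match "radius|fail"
run show log ike-debug | match "not recognized|No proposal|LOOKUP_FAILURE"
run show log flow-debug | match "route lookup|denied|packet dropped"

## Remove the traces when done; "flag all" is expensive on a production SRX
delete security ike traceoptions
delete security flow traceoptions
delete access traceoptions
delete system services web-management traceoptions
commit
```

The packet filters matter more than they look: without them a flow trace on a busy SRX fills the file with unrelated sessions and hides the one drop you are looking for, and the match strings above are the exact phrases that appear in the traces shown on the following slides.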
Slide 58
Let's look at one example, No Configuration Available. When you enter the username and password and get the message No Configuration Available, either the license check failed, or the authentication itself worked but no dynamic VPN configuration exists for that client. In the web-management traceoptions we can see this clearly: we get No User Configuration Available.
Slide 59
On the client side, we can also see the message. If we right-click and select Status, we see No Configuration Available. In this case, it is important to check the configuration on the SRX.
Slide 60
What do we do to solve this problem? First, check the configuration and the license. If the error persists, there is a workaround: remove the token information file and restart the web-management process with the command restart web-management. This should recover from the problem. Existing users are not affected, because their VPN tunnels are already established and keep working.
Slide 61
Xauth Failure (1 of 2)
- When using the JAM client, the status shows "Reconnecting to Server" after typing the username/password
- Check whether the username and password match the configuration of the dynamic-vpn user and the RADIUS server
Now we look at an Xauth failure. We are trying to establish the connection, and the client shows the message Reconnecting to Server. One possible cause is incorrect credentials. Check the username and password: do they really match what is in the dynamic VPN configuration on the SRX and on the RADIUS server? Both must match and be correct for authentication to work.
Slide 62
Xauth Failure (2 of 2)
- Check that the RADIUS service is up and running.
- Example of the RADIUS service down:

root@flo> show log auth-debug
Mar 30 11:03:09 authd_radius_start_auth: Starting RADIUS authentication
Mar 30 11:03:09 authd_radius_build_basic_auth_request: got params profile=radius-auth, username=first-user
Mar 30 11:03:09 authd_radius_server_create: ZERO radius servers added : may be all are down
Mar 30 11:03:09 authd_auth_module_start: Error in calling the radius start_auth
Mar 30 11:03:09 AUTHEN - module(radius) return: SERVER

root@flo> show log https-debug
Mar 30 11:03:09 acadia_authenticate_user: username = first-user, token = , client_identifier = 90c5bfaa69e0debdf84ca5e4ddfc223441884a86 ()
Mar 30 11:03:09 acadia_fwauthd_authenticate: sending auth request to fwauthd for IP 1010112 ()
Mar 30 11:03:09 Authentication of user first-user with fwauthd failed ()
Mar 30 11:03:09 ACADIA LOGIN request received for username (first-user) ip (1.1.1.18): Failed
On the SRX side, we look at the authentication traceoptions, the xauth debug file we created for this scenario. The example here is RADIUS service down. In the xauth debug we see an error calling RADIUS (ZERO radius servers added, may be all are down), which indicates a communication problem with the RADIUS server. In the web-management (client management) traceoptions we see web-management send the auth request to the authentication daemon, fwauthd, and get the response back that it failed. The last message, Failed, means the authentication has failed, and the client shows the message we saw on the previous slide. In this case, we need to look at the RADIUS server itself: check that the service is up, or enable debugging on the RADIUS server (how depends on which RADIUS server you have). You can also take packet captures.
Slide 63
IKE Failure (1 of 4)
- Check the status in the JAM client for "IKE negotiations failed"
Let's move on to another type of problem, the IKE failure. In the client, you may see the message IKE Negotiations Failed.
Slide 64
IKE Failure (2 of 4)
- The detailed logs in the client show the event as well:

root@FreeBSD-server> cat debuglog.log | grep PROPOSAL
00182,09 2010/03/30 11:19:50.968 1 SYSTEM dsAccessService.exe vpnAccessMethod p1884 t9F8 vpnAccessInstance.cpp:922 - 'vpnAccessMethod' got NO PHASE1 PROPOSAL CHOSEN from firewall 4.4.4.112
If we enable detailed logs in the client, we can also look at debuglog.log, which contains the detailed negotiation log. We see that no phase 1 proposal was chosen by the SRX: the SRX did not match any phase 1 proposal and cancelled the connection, and we can see that from the client's detailed log as well.
Slide 65
IKE Failure (3 of 4)
- The IKE debug on the SRX should show "No proposal chosen":

root@flo> show log ike-debug
Mar 30 11:28:14 ike_get_sa: Start, SA = { e574c215 645d40e7 - 00000000 00000000 } / 00000000, remote = 1.1.1.18:1125
Mar 30 11:28:14 ike_sa_allocate: Start, SA = { e574c215 645d40e7 - 32dc85f1 200c056a }
Mar 30 11:28:14 ike_init_isakmp_sa: Start, remote = 1.1.1.18:1125, initiator = 0 ()
Mar 30 11:28:14 The remote server at 1.1.1.18:1125 is 'JNPR IPsec Client' ()
Mar 30 11:28:14 Unable to find ike gateway as remote peer:1.1.1.18 is not recognized.
Mar 30 11:28:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=4.4.4.112) p1_remote=fqdn(udp:0,[0..14]=first-user-host)
Mar 30 11:28:14 KMD_PM_P1_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-1 [responder] failed for p1_local=ipv4(any:0,[0..3]=4.4.4.112) p1_remote=fqdn(udp:0,[0..14]=first-user-host) ()
Mar 30 11:28:14 4.4.4.112:500 (Responder) <-> 1.1.1.18:1125 { e574c215 645d40e7 - 32dc85f1 200c056a [-1] / 0x00000000 } Aggr; Error = No proposal chosen (14) ()
Mar 30 11:28:15 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 ..., data[0..0] = 00000000 00000000 ...
Mar 30 11:28:15 4.4.4.112:500 (Responder) <-> 1.1.1.18:1125 { e574c215 645d40e7 - 32dc85f1 200c056a [0] / 0x1b9704df } Info; Received notify err = No proposal chosen (14) to isakmp sa, delete it
On the SRX itself, we check the IKE traceoptions, the ike-debug log we created. Following the output, we see Unable to find ike gateway (the remote peer is not recognized) and then a phase 1 policy lookup failure; in the end the message is No proposal chosen, the same as on the client side. Note that in this trace the SRX does not reject the client because the proposals differ: it cannot find a gateway and policy that match the client's IKE-ID, first-user-host, and reports that to the client as No proposal chosen. The client shows the same error in both cases, so the SRX trace is what tells them apart. How do we solve this problem?
Slide 66
IKE Failure (4 of 4)
- Check in the configuration that the security policy is configured properly, with the tunnel action using the correct VPN for the user
- IKE: one gateway for each user
  - Hostname as the IKE-ID
  - Associated with the Xauth profile, which is the access profile defined in step 1
We need to check the security policy configuration. It is very important to have a security policy with the tunnel action using the VPN related to that user; if you do not have that security policy, you get this problem. For IKE, we need one gateway for each user, with the Xauth profile attached to it. For the IPsec VPN, we also need one VPN for each user, and PFS is mandatory: if PFS is not configured, the negotiation will not complete.
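As an added example that is not part of this module, here is a complete per-user configuration in Junos set-command form that satisfies the three checks above (tunnel policy, one gateway per user keyed on the hostname IKE-ID with the Xauth profile, one VPN per user with PFS). The interface names (ge-0/0/0.0 untrust, fe-0/0/5.0 trust), zone and object names, the protected network 2.2.2.0/24, the client address pool 18.18.18.0/24, and all secrets are assumptions; the username first-user and the IKE-ID first-user-host are the ones that appear in the traces on the preceding slides.

```junos
## Added example, not from the module. Interface, zone, pool and object names, the
## protected network and the secrets are assumptions. first-user / first-user-host
## are the user and FQDN IKE-ID seen in the auth-debug and ike-debug traces.

## Step 1: access profile used for Xauth and for the WebAuth login. A local user is
## shown; for RADIUS add "authentication-order radius" and a "radius-server" entry.
set access profile dyn-vpn-access-profile client first-user firewall-user password "REPLACE-ME"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 18.18.18.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range clients low 18.18.18.200 high 18.18.18.210
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

## The client reaches the SRX over HTTPS (download/login) and IKE on the external interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

## IKE: aggressive mode, PSK + Xauth, one gateway per user keyed on the hostname IKE-ID
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "REPLACE-ME"
set security ike gateway dyn-vpn-gw-first-user ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-gw-first-user dynamic hostname first-user-host
set security ike gateway dyn-vpn-gw-first-user dynamic connections-limit 1
set security ike gateway dyn-vpn-gw-first-user external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-gw-first-user xauth access-profile dyn-vpn-access-profile

## IPsec: one VPN per user; PFS is mandatory, without it phase 2 does not complete
set security ipsec policy ipsec-dyn-vpn-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn-first-user ike gateway dyn-vpn-gw-first-user
set security ipsec vpn dyn-vpn-first-user ike ipsec-policy ipsec-dyn-vpn-policy

## Security policy with the tunnel action. Without it (or without a gateway matching
## the IKE-ID) the SRX logs the phase 1 policy lookup failure shown on slide 65.
## Limit the destination to the protected resources rather than "any".
set security zones security-zone trust address-book address protected-resources 2.2.2.0/24
set security policies from-zone untrust to-zone trust policy dyn-vpn-first-user match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-first-user match destination-address protected-resources
set security policies from-zone untrust to-zone trust policy dyn-vpn-first-user match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-first-user then permit tunnel ipsec-vpn dyn-vpn-first-user

## Dynamic VPN: tie the user to the VPN and tell the client what to send through it
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients first-user-cfg ipsec-vpn dyn-vpn-first-user
set security dynamic-vpn clients first-user-cfg user first-user
set security dynamic-vpn clients first-user-cfg remote-protected-resources 2.2.2.0/24
set security dynamic-vpn clients first-user-cfg remote-exceptions 0.0.0.0/0
commit

## Verify after the client connects
run show security dynamic-vpn users
run show security ike security-associations
run show security ipsec security-associations
run show security policies policy-name dyn-vpn-first-user detail
```

Each additional user gets its own gateway (with that user's hostname as the IKE-ID), its own ipsec vpn, its own tunnel policy and its own clients entry; the ike and ipsec policies, the access profile and the address pool are shared. Keep the pre-shared key strong, because aggressive mode exposes a hash of it on the wire to anyone who can send the first IKE packet.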
Slide 67
Let's look at another example, this time a browser problem: the browser hangs, or the client does not show the login window. This can be a problem in web management, and we look at its traceoptions. First, look at the license. If the web-management traceoptions show License Response Pending and the output stops there, the process got stuck in the license check: for some reason, there was a problem checking the license.
Slide 68
Before restarting web-management, it may be necessary to remove all content from the /var/db/dynamic-vpn-ipsec directory:

root@flo> file delete /var/db/dynamic-vpn-ipsec/
root@flo> file list /var/db/dynamic-vpn-ipsec/
/var/db/dynamic-vpn-ipsec/:
Confirm that we have a correct license and retry the connection; the fault may have been temporary. If that does not work, restart the web-management process, which should bring the negotiation up again. Sometimes it is also necessary to remove the contents of the dynamic VPN directory, because it may hold incorrect or mismatched configuration data. If we delete everything, it is all regenerated and the client can connect again. There is no loss of data, because this information is always regenerated.
Slide 69
Let's now look at another example. Until now we had problems establishing the tunnel; now the tunnel is already up. The output shows the user connected and both the phase 1 and phase 2 SAs up. Sessions are being created in the session table, but the one thing we notice is that the session timeout never reaches the full application timeout: it stays at the initial value, which means the session is never completed by return traffic. That is the clue. The symptom here was that we could not reach the protected resource: we have a session, but we get no response from the protected resource.
Slide 70
The next step is to check the IPsec statistics to see what is going through the tunnel. With this output we can clearly see that there is only traffic coming out of the tunnel (decrypted) and nothing going into it: the encrypted byte count is 0. Nothing is coming back into the tunnel.
Slide 71
The next step is to check the protected resource, which may not be up, for example. Go to the protected resource and see whether it responds. In this case, we checked it and took a packet capture with tcpdump to see what arrives. The client's packet does arrive. The protected resource then sends an ARP request for the source address, 2.2.2.201, because that address is in its own subnet: it does not send the reply to a gateway, it needs the MAC address of the source directly. But that address belongs to the client behind the SRX; no host on the LAN owns it, so nobody answers the ARP request and the reply is never sent. The fix is to enable proxy ARP on the SRX: when the SRX receives this ARP request, it answers on behalf of the client, the protected resource sends the reply to the SRX's MAC address, and the SRX forwards it into the tunnel. That solves the problem. So, whenever the IP addresses assigned to clients are in the same subnet as the protected resource, go to the SRX interface connected to the protected resource and enable proxy ARP for the range of addresses the clients may be assigned.
Slide 72
If the control session is working, we can assume the client connected and established the VPN tunnel successfully.
We now check another example of traffic not flowing, this one more specific: an FTP file transfer fails. The client connects successfully to the FTP server, but when we try a file transfer it fails. In the SRX session table we see the control session to destination port 21, and it has the right timeout. The data session is established with the help of the FTP ALG, and the FTP ALG uses the resource manager to manage these connections, so we look for the data sessions with the resource-manager option of the session command, which should show the active sessions for the ALG. In this case we see nothing: the data session is not being established. What is the next step? Enable flow traceoptions, so we can see how the SRX processes the data session.
Slide 73
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:<RM> Gate(1000025) hit callback... gate_ref=1
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:rm_route_lookup: ifp: in <fe-0/0/5.0> dst_ip=18.18.18.200 [pinhole info: 18.18.18.200/18.18.18.200] ()
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:flow_ipv4_firstpath_route_lookup: no route to dest 18.18.18.200
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:RM <rm_route_lookup>: dst_ip=18.18.18.200, out_ifp is NULL [in_ifp=fe-0/0/5.0 vsd=0] ()
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT:route lookup failed: 0x0
Mar 30 12:55:23 12:55:22.1858885:CID-0:RT: packet dropped, denied by gate_hit callback
We check the flow processing of this packet. The packet comes from port 20: this is active-mode FTP, where the server opens the data connection toward the client. There is no session for it yet, so it has to match the gate (pinhole) opened by the FTP ALG. We see the gate is hit, and a route lookup is done for the destination, which is the client's IP address. In the end we see the problem: there is no route to this destination. With no route, the outgoing interface is NULL, the route lookup fails, and the packet is dropped, denied by the gate_hit callback. That is why the data session was not working. To solve this, we need a route to the client address.
Slide 74
We add a route for the client address. The next hop has to be out of the interface where the tunnel is established, so that routing resolves correctly. Following the output after the fix, the route lookup now finds the outgoing interface and the policy is matched; we see the policy name, then the ALG translation information is populated for the destination, the session is created with its session ID, and we see the packet going into the tunnel with its tunnel ID. When we ran show security ipsec security-associations earlier, the tunnel ID was 2, so we can match the number here.
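As one added configuration example that is not part of this module, the following set commands cover both client-address cases seen above: slide 71, where the client is given an address inside the protected LAN subnet and the server's ARP request has to be answered by the SRX, and slides 73 and 74, where the client address is a separate subnet for which the SRX has no route. Pool names, the interface names fe-0/0/5.0 (LAN side, the in_ifp from the trace) and ge-0/0/0.0 (external), and the upstream gateway 4.4.4.1 are assumptions; 2.2.2.201 and 18.18.18.200 are the client addresses from the traces.

```junos
## Added example, not from the module. Interface names, pool names and the upstream
## gateway 4.4.4.1 are assumptions. An access profile references ONE pool, so pick
## the case that matches your addressing.

## Case 1 (slide 71): pool carved out of the protected LAN, 2.2.2.0/24
set access address-assignment pool dyn-vpn-lan-pool family inet network 2.2.2.0/24
set access address-assignment pool dyn-vpn-lan-pool family inet range clients low 2.2.2.201 high 2.2.2.210
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-lan-pool
## The server ARPs for 2.2.2.201 because it looks local; no host owns that MAC.
## Proxy ARP on the LAN-facing interface makes the SRX answer for the whole pool range.
set security nat proxy-arp interface fe-0/0/5.0 address 2.2.2.201/32 to 2.2.2.210/32

## Case 2 (slides 73-74): pool is its own subnet, 18.18.18.0/24. No ARP issue, but the
## SRX needs a route for it, or the ALG gate hit fails with "no route to dest".
set access address-assignment pool dyn-vpn-remote-pool family inet network 18.18.18.0/24
set access address-assignment pool dyn-vpn-remote-pool family inet range clients low 18.18.18.200 high 18.18.18.210
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-remote-pool
## The route must resolve out of the external interface where the tunnel terminates
## (4.4.4.112 on ge-0/0/0.0). If a default route already points at 4.4.4.1 it covers
## the pool and this line is not needed.
set routing-options static route 18.18.18.0/24 next-hop 4.4.4.1
commit

## Verify: the route resolves via the external interface, the active-FTP data session
## now appears under the ALG's resource manager, and bytes are encrypted into tunnel 2
run show route 18.18.18.200
run show security flow session resource-manager
run show security ipsec statistics
```

Case 2 is the cleaner design: a dedicated client subnet needs no proxy ARP, keeps client addresses out of the LAN's ARP tables, and lets the tunnel policy's destination stay limited to the protected resources, whereas case 1 depends on the proxy-ARP range being kept in step with the pool whenever either one changes.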
Slide 75
Section Summary
In this section, we:
- Described the use of the different categories of show commands in the troubleshooting process
- Described the use of the various traceoptions in solving Dynamic VPN problems
In this section, we: Described the use of different categories of show commands in the troubleshooting process, and Described the use of the various traceoptions in solving Dynamic VPN problems
Slide 77
Course Summary
In this course, we:
- Discussed feature descriptions of and requirements for the SRX Series Dynamic VPN
- Described the recommended configuration
- Discussed troubleshooting recommendations
- Described troubleshooting examples
In this Course, we: Discussed feature descriptions of and requirements for the SRX Series Dynamic VPN Described the recommended configuration Discussed troubleshooting recommendations, and Described troubleshooting examples
Slide 79
If you need to open a case with JTAC, we strongly recommend including the required support information output (request support information). It contains a lot of information from the system, including the configuration and logs, and really helps JTAC to find the problem and understand the scenario in question. Here is an example of how to save the output: enter the command and pipe (|) it to save with a file name. Then transfer the file to the case.
Slide 80
Logs
- Located under the /var/log directory
- messages, kmd, authd, httpd-gk, chassisd

root@flo> show log ?
Possible completions:
  <[Enter]>            Execute this command
  <filename>           Name of log file
  IKE                  Size: 818, Last changed: Oct 30 19:11:05
  __jsrpd_commit_check__ Size: 52, Last changed: Mar 10 10:24:12
  authd                Size: 454880, Last changed: Mar 18 20:03:02
  authd.dbg            Size: 0, Last changed: Mar 17 17:24:01
  authd.sta            Size: 0, Last changed: Mar 17 17:24:01
  authd_libstats       Size: 3166, Last changed: Mar 17 17:24:07
  authd_profilelib     Size: 0, Last changed: Oct 01 07:41:15
  authd_sdb.log        Size: 10334, Last changed: Mar 18 20:03:02
  autod                Size: 31196, Last changed: Feb 22 20:04:23
  chassisd             Size: 1654463, Last changed: Mar 16 10:09:33
  config-changes       Size: 2061, Last changed: Sep 28 19:24:26
  cosd                 Size: 24105, Last changed: Mar 16 10:06:23
  cscript.log          Size: 885, Last changed: Oct 02 09:11:54
  dcd                  Size: 625886, Last changed: Mar 16 10:28:19
  debug-flow           Size: 519595, Last changed: Mar 17 15:44:24
  debug-flow.0.gz      Size: 55672, Last changed: Mar 17 15:44:07
  dfwc                 Size: 0, Last changed: Aug 26 2009
  dfwd                 Size: 1308, Last changed: Mar 16 09:59:56
  eccd                 Size: 11638, Last changed: Mar 16 10:05:17
  ext/                 Last changed: Dec 31 1969
  flowc/               Last changed: Dec 31 1969
  ggsn/                Last changed: Dec 31 1969
  gres-tp              Size: 98149, Last changed: Mar 17 17:24:07
  hostname-cached      Size: 9659, Last changed: Mar 17 15:53:59
  httpd-gk             Size: 726649, Last changed: Mar 23 10:26:04
---(more)---
We mentioned the logs during the course. We created log files for the traceoptions, and there are also other logs and default logs. All of them are in the /var/log directory. The messages log is also an important one to check. The default log files for the traceoptions we looked at are kmd for the IKE traceoptions, authd for authentication, and httpd-gk for web management, which is where the dynamic VPN traceoptions go. The chassisd log is also important, in case there are problems related to chassis management. The output shows other logs as well; which ones you see depends on what is enabled on the system. Enter show log ? to list all the logs in this directory.
Slide 81
Tech Notes
Technotes contain very useful guides: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=TECHNOTES
- TN7 Configuring Dynamic VPN (Remote Access VPN Client): detailed steps on how to configure the dynamic VPN feature on the SRX100, SRX210, SRX240 and SRX650
- VPN Resolution Guide for SRX Series Devices: JTAC-certified resolution guide for VPN configuration and troubleshooting, http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_SRX_VPN_Config_or_Trblsh.htm
- TN15 Configuring and Troubleshooting Policy-Based VPNs on J-Series and SRX
- TN14 Configuring and Troubleshooting Route-Based VPNs on J-Series and SRX
From the Knowledge Base, this is Technote 7. We strongly recommend that you check this Technote for the dynamic VPN configuration, because it contains information about RADIUS: there are two examples, one with Steel-Belted RADIUS and the other with FreeRADIUS. For example, on FreeBSD you can easily install the FreeRADIUS service and have it up and running quickly. The Technote shows the attributes you need to set and that we recommend. We also have a VPN Resolution Guide in the Knowledge Base, which guides you through the troubleshooting of VPN-related issues, and two Technotes for that as well, Technote 15 and Technote 14.
Slide 82
KB Articles
- KB16110 SRX Getting Started: Troubleshooting Traffic Flows and Session Establishment, http://kb.juniper.net/KB16110
- KB16108 SRX Getting Started: Configuring Traceoptions for Debugging and Trimming Output, http://kb.juniper.net/KB16108
We want to point out two Knowledge Base (KB) articles for the flow traceoptions. They contain suggestions on how to troubleshoot, how to configure filters, and how to trim the output. Trimming the output is quite useful: depending on what you are looking for, you can eliminate unnecessary output and focus on what helps to illustrate and resolve the issue.
Slide 83
Documentation
- Dynamic VPN: http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/frameset.html
- Feature Support Reference (shows feature support on the different SRX platforms): http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-srx-jseries-support-reference/junos-srx-jseries-support-reference.pdf
- Security Configuration Guide (detailed information about the security features, the security hierarchy, including Dynamic VPN): http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/junos-security-swconfig-security.pdf
- Interfaces and Routing Configuration Guide (information about the different interface types and encapsulation options): http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-interfaces-and-routing/junos-security-swconfig-interfaces-and-routing.pdf
- Release Notes (always important, to understand new features, existing issues and limitations): http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/release-notes/10/junos-release-notes-10.0.pdf
Here are references to the Junos documentation: the dynamic VPN link and the other topics covered in this course. We also have the Feature Support Reference, where you can check all the features supported on each platform; this is useful to confirm the configuration we are using. Use the Security Configuration Guide for everything under the security hierarchy in the configuration, and the System Basics guide for everything under the system hierarchy. Use the Interfaces and Routing Configuration Guide for interface types and routing options, and the CLI Reference for command syntax. Use the Release Notes to see the new features, existing issues, and limitations.
Slide 84
Additional Resources
Juniper Networks Education Services Curriculum
http://www.juniper.net/us/en/training/technical_education/
For additional resources or to contact the Juniper Networks eLearning team, click the links on the screen.
Slide 85
You have reached the end of this Juniper eLearning module. You should now return to your Juniper Learning Center to take the Practice Test and the Student Survey. The test will allow you to gauge your knowledge of the material covered in this course. The survey will allow you to give feedback on the quality and usefulness of the course.