ddivins

SRX Remote Access VPN

Apr 5th, 2025 (edited)
set interfaces st0 unit 0 description RAS
set interfaces st0 unit 0 family inet

set security zones security-zone VPN interfaces st0.0
set system services web-management https pki-local-certificate ACME-RA-CERT

set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services tcp-encap
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set access address-assignment pool RA-POOL family inet network 172.16.2.0/24
set access address-assignment pool RA-POOL family inet range USER_POOL_1 low 172.16.2.10
set access address-assignment pool RA-POOL family inet range USER_POOL_1 high 172.16.2.100
set access address-assignment pool RA-POOL family inet xauth-attributes primary-dns 9.9.9.9/32
set access address-assignment pool RA-POOL family inet xauth-attributes secondary-dns 8.8.8.8/32

set access profile RA-ACCESS authentication-order password
set access profile RA-ACCESS client user1 firewall-user password "XXXXXXXXXXXXXX"
set access profile RA-ACCESS client user2 firewall-user password "XXXXXXXXXXXXXx"
set access profile RA-ACCESS address-assignment pool RA-POOL
set access firewall-authentication web-authentication default-profile RA-ACCESS

set security ike proposal REMOTE-ACCESS authentication-method pre-shared-keys
set security ike proposal REMOTE-ACCESS dh-group group19
set security ike proposal REMOTE-ACCESS authentication-algorithm sha-256
set security ike proposal REMOTE-ACCESS encryption-algorithm aes-256-cbc
set security ike proposal REMOTE-ACCESS lifetime-seconds 28800
set security ike policy REMOTE-ACCESS mode aggressive
set security ike policy REMOTE-ACCESS proposals REMOTE-ACCESS
set security ike policy REMOTE-ACCESS pre-shared-key ascii-text "XXXXXXXXXXXXXXXX"
set security ike gateway REMOTE-ACCESS ike-policy REMOTE-ACCESS
set security ike gateway REMOTE-ACCESS dynamic user-at-hostname "[email protected]"
set security ike gateway REMOTE-ACCESS dynamic ike-user-type shared-ike-id
set security ike gateway REMOTE-ACCESS nat-keepalive 5
set security ike gateway REMOTE-ACCESS external-interface ge-0/0/0
set security ike gateway REMOTE-ACCESS aaa access-profile RA-ACCESS
set security ike gateway REMOTE-ACCESS version v1-only

set security ipsec proposal REMOTE-ACCESS protocol esp
set security ipsec proposal REMOTE-ACCESS encryption-algorithm aes-256-gcm
set security ipsec proposal REMOTE-ACCESS lifetime-seconds 3600
set security ipsec policy REMOTE-ACCESS perfect-forward-secrecy keys group19
set security ipsec policy REMOTE-ACCESS proposals REMOTE-ACCESS
set security ipsec vpn REMOTE-ACCESS bind-interface st0.0
set security ipsec vpn REMOTE-ACCESS df-bit clear
set security ipsec vpn REMOTE-ACCESS copy-outer-dscp
set security ipsec vpn REMOTE-ACCESS ike gateway REMOTE-ACCESS
set security ipsec vpn REMOTE-ACCESS ike idle-time 60
set security ipsec vpn REMOTE-ACCESS ike ipsec-policy REMOTE-ACCESS
set security ipsec vpn REMOTE-ACCESS ike install-interval 1
set security ipsec vpn REMOTE-ACCESS traffic-selector 172.16.1.0_24 local-ip 172.16.1.0/24
set security ipsec vpn REMOTE-ACCESS traffic-selector 172.16.1.0_24 remote-ip 0.0.0.0/0
set security ipsec vpn REMOTE-ACCESS traffic-selector 10.0.5.0_24 local-ip 10.0.5.0/24
set security ipsec vpn REMOTE-ACCESS traffic-selector 10.0.5.0_24 remote-ip 0.0.0.0/0

set security remote-access profile vpn.domain.com ipsec-vpn REMOTE-ACCESS
set security remote-access profile vpn.domain.com access-profile RA-ACCESS
set security remote-access profile vpn.domain.com client-config REMOTE-ACCESS
set security remote-access profile REMOTE-ACCESS ipsec-vpn REMOTE-ACCESS
set security remote-access profile REMOTE-ACCESS access-profile RA-ACCESS
set security remote-access profile REMOTE-ACCESS client-config REMOTE-ACCESS
set security remote-access client-config REMOTE-ACCESS connection-mode manual

Add policies from zone VPN to zone TRUST or whatever... Also, I have not enabled TCP-Encap here for SSL fallback.
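As an added defender-side example (not the paste author's configuration and not a Juniper tool), a small Python audit that parses Junos set-style lines like the ones above and flags the settings a reviewer would want to revisit: cleartext http as a host-inbound service on the untrust interface, weak DH groups, and IKEv1 aggressive mode combined with pre-shared keys. The sample config is constructed from a subset of the lines above with the key omitted; `audit_remote_access` and `parse_set_lines` are this example's own names.

```python
# Constructed sample: a subset of the paste's set-style lines, with the
# pre-shared key omitted. Not a live configuration.
SAMPLE_CONFIG = """\
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security ike proposal REMOTE-ACCESS authentication-method pre-shared-keys
set security ike proposal REMOTE-ACCESS dh-group group19
set security ike policy REMOTE-ACCESS mode aggressive
set security ike policy REMOTE-ACCESS proposals REMOTE-ACCESS
set security ike gateway REMOTE-ACCESS ike-policy REMOTE-ACCESS
set security ike gateway REMOTE-ACCESS version v1-only
set security ipsec policy REMOTE-ACCESS perfect-forward-secrecy keys group19
"""

WEAK_DH = {"group1", "group2"}  # 768/1024-bit MODP, below current guidance

def parse_set_lines(text):
    """Split 'set ...' lines into token lists, dropping 'set' and quotes."""
    return [[t.strip('"') for t in ln.split()[1:]]
            for ln in text.splitlines() if ln.strip().startswith("set ")]

def audit_remote_access(text):
    """Return hardening findings (strings) for an SRX remote-access config."""
    st = parse_set_lines(text)
    findings = []
    for s in st:
        # 1. Cleartext HTTP management allowed as host-inbound traffic.
        if s[:3] == ["security", "zones", "security-zone"] and s[-2:] == ["system-services", "http"]:
            where = s[5] if s[4] == "interfaces" else "zone-wide"
            findings.append(f"zone {s[3]}: cleartext http on {where}; allow https only")
        # 2. Weak DH groups in IKE proposals or IPsec PFS.
        if s[:3] == ["security", "ike", "proposal"] and s[4:5] == ["dh-group"] and s[-1] in WEAK_DH:
            findings.append(f"ike proposal {s[3]}: weak dh-group {s[-1]}")
        if s[:3] == ["security", "ipsec", "policy"] and s[-3:-1] == ["perfect-forward-secrecy", "keys"] and s[-1] in WEAK_DH:
            findings.append(f"ipsec policy {s[3]}: weak PFS group {s[-1]}")
    # 3. IKEv1 aggressive mode with pre-shared keys: the peer identity and the
    #    PSK-derived hash cross the wire unencrypted, so the PSK is exposed to
    #    offline guessing. Prefer IKEv2 with EAP or certificates for users.
    #    Assumes one proposal per policy, as in the paste (no bracket lists).
    psk = {s[3] for s in st if s[:3] == ["security", "ike", "proposal"]
           and s[4:] == ["authentication-method", "pre-shared-keys"]}
    aggr = {s[3] for s in st if s[:3] == ["security", "ike", "policy"] and s[4:] == ["mode", "aggressive"]}
    pol_prop = {s[3]: s[5] for s in st if s[:3] == ["security", "ike", "policy"] and s[4:5] == ["proposals"]}
    gw_pol = {s[3]: s[5] for s in st if s[:3] == ["security", "ike", "gateway"] and s[4:5] == ["ike-policy"]}
    v1 = {s[3] for s in st if s[:3] == ["security", "ike", "gateway"] and s[4:] == ["version", "v1-only"]}
    for gw in sorted(v1):
        pol = gw_pol.get(gw)
        if pol in aggr and pol_prop.get(pol) in psk:
            findings.append(f"ike gateway {gw}: IKEv1 aggressive mode with PSK (policy {pol})")
    return findings
```

Run it as `audit_remote_access(open("srx.set").read())` against a `show configuration | display set` export; an empty list means none of the three checks fired.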