Getting SRX5308 VPN IPSec to work with Android (when using DynDNS)
Greetings,
It appears that I can achieve a IPSec VPN Connection (both the Android device and the SRX5308 (with the latest firmware) confirm it), but there appears to be no traffic flowing through the tunnel. I am using DynDNS, though I do not know if that has any impact on the settings I should be choosing. Below is my current configuration.
Might someone take a gander at it, and spot the flaws?
Thank You,
Ryan Ross
Accepted Solutions
All Replies
The Documentation:
The Instructions:
The Screenshot from the Instructions:
'Tis an unusual paradox. One must enable Mode Config to enable the use of XAUTH & Edge Device options. But the directions clearly state, and show, that Mode Config is NOT to be enabled.
The Instructions:
The Screenshot from the Instructions:
There is no Policy Type 'Responder' from the dropdown list, but perhaps this is meant to be taken more generally (it is in the General section), since we are ultimately building a Responder IKE / VPN policy.
The Logger (newest first):
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] ERROR: Local configuration for 192.168.4.21[500] does not have mode config
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] ERROR: Local configuration for 192.168.4.21[500] does not have mode config
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] ERROR: Local configuration for 192.168.4.21[500] does not have mode config
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] ERROR: Local configuration for 192.168.4.21[500] does not have mode config
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 192.168.4.21[500]
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] INFO: XAuthUser RemoteVossnetUser Logged In from IP Address 192.168.4.21
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] INFO: Login succeeded for user "RemoteVossnetUser"
Thu Nov 24 18:07:36 2016 (GMT -0500): [SRX5308] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 192.168.4.21[500]
So, it appears that XAUTHUSER will work for authentication purposes without mode config, but then the tunnel collapses becauses it doesn't have a mode config.
Attempting to provide a Mode Config and make use of a VPN Policy results in this error message:
I am confused.
Ok, so, some things have happened, and I'm not as far along as I'd like, but here's what I have, and I'll work with the commentary / feedback (if any) I get from you guys (*crickets*). The images have been redacted / modified to that I hopefully will not have any curious readers poking around my firewall; however, the configuration should still be valid, and if it isn't, tell me, and I'll check to see where I goofed in transcribing the config.
First up is DynDNS:
You are going to want the DynDNS Pro package if you are just doing VPN stuff (it's cheap). If you have a static IP, or are using some other service, feel free to ignore this part.
As you can see above, I've successfully registered bob.go.dyndns.org to my account, and can put it to use (which we will). It wants an IP address, so just click the 'Your current location's IP address' link to fill it with whatever WAN address it sees (we are going to tell the firewall to automatically login and keep this record up to date, so it's not a long term concern).
Next up is the SRX5308, where we need to double-check a few things, then make some changes.
My configuration uses NAT and IPv4 mode.
Making sure that at least one WAN interface is up, and that we have an IP address.
Going to need at least one VLAN...
Just some checking to make sure we have valid LAN settings (VLAN & DHCP): Bobnet is looking pretty good for a small business; the DNS servers (8.8.8.8, 8.8.4.4) are Google's.
Now let's get DynDNS up and running:
The username is the same as your DynDNS username, and the password is the same as your DynDNS password. Simple, right?
Next we are going to head over to the Users page, and add some users.
For our purposes, we are going to be using IPSEC and XAUTH which means -> you need a username & password plus a pre-shared key to login (it should be fairly secure). Add new users, selecting the 'IPSEC VPN User' as the type, and choosing appropriate passwords. Bear in mind that when you save the user with the default timeout settings, then edit that user, you'll find that the default timeout is actually 10 minutes. Something to keep in mind when you want to create a 'keep-alive' connection.
Next we will need to create a mode config. (I know, this is different from the other directions, don't ask, it works).
The IP Pool(s) are for addresses (subnets?) that are not be used anywhere else. Essentially, you are creating a new DHCP-ish pool of addresses. The DNS servers are, once again, Google's; I've enabled PFS Key Group (DH Group 5), AES-256 and SHA-1 which may be considered the best options available, and on any decent Android / Windows / Linux / Mac device you won't notice the extra work. The subnet we care about (Bobnet) is 192.168.1.0, as we can grasp from our earlier VLAN / DHCP settings.
Our BobnetModeConfig is ready for use.
Now the IKE policy can be created:
*It's similar in many respects to the other document, but here a mode config must be created, and a VPN policy is unneeded / can't be created.
The final result, when saved, should look like something like this:
And the SRX5308 portion of this configuration should be complete.
Now onto the Android portion:
You will want this client. The ~$4 one should be fine (it's what I'm using), get the $30 if you want the extra functionality.
This is the screen you will eventually get to, where a single slide of that button will make the VPN connection for you.
For now, follow More->Configure->Profile configuration->Add Profile. If you've been following the guide up until now, this part should be pretty easy for you. Like goes with like.
Finally made it to Starbucks. Tried out the ShrewSoft client with Mint 18.1 (I think we are up to 18.1) and Windows 10 Pro (both 64-bit, Windows 10 was a VM in VirtualBox).
Anyway, these settings should be consistent with everything else up until now (same shared key, same username, same password, etc.).
If you are on Windows, here's the link to the ShrewSoft VPN client: https://www.shrew.net/download/vpn . It's free.
So, General Settings are above, really only need to fill in your (possibly DynDNS) hostname.
Client settings. I disable / uncheck the 'Enable Client Login Banner' box.
Name Resolution: I keep this as is.
Just a side note: the Windows client has WINS settings in addition to DNS settings. I keep them as is.
Authentication Method: What method are we using? X-Authentication with a Private Shared Key. Mutual PSK + XAuth in other words.
Local Identity: It's going to be a FQDN, and we've been using "remote.com" thus far, so "remote.com" it is.
Remote Identity: IP Address. 'Use discovered remote host address' should be checked.
Once again, these settings should match the IKE Policy & friends settings from way earlier. No surprises.
Pre-shared Key: It's going to be the same one you created earlier. Don't email it, text it, instant message it, or pass it in anyway over unencrypted electronic communications: it defeats the purpose of having a PSK.
Exchange Type: Aggressive (should be the default)
DH Exchange: We are using 'Group 5', because we prefer our encrypted communications to stay that way.
Cipher Algorithm: AES (best choice, from earlier)
Cipher Key Length: 256 bits (longer is usually better, again this just reflects our settings from earlier)
Hash Algorithm: SHA1 (best choice, from earlier)
Key Life Time Limit: 28800 Secs (to match what we already have in place)
Transform Algorithm: ESP-AES
Transform Key Length: 256 Bits
HMAC Algorithm: SHA1
PFS Exchange: Group 5
Again, these settings just mirror the IKE Policy & friends.
