CCNA FAQ: Virtual Private Networks
Q1. Your organization has just opened a new office in Detroit. You have existing offices in Phoenix, San Diego, and Albuquerque that are tied together using VPN technology. What physical or logical changes should you add to support the VPN connection to the new office? A. No new interfaces are needed. The VPN configuration needs only to be …
VPN comes up even if there is a proxy-identity mismatch
This article discusses the scenario in which a VPN comes up even when there is a proxy-id mismatch (one of the proxy-ids is a subset of the other). This is expected behavior. Two SRX devices are directly connected. Configuration on the devices is as follows: Device-1: [email protected]# show security ipsec policy ipsecp { proposal-set standard; } vpn vpn1 { …
Troubleshooting auto-export with diagnostic commands
This article discusses the diagnostic commands available for troubleshooting auto-export. The auto-export statement is particularly useful for configuring overlapping VPNs—VPN configurations where more than one VRF routing instance lists the same community route target in its vrf-import policy. The auto-export statement finds out which routing tables to export routes from …
VPN local-address support in 12.1X44 & 12.1X45
This describes supported use of local-address for VPN gateways. When the VPN egress interface has multiple IPs associated, local-address can be used to select a specific IP from the egress interface for VPN use on a per-VPN-gateway basis. When the VPN egress interface has multiple IPs, the default IP used to source VPN traffic is based upon the Primary …
DHCP assignment on a different subnet against a Microsoft DHCP server
How to set up DHCP assignment on a different subnet against a Microsoft DHCP server. The VPN connection profile is configured for DHCP, but the IP addresses are not assigned when users get connected (nc.windows.app.23791). The Junos Pulse Secure Access Gateway (SA) is configured to provide VPN tunneling to users. In the VPN connection profile, the IP addresses are …
VPN on Demand fails to launch from iPhone
This article describes the workaround to be used when a VPN on Demand from the iPhone fails to launch. This issue is apparent under the following conditions: Users receive a User authentication failed error message when VPN is launched from settings; VPN on Demand fails and the error message plugin.error VPN disconnecting due to an authentication failure is displayed in …
SHA2-256 compatibility on SRX branch series and other platforms
This article describes an issue in which an SRX device that has a VPN configured with SHA2 in the IPsec proposal is unable to decrypt the encrypted traffic, even though it has established the VPN tunnel. Junos and SSG have two generations of SHA2-256 algorithms; the first one uses the 96 bit-length data field and the second one uses the 128 bit-length data field. Due to …
Junos Pulse for Android does not display the ‘Intranet’ link when connected to a VPN tunnel on a device running Android 4.0 and later
This article explains why Junos Pulse for Android does not display the Intranet link when connected to a VPN tunnel on a device running Android 4.0 and later. The Intranet link is not displayed by the Junos Pulse for Android application, when connected to a VPN tunnel on a device running Android 4.0 and later. This issue will occur when the following conditions are …
Can a static MAC address for the VPN Tunneling virtual adapter be configured?
Can a static MAC address for the VPN Tunneling virtual adapter be configured? This article explains why this is not supported. It is desired to assign a static MAC address for the VPN tunneling virtual adapter, either Junos Pulse or Network Connect, due to the requirement of third-party software. No, it is not possible to have a static MAC address for the VPN Tunneling …
Configuring VPN on Demand for iPhone/iPad
This article describes how to implement VPN on Demand for the iPhone/iPad. Configure VPN on Demand on iPhone/iPad. From the App Store, download Apple Configurator on a Mac OS X device. Certificate authentication MUST be configured on the Pulse Secure gateway. Client certificates need to be issued for each user to install on their device (Refer to #7 for installation …