Apple VPN and Juniper SRX VPN test scenario

The starting point for the VPN test is the official Juniper article Configuring the SRX Series for Pico Cell Provisioning with IKEv2 Configuration Payload, available at and the fact that iOS, starting from version 8, supports IKEv2 VPN connections.
As the same VPN profiles can be used on Mac OS X itself, one of the chapters explains the procedure for configuring an Apple Mac computer as a VPN client.
NOTE: The VPN profiles used in the tests were created on a MacBook Pro running OS X (El Capitan), using the Apple Configurator (v2) utility.

An alternative way of user authentication was tested with a Microsoft Windows 2008 Domain Controller machine with the Network Policy Server (NPS) role installed. Installation and configuration of MS NPS is out of scope of this document.

Installation and configuration of the FreeRADIUS server is out of scope of this document.
The starting point for the SRX configuration is the official Juniper article Configuring the SRX Series for Pico Cell Provisioning with IKEv2 Configuration Payload, available at

FreeRADIUS system version 2.2.6, installed on a CentOS 6.5 virtual machine, was used for authentication purposes. In my lab, an SRX 240H was used with version 12.3X48 D20, but the same results are proven on the Firefly Perimeter virtual machine environment, version 12.1X47-D10.4. The Apple smartphone (iPhone 6s) is using iOS. There is nothing on the Apple smartphone except default iOS factory settings (i.e., no need for 3rd-party VPN clients). Another Win2008 server is used as the lab Certificate Authority. The test corporate server (smartcon) is located within the trust zone, as well as the FreeRADIUS server and the MS AD domain controller (Win2008). The Junos firewall (SRX 240H) is using the ge-0/0/3 interface for the trust zone, while ge-0/0/2 is within the untrust zone.
Lab Network

[Figure: lab network diagram showing Telco / Mobile Telco WAN, SW, ge-0/0/2 (untrust), ge-0/0/0 (mgmt), ge-0/0/3 (trust) LAN, Apple iOS 9.x device, Junos VM and Mgmt PC]

This is a simple lab network.

Filip Markovic, who helped me with iOS and Mac device settings, and VPN connection testing.

There is probably plenty of information that an experienced user does not need. But probably there are other readers who might find useful a lot of the details that I enclosed. Read this document in the way that best suits your needs.
Subject: VPN connection between Apple VPN Client and Juniper SRX
Author: Milan Markovic MSc.
Document version: 1.0, from

Contents

Preface
Creating certificate for SRX security gateway
Creating certificate for Apple iOS VPN client
Configuring external authentication
Configuring FreeRADIUS system
Configuring Windows Network Policy Server
Configuring IKEv2 VPN between Juniper SRX and Apple iOS device
Juniper SRX firewall configuration
Configuring Apple iOS device
Importing and verifying VPN Server's certificates
Creating VPN Profile for Apple iOS device
Importing VPN profile on Apple iOS device
Connectivity test
VPN Server logs
Client logs
Radius server logs
Configuring IKEv2 VPN between Juniper SRX and Mac OS X
Issues with certain certificates
References

Preface

Following a customer's requirement to connect remote users using Apple iPhone/iPad devices to the corporate network over a VPN connection, I did some investigation and found that, to date, there was no proven solution for Juniper Junos SRX devices. The latest Apple iOS versions (starting from iOS 8) added support for IKEv2 VPNs. From iOS 9.x, further improvements were made to enable Apple users to use IKEv2 VPNs. That was the triggering point for my lab investigation, and in the following chapters I'll try to give more details about the way you can connect mobile users using Apple iPhone/iPad to the corporate network, using Apple's native IKEv2 VPN.