JuniperForum.com
March 10, 2010, 12:40:54 PM
written by signal15 | 10001 Views | Rating: (3 rates)
Juniper doesn’t provide a native VPN client for OS X users. The only options are the built-in client (which requires certificates and is difficult to get working properly), VPN Tracker (which costs money), and IPSecuritas (free, http://www.lobotomo.com).

This document details how to configure IPSecuritas, working with Xauth and dynamic IP pools using a route-based VPN. It is within the realm of possibility that I will eventually upload screenshots of the configuration, but don’t count on it. Sorry for the brevity, but I’m fairly busy these days.

This document is organized into two parts. The first part is the Xauth configuration on the firewall. The second part is the configuration of IP Securitas. Skip the first part if your dialup VPN with Xauth is already working with other clients.

NetScreen Configuration

There are several steps we need to accomplish here to make this work:

  1. Create a new tunnel interface, unnumbered, and in the zone you want the VPN terminated. If you are accessing hosts in your trust zone and terminate the VPN in the trust zone, then you do not need to put in any policies. However, if you terminate the tunnel in a different zone from the hosts you are accessing, you will need to create a policy to allow this traffic.
  2. Create an IP Pool. This pool should NOT overlap with other addresses in use on the network. In the GUI, you create this under Objects->IP Pools. I called mine RAS-pool and it goes from 10.128.2.1 to 10.128.2.10. This will support 10 users.
  3. Create an IKE user and place the user into a group. This IKE user will be used for everyone in my configuration. Essentially, I’m using this user to group my users together. In the event that I had different types of users with different access, I could create different VPNs that used different IKE IDs in order to hand out IP addresses from different pools and control access to the whole group by policy. Under Objects->Users->Local, create a new user. Name the user something like vpn@mydomain.com, check the IKE User box, leave the identity as Auto and put vpn@mydomain.com there also. Then set the number of simultaneous users. If this number is more than one, then we need to put this user into a User Group. Create a User Group and add this user to it. I called mine XAuth-Global.
  4. Create your XAUTH users. Objects->Users->Local, create a new user. Enter the username. Select the XAUTH User checkbox, and enter the password. Click OK. Place the user into a group. I called mine RAS-users.
  5. Create your Phase I. VPNs->AutoKey Advanced->Gateway. Create new. I called mine “ras-gw”, select Dialup User Group and select your XAUTH-Global group. Enter the preshared key, or on newer versions click Advanced and then enter the PSK. Select a proposal. I suggest pre-g2-aes128-sha. Select Aggressive Mode. Enable NAT-T. Click Return, click OK.
  6. Set your default XAuth settings. VPNs->AutoKey Advanced->XAuth Settings. Set the IP pool name to RAS-pool, and set your DNS servers. Click OK.
  7. Click the XAUTH link next to your Phase 1 you just created. Set the XAuth server to Generic. Set it to Local Auth, and set the user group to RAS-users. Click OK.
  8. Create Phase 2. VPNs->AutoKey IKE. Create new, I named mine ras-vpn. Set the remote gateway to predefined and choose your ras-gw. Set your proposal to custom, I suggest g2-esp-aes128-sha. Bind to your tunnel interface created in step 1. Check Proxy-ID. Local Proxy ID should be a subnet that attempts to encompass everything your clients will access. Remote proxy ID should be 255.255.255.255/32. Click Return, click OK.
  9. Create a destination route that points to your tunnel interface for the network that your IP pool uses. My route is 10.128.2.0/24 via tunnel.2. Ignore the other stuff in there, you don’t need it.
  10. Optionally create an access-list and route-map that you can use in your redistribution rules if you are running dynamic routing and want remote sites to be accessible to the clients. This is out of scope of this doc, but remember you might need this if users come into a central site and need access to other sites or you have layer-3 routing internally.
  11. Done!
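As an added illustration (not part of the original article), here is the same firewall-side configuration from steps 1 to 9 expressed as ScreenOS CLI commands, which is useful for pasting into a console or for comparing against what the GUI produced with `get config`. The interface names (ethernet0/0 as the outgoing untrust interface, ethernet0/1 as the unnumbered source), the 10.0.0.0/8 local proxy-ID, the DNS address, the sample XAuth user "alice" and both secrets are placeholders I made up; exact keyword order differs slightly between ScreenOS releases, so verify against your own box. Lines beginning with `#` are annotations for the reader and are not accepted by the ScreenOS CLI, so strip them before pasting. Because a dialup gateway cannot know the peer's address in advance, this design relies on aggressive mode with a preshared key, which means the PSK strength and the per-user XAuth passwords are what actually gate access.

```screenos
# Added example: ScreenOS CLI equivalent of steps 1-9. Interface names,
# the PSK, the DNS address and the sample user are placeholders.

# Step 1: unnumbered tunnel interface, terminated in the trust zone
set interface tunnel.2 zone trust
set interface tunnel.2 ip unnumbered interface ethernet0/1

# Step 2: address pool for clients (10 addresses, must not overlap the LAN)
set ippool RAS-pool 10.128.2.1 10.128.2.10

# Step 3: shared IKE identity for all clients, allowing 10 simultaneous
# sessions, placed in its own group for the dialup gateway
set user vpn@mydomain.com ike-id u-fqdn vpn@mydomain.com share-limit 10
set user vpn@mydomain.com type ike
set user-group XAuth-Global user vpn@mydomain.com

# Step 4: one XAuth user per person (password is a placeholder), grouped
set user alice password CHANGE-ME-STRONG-PASSWORD
set user alice type xauth
set user-group RAS-users user alice

# Step 5: Phase 1 dialup gateway, aggressive mode, PSK, NAT-T enabled
set ike gateway ras-gw dialup XAuth-Global aggressive outgoing-interface ethernet0/0 preshare CHANGE-ME-PSK proposal pre-g2-aes128-sha
set ike gateway ras-gw nat-traversal

# Step 6: default XAuth settings pushed to clients via MODE_CFG
set xauth default ippool RAS-pool
set xauth default dns1 10.0.0.53

# Step 7: authenticate XAuth against the local database, RAS-users only
set ike gateway ras-gw xauth server Local user-group RAS-users

# Step 8: Phase 2, bound to the tunnel interface, with proxy-IDs
set vpn ras-vpn gateway ras-gw proposal g2-esp-aes128-sha
set vpn ras-vpn bind interface tunnel.2
set vpn ras-vpn proxy-id local-ip 10.0.0.0/8 remote-ip 255.255.255.255/32 "ANY"

# Step 9: route the pool network into the tunnel
set route 10.128.2.0/24 interface tunnel.2

# Verification once a client connects: the Phase 2 SA should show as active
get sa
```

After a client has connected, `get sa` should list an active SA for ras-vpn and the route for 10.128.2.0/24 via tunnel.2 should be visible with `get route`; if the SA comes up but traffic does not flow, the proxy-IDs (step 8) and the zone the tunnel was placed in (step 1) are the first things to compare against the client's remote-network setting.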

IP Securitas Configuration

Unless it says below to change it, leave the default setting.

  1. Under the top menu, Connections->Edit Connections. Create a new connection with the “+” button.
  2. Under the “General Tab”, enter the IP or hostname of your firewall. For remote side, choose network and enter the same network you entered in the Proxy ID section for the Local address in step 8 above.
  3. Under phase 1, Lifetime = 28800 seconds, DH Group 2, AES 128, SHA-1, Aggressive mode.
  4. Under Phase 2, Lifetime = 3600 seconds, PFS Group 2, select AES 128 under encryption, and HMAC SHA-1 under authentication.
  5. Under ID. Local Identifier = User FQDN (vpn@mydomain.com), Remote Identifier = Address, Auth Method = Xauth PSK, then enter the preshared key, and your username/password that you placed into the RAS-users group above.
  6. Under the Options tab - Leave everything alone except for these: Check “Enable MODE_CFG”, check “Local IP in Remote Network”, set NAT-T to enable. Optionally, you can enable the connection check and put in the address you want it to ping. I would wait and make sure things come up first, or this will keep bringing the connection down if it’s inaccessible.
  7. Done!

Press Start and everything should work!
