SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN on SRX and put VPN users in to security zone possible?

    Posted 09-25-2011 12:59

    Hi Experts,

    Is it possible that when users connect to the SRX through dynamic VPN in the untrust zone, they get an IP address from the VPN zone subnet, so that I can control the dynamic VPN traffic from the VPN zone to the other zones?

    Thanks



  • 2.  RE: Dynamic VPN on SRX and put VPN users in to security zone possible?
    Best Answer

    Posted 09-26-2011 07:06

    Hi,

    According to my knowledge, it is not possible. You create a policy for the dynamic VPN traffic which has a "then permit tunnel ipsec-vpn dyn-vpn" type of action; see e.g.

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf

    for details. You cannot filter the same traffic with some other security policy.

    It could be possible with a route-based dynamic VPN, but that is currently not supported.



  • 3.  RE: Dynamic VPN on SRX and put VPN users in to security zone possible?

    Posted 10-01-2011 11:36

    Thanks, dear. There should be a route-based VPN so that we can control the traffic. Also, with dynamic VPN we cannot make separate XAuth profiles with different IP pools associated with different IPsec VPNs. In the dynamic VPN directory you can specify only one access profile.

    Also, with dynamic VPN, is it possible to define a group of users and give them different protected resources instead of assigning them per user? I believe that is not possible either.

    Thanks



  • 4.  RE: Dynamic VPN on SRX and put VPN users in to security zone possible?

    Posted 10-04-2011 11:02

    I just recently had a situation where I wanted my dynamic VPN client to be able to access multiple trusted zones. I had to create a different dynamic VPN for each zone, so I'm going to say that yes, dynamic VPNs with different trusted resources are possible. In my case I had 4 subnets, so I did something like 10.10.0.0 255.255.252.0 to include 10.10.0.0/24, 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24. When I created my clients for each VPN I used the same protected resource with a /22, but I believe I could have specified the individual /24s. I'm wondering if it wasn't a bug in the code that made me do the 4 VPNs; I'm wondering if, had I used multiple /24s in the protected resource, I could have done it with one VPN. It seems kind of crazy that I had to create 4 identical VPNs and apply the different VPNs to the different policies for each zone.
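To make the mechanics in posts 2 and 4 concrete, here is a policy-based dynamic VPN configuration written for this thread as an added example; it is not taken from any of the posts or from the Juniper appnote linked above, although it follows the same hierarchy the appnote documents. Everything specific in it is an assumption chosen for illustration: the external interface ge-0/0/0.0, the object names (ike-dyn-vpn-policy, dyn-vpn-local-gw, dyn-vpn, dyn-vpn-access-profile, dyn-vpn-address-pool, dyn-vpn-pool), the user vpnuser1, the 10.10.10.0/24 XAuth pool and the four 10.10.0.0/24 to 10.10.3.0/24 protected subnets from post 4. Two things it is meant to show: the "permit tunnel ipsec-vpn" policy is the only place the client traffic is controlled (there is no VPN zone, the clients arrive as untrust-to-trust traffic), and the remote-protected-resources list can carry several prefixes instead of one /22 summary.

```junos
## Added example config for this thread (not from the posts or the appnote).
## Assumed names/addresses: ge-0/0/0.0, vpnuser1, pool 10.10.10.0/24,
## protected subnets 10.10.0.0/24-10.10.3.0/24.
security {
    ike {
        policy ike-dyn-vpn-policy {
            ## Dynamic VPN clients negotiate in aggressive mode, which exposes the
            ## PSK hash on the wire: use a long random key and XAuth on top of it.
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "replace-with-a-long-random-key";
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname dynvpn;
                connections-limit 10;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/0.0;
            ## Only one XAuth access profile can be attached (post 3).
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            all {
                ## Individual /24s instead of the /22 summary post 4 used.
                remote-protected-resources {
                    10.10.0.0/24;
                    10.10.1.0/24;
                    10.10.2.0/24;
                    10.10.3.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    vpnuser1;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                ## The XAuth pool, so the tunnel policy is not left at "any".
                address dyn-vpn-pool 10.10.10.0/24;
            }
        }
    }
    policies {
        ## Post 2's point: this single untrust->trust policy both permits the
        ## client traffic and binds it to the VPN; a second destination zone
        ## needs its own from-zone untrust to-zone <zone> tunnel policy.
        from-zone untrust to-zone trust {
            policy dyn-vpn-policy {
                match {
                    source-address dyn-vpn-pool;   ## assumed narrowing; appnote uses any
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client vpnuser1 {
            firewall-user {
                password "replace-me";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 10.10.10.0/24;
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
```

Two caveats a practitioner should weigh. First, matching the tunnel policy on the pool address rather than any is assumed here to behave like any other policy-based VPN match on the decapsulated packet; the appnote itself uses source-address any, so verify it on your release with `show security flow session` while a client is connected, and fall back to any if sessions are not created. Second, this example keeps a single VPN and a single destination zone; post 4 reports that reaching several zones required one VPN per zone, and nothing here contradicts that. After commit, `show security ike security-associations`, `show security ipsec security-associations` and `show security dynamic-vpn users` confirm that the client authenticated, received a pool address, and is matching the intended policy.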