12-07-2010 03:16 PM
Should be a simple thing but I can't seem to find exactly what I need.
I am trying to confirm how VPN licensing works for SRX devices. Is a license required for each L2L and user (dynamic) VPN, and do they work the same as far as concurrent licensing goes (like Cisco ASA does)? I only see licensing for Dynamic VPN clients. Does this mean L2L tunnels do not require a license, or do they require an altogether separate license? We'll have an SRX240H at the head end and a mix of ASAs and SRX100/220 remotely.
Thanks!
~John
12-07-2010 03:23 PM
Dynamic VPN is for a user who connects with a client to the firewall, although at this time you need a RADIUS server to pony up the IP. SSL VPN appliances are better for this IMO anyways.
Regular IPSEC tunnels are of no cost, and are just limited to the number of VPNs that can be up at a time per platform.
Your mix of non-head-end devices will connect to the 240 just fine until you reach, say... 1000.
IPsec VPN

Platform                                         100      210      220      240      650
Concurrent VPN tunnels                           128      256      512      1,000    3,000
Tunnel interfaces                                10       64       64       128      512
DES (56-bit), 3DES (168-bit) and AES (256-bit)   Yes      Yes      Yes      Yes      Yes
MD-5 and SHA-1 authentication                    Yes      Yes      Yes      Yes      Yes
Manual key, Internet Key Exchange (IKE),
  public key infrastructure (PKI) (X.509)        Yes      Yes      Yes      Yes      Yes
Perfect forward secrecy (DH Groups)              1, 2, 5  1, 2, 5  1, 2, 5  1, 2, 5  1, 2, 5
Prevent replay attack                            Yes      Yes      Yes      Yes      Yes
Dynamic remote access VPN                        Yes      Yes      Yes      Yes      No
IPsec NAT traversal                              Yes      Yes      Yes      Yes      Yes
Redundant VPN gateways                           Yes      Yes      Yes      Yes      Yes