SRX Services Gateway
SRX Services Gateway

Apple iPhone/iPad VPN to Juniper SRX - now possible!

‎03-02-2016 06:22 AM


For a long time, I was trying to find solution to establish VPN connection between Apple iPhone/iPad devices and Juniper SRX devices, but without success. Now, with latest Apple iOS improvements, and support for IKEv2, it is possible.

In attach, I am uploading document, based on my lab tests, so I hope that some of you, that are using Apple smartphones, will be now able to access your corporate network, behind Juniper SRX devices.

Have in mind, that you should have Apple iOS 9.x installed, and need someone with Apple MAC, in order to prepare Apple VPN profile. More details in attached PDF.


BTW, same VPN profile can be used on Apple Mac computer, at least on MacBook Pro, with ElCapitan OS X (what I tested).


In short, you do not need now any 3rd party VPN client on your Mac and/or iOS iPhone/iPad (v9.x), if you want to establish IPSec VPN connection with Juniper SRX device.



SRX Services Gateway

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!

‎10-23-2016 09:19 PM

Hey Milan,


Would love to get this going.


Do you know if this would be possible without an external RADIUS server?


I know the "Dynamic VPN" can use local accounts on the SRX itself, but can only use a full PC (not phones) with the Pulse Secure VPN client to connect. Smiley Sad


SRX Services Gateway

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!

‎12-09-2016 05:30 AM
Hello, can I make my own sertifiate not from authorised certification center?
SRX Services Gateway

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!

[ Edited ]
‎01-06-2017 05:48 AM

Hi all,


Thanks for this wonderfull pdf with all the information!!!


I'm having only issue at one of the last step with the configuration of the srx. I tried every possible combi but none did work. Im runnning SRX210H with 12.1R1.9


I did add in the following range:

First interface st0, routing-options, ike proposal, ike policy, acces profile, security flow, ike gateway. So far so good, after every part i did commit with completion. But when i did add the ipsec vpn part, it got bumped. Can someone please advise me whatever is going wrong?



serdar@SRX210# commit
[edit security ipsec vpn picotest ike gateway]
  'gateway gw_picotest'
Shared or group ike policy cannot refer to route-based vpn
error: commit failed: (statements constraint check failed) [edit] serdar@SRX210# show | compare [edit security ipsec] + vpn picotest { + bind-interface st0.2; + ike { + gateway gw_picotest; + proxy-identity { + local; + remote; + service any; + } + ipsec-policy ipsec_pol_picotest; + } + }

serdar@SRX210> show configuration security ike
gateway gw_picotest {
ike-policy ike_pol_picotest;
dynamic {
hostname .local;
ike-user-type group-ike-id;
local-identity hostname;
external-interface ge-0/0/0.0; ## this is my interface facing to my ISP
xauth access-profile picotest;
version v2-only;


UPDATE 1: After long battles with the SRX, the problem seems to be the firmware! Updated to 12.1X46-D60, and it accepted the configuration. Still some steps to do! I will keep you all updated.

SRX Services Gateway

Re: Apple iPhone/iPad VPN to Juniper SRX - now possible!

‎01-09-2017 06:57 PM


[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]