SRX Services Gateway
Highlighted
SRX Services Gateway

Does VSRX Support Dynamic VPNs?

2 weeks ago

I'm evaluating a VSRX appliance (v15.1X49) to look into the viability of using it for a remote location.  Up until now I've been having pretty good luck, but I'm having trouble getting a dynamic VPN built based on these instructions (https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dynamic-vpns-with-pulse-...)

 

The problem I am running into is that when I try to start assigning the clients defined in the config with the dynamic VPN, it's acting like that part of the tree doesn't exist.  Specifically:

 

[edit security]
root# edit ?
Possible completions:
> address-book         Security address book
> advance-policy-based-routing  Configure advance-policy-based-routing rules
> alarms               Configure security alarms
> alg                  Configure ALG security options
> analysis             Configure security analysis
> application-firewall  Configure application-firewall rule-sets
> application-tracking  Application tracking configuration
> certificates         X.509 certificate configuration
> dynamic-address      Configure security dynamic address
> firewall-authentication  Firewall authentication parameters
> flow                 FLOW configuration
> forwarding-options   Security-forwarding-options configuration
> forwarding-process   Configure security forwarding-process options
> gprs                 GPRS configuration
> group-vpn            Group VPN configuration
> idp                  Configure IDP
> ike                  IKE configuration
> ipsec                IPSec configuration
> ipsec-policy         IPSec policy configuration
> log                  Configure security log
> nat                  Configure Network Address Translation
> pki                  PKI service configuration
> policies             Configure Network Security Policies
> resource-manager     Configure resource manager security options
> screen               Configure screen feature
> softwires            Configure softwire feature
> ssh-known-hosts      SSH known host list
> tcp-encap            Configure TCP Encapsulation.
> traceoptions         Network security daemon tracing options
> user-identification  Configure user-identification
> utm                  Content security service configuration
> zones                Zone configuration

 

Have I missed something earlier in the config, or is this just somethign that VSRX doesn't do?

2 REPLIES
SRX Services Gateway

Re: Does VSRX Support Dynamic VPNs?

2 weeks ago

vSRX will never get support for dynamic vpn. This is limited to SRX100, SRX200 and SRX300 series together with SRX550 and SRX650.

 

It's replacement is called "Remote access VPN client". There are also two concurrent connections included just as dynamic vpn.

The big issue with this solution is that you either have to buy an NCP VPN client license or get an open source VPN client to work (it's IKEv2 so it's standard-based).

 

More about remote access VPN client: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-...

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC Datacom A/S (Denmark)
SRX Services Gateway

Re: Does VSRX Support Dynamic VPNs?

2 weeks ago

You can use NCP Exclusive Remote Access VPN Solution starting with  Junos "15.1x49-d80"

 

Refer the VPN subsection under "New and Changed Features" and "changes in behavior and syntax" sections.

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-not...

 

Understanding SSL Remote Access VPNs with NCP Exclusive Remote Access Client
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-remote-access-vpns-with-...

 

NCP Exclusive Remote Access VPN Solution for SRX Series/vSRX Firewalls

https://www.juniper.net/assets/de/de/local/pdf/partner-at-a-glance/3550003-en.pdf



If this worked for you please flag my post as an "Accepted Solution" so others can benefit.