SRX Services Gateway
SRX Services Gateway

VPN licensing Question

12.07.10   |  
‎12-07-2010 03:16 PM

Should be a simple thing but I can't seem to find exactly what I need.


I wam trying to confirm how the licensing for VPNs works for SRX devices work. Is a license required for each L2L and User (dynamic) and are they the same as far as concurrent licensing would work? (Like Cisco ASA does) I only see licensing for Dynamic VPN clients. Does this mean L2L tunnels do not require a license or do they require an altogether separate licence? We'll have a SRX240H at the head end and a mix of ASAs and SRX100/220 remotely.





SRX Services Gateway

Re: VPN licensing Question

12.07.10   |  
‎12-07-2010 03:23 PM

Dynamic VPN is for a user who connects with a client to the firewall, although at this time you need a radius server to pony up the IP.  SSL VPN appliances are better for this IMO anyways.


Regular IPSEC tunnels are of no cost, and are just limited to the number of VPNs that can be up at a time per platform.


Your mix of NON headends devices will connect to the 240 just fine until you reach say...  1000.



Platform 100 210 220 240 650

Concurrent VPN tunnels 128 256 512 1,000 3,000

Tunnel interfaces 10 64 64 128 512

DES (56-bit), 3DES (168-bit) and AES


Yes Yes Yes Yes Yes

MD-5 and SHA-1 authentication Yes Yes Yes Yes Yes

Manual key, Internet Key Exchange (IKE),

public key infrastructure (PKI) (X.509)

Yes Yes Yes Yes Yes

Perfect forward secrecy (DH Groups) 1, 2, 5 1, 2, 5 1, 2, 5 1, 2, 5 1, 2, 5

Prevent replay attack Yes Yes Yes Yes Yes

Dynamic remote access VPN Yes Yes Yes Yes No

IPsec NAT traversal Yes Yes Yes Yes Yes

Redundant VPN gateways Yes Yes Yes Yes Yes