Security

How-To: Apple iPhone/iPad VPN to Juniper SRX

by Cordelia on ‎04-05-2016 08:00 AM - edited on ‎09-22-2017 03:54 PM by Administrator Administrator (22,561 Views)

With the latest Apple iOS improvements, and support for IKEv2, it's now possible to establish a VPN connection between Apple iPhone/iPad devices and Juniper SRX devices.

Note: You must have Apple iOS 9.x installed and have access to an Apple Mac to prepare an Apple VPN profile.

Read Milan's attached PDF, which provides instructions based on his personal lab tests.

 

Note: The same VPN profile can be used on an Apple Mac, at least on a MacBook Pro running OS X El Capitan (which is what Milan tested).

 

Comments
Apr 11, 2016
Distinguished Expert

Very cool!

 

However I would like to know 2 things:

- Is this solution considered to be "supported" by Juniper;

- Does it require the license on the SRX side, like "dynamic VPN" license

Apr 11, 2016
Cordelia

Hi Peter,

 

AFAIK, this is not supported by Juniper, but I am verifying that with support. The TechWiki allows for non-supported solutions from customers in the TechWiki and on J-Net in general, as covered in our disclaimer.

 

For your second question, not sure, will check back with you as well on that.

 

Regards,

 

Cordelia

Apr 11, 2016
Distinguished Expert

Thanks Cordelia -- sorry for the tricky questions!

 

- PK

Apr 11, 2016
Distinguished Expert

Hi Petr,

 

I can answer the second question. There is included support for 2 concurrent users. If you need more than this, you can purchase a license for this, "SRX-RAC-<number>-LTU", where I remember 5, 10, 25, 50, 100 and 250 as possible numbers.

 

The sad part is that the dynamic VPN functionality has been completely removed from Junos 15.1X, meaning that this will not work on the new SRX300 series or SRX1500. This means you will need a separate device to handle your end user VPN client termination.

 

I know that there are dialogues about solutions to this, but nothing committed yet.

 

-- 

Best regards,

 

Jonas Hauge

Apr 11, 2016
Distinguished Expert

Hi Jonas,

 

Thanks for your answer. I have heard about dynamic VPN going away, and that is actually one reason why I was asking (if we don't have dynamic VPN, is there any other supported solution currently? If we are just using standard protocols to connect, why can't that be supported?).

 

However I'm still not sure about licenses. Dynamic VPN license seems to be needed for dynamic VPN only, and this solution is only using IKEv2/IPsec, so should work with no license, right?

 

Sincerely,

PK

Aug 10, 2016
victim_john

good

Aug 11, 2016
Distinguished Expert

Hi pk,

 

A follow-up on my comment. If you are using plain IKEv2/IPsec, I don't see the need for a license, but then it cannot be authenticated on username+password.

 

Regarding Dynamic VPN for SRX300 series, it will be reintroduced in 15.1X49-D60 which is expected to be released in September 2016. I don't know how licensing will be but I expect something similar to the licensing scheme on the old series.

Jan 6, 2017
serdar

Hi all,

 

Thanks for this wonderful PDF with all the information!!!

I'm only having an issue at one of the last steps, with the configuration of the SRX. I tried every possible combination but none did work. I'm running an SRX210H with 12.1R1.9.

 

I did add in the following range:

First interface st0, routing-options, ike proposal, ike policy, access profile, security flow, ike gateway. So far so good; after every part I did a commit with completion. But when I did add the ipsec vpn part, it got bumped. Can someone please advise me on whatever is going wrong?

 

 

```
serdar@SRX210# commit
[edit security ipsec vpn picotest ike gateway]
  'gateway gw_picotest'
    Shared or group ike policy cannot refer to route-based vpn
error: commit failed: (statements constraint check failed)

[edit]
serdar@SRX210# show | compare
[edit security ipsec]
+   vpn picotest {
+       bind-interface st0.2;
+       ike {
+           gateway gw_picotest;
+           proxy-identity {
+               local 192.168.0.0/16;
+               remote 0.0.0.0/0;
+               service any;
+           }
+           ipsec-policy ipsec_pol_picotest;
+       }
+   }
```

```
serdar@SRX210> show configuration security ike
gateway gw_picotest {
    ike-policy ike_pol_picotest;
    dynamic {
        hostname .local;
        ike-user-type group-ike-id;
    }
    local-identity hostname xxxxxxxxxx.org;
    external-interface ge-0/0/0.0; ## this is my interface facing my ISP
    xauth access-profile picotest;
    version v2-only;
}
```

All help would be appreciated!!