Category Archives: dynamic-vpn


In today’s post I will write about how we can setup Dynamic VPN connection
towards an SRX device in several scenarios This is part of my JNCIE-SEC
studies although I am falling very behind my schedule:( Let’s get started:

IPsec VPNs

  • Scenario1: Client receives an IP address which is already used inside the local network by other clients and split tunneling active
  • Scenario2: Client also accesses the Internet through the tunnel, if the term is correct no-split tunneling

Continue reading

JWEB and Dynamic VPN page

There seems to be a confusion about how JWEB and dynamic VPN authentication page are working in parallel.
I hope to give some tips I know in this post. For example, if you have the following config, what does it really mean for JWEB?

This config enforces that JWEB web service can only be served on the configured ge-0/0/0.0 and ge-0/0/1.0 interfaces. Of course if the https service is allowed on the security zone that these interfaces belong to. So far so good but what happens if you enable dynamic VPN service for which you also provide an authentication page. In that case what happens to JWEB? In this case you should look at the IKE gateway stanza. For instance if you have the following IKE gateway config;

Junos will disable JWEB on ge-0/0/1.0 interface and you will be redirected to the dynamic-vpn authentication page. What if the dynamic-vpn page itself returns a 404 not found error. In that case I would recommend you to check if you have proper configuration under “security dynamic-vpn” hierarchy. For example if you don’t have a config like below, you won’t get dynamic-vpn page but a 404 error.

I hope this helps someone out there. Of course if you see any mistake or have comments, don’t hesitate tell.

Dynamic VPN in SRX

Here is my simple dynamic vpn configuration.  I have tested it and it works:) However I could only use windows clients in my setup although I tried so hard to get a working linux client, debugging didn’t provide me any useful information. Here is the config:

1) First configure profile config which contains users and ip assignments for the VPN.

SET command output of access config

Continue reading