There seems to be some confusion about how JWEB and the dynamic VPN authentication page work in parallel.
I hope to give some tips I know in this post. For example, if you have the following config, what does it really mean for JWEB?
    [edit]
    root@srx# show system services web-management
    https {
        system-generated-certificate;
        interface [ ge-0/0/0.0 ge-0/0/1.0 ];
    }
This config enforces that the JWEB web service can only be served on the configured ge-0/0/0.0 and ge-0/0/1.0 interfaces, provided of course that the https service is allowed on the security zone these interfaces belong to. So far so good, but what happens if you enable the dynamic VPN service, for which you also provide an authentication page? What happens to JWEB in that case? Here you should look at the IKE gateway stanza. For instance, if you have the following IKE gateway config:
    gateway gw-dyn-1 {
        ike-policy ike-dyn-pol1;
        dynamic {
            hostname dyn.rtoodtoo.nett;
            connections-limit 2;
        }
        external-interface ge-0/0/1.0;
        xauth access-profile dyn-vpn-prof1;
    }
Junos will disable JWEB on the ge-0/0/1.0 interface (the gateway's external-interface) and you will be redirected to the dynamic-vpn authentication page instead. What if the dynamic-vpn page itself returns a 404 Not Found error? In that case I would recommend checking that you have proper configuration under the "security dynamic-vpn" hierarchy. For example, if you don't have a config like the one below, you won't get the dynamic-vpn page but a 404 error.
    root@srx# show security dynamic-vpn
    access-profile vpn-prof;
    clients {
        vpn-clients {
            remote-protected-resources {
                192.168.3.0/24;
            }
            remote-exceptions {
                0.0.0.0/0;
            }
            ipsec-vpn myvpn;
            user {
                john;
            }
        }
    }
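To make the rule above checkable before you commit, here is an added example (my own script, not part of Junos or this post) that reads "show configuration | display set" output and reports, per JWEB interface, whether a browser will get JWEB, the dynamic-vpn login page, or the 404 described above. The sample config is constructed from the stanzas in this post, and the script assumes a gateway with a dynamic stanza is the dynamic VPN gateway.

```python
"""Audit which interfaces really serve J-Web on an SRX, given
'show configuration | display set' output (sample constructed below).

Logic follows the post: a web-management https interface that is also
the external-interface of an IKE gateway with a 'dynamic' stanza is taken
over by the dynamic-VPN login page, and that page only renders when the
'security dynamic-vpn' hierarchy exists (otherwise you get a 404)."""

# Constructed sample, mirroring the post's stanzas in 'display set' form.
SAMPLE_CONFIG = """\
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system services web-management https interface ge-0/0/1.0
set security ike gateway gw-dyn-1 ike-policy ike-dyn-pol1
set security ike gateway gw-dyn-1 dynamic hostname dyn.rtoodtoo.nett
set security ike gateway gw-dyn-1 dynamic connections-limit 2
set security ike gateway gw-dyn-1 external-interface ge-0/0/1.0
set security ike gateway gw-dyn-1 xauth access-profile dyn-vpn-prof1
"""


def parse_set_lines(text):
    """Return each 'set ...' statement as a token list (without 'set')."""
    return [line.split()[1:] for line in text.splitlines()
            if line.startswith("set ")]


def audit_jweb(text):
    """Map each J-Web interface to what an HTTPS client will actually get."""
    jweb_ifaces, gw_external, dynamic_gws = [], {}, set()
    has_dynamic_vpn = False
    for t in parse_set_lines(text):
        if t[:5] == ["system", "services", "web-management", "https",
                     "interface"] and len(t) > 5:
            jweb_ifaces.append(t[5])
        elif t[:3] == ["security", "ike", "gateway"] and len(t) > 4:
            name = t[3]
            if t[4] == "external-interface" and len(t) > 5:
                gw_external[name] = t[5]
            elif t[4] == "dynamic":
                dynamic_gws.add(name)
        elif t[:2] == ["security", "dynamic-vpn"]:
            has_dynamic_vpn = True
    # Interfaces that a dynamic VPN gateway claims for its login page.
    taken = {gw_external[g] for g in dynamic_gws if g in gw_external}
    result = {}
    for iface in jweb_ifaces:
        if iface not in taken:
            result[iface] = "J-Web"
        elif has_dynamic_vpn:
            result[iface] = "dynamic-vpn login page"
        else:
            result[iface] = "404 (dynamic-vpn hierarchy missing)"
    return result
```

Feed it the real "display set" output of a box and any interface reported as 404 is one where the IKE gateway exists but the security dynamic-vpn stanza has not been configured yet.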
I hope this helps someone out there. Of course, if you see any mistake or have comments, don't hesitate to tell me.