Dynamic VPN in SRX

Here is my simple dynamic VPN configuration. I have tested it and it works :) However, I could only use Windows clients in my setup; although I tried hard to get a working Linux client, debugging didn’t provide me any useful information. Here is the config:

1) First, configure the access profile, which contains the users and IP address assignments for the VPN.

SET command output of access config

2) Enable HTTPS on the SRX

SET command output of https config

3) Set up IKE configuration

SET command output of IKE

4) Set up IPsec configuration

SET Command output of IPSEC config

5) Set up dynamic VPN configuration

SET command output of dynamic vpn config

6) dyn-vpn Zone Configuration

SET command output of dyn-vpn zone configuration

7) Security Policy Configuration

SET command output of policy configuration

Client side:

After all this configuration, if you point your browser at (assuming is outside IP address on vlan.11 interface) you will receive an authentication window, and after providing john as username and password, you should be able to download Network Access Manager or Junos Pulse (depending on the version of Junos) and connect to the internal network.


If you want to authenticate users via RADIUS instead of locally, you should change the access-profile as below:

SET command output:

Below is also my MySQL table in my FreeRADIUS database for a single user:

After I wrote this document, while I was playing with dynamic VPN on Junos 10.4R6.5, I noticed that my VPN client could not pass phase 1 and failed on IKE. When I checked my IKE debug log, I saw the following error logs:

The thing is, Junos doesn’t force you to set this max connection limit. After I set the connection limit in my config, my client could connect. Here is the config snippet:
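
A check for the failure described above, as an added example that is not part of the original post: it scans a configuration in `set` format for dynamic IKE gateways that have no `connections-limit`. The sample configuration and its gateway names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; gateway names and values are
# illustrative assumptions, not the author's configuration.
SAMPLE_CONFIG = """\
set security ike gateway dyn-vpn-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-gw external-interface vlan.11
set security ike gateway branch-gw address 192.0.2.10
set security ike gateway branch-gw external-interface vlan.11
set security ike gateway dyn-vpn-gw2 dynamic hostname dynvpn2
set security ike gateway dyn-vpn-gw2 dynamic connections-limit 10
"""

GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) (.+)$")


def parse_gateways(config_text):
    """Map each IKE gateway name to the token lists of its statements."""
    gateways = defaultdict(list)
    for line in config_text.splitlines():
        match = GATEWAY_RE.match(line.strip())
        if match:
            gateways[match.group(1)].append(match.group(2).split())
    return dict(gateways)


def connections_limit(statements):
    """Return the configured connections-limit as an int, or None if unset."""
    for tokens in statements:
        if tokens[:2] == ["dynamic", "connections-limit"] and len(tokens) == 3:
            return int(tokens[2])
    return None


def dynamic_gateways_missing_limit(config_text):
    """Names of dynamic IKE gateways that have no connections-limit."""
    missing = []
    for name, statements in parse_gateways(config_text).items():
        is_dynamic = any(tokens[0] == "dynamic" for tokens in statements)
        if is_dynamic and connections_limit(statements) is None:
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    for gateway in dynamic_gateways_missing_limit(SAMPLE_CONFIG):
        print(f"{gateway}: dynamic IKE gateway without connections-limit")
```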

10 thoughts on “Dynamic VPN in SRX”

  1. IonelG

    I am a newbie in the Juniper field.
    I’ve tried your example of Dynamic VPN in SRX but there are a few problems.
    Vlan.11 is not defined
    home-pcs – is not defined

    1. rtoodtoo Post author

      Apparently I forgot to paste the interface and zone config. Thanks for pointing this out, but I don’t have the config at the moment. vlan.11 seems to have address and home-pcs should be a simple internal facing zone.

    1. rtoodtoo Post author

      Aaron, I think I did dynamic VPN tests both on 11.4 and 12.1 and don’t recall having seen this issue.
      As recommended in the forum, I think it is better to contact JTAC for investigation if it hasn’t been done so far.

  2. Matthias Šubik

    Thanks for your insight. I’m struggling to get more than one hard-coded user to work. There is the possibility to name “user-groups” instead of “user”, but I can’t figure out what to fill in here.
    Also, if I look at the LDAP lookup via traceoptions, it stops where the bind succeeds.

    1. rtoodtoo Post author

      Gregory, currently it doesn’t have this feature. Who knows maybe in the future.

    1. rtoodtoo Post author

      If you provide your input, I would appreciate it, Emil, as I can’t update SRX posts anymore.

