Related Documentation
- LN, SRX Series
- Understanding IKE and IPsec Packet Processing
- SRX Series
- Dynamic VPN Overview
- Dynamic VPN Configuration Overview
- Example: Configuring Dynamic VPN
- Additional Information
- Dynamic VPN Feature Guide for SRX Series Devices
Understanding Dynamic VPN Tunnels
Dynamic VPN tunnels are configured in the same way as traditional IPsec VPN tunnels. However, not all IPsec VPN options are supported.
The following list describes the requirements and supported options when configuring dynamic VPN tunnels:
- Only policy-based VPNs are supported. Route-based VPNs (an IPsec VPN bound to an st0 tunnel interface) are not supported with dynamic VPN tunnels. Which traffic the client sends through the VPN is controlled by pushing routes (the remote protected resources) to the client as part of its configuration.
- Dynamic VPN tunnels must be configured with extended authentication (XAuth), using either local authentication or an external RADIUS server. XAuth is required to obtain the username and password during the IKE negotiation and to push an IP address to the remote client. For local authentication, the IP addresses assigned to remote clients can be drawn from a local address pool. Optionally, DNS and WINS server addresses may also be pushed to the remote client.
- Only preshared keys are supported for Phase 1 authentication with dynamic VPN tunnels. The same preshared key can be used for all remote clients, because each remote client is distinguished by its own XAuth username and password.
- When a dynamic VPN client negotiates an AutoKey IKE tunnel with a preshared key, aggressive mode must be used, so you must always configure aggressive mode with dynamic VPN tunnels. Note that aggressive mode sends the identity and the preshared-key-derived hash before the exchange is encrypted, which exposes a shared preshared key to offline dictionary attacks; use a long, randomly generated preshared key and treat the per-user XAuth credentials as the individual authentication factor.
- Shared or group IKE IDs can be used to configure a single VPN that is shared by all remote clients. When a single VPN is shared, the total number of simultaneous connections to the gateway cannot be greater than the number of dynamic VPN licenses installed. When configuring a shared or group IKE ID gateway, you can configure the maximum number of connections to be greater than the number of installed dynamic VPN licenses; however, any new connection that would exceed the number of licensed connections is denied.
Note: When a client disconnects abruptly, the device does not release that user's license immediately, so the license is temporarily unavailable to new users. You can reduce the IPsec SA lifetime to shorten the delay before the license becomes available again.
- The dynamic VPN client supports the following algorithms: MD5, SHA-1, DES, 3DES, and AES (with 128-bit, 192-bit, and 256-bit keys). The dynamic VPN client supports DH groups 1, 2, and 5. Tunnel negotiations fail if other values are configured on the Juniper Networks device.
- Either proposal sets or custom proposals may be configured for IKE and IPsec negotiations. If the IKE or IPsec policy references a list of custom proposals, only the first proposal in the list is sent to the client; the other proposals in the list are ignored.
- The same access profile should be referenced by both the IKE gateway (as its XAuth access profile) and the dynamic VPN configuration. Doing so avoids unpredictable behavior if the tunnel goes down unexpectedly or the client crashes.
- The number of user licenses must be equal to the number of dynamic VPN client connections. For example, if you have 10 user licenses, you can make 10 dynamic VPN client connections. When you make the 11th dynamic VPN client connection, the connection will be denied.
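The constraints above are easy to violate with a configuration that still commits cleanly, and the failure only shows up as a client that cannot negotiate. The following linter, an added example that is not part of the original page or of Juniper's software, checks a Junos "show configuration | display set" dump for the Phase 1 rules listed here: policy-based VPN only (no bind-interface), XAuth present and using the same access profile as the dynamic VPN stanza, aggressive mode, preshared-key authentication, client-supported algorithms and DH groups, a single effective proposal, and a connections-limit that does not exceed the installed license count. The sample configurations are constructed for the example, the Junos keyword spellings for the algorithm names are assumed from common SRX configurations, and the license count is passed in by the caller rather than read from the device.

```python
"""Lint a Junos 'show configuration | display set' dump against the dynamic
VPN tunnel constraints listed above. Added example; not Juniper code."""
import shlex

# Algorithms and DH groups the dynamic VPN client supports, in Junos keyword
# spelling (the keyword spellings are assumed from common SRX configurations).
CLIENT_ENC = {"des-cbc", "3des-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}
CLIENT_AUTH = {"md5", "sha1"}
CLIENT_DH = {"group1", "group2", "group5"}


def parse_set_config(text):
    """One token list per 'set ...' line; a '[ a b ]' value becomes a nested list."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        toks = shlex.split(line[4:])
        if "[" in toks:
            i, j = toks.index("["), toks.index("]")
            toks = toks[:i] + [toks[i + 1:j]] + toks[j + 1:]
        stmts.append(toks)
    return stmts


def match(stmts, *pattern):
    """Statements whose leading tokens equal pattern; None is a wildcard."""
    n = len(pattern)
    return [t for t in stmts
            if len(t) >= n and all(p is None or p == t[i] for i, p in enumerate(pattern))]


def vals(stmts, *pattern):
    """The token right after each match, with '[ a b ]' lists flattened."""
    out = []
    for t in match(stmts, *pattern):
        if len(t) > len(pattern):
            v = t[len(pattern)]
            out.extend(v if isinstance(v, list) else [v])
    return out


def check_ike_proposal(s, prop, findings):
    """Phase 1 proposal must be PSK-authenticated and use client-supported algorithms."""
    if vals(s, "security", "ike", "proposal", prop, "authentication-method") != ["pre-shared-keys"]:
        findings.append(f"ike proposal {prop}: authentication-method must be pre-shared-keys")
    for knob, allowed in (("dh-group", CLIENT_DH), ("encryption-algorithm", CLIENT_ENC),
                          ("authentication-algorithm", CLIENT_AUTH)):
        for v in vals(s, "security", "ike", "proposal", prop, knob):
            if v not in allowed:
                findings.append(f"ike proposal {prop}: {knob} {v} is not supported by the client")


def lint_dynamic_vpn(text, licenses):
    """Return a list of findings; empty means every constraint checked here holds.
    `licenses` is the installed dynamic VPN license count (from 'show system license')."""
    s = parse_set_config(text)
    findings = []
    dvpn_profile = vals(s, "security", "dynamic-vpn", "access-profile")
    for vpn in sorted(set(vals(s, "security", "dynamic-vpn", "clients", None, "ipsec-vpn"))):
        if match(s, "security", "ipsec", "vpn", vpn, "bind-interface"):
            findings.append(f"ipsec vpn {vpn}: bind-interface set; dynamic VPN must be policy-based")
        for gw in vals(s, "security", "ipsec", "vpn", vpn, "ike", "gateway"):
            xauth = vals(s, "security", "ike", "gateway", gw, "xauth", "access-profile")
            if not xauth:
                findings.append(f"ike gateway {gw}: xauth access-profile missing; XAuth is mandatory")
            elif dvpn_profile and xauth[0] != dvpn_profile[0]:
                findings.append(f"ike gateway {gw}: xauth profile {xauth[0]} differs from "
                                f"dynamic-vpn access-profile {dvpn_profile[0]}")
            for lim in vals(s, "security", "ike", "gateway", gw, "dynamic", "connections-limit"):
                if int(lim) > licenses:
                    findings.append(f"ike gateway {gw}: connections-limit {lim} exceeds {licenses} "
                                    "licenses; connections past the license count are denied")
            for pol in vals(s, "security", "ike", "gateway", gw, "ike-policy"):
                mode = vals(s, "security", "ike", "policy", pol, "mode")
                if mode != ["aggressive"]:
                    findings.append(f"ike policy {pol}: mode must be aggressive "
                                    f"(found {mode[0] if mode else 'main, the default'})")
                if not match(s, "security", "ike", "policy", pol, "pre-shared-key"):
                    findings.append(f"ike policy {pol}: no pre-shared-key configured")
                props = vals(s, "security", "ike", "policy", pol, "proposals")
                if len(props) > 1:
                    findings.append(f"ike policy {pol}: {len(props)} proposals listed; "
                                    f"only {props[0]} is sent to the client")
                for prop in props[:1]:  # only the first proposal reaches the client
                    check_ike_proposal(s, prop, findings)
    return findings


# Constructed sample: a compliant dynamic VPN gateway (names are illustrative).
SAMPLE_OK = """
set security ike proposal dyn-vpn-proposal authentication-method pre-shared-keys
set security ike proposal dyn-vpn-proposal dh-group group2
set security ike proposal dyn-vpn-proposal authentication-algorithm sha1
set security ike proposal dyn-vpn-proposal encryption-algorithm aes-256-cbc
set security ike policy dyn-vpn-policy mode aggressive
set security ike policy dyn-vpn-policy proposals dyn-vpn-proposal
set security ike policy dyn-vpn-policy pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway dyn-vpn-gw ike-policy dyn-vpn-policy
set security ike gateway dyn-vpn-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-gw xauth access-profile dyn-vpn-access
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dyn-vpn-ipsec-policy
set security dynamic-vpn access-profile dyn-vpn-access
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
"""

# Constructed sample: the same gateway with six of the rules above broken.
SAMPLE_BAD = (SAMPLE_OK.replace("mode aggressive", "mode main")
              .replace("proposals dyn-vpn-proposal", "proposals [ dyn-vpn-proposal p-fallback ]")
              .replace("dh-group group2", "dh-group group14")
              .replace("connections-limit 10", "connections-limit 25")
              .replace("xauth access-profile dyn-vpn-access", "xauth access-profile radius-users")
              + "set security ipsec vpn dyn-vpn bind-interface st0.0\n")

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint_dynamic_vpn(cfg, licenses=10) or "no findings")
```

The linter only covers the Phase 1 side of the list; the IPsec proposal and the security policy that carries the `tunnel ipsec-vpn` action are left to the operator. Pipe a real dump through it with the license count from `show system license` to catch a main-mode policy, a multi-proposal list or a profile mismatch before a client reports that it cannot connect.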
Modified: 2016-07-07