Dynamic VPN Configuration Overview

A dynamic VPN allows administrators to provide IPsec access to a gateway on a Juniper Networks device while also providing a way to distribute the Dynamic VPN software to remote clients through the use of a Web portal.

The following procedure lists the tasks for configuring a dynamic VPN.

  1. Configure authentication and address assignment for the remote clients:

    1. Configure an XAuth profile to authenticate users and assign addresses. Either local authentication or an external RADIUS server may be used. Use the profile configuration statement at the [edit access] hierarchy level to configure the XAuth profile.

      To use the XAuth profile for Web authentication, use the web-authentication configuration statement at the [edit access firewall-authentication] hierarchy level.

    2. Assign IP addresses from a local address pool if local authentication is used. Use the address-assignment pool configuration statement at the [edit access] hierarchy level. A subnet or a range of IP addresses can be specified. IP addresses for DNS and WINS servers may also be specified.
  2. Configure the VPN tunnel:

    1. Configure the IKE policy. The mode must be aggressive. Basic, compatible, or standard proposal sets may be used. Only preshared keys are supported for Phase 1 authentication. Use the policy configuration statement at the [edit security ike] hierarchy level.
    2. Configure the IKE gateway. Either shared or group IKE IDs can be used. You can configure the maximum number of simultaneous connections to the gateway. Use the gateway configuration statement at the [edit security ike] hierarchy level.
    3. Configure the IPsec VPN. Basic, compatible, or standard proposal sets may be specified with the policy configuration statement at the [edit security ipsec] hierarchy level. Use the vpn configuration statement at the [edit security ipsec] hierarchy level to configure the IPsec gateway and policy.
    4. Configure a security policy to allow traffic from the remote clients to the IKE gateway. Use the policy configuration statement at the [edit security policies from-zone zone to-zone zone] hierarchy level.

      Note: Configure the security policy with the match criteria source-address any, destination-address any, and application any and the action permit tunnel ipsec-vpn with the name of the dynamic VPN tunnel. Place this policy at the end of the policy list.

    5. Configure host inbound traffic to allow specific traffic to reach the device from systems that are connected to its interfaces. For example, IKE and HTTPS traffic must be allowed. See Understanding How to Control Inbound Traffic Based on Traffic Types.
    6. (Optional) If the client address pool belongs to a subnet that is directly connected to the device, the device must respond to ARP requests for addresses in the pool from other devices in the same zone. Use the proxy-arp configuration statement at the [edit security nat] hierarchy level. Specify the interface that directly connects the subnet to the device and the addresses in the pool.
  3. Associate the dynamic VPN with remote clients:

    1. Specify the access profile for use with dynamic VPN. Use the access-profile configuration statement at the [edit security dynamic-vpn] hierarchy level.
    2. Configure the clients who can use the dynamic VPN. Specify protected resources (traffic to a protected resource travels through the specified dynamic VPN tunnel and is therefore subject to the firewall’s security policies) or exceptions to the protected resources list (traffic that does not travel through the dynamic VPN tunnel and is sent in cleartext). These options control the routes that are pushed to the client when the tunnel is up, and therefore which traffic is sent through the tunnel. Use the clients configuration statement at the [edit security dynamic-vpn] hierarchy level.

    Note: The Web portal requires that HTTPS is enabled on the Juniper Networks device. If HTTPS is already enabled for J-Web access, no further action is required.

Modified: 2016-07-07