How to Migrate to Juniper Secure Connect

Advantages of Juniper Secure Connect over Dynamic VPN

Dynamic VPN is a legacy offering from Juniper Networks. Read this topic to understand the differences between Juniper Secure Connect and Dynamic VPN, and why Juniper Secure Connect is preferred over Dynamic VPN.

Figure 1 shows the high-level comparison between Juniper Secure Connect and Dynamic VPN.

Table 1 shows the connection feature related differences between dynamic VPN and Juniper Secure Connect on SRX Series Firewalls:

Table 1: Differences Between Dynamic VPN and Juniper Secure Connect on SRX Series Firewalls

Connection Features	Dynamic VPN	Juniper Secure Connect
Connection mode	IPsec mode	IPsec is the preferred mode. Juniper Secure Connect automatically changes the protocol to SSL-VPN on need basis to bypass restrictive networks where IPsec traffic is blocked.
VPN connectivity mode	Policy-based VPN, which requires each firewall policy to define the connectivity and VPN establishment.	Route-based VPN connectivity. Allows you to define fine granular firewall policies including other services, such as Advanced Threat Prevention (ATP) Cloud, User Firewall, and so on.

Note:

With Juniper Secure Connect offering more benefits, we do not provide Dynamic VPN as a solution for remote access VPN deployment. While we plan to discontinue support for Dynamic VPN, we recommend you to migrate existing Dynamic VPN deployments to Juniper Secure Connect. For migrating to Juniper Secure Connect, see Migrating from Junos OS Dynamic VPN to Juniper Secure Connect.

Licensing Requirements

As a first step, ensure that you have installed the license for Juniper Secure Connect if you need more than two concurrent users.

Licenses for Juniper Secure Connect

Configuration Requirements

Note:

Dynamic VPN documentation is archived at Junos OS and Junos OS Evolved 23.1 Portable Library. To access the documentation, download and unzip the archived file. Locate the vpn-ipsec.pdf file in the unzipped folder and navigate to Remote Access VPN chapter.

Complete the following tasks that are related to Dynamic VPN:

• Update your firewall policies used for Dynamic VPN:

  • Verify the from-zone option in the current Dynamic VPN policies. The from-zone option will be the source-zone used in the Juniper Secure Connect VPN wizard.

  • Remove firewall policies that refer Dynamic VPN.

• Delete IKE and IPsec configurations created for the Dynamic VPN configuration under edit security dynamic-vpn, edit security ike, and edit security ipsec hierarchies.

J-Web Wizard for Migration

You can use J-Web wizard for Juniper Secure Connect configuration.

We recommend you to start with a new deployment of Juniper Secure Connect. Because migrating the current settings is likely to cause overlooking of one or more values. Use the following guidance for the fresh setup of Juniper Secure Connect.

• Check if you have any split tunneling rules. These rule specify remote protected resources behind the SRX Series Firewall, that the client communicates with, over the VPN tunnel. You can check your rules at [set security dynamic-vpn clients configuration-name remote-protected-resources] hierarchy-level. The same split tunnel definitions are used in the Secure Connect VPN wizard as protected-networks.

• Start a new deployment in the J-Web deployment wizard. We recommend enabling the Auto-create Firewall Policy option to create a firewall policy automatically.

• You can reuse the access profiles and address-assignment pool in this workflow.

• If you already have a route from your network pointing to the SRX Series Firewalls and included that IP address in the address assignment pool or defined through the RADIUS, you can disable the use of source NAT.

• Now you are ready to start configuring Juniper Secure Connect.