(This draft is obsolete because we dropped support for Remote Access VPN on SRX.)



Document History


Feature Specifications

  • The feature would add Remote Access VPN support for SRX.
  • SRX must serve as both the Firewall service provider and the VPN service provider.
  • SRX should be running JunOS 10.4r1 or above.
  • The feature is implemented using Juniper's Dynamic-VPN technology (refer to http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318), so:
    • It would only support Juniper's proprietary VPN client (which can be downloaded from the SRX directly).
    • It would only support Windows XP, Vista or Windows 7.
    • Other limitations of Juniper Dynamic-VPN on SRX apply, including that you may need to buy a license from Juniper for more than 2 concurrent users.

Use cases

  1. The user acquires a new public IP in a network that the SRX is servicing.
  2. The user enables Remote Access VPN on the IP.
  3. The user adds a VPN user to it.
    1. The VPN user name would be in the form xxx@IP-String, where IP-String=IP.replace(".", "-")
      1. e.g. alice@10-223-69-19
    2. Because a single SRX handles all the VPN users, we need this scheme to distinguish the users of different guest networks.
  4. The VPN user opens a web browser in Windows, visits the SRX's public IP (which is usually used as the source NAT IP), and gets the client and configuration.
  5. The VPN user connects to the network using the above user name and the specified password. And it's done.
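
The naming scheme from step 3, as an added example (not part of the original draft or of the project's code): it builds the user name and parses it back strictly, since on a shared SRX the IP-String suffix is the only thing binding a VPN user to one guest network. The function names and the allowed character set for the local part are assumptions.

```python
import ipaddress
import re

# Assumption: the part before "@" is limited to a conservative character set;
# the draft does not say which characters are allowed. "@" is excluded so the
# IP-String suffix can never be ambiguous.
_LOCAL_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
_IP_STRING_RE = re.compile(r"[0-9]{1,3}(-[0-9]{1,3}){3}")


def build_vpn_username(local, public_ip):
    """Return local@IP-String, where IP-String = IP.replace(".", "-")."""
    if not _LOCAL_RE.fullmatch(local):
        raise ValueError(f"invalid local part: {local!r}")
    ip = ipaddress.IPv4Address(public_ip)  # raises ValueError if malformed
    return f"{local}@{str(ip).replace('.', '-')}"


def parse_vpn_username(username):
    """Split local@IP-String back into (local, IPv4Address), strictly."""
    local, sep, ip_string = username.rpartition("@")
    if not sep or not _LOCAL_RE.fullmatch(local):
        raise ValueError(f"malformed VPN user name: {username!r}")
    if not _IP_STRING_RE.fullmatch(ip_string):
        raise ValueError(f"malformed IP-String: {ip_string!r}")
    ip = ipaddress.IPv4Address(ip_string.replace("-", "."))
    # Round-trip check: reject non-canonical spellings such as leading zeros,
    # so two different strings can never name the same guest network.
    if str(ip).replace(".", "-") != ip_string:
        raise ValueError(f"non-canonical IP-String: {ip_string!r}")
    return local, ip


def user_belongs_to(username, public_ip):
    """True only if the name parses and is bound to exactly this public IP."""
    try:
        _, ip = parse_vpn_username(username)
    except ValueError:
        return False
    return ip == ipaddress.IPv4Address(public_ip)


if __name__ == "__main__":
    name = build_vpn_username("alice", "10.223.69.19")  # address from the draft
    print(name, user_belongs_to(name, "10.223.69.19"))
```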

Architecture and Design description

  • The whole process may be slightly different from the VPN in VR case, since SRX would take care of all the configuration.


  1. The acquired public IP cannot be used as the gateway of the VPN server.
    1. SRX doesn't support any IP other than the public interface's default IP for this purpose.
  2. Users need to have different names across the whole system.
    1. This is in order to distinguish the users of different subnets through the user name.

References for SRX limitations:

1. http://kb.juniper.net/InfoCenter/index?page=content&id=KB26027

2. http://forums.juniper.net/t5/SRX-Services-Gateway/Dynamic-VPN-with-Multiple-Xauth-Profile-is-supported/td-p/101536

Web Services APIs

The same API as for Remote Access VPN on VR is reused.

UI flow

  • either demonstrate it visually here or link to relevant mockups


Appendix A:

Appendix B:
