(This draft is obsolete, because we dropped support for Remote Access VPN on SRX.)
- The feature adds Remote Access VPN support for SRX.
- SRX must be serving as both the firewall service provider and the VPN service provider.
- SRX should be running JunOS 10.4r1 or above.
- The feature is implemented using Juniper's Dynamic-VPN technology (refer to http://kb.juniper.net/InfoCenter/index?page=content&id=KB14318), so:
  - It only supports Juniper's proprietary VPN client (which can be downloaded from the SRX directly).
  - It only supports Windows XP, Vista or Windows 7.
  - Other limitations of Juniper Dynamic-VPN on SRX apply, including that you may need to buy a license from Juniper for more than 2 concurrent users.
- User acquires a new public IP in a network that the SRX is servicing.
- User enables Remote Access VPN on the IP.
- User adds a VPN user to it.
- The VPN user name takes the form xxx@IP-String, where IP-String=IP.replace(".", "-")
  - e.g. alice@10-223-69-19
  - Because a single SRX handles all the VPN users, this naming is needed to distinguish the users of different guest networks.
- VPN user opens a web browser in Windows, visits the SRX's public IP (which is usually the one used as the source NAT IP), and gets the client and configuration.
- VPN user connects to the network using the above username and the specified password, and it's done.
Architecture and Design description
- The whole process may be slightly different from the VPN in the VR case, since SRX would take care of all the configuration.
- The acquired public IP cannot be used as the gateway of the VPN server.
  - SRX does not support any IP other than the public interface's default IP for this purpose.
- Users need to have different names across the whole system
  - in order to distinguish users of different subnets by user name.
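The xxx@IP-String naming from the user flow, and the way the suffix identifies the guest network as described in the points above, can be sketched as follows. This is an added example, not code from this draft or from the project; the function names, the `NETWORKS` mapping and the second IP are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample data: public IP -> guest network it fronts (hypothetical names).
NETWORKS = {"10.223.69.19": "guest-net-a", "10.223.69.20": "guest-net-b"}

def build_vpn_username(local_name, public_ip):
    """Return local_name@IP-String, with IP-String = public_ip.replace('.', '-')."""
    if not local_name or "@" in local_name:
        raise ValueError("local name must be non-empty and must not contain '@'")
    ip = ipaddress.IPv4Address(public_ip)  # raises ValueError on malformed input
    return "{}@{}".format(local_name, str(ip).replace(".", "-"))

def parse_vpn_username(username):
    """Split a VPN user name into (local_name, dotted public IP), validating both."""
    local_name, sep, ip_string = username.rpartition("@")
    if not sep or not local_name or "@" in local_name:
        raise ValueError("expected exactly one '@' with a non-empty local name")
    octets = ip_string.split("-")
    if len(octets) != 4:
        raise ValueError("IP-String must be four '-'-separated octets")
    # IPv4Address rejects non-numeric and out-of-range octets.
    return local_name, str(ipaddress.IPv4Address(".".join(octets)))

def resolve_guest_network(username, networks):
    """Map a VPN user name to its guest network; unknown IPs are refused."""
    _, public_ip = parse_vpn_username(username)
    if public_ip not in networks:
        raise LookupError("no VPN-enabled network for " + public_ip)
    return networks[public_ip]

if __name__ == "__main__":
    name = build_vpn_username("alice", "10.223.69.19")
    print(name, "->", resolve_guest_network(name, NETWORKS))
```

Rejecting a local name that contains "@" and refusing suffixes that do not parse as an IPv4 address keeps the mapping from user name to guest network unambiguous.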
Reference for SRX limitation:
Web Services APIs
Reuses the same API as Remote Access VPN on VR.