Dynamic VPN Configurations on Juniper Router
Today I am going to walk through the configuration of Dynamic VPN on Juniper routers and then associate the Dynamic VPN with remote clients, step by step.
The configurations used here are for demo purposes only and have no relation to any live or enterprise network. To show what the topology looks like, I am including a sample Dynamic VPN topology here; it has no relation to the configuration defined below. The configuration is just for your reference, to take further on your own.
Fig 1.1- Dynamic VPN Sample Topology
To configure the VPN tunnel, you first need to configure the IKE policy.
Step 1: The configuration for the IKE policy is shown below (the commands are entered at the [edit security ike] hierarchy level):
ttlbits@juniper# set policy ike-dyn-vpn-policy mode aggressive
ttlbits@juniper# set policy ike-dyn-vpn-policy proposal-set standard
ttlbits@juniper# set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
Step 2: With the IKE policy set, configure the IKE gateway (also at the [edit security ike] hierarchy level).
ttlbits@juniper# set gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
ttlbits@juniper# set gateway dyn-vpn-local-gw dynamic hostname dynvpn
ttlbits@juniper# set gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
ttlbits@juniper# set gateway dyn-vpn-local-gw dynamic connections-limit 10
ttlbits@juniper# set gateway dyn-vpn-local-gw external-interface ge-0/0/15.0
ttlbits@juniper# set gateway dyn-vpn-local-gw aaa access-profile dyn-vpn-access-profile
Step 3: Now configure IPsec, the phase of the configuration that protects the IP traffic inside the tunnel (the commands are entered at the [edit security ipsec] hierarchy level).
ttlbits@juniper# set policy ipsec-dyn-vpn-policy proposal-set standard
ttlbits@juniper# set vpn dyn-vpn ike gateway dyn-vpn-local-gw
ttlbits@juniper# set vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
Step 4: After setting up IPsec, configure the security policy (entered under the relevant from-zone/to-zone context in [edit security policies]).
ttlbits@juniper# set policy dyn-vpn-policy match source-address any destination-address any application any
ttlbits@juniper# set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
Step 5: Now configure host inbound traffic (set within the security zone, under [edit security zones]).
ttlbits@juniper# set host-inbound-traffic system-services ike
ttlbits@juniper# set host-inbound-traffic system-services https
ttlbits@juniper# set host-inbound-traffic system-services ping
Associate the Dynamic VPN with Remote Clients
Step 1: Specify the access profile to use with dynamic VPN (the commands in this section are entered at the [edit security dynamic-vpn] hierarchy level).
ttlbits@juniper# set access-profile dyn-vpn-access-profile
Step 2: Configure the clients who can use the dynamic VPN.
ttlbits@juniper# set clients all ipsec-vpn dyn-vpn
ttlbits@juniper# set clients all user client1
ttlbits@juniper# set clients all user client2
ttlbits@juniper# set clients all remote-protected-resources 10.0.0.0/8
ttlbits@juniper# set clients all remote-exceptions 0.0.0.0/0
To verify the Dynamic VPN on the router, use the commands below for reference:
ttlbits@juniper> show security ike security-associations
ttlbits@juniper> show security ike active-peer
ttlbits@juniper> show security ipsec security-associations
ttlbits@juniper> show security dynamic-vpn users
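An added example, not part of the original post or any Juniper tooling: a small Python check that reads the set lines from steps 1, 4 and 5 and flags settings to review before this demo configuration is adapted for real use. IKEv1 aggressive mode with a pre-shared key exposes a key-derived hash to anyone observing the exchange, so a short key is open to offline guessing; the rule names and the 20-character threshold are assumptions of this example.

```python
import re
import shlex

# Constructed sample: the page's own "set" lines from steps 1, 4 and 5, prompt removed.
SAMPLE = '''
set policy ike-dyn-vpn-policy mode aggressive
set policy ike-dyn-vpn-policy proposal-set standard
set policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC789"
set policy dyn-vpn-policy match source-address any destination-address any application any
set policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set host-inbound-traffic system-services ike
set host-inbound-traffic system-services ping
'''

MIN_PSK_LEN = 20  # assumed local policy threshold, not a Junos limit


def audit(config_text):
    """Return sorted (rule, policy-or-service) findings for Junos-style set lines."""
    aggressive, psk, match_any, tunnel = set(), {}, set(), set()
    findings = set()
    for raw in config_text.splitlines():
        # Drop an optional "user@host# " CLI prompt, then tokenise (quoted keys stay whole).
        tok = shlex.split(re.sub(r'^\S+@\S+#\s*', '', raw.strip()))
        if tok[:1] != ['set']:
            continue
        if tok[1:2] == ['policy'] and len(tok) >= 4:
            name, rest = tok[2], tok[3:]
            if rest[:2] == ['mode', 'aggressive']:
                aggressive.add(name)
            elif rest[:2] == ['pre-shared-key', 'ascii-text'] and len(rest) > 2:
                psk[name] = rest[2]
            elif rest[0] == 'match':
                fields = dict(zip(rest[1::2], rest[2::2]))
                keys = ('source-address', 'destination-address', 'application')
                if all(fields.get(k) == 'any' for k in keys):
                    match_any.add(name)
            elif rest[:3] == ['then', 'permit', 'tunnel']:
                tunnel.add(name)
        elif tok[1:4] == ['host-inbound-traffic', 'system-services', 'ping']:
            findings.add(('PING_HOST_INBOUND', 'ping'))  # optional service to review
    for name, key in psk.items():
        if name in aggressive:
            findings.add(('AGGRESSIVE_MODE_WITH_PSK', name))
        if len(key) < MIN_PSK_LEN:
            findings.add(('SHORT_PSK', name))
    # A tunnel policy that matches any source, destination and application.
    findings.update(('ANY_ANY_TUNNEL_POLICY', n) for n in match_any & tunnel)
    return sorted(findings)
```

Calling audit(SAMPLE) returns four findings for the demo configuration; lines copied with the ttlbits@juniper# prompt still attached are accepted as well.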