How-To: Apple iPhone/iPad VPN to Juniper SRX

By Elevate posted 04-05-2016 08:00


With the latest Apple iOS improvements, and support for IKEv2, it's now possible to establish a VPN connection between Apple iPhone/iPad devices and Juniper SRX devices.

Note: You must have Apple iOS 9.x installed and have access to an Apple Mac to prepare an Apple VPN profile.

Read Milan's attached PDF, which provides instructions based on his personal lab tests.


Note: The same VPN profile can be used on an Apple Mac, at least on a MacBook Pro with OS X El Capitan (what Milan tested).



Apple VPN and Juniper SRX.pdf



01-06-2017 05:52

Hi all,


Thanks for this wonderful PDF with all the information!!!

I'm only having an issue at one of the last steps with the configuration of the SRX. I tried every possible combination but none worked. I'm running an SRX210H with 12.1R1.9


I did add in the following range:

First interface st0, routing-options, ike proposal, ike policy, access profile, security flow, ike gateway. So far so good; after every part I did a commit that completed. But when I added the ipsec vpn part, it got bumped. Can someone please advise me on what is going wrong?



serdar@SRX210# commit
[edit security ipsec vpn picotest ike gateway]
  'gateway gw_picotest'
Shared or group ike policy cannot refer to route-based vpn
error: commit failed: (statements constraint check failed)

[edit]
serdar@SRX210# show | compare
[edit security ipsec]
+   vpn picotest {
+       bind-interface st0.2;
+       ike {
+           gateway gw_picotest;
+           proxy-identity {
+               local;
+               remote;
+               service any;
+           }
+           ipsec-policy ipsec_pol_picotest;
+       }
+   }

serdar@SRX210> show configuration security ike
gateway gw_picotest {
ike-policy ike_pol_picotest;
dynamic {
hostname .local;
ike-user-type group-ike-id;
local-identity hostname;
external-interface ge-0/0/0.0; ## this is my interface facing to my ISP
xauth access-profile picotest;
version v2-only;

 All help would be appreciated!!

08-11-2016 00:01

Hi pk,


A follow-up on my comment. If you are using plain IKEv2/IPsec I don't see the need for a license, but then it cannot be authenticated on username+password.


Regarding Dynamic VPN for SRX300 series, it will be reintroduced in 15.1X49-D60 which is expected to be released in September 2016. I don't know how licensing will be but I expect something similar to the licensing scheme on the old series.

08-10-2016 13:04


04-11-2016 13:42

 Hi Jonas,


Thanks for your answer, I have heard about dynamic VPN going away and that is actually one reason why I was asking (if we don't have dynamic VPN, is there any other supported solution currently? If just using standard protocols to connect, why can not that be supported?).


However I'm still not sure about licenses. Dynamic VPN license seems to be needed for dynamic VPN only, and this solution is only using IKEv2/IPsec, so should work with no license, right?




04-11-2016 13:19

Hi Petr,


I can answer the second question. Support for 2 concurrent users is included. If you need more than this, you can purchase a license for this, "SRX-RAC-<number>-LTU", where I remember 5, 10, 25, 50, 100 and 250 as possible numbers.


The sad part is that the dynamic VPN functionality has been completely removed from Junos 15.1X, meaning that this will not work on the new SRX300 series or SRX1500. This means you will need a separate device to handle your end user VPN client termination.


I know that there are dialogues about solutions to this, but nothing committed yet.



Best regards,


Jonas Hauge

04-11-2016 13:05

Thanks Cordelia -- sorry for tricky questions!


- PK

04-11-2016 11:39

Hi Peter,


AFAIK, this is not supported by Juniper, but verifying that with support. The TechWiki allows for non-supported solutions from customers in the TechWiki and on J-Net in general, as covered in our disclaimer.


For your second question, not sure, will check back with you as well on that.





04-11-2016 10:53

Very cool!


However I would like to know 2 things:

- Is this solution considered to be "supported" by Juniper;

- Does it require the license on the SRX side, like "dynamic VPN" license