Migrating from Junos OS Dynamic VPN to Juniper Secure Connect
This topic is intended for users who have existing Dynamic VPN deployments and are planning to migrate to Juniper Secure Connect. If you are new to Juniper Secure Connect, you can skip this topic.
Before You Begin:
Learn about the feature comparison. See Feature Support Comparison Between Juniper Secure Connect and Dynamic VPN.
Learn about the feature enhancements. See Benefits of Juniper Secure Connect.
We recommend that you back up the current working configuration in case you later need to roll back and your rollback history has rolled over for some reason.
For more information, see Rescue and Recovery of Configuration File.
As a first step, ensure that you have installed the license for Juniper Secure Connect if you need more than two concurrent users.
Before You Start
Complete the following tasks that are related to Dynamic VPN:
Update your firewall policies used for Dynamic VPN:
Verify the from-zone option in the current Dynamic VPN policies. The from-zone option will be the source-zone used in the Juniper Secure Connect VPN wizard.
Remove firewall policies that refer to Dynamic VPN.
Delete IKE and IPsec configurations created for the Dynamic VPN configuration under edit security dynamic-vpn, edit security ike, and edit security ipsec hierarchies.
Getting Started with J-Web Wizards
We recommend that you use the J-Web wizard for Juniper Secure Connect configuration.
We recommend that you start with a new deployment of Juniper Secure Connect, because migrating the current settings makes it likely that one or more values are overlooked. Use the following guidance for the fresh setup of Juniper Secure Connect.
Check if you have any split tunneling rules. These rules specify the remote protected resources behind the SRX Series device that the client communicates with over the VPN tunnel. You can check your rules at the [set security dynamic-vpn clients configuration-name remote-protected-resources] hierarchy level. The same split tunnel definitions are used in the Secure Connect VPN wizard as protected-networks.
Start a new deployment in the J-Web deployment wizard. We recommend enabling the Auto-create Firewall Policy option to create a firewall policy automatically.
You can reuse the access profiles and address-assignment pool in this workflow.
If you already have a route from your network pointing to the SRX Series device for the IP addresses that are included in the address-assignment pool or defined through RADIUS, you can disable the use of source NAT.
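The checks in Before You Start and the split tunneling check above can be run against a saved copy of the configuration before anything is deleted. The following Python script is an added example, not Juniper tooling. It assumes the configuration was exported in display set format and that object names contain no spaces; every object name in the sample is constructed. It lists the values to re-enter in the wizard (source zone, protected networks, access profile) and only those firewall, IKE, and IPsec objects that nothing other than Dynamic VPN references, so objects shared with site-to-site VPNs are not removed by mistake.

```python
import re

# Constructed `show configuration | display set` excerpt; every object name is made up.
SAMPLE = """\
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway s2s-gw ike-policy ike-s2s-policy
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security ipsec vpn s2s-vpn ike gateway s2s-gw
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-protected-resources 172.16.10.0/24
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security policies from-zone untrust to-zone dmz policy s2s-policy then permit tunnel ipsec-vpn s2s-vpn
"""

def grab(pattern, cfg):
    """Return the captured groups of every config line matching the pattern."""
    return re.findall(r"^set security " + pattern + r"$", cfg, flags=re.M)

def inventory(cfg):
    """Values to re-enter in the wizard plus objects used only by Dynamic VPN.
    Assumes object names contain no spaces."""
    vpns = set(grab(r"dynamic-vpn clients \S+ ipsec-vpn (\S+)", cfg))
    def owned(pairs, owners):
        # Names referenced by Dynamic VPN owners and by no other object.
        return {n for o, n in pairs if o in owners} - {n for o, n in pairs if o not in owners}
    refs = grab(r"ipsec vpn (\S+) ike (gateway|ipsec-policy) (\S+)", cfg)
    gateways = owned([(v, n) for v, k, n in refs if k == "gateway"], vpns)
    ipsec_policies = owned([(v, n) for v, k, n in refs if k == "ipsec-policy"], vpns)
    ike_policies = owned(grab(r"ike gateway (\S+) ike-policy (\S+)", cfg), gateways)
    tunnels = [t for t in grab(r"policies from-zone (\S+) to-zone \S+ policy (\S+)"
                               r" then permit tunnel ipsec-vpn (\S+)", cfg) if t[2] in vpns]
    return {
        "source_zones": sorted({zone for zone, _, _ in tunnels}),
        "protected_networks": sorted(grab(r"dynamic-vpn clients \S+ remote-protected-resources (\S+)", cfg)),
        "access_profiles": sorted(grab(r"dynamic-vpn access-profile (\S+)", cfg)),
        "firewall_policies": sorted({name for _, name, _ in tunnels}),
        "ike_gateways": sorted(gateways), "ike_policies": sorted(ike_policies),
        "ipsec_vpns": sorted(vpns), "ipsec_policies": sorted(ipsec_policies),
    }

if __name__ == "__main__":
    for key, values in inventory(SAMPLE).items():
        print(f"{key}: {', '.join(values)}")
```

An IKE or IPsec policy that a non-Dynamic-VPN object also references is left out of the deletion list, so review anything you expected to see there but that is missing.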
Now you are ready to start configuring Juniper Secure Connect.