Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring the VPN-as-a-Service (VPNaaS) Plug-in


Juniper Networks VPN-as-a-Service (VPNaaS) builds on top of the Juniper Networks L3 and FWaaS plug-ins. Use the VPNaaS plug-in to configure site-to-site VPN on SRX and vSRX devices.

Supported Devices

SRX and vSRX series devices

Plug-in Configuration

Before you proceed, ensure that the following pre-requisites are met:

  • Topology is set up:

    • Devices are added to jnpr_devices table.

    • Compute NIC – Physical network alias mapping is added to jnpr_nic_mapping table.

    • Compute – Switch connectivity is captured in jnpr_switchport_mapping table, which is needed for L2 VLAN orchestration.

  • L2 plug-in is setup. This is optional if you are using a 3rd party ML2 plug-in.

  • L3 plug-in is setup to use the SRX/vSRX as the router.

  • FwaaS plug-in is setup (optional).

To configure the OpenStack Neutron to use Juniper Networks VPNaaS service plug-in:

  1. Update the Neutron configuration file /etc/neutron/neutron.conf file and append service_plug-ins with the following:

    The following steps are optional if the FWaaS plug-in is already configured.

  2. Add a firewall to the topology:
    admin@controller:~$ jnpr_device add -d device-name -c firewall -u root-user -p root-password
  3. Define the downlink trunk port on the SRX device on which the RVIs are created by the plug-in.

    Update the plug-in database with the port on the SRX device to which the Aggregation Switch is connected:

    admin@controller:~$ jnpr_device_port -d srx-device-name-or-switch-ip-address -p port-on-the-srx -t port-type

    For example:

    admin@controller:~$ jnpr_device_port add -d srx1 –p ge-0/0/1 –t Downlink
  4. Allocate the firewall to a tenant or as a default for all tenants:
    admin@controller:~$ jnpr_allocate_device add -t project-id -d srx-or-vsrx-ip-address

    To allocate the firewall as a default to all the tenants who do not have a firewall allocated to them:

    admin@controller:~$ jnpr_allocate_device add -t default -d srx-or-vsrx-ip-address
  5. After completing the FWaaS plug-in configuration, restart the following:
    • Neutron-Server

      • Ubuntu - service neutron-server restart

      • CentOS - systemctl restart neutron-server

    • Apache (restarts Horizon)

      • Ubuntu - service apache2 restart

      • CentOS - systemctl restart httpd

  6. From the Horizon GUI, create a VPN IPSEC site connection along with its associated IKE, IPSEC and VPNService components. You can view the corresponding IKE, IPSEC, IKE GW configurations that are activated on the SRX/vSRX.