Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Migrating from Junos OS Dynamic VPN to Juniper Secure Connect

SUMMARY This topic is intended for the users who have existing dynamic VPN deployments and are planning to migrate to Juniper Secure Connect. If you are a new user for Juniper Secure Connect, you can skip this topic.

Before You Begin:

Best Practice:

We recommend you to backup the current working configuration if you later need to rollback and have a rolled over your history of rollbacks for some reason.

For more information, see Rescue and Recovery of Configuration File.

Licensing Requirements

As a first step, ensure that you have installed the license for Juniper Secure Connect if you need more than two concurrent users.

Licenses for Juniper Secure Connect

Before You Start


Dynamic VPN documentation is archived at Junos OS and Junos OS Evolved 23.1 Portable Library. To access the documentation, download and unzip the archived file. Locate the vpn-ipsec.pdf file in the unzipped folder and navigate to Remote Access VPN chapter.

Completed the following tasks that are related to Dynamic VPN:

  • Update your firewall policies used for Dynamic VPN:

    • Verify the from-zone option in the current Dynamic VPN policies. The from-zone option will be the source-zone used in the Juniper Secure Connect VPN wizard.

    • Remove firewall policies that refer Dynamic VPN.

  • Delete IKE and IPsec configurations created for the Dynamic VPN configuration under edit security dynamic-vpn, edit security ike, and edit security ipsec hierarchies.

Getting Started with J-Web Wizards

We recommend you to use J-Web wizard for Juniper Secure Connect configuration.

We recommend you to start with a new deployment of Juniper Secure Connect. Because migrating the current settings is likely to cause overlooking of one or more values. Use the following guidance for the fresh setup of Juniper Secure Connect.

  • Check if you have any split tunneling rules. These rule specify remote protected resources behind the SRX Series Firewall, that the client communicates with, over the VPN tunnel. You can check your rules at [set security dynamic-vpn clients configuration-name remote-protected-resources] hierarchy-level. The same split tunnel definitions are used in the Secure Connect VPN wizard as protected-networks.

  • Start a new deployment in the J-Web deployment wizard. We recommend enabling the Auto-create Firewall Policy option to create a firewall policy automatically.

  • You can reuse the access profiles and address-assignment pool in this workflow.

  • If you already have a route from your network pointing to the SRX Series Firewalls and included that IP address in the address assignment pool or defined through the RADIUS, you can disable the use of source NAT.

  • Now you are ready to start configuring Juniper Secure Connect.