
Configuring a Dynamic VPN—Overview

The dynamic VPN feature secures traffic through your network by passing it through IPsec VPN tunnels. To configure an IPsec VPN tunnel, you must specify Phase 1 settings (which enable participants to establish a secure channel in which to negotiate the IPsec security association (SA)), and Phase 2 settings (which enable participants to negotiate the IPsec SA that authenticates traffic flowing through the tunnel). This section describes the order in which you must configure these tunnel negotiation settings as well as other tasks you must complete in order to enable the tunnels on your network.

The dynamic VPN feature is disabled by default on the device. You must enable and configure it before you can use it.

Before You Begin

For background information, read

To configure the dynamic VPN feature, you must do the following:

  1. Define an outgoing interface by using the edit interfaces configuration statement. Use this interface to pass IKE security associations (SAs) through the device. (You will need to select this interface when configuring your IKE gateway.) For more information about interfaces, see the JUNOS Software Interfaces and Routing Configuration Guide.
  2. Create security policies by using the edit security policies configuration statement. Use these policies to define which traffic can pass through your network. (After you create your VPN configuration, you will need to add it to this policy.) For more information about security policies, see Security Policies Overview.
  3. Create at least one access profile by using the edit access profile configuration statement. Use the access profile(s) to control the authentication of users who want to download Access Manager and users who want to establish dynamic VPN tunnels to your firewall. (You will need to select these access profiles when configuring your IKE gateway and dynamic VPN global options. Note that you can use the same access profile to authenticate users in both cases, or you can use separate access profiles to authenticate downloads and VPN sessions.) For more information about access profiles, see Understanding Authentication Schemes.
  4. Create an IKE gateway to include in your VPN configuration:
    1. Create one or more IKE Phase 1 proposals by using the edit security ike proposal configuration statement. (You will need to select this proposal when configuring your IKE policy.) For more detailed configuration instructions, see:
    2. Create one or more IKE policies by using the edit security ike policy configuration statement. (You will need to select this policy when configuring your IKE gateway.) For more detailed configuration instructions, see:
    3. Create an IKE gateway configuration by using the edit security ike gateway configuration statement. (You will need to select this gateway when configuring your IPsec AutoKey.) For more detailed configuration instructions, see:
  5. Create an IPsec AutoKey to include in your VPN configuration:
    1. Create one or more IPsec Phase 2 proposals by using the edit security ipsec proposal configuration statement. (You will need to select this proposal when configuring your IPsec policy.) For more detailed configuration instructions, see:
    2. Create one or more IPsec policies by using the edit security ipsec policy configuration statement. (You will need to select this policy when configuring your IPsec AutoKey.) For more detailed configuration instructions, see:
    3. Create an IPsec AutoKey configuration by using the edit security ipsec autokey configuration statement. (You will need to select this IPsec AutoKey configuration when configuring your VPN client configuration.) For more detailed configuration instructions, see:
  6. Create a client VPN configuration by using the edit security dynamic-vpn clients configuration statement. The settings are downloaded as part of the client to your users’ computers and are used to establish the dynamic VPN tunnels between the clients and the server. For more detailed configuration instructions, see:
  7. Update your security policy (or policies) to include your client VPN configuration by using the edit security from-zone zone-name to-zone zone-name policy then permit tunnel ipsec-vpn vpn-name configuration statement. For more information about policies, see Security Policies Overview.
  8. Specify global settings for client downloads by using the edit security dynamic-vpn access-profile configuration statement and the edit security dynamic-vpn force-upgrade configuration statement. For more detailed configuration instructions, see:
