Creating IPsec VPNs

IPsec VPN provides a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication that passes through the WAN, create an IPsec tunnel.

After the VPN configuration is saved, you can provision this VPN on your security devices. VPN changes are published much like changes to firewall policies and IPS policies. You can publish and deploy a VPN configuration independently without waiting for a firewall, IPS, or NAT policy to get published first.

Before You Begin

Procedure

To configure an IPsec VPN:

  1. Select Configure > IPSec VPN > IPSec VPNs.
  2. Click the plus sign (+) to create a new IPSec VPN.

    The Create IPsec VPN page is displayed.

  3. Complete the IPsec VPN configuration parameters according to the guidelines provided in Table 272.
  4. Click the icon to configure the devices.

    The Device Selection page is displayed.

    Note: You will be prompted to select devices before configuring the gateway. To view or edit devices, click View/Select Devices.

  5. Complete the device configurations according to the guidelines provided in Table 273.
  6. Click OK.
  7. Click View IKE/IPSec Settings and complete the configurations according to the guidelines provided in Table 276.

    Note: If the profile type is Default, you can edit the IKE/IPSec Settings configurations. If the profile type is Shared Profile, you can only view the IKE/IPSec Settings configurations.

  8. Click Save.

A new IPsec VPN is created.

Table 272: IPsec VPN Configuration Parameters

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores; spaces are not allowed; maximum length is 62 characters. This is a mandatory field.

Description

Enter a description for the VPN; maximum length is 255 characters.

Tunnel Mode

Select either route based or policy based for tunnel mode.

Note: SRX Series devices support only tunnel mode.

Use route-based tunnel mode if:

  • Participating gateways are Juniper Networks products. We recommend the route-based option.

  • Either source or destination NAT must occur when traffic traverses the VPN.

  • Dynamic routing protocols must be used for VPN routing.

  • Primary and backup VPNs are required in the setup.

Use policy-based tunnel mode if:

  • The remote VPN gateway is a non-Juniper Networks device.

  • Access to the VPN must be restricted for specific application traffic.

Note: You cannot change the tunnel mode of an existing IPsec VPN. If the Tunnel Mode is Policy Based, then VPN Topology is Site to Site and Routing Topology is not applicable.

VPN Topology

Select a topology deployment for an IPsec VPN.

  • Site to Site—Select if a tunnel must be set up between two sites.

  • Hub and Spoke (Establishment All Peers)—Select if VPN must be set up from multiple remote sites through a centralized (main office or head office) hub gateway.

  • Hub and Spoke (Establishment by Spokes)—Auto VPN allows you to configure a hub for current and future spokes. No configuration changes are required on the hub when spoke devices are added or deleted, thus allowing administrators flexibility in managing large-scale network deployments.

  • Hub and Spoke (ADVPN-Auto Discovery VPN)—ADVPN dynamically establishes VPN tunnels between spokes to avoid routing traffic through the Hub.

  • Full Mesh—Select if there are two or more participating gateways and a separate tunnel must be set up with every other device in the group.

Routing Topology

Select one of the following options:

  • Traffic Selector (Auto Route Insertion)—A traffic selector is an agreement between Internet Key Exchange (IKE) peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.

  • Static routing—Generates static routing based on the protected networks or zones per device.

  • OSPF-Dynamic Routing—Generates OSPF configuration.

  • RIP-Dynamic Routing—Generates RIP configuration.

  • eBGP-Dynamic Routing—Generates eBGP configuration.

    Note: eBGP-Dynamic Routing is not applicable for Full Mesh VPN topology.

Profile Type

Select a Profile type:

  • Shared Profile—Select an existing profile. Shared profile can be used by one or more IPsec VPNs.

    Note: You can only view the details of the shared profiles by clicking View IKE/IPsec settings on the Create IPsec VPN page.

  • Default—Create a new profile, which is applicable to this IPsec VPN only.

    Note: You can view and edit the details by clicking View IKE/IPsec settings on the Create IPsec VPN page.

VPN Profile

Select a VPN profile from the drop-down list based on the deployment scenario.

Note: The VPN profile is applicable only if the Profile Type is Shared Profile.

Authentication Method

Select an authentication method.

Note: If the Profile Type is Shared Profile, default authentication method is displayed.

Preshared Key

Establish a VPN connection using a preshared key, which is essentially a password that is the same for both parties. Preshared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations.

Select the type of preshared key you want to use:

  • Autogenerate—Select if you want to automatically generate a unique key per tunnel. When selected, the Generate Unique key per tunnel check box is automatically selected. If you clear the Generate Unique key per tunnel check box, Security Director generates a single key for all tunnels.

  • Manual—Select to enter the key manually. By default, the manual key is masked. To unmask the manual key, select the Unmask check box.

Note: This is applicable only if the authentication method is Preshared based.

Max Transmission Unit

Select the maximum transmission unit (MTU) in bytes. This defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68 to 9192 bytes. The default value is 1500 bytes.

Tunnel IP

Enter the IP address of the network.

Shortcut Connection Limit

Select the maximum number of shortcut tunnels that can be created with different shortcut partners using a particular gateway. The maximum number, which is also the default, is platform-dependent.

Note: It is applicable only if the VPN topology is Hub and Spoke (ADVPN-Auto Discovery VPN).

Idle Threshold

Select the rate, in packets per second, below which the shortcut is brought down.

Range: 3 through 5,000 packets per second.

Note: It is applicable only if the VPN topology is Hub and Spoke (ADVPN-Auto Discovery VPN).

Idle Time

Select the duration, in seconds, after which the shortcut is deleted if the traffic remains below the idle-threshold value.

Range: 60 seconds through 86,400 seconds.

Note: It is applicable only if the VPN topology is Hub and Spoke (ADVPN-Auto Discovery VPN).

Table 273: VPN Topologies

VPN Topology

Description

Site to Site

Procedure

If the VPN topology is Site to Site:

  1. Click the device icon to configure the gateways.

    The Device Selection page is displayed.

  2. Complete the device selection according to the guidelines in Table 274.

    The Device configuration page is displayed.

  3. Complete the device configuration according to the guidelines in Table 275.

    After the configuration is complete, the device names are displayed at the gateway icons.

Hub and Spoke

Procedure

If VPN Topology is Hub and Spoke:

  1. Click the Hub or Spoke icon.

    The Device Selection page is displayed.

  2. Complete the device selection according to the guidelines in Table 274.

    The device settings page is displayed.

  3. Select a device and click the pencil icon to configure the settings.

    The Gateway Settings page is displayed.

  4. Complete the hub and spoke configuration according to the guidelines in Table 275.

Note: The topology displayed for hub and spoke is only a representation. You can configure any number of hubs and spokes.

The above procedure is applicable for Hub and Spoke (Establishment All Peers), Hub and Spoke (Establishment by Spokes), and Hub and Spoke (ADVPN-Auto Discovery VPN).

Full Mesh

Procedure

If VPN Topology is Full Mesh:

  1. Click an icon to configure a node.

    The Device Selection page is displayed.

  2. Complete the device selection according to the guidelines in Table 274.

    The Device Settings page is displayed.

  3. Select a device and click the pencil icon to configure the gateway settings.

    The Gateway Settings page is displayed.

  4. Complete the node configuration according to the guidelines in Table 275.

Note: The topology displayed for full mesh is only a representation. Maximum of six nodes are displayed in the topology. You can configure any number of nodes.

Table 274: View or Select Devices

Settings

Guidelines

Device selection for Site to Site and Full Mesh Topology

Endpoint

Select either Devices or Extranet devices as endpoints.

Note: To add extranet devices inline, click Add Extranet Devices.

Available

View all devices from the current and child domains, with view parent enabled. Devices from the child domain with view parent disabled are not shown.

You can select a device and add it as an endpoint.

The following filter criteria are applied for the device selection:

  • SRX Series devices mapped to Junos OS Release 12.1X46 and later Junos-es schemas are not shown.

  • Logical systems are not shown.

  • Routing option is not applicable.

Device selection for Hub and Spoke

Hub

Select either Devices or Extranet devices as Hub.

Spoke

Select either Devices or Extranet devices as Spoke.

Table 275: Device Configuration Parameters

Settings

Guidelines

IPv4 Address

Enter the IP address of the network.

Note: This is applicable only when the Routing Topology is OSPF-Dynamic Routing, RIP-Dynamic Routing, or eBGP-Dynamic Routing in case of Site to Site and Hub and Spoke topology.

In Full Mesh VPN topology, it is applicable to OSPF-Dynamic Routing Topology and RIP-Dynamic Routing Topology.

Subnet Mask

Enter the subnet mask.

Note: This is applicable only when the Routing Topology is OSPF-Dynamic Routing, RIP-Dynamic Routing, or eBGP-Dynamic Routing in case of Site to Site and Hub and Spoke topology.

In Full Mesh VPN topology, it is applicable to OSPF-Dynamic Routing Topology and RIP-Dynamic Routing Topology.

External Interface

Select the outgoing interface for IKE security associations (SAs). This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Tunnel Zone

Select the tunnel zone. Tunnel zones are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applied to pre- and post-encapsulated IPsec traffic.

Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.

Metric

Specify the cost for an access route for the next hop.

Note: This is applicable only if the VPN topology is Hub and Spoke or Full Mesh.

Routing instance

Select the required routing instance.

Initiator/Recipient

Select an option:

  • Initiator

  • Recipient

Note: This is applicable when the IKE mode is Aggressive.

External IP address

Enter the external IP address.

Certificate

Select a certificate to authenticate the virtual private network (VPN) initiator and recipient.

This is applicable in one of the following scenarios:

  • The VPN profile with authentication method RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Trusted CA/Group

Select a Trusted CA/Group.

This is applicable in one of the following scenarios:

  • The VPN profile with authentication method RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Export

  • Select the Static Routes check box to export static routes.

    Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN. However, only devices on the hub side can export static default routes to the device side. Devices at the spoke side cannot export static default routes over a tunnel.

    Note: For eBGP Dynamic Routing, by default, the Static Routes check box is selected.

  • Select the RIP Routes check box to export RIP routes.

    Note: You can export RIP routes only when Routing Topology is OSPF Dynamic Routing.

  • Select the OSPF Routes check box to export OSPF routes.

    Note: You can export OSPF routes only when Routing Topology is RIP-Dynamic Routing.

    If you select OSPF or RIP export, the OSPF or RIP networks outside the VPN network are imported into the VPN network through the OSPF or RIP dynamic routing protocol.

OSPF Area

Select an OSPF area ID within the range of 0 to 4,294,967,295, where the tunnel interfaces of this VPN need to be configured.

This is applicable when the Routing Topology is OSPF-Dynamic Routing in Site to Site VPN topology.

Max Retransmission Time

Select the retransmission timer to limit the number of times the RIP demand circuit re-sends update messages to an unresponsive peer. If the configured retransmission threshold is reached, routes from the next-hop router are marked as unreachable and the hold-down timer starts. You must configure a pair of RIP demand circuits for this timer to take effect.

The retransmission range is from 5 through 180 seconds and the default value is 50 seconds.

Note: This is applicable only when Routing Topology is RIP-Dynamic Routing.

AS Number

Select a unique number to assign to the autonomous system (AS). The AS number identifies an autonomous system and enables the system to exchange exterior routing information with other neighboring autonomous systems. The valid range is from 0 through 4294967295.

Note: This is applicable only when Routing Topology is e-BGP Dynamic Routing.

Protected Networks

Configure the addresses or interface type for the selected device to protect one area of the network from the other.

When a dynamic routing protocol is selected, the interface option is displayed.

Note: You can also create inline addresses by clicking Add New Address.

Table 276: View or Edit IKE or IPsec Settings

Settings

Guidelines

IKE Settings

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used.

Mode

Select an IKE policy mode.

  • Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

  • Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

Note: Mode is applicable when the IKE Version is V1.

Encryption-algorithm

Select the appropriate encryption mechanism.

Authentication-algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Diffie-Hellman group

Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Lifetime-seconds

Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Dead Peer Detection

Enable to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD mode:

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times, with a permissible range of 1 to 5.
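The three DPD modes differ in when a gateway decides to probe, which matters when choosing a mode for a tunnel that is idle for long periods. The simulation below is an added example, not Security Director or Junos code: it models the DPD Mode, DPD Interval and DPD Threshold settings second by second on a constructed event list, and assumes (the page does not say) that the peer is declared dead once `threshold` consecutive R-U-THERE messages go unanswered.

```python
from typing import Dict, List, Optional, Tuple

# Added teaching model of the DPD modes described above, not Junos code.
# Constructed events: ("tx", t) = device sent a packet to the peer at second t,
# ("rx", t) = anything arrived from the peer at second t (data, IKE, or an
# R-U-THERE-ACK), which proves the peer is alive.
# Assumption: the peer is declared dead once `threshold` probes go unanswered.

MODES = ("optimized", "probe-idle-tunnel", "always-send")


def simulate_dpd(mode: str, interval: int, threshold: int,
                 events: List[Tuple[str, int]], horizon: int) -> Dict[str, object]:
    """Return the seconds at which R-U-THERE was sent and when (if ever)
    the peer was declared dead."""
    if mode not in MODES:
        raise ValueError(f"unknown DPD mode {mode!r}")
    if not 2 <= interval <= 60:
        raise ValueError("DPD interval must be 2 to 60 seconds")
    if not 1 <= threshold <= 5:
        raise ValueError("DPD threshold must be 1 to 5")
    by_time: Dict[int, List[str]] = {}
    for kind, t in events:
        by_time.setdefault(t, []).append(kind)

    last_rx = last_tx = 0     # tunnel assumed to come up with traffic at t=0
    last_probe = 0
    unanswered = 0
    probes: List[int] = []
    dead_at: Optional[int] = None
    for t in range(1, horizon + 1):
        for kind in by_time.get(t, []):
            if kind == "rx":
                last_rx = t
                unanswered = 0         # any packet from the peer resets the count
            elif kind == "tx":
                last_tx = t
        if t - last_probe < interval:
            continue                   # never probe more often than the interval
        if mode == "always-send":
            send = True                # fixed schedule regardless of traffic
        elif mode == "probe-idle-tunnel":
            send = t - max(last_rx, last_tx) >= interval   # both directions quiet
        else:  # optimized: we sent something and nothing came back in time
            send = last_tx > last_rx and t - last_tx >= interval
        if send:
            probes.append(t)
            last_probe = t
            unanswered += 1
            if unanswered >= threshold:
                dead_at = t
                break
    return {"probes": probes, "dead_at": dead_at}


if __name__ == "__main__":
    # A peer that silently went away: optimized mode only notices once the
    # device tries to send; probe-idle-tunnel notices on its own.
    print(simulate_dpd("optimized", 10, 5, [], 120))
    print(simulate_dpd("optimized", 10, 5, [("tx", 1)], 120))
    print(simulate_dpd("probe-idle-tunnel", 10, 5, [], 120))
```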

Advance Configuration

General IKE ID

Enable this option to accept the peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

IKEv2 Re Authentication

Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0.

Range is 0 to 100.

IKEv2 Re Fragmentation Support

IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKEv2 Re-fragment Size

Select the size of the packet at which messages are fragmented. By default, the size is 576 bytes for IPv4.

Range is 570 to 1320.

IKE ID

Select an option:

  • None

  • Distinguished name

  • Hostname

  • IPv4 address

  • E-mail Address

IKE ID is applicable only when General IKE ID is disabled.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a value. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. Range is from 1 to 300 seconds.

IPSec Settings

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication.

  • AH—The Authentication Header (AH) protocol provides data integrity and data authentication.

Encryption Algorithm

Select the necessary encryption method.

This is applicable if the Protocol is ESP.

Authentication Algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently of the previous key. The higher-numbered groups provide more security but require more processing time.

Lifetime Seconds

Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Lifetime kilobytes

Select the lifetime (in kilobytes) of an IPsec security association (SA). The range is from 64 through 4294967294 kilobytes.

Establish Tunnel

Select an option to specify when IKE is activated.

  • Immediately—IKE is activated immediately after VPN configuration changes are committed.

  • On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

Advance Configuration

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) echo requests to determine whether the VPN is up.

Optimized

Enable the Optimized option. When VPN monitoring optimization is enabled, the SRX Series device only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series device considers the tunnel to be active and does not send pings to the peer.

Anti Replay

By default, Anti-Replay detection is enabled. IPsec protects against replay attacks by using the sequence numbers built into each IPsec packet: the system does not accept a packet whose sequence number it has already seen. With the option enabled, the device checks and enforces the sequence numbers rather than ignoring them. Disable it only if a fault in the IPsec path delivers packets out of order and the check prevents the VPN from functioning.
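The sequence-number check behind the Anti Replay setting is a sliding window. The model below is an added example, not Junos code: it shows how a window accepts moderately reordered packets, drops duplicates, drops packets that have fallen behind the window, and what is lost when the check is disabled. The 64-entry window size and the sample sequence-number stream are constructed assumptions for the example.

```python
from typing import List

# Added educational model of an IPsec anti-replay window in the style of
# RFC 4303 Appendix A; not Junos code. The receiver tracks the highest ESP
# sequence number accepted so far plus a bitmap of which of the `window`
# most recent numbers it has seen. Assumed: the packet's ICV has already been
# verified (a real receiver updates the window only after integrity passes).


class AntiReplayWindow:
    def __init__(self, window: int = 64, enabled: bool = True) -> None:
        if window < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window = window
        self.enabled = enabled
        self.mask = (1 << window) - 1
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        """Return True to accept the packet, False to drop it as a replay or
        as too old; accepted numbers are recorded in the window."""
        if seq == 0:
            return False                 # ESP sequence number 0 is never sent
        if not self.enabled:
            return True                  # Anti Replay disabled: everything passes
        if seq > self.top:               # newer than anything seen: slide right
            shift = seq - self.top
            self.bitmap = 0 if shift >= self.window else (self.bitmap << shift) & self.mask
            self.bitmap |= 1             # mark the new top as seen
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window:
            return False                 # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                 # already seen inside the window: replay
        self.bitmap |= 1 << offset       # late but legitimate (out of order)
        return True


def replay_check(seqs: List[int], window: int = 64, enabled: bool = True) -> List[bool]:
    """Feed a constructed stream of sequence numbers; return accept/drop per packet."""
    w = AntiReplayWindow(window, enabled)
    return [w.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: 5 before 4 is mild reordering and is accepted, the
    # repeated 3 is a replay, and once 70 arrives, 6 and 5 are behind the window.
    stream = [1, 2, 3, 5, 4, 3, 70, 6, 7, 5]
    print(replay_check(stream))
    print(replay_check(stream, enabled=False))   # disabled: the replays get through
```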

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable copying of the Differentiated Services Code Point (DSCP) field from the outer IP header of the encrypted packet to the inner IP header of the plaintext packet on the decryption path. The benefit of enabling this feature is that, after IPsec decryption, cleartext packets can follow the inner CoS rules.