Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Overview of VPNEP


This Extended Package (EP) describes security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The EP is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats to VPN Gateway technology. However, this EP is not complete in itself, but rather extends the collaborative Protection Profile for Network Devices (NDcPPv2) and the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP). This introduction will describe the features of a compliant Target of Evaluation (TOE), and will also discuss how this EP is to be used in conjunction with the NDcPPv2 and/or FWcPP

Configuring IPsec VPN Extended Package (EP)

In this section, you configure devices running Junos OS for IPsec VPN using a preshared key as the IKE authentication method.

To configure the IPsec VPN with preshared key IKE authentication on the initiator:

  1. Configure the IPsec rule on R0.
  2. Configure Routing options on R0.
  3. Configure Interfaces on R0.
  4. Configure Interfaces on R1.
  5. Configure the IPsec rule on R2.
  6. Configure Routing options on R2.
  7. Configure interfaces on R2.

Sample output for IPsec VPN:

security-administrator@host:fips>show services ipsec-vpn ike security-associations
security-administrator@host:fips>show services ipsec-vpn ipsec security-associations

Supported encryption algorithms for IPsec:

Supported encryption algorithms for IKE:

IKE DH groups supported:

IPsec authentication algorithm:

IKE authentication algorithms:

Supported authentication methods:


For more information on IKE/IPsec lifetime, see

IPsec VPN Configuration with Reference Identifier

MX devices support the following reference identifiers for IPsec VPN configuration:

  • IP address

  • FQDN

  • Distinguished Name

Sample IPsec VPN Configuration with IPv4 Address as Reference Identifier



Sample IPsec VPN Configuration with FQDN as Reference Identifier



Sample Configuration for Distinguished Name as Reference Identifier



Generating Certificate Signing Request (CSR)

Sample commands for generating key-pair and CSR:

Configuring Firewall Rules

MX devices allow configuring firewall filter to allow or reject specific traffic.

The following procedures explain how to configure IPSec VPN and firewall rules:

  1. Configure IPsec VPN between R0-R1.



  2. Configure firewall rule.

    Enable firewall filter to allow traffic from specific source and destination addresses and reject all other traffic. For example, the first rule term 1 allows traffic from source-address to communicate with only address. The second rule rejects all other traffic.


    The firewall rules are processed in the order they are configured.

  3. Apply input firewall filter on R0 router MS-MPC interface.
  4. Send traffic from H1 to H0 and monitor firewall logs based on accept or reject rule.

    Accepted traffic logs on R0:

    Rejected traffic logs on R0: