Creating VPN Profiles
Use the VPN Profiles page to configure VPN profiles that define the
security parameters used when establishing a VPN connection. You can
reuse the same profile for multiple VPN tunnels. A VPN profile includes
the VPN proposals, VPN mode, authentication method, and other parameters
used in IPsec VPN. When a VPN profile is created, Junos Space creates an
object in the Security Director database to represent the VPN profile.
You can use this object to create either route-based or policy-based
IPsec VPNs.
Note: You cannot modify or delete Juniper Networks defined VPN
profiles. You can only clone them and create new profiles.
A VPN profile also holds the settings for the two Internet Key Exchange
(IKE) negotiation phases, Phase 1 and Phase 2. SRX Series devices
support the following authentication methods in IKE negotiations for
IPsec VPN:
- Preshared key
- ECDSA certificate
- RSA certificate
- DSA certificate
The predefined VPN profile uses RSA certificate-based authentication.
The PKI certificate list is retrieved from the device automatically
during device discovery.
Configuring VPN Profiles Settings
Procedure
To configure a VPN profile:
- Select Configure > IPsec VPN > Profiles.
- Click the plus sign (+) to create a new VPN profile.
- Complete the configuration according to the guidelines
provided in Table 178 and Table 179.
A new VPN profile with the predefined VPN configuration is created.
You can use this object to create IPsec VPNs.
Table 178: VPN Profiles Settings – Phase 1 IKE Negotiation Configuration
Setting | Guideline |
---|---|
Name | Enter a unique string of alphanumeric characters, colons,
periods, dashes, and underscores; no spaces allowed; 255-character
maximum. |
Description | Enter a description for the VPN profile; maximum length
is 1024 characters. |
Phase 1 |
Authentication Type | Select the required authentication type: - Preshared key
- RSA signature
- DSA signature
- ECDSA signature (256)
- ECDSA signature (384)
|
Mode | Select a VPN mode: - Main—The most common and secure way to establish
a site-to-site VPN. The IKE identities are exchanged encrypted and
cannot be determined by eavesdroppers.
- Aggressive—An alternative to main mode that completes Phase 1 in
fewer messages. It is the most common mode when building VPNs from
client workstations to VPN gateways, where the IP address of the client
is neither known in advance nor fixed. The IKE identities are sent in
the clear, and with preshared-key authentication the authentication
hash is exposed to offline guessing; use main mode wherever the peer
supports it.
|
General IKE ID | Enable this option to accept any peer IKE ID rather than
one specific configured identity. This option is disabled by default. If
General IKE ID is enabled, the IKE ID option is disabled automatically. Note:
- This option is not available in Aggressive VPN mode.
- You cannot use a VPN profile with the General IKE ID option
enabled for Auto VPN and ADVPN.
|
IKE ID | Configure the following Internet Key Exchange (IKE) identifiers,
as needed: - Hostname—The hostname or fully qualified domain
name is essentially a string that identifies the end system.
- User@hostname—A simple string that follows the same
format as an e-mail address.
- User—Enter the e-mail address of the user. We recommend
that you use the valid e-mail address of the user for ease of management.
- IPAddress—This is the most common form of IKE identity
for site-to-site VPNs. This can be either an IPv4 or IPv6 address.
This option is available only if the VPN mode is Aggressive and the
authentication type is Preshared Key.
- DN—The distinguished name used in certificates to
identify a unique user in a certificate. This option is available
only for RSA, DSA, and ECDSA signature authentication types.
Note:
- For the Preshared Key authentication type:
- If you have enabled the General IKE ID option, the IKE
ID option is automatically set to None and you cannot edit it.
- When modifying an IPsec VPN, you cannot edit the IKE ID
column in the View/Edit Tunnel page if you have chosen a VPN profile
with the General IKE ID option enabled.
- For the certificate-based authentication types:
- You can edit the IKE ID option even if you have enabled
the General IKE ID option, because the local-identity CLI statement
is used for certificate authentication.
- When modifying an IPsec VPN, you can edit the IKE ID column
in the View/Edit Tunnel page even if you have chosen a VPN profile with
the General IKE ID option enabled.
|
IKE Version | Select the required IKE version, either V1 or V2, that
is used to negotiate dynamic security associations (SAs) for IPsec.
By default, IKEv1 is used. |
Proposals | Select the type of proposal as either Predefined or Custom.
For the Custom proposal, click the plus sign (+) to create a new proposal. - Name—Enter the name of the proposal.
- DH Group—A Diffie-Hellman (DH) exchange allows the
participants to produce a shared secret value. Select the appropriate
DH group:
- Group1
- Group2
- Group5
- Group14
- Group19
- Group20
- Group24
- Authentication–Select an algorithm. The device uses
these algorithms to verify the authenticity and integrity of a packet.
- Encryption—Select the appropriate encryption mechanism:
- 3DES
- AES(128)
- AES(192)
- AES(256)
- Lifetime—Select a lifetime of an IKE security association
(SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds.
Note:
For the RSA-signature and DSA-signature authentication
types, you can only use the custom proposals. |
Predefined Proposal Sets | If you have opted for the predefined proposal, specify
a set of default IKE proposals: - Basic
- Proposal 1—Preshared key, Data Encryption Standard
(DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash
Algorithm 1 (SHA-1) authentication.
- Proposal 2—Preshared key, DES encryption, and DH
group 1 and Message Digest 5 (MD5) authentication.
- Standard
- Proposal 1—Preshared key, triple DES (3DES) encryption,
and DH group 2 and SHA-1 authentication.
- Proposal 2—Preshared key, 3DES encryption, and DH
group 2 and MD5 authentication.
- Proposal 3—Preshared key, DES encryption, and DH
group 2 and SHA-1 authentication.
- Proposal 4—Preshared key, DES encryption, and DH
group 2 and MD5 authentication.
- Compatible
- Proposal 1—Preshared key, 3DES encryption, and
DH group 2 and SHA-1 authentication.
- Proposal 2—Preshared key, Advanced Encryption Standard
(AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.
Note: All three predefined sets rely on DES or 3DES, MD5 or SHA-1, and
DH group 1 or 2, none of which is considered adequate today. Use them
only for interoperability with a peer that cannot do better; otherwise
define a custom proposal with AES, SHA-256 or stronger, and DH group 14
or higher.
|
Advanced Settings |
NAT Traversal | NAT traversal (NAT-T) is negotiated during IKE Phase 1 and
encapsulates ESP in UDP (port 4500) so that IPsec traffic can pass through
a NAT device that sits in front of one of the two VPN gateways (here, the
SRX Series device). By default, NAT-T is enabled on SRX Series devices. You must
explicitly clear the Enable check box to turn it off on a gateway-by-gateway
basis. - Keepalive Interval (secs)—Select the keepalive interval in seconds.
If the VPN is expected to have long periods of inactivity, these keepalives
generate artificial traffic so that the NAT device keeps its translation
for the session alive. Range: 1 through 300 seconds. |
DPD | Select the check box to permit the two gateways to determine
if the peer gateway is up and responding to the DPD messages that
are negotiated during IPsec establishment. - Always Send DPD—Enable this option to send dead
peer detection requests regardless of whether there is outgoing IPsec
traffic to the peer.
- DPD Interval (secs)—Select an interval in seconds
to send dead peer detection messages. The default interval is 10 seconds,
with a permissible range of 10 to 60 seconds.
- DPD Threshold—Select a number from 1 to 5 to set
the DPD failure threshold: the maximum number of unanswered DPD
messages sent before the peer is declared dead. Default: 5.
|
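The constraints and algorithm choices in Table 178 lend themselves to an automated check before a profile is pushed to devices. The following is an added example written for this page, not Junos Space or Security Director code: the Phase1Profile and Proposal records, the rule functions and the weak-algorithm sets are illustration-only assumptions that encode what the table states; the three predefined proposal sets are reproduced from the table.

```python
"""Rule checker for the Phase 1 side of a VPN profile (Table 178).

Added example, not Junos Space code: the records and rule functions below
are assumptions made for illustration that encode the table's constraints.
"""
from dataclasses import dataclass, field
from typing import Optional

# Choices the table offers that a current security review would flag.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTHENTICATION = {"MD5", "SHA-1"}
WEAK_DH_GROUPS = {"Group1", "Group2", "Group5"}   # 768/1024/1536-bit MODP
SIGNATURE_AUTH = {"RSA signature", "DSA signature",
                  "ECDSA signature (256)", "ECDSA signature (384)"}


@dataclass
class Proposal:
    name: str
    dh_group: str
    authentication: str
    encryption: str
    lifetime: int = 3600            # seconds; the table's default


@dataclass
class Phase1Profile:
    name: str
    auth_type: str                  # "Preshared key" or one of SIGNATURE_AUTH
    mode: str                       # "Main" or "Aggressive"
    ike_version: str = "V1"         # the table's default
    general_ikeid: bool = False
    ike_id: Optional[str] = None    # Hostname, User@hostname, User, IPAddress, DN
    proposal_type: str = "Custom"   # or "Predefined"
    proposals: list = field(default_factory=list)


# The three predefined Phase 1 sets exactly as Table 178 lists them.
PREDEFINED_SETS = {
    "Basic": [Proposal("basic-1", "Group1", "SHA-1", "DES"),
              Proposal("basic-2", "Group1", "MD5", "DES")],
    "Standard": [Proposal("std-1", "Group2", "SHA-1", "3DES"),
                 Proposal("std-2", "Group2", "MD5", "3DES"),
                 Proposal("std-3", "Group2", "SHA-1", "DES"),
                 Proposal("std-4", "Group2", "MD5", "DES")],
    "Compatible": [Proposal("compat-1", "Group2", "SHA-1", "3DES"),
                   Proposal("compat-2", "Group2", "SHA-1", "AES(128)")],
}


def validate(p: Phase1Profile) -> list:
    """Return the table's hard constraints that the profile violates."""
    errors = []
    cert_auth = p.auth_type in SIGNATURE_AUTH
    if p.general_ikeid and p.mode == "Aggressive":
        errors.append("General IKE ID is not available in Aggressive mode")
    if p.general_ikeid and not cert_auth and p.ike_id is not None:
        errors.append("With General IKE ID and a preshared key, IKE ID is forced to None")
    if p.ike_id == "IPAddress" and not (p.mode == "Aggressive" and not cert_auth):
        errors.append("IPAddress IKE ID needs Aggressive mode with Preshared key")
    if p.ike_id == "DN" and not cert_auth:
        errors.append("DN IKE ID needs a signature authentication type")
    if p.auth_type in ("RSA signature", "DSA signature") and p.proposal_type != "Custom":
        errors.append("RSA/DSA signature authentication allows only custom proposals")
    for prop in p.proposals:
        if not 180 <= prop.lifetime <= 86400:
            errors.append(f"{prop.name}: lifetime {prop.lifetime}s outside 180..86400")
    return errors


def weaknesses(p: Phase1Profile) -> list:
    """Return accepted-but-weak choices a security review would flag."""
    warns = []
    if p.mode == "Aggressive" and p.auth_type == "Preshared key":
        warns.append("Aggressive mode sends IKE identities in the clear and exposes "
                     "a PSK-derived hash to offline guessing")
    for prop in p.proposals:
        if prop.encryption in WEAK_ENCRYPTION:
            warns.append(f"{prop.name}: {prop.encryption} encryption")
        if prop.authentication in WEAK_AUTHENTICATION:
            warns.append(f"{prop.name}: {prop.authentication} integrity")
        if prop.dh_group in WEAK_DH_GROUPS:
            warns.append(f"{prop.name}: {prop.dh_group} key exchange")
    return warns


def audit_predefined() -> dict:
    """Count weak-algorithm findings per predefined set from the table."""
    return {name: len(weaknesses(Phase1Profile(name, "Preshared key", "Main",
                                               proposal_type="Predefined",
                                               proposals=props)))
            for name, props in PREDEFINED_SETS.items()}


if __name__ == "__main__":
    strong = Phase1Profile("site-a", "ECDSA signature (256)", "Main", ike_version="V2",
                           ike_id="DN",
                           proposals=[Proposal("p1", "Group19", "SHA-256", "AES(256)")])
    print(validate(strong), weaknesses(strong))   # [] []
    print(audit_predefined())                     # {'Basic': 6, 'Standard': 12, 'Compatible': 5}
```

Every proposal in the Basic, Standard and Compatible sets trips at least two of the three weak-algorithm rules, which is the concrete reason to prefer a custom proposal; the `validate` rules are the same ones the page expresses as notes on the General IKE ID, IKE ID and Proposals rows.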
Table 179: VPN Profiles Settings – Phase 2 IKE Negotiation Configuration
Setting | Guideline |
---|---|
Proposal | Select the type of proposal as either Predefined or Custom.
For the Custom proposal, click the plus sign (+) to create a new proposal. - Name—Enter the name of the custom proposal.
- Authentication—Select an algorithm. The device uses
these algorithms to verify the authenticity and integrity of a packet.
- MD5
- SHA-1
- SHA-256(96)
- SHA-256(128)
- Protocol—Select the IPsec protocol used to establish
the VPN (ESP or AH).
- Encryption—Select the encryption method:
- DES
- 3DES
- AES(128)
- AES(192)
- AES(256)
- AES-GCM(128)
- AES-GCM(192)
- AES-GCM(256)
The AES-GCM modes are authenticated encryption and provide integrity
themselves; no separate authentication algorithm applies to them.
- Lifetime—Select the lifetime of the IPsec security association
(SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds.
- Life Size—The lifetime of the SA expressed in kilobytes
of traffic; the SA is rekeyed when either the time or the size limit
is reached, whichever comes first.
|
Predefined Proposal Sets | Select the appropriate predefined proposal set: - Basic
- Standard
- Compatible
- SuiteB-GCM-128
- ESP—Advanced Encryption Standard (AES) encryption
with 128-bit keys and 16-octet integrity check value (ICV) in Galois
Counter Mode (GCM).
- IKE—AES encryption with 128-bit keys in cipher block
chaining (CBC) mode, integrity using SHA-256 authentication, and key
establishment using Diffie-Hellman (DH) group 19 and authentication
using Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit elliptic
curve signatures.
- SuiteB-GCM-256
- ESP—AES encryption with 256-bit keys and 16-octet
ICV in GCM for ESP.
- IKE—AES encryption with 256-bit keys in CBC mode,
integrity using SHA-384 authentication, and key establishment using
DH group 20 and authentication using ECDSA 384-bit elliptic curve
signatures.
|
Perfect Forward Secrecy | Specify the Diffie-Hellman group that the device
uses for Perfect Forward Secrecy (PFS). With PFS, a fresh DH exchange is run
for each Phase 2 SA, so each new encryption key is derived independently of
the Phase 1 keys and of previous Phase 2 keys; compromise of one key does not
expose traffic protected by the others. The higher numbered groups provide
more security but require more processing time. The available options are: - Group1
- Group2
- Group5
- Group14
- Group19
- Group20
- Group24
|
Advanced Settings |
Establish tunnel immediately | Enable this option to bring the IPsec tunnel
up as soon as the VPN configuration or a configuration change is committed,
rather than waiting for the first matching traffic to trigger IKE. |
VPN Monitor | Enable this option to send Internet Control Message Protocol
(ICMP) echo requests through the tunnel to determine whether the VPN is up. - VPN Optimized—Select
this option to send the ICMP probes only while there is no user traffic
through the tunnel, so the monitor adds no load while the tunnel is
demonstrably carrying traffic.
|
DF bit | Specify how the Don't Fragment (DF) bit of the inner IP packet
is handled in the outer IPsec header. Select one of the following options: - None—No action.
- Clear—Clear (disable) the DF bit in the outer header, so the
encapsulated packet can be fragmented. This is the default.
- Copy—Copy the DF bit from the inner packet to the outer header.
- Set—Set (enable) the DF bit in the outer header.
|
Idle time (secs) | Select the appropriate idle time interval from the selector.
The sessions and their corresponding translations typically time out
after a certain period of time if no traffic is received. |
Install Time | Specify the maximum number of seconds to allow for the
installation of a rekeyed outbound security association (SA) on the
device. Select a value from 1 to 10. |
Anti Replay | By default, anti-replay detection is enabled. IPsec protects
against replay attacks with the sequence number carried in every IPsec
packet: the receiver tracks a window of recent sequence numbers and
rejects a packet whose sequence number it has already seen, rather than
just ignoring the sequence numbers. Disable it only if a problem in the
IPsec path (for example, packets reordered by more than the replay window)
causes legitimate traffic to be dropped, and treat that as a temporary
workaround, since disabling it removes the replay protection. |
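What the Anti Replay check enforces, and why out-of-order packets that stay within the window are still accepted, is easiest to see in code. The following is an added example, not Junos code: a small model of the sliding replay window described in RFC 4303, with the 64-packet window size and the sample sequence numbers assumed for illustration.

```python
"""Model of the IPsec anti-replay check: a sliding window over ESP sequence
numbers, as described in RFC 4303 (added example, not Junos code)."""


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the `size`
    most recent numbers. Bit i of the bitmap set means sequence number
    (top - i) has already been accepted."""

    def __init__(self, size: int = 64):   # 64 is the RFC 4303 default window
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                  # ESP sequence numbers start at 1
        if seq > self.top:
            # Newer than anything seen: slide the window forward. Numbers that
            # fall off the bottom are no longer tracked and can never be
            # accepted again, because they are now "too old".
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                  # below the window: too old, drop
        if self.bitmap & (1 << offset):
            return False                  # already seen: replay, drop
        self.bitmap |= 1 << offset        # late but new: accept
        return True


def filter_sequence(seqs, window: int = 64, anti_replay: bool = True):
    """Run ESP sequence numbers through one SA's receiver and return
    (seq, accepted) pairs. With anti_replay=False everything is accepted,
    which is what clearing the Anti Replay check box buys you."""
    if not anti_replay:
        return [(s, True) for s in seqs]
    w = ReplayWindow(window)
    return [(s, w.accept(s)) for s in seqs]


# Constructed sample: in order, a gap, a late arrival, a replay, a big jump,
# a packet that is now too old, and another late-but-new packet.
SAMPLE = [1, 2, 3, 5, 4, 4, 70, 3, 69]

if __name__ == "__main__":
    for seq, ok in filter_sequence(SAMPLE):
        print(f"seq {seq:3d}: {'accept' if ok else 'DROP'}")
```

Packet 4 arriving after 5 is accepted because it is new and within the window, so ordinary reordering does not need the check disabled; only the repeated 4 and the packet 3 that arrives after the window has moved past it are dropped.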