Importing IPsec VPNs
Junos Space Security Director lets you import your existing
large and complex VPN configurations into Security Director, so you do
not have to recreate the same VPN environment for Security Director
to manage it. During the VPN import, all VPN-related objects are
imported along with the VPN.
Security Director supports importing the following VPN configurations:
- Site-to-site, hub-and-spoke, and full-mesh topologies
- Preshared key-based VPNs
- Certificate-based VPNs, except AutoVPN
- Route-based and policy-based VPNs
- OSPF
- RIP
- Single proxy ID
- Traffic selectors
- Static route configurations that identify the protected
network objects
- Static route configurations with spoke-to-spoke communication
enabled
- Numbered and unnumbered tunnel interface types
- Route-metric configuration
- Static route configuration from a virtual router
Procedure
- Select IPSec VPN > IPSec VPNs.
The existing VPNs are listed on the right pane.
- Select Import VPN from the More menu.
The Import VPN page appears.
- Click Next.
The Select Devices page appears. You can select one or more
devices from which the VPN configuration is to be imported. The filter
option lets you perform a free-text search on the device name,
IP address, and device platform.
- Select the security device to import its VPN settings.
Click Next.
A progress bar appears showing the analysis of the device configurations.
- After analyzing the VPN configuration, Security Director
parses the configuration and correlates the endpoints. If conflicting
configurations are found during endpoint correlation, you can either
ignore the conflicts, continue the import, and have the details logged
as a job, or cancel the operation. Click Yes to ignore the conflicts
and import the remaining configuration, or No to abort the import and
go back to selecting devices.
A conflict occurs when the combination of IKE and IPsec parameters
is the same between the endpoints. The following points list, for each
VPN configuration type, the parameter combinations that cause a conflict:
- Preshared key and Main Mode
  - Preshared key
  - Local IKE ID of local endpoint and remote IKE ID of remote endpoint
  - Remote IKE ID of local endpoint and local IKE ID of remote endpoint
- Preshared key and Aggressive Mode
  - Preshared key
  - Local IKE ID of local endpoint and remote IKE ID of remote endpoint
    OR
  - Remote IKE ID of local endpoint and local IKE ID of remote endpoint
- Certificate, Main Mode, and DN type IKE ID
  - Remote IKE ID of local endpoint and DN of the certificate of remote endpoint
  - DN of the certificate of the local endpoint and remote IKE ID of remote endpoint
- Certificate, Main Mode, and other IKE ID type
  - Local IKE ID of the local endpoint and remote IKE ID of the remote endpoint
  - Remote IKE ID of local endpoint and local IKE ID of remote endpoint
- Certificate, Aggressive Mode, and DN type IKE ID
  - Remote IKE ID of local endpoint and DN of the certificate of remote endpoint
  - DN of the certificate of the local endpoint and remote IKE ID of remote endpoint
- Certificate, Aggressive Mode, and other IKE ID type
  - Local IKE ID of local endpoint and remote IKE ID of remote endpoint
    OR
  - Remote IKE ID of local endpoint and local IKE ID of remote endpoint
If there are no conflicts, you can directly proceed to Step 6.
- The Select EndPoints page appears, showing the VPN settings.
All the imported VPNs have autogenerated names, which you can
modify: click the VPN name and enter the new name.
A predefined quick filter is available to list all the errors
and warnings; click the drop-down list to select the required filter
parameter.
The Select EndPoints page lists the VPNs discovered from the
configuration and lets you explore the devices or endpoints
of each discovered VPN. You can also perform a free-text
search on the VPN name, device name, and endpoint names.
Table 1 shows the description of each column.
Table 178: Settings Guidelines
Column Name | Description
---|---
VPNs & Local Endpoints | Lists all the discovered VPNs and their associated devices and endpoints in a tree structure.
Remote Endpoints | Shows matching endpoint details.
Warning | Displays any information, error, and warning messages detected during the import.
- The Summary page appears. All the VPNs listed on this
page are saved in the Security Director database for further management.
Click Finish. A progress bar shows the progress of the import.
Once the import succeeds, you can manage the VPNs from the VPN
landing page.
- The final summary page appears showing the number of VPNs,
devices, and endpoints imported. To view the complete job details,
click full log details. The Job Details page appears.
- Click Close. All the imported VPN configurations
appear on the VPN landing page.
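As an added illustration of the conflict rules listed in step 5 (this is not Security Director's own code), the following Python script checks pairs of discovered endpoint configurations against the per-type parameter combinations given there. The Endpoint model, its field names, and the assumption that only endpoints sharing the same authentication method, IKE mode, and IKE ID type are compared with each other are mine; the sample endpoints are constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass
class Endpoint:
    """One discovered VPN endpoint (hypothetical model, not Security Director's)."""
    name: str
    auth: str                      # "psk" or "cert"
    mode: str                      # "main" or "aggressive"
    local_ike_id: str
    remote_ike_id: str
    psk: Optional[str] = None      # preshared key (psk auth only)
    cert_dn: Optional[str] = None  # subject DN of the endpoint certificate (cert auth only)
    ike_id_type: str = "other"     # "dn" or "other" (cert auth only)

def conflicts(a: Endpoint, b: Endpoint) -> bool:
    """True when a and b collide under the per-type parameter rules of step 5.
    Assumption: only endpoints with the same auth, mode and IKE ID type are compared."""
    if (a.auth, a.mode, a.ike_id_type) != (b.auth, b.mode, b.ike_id_type):
        return False
    fwd = a.local_ike_id == b.remote_ike_id   # local ID of a equals remote ID of b
    rev = a.remote_ike_id == b.local_ike_id   # remote ID of a equals local ID of b
    if a.auth == "psk":
        if a.psk != b.psk:                    # differing preshared keys never conflict
            return False
        # Main Mode needs both ID relations; Aggressive Mode needs either one.
        return (fwd and rev) if a.mode == "main" else (fwd or rev)
    if a.ike_id_type == "dn":                 # certificate with DN-type IKE ID
        return a.remote_ike_id == b.cert_dn and a.cert_dn == b.remote_ike_id
    return (fwd and rev) if a.mode == "main" else (fwd or rev)

def find_conflicts(endpoints):
    """Return the name pairs of every conflicting endpoint combination."""
    return [(a.name, b.name) for a, b in combinations(endpoints, 2) if conflicts(a, b)]

# Constructed sample: three PSK/Main endpoints, a cert/Aggressive pair, a cert/Main DN pair.
SAMPLE_ENDPOINTS = [
    Endpoint("hub-spoke1", "psk", "main", "hub.example.net", "spoke1.example.net", psk="k1"),
    Endpoint("spoke1-hub", "psk", "main", "spoke1.example.net", "hub.example.net", psk="k1"),
    Endpoint("spoke2-hub", "psk", "main", "spoke2.example.net", "hub.example.net", psk="k2"),
    Endpoint("branch-a", "cert", "aggressive", "a.example.net", "b.example.net", cert_dn="CN=a"),
    Endpoint("branch-b", "cert", "aggressive", "c.example.net", "a.example.net", cert_dn="CN=b"),
    Endpoint("dc-east", "cert", "main", "CN=dc-east", "CN=dc-west", cert_dn="CN=dc-east", ike_id_type="dn"),
    Endpoint("dc-west", "cert", "main", "CN=dc-west", "CN=dc-east", cert_dn="CN=dc-west", ike_id_type="dn"),
]

if __name__ == "__main__":
    for left, right in find_conflicts(SAMPLE_ENDPOINTS):
        print(f"conflict: {left} <-> {right}")
```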
Note: At any point of the import workflow, you can choose to
exit. All your settings and progress are discarded.
Note:
- The schema version of the device must be mapped to the
Junos version to import all the VPN settings.
- You must republish the imported VPNs before modifying
them further.
- A VPN imported from devices that have no IKE IDs configured is
not available for any modifications until you modify its VPN settings.
Modifying such an imported VPN generates the local or remote IKE IDs.
- Single-ProxyID, Multi-ProxyID, and the preshared key settings
are imported at the tunnel level.
- By default, for the imported VPNs, the preshared key type
is shown as Auto-generate. However, a new key is not generated for
the already imported tunnels. If a new device is added to the VPN,
only for that device, a new key is autogenerated.