Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Creating IPsec VPNs

 

IPsec VPN provides a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication that passes through the WAN, create an IPsec tunnel.

Security Director supports policy-based and route-based IPsec VPNs on SRX Series devices. Policy-based VPNs are supported only in the site-to-site deployments, where you configure two endpoints. If you have two or more SRX Series devices, then route-based VPNs offer more flexibility and scalability. You can select between site-to-site, full-mesh, and hub-and-spoke for route-based VPNs. To allow data to be securely transferred between a branch office and the corporate office, configure a policy-based or route-based IPsec VPN. For an enterprise-class deployment, configure a hub-and-spoke IPsec VPN.

After the VPN configuration is saved, you can provision this VPN on your security devices. VPN changes are published much like changes to firewall policies and IPS policies. You can publish and deploy a VPN configuration independently without waiting for a firewall, IPS, or NAT policy to get published first.

Before You Begin

  • Read the IPsec VPN Overview topic.

  • Review the IPsec VPN main page for an understanding of your current data set. See IPsec VPN Main Page Fields for field descriptions.

  • Create addresses and address sets.

  • Create VPN profiles.

  • Define extranet devices.



Configuring IPsec VPNs Settings



To configure an IPsec VPN:

  1. Select Configure > IPSec VPN. > IPSec VPNs
  2. Click the plus sign (+) to create a new IPSec VPN.
  3. Complete the configuration according to the guidelines provided in the Table 1 through Table 4.

A new IPsec VPN is created.

Table 1: IPsec VPN Configuration Parameters

Settings

Guidelines

Create VPN Wizard

Use step-by-step procedures to create a new VPN. You can create site-to-site, hub-and-spoke, and full-mesh VPNs in Create VPN Wizard.

General Information

Name

Enter the name for the new VPN. This is a mandatory field.

Description

Enter a description for the new VPN.

Tunnel Mode

Select either route based or policy based for tunnel mode.

Note: SRX Series devices support only tunnel mode.

Use route-based tunnel mode if:

  • Participating gateways are Juniper Networks products. We recommend the route-based option.

  • Either source or destination NAT must occur when traffic traverses the VPN.

  • Dynamic routing protocols must be used for VPN routing.

  • Primary and backup VPNs are required in the setup.

Use policy-based tunnel mode if:

  • The remote VPN gateway is a non-Juniper Networks device.

  • Access to the VPN must be restricted for specific application traffic.

Multi-Proxy ID

Select this check box to enable Multi-Proxy ID (also known as Traffic Selector). Enable this option if unique traffic selectors must be configured for every local or remote pair of networks.

Type

Select a topology deployment for an IPsec VPN.

  • Site to Site—Select if a tunnel must be set up between two sites.

    Note: Site to Site VPN does not support Qualified Next Hop configuration in Security Director.

  • Full-Mesh—Select if there are two or more participating gateways and a separate tunnel must be set up with every other device in the group.

  • Hub and Spoke—Select if VPN must be set up from multiple remote sites through a centralized (main office or head office) hub gateway.

VPN Profile

Select a VPN profile from the drop-down list based on the deployment scenario.

Note: If you choose to create a full-mesh VPN, you can choose only MainModeProfile as the VPN profile

Preshared Key

Establish a VPN connection using preshared keys, which is essentially a password that is the same for both parties. Preshared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations.

Select the type of preshared key you want to use.

  • Auto-generate—When selected, the Generate Unique key per tunnel check box is automatically selected. If you clear the Generate Unique key per tunnel check box, Security Director generates a single key for all tunnels.

  • Manual—Enter the manual key in the Manual Key field. By default, the manual key is masked. To unmask the manual key, select the unmask check box.

Table 2: Endpoint Configuration Parameters

Settings

Guidelines

Endpoint

Select either Devices or Extranet devices as endpoints.

Available

View all devices from the current and child domains, with view parent enabled. Devices from the child domain with view parent disabled are not shown.

You can select a device and add it as an endpoint.

The following filter criteria are applied for the device selection:

  • SRX Series devices mapped to Junos OS Release 12.1X46 and later Junos-es schemas are not shown.

  • Logical systems are not shown.

  • Routing option is not applicable.

Selected

View devices added as endpoints listed in this column.

Table 3: VPN Tunnel and Route Setting Parameters

Settings

Guidelines

Tunnel Settings

Interface Type

Select the interface type in which to direct traffic•

  • Unnumbered—These tunnel interfaces do not have any IP addresses assigned to them.

  • Numbered—These tunnel interfaces have IP addresses assigned to them.

    • Network IP—Enter the IP address of the numbered interface. This is the subnet address from where the IP address is automatically assigned for tunnel interfaces.

    • Subnet Mask–Enter the subnet mask.

Number of Spoke devices per tunnel interface

Select either:

  • All—Assign all spoke devices to a single tunnel interface.

  • Specify Value—Specify the number of spoke devices to assign per tunnel interface.

Max Transmission Unit

Select the maximum transmission unit (MTU) in bytes. You can specify the MTU value for the tunnel endpoint. The default value is 9192 for SRX Series tunnel devices.

Route Settings

Routing Options

Select one of the following options:

  • Static—Generates static routing based on the protected networks or zones per device.

    • Spoke to Spoke communication—Select the Allow box to enable spoke-to-spoke communication with static routes. You can enable this option only for a hub-and-spoke VPN with static routing when you create or modify the VPN. By default, this option is not selected and you can select or clear this option during the modify workflow.

  • OSPF—Generates OSPF configuration.

    • Export—Select the Static routes box to export static routes.

      Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN. However, only devices on the hub side can export static default routes to the device side. Devices at the spoke side cannot export static default routes over a tunnel.

      Select the RIP routes box to export RIP routes. You can export RIP routes only for OSPF routing.

    • Area ID—Specify an area ID within the range of 0 to 4,294,967,295, which is where the tunnel interfaces of this VPN need to be configured.

  • RIP—Generates RIP configuration.

    • Export—Select the Static routes box to export static routes.

      Select the OSPF routes box to export OSPF routes. If you select OSPF or RIP export, the OSPF or RIP network outside the VPN network are imported into a VPN network through OSPF or RIP routing protocols.

    • Max Retransmission Time—Configure the retransmission timer to limit the number of times the RIP demand circuit resends update messages to an unresponsive peer. If the configured retransmission threshold is reached, routes from the next-hop router are marked as unreachable and the hold-down timer starts. You must configure a pair of RIP demand circuits for this timer to take effect.

      The retransmission range is from 5 through 180 seconds and the default value is 50 seconds.

  • None—No routing configuration is generated.

Spoke-to-Spoke Communication

Select this option to enable spoke-to-spoke communication.

Global Settings

External Interface

Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Tunnel Zone

Configure the tunnel zone. They are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPSec traffic.

Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.

Protected Network Zone/Networks/Interfaces

Configure the security zone type to protect one area of the network from the other.

Table 4: Endpoint Settings Parameters

Settings

Guidelines

External Interface

Select the external interface for the selected device.

Tunnel Zone

Configure the tunnel zone for the selected device. They are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPSec traffic.

Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.

Protected Network Zone/Networks/Interfaces

Configure the security zone type for the selected device to protect one area of the network from the other.

Routing Instance

Select the type of routing instance.

IKE Local Address

Specify the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer.