Creating IPsec VPNs

IPsec VPN provides a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication that passes through the WAN, create an IPsec tunnel.

Security Director supports policy-based and route-based IPsec VPNs on SRX Series devices. Policy-based VPNs are supported only in the site-to-site deployments, where you configure two endpoints. If you have two or more SRX Series devices, then route-based VPNs offer more flexibility and scalability. You can select between site-to-site, full-mesh, and hub-and-spoke for route-based VPNs. To allow data to be securely transferred between a branch office and the corporate office, configure a policy-based or route-based IPsec VPN. For an enterprise-class deployment, configure a hub-and-spoke IPsec VPN.

After the VPN configuration is saved, you can provision this VPN on your security devices. VPN changes are published much like changes to firewall policies and IPS policies. You can publish and deploy a VPN configuration independently without waiting for a firewall, IPS, or NAT policy to get published first.

Before You Begin

Read the IPsec VPN Overview topic.
Review the IPsec VPN main page for an understanding of your current data set. See IPsec VPN Main Page Fields for field descriptions.
Create addresses and address sets.
Create VPN profiles.
Define extranet devices.

Procedure

To configure an IPsec VPN:

Select Configure > IPSec VPN > IPSec VPNs
Click the plus sign (+) to create a new IPSec VPN.
Complete the configuration according to the guidelines provided in the Table 248 through Table 251.

A new IPsec VPN is created.

Table 248: IPsec VPN Configuration Parameters

Settings	Guidelines
Create VPN Wizard	Use step-by-step procedures to create a new VPN. You can create site-to-site, hub-and-spoke, and full-mesh VPNs in Create VPN Wizard.
General Information
Name	Enter the name for the new VPN. This is a mandatory field.
Description	Enter a description for the new VPN.
Tunnel Mode	Select either route based or policy based for tunnel mode. Note: SRX Series devices support only tunnel mode. Use route-based tunnel mode if: Participating gateways are Juniper Networks products. We recommend the route-based option. Either source or destination NAT must occur when traffic traverses the VPN. Dynamic routing protocols must be used for VPN routing. Primary and backup VPNs are required in the setup. Use policy-based tunnel mode if: The remote VPN gateway is a non-Juniper Networks device. Access to the VPN must be restricted for specific application traffic.
Multi-Proxy ID	Select this check box to enable Multi-Proxy ID (also known as Traffic Selector). Enable this option if unique traffic selectors must be configured for every local or remote pair of networks.
Type	Select a topology deployment for an IPsec VPN. Site to Site—Select if a tunnel must be set up between two sites. Full-Mesh—Select if there are two or more participating gateways and a separate tunnel must be set up with every other device in the group. Hub and Spoke—Select if VPN must be set up from multiple remote sites through a centralized (main office or head office) hub gateway.
VPN Profile	Select a VPN profile from the drop-down list based on the deployment scenario. Note: If you choose to create a full-mesh VPN, you can choose only MainModeProfile as the VPN profile
Preshared Key	Establish a VPN connection using preshared keys, which is essentially a password that is the same for both parties. Preshared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations. Select the type of preshared key you want to use. Auto-generate—When selected, the Generate Unique key per tunnel check box is automatically selected. If you clear the Generate Unique key per tunnel check box, Security Director generates a single key for all tunnels. Manual—Enter the manual key in the Manual Key field. By default, the manual key is masked. To unmask the manual key, select the unmask check box.

Table 249: Endpoint Configuration Parameters

Settings	Guidelines
Endpoint	Select either Devices or Extranet devices as endpoints.
Available	View all devices from the current and child domains, with view parent enabled. Devices from the child domain with view parent disabled are not shown. You can select a device and add it as an endpoint. The following filter criteria are applied for the device selection: SRX Series devices mapped to Junos OS Release 12.1X46 and later Junos-es schemas are not shown. Logical systems are not shown. Routing option is not applicable.
Selected	View devices added as endpoints listed in this column.

Settings

Guidelines

Endpoint

Select either Devices or Extranet devices as endpoints.

Available

View all devices from the current and child domains, with view parent enabled. Devices from the child domain with view parent disabled are not shown.

You can select a device and add it as an endpoint.

The following filter criteria are applied for the device selection:

SRX Series devices mapped to Junos OS Release 12.1X46 and later Junos-es schemas are not shown.
Logical systems are not shown.
Routing option is not applicable.

Selected

View devices added as endpoints listed in this column.

Table 250: VPN Tunnel and Route Setting Parameters

Settings	Guidelines
Tunnel Settings
Interface Type	Select the interface type in which to direct traffic• Unnumbered—These tunnel interfaces do not have any IP addresses assigned to them. Numbered—These tunnel interfaces have IP addresses assigned to them. For the eBGP routing option, the interface type should be numbered. Network IP—Enter the IP address of the numbered interface. This is the subnet address from where the IP address is automatically assigned for tunnel interfaces. Subnet Mask–Enter the subnet mask.
Number of Spoke devices per tunnel interface	Select either: All—Assign all spoke devices to a single tunnel interface. Specify Value—Specify the number of spoke devices to assign per tunnel interface.
Max Transmission Unit	Select the maximum transmission unit (MTU) in bytes. You can specify the MTU value for the tunnel endpoint. The default value is 9192 for SRX Series tunnel devices.
Route Settings
Routing Options	Select one of the following options: Static—Generates static routing based on the protected networks or zones per device. Spoke to Spoke communication—Select the Allow box to enable spoke-to-spoke communication with static routes. You can enable this option only for a hub-and-spoke VPN with static routing when you create or modify the VPN. By default, this option is not selected and you can select or clear this option during the modify workflow. OSPF—Generates OSPF configuration. Export—Select the Static routes box to export static routes. Security Director simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN. However, only devices on the hub side can export static default routes to the device side. Devices at the spoke side cannot export static default routes over a tunnel. Select the RIP routes box to export RIP routes. You can export RIP routes only for OSPF routing. Area ID—Specify an area ID within the range of 0 to 4,294,967,295, which is where the tunnel interfaces of this VPN need to be configured. RIP—Generates RIP configuration. Export—Select the Static routes box to export static routes. Select the OSPF routes box to export OSPF routes. If you select OSPF or RIP export, the OSPF or RIP network outside the VPN network are imported into a VPN network through OSPF or RIP routing protocols. Max Retransmission Time—Configure the retransmission timer to limit the number of times the RIP demand circuit resends update messages to an unresponsive peer. If the configured retransmission threshold is reached, routes from the next-hop router are marked as unreachable and the hold-down timer starts. You must configure a pair of RIP demand circuits for this timer to take effect. The retransmission range is from 5 through 180 seconds and the default value is 50 seconds. eBGP—Generates eBGP configuration. Export—Select the Static Routes box to export static routes. Note: For the eBGP routing option, the interface type should be numbered. None—No routing configuration is generated.
Spoke-to-Spoke Communication	Select this option to enable spoke-to-spoke communication.
Global Settings
External Interface	Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.
Tunnel Zone	Configure the tunnel zone. They are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPSec traffic. Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.
Protected Zone/Networks/Interfaces	Configure the security zone type to protect one area of the network from the other.

Table 251: Endpoint Settings Parameters

Settings	Guidelines
External Interface	Select the external interface for the selected device.
Tunnel Zone	Configure the tunnel zone for the selected device. They are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPSec traffic. Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.
Protected Network Zone/Networks/Interfaces	Configure the security zone type for the selected device to protect one area of the network from the other.
Routing Instance	Select the type of routing instance.
IKE Local Address	Provide the local IKE identity address to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. Specify the gateway address and click Add. You can create multiple IKE addresses on extranet device with dead peer detection (DPD) enabled and can provide a maximum of five IKE Addresses. To delete the IKE local addresses, select the check box and click X. Note: To add multiple IKE addresses, select one endpoint as Devices and other endpoint as Extranet.
AS Number	Specify a unique number to assign to the autonomous system (AS). The AS number identifies an autonomous system and enables the system to exchange exterior routing information with other neighboring autonomous systems. Valid range is from 0 to 4294967295. The autonomous system number is applicable only when the routing option is eBGP.

Creating IPsec VPNs

Before You Begin

Procedure

Related Documentation

Help us to improve. Rate this article.