Importing IPsec VPNs

Junos Space Security Director lets you import of your existing large and complex VPN configurations into Security Director. You do not have to recreate the same VPN environment to allow Security Director to manage it. During the VPN import, all VPN-related objects are also imported along with the VPN.

Security Director supports importing the following VPN configuration:

• Site-to-site, hub-and-spoke, and full-mesh topologies

• Preshared key-based VPNs

• Certificate-based VPNs, except AutoVPN

• Route-based and policy-based VPNs

• OSPF

• RIP

• Single proxy ID

• Traffic selectors

• Static route configurations that identify the protected network objects

• Static route configurations with spoke-to-spoke communication enabled

• Numbered and unnumbered tunnel interface types

• Route-metric configuration

• Static route configuration from a virtual router

Procedure

1. Select IPSec VPN > IPSec VPNs.

   The existing VPNs are listed on the right pane.

2. select Import VPN from the More option.

   The Import VPN page appears.

3. Click Next.

   The Select Devices page appears. You can select one or more devices from which the VPN configuration must be imported. The filter option enables you to perform the free text search on the device name, IP address, and device platform.

4. Select the security device to import its VPN settings. Click Next.

   A progress bar appears showing the analysis of the device configurations.

5. After analyzing the VPN configuration, Security Director performs the configuration parsing and the endpoint correlation. During the endpoint correlation if any conflicting configurations are found, you can either proceed to ignore the conflicts during the import and log this detail as a job or cancel the operation. Click Yes to ignore the conflicts and import the remaining configuration or No to abort the import and proceed to the next step to select devices.

   The conflict occurs when the combination of IKE and IPsec parameters are same between the endpoints. The following points explain the scenarios under which the conflicts occur for different VPN configuration types:

   • Preshared key and Main Mode

     • Preshared key

     • Local IKE ID of local endpoint and remote IKE ID of remote endpoint

     • Remote IKE ID of local endpoint and local IKE ID of remote endpoint

   • Preshared key and Aggressive Mode

     • Preshared key

     • Local IKE ID of local endpoint and remote IKE ID of remote endpoint

       OR

     • Remote IKE ID of local endpoint and local IKE ID of remote endpoint

   • Certificate, Main Mode, and DN type IKE ID

     • Remote IKE ID of local endpoint and DN of the certificate of remote endpoint

     • DN of the certificate of the local endpoint and remote IKE ID of remote endpoint

   • Certificate, Main Mode and other IKE ID type

     • Local IKE ID of the local endpoint and remote IKE ID of the remote endpoint

     • Remote IKE ID of local endpoint and local IKE ID of remote endpoint

   • Certificate, Aggressive Mode, and DN type IKE ID

     • Remote IKE ID of local endpoint and DN of the certificate of remote endpoint

     • DN of the certificate of the local endpoint and remote IKE ID of remote endpoint

   • Certificate, Aggressive Mode, and other IKE ID type

     • Local IKE ID of local endpoint and remote IKE ID of remote endpoint

       OR

     • Remote IKE ID of local endpoint and local IKE ID of remote endpoint

   If there are no conflicts, you can directly proceed to Step 6.

6. The Select EndPoints page appears showing the VPN settings.

   All the imported VPNs will have autogenerated names, which you have the option to modify. Click the VPN name and enter the name. There is a predefined quick filter available to list all the errors and warnings. Click the drop-down list to select the required filter parameter.

   The Select EndPoints page lists the VPNs discovered from the configuration and allows you to explore the devices, or endpoints for each of the discovered VPNs. You can also perform a free text search on the VPN name, device name, and endpoint names.

   Table 1 shows the description of each column.

   Table 253: Settings Guidelines

   Settings	Guidelines
   Column Name	Description
   VPNs & Local Endpoints	Lists all the discovered VPNs and their associated devices and endpoints in a tree structure.
   Remote Endpoints	Shows matching endpoint details.
   Warning	Displays any information, error, and warning messages detected during the import.

7. The Summary page appears. All the VPNs listed on this page are saved in the Security Director database for further management.

   Click Finish. A progress bar appears showing the progress of the import. Once the import is successful, you can manage the VPNs from the VPN landing page.

8. The final summary page appears showing the number of VPNs, devices, and endpoints imported. To view the complete job details, click full log details. The Job Details page appears.
9. Click Close. All the imported VPN configurations appear on the VPN landing page.

   Note At any point of the import workflow, you can choose to exit. All your settings and progress are discarded.

Note:

• The schema version of the device must be mapped to the Junos version to import all the VPN settings.

• You must republish the imported VPNs before modifying them further.

• VPN imported without IKE IDs configured on devices is not available for any modifications, unless you modify any VPN settings. On modifying these imported VPNs generate local or remote IKE IDs.

• Single-ProxyID, Multi-ProxyID, and the preshared key settings are imported at the tunnel level.

• By default, for the imported VPNs, the preshared key type is shown as Auto-generate. However, a new key is not generated for the already imported tunnels. If a new device is added to the VPN, only for that device, a new key is autogenerated.

Related Documentation

• IPsec VPN Overview

• Creating IPsec VPNs