Creating VPN Profiles
Use the VPN Profiles page to configure VPN profiles that define the security parameters used when establishing a VPN connection. You can reuse the same profile to create multiple VPN tunnels. A VPN profile includes the VPN proposals, VPN mode, authentication method, and other parameters used in IPsec VPN. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the profile. You can use this object to create either route-based or policy-based IPsec VPNs.
You cannot modify or delete Juniper Networks defined VPN profiles. You can only clone them and create new profiles.
You can also configure the Internet Key Exchange (IKE) negotiation phases known as Phase 1 and Phase 2 settings in a VPN profile. SRX Series devices support the following authentication methods in IKE negotiations for IPsec VPN:
The predefined VPN profile is available for RSA certificates-based authentication. The PKI certificate list from the device is automatically retrieved during the device discovery.
Before You Begin
Review the VPN profiles main page for an understanding of your current data set. See VPN Profiles Main Page Fields for field descriptions.
Read the VPN Profiles Overview topic.
To configure a VPN profile:
- Select Configure > IPsec VPN > Profiles.
- Click the plus sign (+) to create a new VPN profile.
- Complete the configuration according to the guidelines provided in Table 1 and Table 2.
A new VPN profile with the predefined VPN configuration is created. You can use this object to create IPsec VPNs.
Table 1: VPN Profiles Settings – Phase 1 IKE Negotiation Configuration
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores; no spaces allowed; 255-character maximum.
Enter a description for the VPN profile; maximum length is 1024 characters.
Select the required authentication type:
Select a VPN mode:
Starting in Junos Space Security Director Release 16.1, you can enable this option to accept the peer IKE ID in general. This option is disabled by default. When General IKE ID is enabled, the IKE ID option is disabled automatically.
Configure the following Internet Key Exchange (IKE) identifiers, as needed:
Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKEv1 is used.
Starting in Junos Space Security Director 17.1, you can configure IKEv2 message fragmentation, which allows IKEv2 to operate in environments where IP fragments might be blocked and peers would otherwise be unable to establish an IPsec security association (SA). IKEv2 fragmentation splits a large IKEv2 message into a set of smaller messages so that no fragmentation occurs at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so each fragment is separately encrypted and authenticated. On the receiver, the fragments are collected, verified, decrypted, and merged back into the original message.
On SRX Series devices, IKEv2 fragmentation is enabled by default for IPv4 and IPv6 messages. You can disable IKEv2 packet fragmentation and, optionally, configure the maximum size of an IKEv2 message before it is split into fragments.
IKE Fragment Size
Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages. Range: 500 to 1300 bytes.
Default: 570 bytes for IPv4 messages and 1280 bytes for IPv6 messages.
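The fragment-before-encrypt behaviour described above, as an added model that is not Security Director or Junos code: each fragment is encrypted and authenticated on its own, the receiver verifies every tag before merging, and fragments may arrive in any order. The keystream is a constructed SHA-256 counter-mode stand-in so the example runs offline; a real IKEv2 SA uses the negotiated cipher and integrity algorithm, and the fragment header layout is simplified from RFC 7383.

```python
import hashlib
import hmac
import struct

# Fragment size limits from the page: range 500..1300 bytes; defaults 570 (IPv4) / 1280 (IPv6).
DEFAULT_FRAG_SIZE = {"ipv4": 570, "ipv6": 1280}
FRAG_HEADER = struct.Struct("!HH")  # fragment number, total fragment count (both 1-based)
TAG_LEN = 32  # HMAC-SHA256 tag appended to every fragment

def _keystream(key, frag_num, length):
    # Toy keystream (SHA-256 in counter mode) used ONLY so the demo runs offline;
    # a real IKEv2 SA uses the negotiated cipher (e.g. AES-GCM), not this.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!HI", frag_num, ctr)).digest()
        ctr += 1
    return out[:length]

def fragment_message(plaintext, enc_key, mac_key, frag_size=DEFAULT_FRAG_SIZE["ipv4"]):
    """Split plaintext BEFORE encryption; encrypt and authenticate each piece separately."""
    if not 500 <= frag_size <= 1300:
        raise ValueError("IKE fragment size must be between 500 and 1300 bytes")
    chunk = frag_size - FRAG_HEADER.size - TAG_LEN  # payload bytes that fit in one fragment
    pieces = [plaintext[i:i + chunk] for i in range(0, len(plaintext), chunk)] or [b""]
    frags = []
    for num, piece in enumerate(pieces, start=1):
        header = FRAG_HEADER.pack(num, len(pieces))
        body = bytes(p ^ k for p, k in zip(piece, _keystream(enc_key, num, len(piece))))
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        frags.append(header + body + tag)  # never longer than frag_size
    return frags

def reassemble(frags, enc_key, mac_key):
    """Receiver side: verify, decrypt and merge; fragments may arrive in any order."""
    pieces, total = {}, None
    for frag in frags:
        header, body, tag = frag[:FRAG_HEADER.size], frag[FRAG_HEADER.size:-TAG_LEN], frag[-TAG_LEN:]
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("fragment failed authentication; dropping message")
        num, count = FRAG_HEADER.unpack(header)
        if total is None:
            total = count
        elif count != total:
            raise ValueError("inconsistent fragment count")
        pieces[num] = bytes(b ^ k for b, k in zip(body, _keystream(enc_key, num, len(body))))
    if total is None or set(pieces) != set(range(1, total + 1)):
        raise ValueError("incomplete message: fragments missing")
    return b"".join(pieces[n] for n in range(1, total + 1))
```

A 2000-byte message splits into 4 fragments at the 570-byte IPv4 default and into 2 at the 1280-byte IPv6 default; a single flipped byte in any fragment fails that fragment's tag and the whole message is discarded.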
Select the type of proposal as either Predefined or Custom.
For a custom proposal, click the plus sign (+) to create a new proposal. You can specify the Diffie-Hellman (DH) group, authentication algorithm, and encryption algorithm when creating a custom proposal.
Note: For the RSA-signature and DSA-signature authentication types, you can only use the custom proposals.
Predefined Proposal Sets
If you have opted for the predefined proposal, specify a set of default IKE proposals:
NAT Traversal (NAT-T) is negotiated during IKE Phase 1 when a VPN connection is established between two gateway devices and a NAT device sits in front of one of them (in this case, a Juniper firewall device). Enabling this option lets IPsec traffic pass through the NAT device.
By default, NAT-T is enabled on SRX Series devices. You must explicitly clear the Enable check box to turn it off on a gateway-by-gateway basis.
Range: 1 through 300 seconds.
Select the check box to enable dead peer detection (DPD), which permits the two gateways to determine whether the peer gateway is up and responding to the DPD messages negotiated during IPsec establishment.
Table 2: VPN Profiles Settings – Phase 2 IKE Negotiation Configuration
Select the type of proposal as either Predefined or Custom. For the Custom proposal, click the plus sign (+) to create a new proposal.
Predefined Proposal Sets
Select the appropriate predefined proposal set:
Perfect Forward Secrecy
Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time.
The available options are:
Establish tunnel immediately
Enable this option to establish the IPsec tunnel immediately: IKE is activated as soon as the VPN configuration and any subsequent configuration changes are committed.
Enable this option to send Internet Control Message Protocol (ICMP) requests to determine whether the VPN is up.
Enable this option to process the Don't Fragment (DF) bit in IP messages. You can choose to copy the DF bit from the inner header to the IPsec header, clear it, or set it.
Select the following options:
Idle time (secs)
Select the appropriate idle time interval from the selector. The sessions and their corresponding translations typically time out after a certain period of time if no traffic is received.
Specify the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10.
By default, anti-replay detection is enabled. IPsec protects against replay attacks by using a sequence number carried in each IPsec packet: the system does not accept a packet whose sequence number it has already seen. It checks the sequence numbers and enforces the check, rather than simply ignoring them. Disable anti-replay only if an error in the IPsec mechanism results in out-of-order packets that prevent proper operation.
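The sequence-number check described above, as an added illustration that is not Security Director or Junos code: a sliding-window anti-replay check in the style of RFC 4303 for one inbound SA, showing why modest reordering (packet 4 arriving after 5) is accepted while a repeated sequence number is dropped, and what disabling the check does. The window size, the `AntiReplayWindow` and `filter_packets` names and the sample sequence numbers are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding-window replay check for one inbound IPsec SA (RFC 4303, section 3.4.3).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been received.
    The check runs only after the packet's integrity check has passed, so a
    forged sequence number cannot poison the window.
    """

    def __init__(self, size=64, enabled=True):
        self.size = size          # window width in packets (64 is the RFC minimum)
        self.enabled = enabled    # anti-replay is on by default, as on the page
        self.top = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True if `seq` should be accepted, False if it is a replay or too old."""
        if not self.enabled:
            return True           # anti-replay disabled: every packet is accepted
        if seq == 0:
            return False          # ESP sequence numbers start at 1
        if seq > self.top:        # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False          # older than the window: drop
        if self.bitmap & (1 << offset):
            return False          # already seen: replay
        self.bitmap |= 1 << offset  # late but legitimate (reordered) packet
        return True

def filter_packets(seqs, size=64, enabled=True):
    """Run a list of ESP sequence numbers through one window; return (accepted, dropped)."""
    window = AntiReplayWindow(size, enabled)
    accepted, dropped = [], []
    for seq in seqs:
        (accepted if window.accept(seq) else dropped).append(seq)
    return accepted, dropped

# Constructed sample: mild reordering (5 then 4), a replayed 3, a jump to 20 that
# moves the window forward, a late 12, a late 13, a replayed 12, then 21.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 20, 12, 13, 12, 21]
```

With an 8-packet window the late packet 12 is dropped as too old after 20 arrives, while with the default 64-packet window it is accepted once and dropped only when replayed.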