
Creating VPN Profiles

 

Use the VPN Profiles page to configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. The VPN profile includes VPN proposals, VPN mode, authentication, and other parameters used in IPsec VPN. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.

Note

You cannot modify or delete Juniper Networks defined VPN profiles. You can only clone them and create new profiles.

You can also configure the Internet Key Exchange (IKE) negotiation phases, Phase 1 and Phase 2, in a VPN profile. SRX Series devices support the following authentication methods in IKE negotiations for IPsec VPN:

  • Preshared key

  • ECDSA certificate

  • RSA certificate

  • DSA certificate

The predefined VPN profile is available for RSA certificate-based authentication. The PKI certificate list is retrieved from the device automatically during device discovery.

Before You Begin

To configure a VPN profile:

  1. Select Configure > IPsec VPN > Profiles.
  2. Click the plus sign (+) to create a new VPN profile.
  3. Complete the configuration according to the guidelines provided in Table 1 and Table 2.

A new VPN profile with the predefined VPN configuration is created. You can use this object to create IPsec VPNs.

Table 1: VPN Profiles Settings – Phase 1 IKE Negotiation Configuration

Setting

Guideline

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores; no spaces allowed; 255-character maximum.

Description

Enter a description for the VPN profile; maximum length is 1024 characters.

Phase 1

Authentication Type

Select the required authentication type:

  • Preshared key

  • RSA signature

  • DSA signature

  • ECDSA signature (256)

  • ECDSA signature (384)

Mode

Select a VPN mode:

  • Main—The most common and secure way to establish a VPN when building site-to-site VPNs. The IKE identities are encrypted and cannot be determined by eavesdroppers.

  • Aggressive—This is an alternative to main mode IPsec negotiation. This is the most common mode when building VPNs from client workstations to VPN gateways, where the IP address of the client is neither known in advance nor fixed.

General-IkeID

Starting in Junos Space Security Director Release 16.1, you can enable this option to accept peer IKE IDs in general. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

Note:

  • This option is not available in Aggressive VPN mode.

  • You cannot use a VPN profile with the General IKE ID option enabled for Auto VPN or ADVPN.

IKE Id

Configure the following Internet Key Exchange (IKE) identifiers, as needed:

  • Hostname—The hostname or fully qualified domain name is essentially a string that identifies the end system.

  • User@hostname—A simple string that follows the same format as an e-mail address.

    • User—Enter the e-mail address of the user. We recommend that you use the valid e-mail address of the user for ease of management.

  • IPAddress—This is the most common form of IKE identity for site-to-site VPNs. This can be either an IPv4 or IPv6 address. This option is available only if the VPN mode is Aggressive and the authentication type is Preshared Key.

  • DN—The distinguished name in the certificate that uniquely identifies the user. This option is available only for the RSA, DSA, and ECDSA signature authentication types.

Note:

  • For the Preshared Key authentication type:

    • If you have enabled the General IKE ID option, the IKE ID option is automatically set to None and you cannot edit this option.

    • When modifying an IPsec VPN, you cannot edit the IKE ID column in the View/Edit Tunnel page if you have chosen a VPN profile with the General IKE ID option enabled.

  • For the certificate-based authentication types:

    • You can edit the IKE ID option even if you have enabled the General IKE ID option, because the local-identity CLI statement is used for certificate authentication.

    • When modifying an IPsec VPN, you can edit the IKE ID column in the View/Edit Tunnel page if you have chosen a VPN profile with the General IKE ID option enabled.

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKEv1 is used.

Starting in Junos Space Security Director 17.1, IKEv2 message fragmentation allows IKEv2 to operate in environments where IP fragments might be blocked and peers would not be able to establish an IPsec security association (SA). IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKE Fragment

On SRX Series devices, IKEv2 fragmentation is enabled by default for IPv4 and IPv6 messages. You can disable the IKEv2 packet fragmentation and, optionally, configure the maximum size of an IKEv2 message before the message is split into fragments that are individually encrypted and authenticated.

IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated. On the receiver, the fragments are collected, verified, decrypted, and merged into the original message.

IKE Fragment Size

Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages. Range: 500 to 1300 bytes.

Default: 570 bytes for IPv4 messages and 1280 bytes for IPv6 messages

Proposals

Select the type of proposal as either Predefined or Custom.

For a custom proposal, click the plus sign (+) to create a new proposal. You provide the Diffie-Hellman (DH) group, authentication, and encryption details when creating the custom proposal.

  • Name—Enter the name of the proposal.

  • DH Group—A DH exchange allows the participants to produce a shared secret value. Select the appropriate DH group:

    • Group1

    • Group2

    • Group5

    • Group14

    • Group19

    • Group20

    • Group24

  • Authentication—Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

    • MD5

    • SHA-1

    • SHA-256

    • SHA-384

  • Encryption—Select the appropriate encryption mechanism:

    • 3DES

    • AES(128)

    • AES(192)

    • AES(256)

  • Lifetime—Select a lifetime of an IKE security association (SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds.

Note: For the RSA-signature and DSA-signature authentication types, you can use only custom proposals.

Predefined Proposal Sets

If you have opted for the predefined proposal, specify a set of default IKE proposals:

  • Basic

    • Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and DH group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.

    • Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

  • Standard

    • Proposal 1—Preshared key, triple DES (3DES) encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.

    • Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication.

  • Compatible

    • Proposal 1—Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.

    • Proposal 2—Preshared key, Advanced Encryption Standard (AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.

Advanced Settings

NAT Traversal

NAT-T (NAT Traversal) is negotiated during IKE Phase 1 and is used when establishing a VPN connection between two gateway devices where a NAT device sits in front of one of them (in this case, a Juniper firewall). Enabling this option lets IPsec traffic pass through the NAT device.

By default, NAT-T is enabled on SRX Series devices. You must explicitly clear the Enable check box to turn it off on a gateway-by-gateway basis.

  • Keepalive Interval (secs)—Select the appropriate keepalive interval in seconds. If the VPN is expected to have large periods of inactivity, these keepalives are configured to generate artificial traffic to keep the session active on the NAT devices.

Range: 1 through 300 seconds.

DPD

Select the check box to enable dead peer detection (DPD), which lets each gateway determine whether the peer gateway is up and responding to the DPD messages negotiated during IPsec establishment.

  • Always Send DPD—Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer.

  • DPD Interval (secs)—Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 10 to 60 seconds.

  • DPD Threshold—Select a number from 1 to 5 to set the DPD failure threshold: the maximum number of DPD messages sent without a response before the peer is considered dead. Default: 5.
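The fragment-then-protect flow described under IKE Fragment, as an added example that is not Junos or Security Director code: the message is split so that each fragment fits the configured size (the 570-byte IPv4 default is used in the test), every fragment carries its own integrity tag, and the receiver verifies each fragment before merging them, discarding the whole message if any fragment is missing or fails verification. HMAC-SHA256 stands in for the IKE encryption and integrity protection, and the Fragment layout, key and payload are constructed for this example.

```python
"""IKEv2-style message fragmentation: split first, then protect each fragment on its own."""
import hashlib
import hmac
import math
from dataclasses import dataclass

HEADER_LEN = 8   # msg_id(4) + frag_num(2) + total(2); this example's own layout
TAG_LEN = 32     # HMAC-SHA256 tag, standing in for the IKE integrity check value


@dataclass(frozen=True)
class Fragment:
    msg_id: int
    frag_num: int   # 1-based, as in RFC 7383
    total: int
    body: bytes
    tag: bytes


def _tag(key: bytes, msg_id: int, frag_num: int, total: int, body: bytes) -> bytes:
    header = msg_id.to_bytes(4, "big") + frag_num.to_bytes(2, "big") + total.to_bytes(2, "big")
    return hmac.new(key, header + body, hashlib.sha256).digest()


def fragment(key: bytes, msg_id: int, message: bytes, max_size: int) -> list:
    """Split message so every fragment (header + body + tag) fits within max_size bytes."""
    chunk = max_size - HEADER_LEN - TAG_LEN
    total = max(1, math.ceil(len(message) / chunk))
    frags = []
    for i in range(total):
        body = message[i * chunk:(i + 1) * chunk]
        frags.append(Fragment(msg_id, i + 1, total, body, _tag(key, msg_id, i + 1, total, body)))
    return frags


def reassemble(key: bytes, frags: list):
    """Verify each fragment independently; return the message, or None if any is missing or bad."""
    if not frags:
        return None
    msg_id, total = frags[0].msg_id, frags[0].total
    parts = {}
    for f in frags:
        if f.msg_id != msg_id or f.total != total or not 1 <= f.frag_num <= total:
            return None        # inconsistent header: drop the whole message
        if not hmac.compare_digest(f.tag, _tag(key, f.msg_id, f.frag_num, f.total, f.body)):
            return None        # corrupted or forged fragment: drop everything
        parts[f.frag_num] = f.body
    if len(parts) != total:
        return None            # a fragment is still missing (or was lost)
    return b"".join(parts[i] for i in range(1, total + 1))
```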

Table 2: VPN Profiles Settings – Phase 2 IKE Negotiation Configuration

Setting

Guideline

Proposal

Select the type of proposal as either Predefined or Custom. For the Custom proposal, click the plus sign (+) to create a new proposal.

  • Name—Enter the name of the custom proposal.

  • Authentication—Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

    • MD5

    • SHA-1

    • SHA-256(96)

    • SHA-256(128)

  • Protocol—Select the required protocol to establish the VPN.

  • Encryption—Select the necessary encryption method:

    • DES

    • 3DES

    • AES(128)

    • AES(192)

    • AES(256)

    • AES-GCM(128)

    • AES-GCM(192)

    • AES-GCM(256)

  • Lifetime—Select a lifetime of an IKE security association (SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds.

  • Life Size—The lifetime of the SA expressed in kilobytes of traffic; the SA expires once this volume has been protected.

Predefined Proposal Sets

Select the appropriate predefined proposal set:

  • Basic

  • Standard

  • Compatible

  • SuiteB-GCM-128

    • ESP—Advanced Encryption Standard (AES) encryption with 128-bit keys and 16-octet integrity check value (ICV) in Galois Counter Mode (GCM).

    • IKE—AES encryption with 128-bit keys in cipher block chaining (CBC) mode, integrity using SHA-256 authentication, and key establishment using DH group 19 and authentication using Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit elliptic curve signatures.

  • SuiteB-GCM-256

    • ESP—AES encryption with 256-bit keys and 16-octet ICV in GCM for ESP.

    • IKE—AES encryption with 256-bit keys in CBC mode, integrity using SHA-384 authentication, and key establishment using DH group 20 and authentication using ECDSA 384-bit elliptic curve signatures.

Perfect Forward Secrecy

Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time.

The available options are:

  • Group1

  • Group2

  • Group5

  • Group14

  • Group19

  • Group20

  • Group24

Advanced Settings

Establish tunnel immediately

Enable this option to establish the IPsec tunnel immediately: IKE is activated as soon as the VPN configuration and any configuration changes are committed.

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) requests through the tunnel to determine whether the VPN is up.

  • VPN Optimized—This is the VPN monitoring option. It sends ICMP traffic through the tunnel only when there is no user traffic.

DF bit

Enable this option to process the Don’t Fragment (DF) bit in IP messages. You can copy the inner packet’s DF bit to the outer IPsec header, or clear or set the bit in that header.

Select the following options:

  • None—No action.

  • Clear—Clear (disable) the DF bit from the IP messages. This is the default.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Set (enable) the DF bit in the IP messages.

Idle time (secs)

Select the appropriate idle time interval from the selector. The sessions and their corresponding translations typically time out after a certain period of time if no traffic is received.

Install Time

Specify the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10.

Anti Replay

By default, Anti-Replay detection is enabled. IPsec protects against replay attacks by using the sequence numbers built into each IPsec packet: the system does not accept a packet whose sequence number it has already seen. The sequence numbers are checked and enforced rather than ignored. Disable it only if an error in the IPsec mechanism delivers packets out of order and prevents proper functionality.
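How the sequence-number check behaves, as an added example (not Junos code) modelled on the RFC 4303 sliding window: exact replays are rejected, mildly late packets are accepted, and packets that arrive further behind the newest one than the window size are dropped, which is the out-of-order failure mode the Anti Replay guideline warns about. The window size and the sample sequence numbers are constructed for the example.

```python
"""Sliding-window anti-replay check over IPsec sequence numbers (RFC 4303 Appendix A style)."""


class AntiReplayWindow:
    """Tracks the highest accepted sequence number and a bitmap of the window below it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0                 # highest sequence number accepted so far
        self.bitmap = 0              # bit i set means sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window; False means drop."""
        if seq <= 0:                 # ESP sequence numbers start at 1
            return False
        if seq > self.top:           # newest packet so far: slide the window up to it
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1      # everything seen before is now outside the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:      # older than the window can remember: drop
            return False
        if (self.bitmap >> offset) & 1:
            return False             # same sequence number already accepted: replay
        self.bitmap |= 1 << offset   # late but unseen: accept and mark it
        return True


def dropped_packets(seqs, size: int = 64) -> list:
    """Run a constructed stream of sequence numbers through one window; return the dropped ones."""
    window = AntiReplayWindow(size)
    return [s for s in seqs if not window.accept(s)]
```

A larger window (Junos lets you configure the replay window size on the SA) tolerates more reordering before legitimate late packets start being dropped.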

Release History Table

Release: 17.1
Description: Starting in Junos Space Security Director 17.1, IKEv2 message fragmentation allows IKEv2 to operate in environments where IP fragments might be blocked and peers would not be able to establish an IPsec security association (SA).

Release: 16.1
Description: Starting in Junos Space Security Director Release 16.1, you can enable this option to accept peer IKE IDs in general.
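A profile check, added here as an example rather than Security Director's own validation, that applies the selectable options and numeric ranges from Tables 1 and 2 above and flags choices that remain selectable but are deprecated for IKEv2 by RFC 8247 and for ESP by RFC 8221. The VpnProfile fields and the lint function are this example's own, not part of the product.

```python
from dataclasses import dataclass
# Selectable values exactly as Tables 1 and 2 on this page list them.
P1_AUTH = {"MD5", "SHA-1", "SHA-256", "SHA-384"}
P2_AUTH = {"MD5", "SHA-1", "SHA-256(96)", "SHA-256(128)"}
P1_ENC = {"3DES", "AES(128)", "AES(192)", "AES(256)"}
P2_ENC = P1_ENC | {"DES", "AES-GCM(128)", "AES-GCM(192)", "AES-GCM(256)"}
DH_GROUPS = {1, 2, 5, 14, 19, 20, 24}
# Still selectable, but deprecated for IKEv2/ESP by RFC 8247 and RFC 8221.
WEAK_ENC, WEAK_AUTH, WEAK_DH = {"DES", "3DES"}, {"MD5", "SHA-1"}, {1, 2, 5, 24}
LIMITS = {"p1_lifetime": (180, 86400), "ike_fragment_size": (500, 1300),
          "dpd_interval": (10, 60), "dpd_threshold": (1, 5)}   # (min, max) from the tables


@dataclass
class VpnProfile:  # hypothetical flat view of one profile; field names are this example's own
    ike_version: str          # "V1" or "V2"
    p1_auth: str
    p1_enc: str
    p1_dh: int
    p2_auth: str
    p2_enc: str
    pfs_group: int = 0        # 0 means Perfect Forward Secrecy is disabled
    p1_lifetime: int = 3600
    ike_fragment_size: int = 570
    dpd_interval: int = 10
    dpd_threshold: int = 5


def lint(p: VpnProfile) -> list:
    """Return findings; an empty list means every value is selectable, in range, and not weak."""
    findings = []
    for label, value, allowed, weak in (
        ("phase1 auth", p.p1_auth, P1_AUTH, WEAK_AUTH),
        ("phase1 enc", p.p1_enc, P1_ENC, WEAK_ENC),
        ("phase1 dh", p.p1_dh, DH_GROUPS, WEAK_DH),
        ("phase2 auth", p.p2_auth, P2_AUTH, WEAK_AUTH),
        ("phase2 enc", p.p2_enc, P2_ENC, WEAK_ENC),
        ("pfs group", p.pfs_group, DH_GROUPS | {0}, WEAK_DH),
    ):
        if value not in allowed:
            findings.append(f"{label} {value!r} is not a selectable option")
        elif value in weak:
            findings.append(f"{label} {value!r} is deprecated")
    if p.ike_version == "V1":
        findings.append("IKEv1 selected; IKEv2 is preferred and is required for IKE fragmentation")
    if p.pfs_group == 0:
        findings.append("PFS disabled: Phase 2 keys are derived from the Phase 1 secret only")
    for field, (lo, hi) in LIMITS.items():
        if not lo <= getattr(p, field) <= hi:
            findings.append(f"{field} {getattr(p, field)} outside {lo}-{hi}")
    return findings
```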