Creating VPN Profiles

Use the VPN Profiles page to configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. The VPN profile includes VPN proposals, VPN mode, authentication, and other parameters used in IPsec VPN. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.

Note You cannot modify or delete Juniper Networks defined VPN profiles. You can only clone them and create new profiles.

You can also configure the Internet Key Exchange (IKE) negotiation phases known as Phase 1 and Phase 2 settings in a VPN profile. SRX Series devices support the following authentication methods in IKE negotiations for IPsec VPN:

Preshared key
ECDSA certificate
RSA certificate
DSA certificate

The predefined VPN profile is available for RSA certificates-based authentication. The PKI certificate list from the device is automatically retrieved during the device discovery.

Before You Begin

Review the VPN profiles main page for an understanding of your current data set. SeeVPN Profiles Main Page Fields for field descriptions.
Read the VPN Profiles Overview topic.

Procedure

To configure a VPN profile:

Select Configure > IPsec VPN > Profiles.
Click the plus sign (+) to create a new VPN profile.
Complete the configuration according to the guidelines provided in Table 265 and Table 266.

A new VPN profile with the predefined VPN configuration is created. You can use this object to create IPsec VPNs.

Table 265: VPN Profiles Settings – Phase 1 IKE Negotiation Configuration

Setting	Guideline
Name	Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores; no spaces allowed; 255-character maximum.
Description	Enter a description for the VPN profile; maximum length is 1024 characters.
Phase 1
Authentication Type	Select the required authentication type: Preshared key RSA signature DSA signature ECDSA signature (256) ECDSA signature (384)
Mode	Select a VPN mode: Main—The most common and secure way to establish a VPN when building site-to-site VPNs. The IKE identities are encrypted and cannot be determined by eavesdroppers. Aggressive—This is an alternative to main mode IPsec negotiation. This is the most common mode when building VPNs from client workstations to VPN gateways, where the IP address of the client is neither known in advance nor fixed.
General-IkeID	Starting Junos Space Security Director Release 16.1, you can enable this option to accept peer IKE ID in general. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically. Note: This option is not available in Aggressive VPN mode. You cannot use a VPN profile with the General IKE ID option enabled for the Auto VPN and ADVPN.
IKE Id	Configure the following Internet Key Exchange (IKE) identifiers, as needed: Hostname—The hostname or fully qualified domain name is essentially a string that identifies the end system. User@hostname—A simple string that follows the same format as an e-mail address. User—Enter the e-mail address of the user. We recommend that you use the valid e-mail address of the user for ease of management. IPAddress—This is the most common form of IKE identity for site-to-site VPNs. This can be either an IPv4 or IPv6 address. This option is available only if the VPN mode is Aggressive and the authentication type is Preshared Key. DN—The distinguished name used in certificates to identify a unique user in a certificate. This option is available only for RSA, DSA, and ECDSA signature authentication types. Note: For the Preshared Key authentication type: If you have enabled the General IKE ID option, the IKE ID option is automatically set to None and you cannot edit this option. When modifying a IPsec VPN, you cannot edit the IKE ID column in the View/Edit Tunnel page, if you have chosen a VPN profile with the General IKE ID option enabled. For the certificate-based authentication type: You can edit the IKE ID option even if you have enabled the General IKE ID option because, the local-identity CLI is used for certificate authentication. When modifying a IPsec VPN, you can edit the IKE ID column in the View/Edit Tunnel page, if you have chosen a VPN profile with the General IKE ID option enabled.
IKE Version	Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKEv1 is used. Starting in Junos Space Security Director 17.1, IKEv2 message fragmentation allows IKEv2 to operate in environments where IP fragments might be blocked and peers would not be able to establish an IPsec security association (SA). IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.
IKE Fragment	On SRX Series devices, IKEv2 fragmentation is enabled by default for IPv4 and IPv6 messages. You can disable the IKEv2 packet fragmentation and, optionally, configure the maximum size of an IKEv2 message before the message is split into fragments that are individually encrypted and authenticated. IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. Fragmentation takes place before the original message is encrypted and authenticated, so that each fragment is separately encrypted and authenticated. On the receiver, the fragments are collected, verified, decrypted, and merged into the original message.
IKE Fragment Size	Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages. Range: 500 to 1300 bytes. Default: 570 bytes for IPv4 messages and 1280 bytes for IPv6 messages
Proposals	Select the type of proposal as either Predefined or Custom. For the custom proposal, click the plus sign (+) to create a new proposal. You can provide Diffie-Hellman (DH) group, authentication, or encryption detail while creating custom proposal. Name—Enter the name of the proposal. DH Group—A DH exchange allows the participants to produce a shared secret value. Select the appropriate DH group: Group1 Group2 Group5 Group14 Group19 Group20 Group24 Authentication–Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet. MD5 SHA-1 SHA-256 SHA-384 Encryption—Select the appropriate encryption mechanism: 3DES AES(128) AES(192) AES(256) Lifetime—Select a lifetime of an IKE security association (SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds. Note: For the RSA-signature and DSA-signature authentication types, you can only use the custom proposals.
Predefined Proposal Sets	If you have opted for the predefined proposal, specify a set of default IKE proposals: Basic Proposal 1—Preshared key, Data Encryption Standard (DES) encryption, and DH group 1 and Secure Hash Algorithm 1 (SHA-1) authentication. Proposal 2—Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication. Standard Proposal 1—Preshared key, triple DES (3DES) encryption, and Gnutella2 (G2) and SHA-1 authentication. Proposal 2—Preshared key, 3DES encryption, and DH group 2 and MD5 authentication. Proposal 3—Preshared key, DES encryption, and DH group 2 and SHA-1 authentication. Proposal 4—Preshared key, DES encryption, and DH group 2 and MD5 authentication. Compatible Proposal 1—Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication. Proposal 2—Preshared key, Advanced Encryption Standard (AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.
Advanced Settings
NAT Traversal	NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where a NAT device exists in front of one of the devices (in this case a Juniper Firewall device). By enabling this option, IPsec traffic can pass through a NAT device. By default, NAT-T is enabled on SRX Series devices. You must explicitly clear the Enable check box to turn it off on a gateway-by-gateway basis. Keepalive Interval (secs)—Select the appropriate keepalive interval in seconds. If the VPN is expected to have large periods of inactivity, these keepalives are configured to generate artificial traffic to keep the session active on the NAT devices. Range: 1 through 300 seconds.
DPD	Select the check box to permit the two gateways to determine if the peer gateway is up and responding to the DPD messages that are negotiated during IPsec establishment. Always Send DPD—Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer. DPD Interval (secs)—Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 10 to 60 seconds. DPD Threshold—Select a number from 1 to 5 to set the failure DPD threshold. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times.

Table 266: VPN Profiles Settings – Phase 2 IKE Negotiation Configuration

Setting	Guideline
Proposal	Select the type of proposal as either Predefined or Custom. For the Custom proposal, click the plus sign (+) to create a new proposal. Name—Enter the name of the custom proposal. Authentication—Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet. MD5 SHA-1 SHA-256(96) SHA-256(28) Protocol—Select the required protocol to establish the VPN. Encryption—Select the necessary encryption method: DES 3DES AES(128) AES(192) AES(256) AES-GCM(128) AES-GCM(192) AES-GCM(256) Lifetime—Select a lifetime of an IKE security association (SA). Default: 3,600 seconds. Range: 180 through 86,400 seconds. Life Size—The lifetime of the SA, after which it expires, expressed in kilobytes.
Predefined Proposal Sets	Select the appropriate predefined proposal set: Basic Standard Compatible SuiteB-GCM-128 ESP—Advanced Encryption Standard (AES) encryption with 128-bit keys and 16-octet integrity check value (ICV) in Galois Counter Mode (GCM). IKE—AES encryption with 128-bit keys in cipher block chaining (CBC) mode, integrity using SHA-256 authentication, and key establishment using DH group 19 and authentication using Elliptic Curve Digital Signature Algorithm (ECDSA) 256-bit elliptic curve signatures. SuiteB-GCM-256 ESP—AES encryption with 256-bit keys and 16-octet ICV in GCM for ESP. IKE—AES encryption with 256-bit keys in CBC mode, integrity using SHA-384 authentication, and key establishment using DH group 20 and authentication using ECDSA 384-bit elliptic curve signatures.
Perfect Forward Secrecy	Specify Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time. The available options are: Group1 Group2 Group5 Group14 Group19 Group20 Group24
Advanced Settings
Establish tunnel immediately	Enable this option to establish the IPsec tunnel. IKE is activated immediately after VPN configuration and configuration changes are committed.
VPN Monitor	Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up. VPN Optimized—This is the VPN monitoring option. It sends only the ICMP traffic through the tunnel where there is an absence of user traffic.
DF bit	Enable this option to process the Don’t Fragment (DF) bit in IP messages. You can set it to copy, clear, or set the bits to the IPsec header. Select the following options: None—No action. Clear—Clear (disable) the DF bit from the IP messages. This is the default. Copy—Copy the DF bit to the IP messages. Set—Set (enable) the DF bit in the IP messages.
Idle time (secs)	Select the appropriate idle time interval from the selector. The sessions and their corresponding translations typically time out after a certain period of time if no traffic is received.
Install Time	Specify the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10.
Anti Replay	By default, Anti-Replay detection is enabled. IPsec protects against the VPN attack by using a sequence of numbers that are built into the IPsec packet—the system does not accept a packet for which it has already seen the same sequence number. It essentially checks the sequence numbers and enforces the check, rather than just ignoring the sequence numbers. Disable it if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

Creating VPN Profiles

Before You Begin

Procedure

Related Documentation

Help us to improve. Rate this article.