Help Center User GuideGetting StartedFAQRelease Notes
 
X
User Guide
Getting Started
FAQ
Release Notes
Contents  

Creating VPN Profiles

Use the VPN Profiles page to configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. The VPN profile includes VPN proposals, VPN mode, authentication, and other parameters used in IPsec VPN. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.

Note You cannot modify or delete Juniper Networks defined VPN profiles. You can only clone them and create new profiles.

Before You Begin

Procedure

To configure a VPN profile:

  1. Select Configure > IPsec VPN > Profiles.
  2. Click the plus sign (+) to create a new VPN profile.
  3. Complete the configuration according to the guidelines provided in Table 284.

A new VPN profile with the predefined VPN configuration is created. You can use this object to create IPsec VPNs.

Table 284: VPN Profile Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, dashes and underscores; no spaces allowed; 62-character maximum.

Description

Enter a description for the VPN profile; maximum length is 255 characters.

IKE Settings

Authentication Method

Select the required authentication method:

  • Pre-shared based

  • RSA-Signatures

  • DSA-Signatures

  • ECDSA-Signatures-256

  • ECDSA-Signatures-384

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used.

Mode

Select an IKE policy mode.

  • Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

  • Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

Note: Mode is applicable when the IKE Version is V1.

Encryption-algorithm

Select the appropriate encryption mechanism.

Authentication-algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Deffie Hellman group

Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Lifetime-seconds

Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Dead Peer Detection

Enable to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD Mode.

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times, with a permissible range of 1 to 5.

Advance Configuration

General IKE ID

Enable this option to accept peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

IKEv2 Re Authentication

Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0.

Range is 0 to 100.

IKEv2 Re Fragmentation Support

IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKEv2 Re-fragment Size

Select the size of the packet at which messages are fragmented. By default, the size is 576 bytes for IPv4.

Range is 570 to 1320.

IKE ID

Select an option:

  • None

  • Distinguished name

  • Hostname

  • IPv4 address

  • E-mail Address

IKE ID is applicable only when General IKE ID is disabled.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a value. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. Range is from 1 to 300 seconds.

IPsec Settings

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication.

  • AH—The Authentication Header (AH) protocol provides data integrity and data authentication.

Encryption Algorithm

Select the necessary encryption method.

This is applicable if the Protocol is ESP.

Authentication Algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.

Lifetime Seconds

Select the lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Lifetime kilobytes

Select the lifetime (in kilobytes) of an IPsec security association (SA). The range is from 64 through 4294967294 kilobytes.

Establish Tunnel

Select an option to specify when IKE is activated.

  • Immediately—IKE is activated immediately after VPN configuration changes are committed.

  • On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

Advance Configuration

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.

Optimized

Enable the Optimized option. When VPN monitoring optimization is enabled, the SRX Series device only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series device considers the tunnel to be active and does not send pings to the peer.

Anti Replay

By default, Anti-Replay detection is enabled. IPsec protects against the VPN attack by using a sequence of numbers that are built into the IPsec packet—the system does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check, rather than just ignoring the sequence numbers. Disable it if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable copying of Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit