Creating VPN Profiles
Use the VPN Profiles page to configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.
You cannot modify or delete Juniper Networks Predefined VPN profiles. You can only clone them and create new profiles.
Starting in Junos Space Security Director Release 20.3, you can create a VPN profile based on a VPN topology. You can create:
Site-to-site VPN profile
Hub-and-spoke (establishment all peers) VPN profile
Hub-and-spoke (establishment by spokes) VPN profile
Hub-and-spoke Auto Discovery VPN profile
Full mesh VPN profile
Remote access (Juniper Secure Connect) profile
Remote access (NCP Exclusive Client) profile
Before You Begin
Review the VPN profiles main page for an understanding of your current data set. See VPN Profiles Main Page Fields for field descriptions.
To configure a VPN profile:
- Select Configure > IPsec VPN > Profiles.
The VPN Profiles page is displayed.
- Click Create VPN Profile and select a VPN topology
based on which you want to create a VPN profile.
The corresponding create VPN profile page is displayed.
- Complete the configuration according to the guidelines provided in Table 1 .
- Click Save.
A new VPN profile is created. You can use this object to create IPsec VPNs.
Table 1: VPN Profile Settings
Settings | Guidelines |
|---|---|
Name | Enter a unique string of alphanumeric characters, dashes and underscores; no spaces allowed; 62-character maximum. |
Description | Enter a description for the VPN profile; maximum length is 255 characters. |
| IKE Settings | |
Authentication Method | Select the required authentication method:
Note: For Remote VPN, only Pre-shared based and RSA-Signatures are supported. |
IKE Version | Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used. Note: This is not applicable for remote access VPN profiles. |
Mode | Select an IKE policy mode.
Note: Mode is applicable when the IKE Version is V1. Mode is not applicable for remote access VPN profiles. |
Encryption-algorithm | Select the appropriate encryption mechanism. |
Authentication-algorithm | Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet. |
Deffie Hellman group | Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. |
Lifetime-seconds | Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds. |
Dead Peer Detection | Enable to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment. |
DPD Mode | Select a DPD Mode.
|
DPD Interval | Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 2 to 60 seconds. |
DPD Threshold | Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times, with a permissible range of 1 to 5. |
| Advance Configuration | |
General IKE ID | Enable this option to accept peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically. Note: This is not applicable for remote access VPN profiles. |
IKEv2 Re Authentication | Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0. Range is 0 to 100. Note: This is not applicable for remote access VPN profiles. |
IKEv2 Re Fragmentation Support | IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level. This is applicable when authentication method is RSA-Signatures. |
IKEv2 Re-fragment Size | Select the size of the packet at which messages are fragmented. By default, the size is 576 bytes for IPv4. Range is 570 to 1320. This is applicable when authentication method is RSA-Signatures. |
IKE ID | Select an option:
IKE ID is applicable only when General IKE ID is disabled. Note: Only E-mail ID is applicable for remote access VPN profiles. |
NAT-T | Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device. |
Keep Alive | Select a value. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. Range is from 1 to 300 seconds. |
IKE Connection Limit | Configure the number of concurrent connections that the VPN profile supports. When the maximum number of connections is reached, no more Remote Access User (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations. Note: This is applicable only for remote access VPN profiles. |
| IPsec Settings | |
Protocol | Select the required protocol to establish the VPN.
Note: This is not applicable for remote access VPN profiles. |
Encryption Algorithm | Select the necessary encryption method. This is applicable if the Protocol is ESP. |
Authentication Algorithm | Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet. |
Perfect Forward Secrecy | Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time. |
Lifetime Seconds | Select the lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds. |
Lifetime kilobytes | Select the lifetime (in kilobytes) of an IPsec security association (SA). The range is from 64 through 4294967294 kilobytes. |
Establish Tunnel | Select an option to specify when IKE is activated.
Note: This is not applicable for remote access VPN profiles. |
| Advance Configuration | |
VPN Monitor | Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up. |
Optimized | Enable the Optimized option. When VPN monitoring optimization is enabled, the SRX Series device only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series device considers the tunnel to be active and does not send pings to the peer. |
Anti Replay | By default, Anti-Replay detection is enabled. IPsec protects against the VPN attack by using a sequence of numbers that are built into the IPsec packet—the system does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check, rather than just ignoring the sequence numbers. Disable it if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality. |
Install interval | Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device. |
Idle Time | Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received. |
DF Bit | Select an option to process the Don’t Fragment (DF) bit in IP messages.
|
Copy Outer DSCP | Enable copying of Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules. |