Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Create a Remote Access VPN—NCP Exclusive Client


The Network Control Protocol (NCP) Exclusive Remote Access Client is part of the NCP Exclusive Remote Access solution for Juniper SRX Series Gateways. The VPN client is only available with NCP Exclusive Remote Access Management. Use the NCP Exclusive Client to establish secure, IPsec-based data links from any location when connected with SRX Series Gateways.

Before You Begin

To configure a remote access NCP exclusive client:

  1. Select Configure > IPsec VPN > IPsec VPNs.

    The IPsec VPNs page is displayed.

  2. Click Create VPN > <Route Based> Remote Access NCP Exclusive Client.

    The Create Remote Access (NCP Exclusive Client) page is displayed.

  3. Complete the IPsec VPN configuration parameters according to the guidelines provided in Table 1 through Table 4.Note

    Click Local Gateway icon in the topology to configure a local gateway. Click View IKE/IPSec Settings to view or edit VPN profiles. If the VPN profile is default, you can edit the configurations. If the profile is shared, you can only view the configurations.

    The VPN connectivity will change from gray to blue line in the topology to show that the configuration is complete.

    The topology displayed is only for representation.

  4. Click Save to save the IPsec configuration.
Figure 1: Create Remote Access NCP Exclusive Client
Create Remote Access NCP Exclusive Client

Table 1: IPsec VPN Configuration Parameters




Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores; spaces are not allowed; maximum length is 62 characters.


Enter a description for the VPN; maximum length is 255 characters.

Routing Topology

Traffic Selector (Auto Route Insertion)—A traffic selector is an agreement between Internet Key Exchange (IKE) peers to permit traffic through a tunnel if the traffic matches a specified pair of local and remote addresses.

VPN Profile

Select a VPN profile from the drop-down list based on the deployment scenario.

Default profile is applicable to a particular IPsec VPN only. You can view and edit the details by clicking View IKE/IPsec settings on the Create IPsec VPN page.

Shared profile can be used by one or more IPsec VPNs. You can only view the details of the shared profiles by clicking View IKE/IPsec settings on the Create IPsec VPN page.

If you select the VPN Profile value as Default, then while saving the IPsec VPN, you’ll need to save the new profile as either VPN specific or shared. If you are saving it as shared, then the profile will be listed on the VPN Profiles page.

Authentication Method

Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages.

  • Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer.

  • RSA Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures is used.

Global Tunnel Settings

Pre-shared Key

Establish a VPN connection using preshared keys, which is essentially a password that is same for both parties.

Select the type of pre-shared key you want to use:

  • Autogenerate—Select if you want to automatically generate a unique key per tunnel. When selected, the Generate Unique key per tunnel option is automatically enabled. If you disable the Generate Unique key per tunnel option, Security Director generates a single key for all tunnels.

  • Manual—Select to enter the key manually. By default, the manual key is masked.

Note: This is applicable only if the authentication method is pre-shared-based.

Max Transmission Unit

Select the maximum transmission unit (MTU) in bytes. This defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68 to 9192 bytes. The default value is 1500 bytes.

Table 2: View or Select Devices




Select a device to add it as an endpoint.


View all devices from the current and child domains, with view parent enabled. Devices from the child domain with view parent disabled are not shown.

Select a device and add it as an endpoint.

The following filter criteria are applied for the device selection:

  • SRX Series devices mapped to Junos OS Release 12.1X46 and later Junos-es schemas are not listed.

  • Logical systems and tenant systems are not listed.

  • Routing option is not applicable.

Table 3: Local Gateway Configuration Parameters



External Interface

Select the outgoing interface for IKE security associations (SAs). This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Tunnel Zone

Select the tunnel zone. They are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre and post-encapsulated IPsec traffic.

Tunnel zones also provide great flexibility in combining tunnel interfaces with VPN tunnels.

User Authentication

Select the authentication profile from the list that will be used to authenticate a user accessing the remote access VPN.

Click Add to create a new access profile. For more information on creating a new access profile, see Creating Access Profiles.

Note: LDAP authentication is not supported in a remote VPN.

SSL VPN Profile

Select a SSL VPN profile from the list to terminate the remote access connection.

To create a new SSL VPN profile:

  1. Click Add.

    The Add SSL VPN Profile page is displayed.

  2. Enter the SSL VPN profile name.
  3. Enable Logging option to log for SSL VPN.
  4. Enter a SSL termination profile name.
  5. Select a server certificate.
  6. Click OK.

NAT Traffic

Enable this option so that all traffic from the Juniper Secure Connect client is NATed to the selected interface by default.

If disabled, you must ensure that you have a route from your network pointing to the SRX Series devices for handling the return traffic correctly.


Select a certificate to authenticate the virtual private network (VPN) initiator and recipient.

Trusted CA/Group

Select the certificate authority (CA) profile from the list to associate it with the local certificate.

This is applicable when authentication method is RSA-Signatures.

Protected Networks

Configure the addresses type for the selected device to protect one area of the network from the other.

Note: You can also create addresses by clicking Add New Address.

Table 4: View or Edit IKE or IPsec Settings



IKE Settings

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used.


Select an IKE policy mode.

  • Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

  • Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

Note: Mode is applicable when the IKE Version is V1.


Select the appropriate encryption mechanism.


Select an algorithm. The device uses this algorithm to verify the authenticity and integrity of a packet.

Deffie Hellman group

Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.


Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Dead Peer Detection

Enable to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD Mode.

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times, with a permissible range of 1 to 5.

Advance Configuration

IKEv2 Re Fragmentation Support

IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKEv2 Re-fragment Size

Select the size of the packet at which messages are fragmented. By default, the size is 576 bytes for IPv4.

Range is 570 to 1320.


Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a value. NAT keepalives are required to maintain the NAT translation during the connection between the VPN peers. Range is from 1 to 300 seconds.

IKE Connection Limit

Select the number of concurrent connections that the VPN profile supports. When the maximum number of connections is reached, no more Remote Access User (VPN) endpoints attempting to access an IPsec VPN can begin Internet Key Exchange (IKE) negotiations.

IPSec Settings

Encryption Algorithm

Select the necessary encryption method.

This is applicable if the Protocol is ESP.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.

Advance Configuration

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.


When VPN monitoring optimization is enabled, the SRX Series device only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer, through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series device considers the tunnel to be active and does not send pings to the peer.

Anti Replay

By default, Anti-Replay detection is enabled. IPsec protects against a VPN attack by using a sequence of numbers that are built into the IPsec packet—the system does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check, rather than just ignoring the sequence numbers. Disable it if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable copying of Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.

Lifetime Seconds

Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Lifetime kilobytes

Select the lifetime (in kilobytes) of an IPsec security association (SA). The range is from 64 through 4294967294 kilobytes.