Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

IKE (Phase II) Configuration Page Options

 
  1. Select Configure>IPSec VPN>Auto Tunnel>Phase II in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.

    Or

    Select Configure>Security>IPSec VPN>VPN Tunnel II in the J-Web user interface.

    The VPN Auto Key configuration page appears.

  2. (Junos OS Release 18.3R1 and later releases) Select Configure > Security Services > IPsec VPN > IPsec (Phase II) in the J-Web user interface.

    The IKE (Phase II) configuration page appears. Table 227 explains the contents of this page.

  3. Click one:

    • Add or +—Adds a new or duplicate VPN AutoKey configuration. Enter information as specified in Table 228.

    • Edit or /—Edits a selected VPN AutoKey configuration.

    • Delete or X—Deletes the selected VPN AutoKey configuration.

  4. Click one:

    • OK—Saves the configuration and returns to the main configuration page.

    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.

    • Cancel—Cancels your entries and returns to the main configuration page.

Table 227: IKE (Phase II) Configuration Page

Field

Function

VPN

VPN name

Enter the name of the VPN to be searched.

Search

Displays the search specific to a VPN.

Name

Displays the name of the VPN.

Gateway

Displays the name of the gateway.

IPSec Policy

Displays the policy associated with this IPsec tunnel.

Bind Interface

Displays the tunnel interface to which the route-based VPN is bound.

Proxy Identity

Displays the IPsec proxy identity.

VPN Monitoring

Displays the name of the VPN monitoring option selected.

IPSec Policy

Name

Displays the name of the IPsec policy.

Description

Displays the description of the policy.

Perfect Forward Secrecy

Displays the method the device uses to generate the encryption key. PFS generates each new encryption key independent of the previous key.

Proposal

Displays the name of the proposal to be used by the IPsec policy in Phase 2.

Proposal

Name

Displays the name of the Phase 2 proposal.

Authentication Algorithm

Displays the hash algorithm that authenticates packet data.

Protocol

Displays the type of security protocol.

Encryption algorithm

Displays the IKE encryption algorithm type.

Table 228: Add VPN Configuration Details

Field

Function

Action

Add VPN

IPsec VPN

VPN Name

Specifies the name of the remote gateway.

Enter a name.

Remote Gateway

Provides association of a policy with IPsec tunnel.

Select a name.

IPsec Policy

Specifies the tunnel interface to which the route-based VPN is bound.

Select a policy.

Bind to tunnel interface

Specifies the tunnel interface to which the route-based VPN is bound.

Select an interface.

Establish tunnels

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.

  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

  • responder-only—Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to negotiation request received from the peer.

    Note:

    • The responder-only mode supports SRX5000 Series devices with SPC3 card upon installation of junos-ike package only. To install junos-ike package from J-web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

    • When responder-only mode is configured for multiple VPN objects with single gateway configuration, all VPN objects must be configured with responder-only mode only.

    • Responder-only mode is supported only for site-to-site VPN and it is not supported on AutoVPN.

  • responder-only-no-rekey—Starting in Junos OS Release 19.1R1, this option is supported. Disables rekey in the responder-only mode.

Select any of the available options.

Disable anti replay

Specifies to disable the antireplay checking feature of IPsec. By default, antireplay checking is enabled.

Select the check box.

Add St Logical Interface

Tunnel Interface st0

Specifies the logical unit number.

Enter the logical unit number.

Zone

Specifies the zones for the logical interface.

Select a zone.

Unnumbered

Disables the configuration for logical interface.

Select Unnumbered.

Numbered

Determines if the logical unit is numeric.

Select Numbered.

IPV4 Address

Displays the IPV4 address.

Note: This field is disabled if Unnumbered is selected.

Enter an IPV4 address.

IPV6 Address

Displays the IPV6 address.

Note: This field is disabled if Unnumbered is selected.

Enter an IPV6 address.

Multipoint

Multipoint

Enable to configure multipoint.

Select the check box.

St0 Interface Configuration

Automatic

Enables the configuration to automatically specify the next hop tunnel address and VPN name.

Select Automatic.

Manual

Enables the configuration to manually provide the next-hop tunnel address and VPN name. Enables the Add and Delete options.

Select Manual.

Next hop tunnel address

Specifies the next-hop tunnel address. Ensure that no two configurations have the same IP address.

Select the check box and enter the IP address.

VPN Name

Specifies the VPN name, displays a list of route-based VPNs.

Select a VPN name.

Routing Protocols

Enable routing protocols.

Enable the available routing protocols.

Select the check boxes to select protocols.

IPSec VPN Options

Enable VPN Monitor

Specifies whether to enable VPN monitor.

Select the check box.

Destination IP

Provides association of a policy with IPsec tunnel.

Enter an IP address.

Optimized

Specifies the tunnel interface to which the route-based VPN is bound.

Select the check box.

Source Interface

Specify the source interface for ICMP requests. If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Use Proxy Identity

Local IP/Netmask

Specifies the local IP address and subnet mask for proxy identity.

Enter an IP address.

Remote IP/Netmask

Specifies the remote IP address and subnet mask for proxy identity.

Enter an IP address.

Service

Specifies the service (port and protocol combination) to protect.

Select a service.

Do not fragment bit

Specifies how the device handles the DF bit in the outer header.

The options available are as follows:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Select an option from the list.

Idle Time

Specifies the maximum amount of idle time to delete an SA.

Enter the idle time. Range: 60 through 999999 seconds.

Install interval

Specifies the maximum number of seconds to allow installation of a rekeyed outbound security association (SA) on the device.

Specify a value from 0 through 10 seconds.

Add Policy

IPSec Policy

Name

Specifies the name of the remote gateway.

Enter a name.

Description

Provides a description for associating a policy with an IPsec tunnel.

Enter a text description.

Perfect Forward Secrecy

Displays the method the device uses to generate the encryption key. PFS generates each new encryption key independent of the previous key.

  • None.

  • group1—Diffie-Hellman Group 1.

  • group2—Diffie-Hellman Group 2.

  • group5—Diffie-Hellman Group 5.

  • group14—Diffie-Hellman Group 14.

  • group19—Diffie-Hellman Group 19.

  • group20—Diffie-Hellman Group 20.

  • group24—Diffie-Hellman Group 24.

  • group15—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 15 is supported.

  • group16—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 16 is supported.

  • group21—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 21 is supported.

Note: Starting in Junos OS Release 19.1R1, the new DH-Groups supports SRX5000 Series devices with SPC3 card upon installation of junos-ike package only. To install junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select a method.

Proposal

Predefined

Specifies that the anti-replay checking feature of IPsec be disabled. By default, anti-replay checking is enabled.

The options available are as follows:

  • basic

  • compatible

  • standard

  • Prime-128

  • Prime-256

  • Suiteb-gcm-128

  • Suiteb-gcm-256

Click Predefined, and select one of the option.

User defined

Specifies a list of proposals previously defined by the user.

Click User Defined, select proposals from the pop-up menu, and then click Add.

Proposal List

Specifies the available proposal list.

Select the proposals for Phase 2 from the Available Phase 2 Proposal list. Rearrange the list as required.

Add Proposal

IPsec Proposal

Name

Specifies the name of the Phase 2 proposal.

Enter a name.

Description

Provides a description of the Phase 2 proposal.

Enter a text description.

Authentication Algorithm

Specifies the hash algorithm for authenticating packet data. The available options are as follows:

  • none

  • hmac-md5-96—Produces a 128-bit digest.

  • hmac-sha1-96—Produces a 160-bit digest.

  • hmac-sha-256-128—Produces a 256-bit digest.

  • hmac-sha-512—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.

  • hmac-sha-384—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 384-bit digest.

Note: Starting in Junos OS Release 19.1R1, the new Authentication algorithm SRX5000 Series devices with SPC3 card upon installation of junos-ike package only. To install junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install.

Select an option.

Encryption Algorithm

Specifies an IKE encryption algorithm.

  • none

  • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.

  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.

  • aes-128-cbc—AES 128-bit encryption algorithm.

  • aes-192-cbc—AES 192-bit encryption algorithm.

  • aes-256-cbc—AES 256-bit encryption algorithm.

Select an option.

Lifetime Kilobytes

Specifies the lifetime, in kilobytes, of an IPsec SA. The SA is terminated when the specified number of kilobytes of traffic has passed.

Enter a value from 64 through 1,048,576 bytes.

Lifetime Seconds Protocol

Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is replaced by a new SA and SPI or is terminated.

Enter a value from 180 through 86,400 seconds.

Protocol

Specifies the networking protocol name.

The options available are as follows:

  • none

  • ah—IP Security Authentication Header

  • esp—IPsec Encapsulating Security Payload

Select a protocol from the list.

Release History Table
Release
Description
19.1R1
responder-only—Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to negotiation request received from the peer.
19.1R1
responder-only-no-rekey—Starting in Junos OS Release 19.1R1, this option is supported. Disables rekey in the responder-only mode.
19.1R1
group15—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 15 is supported.
19.1R1
group16—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 16 is supported.
19.1R1
group21—Starting in Junos OS Release 19.1R1, Diffie-Hellman Group 21 is supported.
19.1R1
hmac-sha-512—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 512-bit digest.
19.1R1
hmac-sha-384—Starting in Junos OS Release 19.1R1, this option is supported. Produces a 384-bit digest.