
vpn (Security)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. Support for copy-outer-dscp added in Junos OS Release 15.1X49-D30. verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70. packet-size option added in Junos OS Release 15.1X49-D120.

Description

Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IP Security (IPsec) tunnel. IPsec is a suite of related protocols for cryptographically securing communications at the IP packet layer.

Options

vpn-name—Name of the VPN.
bind-interface—Configure the tunnel interface to which the route-based virtual private network (VPN) is bound.
copy-outer-dscp—Enable copying of the Differentiated Services Code Point (DSCP) field (outer DSCP+ECN) from the outer IP header of the encrypted packet to the inner IP header of the plaintext message on the decryption path. The benefit of enabling this feature is that after IPsec decryption, cleartext packets can follow the inner CoS (DSCP+ECN) rules.
distribution-profile—Specify a distribution profile to distribute tunnels. The distribution-profile option gives the administrator a way to select which PICs in the chassis handle the tunnels associated with a particular VPN object. If the default profiles such as default-spc3-profile or default-spc2-profile are not selected, a user-defined profile can be selected. In a profile, you specify the Flexible PIC Concentrator (FPC) slot and the PIC number. When such a profile is associated with a VPN object, all matching tunnels are distributed across those PICs.

Values:

  • default-spc2-profile—Default group for distributing tunnels on SPC2 only

  • default-spc3-profile—Default group for distributing tunnels on SPC3 only

  • distribution-profile-name—Name of the distribution profile.

df-bit—Specify how the device handles the Don't Fragment (DF) bit in the outer header.

On SRX5400, SRX5600, and SRX5800 devices, the DF-bit configuration for VPN only works if the original packet size is smaller than the st0 interface MTU, and larger than the external interface-ipsec overhead.

Values:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

establish-tunnels—Specify when IKE is activated: immediately after VPN information is configured and configuration changes are committed, or only when data traffic flows. If this option is not specified, IKE is activated only when data traffic flows.

Values:

  • immediately—IKE is activated immediately after VPN configuration changes are committed.

    Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the establish-tunnels immediately option for an IKE gateway with group-ike-id or shared-ike-id IKE user types (for example, with AutoVPN or a remote access VPN). The establish-tunnels immediately option is not appropriate for these VPNs because multiple VPN tunnels may be associated with a single VPN configuration. Committing the configuration will succeed; however, the establish-tunnels immediately configuration is ignored. The state of the tunnel interface will be up all the time, which was not the case in previous releases when the establish-tunnels immediately option was configured.

  • on-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

  • responder-only—Responds to IKE negotiations that are initiated by the peer gateway, but does not initiate IKE negotiations from the device. This option is required when another vendor’s peer gateway expects the protocol and port values in the traffic selector from the initiating gateway. The responder-only option was added in Junos OS Release 19.1R1.

  • responder-only-no-rekey—Does not establish any VPN tunnel from the device, so the VPN tunnel is initiated from the remote peer. An established tunnel does not start any rekeying from the device and relies on the remote peer to initiate rekeying. If rekeying does not occur, the tunnel is brought down after the hard lifetime expires.

ike—Define an IKE-keyed IPsec VPN.
manual—Define a manual IPsec security association (SA).
multi-sa—Negotiate multiple security associations (SAs) based on the configuration choice. The multiple SAs are negotiated with the same traffic selector on the same IKE SA.
traffic-selector—Configure local and remote IP addresses for a traffic selector.
match-direction—Direction for which the rule match is applied.

Values:

  • input—Match on input to interface

  • output—Match on output from interface

passive-mode-tunneling—Perform no active IP packet checks before IPsec encapsulation.
tunnel-mtu—Maximum transmit packet size.

Range: 256 through 9192

udp-encapsulation—(Optional) Enable multiple-path forwarding of IPsec traffic by adding a UDP header to the IPsec encapsulation of packets; the udp-dest-port substatement sets the UDP destination port used in that header. Doing this increases the throughput of IPsec traffic. If you do not enable UDP encapsulation, all IPsec traffic follows a single forwarding path rather than using the multiple available paths.

Range: 1025 through 65536. Do not use 4500.

Default: If you do not include the udp-dest-port statement, the default UDP destination port is 4565.

vpn-monitor—Configure settings for VPN monitoring.

The remaining statements are explained separately. See CLI Explorer.
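The following configuration fragment is an added example and is not taken from this reference page or from Juniper's own documentation. It shows how several of the options above combine for two route-based VPNs on one device: one that this device initiates, and one toward a third-party gateway that must initiate and supply its own traffic-selector protocol and port values. The VPN names (vpn-to-branch, vpn-from-partner), tunnel interfaces (st0.0, st0.1), gateway and policy names (gw-branch, gw-partner, ipsec-pol1), and all addresses are hypothetical; the referenced IKE gateways and IPsec policies are assumed to be configured separately under [edit security ike] and [edit security ipsec policy].

```junos
/* Added example; names, interfaces and addresses are hypothetical. */
security {
    ipsec {
        /* Site-to-site VPN that this device initiates. */
        vpn vpn-to-branch {
            /* Route-based: traffic reaches the tunnel through routes pointing at st0.0. */
            bind-interface st0.0;
            /* Copy the inner DF bit to the outer header so path MTU discovery keeps working end to end. */
            df-bit copy;
            /* After decryption, inner packets keep the CoS marking carried on the outer header. */
            copy-outer-dscp;
            /* Within the documented range of 256 through 9192. */
            tunnel-mtu 1400;
            udp-encapsulation {
                /* Any port from 1025 through 65536 except 4500; omit the statement to use the default, 4565. */
                udp-dest-port 4566;
            }
            ike {
                gateway gw-branch;
                ipsec-policy ipsec-pol1;
            }
            traffic-selector ts-lan {
                local-ip 10.1.0.0/16;
                remote-ip 10.2.0.0/16;
            }
            /* IKE starts at commit. Not suitable for group-ike-id or shared-ike-id gateways (AutoVPN, remote access), where it is ignored. */
            establish-tunnels immediately;
            vpn-monitor {
                optimized;
            }
        }
        /* VPN to a third-party gateway that expects to initiate and to set protocol and port in the traffic selector. */
        vpn vpn-from-partner {
            bind-interface st0.1;
            /* Explicit default: clear DF on the outer header so oversized outer packets can be fragmented. */
            df-bit clear;
            ike {
                gateway gw-partner;
                ipsec-policy ipsec-pol1;
            }
            /* Answer the peer's IKE negotiations only; never initiate from this device. */
            establish-tunnels responder-only;
        }
    }
}
```

The two establish-tunnels settings are the security-relevant choice here: vpn-to-branch brings IKE up at commit and keeps st0.0 up regardless of traffic, while vpn-from-partner stays passive so the peer controls negotiation and the traffic selector it sends. After committing, `show security ipsec security-associations` lists the resulting SAs per VPN name, which is the quickest way to confirm that vpn-from-partner only appears once the partner has initiated.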

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation