About the Global Settings Page

 

You are here: Configure > Security Services > IPSec VPN > Global Settings.

You can view or add the VPN Global configuration details.

Field Descriptions

Table 1 describes the fields on the VPN global settings page.

Table 1: Fields on the VPN Global Settings Page

Field

Description

IKE Global Settings

Response Bad SPI

Select the check box if you want the device to respond to IPsec packets with invalid SPI values.

Maximum Responses

Enter the maximum number of responses to invalid SPI values per gateway, from 1 through 30. The default is 5. This option is available when Response Bad SPI is selected.

IPsec Global Settings

VPN Monitor Options

Select the check box if you want the device to monitor VPN liveness.

Interval

Enter the interval, from 1 through 36,000 seconds, at which ICMP requests are sent to the peer.

Threshold

Enter a value from 1 through 65,536 to specify the number of consecutive unsuccessful pings before the peer is declared unreachable.

Enable Key-protection

Select the check box to improve security. When key protection is enabled, persistent keys are encrypted when not in use.

Note: This option is available for the SRX300 line of devices and SRX550M devices.

Internal SA

Select the check box to configure the internal IPsec security association (SA). The internal SA provides secure login and prevents attackers from gaining privileged access through this control port.

Note: This option is available only for the SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices.

Key (24 bytes)

Enter the encryption key. You must ensure that the manual encryption key is in ASCII text and 24 characters long; otherwise, the configuration will result in a commit failure.

Note: This option is available only for the SRX5000 line of devices, SRX4100, SRX4200, SRX4600, and vSRX devices.

Click Refresh to activate the latest committed change of Internal SA configuration.

PowerMode IPSec

Select the check box to push the relevant IPSec configuration required for the device.

Note: Starting in Junos OS Release 19.1R1, PowerMode IPSec (PMI) configuration supports only SRX4100, SRX4200, SRX4600, SRX5000 line of devices with SPC3 card, and vSRX2.0 device.

Note:

  • By default, PFE service restarts automatically after the commit. The PFE service will not explicitly restart.

  • The J-Web user interface allows you to enable or disable PMI depending on the configuration required for each of the devices.

TCP-Encap

Profile Name

Displays the name for the TCP encapsulation profile.

Syslog Status

Displays if the log status is enabled or disabled.

+

To add a TCP encapsulation:

  1. Click +.

    The Add TCP encapsulation window appears.

  2. Enter the following details:

    • Profile Name—Enter a name for the TCP encapsulation profile.

    • Syslogs—Select the check box to enable logging for remote access client connections.

  3. Click OK to save the changes. Otherwise, click Cancel to discard the changes.

Edit

Select the TCP encapsulation profile that you want to edit and click the pencil icon at the upper right of the table. You can enable or disable the Syslogs option. Click OK to save the changes. Otherwise, click Cancel to discard the changes.

Delete

Select the TCP encapsulation profile that you want to delete and click the delete icon at the upper right of the table. Click OK to save the changes. Otherwise, click Cancel to discard the changes.

Search

Click the search icon and enter partial text or full text of the keyword in the search bar.

Click X next to a search keyword or click Clear All to clear the search results.

Release History Table
Release
Description
Starting in Junos OS Release 19.1R1, PowerMode IPSec (PMI) configuration supports only SRX4100, SRX4200, SRX4600, SRX5000 line of devices with SPC3 card, and vSRX2.0 device.