Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Create a Site-to-Site VPN

 

You are here: VPN > IPsec VPN.

To create a site-to-site VPN:

  1. Click Create VPN and select Site to Site on the upper right side of the IPsec VPN page.

    The Create Site to Site VPN page appears.

  2. Complete the configuration according to the guidelines provided in Table 1 through Table 6.

    The VPN connectivity will change from gray to blue line in the topology to show that the configuration is complete.

  3. Click Save to save the changes.

    If you want to discard your changes, click Cancel.

Table 1: Fields on the Create IPsec VPN Page

Field

Action

Name

Enter a name for the VPN.

Description

Enter a description. This description will be used for the IKE and IPsec proposals and policies. During edit, the IPsec policy description will be displayed and updated.

Routing Mode

Select the routing mode to which this VPN will be associated:

  • Traffic Selector (Auto Route Insertion)

  • Static Routing

  • Dynamic Routing – OSPF

  • Dynamic Routing – BGP

For each topology, J-Web auto generates the relevant CLIs. Traffic Selector is the default mode.

Authentication Method

Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages:

  • Certificate Based—Types of digital signatures, which are certificates that confirm the identity of the certificate holder.

    The following are the authentication methods for a certificate based:

    • rsa-signatures—Specifies that a public key algorithm, which supports encryption and digital signatures, is used.

    • dsa-signatures—Specifies that the Digital Signature Algorithm (DSA) is used.

    • ecdsa-signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

    • ecdsa-signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

    • ecdsa-signatures-521—Specifies that the ECDSA using the 521-bit elliptic curve secp521r1 is used.

      Note: ecdsa-signatures-521 supports only SRX5000 line of devices with SPC3 card and junos-ike package installed.

  • Pre-shared Key (default method)—Specifies that a preshared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. This is the default method.

Auto-create Firewall Policy

If you select Yes, a firewall policy is automatically between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address.

Another firewall policy will be created visa-versa.

If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work.

Note: If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway.

Remote Gateway

Displays the remote gateway icon in the topology. Click the icon to configure the remote gateway.

The gateway identifies the remote peer with the IPsec VPN peers and defines the appropriate parameters for that IPsec VPN.

For fields information, see Table 2.

Local Gateway

Displays the local gateway icon in the topology. Click the icon to configure the local gateway.

For fields information, see Table 4.

IKE and IPsec Settings

Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values.

For fields information, see Table 6.

Note:

  • J-Web supports only one custom IKE proposal and does not support the predefined proposal-set. Upon edit and save, J-Web deletes the predefined proposal set if configured.

  • On the remote gateway of the VPN tunnel, you must configure the same custom proposal and policy.

  • Upon edit, J-Web shows the first custom IKE and IPsec proposal when more than one custom proposal is configured.

Table 2: Fields on the Remote Gateway Page

Field

Action

Gateway is behind NAT

If enabled, the configured external IP address (IPv4 or IPv6) is referred to as the NAT device IP address.

IKE Identity

Select an option from the list to configure remote identity.

Host name

Enter a remote host name.

IPv4 Address

Enter a remote IPv4 address.

IPv6 Address

Enter a remote IPv6 address.

Key ID

Enter a Key ID.

E-mail Address

Enter an e-mail address.

External IP Address

Enter the peer IPv4 or IPv6 address. You can create one primary peer network with up to four backups.

You must enter one IPv4 or IPv6 address or you can enter up to five IP addresses separated by comma.

Protected Networks

When you select a routing mode, lists all the global address(es).

Select the addresses from the Available column and then click the right arrow to move it to the Selected column.

When the routing mode is:

  • Traffic Selector—The IP addresses will be used as remote IP in traffic selector configuration.

  • Static Routing:

    • Static route will be configured for the selected global address(es).

    • The tunnel interface (st0.x) of the local gateway will be used as the next-hop.

  • Dynamic Routing—Default value is any. You can also select specific global address(es). The selected value is configured as destination address in the firewall policy.

Add

Click +.

The Create Global Address page appears. See Table 3 for fields information.

Table 3: Fields on the Create Global Address Page

Field

Action

Name

Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

IP Type

Select IPv4 or IPv6.

IPv4

IPv4 Address—Enter a valid IPv4 address.

Subnet—Enter the subnet for IPv4 address.

IPv6

IPv6 Address—Enter a valid IPv6 address.

Subnet Prefix—Enter a subnet mask for the network range. Once entered, the value is validated.

Table 4: Fields on the Local Gateway Page

Field

Action

Gateway is behind NAT

Enable this option when the local gateway is behind a NAT device.

IKE Identity

Select an option from the list to configure local identity. When Gateway is behind NAT is enabled, you can configure an IPv4 or IPv6 address to reference the NAT device.

Host name

Enter a host name.

Note: This option is available only if Gateway is behind NAT is disabled.

IPv4 Address

Enter an IPv4 address.

IPv6 Address

Enter an IPv6 address.

Key ID

Enter a Key ID.

Note: This option is available only if Gateway is behind NAT is disabled.

E-mail Address

Enter an E-mail address.

Note: This option is available only if Gateway is behind NAT is disabled.

External Interface

Select an outgoing interface from the list for IKE negotiations.

The list contains all available IP addresses if more than one IP address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway.

Tunnel Interface

Select an interface from the list to bind it to the tunnel interface (route-based VPN).

Click Add to add a new interface. The Create Tunnel Interface page appears. See Table 5.

Router ID

Enter the routing device’s IP address.

Note: This option is available if the routing mode is Dynamic Routing - OSPF or BGP.

Area ID

Enter an area ID within the range of 0 to 4,294,967,295, where the tunnel interfaces of this VPN need to be configured.

Note: This option is available if the routing mode is Dynamic Routing - OSPF.

Tunnel Interface Passive

Enable this option to bypass traffic of the usual active IP checks.

Note: This option is available if the routing mode is Dynamic Routing - OSPF.

ASN

Enter the routing device’s AS number.

Use a number assigned to you by the NIC. Range: 1 through 4,294,967,295 (232 – 1) in plain-number format for 4-byte AS numbers.

Note: This option is available if the routing mode is Dynamic Routing - BGP.

Neighbor ID

Enter IP address of a neighboring router.

Note: This option is available if the routing mode is Dynamic Routing - BGP.

BGP Group Type

Select the type of BGP peer group from the list:

  • external—External group, which allows inter-AS BGP routing.

  • internal—Internal group, which allows intra-AS BGP routing.

Note: This option is available if the routing mode is Dynamic Routing - BGP.

Peer ASN

Enter the neighbor (peer) autonomous system (AS) number.

Note: This option is available if you choose external as BGP Group Type.

Import Policies

Select one or more routing policies from the list to routes being imported into the routing table from BGP.

Click Clear All to clear the selected polices.

Note: This option is available if the routing mode is Dynamic Routing - BGP.

Export Policies

Select one or more policies from the list to routes being exported from the routing table into BGP.

Click Clear All to clear the selected polices.

Note: This option is available if the routing mode is Dynamic Routing - BGP.

Local certificate

Select a local certificate identifier when the local device has multiple loaded certificates.

Note: This option is available if the authentication method is Certificate Based.

Click Add to generate a new certificate. Click Import to import a device certificate. For more information see Manage Device Certificates.

Trusted CA/Group

Select the certificate authority (CA) profile from list to associate it with the local certificate.

Note: This option is available if the authentication method is Certificate Based.

Click Add to add a new CA profile. For more information see Manage Trusted Certificate Authority.

Pre-shared Key

Enter the value of the preshared key. The key can be one of the following:

  • ascii-text—ASCII text key.

  • hexadecimal—Hexadecimal key.

Note: This option is available if the authentication method is Pre-shared Key.

Protected Networks

Click +. The Create Protected Networks page appears.

Create Protected Networks

Zone

Select a security zone from the list that will be used as a source zone in the firewall policy.

Global Address

Select the addresses from the Available column and then click the right arrow to move it to the Selected column.

Add

Click Add.

The Create Global Address page appears. See Table 3.

Edit

Select the protected network you want to edit and click on the pencil icon.

The Edit Global Address page appears with editable fields.

Delete

Select the protected network you want to edit and click on the delete icon.

The confirmation message pops up.

Click Yes to delete.

Table 5: Fields on the Create Tunnel Interface Page

Field

Action

Interface Unit

Enter the logical unit number.

Description

Enter a description for the logical interface.

Zone

Select a zone for the logical interface from the list to use as a source zone in the firewall policy.

Routing Instance

Select a routing instance from the list.

IPv4

Note: This option is available only if you select routing mode as Dynamic Routing - OSPF or BGP.

IPv4 Address

Enter a valid IPv4 address.

Subnet Prefix

Enter a subnet mask for the IPv4 address.

IPv6

Note: This option is available only if you select routing mode as Dynamic Routing - OSPF or BGP.

IPv6 Address

Enter a valid IPv6 address.

Subnet Prefix

Enter a subnet mask for the network range. Once entered, the value is validated.

Table 6: IKE and IPsec Settings

Field

Action

IKE Settings

IKE Version

Select the required IKE version, either v1 or v2 to negotiate dynamic security associations (SAs) for IPsec.

Default value is v2.

IKE Mode

Select the IKE policy mode from the list:

  • aggressive—Take half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

  • main—Use six messages, in three peer-to-peer exchanges, to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

Encryption Algorithm

Select the appropriate encryption mechanism from the list.

Default value is aes-256-gcm.

Authentication Algorithm

Select the authentication algorithm from the list. For example, hmac-md5-96—Produces a 128-bit digest and hmac-sha1-96—Produces a 160-bit digest.

Note: This option is available when the encryption algorithm is not gcm.

DH group

A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19.

Lifetime Seconds

Select a lifetime of an IKE security association (SA). Default: 28,800 seconds. Range: 180 through 86,400 seconds.

Dead Peer Detection

Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer.

DPD Mode

Select one of the options from the list:

  • optimized—Send probes only when there is outgoing traffic and no incoming data traffic - RFC3706 (default mode).

  • probe-idle-tunnel—Send probes same as in optimized mode and also when there is no outgoing and incoming data traffic.

  • always-send—Send probes periodically regardless of incoming and outgoing data traffic.

DPD Interval

Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds.

DPD Threshold

Select a number from 1 to 5 to set the failure DPD threshold.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times.

Advance Configuration (Optional)

General IKE ID

Enable this option to accept peer IKE ID.

IKEv2 Re-authentication

Configure the reauthentication frequency to trigger a new IKEv2 reauthentication.

IKEv2 Re-fragmentation

This option is enabled by default.

IKEv2 Re-fragment Size

Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments.

The size applies to both IPv4 and IPv6 messages. Range: 570 to 1320 bytes.

Default values are:

  • IPv4 messages—576 bytes.

  • IPv6 messages—1280 bytes.

NAT-T

Enable this option for IPsec traffic to pass through a NAT device.

NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series devices.

NAT Keep Alive

Select appropriate keepalive interval in seconds. Range: 1 to 300.

If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices.

IPsec Settings

Protocol

Select either Encapsulation Security Protocol (ESP) or Authentication Header (AH) protocol from the list to establish VPN. Default value is ESP.

Encryption Algorithm

Select the encryption method. Default value is aes-256-gcm.

Note: This option is available only for the ESP protocol.

Authentication Algorithm

Select the IPsec authentication algorithm from the list. For example, hmac-md5-96—Produces a 128-bit digest and hmac-sha1-96—Produces a 160-bit digest.

Note: This option is available when the encryption algorithm is not gcm.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19.

PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time.

Note: group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed.

Lifetime Seconds

Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds.

Lifetime Kilobytes

Select the lifetime (in kilobytes) of an IPsec SA. Default is 128kb. Range: 64 through 4294967294.

Establish Tunnel

Enable this option to establish the IPsec tunnel. IKE is activated immediately (default value) after a VPN is configured and the configuration changes are committed.

Advanced Configuration

VPN Monitor

Enable this option to use it in a destination IP address.

Note: This option is not available for Traffic Selectors routing mode.

Destination IP

Enter the destination of the Internet Control Message Protocol (ICMP) pings. The device uses the peer's gateway address by default.

Note: This option is not available for Traffic Selectors routing mode.

Optimized

Enable this option for the VPN object. If enabled, the SRX Series device only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series device considers the tunnel to be active and does not send pings to the peer.

This option is disabled by default.

Note: This option is not available for Traffic Selectors routing mode.

Source Interface

Select the source interface for ICMP requests from the list. If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Note: This option is not available for Traffic Selectors routing mode.

Verify-path

Enable this option to verify the IPsec datapath before the secure tunnel (st0) interface is activated and route(s) associated with the interface are installed in the Junos OS forwarding table.

This option is disabled by default.

Note: This option is not available for Traffic Selectors routing mode.

Destination IP

Enter the destination IP address. Original, untranslated IP address of the peer tunnel endpoint that is behind a NAT device. This IP address must not be the NAT translated IP address. This option is required if the peer tunnel endpoint is behind a NAT device. The verify-path ICMP request is sent to this IP address so that the peer can generate an ICMP response.

Note: This option is not available for Traffic Selectors routing mode.

Packet size

Enter the size of the packet that is used to verify an IPsec datapath before the st0 interface is brought up. Range: 64 to 1350 bytes. Default value is 64 bytes.

Note: This option is not available for Traffic Selectors routing mode.

Anti Replay

IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number.

This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers.

Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality.

Install Interval

Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10.

Idle Time

Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds.

DF Bit

Select how the device handles the Don't Fragment (DF) bit in the outer header:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Copy Outer DSCP

This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.