
Add a Gateway


To add a gateway policy:

  1. Click the add icon (+) on the upper right side of the Gateway tab of the IKE (Phase I) page.

    The Add Gateway page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Add Gateway Policy Page

Field

Action

IKE Gateway

Note: When the IKE gateway is configured for Dynamic VPN, select Host Name as the Identity Type.

Name

Enter the name of the gateway.

Policy

Enter the name of the policy you configured for Phase 1.

External Interface

Select the outgoing interface that the device uses to send traffic to the IPsec VPN. This is the interface on which the IKE SAs are established; it belongs to a zone that acts as its carrier and provides firewall security for it.

Site to Site VPN

Select the Site to Site VPN radio button.

Remote Peer IP

Enter the Remote Peer IP and click + to add it. You can select the Remote Peer IP and click the delete (X) icon to delete the IP.

Address/FQDN

Enter the IP address or fully qualified domain name (FQDN) of the peer.

Local Identity Type

Select one of the identity type options. The identity types are as follows:

  • IP Address—Enter an IP address when you select this option from the list.

  • Host Name—Enter a hostname when you select this option from the list.

  • Email Address—Enter an email address when you select this option from the list.

  • Distinguished Name—Enter the following details when you select this option:

    • Container—Enter a keyword to specify that the order of the fields in a DN and their values exactly match the configured DN.

    • Wildcard—Enter a keyword to specify that the values of fields in a DN must match but the order of the fields does not matter.

Remote Identity Type

Select one of the remote identity types from the list:

  • IP Address—Enter an IP address when you select this option from the list.

  • Host Name—Enter a hostname when you select this option from the list.

  • Email Address—Enter an email address when you select this option from the list.

  • Distinguished Name—Enter the following details when you select this option:

Remote Access VPN

Select the Remote Access VPN radio button.

Connections limit

Enter the limit on connections.

IKE user type

Select one of the IKE user types from the list:

  • group-ike-id

  • shared-ike-id

Local Identity Type

Select one of the identity types from the list:

  • IP Address—Enter an IP address when you select this option from the list.

  • Host Name—Enter a hostname when you select this option from the list.

  • Email Address—Enter an email address when you select this option from the list.

  • Distinguished Name—Enter the following details when you select this option:

Remote Identity Type

Select one of the remote identity types from the list:

  • IP Address—Enter an IP address when you select this option from the list.

  • Host Name—Enter a hostname when you select this option from the list.

  • Email Address—Enter an email address when you select this option from the list.

  • Distinguished Name—Enter the following details when you select this option:

IKE Version

Select one of the IKE versions from the list:

  • v1-only

  • v2-only

When you select v2-only, enter the following details:

  • IKE Fragmentation—Select the check box to enable IKE fragmentation. Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.

  • IKE Fragment Size—Enter the maximum size of an IKEv2 message before it is fragmented.

IKE Gateway Options

Identity Type

Specifies the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. Select one of the identity types:

  • IP Address—IPv4 IP address to identify the dynamic peer.

  • Hostname—Fully qualified domain name (FQDN) to identify the dynamic peer.

  • User at Hostname—E-mail address to identify the dynamic peer.

  • Distinguished Name—Name to identify the dynamic peer. The distinguished name appears in the subject line of the Public Key Infrastructure (PKI) certificate. For example: Organization: juniper, Organizational unit: slt, Common name: common.

Dead Peer Detection

Select the check box to enable DPD.

Note: When the IKE gateway is configured for Dynamic VPN, the Dead Peer Detection option is not required.

Always send

Select the check box for the device to send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Interval

Enter the amount of time that the device waits for traffic from its peer before sending a DPD request packet. Range: 1 through 60 seconds.

Threshold

Enter the maximum number of unsuccessful DPD requests to be sent before the peer is considered unavailable. Range: 1 through 5. Default: 5.

AAA

Select AAA from the list to provide AAA in addition to IKE authentication for remote users trying to access a VPN tunnel.

NAT-Traversal

Select the check box to enable NAT-T. NAT-T is enabled by default.

+ (TCP encapsulation)

To add a TCP encapsulation profile:

  1. Click +.

    The Add TCP encapsulation window appears.

  2. Enter the following details:

    • Profile Name—Enter a name for the TCP encapsulation profile.

    • Syslogs—Select the check box to enable logging for remote access client connections.

  3. Click OK to save the changes, or click Cancel to discard them.

NAT-keepalive

Enter the interval, in seconds, at which NAT keepalive packets can be sent. Default: 5 seconds. Range: 1 through 300 seconds.
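The fields above correspond to the Junos CLI hierarchy under `security ike gateway`. The following is an added example, not configuration from this page or from Juniper, showing a site-to-site IKE gateway with the options described above (external interface, local and remote identity, IKEv2 with fragmentation, dead peer detection, and NAT keepalive). The gateway and policy names, hostnames, interface, peer address, and fragment size are constructed values; the pre-shared key is a placeholder.

```junos
## Added example; names and addresses below are constructed, not from the page.
## Phase 1 policy referenced by the gateway (the "Policy" field).
set security ike policy ike-pol-branch1 mode main
set security ike policy ike-pol-branch1 proposal-set standard
set security ike policy ike-pol-branch1 pre-shared-key ascii-text "<REPLACE-WITH-STRONG-PSK>"

## Gateway definition (the "Name" field is gw-branch1).
set security ike gateway gw-branch1 ike-policy ike-pol-branch1
## Remote Peer IP (site-to-site): constructed documentation address.
set security ike gateway gw-branch1 address 203.0.113.10
## External Interface: the interface on which IKE SAs are established.
set security ike gateway gw-branch1 external-interface ge-0/0/0.0
## Local/Remote Identity Type = Host Name; hostnames are constructed.
set security ike gateway gw-branch1 local-identity hostname hub.example.net
set security ike gateway gw-branch1 remote-identity hostname branch1.example.net
## IKE Version = v2-only, with IKE Fragmentation enabled and a fragment size.
set security ike gateway gw-branch1 version v2-only
set security ike gateway gw-branch1 fragmentation size 1280
## Dead Peer Detection: Always send, Interval (1-60 s), Threshold (1-5).
set security ike gateway gw-branch1 dead-peer-detection always-send
set security ike gateway gw-branch1 dead-peer-detection interval 10
set security ike gateway gw-branch1 dead-peer-detection threshold 5
## NAT-Traversal is on by default; NAT-keepalive interval in seconds (1-300).
set security ike gateway gw-branch1 nat-keepalive 5
```

After committing, `show security ike security-associations` lists the Phase 1 SA for the peer once the exchange completes; if it is missing, `show security ike security-associations detail` and the IKE trace log are the first places to check that the identity types and values match what the peer sends.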