Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Add a VPN

 

You are here: VPN > IPsec (Phase II).

To add a VPN:

  1. Click the add icon (+) on the upper right side of the VPN tab of IPsec (Phase II) page.

    The Add VPN page appears.

  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. If you want to discard your changes, click Cancel.

Table 1: Fields on the Add VPN Page

Field

Action

IPsec VPN

VPN Name

Enter a name of the remote gateway.

Remote Gateway

Select a name from the list to associate a policy with IPsec tunnel.

IPsec Policy

Select a policy name from the list.

Bind to tunnel interface

Select an interface from the list for the tunnel interface to which the route-based VPN is bound.

Note: When the IPsec VPN is configured for Dynamic VPN, Bind to tunnel interface is not required.

You can add or edit a logical interface inline.

To add a logical interface inline:

  1. Click +.

    The Add logical interface st0 page appears.

  2. Enter the following details:

    • Tunnel Interface st0—Enter the logical unit number.

    • Zone—Select a zone for the logical interface.

    • Description—Enter a description for the logical interface.

    • Unnumbered—Disables the configuration for logical interface.

    • Numbered—Determines if the logical unit is numeric.

    • IPv4 Address—Displays the IPv4 address.

      Note: This field is disabled if Unnumbered is selected.

    • IPv4 Subnet Mask—Displays the subnet mask for IPv4 address.

    • IPv6 Address—Displays the IPv6 address.

      Note: This field is disabled if Unnumbered is selected.

    • IPv6 Subnet Mask—Displays the subnet mask for IPv6 address.

    • MultiPoint—Enable to configure multipoint.

    • St0 Interface Configuration—Enable this option.

      • Automatic—Enables the configuration to automatically specify the next hop tunnel address and VPN name.

      • Manual—Enables the configuration to manually provide the next-hop tunnel address and VPN name. Enables the Add and Delete options.

Establish tunnels

Select an option from the list:

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.

  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

  • responder-only—Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to negotiation request received from the peer.

    Note:

    • When responder-only mode is configured for multiple VPN objects with single gateway configuration, all VPN objects must be configured with responder-only mode only.

    • Responder-only mode is supported only for site-to-site VPN and it is not supported on AutoVPN.

  • responder-only-no-rekey—Starting in Junos OS Release 19.1R1, this option is supported. Disables rekey in the responder-only mode.

Disable anti replay

Select the check box to disable the anti replay checking feature of IPsec. By default, anti replay checking is enabled.

IPSec VPN Options

Enable VPN Monitor

Select the check box to enable VPN monitor.

When the IPSec VPN is configured for Dynamic VPN, Enable VPN monitor is not required.

Destination IP

Enter an IP address to associate a policy with IPsec tunnel.

Optimized

Select the check box for the tunnel interface to which the route-based VPN is bound.

Source Interface

Enter a source interface for ICMP requests. If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Use Proxy Identity

Local IP/Netmask

Enter a local IP address.

Remote IP/Netmask

Enter a remote IP address and subnet mask for proxy identity.

Service

Select a service (port and protocol combination) from the list.

Traffic Selector

+

Click plus to add a traffic selector.

Name

Enter a name of the Traffic Selector.

Local IP/Netmask

Enter a local IP address and subnet mask for proxy identity.

Remote IP/Netmask

Enter a remote IP address and subnet mask for proxy identity.

X

Click X to delete a traffic selector.

Do not fragment bit

Specifies how the device handles the DF bit in the outer header.

Select an option from the list:

  • clear—Clear (disable) the DF bit from the outer header. This is the default.

  • copy—Copy the DF bit to the outer header.

  • set—Set (enable) the DF bit in the outer header.

Idle Time

Enter the idle time to delete an SA. Range: 60 through 999999 seconds.

Install interval

Specify a value from 0 through 10 seconds to allow installation of a rekeyed outbound security association (SA) on the device.

Release History Table
Release
Description
responder-only—Starting in Junos OS Release 19.1R1, this option is supported. IKE is activated only when the device responds to negotiation request received from the peer.
responder-only-no-rekey—Starting in Junos OS Release 19.1R1, this option is supported. Disables rekey in the responder-only mode.