Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Device-Level AutoKey IKE VPN: Using VPN Configuration Overview


When you configure the VPN, you are defining the gateway the security device uses to connect to the VPN, the IKE Phase 2 proposals used by that gateway, and how you want NSM to monitor the VPN tunnel.

For route-based VPNs, you are also binding the VPN to the tunnel interface or zone that sends and receives VPN traffic to and from the device.

The following topics explain how to configure device-level autokey IKE VPN using VPN configuration:

Device-Level AutoKey IKE VPN Properties

Enter the following values as described in Table 1.

Table 1: Device-Level AutoKey IKE VPN Properties


Your Action

VPN Name

Enter a name for the VPN.

Remote Gateway

Select the gateway for the VPN.

Idle Time to Disable SA

Configure the number of minutes before a session that has no traffic automatically disables the SA.

Replay Protection

In a replay attack, an attacker intercepts a series of legitimate packets and uses them to create a denial of service (DoS) against the packet destination or to gain entry to trusted networks. If replay protection is enabled, your security devices inspect every IPsec packet to see if the packet has been received before—if packets arrive outside a specified sequence range, the security device rejects them.

IPSec Mode

Configure the mode:

  • Use tunnel mode for IPsec—Before an IP packet enters the VPN tunnel, NSM encapsulates the packet in the payload of another IP packet and attaches a new IP header. This new IP packet can be authenticated, encrypted, or both. The DSCP mark (which allows the user to configure the DSCP value for each route based VPN) supports only Tunnel IPsec mode.

  • Use transport mode for L2TP-over-IPsec—NSM does not encapsulate the IP packet, meaning that the original IP header must remain in plaintext. However, the original IP packet can be authenticated, and the payload can be encrypted.

Do not set Fragment Bit in the Outer Header

The Fragment Bit controls how the IP packet is fragmented when traveling across networks.

  • Clear—Use this option to enable IP packets to be fragmented.

  • Set—Use this option to ensure that IP packets are not fragmented.

  • Copy—Select to use the same option as specified in the internal IP header of the original packet.

ScreenOS Security Measures Using VPN Configuration

For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:

  • To use a predefined proposal set, select one of the following:

    • Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)

    • Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)

    • Standard (gs-esp-3des-sha, gs-esp-aes128-sha)

  • To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 proposals. For details on custom IKE proposals, see “ Configuring IKE Proposals” in the Network and Security Manager Administration Guide.

If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices, you should use multiple proposals to increase security and ensure compatibility.


You can bind the VPN tunnel to a tunnel interface or tunnel zone to increase the number of available interfaces in the security device. To use a tunnel interface and/or tunnel zone in your VPN, you must first create the tunnel interface or zone on the device; for details, see Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview and Configuring a Tunnel Interface.

Table 2 describes the binding methods in the device.

Table 2: Binding/ProxyID

Binding Methods



Select none when you do not want to bind the VPN tunnel to a tunnel interface or zone.

Tunnel Interface

Select a preconfigured tunnel interface on the security device to bind the VPN tunnel to the tunnel interface. The security device routes all VPN traffic through the tunnel interface to the protected resources. The user can set DSCP marking as a system for tagging traffic at a position within a hierarchy of priority.

Tunnel Zone

Select a preconfigured tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone. The tunnel zone must include one or more numbered tunnel interfaces; when the security device routes VPN traffic to the tunnel zone, the traffic uses one or more of the tunnel interfaces to reach the protected resources.

DSCP Marking

Select an option upon which the ScreenOS device overwrites the first 3 bits in the ToS byte with the IP precedence priority.

DSCP Value

Select the DSCP Value.


Select an option to define a proxy ID through either an IP address or an address name of the local and remote device.

  • IP Address — Select this option to define multiple proxy IDs using an IP address. Upon selecting this option, you must set the new IP format settings.

  • Address Book — Select this option to define multiple proxy IDs using an address book. Upon selecting this option, you must set the new address format settings.

  • Disable — Select this option to disable the proxy parameter settings.

Proxy ID Check

Select this option to enable the proxy-ID check on a route-based VPN. From ScreenOS 6.3, proxy ID check supports IPv6.

You can also enable proxy and configure the proxy parameters. When multiple tunnels exist between peers, the security device cannot use the route to direct the traffic through a particular tunnel. In such cases, the security device uses multiple proxy IDs to direct the traffic. You can use either an IP address or an address name of the local and remote device to define a proxy ID.

Monitor Management on ScreenOS Devices Using AutoKey IKE VPN

You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Select the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel as described in Table 3.

Table 3: Monitor

VPN Monitor Status


VPN Monitor

When enabled, the device sends ICMP echo requests (pings) through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity (the device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination address). If the ping activity indicates that the VPN monitoring status has changed, the device triggers an SNMP trap; VPN Monitor (in RealTime Monitor) tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status. From ScreenOS 6.3, VPN monitor supports IPv6.


When enabled, the device regenerates the IKE key after a failed VPN tunnel attempts to reestablish itself. When disabled, the device monitors the tunnel only when the VPN passes user-generated traffic (instead of using device-generated ICMP echo requests). Use the rekey option to:

  • Keep the VPN tunnel up even when traffic is not passing through

  • Monitor devices at the remote site.

  • Enable dynamic routing protocols to learn routes at a remote site and transmit messages through the tunnel.

  • Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface.


This option appears only for devices running ScreenOS 5.x. When enabled, the device optimizes its VPN monitoring behavior as follows:

  • Considers incoming traffic in the VPN tunnel as ICMP echo replies. This reduces false alarms that might occur when traffic through the tunnel is heavy and the echo replies cannot get through.

  • Suppresses VPN monitoring pings when the tunnel passes both incoming and outgoing traffic. This can help reduce network traffic.

Source Interface and Destination IP

These options configure VPN monitoring when the other end of the VPN tunnel is not a security device. Specify the source and destination IP addresses.