[Prev][Next][Report an Error]

Configuring an IKE Gateway—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Gateway.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Figure 28 shows the Quick Configuration page where you can select an existing gateway, or click Add to create a new one.

Figure 28: IKE Gateway Quick Configuration Page – Adding a Gateway

IKE Gateway
Quick Configuration Page – Adding a Gateway

Figure 29 shows the Quick Configuration page where you create a new IKE gateway.

Figure 29: IKE Gateway Quick Configuration Page – Configuring a Gateway

IKE Gateway Quick
Configuration Page – Configuring a Gateway

To configure an IKE gateway with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the IKE Gateway tab if it is not selected.
  3. To modify an existing IKE gateway, click the appropriate link in the Name column to go to the gateway’s configuration page. Or, select the gateway from among those listed and click one of the following buttons:

    Note: The list of IKE gateways displayed on this page includes both standard VPN gateways and dynamic VPN gateways.

  4. To configure a new IKE gateway, click Add.
  5. Fill in the options as described in Table 166.
  6. Click one of the following buttons:

Table 166: IKE Gateway Options

Field

Function

Action

IKE Gateway

Name

Name to identify the IKE gateway.

Enter a name.

IKE Policy

IKE policy to associate with the IKE gateway. An IKE policy specifies the type of preshared key to use during Phase 1 negotiations as well as which Phase 1 proposal(s) to use.

Select a previously created IKE policy.

External Interface

Outgoing interface to use when establishing security associations (SAs). An interface acts as a doorway through which traffic enters and exits the JUNOS device.

Specify a previously created interface.

NAT Keepalive Interval

The dynamic VPN feature automatically includes support for NAT traversal (NAT-T). The NAT keepalive interval controls how often NAT keepalive packets can be sent so that NAT translation continues.

Specify a maximum interval in seconds at which NAT keepalive packets can be sent. Range: 1 through 300 seconds. Default: 5 seconds.

Local Identity

Local identity of the endpoint computer to send in the IKE exchange. You can identify the local identity in any of the following ways:

  • IP Address—Use an IPv4 IP address to identify the endpoint computer.
  • Hostname—Use a fully qualified domain name (FQDN) to identify the endpoint computer.
  • User at Hostname—Use an e-mail address to identify the endpoint computer.

If you do not configure a local identity, the device uses the virtual IP address assigned by the Radius server during the Xauth configuration exchange.

Specify an IP address, hostname, or user-at-hostname.

Dynamic Remote Identifier

Connections limit

Maximum number of concurrent connections allowed. When the maximum number of connections is reached, no more dynamic VPN endpoint users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations.

Specify the maximum number of concurrent users that can be connected to the gateway (Remote Access Server).

IKE User Hostname

Name or identifier to use when establishing the VPN tunnel. We recommend entering the fully qualified domain name to identify the dynamic peer, but you can enter any name or identifier as long as it is unique.

Specify one primary name or identifier and up to four backups.

Dead Peer Detection

Enable DPD

Enable dead peer detection (DPD), as outlined in RFC 3706 Dead Peer Detection.

Click the check box to disable or enable. (Disabled by default.)

Always Send

Send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Click the check box to disable or enable. (Disabled by default.)

Interval

Amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. Default: 10.

Threshold

Maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Access Profile

Provide extended authentication (XAuth), in addition to IKE authentication, for remote users trying to access a VPN tunnel.

Note: This Access Profile option does not control authentication for users trying to download Access Manager. For client download authentication, use the Access Profile option on the Global Settings Quick Configuration page. For more information, see "Configuring Global Client Download Settings-Quick Configuration (Dynamic VPNs)".

Select a previously created access profile.


[Prev][Next][Report an Error]