[Prev][Next][Report an Error]

Configuring IPsec Autokey Gateway —J-Web Quick Configuration (Standard VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec AutoKey.

Before You Begin

For background information, read

  • "Internet Protocol Security (IPsec)" chapter in the JUNOS Software Security Configuration Guide.

To configure an AutoKey VPN with J-Web Quick Configuration:

  1. Select Configure>IPSec VPN>IPSec Autokey.
  2. Select the Gateway tab if it is not selected.
  3. To create a new gateway click Add.
  4. Fill in the options as described in Table 150.
  5. Click one of the following buttons:

Table 150: IPsec AutoKey Configuration Options




IPsec Autokey VPN

VPN Name

Name of the IPSec tunne.l

Enter a name.

Remote gateway

Name of the remote gateway.

Select a name.

IPsec policy

Associate a policy with this IPsec tunnel.

Select a policy.

Bind to tunnel interface

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Select an interface.

Establish tunnels

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Choose an option.

Disable anti replay

Disable the anti-replay checking feature of IPsec. By default, anti-replay checking is enabled.

Click the check box.

Destination IP

IP address of the destination peer.

Enter an IP address.


Specifies that the device uses traffic patterns as evidence of peer liveliness. If enabled, ICMP requests are suppressed. This feature is disabled by default.

Click the check box.

Source interface

The source interface for ICMP requests (VPN monitoring “ hellos” ). If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Local IP/Netmask

The local IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Remote IP/Netmask

The remote IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.


The service (port and protocol combination) to protect.

Select a service.

Do not Fragment bit

Specifies how the device handles the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Idle time

The maximum amount of time to allow a security association (SA) to be idle before deleting it.

Specify a value between 60 and 999,999 seconds.

Install interval

The maximum number of seconds to allow the installation of a rekeyed outbound security association (SA) on the device.

Specify a value between 0 and 10 seconds.

[Prev][Next][Report an Error]