[Prev][Next][Report an Error]

Configuring Auto Tunnel in J-Web (Standard VPN)

Use the following procedure to configure the Auto Tunnel in J-Web.

Before You Begin

For background information, read

  • "Internet Protocol Security (IPsec)" chapter in the JUNOS Software Security Configuration Guide.

To access the Auto Tunnel using J-Web:

  1. In the J-Web user interface, select Configure>Auto Tunnel.The details of the display page are provided inTable 166 and Table 167.
  2. Auto Tunnel options have the following suboptions:
  3. Click one of the following:

Table 170: : Display page for Auto Tunnel – Phase 1

Field

Function

Gateway

Gateway Name

Name of the gateway to be searched.

Search

Text box for searching a gateway.

Name

Name of the destination peer gateway, specified as an alphanumeric string.

External Interface

Name of the interface to be used to send traffic to the IPsec VPN.

Remote Identity

Provides information about remote peer.

IKE Policy

Name

Name of the policy.

Description

Description of the policy.

Mode

There are two modes:

  • Main mode has three two-way exchanges between the initiator and receiver. It is secure and preferred in the Auto Tunnel
  • Aggressive mode is faster than main mode. It is less secure and used mostly for dial-up VPN.

Authentication Method

Authentication Method configured.

Proposal

Name of the proposal configured to be used by this policy in phase 1

Proposal

Name

Name of the proposal selected.

Authentication Algorithm

Hash algorithm configured or selected.

Authentication Method

Authentication method selected.

Encryption Algorithm

Supported Internet Key Exchange (IKE) proposals.

Table 171: Display page for Auto Tunnel – Phase 2

Field

Function

VPN name

Name of the VPN to be searched.

Search

Radio button to search a specific VPN listed.

Name

Name of the VPN.

Gateway

Name of the gateway.

IPSec Policy

Associate a policy with this IPsec tunnel.

Bind Interface

The tunnel interface to which the route-based VPN is bound.

Proxy Identity

The IPsec proxy identity.

VPN Monitoring

Name of the VPN monitoring option selected.

IPSec Policy

Name

Name of the IPsec policy.

Description

Description of the policy.

Perfect Forward Secrecy

The method the device uses to generate the encryption key. PFS generates each new encryption key independently from the previous key.

  • group1—Diffie-Hellman Group 1.
  • group2—Diffie-Hellman Group 2.
  • group5—Diffie-Hellman Group 5.

Proposal

Name of the proposal to be used by IPsec policy in Phase 2.

Proposal

Name

Description of the Phase 2 proposal.

Authentication Algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • Hmac-sha1-96—Produces a 160-bit digest

Protocol

The type of security protocol.

Encryption algorithm

Configures an IKE encryption algorithm.

  • des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.

Table 172: Phase 1(VPN Configuration) Add Options

Field

Function

Action

Gateway>IKE Gateway

Name

Name of the gateway

Enter the name of the gateway.

Policy

Enter the name of policy you configured for Phase 1.

External Interface

Name of the interface to be used to send traffic to the IPsec VPN.

Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Site to Site Tunnel

Configuration for VPN is of type site to site.

Click the radio button labeled Site to Site.

Address/FQDN

Address or fully qualified domain name (FQDN) of the peer.

Provide information about the peer IP or domain name

Local ID

Identify Type

There are four identify types:

  • IP Address
  • Host Name
  • Email Address
  • Distinguished Name

Select one of the identity type options.

Client Tunnel

The remote access dynamic VPN.

GatewayI>KE Gateway Options

Local Identity

The local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. You can identify the local identity in any of the following ways:

  • IP Address—IPv4 IP address to identify the dynamic peer.
  • Hostname—Fully qualified domain name (FQDN) to identify the dynamic peer.
  • User at Hostname—E-mail address to identify the dynamic peer.
  • Distinguished Name—Name to identify the dynamic peer. The distinguished name appears in the subject line of the Public Key Infrastructure (PKI) certificate. For example: Organization: juniper, Organizational unit: slt, Common name: common.

Specify an IP address, hostname, user-at-hostname, or distinguished name.

Dead Peer Detection

Always send

Instructs the device to send dead peer detection (DPD) requests regardless of whether there is outgoing IPsec traffic to the peer.

Click the check box.

Interval

The amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds.

Threshold

The maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Provides extended authentication (XAuth) in addition to IKE authentication for remote users trying to access a VPN tunnel.

Enter extended authentication (XAuth).

NAT-Traversal

Network Address Translation Traversal (NAT-T). NAT-T is enabled by default.

Click the check box to disable or enable.

IKE Policy >IKE Policy

Name

Name of the IKE Policy.

Enter the policy.

Description

Description of the policy.

Enter the description of the policy.

Mode

Select a mode.

Use Main or Aggressive mode.

Proposal

Predefined

Use one of the following types of predefined Phase 1 proposals:

  • Basic
  • Compatible
  • Standard

Click Predefined and select a proposal type.

User defined

Use a user-defined Phase 1 Proposal.

Click User Defined, select a proposal from the pop-up menu, and click Add.

Proposal List

Specfies one or more proposals that can be used during key negotiation:

  • Available P1 proposal
  • Selected P1 proposal

Click the Predefined Proposal radio button to select proposals preconfigured by JUNOS Software.

Select User Defined Proposal if you want to use proposals that you have created.

IKE Policy >IKE Policy Options

Radio Buttons

Select the preshared key of use of certificate for the VPN.

If a preshared key is selected, then configure the appropriate key in the form of ASCII text or hexadecimal.

Local Certificate

Use a particular certificate when the local device has multiple loaded certificates.

Enter a local certificate identifier.

Peer Certificate Type

Use a preferred type of certificate (PKCS7 or X509).

Select a certificate type.

Trusted CA

Name

Name of the proposal.

Enter the name of the proposal.

Authentication Algorithm

The Authentication Header (AH) algorithm the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

Select a hash algorithm.

Authentication Method

The method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. Options include:

  • pre-shared-keys—Key for encryption and decryption that both participants must have before beginning tunnel negotiations.
  • rsa-key—Kinds of digital signatures, which are certificates that confirm the identity of the certificate holder.

Select an authentication method.

Description

Easy identification of the proposal.

Enter a brief description of the IKE proposal.

DH Group

The Diffie-Hellman exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption Algorithm

Supported Internet Key Exchange (IKE) proposals include the following:

  • 3des-cbc—3DES-CBC encryption algorithm.
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm.

Lifetime seconds

The lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds.

Table 173: Phase 2 (IPsec Autokey Configuration) Add Options

Field

Function

Action

Gateway>IPsec VPN

VPN Name

Name of the remote gateway.

Enter a name.

Remote Gateway

Associates a policy with this IPsec tunnel.

Select a name.

IPsec Policy

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Select a policy.

Bind to tunnel interface

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Select an interface.

Establish tunnels

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Choose an option.

Disable anti replay

Disable the anti-replay checking feature of IPsec. By default, anti-replay checking is enabled.

Click the check box.

Gateway > IPsec VPN Options

Enable VPN Monitor

Destination IP

Associates a policy with this IPsec tunnel.

Enter an IP address.

Optimized

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Click the check box.

Source Interface

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Specify a source interface.

Use Proxy Identity

Remote IP/Netmask

The remote IP address and subnet mask for proxy identity.

Enter an IP address and

Service

The service (port and protocol combination) to protect.

Select a service.

Do not fragment bit

Specifies how the device handles the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Install interval

The maximum number of seconds to allow installation of a rekeyed outbound security association (SA) on the device.

Specify a value between 0 and 10 seconds.

IPsec Policy >IPsec Policy

Name

Name of the remote gateway.

Enter a name.

Description

Associates a policy with this IPsec tunnel.

Enter a text description.

Perfect Forward Secrecy

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Select a method.

Proposal

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and configuration changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Predefined

Disable the anti-replay checking feature of IPsec. By default, anti-replay checking is enabled.

Click Predefined, and select one of the following options:

  • basic
  • predefined
  • standard

User defined

A list of proposals you previously defined.

Click User Defined , select proposals from the pop-up menu, and then click Add.

Proposal List

Available Proposal List are:

  • Available P2 Proposal
  • Selected P2 Proposal

Proposal > IPsec Proposal

Name

Name of the Phase 2 proposal.

Enter a name.

Description

Description of the Phase 2 proposal.

Enter a text description.

Authentication Algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm.

Encryption Algorithm

Configures an IKE encryption algorithm.

  • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.

Select an encryption algorithm.

Lifetime Kilobytes

The lifetime (in kilobytes) of an IPsec security association (SA). The SA is terminated when the specified number of kilobytes of traffic has passed.

Enter a value from 64 through 1,048,576 bytes.

Lifetime Seconds Protocol

The lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Enter a value from 180 through 86,400 seconds.
[Prev][Next][Report an Error]

Copyright © 2010, Juniper Networks, Inc. All rights reserved. Trademark Notice.