Configuring an IKE Gateway—Quick Configuration (Dynamic VPNs)

For background information, read:

• "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Name

Name to identify the IKE gateway.

Enter a name.

IKE Policy

IKE policy to associate with the IKE gateway. An IKE policy specifies the type of preshared key to use during Phase 1 negotiations as well as which Phase 1 proposal(s) to use.

Select a previously created IKE policy.

External Interface

Outgoing interface to use when establishing security associations (SAs). An interface acts as a doorway through which traffic enters and exits the JUNOS device.

Specify a previously created interface.

NAT Keepalive Interval

The dynamic VPN feature automatically includes support for NAT traversal (NAT-T). The NAT keepalive interval controls how often NAT keepalive packets can be sent so that NAT translation continues.

Specify a maximum interval in seconds at which NAT keepalive packets can be sent. Range: 1 through 300 seconds. Default: 5 seconds.

Local Identity

Local identity of the endpoint computer to send in the IKE exchange. You can identify the local identity in any of the following ways:

• IP Address—Use an IPv4 IP address to identify the endpoint computer.
• Hostname—Use a fully qualified domain name (FQDN) to identify the endpoint computer.
• User at Hostname—Use an e-mail address to identify the endpoint computer.

If you do not configure a local identity, the device uses the virtual IP address assigned by the Radius server during the Xauth configuration exchange.

Specify an IP address, hostname, or user-at-hostname.

Connections limit

Maximum number of concurrent connections allowed. When the maximum number of connections is reached, no more dynamic VPN endpoint users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations.

Specify the maximum number of concurrent users that can be connected to the gateway (Remote Access Server).

IKE User Hostname

Name or identifier to use when establishing the VPN tunnel. We recommend entering the fully qualified domain name to identify the dynamic peer, but you can enter any name or identifier as long as it is unique.

Specify one primary name or identifier and up to four backups.

Enable DPD

Enable dead peer detection (DPD), as outlined in RFC 3706 Dead Peer Detection.

Click the check box to disable or enable. (Disabled by default.)

Always Send

Send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Click the check box to disable or enable. (Disabled by default.)

Interval

Amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. Default: 10.

Threshold

Maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

Access Profile

Provide extended authentication (XAuth), in addition to IKE authentication, for remote users trying to access a VPN tunnel.

Note: This Access Profile option does not control authentication for users trying to download Access Manager. For client download authentication, use the Access Profile option on the Global Settings Quick Configuration page. For more information, see "Configuring Global Client Download Settings-Quick Configuration (Dynamic VPNs)".

Select a previously created access profile.