[Prev][Next][Report an Error]

Configuring an IPsec Autokey—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec AutoKey.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IPsec Autokey Quick Configuration Page shows the Quick Configuration page where you can select an existing policy, or click Add to create a new one.

To configure an IPsec AutoKey with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IPSec Autokey.
  2. Select the IPSec AutoKey tab if it is not selected.
  3. To modify an existing IPsec AutoKey configuration, click the appropriate link in the Name column to go to the configuration page. Or, select the policy from among those listed and click one of the following buttons:
  4. To configure a new IPsec AutoKey, click Add.
  5. Fill in the options as described in Table 205.
  6. Click one of the following buttons:

Table 205: IPsec AutoKey Configuration Options




IPsec Autokey VPN

VPN Name

Name to identify the IPsec AutoKey.

Enter a name.

Remote gateway

IKE gateway to associate with the IPsec AutoKey. An IKE gateway specifies a variety of IKE configuration options, including which IKE policy to use, how to identify endpoint computers during IKE exchanges, NAT options, dead peer detection options, and Xauth options.

Select a previously created IKE gateway.

Idle time

Maximum amount of time to allow a security association (SA) to remain idle before deleting it.

Specify a value between 60 and 999,999 seconds.

Install interval

Maximum number of seconds to allow the installation of a rekeyed outbound SA on the device.

Specify a value between 0 and 10 seconds.

IPsec policy

IPsec policy to associate with the IPsec AutoKey. An IPsec policy specifies the Diffie-Hellman group to use when generating encryption keys as well as the Phase 2 proposals to use.

Select a previously created IPsec policy.

Disable anti replay

Replay attacks occur when somebody intercepts a series of packets and uses them to flood the system or gain entry into a trusted system. Select this option to enable replay protection.

Click the check box to disable or enable. (Disabled by default.)

Use proxy identity

(Optional) Specify the IPsec proxy identity to use in IKE negotiations. The default behavior is to use the identities taken from the firewall policies.

Click the check box to disable or enable. (Disabled by default.)

Local IP/Netmask

Local IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Remote IP/Netmask

Remote IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.


Service (port and protocol combination) to protect.

Select a service.

Don't fragment bit

Specify how the device should handle the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Establish tunnels

Specify when to activate IKE:

  • immediately—Activate IKE immediately after the VPN is configured and changes are committed.
  • on-traffic—Activate IKE only when data traffic flows and must be negotiated.

Choose an option.

[Prev][Next][Report an Error]