IPSec VPN

Configuring IPSec VPN Global Settings in J-Web (Standard VPNs)

You can use J-Web Configuration to quickly configure VPN global settings.

Before You Begin

For background information, read

  • "Internet Protocol Security (IPsec)" chapter in the Junos OS Security Configuration Guide.

To access IPsec VPN using J-Web:

  1. Select Configure>IPSec VPN>Global Settings.

    The details of the pane are described in Table 56.

  2. Click one:
    • To apply changes to the configuration, click Save.
    • To reset the configuration without saving changes, click Reset.

Table 56: VPN Global Configuration Options

Field

Function

Action

IKE Global Settings

Response Bad SPI

Enable responses to IPsec packets that carry an invalid Security Parameter Index (SPI). If the SAs between two peers of an IPsec VPN become unsynchronized, the response lets the device reset the state of a peer so that the two peers are synchronized again. Because a packet with a bad SPI is not authenticated, the Maximum Responses limit caps how many such responses the device sends per gateway.

Click the check box if you want the device to respond to IPsec packets with bad SPI values.

Maximum Responses

Number of times to respond to invalid SPI values per gateway.

Enter a value from 1 through 30. The default is 5. Responses are sent only when Response Bad SPI is enabled; it is disabled by default.

IPsec Global Settings

VPN Monitor Options

Configure VPN monitoring options.

Click the check box if you want the device to monitor VPN liveness.

Interval

Interval at which to send ICMP requests to the peer.

Enter a value from 1 through 36,000 seconds.

Threshold

The number of consecutive unsuccessful pings before the peer is declared unreachable.

Enter a value from 1 through 65,536.

Configuring Auto Tunnel in J-Web (Standard VPN)

Use the following procedure to configure the Auto Tunnel in J-Web.

Before You Begin

For background information, read

  • "Internet Protocol Security (IPsec)" chapter in the Junos OS Security Configuration Guide.

To access the Auto Tunnel using J-Web:

  1. In the J-Web user interface, select Configure>Auto Tunnel. The details of the display page are provided in Table 57 and Table 58.
  2. Auto Tunnel options have the following suboptions:
    • Select Configure>Phase 1
    • Select Configure>Phase 2
  3. Click one of the following:
    • Add—Adds a new Gateway. Enter information as specified in Table 59 and Table 60, for Phase 1 and Phase 2, respectively.
    • Edit—Modifies a selected Gateway.
    • Delete— Deletes a selected Gateway.

Table 57: Display page for Auto Tunnel – Phase 1

Field

Function

Gateway

Gateway Name

Name of the gateway to be searched.

Search

Text box for searching a gateway.

Name

Name of the destination peer gateway, specified as an alphanumeric string.

External Interface

Name of the interface to be used to send traffic to the IPsec VPN.

Remote Identity

Provides information about remote peer.

IKE Policy

Name

Name of the policy.

Description

Description of the policy.

Mode

There are two modes:

  • Main mode has three two-way exchanges (six messages) between the initiator and responder and protects the peer identities. It is the secure choice and the preferred mode for a site-to-site Auto Tunnel.
  • Aggressive mode completes in three messages and is therefore faster, but it sends the peer identities unencrypted and exposes the preshared-key-derived hash to offline guessing. It is used mostly for dial-up VPN, where the peer address is not fixed, and should be combined with a strong preshared key.

Authentication Method

Authentication Method configured.

Proposal

Name of the proposal configured to be used by this policy in phase 1

Proposal

Name

Name of the proposal selected.

Authentication Algorithm

Hash algorithm configured or selected.

Authentication Method

Authentication method selected.

Encryption Algorithm

Encryption algorithm configured for the proposal.

Table 58: Display page for Auto Tunnel – Phase 2

Field

Function

VPN name

Name of the VPN to be searched.

Search

Radio button that selects a VPN in the list.

Name

Name of the VPN.

Gateway

Name of the gateway.

IPSec Policy

IPsec policy associated with this tunnel.

Bind Interface

The tunnel interface to which the route-based VPN is bound.

Proxy Identity

The IPsec proxy identity.

VPN Monitoring

Name of the VPN monitoring option selected.

IPSec Policy

Name

Name of the IPsec policy.

Description

Description of the policy.

Perfect Forward Secrecy

Perfect forward secrecy (PFS) performs a fresh Diffie-Hellman exchange for each Phase 2 negotiation, so every new IPsec key is derived independently of the Phase 1 keys and of earlier Phase 2 keys; compromising one key does not expose the others. The group selects the Diffie-Hellman modulus:

  • group1—Diffie-Hellman Group 1 (768-bit MODP).
  • group2—Diffie-Hellman Group 2 (1024-bit MODP).
  • group5—Diffie-Hellman Group 5 (1536-bit MODP).

Note: Group 1 and Group 2 are too small to resist a well-resourced attacker; choose the largest group both peers support.

Proposal

Name of the proposal to be used by IPsec policy in Phase 2.

Proposal

Name

Name of the Phase 2 proposal.

Authentication Algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Protocol

The type of security protocol.

Encryption algorithm

Encryption algorithm used by the IPsec (ESP) proposal.

  • 3des-cbc—Triple DES in CBC mode; 8-byte block, 192-bit key (168 bits effective).
  • des-cbc—DES in CBC mode; 8-byte block, 64-bit key (56 bits effective).
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.

Table 59: Phase 1 (VPN Configuration) Add Options

Field

Function

Action

Gateway>IKE Gateway

Name

Name of the gateway

Enter the name of the gateway.

Policy

Enter the name of the IKE policy you configured for Phase 1.

External Interface

Name of the interface to be used to send traffic to the IPsec VPN.

Specify the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Site to Site Tunnel

Configuration for VPN is of type site to site.

Click the radio button labeled Site to Site.

Address/FQDN

Address or fully qualified domain name (FQDN) of the peer.

Enter the peer's IP address or fully qualified domain name.

Local ID

Identity Type

There are four identity types:

  • IP Address
  • Host Name
  • Email Address
  • Distinguished Name

Select one of the identity type options.

Client Tunnel

The remote access dynamic VPN.

Gateway > IKE Gateway Options

Local Identity

The local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. You can identify the local identity in any of the following ways:

  • IP Address—IPv4 address that identifies the local device to the peer.
  • Hostname—Fully qualified domain name (FQDN) that identifies the local device to the peer.
  • User at Hostname—E-mail address that identifies the local device to the peer.
  • Distinguished Name—Name that identifies the local device to the peer. The distinguished name appears in the subject of the Public Key Infrastructure (PKI) certificate. For example: Organization: juniper, Organizational unit: slt, Common name: common.

Specify an IP address, hostname, user-at-hostname, or distinguished name.

Dead Peer Detection

Always send

Instructs the device to send dead peer detection (DPD) requests regardless of whether there is outgoing IPsec traffic to the peer.

Click the check box.

Interval

The amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds.

Threshold

The maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Provides extended authentication (XAuth) in addition to IKE authentication for remote users trying to access a VPN tunnel.

Click the check box to enable XAuth.

NAT-Traversal

Network Address Translation Traversal (NAT-T). NAT-T is enabled by default.

Click the check box to disable or enable.

IKE Policy >IKE Policy

Name

Name of the IKE Policy.

Enter the policy name.

Description

Description of the policy.

Enter the description of the policy.

Mode

Select a mode.

Use Main or Aggressive mode.

Proposal

Predefined

Use one of the following types of predefined Phase 1 proposals:

  • Basic
  • Compatible
  • Standard

Click Predefined and select a proposal type.

User defined

Use a user-defined Phase 1 Proposal.

Click User Defined, select a proposal from the pop-up menu, and click Add.

Proposal List

Specifies one or more proposals that can be used during key negotiation:

  • Available P1 proposal
  • Selected P1 proposal

Click the Predefined Proposal radio button to select proposals preconfigured by JUNOS Software.

Select User Defined Proposal if you want to use proposals that you have created.

IKE Policy >IKE Policy Options

Radio Buttons

Select whether the VPN authenticates with a preshared key or with a certificate.

If a preshared key is selected, then configure the appropriate key in the form of ASCII text or hexadecimal.

Local Certificate

Use a particular certificate when the local device has multiple loaded certificates.

Enter a local certificate identifier.

Peer Certificate Type

Use a preferred type of certificate (PKCS #7 or X.509).

Select a certificate type.

Trusted CA

Trusted certificate authority (CA) profile used to validate the peer's certificate.

Select a trusted CA.

Proposal > IKE Proposal

Name

Name of the proposal.

Enter the name of the proposal.

Authentication Algorithm

The hash algorithm the device uses to authenticate and integrity-protect IKE (Phase 1) messages. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

Select a hash algorithm.

Authentication Method

The method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. Options include:

  • pre-shared-keys—A secret that both peers must share before negotiation begins; IKE uses it to authenticate the peers and to seed the derivation of the session keys.
  • rsa-key—RSA digital signatures, backed by certificates that confirm the identity of the certificate holder.

Select an authentication method.

Description

Easy identification of the proposal.

Enter a brief description of the IKE proposal.

DH Group

The Diffie-Hellman exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption Algorithm

Supported Internet Key Exchange (IKE) encryption algorithms include the following:

  • 3des-cbc—3DES-CBC encryption algorithm.
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Note: des-cbc provides only 56 bits of effective key strength and 3des-cbc is slow and deprecated; select an AES algorithm unless the peer cannot support one.

Select an encryption algorithm.

Lifetime seconds

The lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds.

Table 60: Phase 2 (IPsec Autokey Configuration) Add Options

Field

Function

Action

Gateway>IPsec VPN

VPN Name

Name that identifies this IPsec VPN.

Enter a name.

Remote Gateway

IKE gateway (Phase 1) to associate with this IPsec VPN.

Select a name.

IPsec Policy

IPsec policy (Phase 2) to associate with this IPsec VPN.

Select a policy.

Bind to tunnel interface

The secure tunnel (st0) interface to which the route-based VPN is bound.

Select an interface.

Establish tunnels

Specifies when IKE is activated.

  • immediately—IKE is activated immediately after VPN configuration and changes are committed.
  • on-traffic—IKE is activated only when data traffic flows and must be negotiated.

Choose an option.

Disable anti replay

Disable the anti-replay checking feature of IPsec. By default, anti-replay checking is enabled.

Click the check box.

Gateway > IPsec VPN Options

Enable VPN Monitor

Destination IP

IP address of the destination peer to which VPN-monitoring ICMP requests are sent.

Enter an IP address.

Optimized

Specifies that the device uses traffic patterns as evidence of peer liveness. If enabled, ICMP requests are suppressed while traffic is flowing. This feature is disabled by default.

Click the check box.

Source Interface

The source interface for VPN-monitoring ICMP requests. If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Use Proxy Identity

Local IP/Netmask

The local IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Remote IP/Netmask

The remote IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Service

The service (port and protocol combination) to protect.

Select a service.

Do not fragment bit

Specifies how the device handles the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Install interval

The maximum number of seconds to allow installation of a rekeyed outbound security association (SA) on the device.

Specify a value between 0 and 10 seconds.

IPsec Policy >IPsec Policy

Name

Name of the IPsec policy.

Enter a name.

Description

Description of the policy.

Enter a text description.

Perfect Forward Secrecy

Perfect forward secrecy (PFS) method: the Diffie-Hellman group (group1, group2, or group5) used to derive each new Phase 2 key independently of earlier keys.

Select a method.

Proposal

Phase 2 proposals used by this IPsec policy.

Predefined

Use one of the predefined Phase 2 proposal sets.

Click Predefined, and select one of the following options:

  • basic
  • compatible
  • standard

User defined

A list of proposals you previously defined.

Click User Defined, select proposals from the pop-up menu, and then click Add.

Proposal List

The proposal list shows:

  • Available P2 Proposal
  • Selected P2 Proposal

Proposal > IPsec Proposal

Name

Name of the Phase 2 proposal.

Enter a name.

Description

Description of the Phase 2 proposal.

Enter a text description.

Authentication Algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm.

Encryption Algorithm

Encryption algorithm used by the IPsec (ESP) proposal.

  • 3des-cbc—Triple DES in CBC mode; 8-byte block, 192-bit key (168 bits effective).
  • des-cbc—DES in CBC mode; 8-byte block, 64-bit key (56 bits effective).
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.

Select an encryption algorithm.

Lifetime Kilobytes

The lifetime (in kilobytes) of an IPsec security association (SA). The SA is terminated when the specified number of kilobytes of traffic has passed.

Enter a value from 64 through 1,048,576 kilobytes.

Lifetime Seconds

The lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated.

Enter a value from 180 through 86,400 seconds.
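The Phase 1 and Phase 2 options in Tables 59 and 60 correspond to Junos `set security ike ...` and `set security ipsec ...` statements, and a reviewer usually meets them in that form. The following Python script is an added example, not part of this guide or of Juniper's software. It embeds two constructed configurations, one that makes the weak choices the tables still allow (des-cbc, md5, group2, aggressive mode, no PFS, anti-replay off, no DPD or VPN monitoring) and one hardened equivalent, and audits them for those choices plus the rule stated above that all proposals in one IKE policy must share a Diffie-Hellman group. The object names, interface, peer address, preshared key text and the availability of dh-group group14 on the target release are assumptions.

```python
# Added example (not from the J-Web guide or Juniper): audit a Junos IPsec VPN configuration in
# "set" form for weak Phase 1 / Phase 2 choices. Names, addresses, PSK text and group14 are assumed.
from collections import defaultdict

WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}   # 56-bit / 112-bit effective strength
WEAK_HASH = {"md5", "hmac-md5-96"}
WEAK_DH = {"group1", "group2"}              # 768-bit / 1024-bit MODP

# Constructed sample: the tunnel Tables 59 and 60 produce if every weak option is taken.
WEAK_CONFIG = """
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm md5
set security ike proposal ike-prop encryption-algorithm des-cbc
set security ike proposal ike-prop2 dh-group group5
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol proposals ike-prop2
set security ike gateway gw-branch ike-policy ike-pol
set security ipsec proposal ipsec-prop authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike no-anti-replay
"""
# Constructed sample: the same route-based tunnel with hardened choices.
HARDENED_CONFIG = """
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway gw-branch ike-policy ike-pol
set security ike gateway gw-branch dead-peer-detection interval 10
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-branch vpn-monitor destination-ip 10.2.0.1
"""

def parse(config):
    """Group 'set security <family> <kind> [<name>] ...' lines by object; values are token tails."""
    objects = defaultdict(list)
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["set", "security"] or len(tokens) < 5:
            continue
        family, kind = tokens[2], tokens[3]
        if kind in ("vpn-monitor-options", "respond-bad-spi"):   # unnamed global settings
            objects[(family, kind, "")].append(tokens[4:])
        else:
            objects[(family, kind, tokens[4])].append(tokens[5:])
    return objects

def value(tails, *path):
    """Token that follows `path` in any tail of the object, or None if the path is absent."""
    hits = [t[len(path)] for t in tails if t[:len(path)] == list(path) and len(t) > len(path)]
    return hits[0] if hits else None

def has(tails, *path):
    return any(t[:len(path)] == list(path) for t in tails)

def audit(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    objs, findings = parse(config), []
    for (family, kind, name), tails in objs.items():
        where = f"{family} {kind} {name}"
        if kind == "proposal":   # both IKE (Phase 1) and IPsec (Phase 2) proposals
            for key, weak, label in (("encryption-algorithm", WEAK_ENCRYPTION, "encryption"),
                                     ("authentication-algorithm", WEAK_HASH, "authentication"),
                                     ("dh-group", WEAK_DH, "Diffie-Hellman")):
                if value(tails, key) in weak:
                    findings.append(f"{where}: weak {label} {value(tails, key)}")
        elif (family, kind) == ("ike", "policy"):
            if value(tails, "mode") == "aggressive":
                findings.append(f"{where}: aggressive mode sends identities in the clear and exposes the PSK hash")
            groups = {g for g in (value(objs.get(("ike", "proposal", t[1]), []), "dh-group")
                                  for t in tails if len(t) > 1 and t[0] == "proposals") if g}
            if len(groups) > 1:   # every proposal in one IKE policy must use the same DH group
                findings.append(f"{where}: proposals use different DH groups {sorted(groups)}")
        elif (family, kind) == ("ipsec", "policy"):
            pfs = value(tails, "perfect-forward-secrecy", "keys")
            if pfs is None:
                findings.append(f"{where}: perfect forward secrecy not enabled")
            elif pfs in WEAK_DH:
                findings.append(f"{where}: weak PFS group {pfs}")
        elif (family, kind) == ("ike", "gateway") and not has(tails, "dead-peer-detection"):
            findings.append(f"{where}: dead peer detection not configured")
        elif (family, kind) == ("ipsec", "vpn"):
            if has(tails, "ike", "no-anti-replay"):
                findings.append(f"{where}: anti-replay protection disabled")
            if not has(tails, "vpn-monitor"):
                findings.append(f"{where}: VPN monitoring not enabled")
    return findings
```

Call `audit()` on either sample, or on the output of `show configuration security | display set` from a device, to review a live tunnel; statements outside the ike and ipsec hierarchies are parsed but ignored. The same checks apply to the dynamic VPN IKE and IPsec tables later in this guide, which expose the same proposal and policy options.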

Configuring the Manual Tunnel using J-Web

Use the following procedure to configure a manual tunnel (an IPsec SA whose SPI and keys are configured statically, with no IKE negotiation) in J-Web.

To access Manual Tunnel using J-Web:

  1. In the J-Web user interface, select Configure>Manual Tunnel. The details of the display page are as shown in Table 61.
  2. Click one of the following:
    • Add—Adds a manual tunnel. Enter information as specified in Table 62.
    • Edit— Modifies the selected manual tunnel.
    • Delete— Deletes a selected manual tunnel.

Table 61: Display Page for Manual Tunnel

Field

Function

Name

Name of the manual tunnel.

Gateway

Gateway selected.

Bind Interface

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Df Bit

Don't Fragment (DF) bit in the outer header.

Table 62: VPN Manual Configuration Add Options

Field

Function

Action

IPsec Manual

  

VPN Name

Name that identifies the manual IPsec tunnel.

Enter the VPN Name.

Remote Gateway

Name of the remote gateway.

Enter the gateway.

 

Protocol

The security protocol for the SA. AH (Authentication Header) provides integrity and origin authentication only; ESP (Encapsulating Security Payload) provides encryption and, with an authentication algorithm, integrity as well.

  • ESP
  • AH

Select a protocol for the proposal.

SPI

Security Parameter Index (SPI) that identifies the SA. The configurable range is 256 through 16639, and the same value must be configured on both peers.

Enter an SPI value.

Bind to tunnel interface

The tunnel interface to which the route-based virtual private network (VPN) is bound.

Select an interface.

Do not fragment bit

Specifies how the device handles the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Enable VPN Monitor

Destination IP

IP address of the destination peer.

Enter an IP address.

Optimized

Specifies that the device uses traffic patterns as evidence of peer liveliness. If enabled, ICMP requests are suppressed. This feature is disabled by default.

Click the check box.

Source Interface

The source interface for ICMP requests (VPN monitoring “hellos”). If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

Specify a source interface.

Key Values

Authentication

Algorithm

Hash algorithm that authenticates packet data. It can be one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm.

ASCII Text

Authentication key, entered as ASCII text.

Enable the ASCII Text option and enter a key of the exact length the algorithm requires.

Hexadecimal

Authentication key, entered in hexadecimal.

Enable the Hexadecimal option and enter a key of the exact length the algorithm requires.

Encryption

Supported encryption algorithms include the following:

  • 3des-cbc—3DES-CBC encryption algorithm.
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm.

ASCII Text

Encryption key, entered as ASCII text.

Enable the ASCII Text option and enter a key of the exact length the algorithm requires.

Hexadecimal

Encryption key, entered in hexadecimal.

Enable the Hexadecimal option and enter a key of the exact length the algorithm requires.

Note: Manual keys never change unless you reconfigure them, so generate them from a cryptographically secure random source rather than from a passphrase, and rotate them on a schedule.
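A manual tunnel has no IKE to negotiate keys, so the SPI and the authentication and encryption keys entered in Table 62 are the whole security of the SA: they must be random, of exactly the length the algorithm expects, and identical on both peers. The following Python script is an added example, not from this guide or from Juniper. It generates an in-range SPI and correctly sized keys from the OS random source, validates a key typed in ASCII or hexadecimal form against the algorithm's required length, and emits the equivalent `set security ipsec vpn ... manual ...` statements. The VPN, peer address and interface names are assumptions, and the statement syntax is the author's understanding of the Junos manual-VPN hierarchy.

```python
# Added example (not from the J-Web guide or Juniper): SPI and key generation and key-length
# validation for a Junos manual IPsec SA. Names and the "set" statement layout are assumptions.
import secrets

AUTH_KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes-128-cbc": 16,
                 "aes-192-cbc": 24, "aes-256-cbc": 32}
SPI_MIN, SPI_MAX = 256, 16639          # configurable range given in Table 62

def key_bytes(kind, algorithm):
    """Required key length in bytes for an 'authentication' or 'encryption' algorithm."""
    table = AUTH_KEY_BYTES if kind == "authentication" else ENC_KEY_BYTES
    if algorithm not in table:
        raise ValueError(f"unsupported {kind} algorithm {algorithm!r}")
    return table[algorithm]

def key_length_ok(kind, algorithm, key, form):
    """True if `key` in the given form ('ascii-text' or 'hexadecimal') has exactly the required length."""
    if form not in ("ascii-text", "hexadecimal"):
        raise ValueError(f"unknown key form {form!r}")
    try:
        raw = key.encode("ascii") if form == "ascii-text" else bytes.fromhex(key)
    except ValueError:                 # non-ASCII text or malformed hex cannot be a valid key
        return False
    return len(raw) == key_bytes(kind, algorithm)

def random_spi():
    """SPI drawn uniformly from the configurable range; the peer must be given the same value."""
    return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)

def random_key_hex(kind, algorithm):
    """Hex key of the right length from the OS CSPRNG; never derive manual keys from a passphrase."""
    return secrets.token_hex(key_bytes(kind, algorithm))

def manual_sa_commands(vpn, peer, interface, spi, auth_alg, enc_alg,
                       auth_key=None, enc_key=None, bind="st0.0"):
    """Junos 'set' lines for an ESP manual SA (assumed syntax); keys are generated unless supplied."""
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    auth_key = auth_key or random_key_hex("authentication", auth_alg)
    enc_key = enc_key or random_key_hex("encryption", enc_alg)
    for kind, alg, key in (("authentication", auth_alg, auth_key), ("encryption", enc_alg, enc_key)):
        if not key_length_ok(kind, alg, key, "hexadecimal"):
            raise ValueError(f"{kind} key is not {key_bytes(kind, alg)} bytes of hex")
    base = f"set security ipsec vpn {vpn} manual"
    return [
        f"set security ipsec vpn {vpn} bind-interface {bind}",
        f"{base} gateway {peer}",                 # peer address, as in the Remote Gateway field
        f"{base} external-interface {interface}",
        f"{base} protocol esp",
        f"{base} spi {spi}",
        f"{base} authentication algorithm {auth_alg}",
        f'{base} authentication key hexadecimal "{auth_key}"',
        f"{base} encryption algorithm {enc_alg}",
        f'{base} encryption key hexadecimal "{enc_key}"',
    ]

if __name__ == "__main__":
    print("\n".join(manual_sa_commands("vpn-manual", "203.0.113.10", "ge-0/0/0.0",
                                       random_spi(), "hmac-sha1-96", "aes-256-cbc")))
```

Paste the printed statements into both peers (with the same SPI and keys on each side), and use `key_length_ok()` before committing a key someone typed by hand: a key of the wrong length fails at commit time on the device, but a key of the right length that was chosen by a person is the more common weakness and is not something the device can detect.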

Configuring Dynamic VPN—Quick Configuration

Dynamic VPN IKE Configuration

The following topics describe dynamic VPN IKE configuration:

Configuring an IKE Gateway—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Gateway.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IKE Gateway Quick Configuration Page shows the Quick Configuration page where you can select an existing gateway, or click Add to create a new one.

To configure an IKE gateway with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the IKE Gateway tab if it is not selected.
  3. To modify an existing IKE gateway, click the appropriate link in the Name column to go to the gateway’s configuration page. Or, select the gateway from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.

    Note: The list of IKE gateways displayed on this page includes both standard VPN gateways and dynamic VPN gateways.

  4. To configure a new IKE gateway, click Add.
  5. Fill in the options as described in Table 63.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 63: IKE Gateway Options

Field

Function

Action

IKE Gateway

Name

Name to identify the IKE gateway.

Enter a name.

IKE Policy

IKE policy to associate with the IKE gateway. An IKE policy specifies the type of preshared key to use during Phase 1 negotiations as well as which Phase 1 proposal(s) to use.

Select a previously created IKE policy.

External Interface

Outgoing interface to use when establishing security associations (SAs). An interface acts as a doorway through which traffic enters and exits the JUNOS device.

Specify a previously created interface.

NAT Keepalive Interval

The dynamic VPN feature automatically includes support for NAT traversal (NAT-T). The NAT keepalive interval controls how often NAT keepalive packets can be sent so that NAT translation continues.

Specify a maximum interval in seconds at which NAT keepalive packets can be sent. Range: 1 through 300 seconds. Default: 5 seconds.

Local Identity

Local identity of the endpoint computer to send in the IKE exchange. You can identify the local identity in any of the following ways:

  • IP Address—Use an IPv4 IP address to identify the endpoint computer.
  • Hostname—Use a fully qualified domain name (FQDN) to identify the endpoint computer.
  • User at Hostname—Use an e-mail address to identify the endpoint computer.

If you do not configure a local identity, the device uses the virtual IP address assigned by the RADIUS server during the XAuth configuration exchange.

Specify an IP address, hostname, or user-at-hostname.

Dynamic Remote Identifier

Connections limit

Maximum number of concurrent connections allowed. When the maximum number of connections is reached, no more dynamic VPN endpoint users attempting to access an IPsec VPN are allowed to begin Internet Key Exchange (IKE) negotiations.

Specify the maximum number of concurrent users that can be connected to the gateway (Remote Access Server).

IKE User Hostname

Name or identifier to use when establishing the VPN tunnel. We recommend entering the fully qualified domain name to identify the dynamic peer, but you can enter any name or identifier as long as it is unique.

Specify one primary name or identifier and up to four backups.

Dead Peer Detection

Enable DPD

Enable dead peer detection (DPD), as outlined in RFC 3706 Dead Peer Detection.

Click the check box to disable or enable. (Disabled by default.)

Always Send

Send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Click the check box to disable or enable. (Disabled by default.)

Interval

Amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. Default: 10.

Threshold

Maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Access Profile

Provide extended authentication (XAuth), in addition to IKE authentication, for remote users trying to access a VPN tunnel.

Note: This Access Profile option does not control authentication for users trying to download Access Manager. For client download authentication, use the Access Profile option on the Global Settings Quick Configuration page. For more information, see "Configuring Global Client Download Settings-Quick Configuration (Dynamic VPNs)".

Select a previously created access profile.

Configuring an IKE Policy—Dynamic VPNs

You can use J-Web to quickly configure an IKE policy.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

To configure an IKE policy :

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the IKE Policy tab if it is not already selected.
  3. To modify an existing policy, click the appropriate link in the Name column to go to the policy’s configuration page. Or, select the policy from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new IKE policy, click Add.
  5. Fill in the options as described in Table 64.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration, click Cancel.

Table 64: IKE Policy, Authentication, and Proposal Options

Field

Function

Action

IKE Policy

Name

Name to identify the policy.

Enter a name.

Description

Description of the policy.

Enter a brief description of the policy.

Mode

Specifies how participants should exchange encryption and authentication information during Phase 1 tunnel negotiations. The dynamic VPN feature only uses aggressive mode, which transfers the information between participants in two exchanges.

No action is required. The device displays this information for informational purposes only.

Pre-shared Key

Pre-shared key

Use one of the following preshared key types:

  • ASCII text
  • Hexadecimal

Click Pre shared key, click the type of key, and enter the key in the appropriate format.

Proposal

None

Do not use proposals

Click None.

User Defined

Use up to four Phase 1 proposals that you previously defined. If you include multiple Phase1 proposals in the IKE policy, use the same Diffie-Hellman group in all of the proposals.

Click User Defined, select a proposal (or proposals) from the pop-up menu, and click Add.

Predefined

Use one of the following types of predefined Phase 1 proposals:

  • Basic
  • Compatible
  • Standard

Click Predefined, and select a proposal type.

Configuring an IKE Phase 1 Proposal— (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure an IKE Phase 1 proposal.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IKE Phase 1 Proposal Quick Configuration Page shows the Configuration page where you can select an existing proposal, or click Add to create a new one.

IKE Phase 1 Proposal Quick Configuration Page shows the Configuration page where you create a new proposal.

To configure a Phase 1 Proposal with Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IKE.
  2. Select the Phase 1 Proposal tab if it is not selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new Phase 1 proposal, click Add.
  5. Fill in the options as described in Table 65.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 65: Phase 1 Proposal Configuration Options

Field

Function

Action

IKE Proposal (Phase 1)

Name

Name to identify the proposal.

Enter a name.

Authentication algorithm

Hash algorithm the device uses to authenticate and integrity-protect IKE (Phase 1) messages. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Select an authentication algorithm.

Authentication method

Method the device uses to authenticate the source of Internet Key Exchange (IKE) messages. The dynamic VPN feature only uses preshared keys for authentication. With this method, both participants must have the key before beginning tunnel negotiations.

No action is required. The device displays this information for informational purposes only.

Description

Description of the proposal.

Enter a brief description of the Phase 1 proposal.

Dh group

Allow participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

Select a Diffie-Hellman group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption algorithm

Supported Internet Key Exchange (IKE) encryption algorithms include the following:

  • 3des-cbc—3DES-CBC encryption algorithm
  • aes-128-cbc—AES-CBC 128-bit encryption algorithm
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm
  • des-cbc—DES-CBC encryption algorithm

Select an encryption algorithm.

Lifetime seconds

Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated.

Select a lifetime for the IKE security association (SA). Range: 180 through 86,400 seconds. Default: 3,600 seconds.

Dynamic VPN IPsec Autokey Configuration

The following topics describe dynamic VPN IPsec autokey configuration:

Configuring an IPsec Autokey—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec AutoKey.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IPsec Autokey Quick Configuration Page shows the Quick Configuration page where you can select an existing policy, or click Add to create a new one.

To configure an IPsec AutoKey with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IPSec Autokey.
  2. Select the IPSec AutoKey tab if it is not selected.
  3. To modify an existing IPsec AutoKey configuration, click the appropriate link in the Name column to go to the configuration page. Or, select the policy from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new IPsec AutoKey, click Add.
  5. Fill in the options as described in Table 66.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 66: IPsec AutoKey Configuration Options

Field

Function

Action

IPsec Autokey VPN

VPN Name

Name to identify the IPsec AutoKey.

Enter a name.

Remote gateway

IKE gateway to associate with the IPsec AutoKey. An IKE gateway specifies a variety of IKE configuration options, including which IKE policy to use, how to identify endpoint computers during IKE exchanges, NAT options, dead peer detection options, and Xauth options.

Select a previously created IKE gateway.

Idle time

Maximum amount of time to allow a security association (SA) to remain idle before deleting it.

Specify a value between 60 and 999,999 seconds.

Install interval

Maximum number of seconds to allow the installation of a rekeyed outbound SA on the device.

Specify a value between 0 and 10 seconds.

IPsec policy

IPsec policy to associate with the IPsec AutoKey. An IPsec policy specifies the perfect forward secrecy (PFS) Diffie-Hellman group used when generating Phase 2 keys as well as the Phase 2 proposals to use.

Select a previously created IPsec policy.

Disable anti replay

Anti-replay checking rejects IPsec packets whose sequence numbers have already been seen, which defeats an attacker who captures a series of packets and resends them to flood the system or gain entry. Anti-replay checking is enabled by default; select this option only when the peer requires it to be turned off.

Click the check box to disable or enable. (Disabled by default.)

Use proxy identity

(Optional) Specify the IPsec proxy identity to use in IKE negotiations. The default behavior is to use the identities taken from the firewall policies.

Click the check box to disable or enable. (Disabled by default.)

Local IP/Netmask

Local IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Remote IP/Netmask

Remote IP address and subnet mask for the proxy identity.

Enter an IP address and subnet mask.

Service

Service (port and protocol combination) to protect.

Select a service.

Don't fragment bit

Specify how the device should handle the Don't Fragment (DF) bit in the outer header.

  • clear—Clear (disable) the DF bit from the outer header. This is the default.
  • copy—Copy the DF bit to the outer header.
  • set—Set (enable) the DF bit in the outer header.

Choose an option.

Establish tunnels

Specify when to activate IKE:

  • immediately—Activate IKE immediately after the VPN is configured and changes are committed.
  • on-traffic—Activate IKE only when data traffic flows and must be negotiated.

Choose an option.

Configuring an IPsec Policy—Dynamic VPNs

You can use J-Web to quickly configure an IPsec policy.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

To configure an IPsec policy:

  1. Select Configure>IPSec VPN>Dynamic VPN>IPsec Autokey.
  2. Select the IPsec Policy tab if it is not already selected.
  3. To modify an existing policy, click the appropriate link in the Name column to go to the policy’s configuration page. Or, select the policy from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new IPsec policy, click Add.
  5. Fill in the options as described in Table 67.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 67: IPsec Policy Configuration Options

Field

Function

Action

IPsec Policy

Name

Name to identify the policy.

Enter a name.

Description

Description of the policy.

Enter a brief description of the policy.

Perfect Forward Secrecy

Method the device uses to generate the encryption key. Perfect Forward Secrecy generates each new encryption key independently from the previous key.

  • group1—Diffie-Hellman Group 1.
  • group2—Diffie-Hellman Group 2.
  • group5—Diffie-Hellman Group 5.

Select a method.

Proposal

None

Do not use a proposal.

Click None.

User Defined

Use up to four Phase 2 proposals that you previously defined. If you include multiple Phase 2 proposals in the IPsec policy, use the same Diffie-Hellman group in all of the proposals.

Click User Defined, select a proposal (or proposals) from the pop-up menu, and click Add.

Predefined

Use one of the following types of predefined Phase 1 proposals:

  • Basic
  • Compatible
  • Standard

Click Predefined, and select a proposal type.

Configuring an IPsec Phase 2 Proposal—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec Phase 2 proposals.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Phase 2 Proposal Quick Configuration Page shows the Quick Configuration page where you can select an existing proposal, or click Add to create a new one.

To configure an IPsec Phase 2 proposal with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>IPSec AutoKey.
  2. Select the IPsec Phase 2 Proposal tab if it is not already selected.
  3. To modify an existing proposal, click the appropriate link in the Name column to go to the proposal’s configuration page. Or, select the proposal from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  4. To configure a new Phase 2 proposal, click Add.
  5. Fill in the options as described in Table 68.
  6. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 68: IPsec Phase 2 Proposal Options

Field

Function

Action

IPsec Proposal (Phase 2)

Name

Name to identify the Phase 2 proposal.

Enter a name.

Description

Description of the Phase 2 proposal.

Enter a brief description of the proposal.

Authentication algorithm

Hash algorithm that authenticates packet data. You can choose one of the following:

  • hmac-md5-96—Produces a 128-bit digest.
  • hmac-sha1-96—Produces a 160-bit digest.

Select a hash algorithm.

Encryption algorithm

IKE algorithm used to encrypt data. You can choose one of the following:

  • 3des-cbc—Has a block size of 24 bytes; the key size is 192 bits long.
  • aes-128-cbc—AES 128-bit encryption algorithm.
  • aes-192-cbc—AES 192-bit encryption algorithm.
  • aes-256-cbc—AES 256-bit encryption algorithm.
  • des-cbc—Has a block size of 8 bytes; the key size is 48 bits long.

Select an encryption algorithm.

Lifetime kilobytes

Lifetime (in kilobytes) of an IPsec security association (SA). The SA is terminated when the specified number of kilobytes of traffic have passed.

Enter a value from 64 through 1,048,576 kilobytes.

Lifetime seconds

Lifetime (in seconds) of an IKE security association (SA). When the SA expires, it is either replaced by a new SA and security parameter index (SPI) or the SA is terminated.

Enter a value from 180 through 86,400 seconds.

Protocol

Type of security protocol. Supported options include:

  • ah—Authentication Header (AH) protocol verifies the authenticity/integrity of the content and origin of a packet.
  • esp—Encapsulating Security Payload (ESP) protocol ensures privacy (encryption) and source authentication and content integrity (authentication).

Select a protocol for the proposal.
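The value ranges and algorithm choices in Table 68 can be checked offline before they are entered in the form. The following is an added example, not Juniper code: it validates a Phase 2 proposal (given as a dict with constructed sample values) against the limits from Table 68 and additionally warns about the legacy algorithms the form still offers.

```python
# Added example, not Juniper code: checks a Phase 2 proposal, entered as a
# dict, against the value ranges Table 68 accepts, and additionally warns
# about legacy algorithms that the form still offers.

# Permitted values and ranges, taken from Table 68.
AUTH_ALGS = {"hmac-md5-96", "hmac-sha1-96"}
ENC_ALGS = {"3des-cbc", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "des-cbc"}
PROTOCOLS = {"ah", "esp"}
LIFETIME_KB = (64, 1_048_576)      # kilobytes of traffic before the SA is terminated
LIFETIME_SEC = (180, 86_400)       # seconds before the SA expires

# Reviewer's additions (not a J-Web rule): algorithms that should not be used
# for new tunnels even though the form still offers them.
LEGACY = {"des-cbc": "single DES", "3des-cbc": "3DES", "hmac-md5-96": "HMAC-MD5"}


def lint_proposal(p: dict) -> list[str]:
    """Return messages prefixed 'error:' (form would reject) or 'warn:' (accepted but weak)."""
    msgs = []
    if not str(p.get("name", "")).strip():
        msgs.append("error: name is required")
    if p.get("protocol") not in PROTOCOLS:
        msgs.append(f"error: protocol must be one of {sorted(PROTOCOLS)}")
    if p.get("authentication_algorithm") not in AUTH_ALGS:
        msgs.append(f"error: authentication_algorithm must be one of {sorted(AUTH_ALGS)}")
    if p.get("encryption_algorithm") not in ENC_ALGS:
        msgs.append(f"error: encryption_algorithm must be one of {sorted(ENC_ALGS)}")
    for key, (lo, hi) in (("lifetime_kilobytes", LIFETIME_KB), ("lifetime_seconds", LIFETIME_SEC)):
        val = p.get(key)
        if val is not None and not (isinstance(val, int) and lo <= val <= hi):
            msgs.append(f"error: {key} must be an integer from {lo} through {hi}")
    for alg in (p.get("encryption_algorithm"), p.get("authentication_algorithm")):
        if alg in LEGACY:
            msgs.append(f"warn: {alg} ({LEGACY[alg]}) is a legacy algorithm; prefer AES and SHA")
    return msgs


# Constructed sample proposals (not from the page).
GOOD = {"name": "p2-aes256-sha1", "protocol": "esp",
        "authentication_algorithm": "hmac-sha1-96",
        "encryption_algorithm": "aes-256-cbc",
        "lifetime_kilobytes": 1_048_576, "lifetime_seconds": 3600}
WEAK = {"name": "p2-legacy", "protocol": "esp",
        "authentication_algorithm": "hmac-md5-96",
        "encryption_algorithm": "des-cbc",
        "lifetime_seconds": 90}            # below the 180-second minimum

if __name__ == "__main__":
    for prop in (GOOD, WEAK):
        print(prop["name"], lint_proposal(prop) or ["ok"])
```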

Dynamic VPN Client

Configuring Global Client Download Settings—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure global dynamic VPN settings.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Global Settings Quick Configuration Page shows the quick configuration page where you can modify global settings.

Note: For information about creating a client configuration, see "Creating a Client Configuration—Quick Configuration (Dynamic VPNs)".

To create or modify global dynamic VPN settings with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>Global Settings.
  2. Fill in the options as described in Table 69.
  3. To apply the configuration, click OK.

Table 69: Client VPN Configuration Options

Field

Function

Action

Dynamic VPN

Access Profile

Access profile that controls the authentication of users who want to download Access Manager. (You will need to select these access profiles when configuring your IKE gateway and dynamic VPN global options. Note that you can use the same access profile to authenticate users in both cases, or you can use separate access profiles to authenticate downloads and VPN sessions.)

Note: This Access Profile option does not control authentication for VPN sessions. For session authentication, use the Access Profile option on the IKE Gateway Quick Configuration page. For more information, see "Configuring an IKE Gateway—Quick Configuration (Dynamic VPNs)".

Select a previously created access profile.

Force Upgrade

Enable this option if you want the setup program to automatically download the latest client and install it on the user’s computer when the setup program detects a version mismatch between the client and server. Otherwise, the setup program prompts the user to upgrade the client when it detects a version mismatch, but does not force the upgrade. If the user does not choose to upgrade, the setup program launches the existing client version that resides on the user’s computer.

Click the check box to enable or disable. (Enabled by default.)

Creating a Client Configuration—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly create or modify a client configuration that downloads to the user’s computer along with the Access Manager client.

Before You Begin

For background information, read:

  • "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Client Configuration Quick Configuration Page shows the configuration options where you create a new client configuration.

To create or modify a client configuration with Quick Configuration:

  1. Select Configure>IPSec VPN>Dynamic VPN>Global Settings.
  2. To modify an existing configuration, click the appropriate link in the Client VPN Configuration column to go to the configuration page. Or, select the client configuration from among those listed and click one of the following buttons:
    • To apply the configuration, click Apply.
    • To delete the configuration, click Delete.
  3. To create a new client configuration, click Add.
  4. Fill in the options as described in Table 70.
  5. Click one of the following buttons:
    • To apply the configuration, click OK.
    • To cancel the configuration and return to the main Configuration page, click Cancel.

Table 70: Client VPN Configuration Options

Field

Function

Action

Client Configuration

Name

Name to identify the client configuration.

Enter a name.

IPSec VPN

IKE AutoKey configuration to use when establishing the VPN tunnel.

Select a previously created IKE AutoKey configuration.

Remote Address

Remote Sources IP

IP address and netmask of a resource behind the firewall. Traffic to the specified resource will go through the VPN tunnel and therefore will be protected by the firewall’s security policies.

Note: The device does not validate that the IP/netmask combination that you enter here matches up with your security policies.

Enter an IP address and netmask and click Add.

Remote Exceptions IP

IP address and netmask of exceptions to the remote protected resources list.

Enter an IP address and netmask and click Add.

Users

Users

List of users that can use this client configuration.

Note: The server does not validate the names that you enter here, but the names must be the names that the users use to log onto the device when downloading the client.

Enter a user name and click Add.
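Because the device does not check that the Remote Sources IP and Remote Exceptions IP entries line up with the security policies (see the note under Remote Sources IP above), that check has to be done by the administrator. The following is an added example, not Juniper code: it takes constructed lists of remote-source prefixes, exception prefixes and security-policy destination prefixes, and reports any protected resource that no policy destination covers.

```python
# Added example, not Juniper code. Prefixes below are constructed; the
# function assumes all entries are IPv4 networks in CIDR notation.
import ipaddress


def uncovered_resources(remote_sources, exceptions, policy_destinations):
    """Return, sorted, the parts of the Remote Sources IP prefixes (after
    carving out the Remote Exceptions IP prefixes) that no security-policy
    destination prefix fully covers."""
    excepts = [ipaddress.ip_network(e) for e in exceptions]
    dests = [ipaddress.ip_network(d) for d in policy_destinations]
    uncovered = []
    for src in (ipaddress.ip_network(s) for s in remote_sources):
        remaining = [src]
        for ex in excepts:                 # remove each exception from the source
            carved = []
            for net in remaining:
                if ex.subnet_of(net):
                    carved.extend(net.address_exclude(ex))
                elif not net.subnet_of(ex):  # overlap-free or the exception swallows net
                    carved.append(net)
            remaining = carved
        for net in remaining:              # what is left must sit inside some policy
            if not any(net.subnet_of(d) for d in dests):
                uncovered.append(str(net))
    return sorted(uncovered)


# Constructed sample data, not from the page.
REMOTE_SOURCES = ["10.10.0.0/16"]
REMOTE_EXCEPTIONS = ["10.10.5.0/24"]      # a subnet the tunnel should not carry
POLICY_DESTS_FULL = ["10.10.0.0/17", "10.10.128.0/17"]
POLICY_DESTS_HALF = ["10.10.0.0/17"]      # upper half of the /16 has no policy

if __name__ == "__main__":
    print(uncovered_resources(REMOTE_SOURCES, REMOTE_EXCEPTIONS, POLICY_DESTS_FULL))
    print(uncovered_resources(REMOTE_SOURCES, REMOTE_EXCEPTIONS, POLICY_DESTS_HALF))
```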