VPN Gateway Configuration Page Options

  1. Select Configure>IPSec VPN>Auto Tunnel> Phase I.

    The VPN Gateway configuration page appears. Table 88 explains the contents of this page.

  2. Click one:
    • Add—Adds a new or duplicate VPN gateway configuration. Enter information as specified in Table 89.
    • Edit—Edits a selected VPN gateway configuration.
    • Delete—Deletes the selected VPN gateway configuration.
  3. Click one:
    • OK—Saves the configuration and returns to the main configuration page.
    • Commit Options>Commit—Commits the configuration and returns to the main configuration page.
    • Cancel—Cancels your entries and returns to the main configuration page.

Table 88: VPN Gateway Configuration Page

Field

Function

Gateway

Gateway Name

Displays the name of the gateway to be searched.

Search

Displays the text box for searching a gateway.

Name

Displays the name of the destination peer gateway, specified as an alphanumeric string.

IKE Policy

Displays the name of the IKE policy.

External Interface

Displays the name of the interface to be used to send traffic to the IPsec VPN.

Remote Identity

Displays information about the remote peer.

IKE Policy

Name

Displays the name of the policy.

Description

Provides a description of the policy.

Mode

Displays the mode of configuration.

Authentication Method

Displays the authentication method configured.

Proposal

Displays the name of the proposal configured to be used by this policy in Phase 1.

Proposal

Name

Displays the name of the proposal selected.

Authentication Algorithm

Displays the hash algorithm configured or selected.

Authentication Method

Displays the authentication method selected.

Encryption Algorithm

Displays the supported IKE proposals.

Table 89: Add VPN Gateway Configuration Details

Field

Function

Action

Add Gateway

IKE Gateway

Name

Specifies the name of the gateway.

Enter the name of the gateway.

Policy

Specifies the name of the policy.

Enter the name of the policy you configured for Phase 1.

External Interface

Specifies the name of the interface to be used to send traffic to the IPsec VPN.

Specifies the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Select an outgoing interface from the list.

Site to Site Tunnel

Specifies the VPN configuration type as site to site.

Click the Site to Site radio button.

Address/FQDN

Specifies the address or FQDN of the peer.

Enter information about the peer IP or domain name.

Local ID

Identify Type

Specifies the identity type. The identify types are as follows:

  • IP Address
  • Host Name
  • Email Address
  • Distinguished Name

Select one of the identity type options.

Client Tunnel

Specifies the remote access dynamic VPN.

Select the Client Tunnel radio button.

Connections limit

Specifies the limit on connections.

Enter the connection limit.

IKE user type

Specifies the Internet Key Exchange user type. The IKE user types are as follows:

  • group-ike-id
  • shared-ike-id

Select one of the IKE user type options.

Remote ID

Identity type

Specifies the identity type. The identify types are as follows:

  • IP Address
  • Host Name
  • Email Address
  • Distinguished Name

Select one of the identity type options.

IKE Gateway Options

Local Identity

Specifies the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. You can identify the local identity in any of the following ways:

  • IP Address—IPv4 IP address to identify the dynamic peer.
  • Hostname—Fully qualified domain name (FQDN) to identify the dynamic peer.
  • User at Hostname—E-mail address to identify the dynamic peer.
  • Distinguished Name—Name to identify the dynamic peer. The distinguished name appears in the subject line of the Public Key Infrastructure (PKI) certificate. For example: Organization: juniper, Organizational unit: slt, Common name: common.

Select one of the identity type options.

Dead Peer Detection

Specifies whether to enable DPD.

Select the check box.

Always send

Specifies the device to send DPD requests regardless of whether there is outgoing IPsec traffic to the peer.

Select the check box.

Interval

Specifies the amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet.

Enter the interval at which to send DPD messages. Range: 1 through 60 seconds.

Threshold

Specifies the maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable.

Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5.

XAuth

Provides XAuth in addition to IKE authentication for remote users trying to access a VPN tunnel.

Select XAuth from the list.

NAT-Traversal

Specifies whether to enable NAT-T. NAT-T is enabled by default.

Select the check box to disable or enable.

NAT-keepalive

Specifies the interval at which NAT keepalive packets can be sent so that NAT continues.

Enter the interval, in seconds, at which NAT keepalive packets can be sent. Default: 5 seconds. Range: 1 through 300 seconds.

Add Policy

IKE Policy

Name

Specifies the name of the IKE policy.

Enter the policy name.

Description

Provides a description of the policy.

Enter a description of the policy.

Mode

Specifies the mode. The available modes are as follows:

  • Main mode—This mode has three 2-way exchanges between the initiator and receiver. It is secure and preferred in the auto tunnel
  • Aggressive mode— This mode is faster than main mode. It is less secure and is used mostly for dial-up VPN.

Select a mode from the list.

Proposal

Predefined

Specifies the predefined Phase 1 proposals. Use one of the following types of predefined Phase 1 proposals:

  • Basic
  • Compatible
  • Standard

Click Predefined, and select a proposal type.

User defined

Specifies the user-defined Phase 1 proposal.

Click User Defined, select a proposal from the pop-up menu, and click Add.

Proposal List

Specifies one or more proposals that can be used during key negotiation:

Click the Predefined Proposal option button to select proposals preconfigured by JUNOS Software.

Click the User Defined Proposal option button to use proposals that you have created.

IKE Policy Options

Pre Shared Key

Specifies use of a preshared key for the VPN.

The available options are as follows:.

  • ASCII text
  • Hexadecimal

If a preshared key is selected, then configure the appropriate key.

Certificate

Specifies use of a certificate for the VPN.

Click the option button.

Local Certificate

Specifies use of a particular certificate when the local device has multiple loaded certificates.

Enter a local certificate identifier.

Peer Certificate Type

Specifies use of a preferred type of certificate.

The available options are as follows:

  • PKCS7
  • X509

Select a certificate type.

Trusted CA

Specifies the preferred CA to use when requesting a certificate from the peer. If no value is specified, then no certificate request is sent (although incoming certificates are still accepted).

The options that are available are as follows:

  • None—Use none of configured certificate authorities.
  • Use All—Device uses all configured certificate authorities.
  • CA Index—Preferred certificate authority ID for the device to use.

Select a trusted CA from the list.

Add Proposal

IKE Proposal

Name

Specifies the name of the proposal.

Enter the name of the proposal.

Authentication Algorithm

Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following:

  • md5—Produces a 128-bit digest.
  • sha1—Produces a 160-bit digest.
  • sha-256—Produces a 256-bit digest.

Note: The sha-256 authentication algorithm is not supported with the dynamic VPN feature.

Select a hash algorithm from the available option.

Authentication Method

Specifies the method the device uses to authenticate the source of IKE messages. The available options are as follows:

  • pre-shared-key—Key for encryption and decryption that both participants must have before beginning tunnel negotiations.
  • rsa-key—Kinds of digital signatures, which are certificates that confirm the identity of the certificate holder.

Select an option.

Description

Provides a description of the proposal for easy identification .

Enter a brief description of the IKE proposal.

DH Group

Specifies the Diffie-Hellman group. The DH exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection.

The available options are as follows:

  • None
  • group1
  • group2
  • group5
  • group14

Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals.

Encryption Algorithm

Specifies the supported Internet Key Exchange (IKE) proposals. It includes the following:

  • 3des-cbc—3DES-CBCencryption algorithm.
  • aes-128-cbc—AES-CBC128-bit encryption algorithm.
  • aes-192-cbc—AES-CBC 192-bit encryption algorithm.
  • aes-256-cbc—AES-CBC 256-bit encryption algorithm.
  • des-cbc—DES-CBC encryption algorithm.

Select an encryption algorithm from the list.

Lifetime seconds

Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is replaced by a new SA and SPI or is terminated.

Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds.

Related Documentation