Configuring an IPsec Autokey—Quick Configuration (Dynamic VPNs)

You can use J-Web Quick Configuration to quickly configure IPsec AutoKey.

Before You Begin
For background information, read: "Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

Before You Begin

For background information, read:

"Dynamic Virtual Private Networks (VPNs)" chapter in the JUNOS Software Security Configuration Guide.

IPsec Autokey Quick Configuration Page shows the Quick Configuration page where you can select an existing policy, or click Add to create a new one.

To configure an IPsec AutoKey with Quick Configuration:

Select Configure>IPSec VPN>Dynamic VPN>IPSec Autokey.
Select the IPSec AutoKey tab if it is not selected.
To modify an existing IPsec AutoKey configuration, click the appropriate link in the Name column to go to the configuration page. Or, select the policy from among those listed and click one of the following buttons:
- To apply the configuration, click Apply.
- To delete the configuration, click Delete.
To configure a new IPsec AutoKey, click Add.
Fill in the options as described in Table 89.
Click one of the following buttons:
- To apply the configuration, click OK.
- To cancel the configuration and return to the main Configuration page, click Cancel.

Table 89: IPsec AutoKey Configuration Options

Field	Function	Action
IPsec Autokey VPN
VPN Name	Name to identify the IPsec AutoKey.	Enter a name.
Remote gateway	IKE gateway to associate with the IPsec AutoKey. An IKE gateway specifies a variety of IKE configuration options, including which IKE policy to use, how to identify endpoint computers during IKE exchanges, NAT options, dead peer detection options, and Xauth options.	Select a previously created IKE gateway.
Idle time	Maximum amount of time to allow a security association (SA) to remain idle before deleting it.	Specify a value between 60 and 999,999 seconds.
Install interval	Maximum number of seconds to allow the installation of a rekeyed outbound SA on the device.	Specify a value between 0 and 10 seconds.
IPsec policy	IPsec policy to associate with the IPsec AutoKey. An IPsec policy specifies the Diffie-Hellman group to use when generating encryption keys as well as the Phase 2 proposals to use.	Select a previously created IPsec policy.
Disable anti replay	Replay attacks occur when somebody intercepts a series of packets and uses them to flood the system or gain entry into a trusted system. Select this option to enable replay protection.	Click the check box to disable or enable. (Disabled by default.)
Use proxy identity	(Optional) Specify the IPsec proxy identity to use in IKE negotiations. The default behavior is to use the identities taken from the firewall policies.	Click the check box to disable or enable. (Disabled by default.)
Local IP/Netmask	Local IP address and subnet mask for the proxy identity.	Enter an IP address and subnet mask.
Remote IP/Netmask	Remote IP address and subnet mask for the proxy identity.	Enter an IP address and subnet mask.
Service	Service (port and protocol combination) to protect.	Select a service.
Don't fragment bit	Specify how the device should handle the Don't Fragment (DF) bit in the outer header. clear—Clear (disable) the DF bit from the outer header. This is the default. copy—Copy the DF bit to the outer header. set—Set (enable) the DF bit in the outer header.	Choose an option.
Establish tunnels	Specify when to activate IKE: immediately—Activate IKE immediately after the VPN is configured and changes are committed. on-traffic—Activate IKE only when data traffic flows and must be negotiated.	Choose an option.