VPNs

  • Support for ADVPN with iked process (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we support the Auto Discovery VPN (ADVPN) configuration on firewalls that run the iked process for the IPsec VPN service. With the iked process, you can continue to configure advpn at the [edit security ike gateway gateway-name] hierarchy level.

    [See Auto Discovery VPNs.]

  • Support for lifetime-kilobytes, install-interval, and idle-time options with iked process (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we support the idle-time, install-interval, and lifetime-kilobytes options on firewalls that run the iked process for the IPsec VPN service.

    You can continue to configure the following options:

    • lifetime-kilobytes at the [edit security ipsec proposal proposal-name] hierarchy level.

    • idle-time and install-interval at the [edit security ipsec vpn vpn-name] hierarchy level.

    [See ike (Security IPsec VPN) and proposal (Security IPsec).]

  • Support for multiple peer addresses in DPD configuration with iked process (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, when your firewall runs the iked process for the IPsec VPN service, the IKE connection supports multiple peer addresses per gateway, ensuring DPD failover. You must configure the dead-peer-detection option at the [edit security ike gateway gateway-name] hierarchy level before configuring multiple peer addresses. You can use the address option at the same hierarchy level to configure multiple peer addresses.

    Note the following behavior with the DPD failover feature:

    • You can configure one active peer and up to four backup peer addresses.

    • If the first peer address, which is the active peer, is not reachable, the IKE protocol negotiates with the next available peer in the order in which the peer addresses are configured. Expect traffic disruption while DPD failover is in progress, that is, while the current active peer is unreachable and the next peer is being negotiated.

    [See gateway (Security IKE), dead-peer-detection, and Dead Peer Detection.]
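    As an added example (not part of the release notes), a set-format configuration that follows the order described above: dead-peer-detection is configured first, then the peer addresses in failover order. The gateway name, policy and proposal names, interface, addresses, and pre-shared key are constructed placeholders.

```junos
# Added example, not from the release notes. Names and addresses are constructed.
# IKE proposal and policy referenced by the gateway.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
# DPD must be configured on the gateway before more than one peer address is added.
set security ike gateway hub-gw dead-peer-detection interval 10
set security ike gateway hub-gw dead-peer-detection threshold 3
# The first address is the active peer; the remaining addresses are backups
# that IKE tries in this order when the active peer stops answering DPD.
set security ike gateway hub-gw address 192.0.2.1
set security ike gateway hub-gw address 192.0.2.2
set security ike gateway hub-gw address 198.51.100.1
set security ike gateway hub-gw ike-policy ike-pol
set security ike gateway hub-gw external-interface ge-0/0/0.0
set security ike gateway hub-gw version v2-only
```

    After commit, show security ike security-associations shows which of the configured peers currently holds the IKE SA.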

  • Support for robust protection against DDoS attacks on IKE protocol with iked process (MX240, MX480, and MX960 with SPC3, SRX1500, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, you can efficiently monitor and mitigate DDoS attacks on IKEv1 and IKEv2 protocols when your firewall runs the iked process for the IPsec VPN service.

    To support the feature, we introduce the following configuration statements at the [edit security ike] hierarchy level:

    • session—Tune parameters to manage the behavior of negotiations with the remote peers to protect the security associations. Configure the parameters at the [edit security ike session half-open] and [edit security ike session full-open] hierarchy levels.

    • blocklists—Define multiple blocklists and their associated rules for blocking an IKE ID. Configure the blocklists at the [edit security ike session blocklists] hierarchy level. You must attach a blocklist to one or more IKE policies at the [edit security ike policy policy-name blocklist blocklist-name] hierarchy level.

    Use the following commands to view and clear statistics and other details about the in-progress, failed, blocked, and backoff peers:

    • show security ike peers statistics and show security ike peers.

    • clear security ike peers statistics and clear security ike peers.

    [See IKE Protection from DDoS Attacks, session (Security IKE), blocklists (Security IKE), show security ike peers statistics, show security ike peers, clear security ike peers statistics, and clear security ike peers.]

  • Support for VPN monitoring and datapath verification with the iked process (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 23.4R1, we support VPN monitoring and datapath verification on firewalls that run the iked process for the IPsec VPN service. With the iked process, you can continue to configure vpn-monitor and verify-path at the [edit security ipsec vpn vpn-name] hierarchy level.

    We provide the following enhancements with the feature:

    • Configuration and deletion of VPN monitoring functionality on an active tunnel does not cause any service disruption.

    • After you've configured VPN monitoring, the functionality is active only after the tunnel is up.

    • Configuring verify-path on an active tunnel disrupts service: the tunnel goes down and is then renegotiated.

    [See vpn-monitor, verify-path, and VPN Tunnel Monitoring.]