VPNs

  • Passive mode tunneling support (SRX4600)—Enable this feature with the configuration statement set security ipsec vpn vpn-name passive-mode-tunneling. With passive mode tunneling, the firewall encapsulates packets that would otherwise fail the active IP checks, TTL checks, and fragmentation handling (for example, malformed packets) instead of dropping them. Because those checks are bypassed, enable the option only on the VPN objects that need it.

    See passive-mode-tunneling (security), show security ipsec security-associations, and show security ipsec inactive-tunnels.

  • Enhanced QoS using DSCP per SA in IPsec VPN with iked process (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0)—Traffic classification with Differentiated Services Code Point (DSCP) per security association (SA) is now supported in IPsec VPNs that use the iked process. The feature is available only when the IPsec VPN service runs without the PowerMode IPsec (PMI) configuration. It allows your VPN gateways to negotiate a separate child SA for each CoS type.

    See CoS-Based IPsec VPNs, show security ipsec security-associations, and show security ipsec statistics.

  • Juniper® Secure Connect integration with JIMS (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—The SRX Series Firewalls can send Juniper Secure Connect’s remote access VPN connection state events to Juniper® Identity Management Service (JIMS) using the push to identity management (PTIM) solution. By default, Junos OS enables this feature when you configure identity-management at the [edit services user-identification] hierarchy level.

    You can use the following options to configure this feature:

    • no-push-to-identity-management at the [edit security ike gateway gateway-name aaa] hierarchy level to stop the iked process from pushing connection events to JIMS for that gateway.

    • user-domain at the [edit security remote-access profile realm-name options] hierarchy level to optionally configure a domain alias name.

    See Juniper Secure Connect Integration with JIMS, identity-management, and profile (Juniper Secure Connect).

  • Migration of policy-based VPNs to route-based VPNs (cSRX, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0)—You can migrate policy-based VPNs to route-based VPNs when the IPsec VPN service runs with the iked process. The migration requires that you configure multiple VPN objects on a shared point-to-point st0 logical interface.

    See Shared Point to Point st0 Interface and Migrate Policy-Based VPNs to Route-Based VPNs.

  • SAML-based user authentication in Juniper® Secure Connect (SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Juniper Secure Connect remote access VPN supports user authentication with Security Assertion Markup Language (SAML) version 2. To authenticate remote users with SAML, run the VPN service with the iked process on your firewall and use a Juniper Secure Connect client version that supports SAML.

    Configure the SAML service provider and identity provider settings at the [edit access saml] hierarchy level. Enable SAML in the access profile with the set access profile profile-name authentication-order saml command.

    See SAML Authentication in Juniper Secure Connect, saml, authentication-order (access-profile), saml (Access Profile), saml-options, show network-access aaa saml assertion-cache, show network-access aaa statistics, request network-access aaa saml load-idp-metadata, request network-access aaa saml export-sp-metadata, clear network-access aaa saml assertion-cache, clear network-access aaa saml idp-metadata, and clear network-access aaa statistics.

  • Signature authentication in IKEv2 (cSRX, MX240, MX304, MX480, MX960, MX10004, MX10008, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Secure an IPsec VPN service that runs with the iked process by using IKEv2 signature authentication as defined in RFC 7427. Enable this feature with the following options:

    • digital-signature—Configure this option at the [edit security ike proposal proposal-name authentication-method] hierarchy level to select the signature authentication method. This method works only if both peers exchange a signature hash algorithm list (the SIGNATURE_HASH_ALGORITHMS notification in IKE_SA_INIT, as RFC 7427 requires); a peer that does not send one cannot negotiate it.

    • signature-hash-algorithm—Configure this option at the [edit security ike proposal proposal-name] hierarchy level to advertise one or more hash algorithms (SHA1, SHA256, SHA384, and SHA512) that the peer may use when it signs its AUTH payload. Because each peer picks from the other's advertised list, the two IKE peers can use different hash algorithms in different directions.

    See Signature Authentication in IKEv2, proposal (Security IKE), and Signature Hash Algorithm (Security IKE).
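The following configuration is an added illustration of the digital-signature feature described above; it is not taken from the release notes or from Juniper's documentation. It builds a complete route-based IKEv2 tunnel around the two new statements so that the proposal is seen in context. All object names (ike-prop-sig, ike-pol-sig, gw-branch, ipsec-prop-gcm, ipsec-pol, vpn-branch, cert-hq, ca-hq), the peer address 203.0.113.10, and the interfaces are placeholders. The value tokens for signature-hash-algorithm (written here as sha256 and sha384) and the bracketed multi-value form are assumed from the algorithm list in the text; confirm the exact keywords with CLI completion on your release.

```junos
## IKE proposal: RFC 7427 signature authentication with the hash list this device
## advertises in SIGNATURE_HASH_ALGORITHMS. SHA1 is deliberately left out so the
## peer cannot sign with it; SHA256 and SHA384 are accepted (keyword spelling assumed).
set security ike proposal ike-prop-sig authentication-method digital-signature
set security ike proposal ike-prop-sig signature-hash-algorithm [ sha256 sha384 ]
set security ike proposal ike-prop-sig dh-group group19
set security ike proposal ike-prop-sig authentication-algorithm sha-256
set security ike proposal ike-prop-sig encryption-algorithm aes-256-cbc

## IKE policy: binds the proposal and names the local certificate used to sign.
## The certificate and its CA profile must already be enrolled under [edit security pki]
## (placeholder names cert-hq and ca-hq).
set security pki ca-profile ca-hq ca-identity ca-hq
set security ike policy ike-pol-sig proposals ike-prop-sig
set security ike policy ike-pol-sig certificate local-certificate cert-hq

## IKEv2-only gateway. Identities come from the certificate subject; the remote
## identity is pinned to the peer's DN so a certificate from the same CA but a
## different subject is rejected (placeholder DN).
set security ike gateway gw-branch ike-policy ike-pol-sig
set security ike gateway gw-branch address 203.0.113.10
set security ike gateway gw-branch external-interface ge-0/0/0.0
set security ike gateway gw-branch version v2-only
set security ike gateway gw-branch local-identity distinguished-name
set security ike gateway gw-branch remote-identity distinguished-name container "O=Example Corp,OU=Branch VPN"

## IPsec proposal and policy: AEAD ESP with PFS on the same EC group as IKE.
set security ipsec proposal ipsec-prop-gcm protocol esp
set security ipsec proposal ipsec-prop-gcm encryption-algorithm aes-256-gcm
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group19
set security ipsec policy ipsec-pol proposals ipsec-prop-gcm

## Route-based VPN object bound to st0.0 so routes, not policies, steer traffic.
set interfaces st0 unit 0 family inet
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-branch establish-tunnels immediately
```

After commit, confirm that the IKE SA came up under the signature method with show security ike security-associations detail, and that the child SA exists with show security ipsec security-associations. If the SA fails to form, check first that the peer also sends a SIGNATURE_HASH_ALGORITHMS list containing at least one algorithm you advertise; a peer limited to SHA1 will not match this proposal by design.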