VPNs

  • Migration of policy-based VPNs to route-based VPNs (cSRX, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Migrate policy-based VPNs to route-based VPNs when you run the IPsec VPN service with the iked process. You must configure multiple VPN objects on a shared point-to-point st0 logical interface to perform the migration.

    [See Shared Point to Point st0 Interface and Migrate Policy-Based VPNs to Route-Based VPNs.]

  • Signature authentication in IKEv2 (cSRX, MX240, MX304, MX480, MX960, MX10004, MX10008, SRX1500, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Secure your IPsec VPN service that runs using the iked process with IKEv2 signature authentication based on RFC 7427. Enable this feature by using the following options:

    • digital-signature—Configure this option at the [edit security ike proposal proposal-name authentication-method] hierarchy level to enable the signature authentication method. You can use this method only if your device exchanges a signature hash algorithm with the peer.

    • signature-hash-algorithm—Configure this option at the [edit security ike proposal proposal-name] hierarchy level to enable the peer device to use one or more specific signature hash algorithms (SHA1, SHA256, SHA384, and SHA512). Note that the IKE peers can use different hash algorithms in different directions.

    [See Signature Authentication in IKEv2, proposal (Security IKE), and Signature Hash Algorithm (Security IKE).]
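
The hash exchange that digital-signature depends on, as an added example (not Juniper code): RFC 7427 peers advertise the hashes they can verify in a SIGNATURE_HASH_ALGORITHMS notification (type 16431) as a list of 16-bit identifiers, and each side signs with a hash the other side advertised. The gateway lists and function names below are constructed for illustration.

```python
import struct

# RFC 7427 values: Notify message type and IKEv2 hash algorithm identifiers.
SIGNATURE_HASH_ALGORITHMS = 16431
HASH_IDS = {"SHA1": 1, "SHA256": 2, "SHA384": 3, "SHA512": 4}
HASH_NAMES = {v: k for k, v in HASH_IDS.items()}


def encode_supported(names):
    """Build notification data: one 16-bit identifier per supported hash."""
    return b"".join(struct.pack("!H", HASH_IDS[n]) for n in names)


def decode_supported(data):
    """Return the known hash names a peer advertised; reject odd lengths."""
    if len(data) % 2:
        raise ValueError("notification data must be a list of 16-bit values")
    ids = struct.unpack("!%dH" % (len(data) // 2), data)
    return [HASH_NAMES[i] for i in ids if i in HASH_NAMES]  # skip unknown ids


def choose_signing_hash(local_preference, peer_notify_data):
    """Pick the hash this side uses to sign its AUTH payload.

    The signer must use a hash the peer advertised, so each direction is
    decided independently. None means there is no common hash and
    signature authentication cannot be used toward that peer.
    """
    peer_accepts = set(decode_supported(peer_notify_data))
    for name in local_preference:
        if name in peer_accepts:
            return name
    return None


# Constructed sample policies (assumptions, not taken from any device).
GATEWAY_A = ["SHA512", "SHA384", "SHA256"]
GATEWAY_B = ["SHA256", "SHA512"]
LEGACY_PEER = ["SHA1"]

if __name__ == "__main__":
    print("A signs with:", choose_signing_hash(GATEWAY_A, encode_supported(GATEWAY_B)))
    print("B signs with:", choose_signing_hash(GATEWAY_B, encode_supported(GATEWAY_A)))
    print("A to legacy: ", choose_signing_hash(GATEWAY_A, encode_supported(LEGACY_PEER)))
```

With these sample lists the two directions settle on different hashes, and the SHA1-only peer leaves no common hash, so the check for that case belongs in whatever validates a proposal before it is committed.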