vpn (Security)

Syntax

Hierarchy Level

Description

Configure an IPsec VPN. A VPN provides a means by which remote computers communicate securely across a public WAN suchas the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The trafficthat flows between these two points passes through shared resources such as routers, switches, and othernetwork equipment that make up the public WAN. To secure VPN communication while passing throughthe WAN, the two participants create an IP Security (IPsec) tunnel. IPsec is a suite of related protocols for cryptographically securing communications at the IP Packet Layer.

Options

vpn-name	Name of the VPN.
bind-interface	Configure the tunnel interface to which the route-based virtual private network (VPN) is bound.
copy-outer-dscp	Enable copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules.
distribution-profile	Specify a distribution-profile to distribute tunnels. The `distribution-profile` option is introduced to give the administrator an option to select which PICs in the chassis should handle tunnels associated with a certain VPN object. If the default profiles such as `default-spc3-profile` or `default-spc2-profile` are not selected, a new user-defined profile can be selected. In a profile, you need to mention the Flexible PIC Concentrator (FPC) slot and the PIC number. When such a profile is associated with a VPN object, all matching tunnels are distributed across these PIC's. Values: default-spc2-profile—Default group for distributing tunnels on SPC2 only default-spc3-profile—Default group for distributing tunnels on SPC3 only distribution-profile-name—Name of the distribution profile.
df-bit	Specify how the device handles the Don't Fragment (DF) bit in the outer header. On SRX5400, SRX5600, and SRX5800 devices, the DF-bit configuration for VPN only works if the original packet size is smaller than the st0 interface MTU, and larger than the external interface-ipsec overhead. Values: `clear`—Clear (disable) the DF bit from the outer header. This is the default. `copy`—Copy the DF bit to the outer header. `set`—Set (enable) the DF bit in the outer header.
establish-tunnels	Specify when IKE is activated: immediately after VPN information is configured and configuration changes are committed, or only when data traffic flows. If this configuration is not specified, IKE is activated only when data traffic flows. Values: `immediately`—IKE is activated immediately after VPN configuration changes are committed. Starting with Junos OS Release 15.1X49-D70, a warning message is displayed if you configure the `establish-tunnels immediately` option for an IKE gateway with `group-ike-id` or `shared-ike-id` IKE user types (for example, with AutoVPN or a remote access VPN). The `establish-tunnels immediately` option is not appropriate for these VPNs because multiple VPN tunnels may be associated with a single VPN configuration. Committing the configuration will succeed, however the `establish-tunnels immediately` configuration is ignored. The state of the tunnel interface will be up all the time, which was not the case in previous releases when the `establish-tunnels immediately` option was configured. `on-traffic`—IKE is activated only when data traffic flows and must to be negotiated with the peer gateway. This is the default behavior. `responder-only`—Responds to IKE negotiations that are initiated by the peer gateway, but does not initiate IKE negotiations from the device. This option is required when another vendor’s peer gateway expects the protocol and port values in the traffic selector from the initiating gateway. `responder-only` option added in Junos OS Release 19.1R1. This option is supported on unified iked process that is not enabled by default. Administrators must execute the `request system software add optional://junos-ike.tgz` command to load the `junos-ike` package. `responder-only-no-rekey`—Option does not establish any VPN tunnel from the device, so the VPN tunnel is initiated from the remote peer. An established tunnel does not start any rekeying from the device and relies on the remote peer to initiate this rekeying. If rekeying does not occur, then the tunnel is brought down after hard-lifetime expires. This option is supported on unified iked process that is not enabled by default. Administrators must execute the `request system software add optional://junos-ike.tgz` command to load the `junos-ike` package.
ike	Define an IKE-keyed IPsec VPN.
manual	Define a manual IPsec security association (SA).
multi-sa	Negotiate multiple security association (SAs) based on configuration choice. Multiple SAs negotiates with the same traffic selector on the same IKE SA.
traffic-selector	Configure multiple sets of local IP address prefix, remote IP address prefix, source port range, destination port range, and protocol as a traffic selector for an IPsec tunnel.
match-direction	Direction for which the rule match is applied Values: input—Match on input to interface output—Match on output from interface
passive-mode-tunneling	No active IP packet checks before IPSec encapsulation
tunnel-mtu	Maximum transmit packet size Range: 256 through 9192
udp-encapsulation	(Optional) Use the specified UDP destination port for the UDP header that is appended to the ESP encapsulation. Enable multiple path forwarding of IPsec traffic by adding a UDP header to the IPsec encapsulation of packets. Doing this increases the throughput of IPsec traffic. If you do not enable UDP encapsulation, all the IPsec traffic follows a single forward path rather than using multiple available paths. Range: 1025 through 65536. Do not use 4500. Default: If you do not include the udp-dest-port statement, the default UDP destination port is 4565.
vpn-monitor	Configure settings for VPN monitoring.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Support for IPv6 addresses added in Junos OS Release 11.1.

Support for copy-outer-dscp added in Junos OS Release 15.1X49-D30.

verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70.

packet-size option added in Junos OS Release 15.1X49-D120.

Support for term, protocol, source-port, destination-port, metric, and description options introduced in Junos OS Release 21.1R1.

Support for vpn-monitor option with IPsec VPN running iked process is added in Junos OS Release 23.4R1.

ON THIS PAGE