Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Create a Hub-and-Spoke Auto Discovery VPN

The Auto-Discovery VPN (ADVPN) dynamically establishes VPN tunnels between spokes to avoid routing traffic through the hub.

Before You Begin

  1. Select SRX > IPsec VPN > IPsec VPNs.

    The IPsec VPNs page opens.

  2. Click Create > Route Based - Hub and Spoke (ADVPN - Auto Discovery VPN).

    The Create Hub-and-Spoke (ADVPN - Auto Discovery VPN) page opens.

  3. Complete the VPN configuration parameters according to the guidelines provided in Table 1.
    Note:

    Click View IKE/IPSec Settings to view or edit VPN profiles. If the VPN profile is default, you can edit the configurations. If the profile is shared, you can only view the configurations.

    The VPN connectivity will change from gray to blue line in the topology to show that the configuration is complete. The topology displayed for hub-and-spoke is only a representation. You can configure any number of hubs and spokes.

  4. Click Save to save the IPsec VPN configuration.
Table 1: Create Hub-and-Spoke (ADVPN - Auto Discovery VPN) Page Settings

Settings

Guidelines

Name

Enter a unique string of maximum 63 alphanumeric characters without spaces.

The string can contain colons, periods, dashes, and underscores.

Description

Enter a description containing maximum 255 characters for the VPN.

Routing Topology

Select OSPF-dynamic routing to generate the OSPF configuration.

VPN Profile

Select a VPN profile from the drop-down list based on the deployment scenario.

  • The Inline profile is applicable only to a particular IPsec VPN. You can view and edit the details by clicking View IKE/IPsec settings on the Create VPN page.

  • The Shared profile can be used by one or more IPsec VPNs. You can only view the details of the shared profiles by clicking View IKE/IPsec settings.

Authentication Method

Select an authentication method from the list that the device uses to authenticate the source of IKE messages.

  • RSA-Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures is used.

  • DSA-Signatures—Specifies that the Digital Signature Algorithm (DSA) is used.

  • ECDSA-Signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

  • ECDSA-Signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

Max Transmission Unit

Select the maximum transmission unit (MTU) in bytes.

MTU defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68 to 9192 bytes, and the default value is 1500 bytes.

Pre-shared Key

Establish a VPN connection using pre-shared keys, which is essentially a password that is same for both parties.

Select the type of pre-shared key to use:

  • Autogenerate—Select if you want to automatically generate a unique key per tunnel. When selected, the Generate Unique key per tunnel option is automatically enabled. If you disable Generate Unique key per tunnel option, Security Director generates a single key for all tunnels.

  • Manual—Select to enter the key manually. By default, the manual key is masked.

Pre-shared keys are applicable only if the authentication method is Preshared-based.

Network IP

Enter the IP address of the numbered tunnel interface.

This is the subnet address from where the IP address is automatically assigned for tunnel interfaces.

Number of Spoke Devices Per Tunnel Interface

Select All or specify the number of spoke devices to share one tunnel interface on hub.

Devices

Add devices as endpoints in the VPN. You can add maximum two devices.

To add devices in route-based VPNs:

  1. Click Add, and click one of the following: Hub Device, Spoke Device, or Extranet Spoke Device.

    The Add Device page opens.

  2. Configure the device parameters as described in Table 2.
  3. Click OK.
Table 2: Add Device Page Settings

Settings

Guidelines

Device

Select a device.

External Interface

Select the outgoing interface for IKE security associations (SAs).

This interface is associated with a zone that acts as its carrier, providing firewall security for it.

Tunnel Zone

Select the tunnel zone.

Tunnel zones are logical areas of address space that can support dynamic IP (DIP) address pools for NAT applications to pre- and post-encapsulated IPsec traffic. Tunnel zones also provide flexibility in combining tunnel interfaces with VPN tunnels.

Metric

Specify the cost for an access route for the next hop.

Routing instance

Select the required routing instance.

Certificate

Select a certificate to authenticate the VPN initiator and recipient.

This is applicable in one of the following scenarios:

  • The VPN profile is RSA profile or ADVPN profile.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Trusted CA/Group

Select the CA profile from the list to associate it with the local certificate.

This is applicable in one of the following scenarios:

  • The VPN profile is RSA profile or ADVPN profile.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Container

The hub authenticates the spoke’s IKE ID if the subject fields of the spoke’s certificate exactly match the values configured on the hub.

You can specify multiple entries for each subject field. The order of values in the fields must match.

Wildcard

The hub authenticates the spoke’s IKE ID if the subject fields of the spoke’s certificate match the values configured on the hub.

The wildcard match supports only one value per field. The order of the fields is inconsequential

Export

Select the type of routes to export.

  • Select the Static Routes check box to export static routes.

    Juniper Security Director Cloud simplifies VPN address management by enabling the administrator to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN. However, only devices on the hub side can export static default routes to the device side. Devices at the spoke side cannot export static default routes over a tunnel.

    For eBGP Dynamic Routing, the Static Routes check box is selected by default.

  • Select the RIP Routes check box to export RIP routes.

    You can export RIP routes only when Routing Topology is OSPF Dynamic Routing.

  • Select the OSPF Routes check box to export OSPF routes.

    You can export OSPF routes only when Routing Topology is RIP-Dynamic Routing.

If you select OSPF or RIP export, the OSPF or RIP routes outside the VPN network is imported into a VPN network through OSPF or RIP Dynamic routing protocols.

OSPF Area

Select an OSPF area ID within the range of 0 to 4,294,967,295 where the tunnel interfaces of this VPN need to be configured.

The OSPF area ID is applicable when the Routing Topology is OSPF-Dynamic Routing.

Protected Networks

Configure the addresses or interface type for the selected device to protect one area of the network from the other.

When a dynamic routing protocol is selected, the interface option is displayed.

You can also create addresses by clicking Add New Address.

Table 3: View IKE/IPsec Settings

Settings

Guidelines

IKE Settings

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec.

By default, IKE V2 is used.

Mode

Select an IKE policy mode.

  • Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. This mode also provides identity protection.

  • Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

Mode is applicable when the IKE Version is V1.

Encryption Algorithm

Select the appropriate encryption mechanism.

Authentication Algorithm

Select an algorithm.

The device uses this algorithm to verify the authenticity and integrity of a packet.

Deffie Hellman group

Select a group.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Lifetime Seconds

Select a lifetime of an IKE security association (SA).

The valid range is from 180 to 86400 seconds.

Dead Peer Detection

Enable this option to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD Mode.

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages.

The default interval is 10 seconds with a valid range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1 to 5.

Advance Settings

General IKE ID

Enable this option to accept peer IKE ID

This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

IKEv2 Re Authentication

Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0.

The valid range is 0 to 100.

IKEv2 Re Fragmentation Support

Enable this option to split a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKEv2 Re-fragment Size

Select the size of the packet at which messages are fragmented.

By default, the size is 576 bytes for IPv4, and the valid range is 570 to 1320.

IKE ID

Select one of the following options:

  • None

  • Distinguished name

  • Hostname

  • IPv4 address

  • E-mail Address

IKE ID is applicable only when General IKE ID is disabled.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a period in seconds to keep the connection alive.

NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers.

The valid range is from 1 to 300 seconds.

IPSec Settings

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication.

  • AH—The Authentication Header (AH) protocol provides data integrity and data authentication.

Encryption Algorithm

Select the encryption method.

This is applicable if the Protocol is ESP.

Authentication Algorithm

Select an algorithm.

The device uses these algorithms to verify the authenticity and integrity of a packet.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key.

The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.

Establish Tunnel

Select an option to specify when IKE is activated.

  • Immediately—IKE is activated immediately after VPN configuration changes are committed.

  • On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

Advance Settings

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.

Optimized

Enable this option to optimize VPN monitoring and configure SRX Series devices to send ICMP echo requests, also called pings, only when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel.

If there is incoming traffic through the VPN tunnel, the SRX Series devices considers the tunnel to be active and do not send pings to the peer.

Anti Replay

Enable this option for the IPsec mechanism to protect against a VPN attack that uses a sequence of numbers that are built into the IPsec packet.

IPsec does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers.

Disable this option if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

By default, Anti-Replay detection is enabled.

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval.

The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default option.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable this option to allow copying of the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path.

The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.

Lifetime Seconds

Select a lifetime of an IKE security association (SA).

The valid range is from 180 to 86400 seconds.

Lifetime Kilobytes

Select the lifetime in kilobytes of an IPsec security association (SA).

The valid range is from 64 to 4294967294 kilobytes.