IKE (Phase I) Configuration Page Options
- Select Configure > IPsec VPN > Auto Tunnel > Phase I in the J-Web user interface if you are using SRX5400, SRX5600, or SRX5800 platforms.
Or
Select Configure > Security > IPsec VPN > VPN Tunnel I in the J-Web user interface.
The VPN Gateway configuration page appears.
- (Junos OS Release 18.3R1 and later releases) Select Configure > Security Services > IPsec VPN > IKE (Phase I) in the J-Web user interface.
The IKE (Phase I) configuration page appears. Table 1 explains the contents of this page.
- Click one:
Add or +—Adds a new or duplicate VPN gateway configuration. Enter information as specified in Table 2.
Edit or /—Edits a selected VPN gateway configuration.
Delete or X—Deletes the selected VPN gateway configuration.
- Click one:
OK—Saves the configuration and returns to the main configuration page.
Commit Options > Commit—Commits the configuration and returns to the main configuration page.
Cancel—Cancels your entries and returns to the main configuration page.
Table 1: IKE (Phase I) Configuration Page
Field | Function |
---|---|
Gateway | |
Gateway Name | Displays the name of the gateway to be searched. |
Search | Displays the text box for searching a gateway. |
Name | Displays the name of the destination peer gateway, specified as an alphanumeric string. |
IKE Policy | Displays the name of the IKE policy. |
External Interface | Displays the name of the interface to be used to send traffic to the IPsec VPN. |
Remote Identity | Displays information about the remote peer. |
IKE Policy | |
Name | Displays the name of the policy. |
Description | Provides a description of the policy. |
Mode | Displays the mode of configuration. |
Authentication Method | Displays the authentication method configured. |
Proposal | Displays the name of the proposal configured to be used by this policy in Phase 1. |
Proposal | |
Name | Displays the name of the proposal selected. |
Authentication Algorithm | Displays the hash algorithm configured or selected. |
Authentication Method | Displays the authentication method selected. |
Encryption Algorithm | Displays the supported IKE proposals. |
Table 2: Add Gateway Configuration Details
Field | Function | Action |
---|---|---|
IKE Gateway | ||
Name | Specifies the name of the gateway. | Enter the name of the gateway. |
Policy | Specifies the name of the policy. | Enter the name of the policy you configured for Phase 1. |
External Interface | Specifies the name of the interface to be used to send traffic to the IPsec VPN. Specifies the outgoing interface for IKE SAs. This interface is associated with a zone that acts as its carrier, providing firewall security for it. | Select an outgoing interface from the list. |
Site to Site VPN | Specifies the VPN configuration type as site to site. | Click the Site to Site radio button. |
Address/FQDN | Specifies the address or FQDN of the peer. | Enter information about the peer IP or domain name. |
Local ID | ||
Identity Type | Specifies the identity type. The identity types are as follows: | Select one of the identity type options. |
Client Tunnel | Specifies the remote access dynamic VPN. | Select the Client Tunnel radio button. |
Connections limit | Specifies the limit on connections. | Enter the connection limit. |
IKE user type | Specifies the Internet Key Exchange user type. The IKE user types are as follows: | Select one of the IKE user type options. |
Remote ID | ||
Identity type | Specifies the identity type. The identity types are as follows: | Select one of the identity type options. |
IKE Gateway Options | ||
Identity Type | Specifies the local IKE identity to send in the exchange with the destination peer so that the destination peer can communicate with the local peer. If you do not configure a local identity, the device uses the IP address corresponding to the local endpoint. You can identify the local identity in any of the following ways: | Select one of the identity type options. |
Dead Peer Detection | Specifies whether to enable DPD. | Select the check box. |
Always send | Specifies that the device sends DPD requests regardless of whether there is outgoing IPsec traffic to the peer. | Select the check box. |
Interval | Specifies the amount of time that the peer waits for traffic from its destination peer before sending a DPD request packet. | Enter the interval at which to send DPD messages. Range: 1 through 60 seconds. |
Threshold | Specifies the maximum number of unsuccessful DPD requests that can be sent before the peer is considered unavailable. | Enter the maximum number of unsuccessful DPD requests to be sent. Range: 1 through 5. Default: 5. |
AAA | Provides AAA in addition to IKE authentication for remote users trying to access a VPN tunnel. | Select AAA from the list. |
NAT-Traversal | Specifies whether to enable NAT-T. NAT-T is enabled by default. | Select the check box to disable or enable. |
NAT-keepalive | Specifies the interval at which NAT keepalive packets can be sent so that NAT continues. | Enter the interval, in seconds, at which NAT keepalive packets can be sent. Default: 5 seconds. Range: 1 through 300 seconds. |
Add Policy | ||
IKE Policy | ||
Name | Specifies the name of the IKE policy. | Enter the policy name. |
Description | Provides a description of the policy. | Enter a description of the policy. |
Mode | Specifies the mode. The available modes are as follows: | Select a mode from the list. |
Proposal | ||
Predefined | Specifies the predefined Phase 1 proposals. Use one of the following types of predefined Phase 1 proposals: | Click Predefined, and select a proposal type. |
User defined | Specifies the user-defined Phase 1 proposal. | Click User Defined, select a proposal from the pop-up menu, and click Add. |
Proposal List | Specifies one or more proposals that can be used during key negotiation. | Click the Predefined Proposal option button to select proposals preconfigured by JUNOS Software. Click the User Defined Proposal option button to use proposals that you have created. |
IKE Policy Options | ||
Pre Shared Key | Specifies use of a preshared key for the VPN. The available options are as follows: | If a preshared key is selected, then configure the appropriate key. |
Certificate | Specifies use of a certificate for the VPN. | Click the option button. |
Local Certificate | Specifies use of a particular certificate when the local device has multiple loaded certificates. | Enter a local certificate identifier. |
Peer Certificate Type | Specifies use of a preferred type of certificate. The available options are as follows: | Select a certificate type. |
Trusted CA | Specifies the preferred CA to use when requesting a certificate from the peer. If no value is specified, then no certificate request is sent (although incoming certificates are still accepted). The options that are available are as follows: | Select a trusted CA from the list. |
Add Proposal | ||
IKE Proposal | ||
Name | Specifies the name of the proposal. | Enter the name of the proposal. |
Authentication Algorithm | Specifies the AH algorithm that the device uses to verify the authenticity and integrity of a packet. Supported algorithms include the following: | Select a hash algorithm from the available options. |
Authentication Method | Specifies the method the device uses to authenticate the source of IKE messages. The available options are as follows: | Select an option. |
Description | Provides a description of the proposal for easy identification. | Enter a brief description of the IKE proposal. |
DH Group | Specifies the Diffie-Hellman group. The DH exchange allows participants to produce a shared secret value over an unsecured medium without actually transmitting the value across the connection. The available options are as follows: Note: Starting in Junos OS Release 19.1R1, the new DH groups are supported on SRX5000 Series devices with an SPC3 card only after the junos-ike package is installed. To install the junos-ike package from J-Web, navigate to Configure > Security Services > IPsec VPN > Global Settings and click Install. | Select a group. If you configure multiple (up to four) proposals for Phase 1 negotiations, use the same Diffie-Hellman group in all proposals. |
Encryption Algorithm | Specifies the supported Internet Key Exchange (IKE) proposals. It includes the following: | Select an encryption algorithm from the list. |
Lifetime seconds | Specifies the lifetime, in seconds, of an IKE SA. When the SA expires, it is replaced by a new SA and SPI or is terminated. | Select a lifetime for the IKE SA. Default: 3,600 seconds. Range: 180 through 86,400 seconds. |
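The proposal, policy and site-to-site gateway that the Add Proposal, Add Policy and Add Gateway pages above build can also be entered as Junos CLI set commands. The following is an added illustration, not part of the original documentation; the object names, peer address, interface, identities and key value are assumed placeholders, and the DPD, NAT keepalive and lifetime values are the defaults and ranges stated in Table 2.

```junos
# Added example (not from the original page): CLI equivalent of the J-Web
# IKE (Phase I) fields. Names, addresses, interface and key are placeholders.

# Add Proposal: authentication method, hash and encryption algorithms, DH group,
# and IKE SA lifetime (default 3600 s, range 180-86400 s)
set security ike proposal ike-prop-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-1 dh-group group14
set security ike proposal ike-prop-1 authentication-algorithm sha-256
set security ike proposal ike-prop-1 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-1 lifetime-seconds 3600

# Add Policy: mode, user-defined proposal list, pre-shared key
# (if several proposals are listed, keep the same dh-group in all of them)
set security ike policy ike-pol-1 mode main
set security ike policy ike-pol-1 proposals ike-prop-1
set security ike policy ike-pol-1 pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Add Gateway: site-to-site peer (Address/FQDN), external interface, local and
# remote identities (hostname form), DPD and NAT keepalive
set security ike gateway gw-site-a ike-policy ike-pol-1
set security ike gateway gw-site-a address 203.0.113.10
set security ike gateway gw-site-a external-interface ge-0/0/0.0
set security ike gateway gw-site-a local-identity hostname hub.example.net
set security ike gateway gw-site-a remote-identity hostname spoke-a.example.net
# Dead Peer Detection: Always send, Interval (1-60 s), Threshold (1-5, default 5).
# With interval 10 and threshold 5 the peer is declared unavailable after five
# unanswered requests, i.e. roughly 50 seconds without a reply.
set security ike gateway gw-site-a dead-peer-detection always-send
set security ike gateway gw-site-a dead-peer-detection interval 10
set security ike gateway gw-site-a dead-peer-detection threshold 5
# NAT-T stays enabled by default; NAT-keepalive default 5 s, range 1-300 s
set security ike gateway gw-site-a nat-keepalive 5
```

The Client Tunnel, AAA and certificate-based options from Table 2 are not shown; they replace the pre-shared-key and address statements rather than adding to them.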