IPsec VPN Configuration Overview

Internet Key Exchange (IKE) negotiation of an IPsec tunnel occurs in two phases. In Phase 1, the participants establish a secure channel in which to negotiate the IPsec security association (SA). In Phase 2, the participants negotiate the IPsec SA for authenticating traffic that will flow through the tunnel. Just as there are two phases to tunnel negotiation, there are two phases to tunnel configuration.

The following procedure lists the recommended order in which you should configure an IPsec VPN tunnel:

  1. Configure Phase 1 of the IPsec tunnel:

    1. Configure an IKE Phase 1 proposal. (See Example: Configuring an IKE Phase 1 Proposal (CLI).)
    2. Configure an IKE policy that references the proposal. (See Example: Configuring an IKE Policy (CLI).)
    3. Configure an IKE gateway that references the policy. (See Example: Configuring an IKE Gateway (CLI).)
  2. Configure Phase 2 of the IPsec tunnel:

    1. Configure a Phase 2 proposal. (See Example: Configuring an IPsec Phase 2 Proposal (CLI).)
    2. Configure a policy that references the proposal. (See Example: Configuring AutoKey IKE (CLI).)
    3. Configure an AutoKey IKE that references the policy and the gateway. (See Example: Configuring AutoKey IKE (CLI).)
  3. Update your global VPN settings. (See Example: Configuring Global SPI and VPN Monitoring Features (CLI).)
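
The procedure above, end to end, as an added example that is not taken from the original page or from the vendor's examples it links to. It assumes the Junos OS `set security` hierarchy; every object name, the peer address (192.0.2.1, a documentation range), the interface, the timers, and the key string are placeholders chosen for illustration.

```junos
# Constructed example: names, address, interface, timers and key are placeholders.

# Phase 1, step 1: IKE proposal
set security ike proposal ike-prop-example authentication-method pre-shared-keys
set security ike proposal ike-prop-example dh-group group14
set security ike proposal ike-prop-example authentication-algorithm sha-256
set security ike proposal ike-prop-example encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-example lifetime-seconds 28800

# Phase 1, step 2: IKE policy that references the proposal
set security ike policy ike-pol-example mode main
set security ike policy ike-pol-example proposals ike-prop-example
set security ike policy ike-pol-example pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"

# Phase 1, step 3: IKE gateway that references the policy
set security ike gateway gw-example ike-policy ike-pol-example
set security ike gateway gw-example address 192.0.2.1
set security ike gateway gw-example external-interface ge-0/0/0.0

# Phase 2, step 1: IPsec proposal
set security ipsec proposal ipsec-prop-example protocol esp
set security ipsec proposal ipsec-prop-example authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-example encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-example lifetime-seconds 3600

# Phase 2, step 2: IPsec policy that references the proposal
set security ipsec policy ipsec-pol-example perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-example proposals ipsec-prop-example

# Phase 2, step 3: AutoKey IKE VPN that references the gateway and the policy
set security ipsec vpn vpn-example ike gateway gw-example
set security ipsec vpn vpn-example ike ipsec-policy ipsec-pol-example

# Step 3: global settings (bad-SPI responses and VPN monitoring)
set security ike respond-bad-spi 5
set security ipsec vpn-monitor-options interval 15 threshold 15
```

Each object names the one created in the step before it, which is why the order matters. Binding the VPN to a tunnel interface or a security policy is outside this procedure and is not shown.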
