Dynamic VPN Configuration Overview
The dynamic VPN feature secures traffic through your network by passing it through IPsec VPN tunnels. To configure an IPsec VPN tunnel, you must specify Phase 1 settings (which enable participants to establish a secure channel in which to negotiate the IPsec security association (SA)) and Phase 2 settings (which enable participants to negotiate the IPsec SA that authenticates traffic flowing through the tunnel). This topic describes the order in which you must configure these tunnel negotiation settings, as well as the other tasks you must complete to enable the tunnels on your network.
To configure the dynamic VPN feature, you must do the following:
- Define an outgoing interface by using the interfaces configuration statement.
Use this interface to pass IKE security associations (SAs) through the device. (You need to select this interface when configuring your IKE gateway.) See the JUNOS Software Interfaces Configuration Guide for Security Devices.
- Create security policies by using the security policies configuration statement.
Use these policies to define which traffic can pass through your network. (After you create your VPN configuration, you need to add it to this policy.) See Example: Configuring a Security Policy to Permit and Deny Traffic.
- Create at least one access profile by using the access profile configuration statement.
Use the access profile(s) to control the authentication of users who want to download Access Manager and users who want to establish dynamic VPN tunnels to your firewall. (You need to select these access profiles when configuring your IKE gateway and dynamic VPN global options. Note that you can use the same access profile to authenticate users in both cases, or you can use separate access profiles to authenticate downloads and VPN sessions.) See:
- Create an IKE gateway to include in your VPN configuration:
  - Create one or more IKE Phase 1 proposals by using the security ike proposal configuration statement. (You need to select this proposal when configuring your IKE policy.) See Example: Configuring an IKE Phase 1 Proposal (CLI).
  - Create one or more IKE policies by using the security ike policy configuration statement. (You need to select this policy when configuring your IKE gateway.) See Example: Configuring an IKE Policy (CLI).
  - Create an IKE gateway configuration by using the security ike gateway configuration statement. (You need to select this gateway when configuring your IPsec AutoKey.) See Example: Configuring an IKE Gateway (CLI).
- Create an IPsec AutoKey to include in your VPN configuration:
  - Create one or more IPsec Phase 2 proposals by using the security ipsec proposal configuration statement. (You need to select this proposal when configuring your IPsec policy.) See Example: Configuring an IPsec Phase 2 Proposal (CLI).
  - Create one or more IPsec policies by using the security ipsec policy configuration statement. (You need to select this policy when configuring your IPsec AutoKey.) See Example: Configuring an IPsec Policy (CLI).
  - Create an IKE AutoKey configuration by using the security ipsec autokey configuration statement. (You need to select this IKE AutoKey configuration when configuring your VPN client configuration.) See Example: Configuring AutoKey IKE (CLI).
- Create a client VPN configuration by using the security dynamic-vpn clients configuration statement.
The settings are downloaded as part of the client to your users' computers and are used to establish the dynamic VPN tunnels between the clients and the server. For more detailed configuration instructions, see Example: Creating a Dynamic VPN Client Configuration (CLI).
- Update your security policy (or policies) to include your client VPN configuration by using the security from-zone zone-name to-zone zone-name policy then permit tunnel ipsec-vpn vpn-name configuration statement. See Example: Configuring a Security Policy to Permit and Deny Traffic.
- Specify global settings for client downloads by using the security dynamic-vpn access-profile configuration statement and the security dynamic-vpn force-upgrade configuration statement. For more detailed configuration instructions, see Example: Configuring Dynamic VPN Global Client Download Settings (CLI).
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Dynamic VPN Overview