IPsec VPN Global Settings

You are here: Network > VPN > IPsec VPN.

Use this page to view or add the VPN global configuration details. Click Global Settings on the IPsec VPN page.

Field Descriptions

Table 1 describes the fields on the Global Settings page.

Table 1: Fields on the Global Settings Page

Field

Description

General

IKE - respond to bad-spi

Enable this option if you want the device to respond to IPsec packets with invalid IPsec Security Parameter Index (SPI) values.

Max responses

Enter the maximum number of responses to invalid SPI values per gateway, from 1 through 30. The default is 5. This option is available when Response Bad SPI is selected.

IKE SNMP trap

Enable this option to control the sending of SNMP traps.

Tunnel down

Enable this option to generate traps for an IPsec tunnel going down only when the associated peer IKE SA is up.

Note:

This option is available when IKE SNMP trap is selected.

Peer down

Enable this option to generate traps when the peer goes down.

Note:

This option is available when IKE SNMP trap is selected.

IPsec VPN monitor options

Enable this option if you want the device to monitor VPN liveliness.

Interval (seconds)

Enter a value from 2 through 3600 seconds after which Internet Control Message Protocol (ICMP) requests are sent to the peer.

Threshold

Enter a value from 1 through 65,536 to specify the number of consecutive unsuccessful pings before the peer is declared unreachable.

Remote Access VPN

Default profile name

Select a default profile name from the list.

Note:
  • This option is available when at least one Juniper Secure Connect VPN is created.

  • Starting in Junos OS Release 23.1R1, the default profile is deprecated in J-Web.

SSL VPN tunnel tracking

Enable this option to track Encapsulated Security Payload (ESP) tunnels.

SSL VPN profiles

Lists the SSL VPN profiles.

Note:

This option displays associated IPsec VPNs when at least one Juniper Secure Connect VPN is created.

To add a new SSL VPN profile:

  1. Click +.

    The Add SSL VPN Profile page appears.

  2. Enter the following details:

    • Name—Enter the name for an SSL VPN profile.

    • Logging—Enable this option to turn on logging for SSL VPN.

    • SSL Termination Profile—Select an SSL termination profile from the list.

      To add a new SSL termination profile:

      1. Click Add.

        The Create SSL Termination Profile page appears.

      2. Enter the following details:

        • Name—Enter a name for the SSL termination profile.

        • Server Certificate—Select a server certificate from the list.

          To add a certificate, click Add. For more information on adding a device certificate, see Add a Device Certificate.

          To import a certificate, click Import. For more information on importing a device certificate, see Import a Device Certificate.

        • Click OK.

      3. Click OK.

  3. Click OK.

To edit an SSL termination profile, select the profile you want to edit and click on the pencil icon.

To delete an SSL termination profile, select the profile you want to delete and click on the delete icon.

Internal SA Encryption

Algorithm

Select an encryption algorithm from the list: 3DES-CBC or AES-128-CBC.

Key

Enter the encryption key. You must ensure that the manual encryption key is in ASCII text and 16 (for AES-128-CBC algorithm) or 24 (for 3DES-CBC algorithm) characters long; otherwise, the configuration will result in a commit failure.

Note:

Key field will be enabled only if you select an algorithm.
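
An added example (not from the original page or from Juniper): a check for the Key rule above that can run before the value is entered, together with a random key generator and the entropy it yields. The alphabet, the printable-character check and all function names are assumptions of this example.

```python
import math
import secrets
import string

# Required key length in characters per algorithm, as stated in the Key field description.
KEY_LENGTHS = {"aes-128-cbc": 16, "3des-cbc": 24}

# Assumption of this example: letters and digits only, so the key never needs
# quoting or escaping when pasted into a form field or a CLI session.
ALPHABET = string.ascii_letters + string.digits


def validate_key(algorithm: str, key: str) -> list[str]:
    """Return a list of problems; an empty list means the key meets the stated rules."""
    expected = KEY_LENGTHS.get(algorithm.lower())
    if expected is None:
        return [f"unsupported algorithm: {algorithm!r}"]
    problems = []
    if not key.isascii():
        problems.append("key contains non-ASCII characters")
    elif not key.isprintable():
        # Extra check added here (assumption): control characters are ASCII
        # but cannot be typed reliably into a text field.
        problems.append("key contains non-printable characters")
    if len(key) != expected:
        problems.append(f"key is {len(key)} characters, {algorithm} needs {expected}")
    return problems


def generate_key(algorithm: str) -> str:
    """Draw a key of the required length from ALPHABET using the OS CSPRNG."""
    length = KEY_LENGTHS[algorithm.lower()]
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(algorithm: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random key of the required length over the alphabet."""
    return KEY_LENGTHS[algorithm.lower()] * math.log2(alphabet_size)


if __name__ == "__main__":
    for alg in KEY_LENGTHS:
        key = generate_key(alg)
        print(alg, len(key), validate_key(alg, key), round(entropy_bits(alg), 1))
```

With this 62-symbol alphabet, a random 16-character key carries about 95 bits of entropy, which is less than the 128 bits in the algorithm name; a human-chosen phrase carries far less.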

IKE HA link

Use this toggle to enable or disable HA link encryption of IKE internal messages for HA devices. By default, IKE HA link is disabled.

IKE Package
Note:
  • If the device is in chassis cluster mode, you must install the junos-ike package on both the primary node and the secondary node. Because the J-Web server runs only on the primary node, you can use J-Web to install the junos-ike package only on the primary node. Use the CLI to install the junos-ike package on the secondary node.

  • The junos-ike package is not supported for SRX300 Series Firewall.

  • For SRX1600 and SRX2300 Firewalls, the junos-ike package is already installed.

Install IKE package

Use this to install junos-ike package on your device.

Note:

You must reboot your device once the junos-ike package is installed on your device to avoid a configuration mismatch error.

Uninstall IKE package

Use this to uninstall junos-ike package from your device.

Note:

You must reboot your device once the junos-ike package is uninstalled from your device to avoid a configuration mismatch error.

Reboot Device

To reboot your device, do the following:

  1. Click the reboot device button. The Reboot Device window appears.

  2. Select and set the reboot time:

    • Now—The device reboots immediately.

    • In—Set the Reboot Time (minutes).

    • At—Set the Reboot at option to schedule the reboot at a particular time.

    Note:

    Restart your device to ensure proper operation of J-Web.

  3. Click OK.