Create a Site-to-Site VPN
You are here: Network > VPN > IPsec VPN.
To create a site-to-site VPN:
Field |
Action |
---|---|
Name |
Enter a name for the VPN. |
Description |
Enter a description. This description will be used for the IKE and IPsec proposals and policies. During edit, the IPsec policy description will be displayed and updated. |
Routing Mode |
Select the routing mode to which this VPN will be associated:
For each topology, J-Web auto generates the relevant CLIs. Traffic Selector is the default mode. |
Authentication Method |
Select an authentication method from the list that the device uses to authenticate the source of Internet Key Exchange (IKE) messages:
|
Auto-create Firewall Policy |
If you select Yes, a firewall policy is automatically between internal zone and tunnel interface zone with local protected networks as source address and remote protected networks as destination address. Another firewall policy will be created visa-versa. If you choose No, you don’t have a firewall policy option. You need to manually create the required firewall policy to make this VPN work. Note:
If you do not want to auto-create a firewall policy in the VPN workflow, then the protected network is hidden for dynamic routing in both local and remote gateway. |
Remote Gateway |
Displays the remote gateway icon in the topology. Click the icon to configure the remote gateway. The gateway identifies the remote peer with the IPsec VPN peers and defines the appropriate parameters for that IPsec VPN. For fields information, see Table 2. |
Local Gateway |
Displays the local gateway icon in the topology. Click the icon to configure the local gateway. For fields information, see Table 4. |
IKE and IPsec Settings |
Configure the custom IKE or IPsec proposal and the custom IPsec proposal with recommended algorithms or values. For fields information, see Table 6. Note:
|
Field |
Action |
---|---|
Gateway is behind NAT |
If enabled, the configured external IP address (IPv4 or IPv6) is referred to as the NAT device IP address. |
IKE Identity |
Select an option from the list to configure remote identity. |
Host name |
Enter a remote host name. |
IPv4 Address |
Enter a remote IPv4 address. |
IPv6 Address |
Enter a remote IPv6 address. |
Key ID |
Enter a Key ID. |
E-mail Address |
Enter an e-mail address. |
External IP Address |
Enter the peer IPv4 or IPv6 address. You can create one primary peer network with up to four backups. You must enter one IPv4 or IPv6 address or you can enter up to five IP addresses separated by comma. |
Protected Networks |
When you select a routing mode, lists all the global address(es). Select the addresses from the Available column and then click the right arrow to move it to the Selected column. When the routing mode is:
|
Add |
Click +. The Create Global Address page appears. See Table 3 for fields information. |
Field |
Action |
---|---|
Subnet |
Enter the subnet for IPv4 or IPv6 address. |
Identifier |
Enter a name for the global address. |
Field |
Action |
---|---|
Gateway is behind NAT |
Enable this option when the local gateway is behind a NAT device. |
IKE Identity |
Select an option from the list to configure local identity. When Gateway is behind NAT is enabled, you can configure an IPv4 or IPv6 address to reference the NAT device. |
Host name |
Enter a host name. Note:
This option is available only if Gateway is behind NAT is disabled. |
IPv4 Address |
Enter an IPv4 address. |
IPv6 Address |
Enter an IPv6 address. |
Key ID |
Enter a Key ID. Note:
This option is available only if Gateway is behind NAT is disabled. |
E-mail Address |
Enter an E-mail address. Note:
This option is available only if Gateway is behind NAT is disabled. |
External Interface |
Select an outgoing interface from the list for IKE negotiations. The list contains all available IP addresses if more than one IP address is configured to the specified interface. The selected IP address will be configured as the local address under the IKE gateway. |
Tunnel Interface |
Select an interface from the list to bind it to the tunnel interface (route-based VPN). Click Add to add a new interface. The Create Tunnel Interface page appears. See Table 5. |
Router ID |
Enter the routing device’s IP address. Note:
This option is available if the routing mode is Dynamic Routing - OSPF or BGP. |
Area ID |
Enter an area ID within the range of 0 to 4,294,967,295, where the tunnel interfaces of this VPN need to be configured. Note:
This option is available if the routing mode is Dynamic Routing - OSPF. |
Tunnel Interface Passive |
Enable this option to bypass traffic of the usual active IP checks. Note:
This option is available if the routing mode is Dynamic Routing - OSPF. |
ASN |
Enter the routing device’s AS number. Use a number assigned to you by the NIC. Range: 1 through 4,294,967,295 (232 – 1) in plain-number format for 4-byte AS numbers. Note:
This option is available if the routing mode is Dynamic Routing - BGP. |
Neighbor ID |
Enter IP address of a neighboring router. Note:
This option is available if the routing mode is Dynamic Routing - BGP. |
BGP Group Type |
Select the type of BGP peer group from the list:
Note:
This option is available if the routing mode is Dynamic Routing - BGP. |
Peer ASN |
Enter the neighbor (peer) autonomous system (AS) number. Note:
This option is available if you choose external as BGP Group Type. |
Import Policies |
Select one or more routing policies from the list to routes being imported into the routing table from BGP. Click Clear All to clear the selected polices. Note:
This option is available if the routing mode is Dynamic Routing - BGP. |
Export Policies |
Select one or more policies from the list to routes being exported from the routing table into BGP. Click Clear All to clear the selected polices. Note:
This option is available if the routing mode is Dynamic Routing - BGP. |
Local certificate |
Select a local certificate identifier when the local device has multiple loaded certificates. Note:
This option is available if the authentication method is Certificate Based. Click Add to generate a new certificate. Click Import to import a device certificate. For more information see Manage Device Certificates. |
Trusted CA/Group |
Select the certificate authority (CA) profile from list to associate it with the local certificate. Note:
This option is available if the authentication method is Certificate Based. Click Add to add a new CA profile. For more information see Manage Trusted Certificate Authority. |
Pre-shared Key |
Enter the value of the preshared key. The key can be one of the following:
Note:
This option is available if the authentication method is Pre-shared Key. |
Protected Networks |
Click +. The Create Protected Networks page appears. |
Create Protected Networks | |
Zone |
Select a security zone from the list that will be used as a source zone in the firewall policy. |
Global Address |
Select the addresses from the Available column and then click the right arrow to move it to the Selected column. |
Add |
Click Add. The Create Global Address page appears. See Table 3. |
Edit |
Select the protected network you want to edit and click on the pencil icon. The Edit Global Address page appears with editable fields. |
Delete |
Select the protected network you want to edit and click on the delete icon. The confirmation message pops up. Click Yes to delete. |
Field |
Action |
---|---|
Interface Unit |
Enter the logical unit number. |
Description |
Enter a description for the logical interface. |
Zone |
Select a zone for the logical interface from the list to use as a source zone in the firewall policy. Click Add to add a new zone. Enter zone name and description and click OK on the Create Security Zone page. |
Routing Instance |
Select a routing instance from the list. |
IPv4 Note:
This option is available only if you select routing mode as Dynamic Routing - OSPF or BGP. |
|
IPv4 Address |
Enter a valid IPv4 address. |
Subnet Prefix |
Enter a subnet mask for the IPv4 address. |
IPv6 Note:
This option is available only if you select routing mode as Dynamic Routing - OSPF or BGP. |
|
IPv6 Address |
Enter a valid IPv6 address. |
Subnet Prefix |
Enter a subnet mask for the network range. Once entered, the value is validated. |
Field |
Action |
---|---|
IKE Settings | |
IKE Version |
Select the required IKE version, either v1 or v2 to negotiate dynamic security associations (SAs) for IPsec. Default value is v2. |
IKE Mode |
Select the IKE policy mode from the list:
|
Encryption Algorithm |
Select the appropriate encryption mechanism from the list. Default value is aes-256-gcm. |
Authentication Algorithm |
Select the authentication algorithm from the list. For example, hmac-md5-96—Produces a 128-bit digest and hmac-sha1-96—Produces a 160-bit digest. Note:
This option is available when the encryption algorithm is not gcm. Note:
Starting in Junos OS 23.4R1 Release, J-Web supports SHA 512-bit authentication algorithm for junos-ike package installed devices. |
DH group |
A Diffie-Hellman (DH) exchange allows participants to generate a shared secret value. Select the appropriate DH group from the list. Default value is group19. Note:
Starting in Junos OS 23.4R1 Release, J-Web supports group 15, group 16, and group 21 DH groups for junos-ike package installed devices. |
Lifetime Seconds |
Select a lifetime of an IKE security association (SA). Default: 28,800 seconds. Range: 180 through 86,400 seconds. |
Dead Peer Detection |
Enable this option to send dead peer detection requests regardless of whether there is outgoing IPsec traffic to the peer. |
DPD Mode |
Select one of the options from the list:
|
DPD Interval |
Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds. Range is 2 to 60 seconds. |
DPD Threshold |
Select a number from 1 to 5 to set the failure DPD threshold. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times. |
Advance Configuration (Optional) | |
General IKE ID |
Enable this option to accept peer IKE ID. |
IKEv2 Re-authentication |
Configure the reauthentication frequency to trigger a new IKEv2 reauthentication. |
IKEv2 Re-fragmentation |
This option is enabled by default. |
IKEv2 Re-fragment Size |
Select the maximum size, in bytes, of an IKEv2 message before it is split into fragments. The size applies to both IPv4 and IPv6 messages. Range: 570 to 1320 bytes. Default values are:
|
NAT-T |
Enable this option for IPsec traffic to pass through a NAT device. NAT-T is an IKE phase 1 algorithm that is used when trying to establish a VPN connection between two gateway devices, where there is a NAT device in front of one of the SRX Series Firewalls. |
NAT Keep Alive |
Select appropriate keepalive interval in seconds. Range: 1 to 300. If the VPN is expected to have large periods of inactivity, you can configure keepalive values to generate artificial traffic to keep the session active on the NAT devices. |
IPsec Settings | |
Protocol |
Select either Encapsulation Security Protocol (ESP) or Authentication Header (AH) protocol from the list to establish VPN. Default value is ESP. |
Encryption Algorithm |
Select the encryption method. Default value is aes-256-gcm. Note:
This option is available only for the ESP protocol. |
Authentication Algorithm |
Select the IPsec authentication algorithm from the list. For example, hmac-md5-96—Produces a 128-bit digest and hmac-sha1-96—Produces a 160-bit digest. Note:
This option is available when the encryption algorithm is not gcm. Note:
Starting in Junos OS 23.4R1 Release, J-Web supports HMAC-SHA 384 and HMAC-SHA 512 authentication algorithm for junos-ike package installed devices. |
Perfect Forward Secrecy |
Select Perfect Forward Secrecy (PFS) from the list. The device uses this method to generate the encryption key. Default value is group19. PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security, but require more processing time. Note:
group15, group16, and group21 support only the SRX5000 line of devices with an SPC3 card and junos-ike package installed. Note:
Starting in Junos OS 23.4R1 Release, J-Web supports group 15, group 16, and group 21 PFS for junos-ike package installed devices. |
Lifetime Seconds |
Select the lifetime (in seconds) of an IPsec security association (SA). When the SA expires, it is replaced by a new SA and security parameter index (SPI) or terminated. Default is 3,600 seconds. Range: 180 through 86,400 seconds. |
Lifetime Kilobytes |
Select the lifetime (in kilobytes) of an IPsec SA. Default is 128kb. Range: 64 through 4294967294. |
Establish Tunnel |
Enable this option to establish the IPsec tunnel. IKE is activated immediately (default value) after a VPN is configured and the configuration changes are committed. |
Advanced Configuration | |
VPN Monitor |
Enable this option to use it in a destination IP address. Note:
This option is not available for Traffic Selectors routing mode. |
Destination IP |
Enter the destination of the Internet Control Message Protocol (ICMP) pings. The device uses the peer's gateway address by default. Note:
This option is not available for Traffic Selectors routing mode. |
Optimized |
Enable this option for the VPN object. If enabled, the SRX Series Firewall only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series Firewall considers the tunnel to be active and does not send pings to the peer. This option is disabled by default. Note:
This option is not available for Traffic Selectors routing mode. |
Source Interface |
Select the source interface for ICMP requests from the list. If no source interface is specified, the device automatically uses the local tunnel endpoint interface. Note:
This option is not available for Traffic Selectors routing mode. |
Verify-path |
Enable this option to verify the IPsec datapath before the secure tunnel (st0) interface is activated and route(s) associated with the interface are installed in the Junos OS forwarding table. This option is disabled by default. Note:
This option is not available for Traffic Selectors routing mode. |
Destination IP |
Enter the destination IP address. Original, untranslated IP address of the peer tunnel endpoint that is behind a NAT device. This IP address must not be the NAT translated IP address. This option is required if the peer tunnel endpoint is behind a NAT device. The verify-path ICMP request is sent to this IP address so that the peer can generate an ICMP response. Note:
This option is not available for Traffic Selectors routing mode. |
Packet size |
Enter the size of the packet that is used to verify an IPsec datapath before the st0 interface is brought up. Range: 64 to 1350 bytes. Default value is 64 bytes. Note:
This option is not available for Traffic Selectors routing mode. |
Anti Replay |
IPsec protects against VPN attack by using a sequence of numbers built into the IPsec packet—the system does not accept a packet with the same sequence number. This option is enabled by default. The Anti-Replay checks the sequence numbers and enforce the check, rather than just ignoring the sequence numbers. Disable Anti-Replay if there is an error with the IPsec mechanism that results in out-of-order packets, which prevents proper functionality. |
Install Interval |
Select the maximum number of seconds to allow for the installation of a rekeyed outbound security association (SA) on the device. Select a value from 1 to 10. |
Idle Time |
Select the idle time interval. The sessions and their corresponding translations time out after a certain period of time if no traffic is received. Range is 60 to 999999 seconds. |
DF Bit |
Select how the device handles the Don't Fragment (DF) bit in the outer header:
|
Copy Outer DSCP |
This option enabled by default. This enables copying of Differentiated Services Code Point (DSCP) (outer DSCP+ECN) from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. Enabling this feature, after IPsec decryption, clear text packets can follow the inner CoS (DSCP+ECN) rules. |
ICMP big packet warning |
Use this option to enable or disable sending ICMP packet too big notifications for IPv6 packets. Note:
This option is available only for junos-ike package installed devices. |
ESN |
Enable this to allow IPsec to use 64-bit sequence number. If ESN is not enabled, 32-bit sequence number will be used by default. Ensure ESN is not enabled when anti-replay is disabled. Note:
This option is available only for junos-ike package installed devices. |
Tunnel MTU |
Enter the maximum transmit packet size for IPsec tunnels. Range: 256 through 9192. Note:
This option is available only for junos-ike package installed devices. |