Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Juniper Security Director® is the next generation on-premises security management product for SRX Series Firewalls and vSRX. For more details, visit Juniper Security Director documentation page or contact your sales team.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos Space Security Director Junos Space Security Director User Guide Configure IPsec VPN-Profiles

Junos Space Security Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos Space Security Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Creating VPN Profiles

date_range 10-Jul-23
arrow_backward
arrow_forward

Before You Begin

Review the VPN profiles main page for an understanding of your current data set. See VPN Profiles Main Page Fields for field descriptions.

Use the VPN Profiles page to configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. When a VPN profile is created, Junos Space creates an object in the Security Director database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.

Note:

You cannot modify or delete Juniper Networks Predefined VPN profiles. You can only clone them and create new profiles.

Starting in Junos Space Security Director Release 20.3, you can create a VPN profile based on a VPN topology. You can create:

  • Site-to-site VPN profile

  • Hub-and-spoke (establishment all peers) VPN profile

  • Hub-and-spoke (establishment by spokes) VPN profile

  • Hub-and-spoke Auto Discovery VPN profile

  • Full mesh VPN profile

  • Remote access (Juniper Secure Connect) profile

  • Remote access (NCP Exclusive Client) profile

To configure a VPN profile:

  1. Select Configure > IPsec VPN > Profiles.

    The VPN Profiles page is displayed.

  2. Click Create VPN Profile and select a VPN topology based on which you want to create a VPN profile.

    The corresponding create VPN profile page is displayed.

  3. Complete the configuration according to the guidelines provided in Table 1 .
  4. Click Save.

A new VPN profile is created. You can use this object to create IPsec VPNs.

Table 1: VPN Profile Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, dashes and underscores; no spaces allowed; 62-character maximum.

Description

Enter a description for the VPN profile; maximum length is 255 characters.

IKE Settings

Authentication Method

Select the required authentication method:

  • Pre-shared based

  • RSA-Signatures

  • DSA-Signatures

  • ECDSA-Signatures-256

  • ECDSA-Signatures-384

Note:

For Remote VPN, only Pre-shared based and RSA-Signatures are supported.

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKE V2 is used.

Note:

This is not applicable for remote access VPN profiles.

Mode

Select an IKE policy mode.

  • Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. Also provides identity protection.

  • Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.

Note:

Mode is applicable when the IKE Version is V1.

Mode is not applicable for remote access VPN profiles.

Dead Peer Detection

Enable to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD Mode.

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages. The default interval is 10 seconds, with a permissible range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times, with a permissible range of 1 to 5.

Custom Proposal

Name

Enter a name for the VPN.

Deffie Hellman group

Select a group. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Authentication-algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Encryption-algorithm

Select the appropriate encryption mechanism.

Lifetime-seconds

Select a lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Note:

You can create a maximum of four custom profiles, and edit or delete the existing custom profiles.

Advance Configuration

General IKE ID

Enable this option to accept peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

Note:

This is not applicable for remote access VPN profiles.

IKEv2 Re Authentication

Select a re-authentication frequency. Re-authentication can be disabled by setting the re-authentication frequency to 0.

Range is 0 to 100.

Note:

This is not applicable for remote access VPN profiles.

IKEv2 Re Fragmentation Support

IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

This is applicable when authentication method is RSA-Signatures.

IKE ID

Select an option:

  • None

  • Distinguished name

  • Hostname

  • IPv4 address

  • E-mail Address

IKE ID is applicable only when General IKE ID is disabled.

Note:

Only E-mail ID is applicable for remote access VPN profiles.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a value. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. Range is from 1 to 300 seconds.

IPsec Settings

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.

Establish Tunnel

Select an option to specify when IKE is activated.

  • Immediately—IKE is activated immediately after VPN configuration changes are committed.

  • On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

Note:

This is not applicable for remote access VPN profiles.

Custom Proposal

Name

Enter a name for the VPN.

Authentication Algorithm

Select an algorithm. The device uses these algorithms to verify the authenticity and integrity of a packet.

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication.

  • AH—The Authentication Header (AH) protocol provides data integrity and data authentication.

Note:

This is not applicable for remote access VPN profiles.

Encryption Algorithm

Select the necessary encryption method.

This is applicable if the Protocol is ESP.

Lifetime Seconds

Select the lifetime of an IKE security association (SA). The valid range is from 180 through 86,400 seconds.

Lifetime kilobytes

Select the lifetime (in kilobytes) of an IPsec security association (SA). The range is from 64 through 4294967294 kilobytes.

Note:

You can create a maximum of four custom profiles, and edit or delete the existing custom profiles.

Advance Configuration

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.

Anti Replay

By default, Anti-Replay detection is enabled. IPsec protects against the VPN attack by using a sequence of numbers that are built into the IPsec packet—the system does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check, rather than just ignoring the sequence numbers. Disable it if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval. The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable copying of Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path. The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.

Related Documentation

arrow_backward PREVIOUS VPN Profiles Overview
NEXT arrow_forward Edit and Clone IPsec VPN profiles
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top