Create and Manage Policy-Based Site-to-Site VPN

Create Policy-Based Site-to-Site VPN

A policy-based site-to-site VPN is a configuration in which an IPsec VPN tunnel created between two sites is specified within the security policy. The security policy specifies the VPN tunnel as the action for transit traffic that matches the policy’s match criteria. Each policy that references the VPN creates its own IPsec Security Association (SA) with the remote peer.

Before You Begin

Read the IPSec VPN overview and view the field descriptions to understand your current data set. See IPsec VPN Overview.
Create addresses and address sets. See Create and Manage Addresses or Address Groups.
Create VPN profiles. See Create and Manage VPN Profiles.
Define extranet devices. See Create Extranet Devices.

To create a policy-based site-to-site VPN:

Select Security > IPsec VPN Management > IPsec VPNs.

The IPsec VPNs page is displayed.
Click Create > Policy Based - Site to Site.

The Create Policy Based Site to Site VPN page is displayed.
Complete the VPN configuration according to the following guidelines:
- Table 1—General settings
- Table 2—Device settings
- Table 3—VPN profile settings
The VPN connectivity changes from a gray line to blue in the topology to show that the configuration is complete. The displayed topology is provided for representation purposes only.
Click Save.

The IPsec VPNs page is displayed.
Select the VPN policy, and click Deploy.
The Deploy VPN page is displayed.
Select one of the following:
- Schedule at a later time to schedule and to publish the configuration later.
- Run now to apply the configuration immediately.
Click Update.
The Affected Devices page displays the devices where the policies will be published.

General Settings

Table 1: General Settings
Field	Action
Name	Enter a unique string of maximum 63 alphanumeric characters without spaces. The string can contain colons, periods, dashes, and underscores.
Description	Enter VPN description containing maximum 255 characters.
VPN profile	Select a VPN profile based on the deployment scenario: Inline profile—Applicable only to a particular IPsec VPN. To view and edit the details, click View VPN Profile Settings on the Create VPN page. Shared profile—Used by one or more IPsec VPNs. You can only view the details of the shared profiles. To view the details, click View VPN Profile Settings.
Authentication method	Select an authentication method that the device uses to authenticate the source of IKE messages. Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. RSA-Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures, is used. DSA-Signatures—Specifies that the Digital Signature Algorithm (DSA) is used. ECDSA-Signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used. ECDSA-Signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.
Pre-shared key	Pre-shared keys are applicable only if the authentication method is pre-shared based. Establish a VPN connection using pre-shared keys, which is essentially a password that is same for both parties. Pre-shared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations. Select the type of pre-shared key to use: Autogenerate—Select to automatically generate a unique key per tunnel. When selected, the Generate Unique key per tunnel option is automatically enabled. If you disable the Generate Unique key per tunnel option, Juniper Security Director Cloud generates a single key for all tunnels. Manual—Enter the key manually. By default, the manual key is masked. To unmask the manual key, select the unmask icon.
Max transmission unit	Select the maximum transmission unit (MTU) in bytes. MTU defines the maximum size of an IP packet, including the IPsec overhead. You can specify the MTU value for the tunnel endpoint. The valid range is 68—9192 bytes. The default value is 1500 bytes.

Device Settings

Add devices as endpoints in the VPN. If the selected device is part of an MNHA pair, you can add the devices separately, choosing one or both as needed. You can add maximum two devices.

To add a new device or extranet device:

Click Add, and click one of the following: Device or Extranet device.

The Add Device page is displayed.
Complete the configurations.
Click OK.

Table 2: Device Settings
Field	Action
Device	Select a physical device.
External interface	Select the outgoing interface for IKE security associations (SAs). This interface is associated with a zone that acts as its carrier, providing firewall security for it.

VPN Profile Settings

Click View VPN Profile Settings to view or edit VPN profiles. If the VPN profile is inline, you can edit the configurations. If the profile is shared, you can only view the configurations.

Table 3: VPN Profile Settings
Field	Action
IKE Settings
Authentication method	Select an authentication method that the device uses to authenticate the source of IKE messages: Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer. RSA-Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures, is used. DSA-Signatures—Specifies that the Digital Signature Algorithm (DSA) is used. ECDSA-Signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used. ECDSA-Signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.
IKE version	Select the V1 IKE version used to negotiate dynamic security associations (SAs) for IPsec.
Mode	Mode is applicable when the IKE Version is V1. Select an IKE policy mode: Main—Uses six messages in three peer-to-peer exchanges to establish the IKE SA. These three steps include the IKE SA negotiation, a Diffie-Hellman exchange, and authentication of the peer. This mode provides identity protection. Aggressive—Takes half the number of messages of main mode, has less negotiation power, and does not provide identity protection.
Encryption algorithm	Select the appropriate encryption mechanism.
Authentication algorithm	Select an algorithm that the device must use to verify the authenticity and integrity of a packet.
Diffie Hellman group	Select a Diffie-Hellman (DH) group to determine the strength of the key used in the key exchange process.
Lifetime seconds	Select the lifetime for an IKE security association (SA). The valid range is 180—86400 seconds.
Dead peer detection	Enable this option to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages negotiated during IPsec establishment.
DPD mode	Select a DPD Mode. Optimized: R-U-THERE messages are triggered if there are no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode. Probe Idle Tunnel: R-U-THERE messages are triggered if there are no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity. Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.
DPD interval	Select an interval, in seconds, to send dead peer detection messages. The default interval is 10 seconds with a valid range of 2—60 seconds.
DPD threshold	Select the failure DPD threshold value. This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 with a valid range of 1—5.
Advanced Configuration
General IKE ID	Enable to accept peer IKE ID. This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.
IKE ID	IKE ID is applicable only when General IKE ID is disabled. Select one of the following options: None Distinguished name Hostname IPv4 address E-mail Address
NAT-T	Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.
Keep alive	Select a time period to keep the connection alive. NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. The range is from 1—300 seconds.
IPSec Settings
Protocol	Select the required protocol to establish the VPN. ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication. AH—The Authentication Header (AH) protocol provides data integrity and data authentication.
Encryption algorithm	Select the encryption method. This option is applicable if the Protocol is ESP.
Authentication algorithm	Select an algorithm that the device must use to verify the authenticity and integrity of a packet.
Perfect forward secrecy	Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key. The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.
Establish tunnel	Specify when to activate IKE: Immediately—IKE is activated immediately after VPN configuration changes are committed. On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.
Advanced Configuration
VPN monitor	Enable to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.
Optimized	Enable to optimize VPN monitoring. Configure SRX Series Firewalls to send ICMP echo requests, or pings, only when outgoing traffic exists without incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series Firewalls considers the tunnel to be active and do not send pings to the peer.
Anti replay	Enable this option for the IPsec mechanism to protect against a VPN attack that uses a sequence of numbers that are built into the IPsec packet. IPsec does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers. By default, Anti replay detection is enabled. Disable this option if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.
Install interval	Select the maximum number of seconds to install a re-keyed outbound security association (SA) on the device.
Idle time	Select the appropriate idle time interval, after which sessions and their corresponding translations will time out if no traffic is received.
DF bit	Select how to process the Don’t Fragment (DF) bit in IP messages. Clear—Disable the DF bit from the IP messages. This is the default option. Copy—Copy the DF bit to the IP messages. Set—Enable the DF bit in the IP messages.
Copy outer DSCP	Enable this option to copy the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plaintext message on the decryption path. The benefit in enabling this option is that after IPsec decryption, cleartext packets can follow the inner class-of-service (CoS) rules.
Lifetime seconds	Select the lifetime, in seconds, for an IKE security association (SA). The range is from 180—86,400 seconds.
Lifetime kilobytes	Select the lifetime, in kilobytes, for an IPsec security association (SA). The range is from 64—4294967294 kilobytes.

Manage Policy-Based Site-to-Site VPN

Edit—Select the IPsec VPN, and then click the pencil icon (). After editing IPsec VPN, you must deploy them to apply the configurations on the devices.

You cannot edit the IPsec VPN that is marked to be deleted.
Delete—Select the IPsec VPN, and then click the trash can icon (). Follow the on-screen instructions. The IPsec VPN is not deleted from the associated devices at this moment. You must redeploy the IPsec VPN to delete it from the devices.

To revert the IPsec VPN marked for deletion, hover over the flag in the Status column, and select Undo Delete. The IPsec VPN status is reverted to the previous status.