Create and Manage Route-Based Site-to-Site VPN

Create Route-Based Site-to-Site VPN

A route-based site-to-site VPN uses IP routing to direct traffic into an IPsec tunnel between two sites. The tunnel is bound to a virtual tunnel interface, and the routing table decides which traffic enters the tunnel based on the destination IP address.

With a route-based VPN, you can apply many security policies to the traffic that crosses a single tunnel, and a single IKE SA and IPsec SA pair carries all of it. Unlike a policy-based VPN, where the policy action names the tunnel, a route-based policy only permits traffic to a destination address; the route to that destination selects the tunnel interface.

Before You Begin

To create a route-based site-to-site VPN:

  1. Select Security > IPsec VPN Management > IPsec VPNs.

    The IPsec VPNs page is displayed.

  2. Click Create > Site to Site.

    The Create Site to Site VPN page is displayed.

  3. Complete the VPN configuration as described in Table 1 (General Settings), Table 2 (Add Device Settings), Table 3 (VPN Profile Settings), and Table 4 (Tunnel Settings).

    In the topology diagram, the VPN link changes from a gray to a blue line when the configuration is complete. The diagram is a representation only.

  4. Click Save.

    The IPsec VPNs page is displayed.

  5. Select the VPN policy, and click Deploy.

    The Deploy VPN page is displayed.

  6. Select one of the following:

    • Schedule at a later time to schedule and publish the configuration later.

    • Run now to apply the configuration immediately.

  7. Click Update.

    The Affected Devices page displays the devices where the policies will be published.

General Settings

Table 1: General Settings

Field

Action

Name

Enter a unique name of up to 63 alphanumeric characters without spaces.

Colons, periods, dashes, and underscores are also allowed.

Description

Enter a description of up to 255 characters.

Routing topology

Select one of the following options:

  • Traffic selector (Auto route insertion)—A traffic selector is an agreement between IKE peers to permit traffic through the tunnel only if it matches a specified pair of local and remote address ranges. Routes to the negotiated remote ranges are inserted automatically when the tunnel comes up.

  • Static routing—Generates static routing based on the protected networks.

  • OSPF-dynamic routing—Generates OSPFv2 configuration for IPv4 or OSPFv3 configuration for IPv6, based on the tunnel interface address configuration.

  • RIP-dynamic routing—Generates RIP configuration for IPv4 or RIPng configuration for IPv6, based on the tunnel interface address configuration.

  • eBGP-dynamic routing—Generates eBGP configuration for both IPv4 and IPv6.

The Routing topology is applicable only to route-based VPNs.

For information about tunnel settings for these routing topologies, see Table 4.

VPN profile

Select a VPN profile based on the deployment scenario:

  • Inline Profile—Applicable only to this IPsec VPN.

  • MainMode Profile—Predefined IKEv1 main mode profile with a standard proposal set.

  • AggressiveMode Profile—Predefined IKEv1 aggressive mode profile with a standard proposal set.

  • RSA Profile—Predefined profile for certificate-based authentication (RSA signatures) with the distinguished name (DN) as the IKE ID type.

  • ADVPN Profile—Predefined profile for Auto Discovery VPN (ADVPN).

You can view and edit the details of the VPN profiles by clicking View VPN Profile settings on the Create VPN page.

Authentication method

Select an authentication method that the device uses to authenticate the source of IKE messages.

  • Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer.

  • RSA-Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures, is used.

  • DSA-Signatures—Specifies that the Digital Signature Algorithm (DSA) is used.

  • ECDSA-Signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

  • ECDSA-Signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

Network IP

Enter the IPv4 or IPv6 subnet from which addresses are assigned automatically to the numbered tunnel interfaces.

This option is available only when you select dynamic routing topologies.

Pre-shared key

A pre-shared key (PSK) is a secret that is configured identically on both peers and used to authenticate them to each other. Pre-shared keys are commonly deployed for site-to-site IPsec VPNs, both within a single organization and between organizations.

Pre-shared keys are applicable only if the authentication method is pre-shared based.

Select the type of pre-shared key to use:

  • Autogenerate—Select if you want to automatically generate a unique key per tunnel.

  • Manual—Select to enter the key manually. Use a long, random key; a short or guessable key weakens peer authentication, particularly with IKEv1 aggressive mode. By default, the manual key is masked. To unmask the manual key, select the unmask icon.

Max transmission unit

Select the maximum transmission unit (MTU) in bytes for the tunnel endpoint. The MTU is the maximum size of an IP packet sent through the tunnel, including the IPsec overhead; packets larger than this must be fragmented or dropped.

The range is 68—9192 bytes, and the default value is 1500 bytes.

Device Settings

Add devices as endpoints in the VPN. If the selected device is part of an MNHA pair, you can add the devices separately, choosing one or both as needed. You can add a maximum of two devices.

To add devices in route-based VPNs:

  1. Click Add, and click one of the following: Device or Extranet Device.

    The Add Device page is displayed.

  2. Configure the device parameters as described in Table 2.
  3. Click OK.
Table 2: Add Device Settings

Field

Action

Device

Select a device.

External interface

Select the outgoing interface for IKE security associations (SAs).

IKE address

Enter the IPv4 or IPv6 address of the primary Internet Key Exchange (IKE) gateway.

Tunnel zone

Select the tunnel zone.

Tunnel zones are logical areas of address spaces that can support dynamic IP (DIP) address pools for NAT applications to pre and post-encapsulated IPsec traffic. Tunnel zones also provide flexibility in combining tunnel interfaces with VPN tunnels.

Tunnel zones are applicable only for route-based site-to-site VPN.

Routing instance

Select the required routing instance.

Routing instances are applicable only for route-based site-to-site VPNs.

Initiator/Recipient

Select one of the following options:

  • Initiator

  • Recipient

This option is applicable when the VPN profile is Aggressive Mode profile.

Certificate

Select a certificate to authenticate the VPN initiator and recipient.

Authentication certificates are applicable in one of the following scenarios:

  • The VPN profile is RSA profile or ADVPN profile.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Trusted CA/Group

Select the CA profile from the list to associate it with the local certificate.

CA profiles are applicable in one of the following scenarios:

  • The VPN profile is RSA profile, ADVPN profile, or default profile with any signature type.

  • The authentication method is RSA-Signatures, DSA-Signatures, ECDSA-Signatures-256, or ECDSA-Signatures-384.

Export

Select the type of routes to export.

  • Static Routes—Export static routes.

    Juniper Security Director Cloud simplifies VPN address management by enabling administrators to export static routes to a remote site over a tunnel, allowing the static route networks to participate in the VPN.

    For eBGP Dynamic Routing, the Static Routes check box is selected by default.

  • RIP Routes—Export RIP routes for IPv4 or RIPng routes for IPv6.

    You can export RIP routes only when Routing Topology is OSPF Dynamic Routing.

  • OSPF Routes— Export OSPFv2 routes for IPv4 and OSPFv3 routes for IPv6.

    You can export OSPF routes only when Routing Topology is RIP-Dynamic Routing.

If you select OSPF or RIP export, OSPF or RIP routes learned outside the VPN are redistributed into the VPN through the dynamic routing protocol that runs over the tunnel.

OSPF area

Select an OSPF area ID within the range of 0—4,294,967,295 where the tunnel interfaces of this VPN must be configured.

The OSPF area ID is applicable when the routing topology is OSPF-Dynamic Routing in route-based site-to-site VPNs.

Max retransmission time

Select the retransmission timer to limit the number of times the RIP demand circuit re-sends update messages to an unresponsive peer.

If the configured retransmission threshold is reached, routes from the next-hop router are marked as unreachable and the hold-down timer starts. You must configure a pair of RIP demand circuits for this timer to take effect. The retransmission range is from 5—180 seconds. The default value is 50 seconds.

This option is applicable only when the routing topology is RIP-Dynamic Routing in route-based site-to-site VPN.

AS number

Select a unique number to assign to the autonomous system (AS).

The AS number identifies an autonomous system and enables the system to exchange exterior routing information with other neighboring autonomous systems. The valid range is from 0—4294967294.

The AS number is applicable only when the routing topology is e-BGP Dynamic Routing in route-based site-to-site VPN.

Protected networks

Configure the addresses (or, when a dynamic routing protocol is selected, the interfaces) on the selected device whose traffic is carried through the tunnel, so that one area of the network is protected from the other.

When a dynamic routing protocol (DRP) is selected, the interface option is displayed. You can also create addresses by clicking the + sign.

This option is applicable only for route-based site-to-site VPNs.

VPN Profile Settings

Click View VPN Profile Settings to view or edit VPN profiles. If the VPN profile is inline, you can edit the configurations. If the profile is shared, you can only view the configurations.

Table 3: VPN Profile Settings

Field

Action

IKE Settings

Authentication method

Select an authentication method that the device uses to authenticate the source of IKE messages.

  • Pre-shared based—Specifies that a pre-shared key, which is a secret key shared between the two peers, is used during authentication to identify the peers to each other. The same key must be configured for each peer.

  • RSA-Signatures—Specifies that a public key algorithm, which supports encryption and digital signatures, is used.

  • DSA-Signatures—Specifies that the Digital Signature Algorithm (DSA) is used.

  • ECDSA-Signatures-256—Specifies that the Elliptic Curve DSA (ECDSA) using the 256-bit elliptic curve secp256r1, as specified in the Federal Information Processing Standard (FIPS) Digital Signature Standard (DSS) 186-3, is used.

  • ECDSA-Signatures-384—Specifies that the ECDSA using the 384-bit elliptic curve secp384r1, as specified in the FIPS DSS 186-3, is used.

IKE version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec.

By default, IKE V2 is used.

Mode

Select an IKE policy mode.

  • Main—Uses six messages in three exchanges to establish the IKE SA: SA negotiation, a Diffie-Hellman exchange, and peer authentication. Because authentication follows the Diffie-Hellman exchange, the peers' identities are sent encrypted (identity protection).

  • Aggressive—Uses three messages, offers fewer negotiation options, and does not provide identity protection: the IKE ID is sent in the clear, and with pre-shared key authentication the responder's hash can be captured and attacked offline. Prefer main mode, or IKEv2, unless a peer with a dynamic address requires aggressive mode.

Mode is applicable when the IKE Version is V1.

Encryption algorithm

Select the encryption algorithm for the IKE SA.

Authentication algorithm

Select an algorithm for the device to verify the authenticity and integrity of a packet.

Diffie-Hellman group

Select a Diffie-Hellman (DH) group to determine the strength of the key used in the key exchange process.

Lifetime seconds

Select a lifetime of an IKE security association (SA).

The valid range is from 180—86400 seconds.

Dead peer detection

Enable this option to allow the two gateways to determine if the peer gateway is up and responding to Dead Peer Detection (DPD) messages negotiated during IPsec establishment.

DPD mode

Select a DPD Mode.

  • Optimized—R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel—R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send—R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD interval

Select an interval in seconds to send dead peer detection messages.

The default interval is 10 seconds with a valid range of 2—60 seconds.

DPD threshold

Select the failure DPD threshold value.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1—5.
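The following added example, which is not code from the page or from Junos, applies the page's definitions of the three DPD modes at each interval tick to decide whether an R-U-THERE probe is sent and when the peer is declared dead. The traffic timelines in the two scenario functions are constructed, and the default interval and threshold are the page's defaults.

```python
"""Dead peer detection scheduling for the three DPD modes described above.

Added example, not code from the page or from Junos. It applies the page's
definitions of the three modes at each interval tick: whether an R-U-THERE
probe is sent, and when unanswered probes reach the threshold, whether the
peer is declared dead. The traffic timelines are constructed scenarios.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DpdState:
    mode: str                  # "optimized", "probe-idle-tunnel" or "always-send"
    interval: int = 10         # seconds between probes (default 10, range 2 to 60)
    threshold: int = 5         # unanswered probes before the peer is dead (default 5)
    unanswered: int = 0
    peer_dead: bool = False
    probes: List[int] = field(default_factory=list)   # times at which probes were sent

    def should_probe(self, now: int, last_in: int, last_out: int) -> bool:
        """Decide, at time `now`, whether this mode sends an R-U-THERE probe.

        last_in / last_out are the times of the most recent incoming and
        outgoing IKE or IPsec packets from or to the peer.
        """
        no_incoming = now - last_in >= self.interval
        no_outgoing = now - last_out >= self.interval
        if self.mode == "always-send":
            return True
        if self.mode == "optimized":
            # We sent traffic recently but heard nothing back for an interval.
            return no_incoming and not no_outgoing
        if self.mode == "probe-idle-tunnel":
            # Nothing in either direction for an interval.
            return no_incoming and no_outgoing
        raise ValueError(f"unknown DPD mode {self.mode!r}")

    def tick(self, now: int, last_in: int, last_out: int, reply: bool) -> None:
        """Run one interval; `reply` says whether a probe sent now is answered."""
        if self.peer_dead or not self.should_probe(now, last_in, last_out):
            return
        self.probes.append(now)
        if reply:
            self.unanswered = 0          # any answer resets the failure count
        else:
            self.unanswered += 1
            if self.unanswered >= self.threshold:
                self.peer_dead = True    # tunnel torn down, SA re-negotiated


def silent_peer(mode: str) -> Tuple[int, bool]:
    """Constructed scenario: the peer stops answering at t=0 while we keep
    sending into the tunnel. Returns (probes sent, peer declared dead)."""
    st = DpdState(mode=mode)
    for now in range(10, 60, 10):
        st.tick(now, last_in=0, last_out=now, reply=False)
    return len(st.probes), st.peer_dead


def idle_alive_peer(mode: str) -> Tuple[int, bool]:
    """Constructed scenario: no traffic either way since t=0, peer alive."""
    st = DpdState(mode=mode)
    for now in range(10, 60, 10):
        st.tick(now, last_in=0, last_out=0, reply=True)
    return len(st.probes), st.peer_dead
```

The silent-peer scenario is the one to watch: in probe-idle-tunnel mode our own outgoing traffic keeps the tunnel looking active, so a peer that has gone one-way silent is not probed until our side stops sending, whereas optimized mode detects it after threshold times interval seconds (50 seconds with the defaults).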

Advance Settings

General IKE ID

Enable this option to accept any IKE ID presented by the peer instead of matching it against a configured identity.

This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically, and the peer is then distinguished only by its pre-shared key or certificate.

IKEv2 re authentication

Select a reauthentication frequency.

Reauthentication can be disabled by setting the reauthentication frequency to 0. The valid range is 0—100.

IKEv2 re fragmentation support

Enable this option to split a large IKEv2 message (typically one carrying certificates) into a set of smaller IKE messages, so that IP-level fragmentation, which NAT devices and firewalls frequently drop, is avoided.

IKEv2 re-fragment size

Select the size of the packet at which messages are fragmented.

By default, the size is 576 bytes for IPv4, and the valid range is 570 —1320 bytes.

IKE ID

Select one of the following options:

  • None

  • Distinguished name

  • Hostname

  • IPv4 address

  • E-mail Address

IKE ID is applicable only when General IKE ID is disabled.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep alive

Select a time period, in seconds, to keep the connection alive.

NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. The valid range is from 1—300 seconds.

IPsec Settings

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides encryption and, combined with an authentication algorithm, data integrity and authentication. ESP is the usual choice and the only option that works through NAT-T.

  • AH—The Authentication Header (AH) protocol provides data integrity and authentication only; the payload is sent in cleartext, and because AH authenticates the outer IP header, it cannot pass through NAT.

Encryption algorithm

Select the encryption method.

This option is applicable if the Protocol is ESP.

Authentication algorithm

Select an algorithm for the device to verify the authenticity and integrity of a packet.

Perfect forward secrecy

Select the Diffie-Hellman group used for Perfect Forward Secrecy (PFS) when the IPsec SA is rekeyed.

With PFS, each new IPsec key is derived from a fresh Diffie-Hellman exchange rather than from the existing keying material, so the compromise of one key does not expose the keys of earlier or later SAs. Higher-numbered groups provide more security but require more processing time.

Establish tunnel

Specify when the IKE negotiation starts:

  • Immediately—IKE negotiation starts as soon as the VPN configuration changes are committed.

  • On-traffic—IKE negotiation starts only when traffic is routed into the tunnel. This is the default behavior.

Advance Settings

VPN monitor

Enable this option to send Internet Control Message Protocol (ICMP) echo requests through the tunnel to determine whether the VPN is up.

Optimized

Enable this option to optimize VPN monitoring so that the SRX Series Firewall sends ICMP echo requests (pings) only when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel.

If there is incoming traffic through the VPN tunnel, the SRX Series Firewall considers the tunnel active and does not send pings to the peer.

Anti replay

Enable this option to protect against replay attacks, in which a captured IPsec packet is sent to the gateway again, by using the sequence number carried in every ESP or AH packet.

The receiver tracks the sequence numbers it has already accepted within a sliding window and rejects any packet whose sequence number has already been seen or that falls behind the window, rather than just ignoring the sequence numbers.

Disable this option only if the path reorders packets so badly that legitimate traffic is dropped; disabling it removes replay protection for the tunnel.

By default, Anti-Replay detection is enabled.
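The sliding-window check described above, as an added example that is not code from the page or from Junos. It follows the receiver-side algorithm of RFC 4303, section 3.4.3, with a 64-packet window; the packet sequence fed through it is constructed to show accepted out-of-order packets, a replay, and a packet that has fallen behind the window.

```python
"""Sliding-window anti-replay check as an IPsec receiver performs it.

Added example, not code from the page or from Junos. Follows RFC 4303,
section 3.4.3. The sequence numbers in run_sample() are constructed values;
the window size of 64 is a common default.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of received ones."""
    size: int = 64
    highest: int = 0      # highest sequence number accepted so far
    bitmap: int = 0       # bit i set means sequence number (highest - i) was received
    enabled: bool = True  # the page's "Anti replay" toggle

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too-old' for an ESP sequence number.

        The first packet on an SA carries sequence number 1, so 0 is never
        valid. With the check disabled every packet is accepted, which is
        what turning the option off costs in replay protection.
        """
        if not self.enabled:
            return "accept"
        if seq == 0:
            return "replay"
        if seq > self.highest:
            # Advance the window: shift old bits out, mark the new top.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too-old"            # left of the window: reject
        if self.bitmap & (1 << offset):
            return "replay"             # inside the window, already seen
        self.bitmap |= 1 << offset      # inside the window, first time: accept
        return "accept"


def run_sample() -> List[str]:
    """Feed a constructed packet sequence through the window.

    Packets arrive as 1, 2, 3, 5, 4 (reordered but within the window), then 3
    again (a replay), then 200, then 100 (too old once the window has moved).
    """
    w = ReplayWindow(size=64)
    return [w.check_and_update(s) for s in (1, 2, 3, 5, 4, 3, 200, 100)]
```

Packet 4 arriving after packet 5 is accepted because it is inside the window and unseen; the second copy of packet 3 is rejected as a replay; and packet 100 is rejected after packet 200 moved the window past it, which is the reordering case the page's note about disabling the check refers to.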

Install interval

Select the maximum time, in seconds, allowed for the installation of a re-keyed outbound security association (SA) on the device.

Idle time

Select the appropriate idle time interval, after which sessions and their corresponding translations will time out if no traffic is received.

DF bit

Select how the Don't Fragment (DF) bit is set in the outer IP header of encapsulated packets.

  • Clear—Clears the DF bit in the outer header, so an oversized encrypted packet can be fragmented. This is the default option.

  • Copy—Copies the DF bit from the inner IP header to the outer header.

  • Set—Sets the DF bit in the outer header, so oversized packets are not fragmented; the path MTU must then accommodate the IPsec overhead.
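The following added example, which is not code from the page or from Junos, works through the Max transmission unit and DF bit settings together: it computes the ESP overhead for a cipher suite, the largest inner packet that still fits a path MTU, and what each DF option does with an oversized packet. The overhead figures are the standard ones from RFC 4303, RFC 4106 and RFC 3948; the three-entry suite table, the MTU and the packet sizes are constructed for illustration.

```python
"""ESP overhead, usable tunnel MTU, and the effect of the DF bit options.

Added example, not code from the page or from Junos. The overhead figures are
the standard ones from RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (UDP
encapsulation for NAT-T); the MTU and packet sizes used by callers are
constructed sample values, and the suite table lists only three common suites.
"""
from dataclasses import dataclass
from typing import Optional

IPV4_HEADER = 20
UDP_HEADER = 8        # present only with NAT-T (RFC 3948)
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# suite -> (IV bytes, ICV bytes, size the payload plus trailer is padded to)
SUITES = {
    "aes-256-gcm": (8, 16, 4),            # RFC 4106: 8-byte IV, 16-byte ICV, 4-byte alignment
    "aes-256-cbc-sha256": (16, 16, 16),   # 16-byte CBC IV, HMAC-SHA-256-128 ICV, 16-byte blocks
    "aes-128-cbc-sha1": (16, 12, 16),     # 16-byte CBC IV, HMAC-SHA1-96 ICV, 16-byte blocks
}


def esp_packet_size(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """On-the-wire size of an IPv4 tunnel-mode ESP packet carrying inner_len bytes."""
    iv, icv, block = SUITES[suite]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to block
    size = IPV4_HEADER + ESP_HEADER + iv + padded + icv
    return size + UDP_HEADER if nat_t else size


def max_inner_size(path_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner packet whose encrypted form still fits the path MTU.

    This is the value to use as the tunnel interface MTU (and the value a
    gateway reports in ICMP 'fragmentation needed'), so that the hosts, not
    the gateway, adapt their packet size.
    """
    size = path_mtu
    while esp_packet_size(size, suite, nat_t) > path_mtu:
        size -= 1
    return size


@dataclass(frozen=True)
class Outcome:
    action: str                         # "send", "fragment" or "drop-icmp"
    outer_df: bool                      # DF bit value written to the outer header
    advertised_mtu: Optional[int] = None


def df_bit_handling(policy: str, inner_len: int, inner_df: bool,
                    path_mtu: int, suite: str, nat_t: bool = False) -> Outcome:
    """Model the Clear / Copy / Set options for one inner packet.

    Clear: outer DF is 0, so an oversized encrypted packet may be fragmented.
    Copy:  outer DF mirrors the inner DF bit.
    Set:   outer DF is 1; an oversized packet is dropped and the usable MTU
           is reported back to the sender.
    Whether fragmentation happens before or after encryption is left to the
    implementation; here it is only recorded as allowed.
    """
    outer_df = {"clear": False, "copy": inner_df, "set": True}[policy]
    if esp_packet_size(inner_len, suite, nat_t) <= path_mtu:
        return Outcome("send", outer_df)
    if not outer_df:
        return Outcome("fragment", outer_df)
    return Outcome("drop-icmp", outer_df,
                   advertised_mtu=max_inner_size(path_mtu, suite, nat_t))
```

With a 1500-byte path MTU and AES-256-GCM, the largest inner packet that fits is 1446 bytes (1438 with NAT-T), so a 1500-byte packet with DF set is dropped under Copy or Set and fragmented under Clear; setting the tunnel MTU to 1446 lets the end hosts discover this instead of the gateway fragmenting or dropping.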

Copy outer DSCP

Enable this option to copy the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message during decryption.

The benefit in enabling this feature is that, after IPsec decryption, cleartext packets adhere to the inner class-of-service (CoS) rules.

Lifetime seconds

Select the lifetime, in seconds, for an IPsec security association (SA).

The range is from 180—86,400 seconds.

Lifetime kilobytes

Select the lifetime, in kilobytes, for an IPsec security association (SA).

The range is from 64—4294967294 kilobytes.

Tunnel Settings

Table 4: Tunnel Settings

Settings

Guidelines

Preshared Key

Enter the Internet Key Exchange (IKE) pre-shared key that the VPN gateway uses to authenticate the peer gateway.

Tunnel Interface

Enter the tunnel interface for the route-based VPN.

Max Transmission Unit

Enter the maximum transmit packet size for IPsec tunnels.

The Maximum Transmission Unit (MTU) option is available only when you select either Traffic-Selector or Static Routing as the routing topology in route-based site-to-site VPNs.

VPN Name

Enter a name for the VPN.

IKE Identity

Select one of the following options:

  • Host Name

  • IPv4/IPv6 Address

  • E-mail Address

Host Name

Enter the hostname (FQDN) to use as the IKE ID for peer identification.

IPv4/IPv6 Address

Enter an IPv4 or IPv6 address to use as the IKE ID for peer identification.

Email Address

Enter the e-mail address to use as the IKE ID for peer identification.

Tunnel Address

Enter the tunnel interface address (IPv4 or IPv6) of this endpoint.

The Tunnel Address option is available only when the routing topology is OSPF-Dynamic Routing, RIP-Dynamic Routing, or eBGP-Dynamic Routing in route-based site-to-site VPNs.

Local Proxy ID

Enter the local IP address or prefix.

The Local Proxy ID option is available only when the routing topology is Static Routing, OSPF-Dynamic Routing, RIP-Dynamic Routing, or eBGP-Dynamic Routing in route-based site-to-site VPNs.

Remote Proxy ID

Enter the remote IP address or prefix.

The Remote Proxy ID option is available only when the routing topology is OSPF-Dynamic Routing, RIP-Dynamic Routing, or eBGP-Dynamic Routing in route-based site-to-site VPNs.
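The following added example, which is not code from the page or from Junos, shows what the Local Proxy ID and Remote Proxy ID fields (and the traffic-selector routing topology) negotiate between the two peers. In IKEv2 (RFC 7296, section 2.9) the responder may narrow the initiator's selectors to the overlap with its own configuration; with IKEv1 proxy IDs the pair must mirror exactly, which is why a mismatch fails the IPsec SA negotiation. The site addresses are constructed examples.

```python
"""Traffic selector / proxy-ID agreement between two route-based VPN peers.

Added example, not code from the page or from Junos. Models the page's
Local/Remote Proxy ID fields and the traffic-selector topology: in IKEv2
(RFC 7296, section 2.9) the responder may narrow the initiator's selectors
to the overlap with its own; with IKEv1 proxy IDs the identities must match
exactly. Addresses are constructed examples.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, Optional, Tuple

Selector = Tuple[IPv4Network, IPv4Network]   # (local, remote) from one peer's view


def overlap(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes: the more specific one, or None if disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def negotiate_ikev2(initiator: Selector, responder: Selector) -> Optional[Selector]:
    """Return the narrowed (local, remote) pair from the initiator's view.

    The initiator's local prefix must overlap the responder's *remote* prefix
    and vice versa; the responder narrows to that overlap. No overlap on
    either side means TS_UNACCEPTABLE, modelled here as None.
    """
    init_local, init_remote = initiator
    resp_local, resp_remote = responder
    local = overlap(init_local, resp_remote)
    remote = overlap(init_remote, resp_local)
    if local is None or remote is None:
        return None
    return (local, remote)


def negotiate_ikev1_proxy_id(initiator: Selector, responder: Selector) -> Optional[Selector]:
    """IKEv1 proxy IDs: the pair must mirror exactly; there is no narrowing."""
    init_local, init_remote = initiator
    resp_local, resp_remote = responder
    if init_local == resp_remote and init_remote == resp_local:
        return initiator
    return None


def sample() -> Dict[str, Optional[Selector]]:
    """Constructed site A / site B selectors: one broader, one disjoint."""
    site_a = (ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"))
    # Site B configured with a broader remote prefix: IKEv2 narrows, IKEv1 refuses.
    site_b_broad = (ip_network("10.2.0.0/16"), ip_network("10.0.0.0/8"))
    # Site B configured with a disjoint remote prefix: both versions fail.
    site_b_wrong = (ip_network("10.2.0.0/16"), ip_network("192.168.0.0/16"))
    return {
        "ikev2_narrowed": negotiate_ikev2(site_a, site_b_broad),
        "ikev1_exact": negotiate_ikev1_proxy_id(site_a, site_b_broad),
        "ikev2_disjoint": negotiate_ikev2(site_a, site_b_wrong),
    }
```

When a phase 2 negotiation fails with a proxy-ID or TS_UNACCEPTABLE error, comparing the two sides' (local, remote) pairs as this function does is the first check to make: the local prefix on one side must be the remote prefix on the other, and for IKEv1 it must be identical rather than merely overlapping.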

Manage Route-Based Site-to-Site VPN

  • Edit—Select the IPsec VPN, and then click the pencil icon. After editing an IPsec VPN, you must deploy it to apply the configuration on the devices.

    You cannot edit an IPsec VPN that is marked for deletion.

  • Delete—Select the IPsec VPN, and then click the trash can icon. Follow the on-screen instructions. The IPsec VPN is not deleted from the associated devices at this point; you must redeploy the IPsec VPN to delete it from the devices.

    To revert an IPsec VPN marked for deletion, hover over the flag in the Status column, and select Undo Delete. The IPsec VPN status is reverted to the previous status.