Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating VPN Profiles

Configure VPN profiles that define security parameters when establishing a VPN connection. You can reuse the same profile to create more VPN tunnels. The VPN profile includes VPN proposals, VPN mode, authentication, and other parameters used in IPsec VPN. When a VPN profile is created, Juniper Security Director Cloud creates an object in the database to represent the VPN profile. You can use this object to create either route-based or policy-based IPsec VPNs.

Note:

You cannot modify or delete Juniper Networks-defined VPN profiles. You can only clone the profiles and create new profiles.

You can also configure the IKE negotiation phases known as Phase 1 and Phase 2 settings in a VPN profile. SRX Series Firewalls support the following authentication methods in IKE negotiations for IPsec VPN:

  • Preshared key

  • ECDSA certificate

  • RSA certificate

  • DSA certificate

The predefined VPN profile is available for RSA certificates-based authentication. The PKI certificate list from the device is automatically retrieved during the device discovery.

Before You Begin

Read the VPN Profiles overview and view the field descriptions to understand your current data set. See VPN Profiles Overview.

  1. Select SRX > IPsec VPNs > VPN Profiles.

    The VPN Profiles page opens.

  2. Click Create to create a new VPN profile, and select one of the following options:

    • Policy Based Site to Site

    • Site to Site
    • Hub and Spoke (Establishment All Peers)
    • Hub and Spoke (Establishment by Spokes)
    • Hub and Spoke (ADVPN - Auto Discovery VPN)
    • Remote Access Juniper Secure Connect
  3. Complete the configuration according to the guidelines provided in Table 1 .

A new VPN profile with the predefined VPN configuration is created. You can use this object to create IPsec VPNs.

Table 1: VPN Profiles Settings

Setting

Guideline

Name

Enter a unique string of maximum 255 alphanumeric characters without spaces.

The string can contain colons, periods, dashes, and underscores.

Description

Enter a description containing maximum 1024 character for the VPN profile.

Authentication Type

Select the required authentication type:

  • Pre-shared based

  • RSA-Signatures

  • DSA-Signatures

  • ECDSA-Signatures-256

  • ECDSA-Signatures-384

IKE Version

Select the required IKE version, either V1 or V2, that is used to negotiate dynamic security associations (SAs) for IPsec. By default, IKEv1 is used.

In Juniper Security Director Cloud, IKEv2 message fragmentation allows IKEv2 to operate in environments where IP fragments might be blocked and peers would not be able to establish an IPsec security association (SA). IKEv2 fragmentation splits a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

Mode

Select a VPN mode:

  • Main—The most common and secure way to establish a VPN when building site-to-site VPNs. The IKE identities are encrypted and cannot be determined by eavesdroppers.

  • Aggressive—This is an alternative to main mode IPsec negotiation. This is the most common mode when building VPNs from client workstations to VPN gateways, where the IP address of the client is neither known in advance nor fixed.

Encryption Algorithm

Select the appropriate encryption mechanism.

Authentication Algorithm

Select an algorithm. The device uses this algorithm to verify the authenticity and integrity of a packet.

Deffie Hellman Group

Select a group.

Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

Lifetime Seconds

Select a lifetime of an IKE security association (SA).

The valid range is from 180 through 86400 seconds.

Dead Peer Detection

Enable this option to permit the two gateways to determine if the peer gateway is up and responding to the Dead Peer Detection (DPD) messages that are negotiated during IPsec establishment.

DPD Mode

Select a DPD Mode.

  • Optimized: R-U-THERE messages are triggered if there is no incoming IKE or IPsec traffic within a configured interval after the device sends outgoing packets to the peer. This is the default mode.

  • Probe Idle Tunnel: R-U-THERE messages are triggered if there is no incoming or outgoing IKE or IPsec traffic within a configured interval. R-U-THERE messages are sent periodically to the peer until there is traffic activity.

  • Always-send: R-U-THERE messages are sent at configured intervals regardless of traffic activity between the peers.

DPD Interval

Select an interval in seconds to send dead peer detection messages.

The default interval is 10 seconds with a valid range of 2 to 60 seconds.

DPD Threshold

Select the failure DPD threshold value.

This specifies the maximum number of times the DPD messages must be sent when there is no response from the peer. The default number of transmissions is 5 times with a valid range of 1 to 5.
Advance Settings

General-IkeID

Enable this option to accept peer IKE ID in general.

This option is disabled by default. If General IKE ID is enabled, the IKE ID option is disabled automatically.

  • This option is not available in Aggressive VPN mode.

  • You cannot use a VPN profile with the General IKE ID option enabled for the Auto VPN and ADVPN.

IKEv2 Re Authentication

Select a reauthentication frequency. Reauthentication can be disabled by setting the reauthentication frequency to 0.

The valid range is 0 to 100.

IKEv2 Re Fragmentation Support

Enable this option to split a large IKEv2 message into a set of smaller ones so that there is no fragmentation at the IP level.

IKEv2 Re-fragment Size

Select the size of the packet at which messages are fragmented.

By default, the size is 576 bytes for IPv4, and the valid range is 570 to 1320.

IKE Id

Configure the following IKE identifiers:

  • Hostname—The hostname or FQDN is a string that identifies the end system.

  • User@hostname—A simple string that follows the same format as an e-mail address.

    User—Enter the e-mail address of the user. We recommend that you use a valid e-mail address of the user for ease of management.

  • IPAddress—This is the most common form of IKE identity for site-to-site VPNs.

    This can be either an IPv4 or IPv6 address. This option is available only if the VPN mode is Aggressive and the authentication type is Preshared Key.

  • DN—The distinguished name used in certificates to identify a unique user in a certificate.

    This option is available only for RSA, DSA, and ECDSA signature authentication types.

Note:

  • For the Preshared Key authentication type:

    • If you have enabled the General IKE ID option, the IKE ID option is automatically set to None and you cannot edit this option.

    • When modifying an IPsec VPN, you cannot edit the IKE ID column in the View/Edit Tunnel page, if you have chosen a VPN profile with the General IKE ID option enabled.

  • For the certificate-based authentication type:

    • You can edit the IKE ID option even if you have enabled the General IKE ID option because, the local-identity CLI is used for certificate authentication.

    • When modifying an IPsec VPN, you can edit the IKE ID column in the View/Edit Tunnel page, if you have chosen a VPN profile with the General IKE ID option enabled.

NAT-T

Enable Network Address Translation-Traversal (NAT-T) if the dynamic endpoint is behind a NAT device.

Keep Alive

Select a period in seconds to keep the connection alive.

NAT Keepalives are required to maintain the NAT translation during the connection between the VPN peers. The valid range is from 1 to 300 seconds.

IPsec Settings

Protocol

Select the required protocol to establish the VPN.

  • ESP—The Encapsulating Security Payload (ESP) protocol provides both encryption and authentication.

  • AH—The Authentication Header (AH) protocol provides data integrity and data authentication.

Encryption Algorithm

Select the necessary encryption method.

This is applicable if the Protocol is ESP.

Authentication Algorithm

Select an algorithm.

The device uses these algorithms to verify the authenticity and integrity of a packet.

Perfect Forward Secrecy

Select Perfect Forward Secrecy (PFS) as the method that the device uses to generate the encryption key.

The PFS generates each new encryption key independently from the previous key. The higher numbered groups provide more security but require more processing time.

Establish Tunnel

Select an option to specify when IKE is activated.

  • Immediately—IKE is activated immediately after VPN configuration changes are committed.

  • On-traffic—IKE is activated only when data traffic flows and must be negotiated with the peer gateway. This is the default behavior.

Advance Settings

VPN Monitor

Enable this option to send Internet Control Message Protocol (ICMP) to determine if the VPN is up.

Optimized

Enable this option to optimize VPN monitoring and configure SRX Series Firewalls to send ICMP echo requests, also called pings, only when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel.

If there is incoming traffic through the VPN tunnel, the SRX Series Firewalls considers the tunnel to be active and do not send pings to the peer.

Anti Replay

Enable this option for the IPsec mechanism to protect against a VPN attack that uses a sequence of numbers that are built into the IPsec packet.

IPsec does not accept a packet for which it has already seen the same sequence number. It checks the sequence numbers and enforces the check rather than just ignoring the sequence numbers.

Disable this option if there is an error with the IPsec mechanism that results in out-of-order packets, preventing proper functionality.

By default, Anti-Replay detection is enabled.

Install interval

Select the maximum number of seconds to allow for the installation of a re-keyed outbound security association (SA) on the device.

Idle Time

Select the appropriate idle time interval.

The sessions and their corresponding translations typically time out after a certain period if no traffic is received.

DF Bit

Select an option to process the Don’t Fragment (DF) bit in IP messages.

  • Clear—Disable the DF bit from the IP messages. This is the default option.

  • Copy—Copy the DF bit to the IP messages.

  • Set—Enable the DF bit in the IP messages.

Copy Outer DSCP

Enable this option to allow copying of the Differentiated Services Code Point (DSCP) field from the outer IP header encrypted packet to the inner IP header plain text message on the decryption path.

The benefit in enabling this feature is that after IPsec decryption, clear text packets can follow the inner class-of-service (CoS) rules.

Lifetime Seconds

Select a lifetime of an IKE security association (SA).

The valid range is from 180 through 86400 seconds.

Lifetime Kilobytes

Select the lifetime in kilobytes of an IPsec security association (SA).

The valid range is from 64 through 4294967294 kilobytes.