Juniper Networks supports Internet Protocol Security (IPSec) technology for creating virtual private network (VPN) tunnels with two kinds of mechanisms for creating keys:
Manual Key
AutoKey Internet Key Exchange (IKE) with a preshared key or a certificate
When you need to create and manage numerous tunnels, you need a method that does not require you to manually configure every element. IPSec supports the automated generation and negotiation of keys and security associations (SAs) using the Internet Key Exchange (IKE) protocol. This type of automated tunnel negotiation is known as AutoKey IKE. Juniper Networks supports AutoKey IKE with preshared keys and certificates.
VPN Name: Enter the name of the VPN tunnel you want to create. You can use up to a maximum of 32 characters.
Security Level: Setting a security level is an alternative to setting Phase 1 and Phase 2 proposals. By selecting a security level, ScreenOS automatically applies the proposals predefined for that security level. Select one of the following Phase 2 security levels:
Standard: The predefined Phase 2 proposals for the Standard security level are g2-esp-3des-sha and g2-esp-aes128-sha.
Compatible: The predefined Phase 2 proposals for the Compatible security level are nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5.
Basic: The predefined Phase 2 proposals for the Basic security level are nopfs-esp-des-sha and nopfs-esp-des-md5.
Custom: Select this option if you want to define your own proposals. You can define the proposals on the advanced configuration page.
Remote Gateway: Select either:
Predefined: Select this option if you want to use a gateway that you already configured. Also select a gateway from the drop-down list.
Create a Simple Gateway: Select this option if you want to create a new gateway for this AutoKey IKE VPN tunnel.
If you select Predefined, select a remote gateway from the drop-down list.
If you select Create a Simple Gateway, enter the necessary information:
Gateway Name: Enter a name for the gateway.
Type: Select one of the following types:
Static IP: Enter the fixed IP address or hostname (or hostname + domain name) of the remote gateway.
Dynamic IP: Enter the Peer ID of the Dynamic IP Address. This can be an e-mail address, a fully qualified domain name (FQDN), or an IP address.
Dialup User: Select a dialup user from the drop-down list.
Dialup Group: Select a dialup user group from the drop-down list.
Local ID: (Required only for certificates) Enter the e-mail address, fully qualified domain name (FQDN), or IP address that appears in the certificate that you are using for authentication.
Preshared Key: Enter the same ASCII value that the peer will enter at the other end of the tunnel.
Use As Seed: Select this option to use the preshared key as the seed value.
Security Level: Setting a security level is an alternative to setting Phase 1 and Phase 2 proposals. By selecting a security level, ScreenOS automatically applies the proposals predefined for that security level. Select one of the following Phase 1 security levels:
Standard: The predefined Phase 1 proposals for the Standard security level are pre-g2-3des-sha and pre-g2-aes128-sha.
Compatible: The predefined Phase 1 proposals for the Compatible security level are pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5.
Basic: The predefined Phase 1 proposals for the Basic security level are pre-g1-des-sha and pre-g1-des-md5.
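The Phase 1 and Phase 2 security levels above differ only in which ciphers, hashes and Diffie-Hellman (PFS) groups their proposal sets admit, and a peer may negotiate any proposal in the set, so a level is only as strong as its weakest member. The following Python script is an added example, not Juniper code: it decodes proposal names using a naming convention inferred from the names listed on this page (an assumption, not a published Juniper specification), applies this example's own policy thresholds, and reports what each predefined level would let a peer negotiate.

```python
import re

# Predefined proposal sets per security level, as listed on the page.
PHASE1_LEVELS = {
    "Standard": ["pre-g2-3des-sha", "pre-g2-aes128-sha"],
    "Compatible": ["pre-g2-3des-sha", "pre-g2-3des-md5", "pre-g2-des-sha", "pre-g2-des-md5"],
    "Basic": ["pre-g1-des-sha", "pre-g1-des-md5"],
}
PHASE2_LEVELS = {
    "Standard": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5", "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
}

# Naming convention ASSUMED from the names on the page (not a published Juniper spec):
#   Phase 1: <auth>-g<dh-group>-<cipher>-<hash>                e.g. pre-g2-3des-sha
#   Phase 2: (g<pfs-group>|nopfs)-<proto>[-<cipher>]-<hash>     e.g. nopfs-esp-des-md5
PHASE1_RE = re.compile(r"^(?P<auth>[a-z]+)-g(?P<group>\d+)-(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$")
PHASE2_RE = re.compile(r"^(?P<pfs>g\d+|nopfs)-(?P<proto>esp|ah)(?:-(?P<enc>[a-z0-9]+))?-(?P<hash>[a-z0-9]+)$")

# This example's own policy thresholds; adjust them to your organisation's baseline.
WEAK_CIPHERS = {
    "des": "DES (56-bit key) is brute-forceable",
    "3des": "3DES is deprecated (64-bit block, Sweet32)",
}
WEAK_HASHES = {"md5": "HMAC-MD5 is deprecated"}
MIN_DH_GROUP = 14  # 2048-bit MODP


def parse_proposal(name, phase):
    """Split a ScreenOS-style proposal name into its components."""
    m = (PHASE1_RE if phase == 1 else PHASE2_RE).match(name)
    if not m:
        raise ValueError(f"unrecognised phase {phase} proposal name: {name!r}")
    d = m.groupdict()
    if phase == 1:
        return {"auth": d["auth"], "group": int(d["group"]), "enc": d["enc"], "hash": d["hash"]}
    pfs = None if d["pfs"] == "nopfs" else int(d["pfs"][1:])
    return {"pfs_group": pfs, "proto": d["proto"], "enc": d["enc"], "hash": d["hash"]}


def findings(name, phase):
    """Return the list of weaknesses a single proposal would admit (empty if none)."""
    p = parse_proposal(name, phase)
    out = []
    if p["enc"] in WEAK_CIPHERS:
        out.append(WEAK_CIPHERS[p["enc"]])
    if p["hash"] in WEAK_HASHES:
        out.append(WEAK_HASHES[p["hash"]])
    group = p["group"] if phase == 1 else p["pfs_group"]
    if phase == 2 and group is None:
        out.append("no PFS: compromise of the Phase 1 secret exposes every Phase 2 key")
    elif group is not None and group < MIN_DH_GROUP:
        out.append(f"DH group {group} is below {MIN_DH_GROUP} (2048-bit MODP)")
    return out


def level_findings(level, phase):
    """Findings per proposal in a predefined security level. A peer may pick any
    proposal in the set, so the level is only as strong as its weakest member."""
    table = PHASE1_LEVELS if phase == 1 else PHASE2_LEVELS
    return {name: findings(name, phase) for name in table[level]}


def is_clean(level, phase):
    """True only if every proposal in the level passes the policy above."""
    return all(not f for f in level_findings(level, phase).values())


if __name__ == "__main__":
    for phase, table in ((1, PHASE1_LEVELS), (2, PHASE2_LEVELS)):
        for level in table:
            print(f"Phase {phase} {level}:")
            for name, fs in level_findings(level, phase).items():
                print(f"  {name}: {'; '.join(fs) if fs else 'ok'}")
```

Run as a script it prints one line per proposal; `findings()` also accepts names you define under the Custom option, so the same check can be applied to your own proposal list. Under these thresholds even the Standard level is reported, because its proposals use DH group 2 and 3DES; the Compatible and Basic levels additionally admit DES, MD5 and, in Phase 2, no PFS at all.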
Outgoing Interface: Select the interface you want to use to terminate the VPN tunnel on the local device.
Click OK to save your settings.
Click Advanced to complete the AutoKey IKE VPN configuration. For more information, see AutoKey IKE VPN Tunnel Advanced Configuration.
VPN Name: Enter the name of the VPN tunnel you want to create for AC-VPN. You can use a maximum of 32 characters.
ACVPN-Profile: Select this option button. If you have only one AC-VPN gateway configured, it appears in the Binding To Tunnel drop-down menu. If you have more than one AC-VPN gateway configured, select the correct gateway.
Click OK.
Next, you must configure NHRP on the virtual router. Go to Network > Routing > Virtual Routers.
For trust-vr, click Edit.
Scroll down to NHRP and click NHRP Settings.
Check the NHRP Enable checkbox.
Check the NHS Setting checkbox. The ACVPN-Profile you created appears in the Profile drop-down menu. If you have created more than one ACVPN-Profile, select the correct one.
Click Apply.
VPN Name: Enter the name of the VPN tunnel you want to create for AC-VPN. You can use a maximum of 32 characters.
ACVPN-Dynamic: Select this option button. The Gateway drop-down menu displays your AC-VPN gateway; if you have more than one AC-VPN gateway configured, select the correct gateway. Tunnel Towards Hub displays the name of the static tunnel to the hub. If you have more than one configured, select the correct one.
Click OK.
Next, you must configure NHRP on the virtual router. Go to Network > Routing > Virtual Routers.
For trust-vr, click Edit.
Scroll down to NHRP and click NHRP Settings.
Check the NHRP Enable checkbox.
Check the NHC Setting checkbox.
In the NHS IP Address field, enter the address of the tunnel interface of the NHS.
Click Apply.
Click Cache Setting.
In the Cache field, enter the IP address and subnet mask of the subnetwork of the NHC.
Click Apply.
Go to Network > Interfaces, and click Edit for the tunnel interface.
Check the NHRP Enable checkbox.
Click OK.