AutoKey IKE VPN Tunnel Configuration

Juniper Networks supports IPSec technology for creating VPN tunnels with two kinds of key-creation mechanism; this page describes the automated one, AutoKey IKE.

When you need to create and manage numerous tunnels, you need a method that does not require you to configure every element manually. IPSec supports the automated generation and negotiation of keys and security associations using the Internet Key Exchange (IKE) protocol. Juniper Networks refers to such automated tunnel negotiation as AutoKey IKE and supports AutoKey IKE with preshared keys and AutoKey IKE with certificates.

To Configure an AutoKey IKE VPN Tunnel

  1. VPN Name: Enter the name of the VPN tunnel you want to create. The name can be up to 32 characters long.

  2. Security Level: Setting a security level is an alternative to setting Phase 1 and Phase 2 proposals. By selecting a security level, ScreenOS automatically applies the proposals predefined for that security level. Select one of the following Phase 2 security levels:

Standard: The predefined Phase 2 proposals for the Standard security level are g2-esp-3des-sha and g2-esp-aes128-sha.

Compatible: The predefined Phase 2 proposals for the Compatible security level are nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5.

Basic: The predefined Phase 2 proposals for the Basic security level are nopfs-esp-des-sha and nopfs-esp-des-md5.

Custom: Select this option if you want to define your own proposals. You can define the proposals on the advanced configuration page.

  3. Remote Gateway: Select either:

Predefined: Select this option to use a gateway that you have already configured, then select that gateway from the drop-down list.

Create a Simple Gateway: Select this option if you want to create a new gateway for this AutoKey IKE VPN tunnel.

  4. If you selected Predefined, choose the remote gateway from the drop-down list.

If you selected Create a Simple Gateway, enter the following information:

Gateway Name: Enter a name for the gateway.

Type: Select one of the following types:

Static IP: Enter the fixed IP address or hostname (or hostname + domain name) of the remote gateway.

Dynamic IP: Enter the peer ID of the remote gateway that has a dynamic IP address. This can be an e-mail address, a fully qualified domain name (FQDN), or an IP address.

Dialup User: Select a dialup user from the drop-down list.

Dialup Group: Select a dialup user group from the drop-down list.

Local ID: (Required only for certificates) Enter the e-mail address, fully qualified domain name (FQDN), or IP address that appears in the certificate that you are using for authentication.

Preshared Key: Enter the same ASCII value that is configured at the other end of the tunnel.

Use As Seed: Select this option to use the preshared key as the seed value.

Security Level: Setting a security level is an alternative to setting Phase 1 and Phase 2 proposals. By selecting a security level, ScreenOS automatically applies the proposals predefined for that security level. Select one of the following Phase 1 security levels:

Standard: The predefined Phase 1 proposals for the Standard security level are pre-g2-3des-sha and pre-g2-aes128-sha.

Compatible: The predefined Phase 1 proposals for the Compatible security level are pre-g2-3des-sha, pre-g2-3des-md5, pre-g2-des-sha, and pre-g2-des-md5.

Basic: The predefined Phase 1 proposals for the Basic security level are pre-g1-des-sha and pre-g1-des-md5.

Outgoing Interface: Select the interface you want to use to terminate the VPN tunnel on the local device.

  5. Click OK to save your settings.

  6. Click Advanced to complete the AutoKey IKE VPN configuration. For more information, see AutoKey IKE VPN Tunnel Advanced Configuration.
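The Phase 2 security levels in step 2 and the Phase 1 security levels of the simple gateway in step 4 each bundle several predefined proposals, and the proposal names encode what is negotiated. As an added example (not ScreenOS code and not from this page), the following Python parses those names and reports which predefined sets rely on single DES, MD5, Diffie-Hellman group 1 or no PFS; the proposal lists are copied from this page, while the policy thresholds are assumptions.

```python
# Predefined ScreenOS proposal sets per security level, as listed on this page.
PHASE1_LEVELS = {
    "Standard": ["pre-g2-3des-sha", "pre-g2-aes128-sha"],
    "Compatible": ["pre-g2-3des-sha", "pre-g2-3des-md5",
                   "pre-g2-des-sha", "pre-g2-des-md5"],
    "Basic": ["pre-g1-des-sha", "pre-g1-des-md5"],
}
PHASE2_LEVELS = {
    "Standard": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
}
MIN_DH_GROUP = 2  # assumption: DH group 1 (768-bit MODP) is not acceptable

def parse_phase1(name):
    """'pre-g2-3des-sha' -> auth method, DH group, encryption, hash."""
    auth, group, enc, hsh = name.split("-")
    return {"auth": auth, "dh_group": int(group[1:]), "enc": enc, "hash": hsh}

def parse_phase2(name):
    """'nopfs-esp-des-md5' -> PFS group (None = no PFS), protocol, encryption, hash."""
    pfs, proto, enc, hsh = name.split("-")
    return {"pfs_group": None if pfs == "nopfs" else int(pfs[1:]),
            "proto": proto, "enc": enc, "hash": hsh}

def weaknesses(p):
    """Return the reasons a parsed proposal fails the policy (empty list = passes)."""
    found = []
    if p["enc"] == "des":
        found.append("single-DES encryption")
    if p["hash"] == "md5":
        found.append("MD5 integrity")
    if p.get("pfs_group", 0) is None:   # only Phase 2 entries carry pfs_group
        found.append("no PFS")
    group = p.get("dh_group") or p.get("pfs_group")
    if group is not None and group < MIN_DH_GROUP:
        found.append(f"DH group {group}")
    return found

def audit_level(phase, level):
    """Map each predefined proposal of a security level to its weaknesses."""
    levels, parse = (PHASE1_LEVELS, parse_phase1) if phase == 1 else (PHASE2_LEVELS, parse_phase2)
    return {name: weaknesses(parse(name)) for name in levels[level]}

def clean_levels(phase):
    """Security levels whose every predefined proposal passes the policy."""
    levels = PHASE1_LEVELS if phase == 1 else PHASE2_LEVELS
    return [lvl for lvl in levels if not any(audit_level(phase, lvl).values())]
```

Under these thresholds only the Standard level passes for both phases; Compatible and Basic always include a single-DES proposal, and their Phase 2 sets never offer PFS.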