
http://www.juniper.fr/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/vpn-dynamic-config-overview.html#vpn-dynamic-config-overview
Configuring a Dynamic VPN—Overview

The dynamic VPN feature secures traffic through your network by passing it through IPsec VPN tunnels. To configure an IPsec VPN tunnel, you must specify Phase 1 settings (which enable participants to establish a secure channel in which to negotiate the IPsec security association (SA)), and Phase 2 settings (which enable participants to negotiate the IPsec SA that authenticates traffic flowing through the tunnel). This section describes the order in which you must configure these tunnel negotiation settings as well as other tasks you must complete in order to enable the tunnels on your network.

The dynamic VPN feature is disabled by default on the device. You must enable and configure it before you can use it.

Before You Begin

For background information, read:
   - Dynamic VPN Overview.
   - Virtual Private Networks (VPNs) Overview.
   - Understanding IKE and IPsec Packet Processing.

To configure the dynamic VPN feature, you must do the following:


1. Define an outgoing interface by using the edit interfaces configuration statement. Use this interface to pass IKE security associations (SAs) through the device. (You will need to select this interface when configuring your IKE gateway.) For more information about interfaces, see the JUNOS Software Interfaces and Routing Configuration Guide.

2. Create security policies by using the edit security policies configuration statement. Use these policies to define which traffic can pass through your network. (After you create your VPN configuration, you will need to add it to this policy.) For more information about security policies, see Security Policies Overview.

3. Create at least one access profile by using the edit access profile configuration statement. Use the access profile(s) to control the authentication of users who want to download Access Manager and users who want to establish dynamic VPN tunnels to your firewall. (You will need to select these access profiles when configuring your IKE gateway and dynamic VPN global options. Note that you can use the same access profile to authenticate users in both cases, or you can use separate access profiles to authenticate downloads and VPN sessions.) For more information about access profiles, see Understanding Authentication Schemes.

4. Create an IKE gateway to include in your VPN configuration:

   a. Create one or more IKE Phase 1 proposals by using the edit security ike proposal configuration statement. (You will need to select this proposal when configuring your IKE policy.) For more detailed configuration instructions, see:
      - Configuring an IKE Phase 1 Proposal (Standard and Dynamic VPNs)
      - Configuring an IKE Phase 1 Proposal— (Dynamic VPNs)

   b. Create one or more IKE policies by using the edit security ike policy configuration statement. (You will need to select this policy when configuring your IKE gateway.) For more detailed configuration instructions, see:
      - Configuring an IKE Policy (Standard and Dynamic VPNs)
      - Configuring an IKE Policy—(Dynamic VPNs)

   c. Create an IKE gateway configuration by using the edit security ike gateway configuration statement. (You will need to select this gateway when configuring your IPsec AutoKey.) For more detailed configuration instructions, see:
      - Configuring an IKE Gateway (Standard and Dynamic VPNs)
      - Configuring an IKE Gateway—Quick Configuration (Dynamic VPNs)

5. Create an IPsec AutoKey to include in your VPN configuration:

   a. Create one or more IPsec Phase 2 proposals by using the edit security ipsec proposal configuration statement. (You will need to select this proposal when configuring your IPsec policy.) For more detailed configuration instructions, see:
      - Configuring an IPsec Phase 2 Proposal (Standard and Dynamic VPNs)
      - Configuring an IPsec Phase 2 Proposal—Quick Configuration (Dynamic VPNs)

   b. Create one or more IPsec policies by using the edit security ipsec policy configuration statement. (You will need to select this policy when configuring your IPsec AutoKey.) For more detailed configuration instructions, see:
      - Configuring an IPsec Policy (Standard and Dynamic VPNs)
      - Configuring an IPsec Policy—Quick Configuration (Dynamic VPNs)

   c. Create an IKE AutoKey configuration by using the edit security ipsec autokey configuration statement. (You will need to select this IKE AutoKey configuration when configuring your VPN client configuration.) For more detailed configuration instructions, see:
      - Configuring IPsec AutoKey (Standard and Dynamic VPNs)
      - Configuring an IPsec Autokey—Quick Configuration (Dynamic VPNs)

6. Create a client VPN configuration by using the edit security dynamic-vpn clients configuration statement. The settings are downloaded as part of the client to your users' computers and are used to establish the dynamic VPN tunnels between the clients and the server. For more detailed configuration instructions, see:
      - Creating a Client Configuration—Quick Configuration (Dynamic VPNs)
      - Creating a Client Configuration (Dynamic VPNs)

7. Update your security policy (or policies) to include your client VPN configuration by using the edit security from-zone zone-name to-zone zone-name policy then permit tunnel ipsec-vpn vpn-name configuration statement. For more information about policies, see Security Policies Overview.

8. Specify global settings for client downloads by using the edit security dynamic-vpn access-profile configuration statement and the edit security dynamic-vpn force-upgrade configuration statement. For more detailed configuration instructions, see:
      - Configuring Global Client Download Settings—Quick Configuration (Dynamic VPNs)
      - Configuring Global Client Download Settings (Dynamic VPNs)
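
The steps above, written out as one set-style configuration so the cross-references between objects are visible. This is an added example, not taken from the Juniper page: every object name, zone name, address and algorithm choice is a constructed sample value, the AutoKey step is written under the security ipsec vpn hierarchy as an assumption, and each statement should be checked against the CLI reference for your release and against what the Access Manager client supports.

```junos
# Added example: all names, addresses and algorithm values are constructed.
# Step 1: outgoing interface (selected below as the gateway's external interface)
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/24
# Step 3: access profile used for client downloads and for VPN sessions
set access profile dvpn-users client alice firewall-user password "<user-password>"
# Step 4a: IKE Phase 1 proposal
set security ike proposal dvpn-p1 authentication-method pre-shared-keys
set security ike proposal dvpn-p1 dh-group group5
set security ike proposal dvpn-p1 authentication-algorithm sha-256
set security ike proposal dvpn-p1 encryption-algorithm aes-256-cbc
# Step 4b: IKE policy selects the Phase 1 proposal
set security ike policy dvpn-ike-pol mode aggressive
set security ike policy dvpn-ike-pol proposals dvpn-p1
set security ike policy dvpn-ike-pol pre-shared-key ascii-text "<pre-shared-key>"
# Step 4c: IKE gateway selects the IKE policy, the interface and the access profile
set security ike gateway dvpn-gw ike-policy dvpn-ike-pol
set security ike gateway dvpn-gw dynamic hostname dvpn
set security ike gateway dvpn-gw dynamic connections-limit 10
set security ike gateway dvpn-gw dynamic ike-user-type group-ike-id
set security ike gateway dvpn-gw external-interface ge-0/0/0.0
set security ike gateway dvpn-gw xauth access-profile dvpn-users
# Step 5a: IPsec Phase 2 proposal
set security ipsec proposal dvpn-p2 protocol esp
set security ipsec proposal dvpn-p2 authentication-algorithm hmac-sha-256-128
set security ipsec proposal dvpn-p2 encryption-algorithm aes-256-cbc
# Step 5b: IPsec policy selects the Phase 2 proposal
set security ipsec policy dvpn-ipsec-pol proposals dvpn-p2
# Step 5c: AutoKey VPN selects the IKE gateway and the IPsec policy
set security ipsec vpn dvpn ike gateway dvpn-gw
set security ipsec vpn dvpn ike ipsec-policy dvpn-ipsec-pol
# Step 6: client configuration selects the AutoKey VPN and the permitted users
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all ipsec-vpn dvpn
set security dynamic-vpn clients all user alice
# Steps 2 and 7: security policy limited to the protected network, bound to the VPN
set security zones security-zone trust address-book address protected-net 10.0.0.0/8
set security policies from-zone untrust to-zone trust policy dvpn-in match source-address any
set security policies from-zone untrust to-zone trust policy dvpn-in match destination-address protected-net
set security policies from-zone untrust to-zone trust policy dvpn-in match application any
set security policies from-zone untrust to-zone trust policy dvpn-in then permit tunnel ipsec-vpn dvpn
# Step 8: global client download settings
set security dynamic-vpn access-profile dvpn-users
set security dynamic-vpn force-upgrade
```

Each object is defined before the statement that selects it, which is the ordering the procedure asks for; a commit fails if a referenced proposal, policy, gateway or profile does not exist.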
