Understanding AutoVPN - Technical Documentation - Support - Juniper Networks
Understanding AutoVPN
AutoVPN supports an IPsec VPN aggregator (known as a hub) that serves as a single termination point
for multiple tunnels to remote sites (known as spokes). AutoVPN allows network administrators to
configure a hub for current and future spokes. No configuration changes are required on the hub when
spoke devices are added or deleted, thus allowing administrators flexibility in managing large-scale
network deployments.
Secure Tunnel Modes
Authentication
Configuration and Management
Secure Tunnel Modes
AutoVPN is supported on route-based IPsec VPNs. For route-based VPNs, you configure a secure tunnel
(st0) interface and bind it to an IPsec VPN tunnel. st0 interfaces in AutoVPN networks can be configured
in one of two modes:
Point-to-point mode: By default, an st0 interface configured at the [edit interfaces st0 unit x] hierarchy
level is in point-to-point mode.
Point-to-multipoint mode: In this mode, the multipoint option is configured at the [edit interfaces st0
unit x] hierarchy level on both AutoVPN hub and spokes. st0 interfaces on the hub and spokes must be numbered
and the IP address configured on a spoke must exist in the hub's st0 interface subnetwork.
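A pre-deployment check for the point-to-multipoint requirements above, as an added example that is not part of Juniper's documentation: it reads `set`-format configuration text and reports any device that lacks the multipoint option, has an unnumbered st0, or (for a spoke) has an st0 address outside the hub's st0 subnetwork. The sample configurations, unit number, addresses and function names are constructed for illustration; the check assumes IPv4 (family inet) and the same st0 unit number on hub and spokes.

```python
import ipaddress
import re

# Constructed sample configs in Junos "set" format; unit 0 and all addresses are made up.
HUB = ("set interfaces st0 unit 0 multipoint\n"
       "set interfaces st0 unit 0 family inet address 10.10.10.1/24\n")
SPOKES = {
    "spoke1": ("set interfaces st0 unit 0 multipoint\n"
               "set interfaces st0 unit 0 family inet address 10.10.10.2/24\n"),
    "spoke2": ("set interfaces st0 unit 0 multipoint\n"  # address outside hub subnet
               "set interfaces st0 unit 0 family inet address 10.20.20.3/24\n"),
    "spoke3": "set interfaces st0 unit 0 family inet address 10.10.10.4/24\n",  # no multipoint
    "spoke4": "set interfaces st0 unit 0 multipoint\n",  # unnumbered
}
ST0_RE = re.compile(r"^set interfaces st0 unit (\d+) (multipoint|family inet address (\S+))$")

def parse_st0(config, unit=0):
    """Return (multipoint_configured, [IPv4Interface, ...]) for st0 unit `unit`."""
    multipoint, addrs = False, []
    for line in config.splitlines():
        m = ST0_RE.match(" ".join(line.split()))  # normalise whitespace
        if not m or int(m.group(1)) != unit:
            continue
        if m.group(3):
            addrs.append(ipaddress.ip_interface(m.group(3)))
        else:
            multipoint = True
    return multipoint, addrs

def check_p2mp(hub_cfg, spoke_cfgs, unit=0):
    """Return {device: [problem, ...]}; an empty dict means every check passed."""
    hub_mp, hub_addrs = parse_st0(hub_cfg, unit)
    hub_nets = [a.network for a in hub_addrs]
    report = {}
    for name, (mp, addrs) in [("hub", (hub_mp, hub_addrs))] + [
            (n, parse_st0(c, unit)) for n, c in spoke_cfgs.items()]:
        issues = []
        if not mp:
            issues.append("multipoint not configured")
        if not addrs:
            issues.append("st0 is unnumbered")
        elif name != "hub" and not any(a.ip in net for a in addrs for net in hub_nets):
            issues.append("address not in hub st0 subnet")
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    for device, issues in check_p2mp(HUB, SPOKES).items():
        print(device, "->", "; ".join(issues))
```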
Table 1 compares AutoVPN point-to-point and point-to-multipoint secure tunnel interface modes.
Table 1: Comparison Between AutoVPN Point-to-Point and Point-to-Multipoint Secure Tunnel Modes
Point-to-Point Mode
Point-to-Multipoint Mode
http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/securityautovpnunderstanding.html
3/15/2016
Authentication
The supported authentication for AutoVPN hubs and spokes is X.509 public key infrastructure (PKI)
certificates. The group IKE user type configured on the hub allows strings to be specified to match the
alternate subject field in spoke certificates. Partial matches for the subject fields in spoke certificates can
also be specified. See Understanding Spoke Authentication in AutoVPN Deployments.
Configuration and Management
AutoVPN is configured and managed on SRX Series devices using the CLI. Multiple AutoVPN hubs can be
configured on a single SRX Series device. The maximum number of spokes supported by a configured hub
is specific to the model of the SRX Series device.
Related Documentation
SRX Series
Understanding AutoVPN Limitations
Published: 2015-02-17