Understanding AutoVPN - Technical Documentation - Support - Juniper Networks


3/15/2016

Understanding AutoVPN - Technical Documentation - Support - Juniper Networks

Understanding AutoVPN
AutoVPN supports an IPsec VPN aggregator (known as a hub) that serves as a single termination point
for multiple tunnels to remote sites (known as spokes). AutoVPN allows network administrators to
configure a hub for current and future spokes. No configuration changes are required on the hub when
spoke devices are added or deleted, thus allowing administrators flexibility in managing large-scale
network deployments.
Secure Tunnel Modes
Authentication
Configuration and Management

Secure Tunnel Modes
AutoVPN is supported on route-based IPsec VPNs. For route-based VPNs, you configure a secure tunnel
(st0) interface and bind it to an IPsec VPN tunnel. st0 interfaces in AutoVPN networks can be configured
in one of two modes:
Point-to-point mode: By default, an st0 interface configured at the [edit interfaces st0 unit x] hierarchy
level is in point-to-point mode.
Point-to-multipoint mode: In this mode, the multipoint option is configured at the [edit interfaces st0
unit x] hierarchy level on both AutoVPN hub and spokes. st0 interfaces on the hub and spokes must be numbered,
and the IP address configured on a spoke must exist in the hub's st0 interface subnetwork.

Table 1 compares AutoVPN point-to-point and point-to-multipoint secure tunnel interface modes.

Table 1: Comparison Between AutoVPN Point-to-Point and Point-to-Multipoint Secure Tunnel Modes

| Point-to-Point Mode | Point-to-Multipoint Mode |
|---|---|
| Uses traffic selectors to forward packets through VPN tunnels. Traffic selectors must be configured on each spoke. Administrator needs to be aware of the types of traffic that need to be permitted through the VPN tunnel. | Uses dynamic routing protocol to forward packets through VPN tunnels. The dynamic routing protocol must run in point-to-multipoint mode. |
| Does not support dynamic routing protocols on the st0 interface when traffic selectors are configured. | Cannot configure an st0 interface in point-to-multipoint mode with traffic selectors. |
| Supports IPv4 traffic only. | Supports IPv4 traffic only. |
| Allows spoke devices to be non-SRX Series devices. | Requires that hub and spoke devices are SRX Series devices. |
| Supports IKEv1 or IKEv2. | Supports IKEv1 only. |
| Supports dead peer detection only. | Supports dead peer detection and VPN monitoring. |
| Supports larger numbers of tunnels and spokes. | |
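The following Junos set-style configuration is an added illustration of the two st0 modes described above; it is not taken from the Juniper page. Interface names, gateway and VPN names, addresses and the wildcard subject string are constructed, and the IKE policy ike-pol and IPsec policy ipsec-pol are assumed to be defined elsewhere (certificate-based, as AutoVPN requires).

```junos
# Hub in point-to-multipoint mode (constructed example).
# st0.0 is numbered; every spoke must take an address from 10.10.10.0/24.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.10.10.1/24
# One gateway serves all current and future spokes: spokes are matched on
# the certificate subject (group IKE ID), so adding a spoke needs no hub change.
set security ike gateway hub-gw ike-policy ike-pol
set security ike gateway hub-gw dynamic distinguished-name wildcard "OU=spokes,O=example"
set security ike gateway hub-gw dynamic ike-user-type group-ike-id
set security ike gateway hub-gw dead-peer-detection
set security ike gateway hub-gw local-identity distinguished-name
set security ike gateway hub-gw external-interface ge-0/0/0.0
set security ipsec vpn hub-vpn bind-interface st0.0
set security ipsec vpn hub-vpn ike gateway hub-gw
set security ipsec vpn hub-vpn ike ipsec-policy ipsec-pol
# VPN monitoring is available only in point-to-multipoint mode (Table 1).
set security ipsec vpn hub-vpn vpn-monitor
# Routing over the tunnel: the IGP must run in point-to-multipoint mode;
# no traffic selectors are configured on this VPN.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors

# Spoke in point-to-point mode (constructed example).
# st0.0 may stay unnumbered; forwarding is decided by traffic selectors,
# so the administrator must enumerate the traffic allowed through the tunnel.
set interfaces st0 unit 0 family inet
set security ike gateway spoke-gw ike-policy ike-pol
set security ike gateway spoke-gw address 192.0.2.1
set security ike gateway spoke-gw local-identity distinguished-name
set security ike gateway spoke-gw remote-identity distinguished-name
set security ike gateway spoke-gw external-interface ge-0/0/0.0
# IKEv2 is permitted in point-to-point mode but not in point-to-multipoint mode.
set security ike gateway spoke-gw version v2-only
set security ike gateway spoke-gw dead-peer-detection
set security ipsec vpn spoke-vpn bind-interface st0.0
set security ipsec vpn spoke-vpn ike gateway spoke-gw
set security ipsec vpn spoke-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn spoke-vpn traffic-selector ts-branch local-ip 10.20.0.0/24 remote-ip 10.0.0.0/16
set security ipsec vpn spoke-vpn establish-tunnels immediately
```

The OSPF dynamic-neighbors statement is assumed to be required for the hub to learn spoke neighbors over the multipoint st0 interface; commit the configuration on each device and verify with show security ike security-associations and show security ipsec security-associations.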

http://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/securityautovpnunderstanding.html


Authentication
The supported authentication for AutoVPN hubs and spokes is X.509 public key infrastructure (PKI)
certificates. The group IKE user type configured on the hub allows strings to be specified to match the
alternate subject field in spoke certificates. Partial matches for the subject fields in spoke certificates can
also be specified. See Understanding Spoke Authentication in AutoVPN Deployments.

Configuration and Management
AutoVPN is configured and managed on SRX Series devices using the CLI. Multiple AutoVPN hubs can be
configured on a single SRX Series device. The maximum number of spokes supported by a configured hub
is specific to the model of the SRX Series device.

Related Documentation
SRX Series
Understanding AutoVPN Limitations
Understanding Spoke Authentication in AutoVPN Deployments
AutoVPN Configuration Overview

Published: 2015-02-17
