Which Junos interface type is used in route-based IPsec VPN to represent the tunnel?

Correct: c. st0 is the Junos secure-tunnel logical interface. It is created, bound to an IPsec VPN, placed in a security zone, and traffic routed to it is encrypted and forwarded through the tunnel. No other interface type serves this role.

Why does AutoVPN require IKEv2 and certificate-based authentication rather than pre-shared keys?

Correct: a. A pre-shared key is per-peer — you would need a separate IKE gateway and PSK for every spoke. Certificates with IKEv2 let the hub match any spoke whose certificate DN matches the CA, all from one gateway definition. IKEv2 is also required for ADVPN.

You need spoke SRXs to talk directly to each other without hairpinning via the hub. Which feature enables this?

Correct: b. ADVPN (Auto-Discovery VPN) is specifically designed for spoke-to-spoke shortcuts. The hub acts as an ADVPN suggester, signalling the two spokes to build a direct IKEv2 tunnel. Without ADVPN, spoke-to-spoke traffic hairpins through the hub, adding latency and hub load.

Show security ipsec security-associations shows the tunnel is active but bytes-encrypted stays at 0. What should you check next?

Correct: c. When both SAs are active but no traffic flows, the IPsec negotiation succeeded but traffic is not being directed into the tunnel. The two most common causes are: missing static/dynamic route via st0, or absent/incorrect security policy between the source and VPN zones.

A network engineer proposes using policy-based VPN for a new hub-and-spoke deployment with 30 branches. What is the strongest objection?

Correct: b. Policy-based VPN has no st0 interface, so no dynamic routing protocol can run over it. It also does not support AutoVPN or ADVPN. Managing 30 individual policy-based tunnels (one policy per subnet pair per spoke) is operationally painful and does not scale. Route-based with AutoVPN is the correct choice.

Which authentication method should be chosen for Juniper Secure Connect remote-access VPN users?

Correct: b. Juniper Secure Connect is designed to use IKEv2 with EAP. EAP allows individual user authentication (username + password) inside the IKEv2 exchange, with validation against a local user database or RADIUS. Pre-shared keys are per-gateway, not per-user, so they cannot provide individual accountability for remote access.

Juniper SRX IPsec VPN Deep Dive — Route-Based, IKEv2 & AutoVPN (2026)

Q: Which IPsec VPN mode on Juniper SRX supports running OSPF or BGP over the tunnel?

Correct: b. Route-based VPN routes traffic through the st0 logical interface. Because st0 behaves like any interface, you can run OSPF or BGP on it. Policy-based VPN has no st0, so no routing protocol can run over it.

Q: What is the minimum number of messages IKEv2 uses to establish an IKE SA and the first Child SA?

Correct: c. IKEv2 collapses everything into four messages: two IKE_SA_INIT messages (negotiate crypto) and two IKE_AUTH messages (authenticate peers and create the first Child SA). IKEv1 required nine messages minimum.

Q: You are configuring an AutoVPN hub to accept 50 spoke SRXs. How does the hub authenticate each spoke without 50 separate gateway definitions?

Correct: a. AutoVPN uses certificate-based authentication. The hub IKE gateway is configured with an IKE ID type of distinguished-name (or wildcard). Each spoke presents its X.509 certificate; the hub validates the DN against the CA and accepts it. No hub config change is needed for new spokes.

Q: A route-based IPsec tunnel shows Phase 1 and Phase 2 up, but traffic is not passing. What is the most likely cause?

Correct: d. When both IKE SAs are up but traffic does not pass, the issue is almost always routing or policy. Either the st0 interface is not in the correct VPN zone, there is no policy permitting traffic between the trust and VPN zone through st0, or the route to the remote subnet via st0 is missing.

Most engineers think…

Most people treat IPsec VPN as 'configure the pre-shared key and it works'. That mental model breaks down fast in an interview and in production the moment you need to scale beyond two sites.

Juniper SRX IPsec is a two-mode system: route-based tunnels use an st0 secure-tunnel interface and the routing table to steer traffic, while policy-based tunnels use a tunnel action in a security policy and no st0. Understanding that split — and then layering on IKEv2, PKI, AutoVPN and ADVPN — is what separates a working engineer from one who copies config and hopes.

① Route-based vs policy-based — the most important choice

Juniper SRX supports two IPsec VPN modes that are not interchangeable. In a route-based VPN, a logical st0 interface is created, bound to the VPN, and traffic is routed into it just like any other interface. Security policies allow or deny traffic between the trust and VPN zones — but the st0 binding, not the policy, selects what goes through the tunnel.

In a policy-based VPN, there is no st0 interface. Instead, a security policy is written that matches the interesting traffic, and the action is set to tunnel with a named VPN. The tunnel is brought up on demand when a policy match happens. Policy-based VPN is simpler for a single site-to-site tunnel, but it does not support dynamic routing protocols (OSPF/BGP over the tunnel), AutoVPN, or ADVPN — all of which require route-based mode.

The interview rule: if you need dynamic routing, HA, AutoVPN, or ADVPN — use route-based. If you have a single static tunnel with a known subnet on each side and simplicity matters most, policy-based is acceptable. In practice, most enterprise deployments on Junos use route-based for flexibility.

Figure 1 — Route-based vs policy-based VPN

Route-based uses the routing table and an st0 interface; policy-based uses a tunnel action in a security policy with no st0.

Default to route-based in an interview

Unless the question explicitly says 'simple static tunnel with no dynamic routing', always propose route-based VPN. It is more scalable, supports OSPF/BGP over st0, and is the only mode that works with AutoVPN and ADVPN. Mentioning this trade-off shows you understand Junos VPN architecture.

Quick check · Q1 of 10 · Understand

Which IPsec VPN mode on Juniper SRX supports running OSPF or BGP over the tunnel?

a) Policy-based VPN — it uses a tunnel action in the security policyb) Route-based VPN — traffic goes through the st0 interface which can carry dynamic routingc) Both modes support dynamic routing equallyd) Neither — Junos VPN does not support routing protocols

Correct: b. Route-based VPN routes traffic through the st0 logical interface. Because st0 behaves like any interface, you can run OSPF or BGP on it. Policy-based VPN has no st0, so no routing protocol can run over it.

👉 So far: Route-based VPN uses an st0 interface + routing; policy-based uses a tunnel action in a security policy. Only route-based supports dynamic routing, AutoVPN and ADVPN.

② IKE Phase 1 & Phase 2 — IKEv1 vs IKEv2

IPsec on SRX always follows the same two-phase model. Phase 1 (IKE SA) authenticates the two peers and establishes a secure, encrypted channel. Phase 2 (IPsec SA / Child SA) negotiates the actual encryption and integrity algorithms for the data tunnel and generates the keys. A failed Phase 1 means Phase 2 never starts — so always check Phase 1 first when debugging.

IKEv1 vs IKEv2

IKEv1 uses nine messages minimum (six for Main Mode + three for Quick Mode) split into two phases. IKEv2, defined in RFC 7296, collapses this into four messages in a single exchange: IKE_SA_INIT (2 msgs) + IKE_AUTH (2 msgs). IKEv2 gains built-in EAP support for user auth, dead peer detection built into the protocol, and stronger DOS resistance. On Junos, set version v2-only at the gateway hierarchy to lock to IKEv2. AutoVPN and ADVPN require IKEv2. Both peers must match: authentication method (pre-shared key or certificates), DH group, encryption algorithm and lifetime.

Figure 2 — IKEv2 four-message exchange

IKEv2 collapses IKEv1's nine messages into four, establishing both the IKE SA and the first Child SA in one round-trip pair.

🔐

st0 Secure-Tunnel Interface

tap to flip

A logical interface on Junos bound to an IPsec VPN. Traffic routed to st0.X is encrypted and forwarded through the tunnel. Required for route-based VPNs, AutoVPN and ADVPN.

🔑

IKEv2 vs IKEv1

tap to flip

IKEv2 uses four messages (IKE_SA_INIT x2 + IKE_AUTH x2) vs IKEv1's nine. IKEv2 adds built-in EAP, dead-peer detection and better DOS resistance. Required for AutoVPN and ADVPN on Junos.

🏢

AutoVPN

tap to flip

Hub SRX defines one tunnel; spokes authenticate by X.509 certificate DN. Any new spoke joins without touching hub config. The hub st0 runs in point-to-multipoint mode; routing runs over st0.

⚡

ADVPN Shortcut

tap to flip

Extends AutoVPN: when two spokes communicate, the hub signals them to build a direct IKEv2 shortcut tunnel, cutting latency. Hub is the ADVPN suggester; spokes are ADVPN partners.

Mismatched proposals cause Phase 1 to never come up

Both peers must agree on the same IKE proposal (DH group, encryption cipher, authentication method, lifetime) and both must use the same IKE version. A common mistake is leaving one side on IKEv1 and the other on IKEv2. Also check that the pre-shared key or certificate matches exactly — a one-character PSK typo is the most common Phase 1 failure.

Quick check · Q2 of 10 · Remember

What is the minimum number of messages IKEv2 uses to establish an IKE SA and the first Child SA?

a) Six (same as IKEv1 Main Mode)b) Nine (six Main Mode + three Quick Mode)c) Four — IKE_SA_INIT (2) + IKE_AUTH (2)d) Two — one request and one response

Correct: c. IKEv2 collapses everything into four messages: two IKE_SA_INIT messages (negotiate crypto) and two IKE_AUTH messages (authenticate peers and create the first Child SA). IKEv1 required nine messages minimum.

👉 So far: IKEv2 = 4 messages (IKE_SA_INIT x2 + IKE_AUTH x2) vs IKEv1's 9. IKEv2 adds EAP, built-in DPD and better DOS resistance. Both peers must match version, proposal and lifetime.

③ AutoVPN, ADVPN & PKI — scaling beyond two sites

AutoVPN lets a hub SRX accept connections from any number of spoke SRXs using a single tunnel definition on the hub. The hub's IKE gateway uses an IKE ID type of distinguished-name (DN) matching the subject field of the spoke's X.509 certificate, rather than a fixed peer IP. This means you enrol each spoke with a CA certificate (using request security pki local-certificate enroll), and the hub authenticates any spoke whose DN matches — no changes to hub config for new spokes.

ADVPN (Auto-Discovery VPN) extends AutoVPN by adding IKEv2-based shortcut signalling. When Spoke A needs to reach Spoke B, all traffic initially flows hub-to-spoke (hairpin). The hub signals Spoke A and Spoke B to build a direct shortcut tunnel between themselves on demand. Latency drops dramatically once the shortcut forms. ADVPN requires IKEv2 and is configured by adding advpn suggester (hub) and advpn partner (spokes) configuration.

The st0 interface on a hub in AutoVPN/ADVPN mode is configured as point-to-multipoint (add multipoint under the st0 unit). On spokes it remains point-to-point. Dynamic routing (typically OSPF or BGP) runs over the st0 interfaces, and the hub redistributes spoke routes.

Figure 3 — AutoVPN hub-and-spoke with PKI

One hub tunnel definition, PKI certificate matching by DN — spokes can join without changing hub config.

Confirm AutoVPN from the hub CLI

After spokes come up, run 'show security ike security-associations' on the hub — you should see one SA per connected spoke, all authenticated by certificate. Run 'show route table inet.0' to confirm spoke prefixes are being learned via dynamic routing over st0. An ADVPN shortcut can be confirmed with 'show security ipsec security-associations' — look for SA entries between spoke IPs that do not go through the hub.

▶ Watch an IKEv2 route-based tunnel come up end-to-end

Follow a branch SRX initiating an IKEv2 route-based IPsec tunnel to HQ. Press Play for the healthy path, then Break it to see the classic Phase 1 failure.

① IKE_SA_INITBranch SRX sends IKE_SA_INIT with its crypto proposals (DH group, cipher, lifetime) to the HQ SRX on UDP 500.

▼

② IKE_AUTHPeers exchange IKE_AUTH — present certificates (or PSK hash), prove identity. Phase 1 IKE SA is established.

▼

③ Child SAIKEv2 creates the first Child SA (IPsec SA) in the IKE_AUTH exchange — Phase 2 is done. Keys are derived.

▼

④ Data + routeBranch routes 10.20.0.0/24 traffic into st0.0 — it is encrypted with AES-GCM and forwarded to HQ. Bytes flow.

Press Play to step through the healthy IKEv2 tunnel build. Then press Break it.

Quick check · Q3 of 10 · Apply

You are configuring an AutoVPN hub to accept 50 spoke SRXs. How does the hub authenticate each spoke without 50 separate gateway definitions?

a) Use PKI certificates — the hub matches each spoke by the DN in its X.509 certificate, one gateway definition covers all spokesb) Configure 50 IKE gateways, one per spoke IPc) Use a shared pre-shared key for all spokesd) ADVPN handles authentication automatically without any IKE config

Correct: a. AutoVPN uses certificate-based authentication. The hub IKE gateway is configured with an IKE ID type of distinguished-name (or wildcard). Each spoke presents its X.509 certificate; the hub validates the DN against the CA and accepts it. No hub config change is needed for new spokes.

👉 So far: AutoVPN: one hub tunnel definition, PKI cert DN matching — any spoke joins without touching hub config. ADVPN adds spoke-to-spoke shortcuts via IKEv2 signalling. Hub st0 = point-to-multipoint.

④ Remote access & operational tips — Juniper Secure Connect & debug

Juniper Secure Connect is the Junos SRX remote-access IPsec VPN solution. It uses IKEv2 with EAP for user authentication (username/password or certificate), and the SRX acts as the IKEv2 gateway. A local address pool or external RADIUS assigns a virtual IP to each client. The client software (Juniper Secure Connect app) runs on Windows/macOS/iOS/Android. On the SRX, configure an access profile with the address pool, reference it in the IKE gateway with remote-access juniper-secure-connect, and the VPN policy routes client traffic.

Operational tips

For route-based VPNs, the three debug commands you must know are: show security ike security-associations (Phase 1 state), show security ipsec security-associations (Phase 2 SAs, bytes in/out), and show route table inet.0 (verify the tunnel route is present). A tunnel that is up but passes no traffic is almost always a routing or zone/policy miss. Check that the st0 interface is in the right security zone and that a policy permits traffic between trust and the VPN zone through st0.

Figure 4 — End-to-end route-based VPN build

Every route-based IPsec VPN on SRX follows this five-step config sequence — miss one step and the tunnel fails.

Arjun at a Mumbai fintech company faces this

A new branch office IPsec VPN to HQ comes up (Phase 1 and Phase 2 both show active) but branch users cannot reach any HQ servers. Ping from the SRX itself fails too.

Likely cause

The st0.0 interface was left in the default zone (trust) instead of being placed in the dedicated VPN zone, and no policy exists permitting traffic from trust to trust via the tunnel.

Diagnosis

Run 'show security ike security-associations' — both up. Run 'show security ipsec security-associations' — SA shows 0 bytes encrypted. Check 'show interfaces st0.0' — zone shows 'trust', not 'vpn'.

CLI ▸ show interfaces st0 ▸ show security zones ▸ show security policies

Fix

Move st0.0 to the VPN zone: 'set security zones security-zone vpn interfaces st0.0'. Add a policy from trust to vpn permitting the relevant subnets. Check 'show route 10.x.x.x' to confirm the static route via st0.0 is present.

Verify

Re-run 'show security ipsec security-associations' — bytes-encrypted counter now increments. Branch users reach HQ servers.

Quick check · Q4 of 10 · Analyze

A route-based IPsec tunnel shows Phase 1 and Phase 2 up, but traffic is not passing. What is the most likely cause?

a) The IKE pre-shared key is wrongb) Phase 2 encryption mismatchc) IKEv2 is not supported on this SRX modeld) The st0 interface is in the wrong security zone or there is no security policy permitting traffic between the zones

Correct: d. When both IKE SAs are up but traffic does not pass, the issue is almost always routing or policy. Either the st0 interface is not in the correct VPN zone, there is no policy permitting traffic between the trust and VPN zone through st0, or the route to the remote subnet via st0 is missing.

👉 So far: Tunnel up, no traffic? Check: st0 in correct zone, policy permitting traffic trust-to-vpn, route via st0 present. Remote access = Juniper Secure Connect (IKEv2 + EAP + local address pool).

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: what is the single most important reason to choose route-based over policy-based VPN on Juniper SRX? Then compare with the expert version.

Expert version: Route-based VPN creates an st0 logical interface for the tunnel, which means the routing table — not a security policy — controls what traffic enters the tunnel. This lets you run OSPF or BGP over the tunnel, use AutoVPN to scale to many spokes with a single gateway definition, add ADVPN for spoke-to-spoke shortcuts, and integrate cleanly with HA/failover. Policy-based has none of these properties. For anything beyond a single static two-site tunnel, route-based is the only practical choice.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Juniper SRX at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

st0 (Secure Tunnel): A Junos logical interface type bound to an IPsec VPN. Traffic routed to st0.X is encrypted and forwarded through the tunnel — required for route-based VPN, AutoVPN and ADVPN.
IKE SA: The Phase 1 security association — the encrypted, authenticated channel between two peers used to negotiate IPsec (Child) SAs. IKEv2 establishes this in IKE_SA_INIT.
Child SA (IPsec SA): The Phase 2 security association that protects actual data traffic. IKEv2 creates the first Child SA inside the IKE_AUTH exchange.
AutoVPN: A Junos feature that lets a hub SRX accept any number of spoke SRXs using a single tunnel definition and certificate (PKI) authentication, with the hub st0 in point-to-multipoint mode.
ADVPN: Auto-Discovery VPN — extends AutoVPN by having the hub signal spokes to build direct IKEv2 shortcut tunnels between themselves, eliminating hub hairpin for spoke-to-spoke traffic.
IKEv2: Internet Key Exchange version 2 (RFC 7296) — four-message exchange that establishes the IKE SA and first Child SA. Adds built-in EAP, cookie-based DOS protection and mandatory DPD. Required for AutoVPN and ADVPN.
PKI / X.509: Public Key Infrastructure — uses CA-signed X.509 certificates to authenticate VPN peers. On Junos, enrol with 'request security pki local-certificate enroll'. Required for AutoVPN.
Juniper Secure Connect: Juniper's remote-access IPsec VPN solution using IKEv2 with EAP for per-user authentication. The SRX acts as the gateway and assigns client IPs from a local address pool.
EAP (Extensible Authentication Protocol): A flexible authentication framework carried inside IKEv2 that allows username/password or challenge-response authentication — used for per-user identity in remote-access VPN.
Dead Peer Detection (DPD): A keepalive mechanism (built into IKEv2, an extension in IKEv1) that detects when a VPN peer has gone silent and cleans up stale SAs.

📚 Sources

Juniper Networks — IPsec VPN User Guide (Junos OS) — Route-Based and Policy-Based VPN overview. juniper.net/documentation/us/en/software/junos/vpn-ipsec
Juniper Networks — Route-Based VPN with IKEv2 — configuration and IKE_SA_INIT / IKE_AUTH exchange detail. juniper.net/documentation/en_US/junos/topics/topic-map/security-vpns-for-ikev2.html
Juniper Networks — AutoVPN on Hub-And-Spoke Devices — single hub tunnel definition with PKI cert DN matching. juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-autovpn-on-hub-and-spoke-devices.html
Juniper Networks — Auto Discovery VPNs (ADVPN) — IKEv2 shortcut signalling between spokes. juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-auto-discovery-vpns.html
Juniper Networks — Create a Remote Access VPN — Juniper Secure Connect (J-Web SRX 23.4). juniper.net/documentation/us/en/software/jweb-srx23.4/jweb-srx/topics/task/j-web-security-ipsec-remote-access-vpn-juniper-secure-connect-creating.html
Juniper Networks — IPsec VPN Configuration Overview — IKE proposals, policies, gateways and the IPsec VPN hierarchy. juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-ipsec-vpn-configuration-overview.html

What's next?

Got VPN down? Next, go deep on Juniper SRX NAT — understand how source NAT, destination NAT, and static NAT interact with VPN traffic, including nat-traversal across PAT devices.

Next · All interview lessons → Practice on exam.techclick.in →

Juniper SRX IPsec VPN Deep Dive — Route-Based, IKEv2, AutoVPN & Remote Access

🎯 By the end you will be able to

Pick where you want to start

Two VPN modes

IKEv1 vs IKEv2

AutoVPN & ADVPN

Remote access & ops

① Route-based vs policy-based — the most important choice

② IKE Phase 1 & Phase 2 — IKEv1 vs IKEv2

IKEv1 vs IKEv2

③ AutoVPN, ADVPN & PKI — scaling beyond two sites

▶ Watch an IKEv2 route-based tunnel come up end-to-end

④ Remote access & operational tips — Juniper Secure Connect & debug

Operational tips

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?