Configuring Vpns; Creating Device-Level Vpns In Device Manager; Supported Vpn Configurations; Planning For Your Vpn - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Creating Device-Level VPNs in Device Manager

Supported VPN Configurations

Planning for Your VPN

Copyright © 2010, Juniper Networks, Inc.
rules, configure additional rule options (such as traffic shaping, attack protection, and
logging), then insert the rules into a security policy.
Autogenerated VPN Routes—Automatically add virtual router information using the
VPN Manager for each device based on the routing type. Specify a routing type of
topology to autogenerate a route for all VPN members based on the configured routing
type (static or dynamic). This information changes the tunnel interface data and virtual
router data for each device.
To view all VPNs created with VPN Manager, select VPN Manager in the navigation tree.
A list of saved VPNs appears in the main display area in table format. You can add and
delete VPNs from this view.
VPN Manager does not support Manual Key VPNs; to create a Manual Key VPN in NSM,
you must create the VPN at the device-level in Device Manager.
For Manual Key VPNs, create the VPN at the device-level by manually configuring VPN
information for each security device.
After you have configured the VPN on each security device in the VPN, add VPN rules to
a security policy to create the VPN tunnel (for policy-based VPNs) or to control traffic
through the tunnel (for route-based VPNs).
You can also create AutoKey IKE, L2TP, and L2TP-over-AutoKey IKE VPNs at the
device-level.
NSM supports all possible VPN configurations that are supported by the CLI and Juniper
Networks ScreenOS WebUI, including:
NAT-Traversal—Because NAT obscures the IP address in some IPSec packet headers,
VPN nodes cannot receive VPN traffic that passes through an external NAT device. To
enable VPN traffic to traverse a NAT device, you can use NAT Traversal (NAT-T) to
encapsulate the VPN packets in UDP. If a VPN node with NAT-T enabled detects an
external NAT device, it checks every VPN packet to determine if NAT-T is necessary.
XAuth—To authenticate remote access services (RAS) users, use XAuth to assign
users an authentication token (such as SecureID) and to make TCP/IP settings (IP
address, DNS server, and WINS server) for the peer gateway.
NSM offers you maximum flexibility for creating a VPN. You can choose your topology,
authentication level, and creation method. Because you have so many choices, it's a
good idea to determine what your needs are before you create the VPN so you can make
the right decisions for your network.
These decisions include:
Chapter 11: Configuring VPNs
529