Defining Termination Points; Configuring Gateways; Configuring Gateway Properties - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Configuring Gateways

Full Mesh—Select all VPN members to act as mains. All members can communicate
with any other VPN member. Do not select a hub.
Site to Site—Select both VPN members as mains. Each member can communicate
with the other VPN member. Do not select a hub.

Defining Termination Points

You must define the termination interface for each security device in the VPN. The
Termination Points tab displays the default termination points for the VPN. A termination
point is the interface on a security device that sends and receives VPN traffic to and from
the VPN tunnel, and is typically in the Untrust zone. Each VPN member (the security
devices included as routing-based members and/or as protected resources for
policy-based members) has a default termination interface.
NOTE: You do not need to select the serial interface on a NetScreen-5GT security device
to enable dial backup for the VPN tunnel. If you have enabled Dial Backup for the device
in the Route-Based Configuration area, VPN Manager automatically generates the
termination point for the serial interface during VPN creation.
To override the default termination interface, right-click the VPN member, select Edit,
and select a new termination interface for the device.
To configure the gateways for VPN, click the Gateway Parameters link.

Configuring Gateway Properties

In the Properties tab, specify the following gateway values.
Selecting a Mode
The mode determines how Phase 1 negotiations occur. Select the mode that meets your
VPN requirements:
Main mode—The IKE identity of each node is protected. Each node sends three two-way
messages (six messages total); the first two messages negotiate encryption and
authentication algorithms that protect subsequent messages, including the IKE identity
exchange between the nodes. Depending on the speed of your network connection
and the encryption and authentication algorithms you use, main mode negotiations
can take a long time to complete. Use Main mode when security is more important.
Aggressive mode—The IKE identity of each node is not protected. The initiating node
sends two messages and the receiving node sends one (three messages total); all
messages are sent in the clear, including the IKE identity exchange between the nodes.
Because Aggressive mode is typically faster but less secure than Main mode, use
Aggressive mode when speed is more important than security.
For RAS VPNs, you must use the Aggressive mode; for VPNs that do not include RAS
users, select the mode that meets your requirements.
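The Main versus Aggressive mode distinction above is visible on the wire: the ISAKMP header (RFC 2408) carries an exchange-type byte, and in Aggressive mode the initiator's first message already contains the Identification payload unencrypted, whereas Main mode sends identities only inside the encrypted fifth and sixth messages. The following Python script is an added example, not code from the Juniper NSM guide or from Juniper; it parses ISAKMP headers and payload chains so an analyst reviewing captured IKE traffic (UDP port 500) can tell which mode a gateway negotiated and whether an IKE identity went out in the clear. The packets it decodes are constructed inline, not captured from a real device, and the helper names (parse_isakmp_header, phase1_mode, identity_exposed, build_packet) are this example's own.

```python
"""Classify IKEv1 (ISAKMP) Phase 1 packets as Main or Aggressive mode.

Added example; not part of the Juniper NSM guide. Header and payload
layouts follow RFC 2408 section 3.1; sample packets are constructed.
"""
import struct

# ISAKMP header: initiator cookie (8), responder cookie (8), next payload (1),
# version (1), exchange type (1), flags (1), message ID (4), length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types from RFC 2408 / RFC 2409
EXCHANGE_TYPES = {
    2: "Identity Protection (Main mode)",
    4: "Aggressive mode",
    5: "Informational",
    32: "Quick mode",
}

# Phase 1 message counts as described in the text: Main mode uses three
# two-way exchanges (six messages), Aggressive mode uses three messages.
EXPECTED_PHASE1_MESSAGES = {2: 6, 4: 3}

ID_PAYLOAD = 5  # Identification payload type


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header; raise ValueError if truncated."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = ISAKMP_HEADER.unpack_from(data)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "exchange_name": EXCHANGE_TYPES.get(exch_type, f"unknown ({exch_type})"),
        "encrypted": bool(flags & 0x01),  # E bit: payloads after header are encrypted
        "message_id": msg_id,
        "length": length,
    }


def phase1_mode(data: bytes) -> str:
    """Return 'main', 'aggressive' or 'other' for one ISAKMP packet."""
    exch = parse_isakmp_header(data)["exchange_type"]
    return {2: "main", 4: "aggressive"}.get(exch, "other")


def identity_exposed(data: bytes) -> bool:
    """True when the packet carries an Identification payload in the clear.

    Aggressive mode's first message includes the ID payload unencrypted;
    Main mode's ID payloads travel only in encrypted messages, so this
    returns False for every Main mode packet.
    """
    hdr = parse_isakmp_header(data)
    if hdr["encrypted"]:
        return False
    # Walk the payload chain: each generic payload header is
    # next payload (1), reserved (1), payload length (2)
    offset = ISAKMP_HEADER.size
    next_payload = hdr["next_payload"]
    while next_payload != 0 and offset + 4 <= len(data):
        if next_payload == ID_PAYLOAD:
            return True
        next_payload, _, plen = struct.unpack_from("!BBH", data, offset)
        if plen < 4:  # malformed payload length; stop rather than loop forever
            break
        offset += plen
    return False


def build_packet(exch_type: int, payload_types: list, encrypted: bool = False) -> bytes:
    """Construct a minimal ISAKMP packet whose payloads have empty bodies (test data only)."""
    body = b""
    for i, _ptype in enumerate(payload_types):
        nxt = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        body += struct.pack("!BBH", nxt, 0, 4)
    first = payload_types[0] if payload_types else 0
    flags = 0x01 if encrypted else 0x00
    header = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10,
                                exch_type, flags, 0, ISAKMP_HEADER.size + len(body))
    return header + body


# Constructed samples: Main mode message 1 carries only an SA payload (1);
# Aggressive mode message 1 carries SA (1), KE (4), Nonce (10) and ID (5);
# Main mode message 5 carries ID (5) and HASH (8) but is encrypted.
SAMPLE_MAIN_MM1 = build_packet(2, [1])
SAMPLE_AGGR_AM1 = build_packet(4, [1, 4, 10, 5])
SAMPLE_MAIN_MM5 = build_packet(2, [5, 8], encrypted=True)


def classify(packets):
    """Return (mode, identity_in_clear) for each packet, for a quick review table."""
    return [(phase1_mode(p), identity_exposed(p)) for p in packets]


if __name__ == "__main__":
    for mode, exposed in classify([SAMPLE_MAIN_MM1, SAMPLE_AGGR_AM1, SAMPLE_MAIN_MM5]):
        print(f"mode={mode:10s} identity_in_clear={exposed}")
```

Run against real captures, the same parser can feed a count of packets per initiator cookie, which should reach six for a completed Main mode Phase 1 and three for Aggressive mode, matching EXPECTED_PHASE1_MESSAGES; a gateway that the text says must use Aggressive mode (RAS VPNs) will show up here with its identity in the clear, which is exactly the trade-off the mode choice makes.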
Copyright © 2010, Juniper Networks, Inc.
