Configuring Ike Ids - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Copyright © 2010, Juniper Networks, Inc.
For Phase 1, select a proposal or proposal set. You can select from predefined or
user-defined proposals:
To use a predefined proposal set, select one of the following:
Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
Standard (gs-esp-3des-sha, gs-esp-aes128-sha)
NOTE: You cannot use a predefined proposal set with certificates—you must select a
user-defined proposal or change the authentication method to Preshared Key.
To use a user-defined proposal, select a single proposal from the list of predefined
and custom IKE Phase 1 Proposals. For details on custom IKE proposals.
If your VPN includes only security devices, you can specify one predefined or custom
proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet
devices, you should use multiple proposals to increase security and ensure compatibility.
Preshared Secrets
You can use the same preshared secret for all nodes in the VPN, or create a unique
preshared secret for communication from a specific node to another node.

Configuring IKE IDs

Every VPN node has a unique identification number, known as an IKE ID. During Phase 1
negotiations, the IKE protocol uses the IKE ID to authenticate the VPN member.
VPN Manager automatically creates the default IKE ID for you, based on the policy- or
route-based members and RAS users, so you do not need to configure this option.
However, if you do not want to use the default IKE ID, you can select a different IKE ID
type and configure an IKE ID for each VPN gateway.
The IKE ID tab displays all security devices included as route-based members and/or
as protected resources for policy-based members. For each device, select the IKE ID type
and enter the ID value:
ASN1-DN—Abstract Syntax Notation One (ASN.1) is a platform-independent data
representation format; the Distinguished Name (DN) is the name of the computer. Use
ASN1-DN to create a Group IKE ID that enables multiple, concurrent connections to the
same VPN tunnel; use a Group IKE ID to make configuring and maintaining your VPN
quicker and easier.
For details on how Group IKE IDs work, see "Configuring Group IKE IDs" on page 541.
For details on determining the ASN1-DN container and wildcard values for Group IKE
IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
FQDN—Use a Fully Qualified Domain Name when the gateway has a dynamic IP address.
An FQDN is a name that identifies (qualifies) a computer to the DNS protocol using the
computer name and the domain name, for example, server1.colorado.mycompany.com.
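The following Python check is an added example, not part of the NSM guide, and applies the constraints described above to a gateway definition before it is pushed: a predefined proposal set cannot be used with certificate authentication, an FQDN IKE ID must be a valid host name, and an ASN1-DN IKE ID must parse as attribute=value RDNs. The gateway dictionary keys, the textual DN form and the "legacy algorithm" warning for single DES and MD5 are assumptions of this example, not NSM behaviour.

```python
import re

# Predefined Phase 1 proposal sets exactly as listed in the guide.
PREDEFINED_SETS = {
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Standard": ["gs-esp-3des-sha", "gs-esp-aes128-sha"],
}

# DNS label: letters, digits and hyphens, no leading or trailing hyphen, <= 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One RDN of a textual DN, e.g. "CN=gw1" (assumed string form, not DER-encoded ASN.1).
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$")

def is_valid_fqdn(value):
    """FQDN IKE ID: dotted host name with at least two labels, 253 chars max."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def parse_asn1_dn(value):
    """Split 'CN=gw1,OU=vpn,O=Example' into (attr, value) pairs, or None if any
    RDN is malformed. A wildcard value such as '*' (Group IKE ID) is kept as-is."""
    rdns = []
    for part in value.split(","):
        m = _RDN.match(part)
        if not m:
            return None
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns or None

def check_gateway(gw):
    """Return a list of problems for one gateway dict with (assumed) keys:
    auth ('preshared'|'certificate'), proposal_set or proposal, ike_id_type, ike_id."""
    problems = []
    pset = gw.get("proposal_set")
    proposals = PREDEFINED_SETS.get(pset, []) if pset else [gw.get("proposal", "")]
    if pset and pset not in PREDEFINED_SETS:
        problems.append(f"unknown predefined set {pset!r}")
    # Guide: a predefined proposal set cannot be combined with certificate authentication.
    if pset and gw.get("auth") == "certificate":
        problems.append("predefined proposal set requires preshared-key authentication")
    for p in proposals:  # added hygiene check: single DES and MD5 are legacy algorithms
        if "-des-" in p or p.endswith("-md5"):
            problems.append(f"proposal {p} uses legacy DES or MD5")
    t, v = gw.get("ike_id_type"), gw.get("ike_id", "")
    if t == "FQDN" and not is_valid_fqdn(v):
        problems.append(f"FQDN IKE ID {v!r} is not a valid host name")
    elif t == "ASN1-DN" and parse_asn1_dn(v) is None:
        problems.append(f"ASN1-DN IKE ID {v!r} is not a list of attr=value RDNs")
    return problems
```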
Chapter 11: Configuring VPNs
555