Configuring Security Level - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1


Copyright © 2010, Juniper Networks, Inc.
address). If the ping activity indicates that the VPN monitoring status has changed,
the device triggers an SNMP trap; the VPN Monitor (in RealTime Monitor) tracks these
SNMP statistics for VPN traffic in the tunnel and displays the tunnel status.
Rekey—When enabled, the security devices in the VPN regenerate the IKE key after a failed VPN tunnel attempts to reestablish itself. When disabled, each device monitors the tunnel only when the VPN passes user-generated traffic (instead of using device-generated ICMP echo requests). Use the rekey option to:
• Enable dynamic routing protocols to learn routes and transmit messages through the tunnel.
• Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface.
For details on VPN monitoring at the device level, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
Differentiated Services Code Point Mark
If you want to set the Differentiated Services Code Point (DSCP) field of the IPSec IPv4 header to a specified value for each route-based VPN at the Phase 2 configuration level, devices running ScreenOS 6.1 and later allow you to do so on both ASIC and non-ASIC platforms. ScreenOS 6.1 and later support the DSCP value configuration for tunnel mode ESP packets only.
You cannot configure the DSCP setting if:
• The IPSec mode is transport.
• The IPSec mode is tunnel but the binding interface is not a tunnel interface.
You can set the following DSCP marks in the AutoKey IKE Parameters page:
DSCP Marking — You can select either enable or disable. If the selected IPSec mode is transport, this option is automatically disabled.
DSCP Value — Set the DSCP value in the range of 0–63. Mouse over the field to see the range of allowed values.

Configuring Security Level

For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:
• To use a predefined proposal set, select one of the following:
  Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
  Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
  Standard (gs-esp-3des-sha, gs-esp-aes128-sha)
• To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 Proposals. For details on custom IKE proposals.
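As an added illustration (not code from the NSM guide or from Juniper), the following Python decodes the predefined Phase 2 proposal names listed above into their PFS, protocol, cipher and hash fields, flags the legacy algorithms a reviewer would want to see before picking Basic or Compatible, and applies the DSCP eligibility rules from the preceding section. The proposal-name layout (prefix, protocol, cipher, hash) is read from the names on the page, and the assumption that ScreenOS tunnel interfaces are named tunnel.N is this example's own.

```python
import re

# Predefined Phase 2 proposal sets exactly as listed on the page.
PREDEFINED_SETS = {
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Standard": ["gs-esp-3des-sha", "gs-esp-aes128-sha"],
}

def parse_proposal(name):
    """Split 'prefix-proto-cipher-hash'; a 'nopfs' prefix means no PFS."""
    m = re.fullmatch(r"([a-z0-9]+)-(esp|ah)-([a-z0-9]+)-(sha|md5)", name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    prefix, proto, cipher, digest = m.groups()
    return {"pfs": prefix != "nopfs", "proto": proto,
            "cipher": cipher, "hash": digest}

def weaknesses(name):
    """Legacy choices a reviewer should notice in a proposal (example's own labels)."""
    p = parse_proposal(name)
    issues = []
    if not p["pfs"]:
        issues.append("no PFS")
    if p["cipher"] == "des":
        issues.append("single DES")
    elif p["cipher"] == "3des":
        issues.append("3DES (legacy)")
    if p["hash"] == "md5":
        issues.append("MD5")
    return issues

def review_set(set_name):
    """Map each proposal in a predefined set to its list of weaknesses."""
    return {n: weaknesses(n) for n in PREDEFINED_SETS[set_name]}

def dscp_allowed(ipsec_mode, binding_interface, value):
    """Apply the page's DSCP rules: tunnel mode, tunnel binding interface, 0-63."""
    if ipsec_mode != "tunnel":
        return False, "DSCP marking is disabled in transport mode"
    if not binding_interface.startswith("tunnel."):  # assumed tunnel.N naming
        return False, "binding interface is not a tunnel interface"
    if not 0 <= value <= 63:
        return False, "DSCP value must be between 0 and 63"
    return True, "ok"
```

Running review_set("Basic") shows every proposal in that set lacks PFS and uses single DES, which is why a user-defined proposal is usually the better choice for new tunnels.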
Chapter 11: Configuring VPNs
557
