Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 629

Copyright © 2010, Juniper Networks, Inc.
In Main mode, the IKE identity of each node is protected. Each node sends three
two-way messages (six messages total); the first two messages negotiate encryption
and authentication algorithms that protect subsequent messages, including the IKE
identity exchange between the nodes. Depending on the speed of your network
connection and the encryption and authentication algorithms you use, main mode
negotiations can take a long time to complete. Use Main mode when security is more
important.
In Aggressive mode, the IKE identity of each node is not protected. The initiating node
sends two messages and the receiving node sends one (three messages total); all
messages are sent in the clear, including the IKE identity exchange between the
nodes. Because Aggressive mode is typically faster but less secure than Main mode,
use Aggressive mode when speed is more important than security. However, you
must use Aggressive mode for VPNs that include RAS users.
Remote Gateway—The remote gateway is the VPN gateway on the receiving VPN
node, and can be an interface with a static or dynamic IP address, or local or external
user object.
Static IP Address. For remote gateways that use a static IP address, enter the IP
address and mask.
RAS User/Group. For remote gateways that are users, select the User object or User
Group object that represents the RAS user.
Dynamic IP Address. For remote gateways that use a dynamic IP address, select
dynamic IP address.
Outgoing Interface—The outgoing interface (also known as the termination interface)
is the interface on the security device that sends and receives VPN traffic. Typically,
the outgoing interface is in the untrust zone.
Heartbeats—Use heartbeats to enable redundant gateways. You can use the default
or set your own thresholds:
Hello. Enter the number of seconds the security device waits between sending hello
pulses.
Reconnect. Enter the maximum number of seconds the security device waits for a
reply to the hello pulse.
Threshold. Enter the number of seconds that the security device waits before
attempting to reconnect.
NAT Traversal—Because NAT obscures the IP address in some IPSec packet headers,
a VPN node cannot receive VPN traffic that passes through an external NAT device.
To enable VPN traffic to traverse a NAT device, you can use NAT Traversal (NAT-T)
to encapsulate the VPN packets in UDP. If a VPN node with NAT-T enabled detects
an external NAT device, it checks every VPN packet to determine if NAT-T is necessary.
Because checking every packet impacts VPN performance, you should only use NAT
Traversal for remote users that must connect to the VPN over an external NAT device.
Chapter 11: Configuring VPNs
579