Adding A Vpn Rule - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide
588
VPN Monitor—When enabled, the device sends ICMP echo requests (pings) through
the tunnel at specified intervals (configurable in seconds) to monitor network
connectivity (the device uses the IP address of the local outgoing interface as the
source address and the IP address of the remote gateway as the destination address).
If the ping activity indicates that the VPN monitoring status has changed, the device
triggers an SNMP trap; VPN Monitor (in RealTime Monitor) tracks these SNMP statistics
for VPN traffic in the tunnel and displays the tunnel status.

Rekey—When enabled, the device regenerates the IKE key after a failed VPN tunnel
attempts to reestablish itself. When disabled, the device monitors the tunnel only when
the VPN passes user-generated traffic (instead of using device-generated ICMP echo
requests). Use the rekey option to:
    • Keep the VPN tunnel up even when traffic is not passing through.
    • Monitor devices at the remote site.
    • Enable dynamic routing protocols to learn routes at a remote site and transmit
      messages through the tunnel.
    • Automatically populate the next-hop tunnel binding table (NHTB table) and the
      route table when multiple VPN tunnels are bound to a single tunnel interface.

Optimized—When enabled, the device optimizes its VPN monitoring behavior as follows:
    • Considers incoming traffic in the VPN tunnel as ICMP echo replies. This reduces false
      alarms that might occur when traffic through the tunnel is heavy and the echo replies
      cannot get through.
    • Suppresses VPN monitoring pings when the tunnel passes both incoming and
      outgoing traffic. This can help reduce network traffic.

Source Interface and Destination IP—Configure these options to use VPN Monitoring
when the other end of the VPN tunnel is not a security device. Specify the source and
destination IP addresses.
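
The effect of the Optimized option on false alarms and ping volume, as a simplified Python model added here (an illustration, not Juniper code and not part of the original guide). The Tick fields, the run_monitor function and the three-interval down threshold are assumptions of the model, and the sample intervals are constructed.

```python
from dataclasses import dataclass

@dataclass
class Tick:
    """One monitoring interval (constructed sample data)."""
    traffic_in: bool   # user traffic arrived through the tunnel
    traffic_out: bool  # user traffic left through the tunnel
    reply_ok: bool     # an ICMP echo reply would get back if a ping were sent

def run_monitor(ticks, optimized, threshold=3):
    """Return (pings_sent, traps) for a sequence of monitoring intervals.

    threshold is the number of consecutive missed intervals before the
    tunnel is marked down; the value 3 is an assumption of this model.
    """
    status, missed, pings, traps = "up", 0, 0, []
    for i, t in enumerate(ticks):
        if optimized and t.traffic_in and t.traffic_out:
            alive = True  # ping suppressed: traffic is flowing both ways
        else:
            pings += 1
            # Optimized mode counts incoming tunnel traffic as an echo reply.
            alive = t.reply_ok or (optimized and t.traffic_in)
        missed = 0 if alive else missed + 1
        new_status = "up" if alive else ("down" if missed >= threshold else status)
        if new_status != status:
            traps.append((i, new_status))  # status change triggers an SNMP trap
            status = new_status
    return pings, traps

# Constructed scenario: heavy traffic starves echo replies, then the tunnel
# idles, then the remote side really stops answering, then it recovers.
HEAVY = Tick(traffic_in=True, traffic_out=True, reply_ok=False)
IDLE = Tick(traffic_in=False, traffic_out=False, reply_ok=True)
DEAD = Tick(traffic_in=False, traffic_out=True, reply_ok=False)
SAMPLE = [HEAVY] * 4 + [IDLE] * 2 + [DEAD] * 3 + [IDLE]

if __name__ == "__main__":
    for mode in (False, True):
        pings, traps = run_monitor(SAMPLE, optimized=mode)
        print(f"optimized={mode}: pings={pings} traps={traps}")
```

In this model the non-optimized monitor raises a down trap during the heavy-traffic period even though the tunnel is healthy, while the optimized monitor reports only the real outage and sends fewer pings.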

Adding a VPN Rule

After you have configured the VPN on each device you want to include in the VPN, you
can add a VPN rule to a security policy:
    • For policy-based VPNs, you must add a VPN rule to create the VPN tunnel.
    • For route-based VPNs, the VPN tunnel is already in place. However, you might want
      to add a VPN rule to control traffic through the tunnel.

For details on adding and configuring a VPN rule in a security policy, see "Adding VPN
Rules" on page 590.
Copyright © 2010, Juniper Networks, Inc.
