Example: Configuring a Policy-Based Site-to-Site VPN, Manual Key - Juniper Network and Security Manager 2010.2 - Administration Guide Rev1 Administration Manual

Example: Configuring a Policy-Based Site-to-Site VPN, Manual Key

Copyright © 2010, Juniper Networks, Inc.
In this example, a Manual Key tunnel provides a secure communication channel between
offices in Tokyo and Paris, using ESP with 3DES encryption and SHA-1 authentication.
The Trust zones at each site are in NAT mode. The Trust and Untrust security zones and
the Untrust-Tun tunnel zones are in the trust-vr routing domain. The Untrust zone interface
(ethernet3) serves as the outgoing interface for the VPN tunnel.
To set up the tunnel, you must configure the security devices at both ends of the tunnel.
First, you create the VPN components that you use to build the VPN, such as the security
devices and the shared address objects. Next, you configure the VPN tunnel and add the
necessary static routes on each device. Finally, you create VPN rules in a security policy
to create the VPN tunnel between the two sites.
Create VPN Components
1. Security Devices.
2. Address Objects.
Create the Tokyo VPN:
1. In the device navigation tree, select VPN Settings > AutoKey IKE/Manual VPN.
2. Select the Manual tab, then click the Add icon. The Properties screen appears.
Configure the following:
For Name, enter Tokyo_Paris.
For Gateway, enter 2.2.2.2.
For Local SPI, enter 3020.
For Remote SPI, enter 3030.
For Outgoing Interface, select ethernet3.
For ESP/AH, select ESP CBC.
For Encryption Algorithm, select 3DES-CBC.
Select Generate Key by Password, then enter the password asdlk24234.
For Authentication Algorithm, select SHA-1.
Select Generate Key by Password, then enter the password PNas134a.
Select the Binding tab. Enable Tunnel Zone and select untrust-tun.
Click OK to save the new VPN.
3. Create Tokyo Routes.
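A Manual Key tunnel has no IKE negotiation to agree on parameters, so the values entered on the two devices must mirror each other. The following check is an added example, not part of the Juniper guide: the Tokyo values come from the steps above, while the Paris definition, the Tokyo address 1.1.1.1, the dictionary field names, and the reading of SPIs as hexadecimal are assumptions made for illustration.

```python
# Added example. Tokyo values come from the steps above; the Paris side and
# the Tokyo address 1.1.1.1 are constructed for illustration (assumptions).
TOKYO_ADDR, PARIS_ADDR = "1.1.1.1", "2.2.2.2"
TOKYO = {"gateway": PARIS_ADDR, "local_spi": "3020", "remote_spi": "3030",
         "esp": "3DES-CBC", "auth": "SHA-1",
         "enc_password": "asdlk24234", "auth_password": "PNas134a"}
PARIS = {"gateway": TOKYO_ADDR, "local_spi": "3030", "remote_spi": "3020",
         "esp": "3DES-CBC", "auth": "SHA-1",
         "enc_password": "asdlk24234", "auth_password": "PNas134a"}

MUST_MATCH = ("esp", "auth", "enc_password", "auth_password")


def check_manual_key_pair(a, b, addr_a, addr_b):
    """Return a list of problems in two manual-key tunnel definitions.

    Messages name the field only, so key passwords never reach a log.
    """
    problems = []
    # Each SA is one-way: the SPI one end expects on inbound packets
    # (its local SPI) must be the SPI the other end sends (its remote SPI).
    if a["local_spi"] != b["remote_spi"]:
        problems.append("A local_spi does not match B remote_spi")
    if a["remote_spi"] != b["local_spi"]:
        problems.append("A remote_spi does not match B local_spi")
    # With no IKE negotiation, algorithms and key material must be identical.
    for field in MUST_MATCH:
        if a[field] != b[field]:
            problems.append(f"{field} differs between A and B")
    # Each gateway must be the peer's outgoing-interface address.
    if a["gateway"] != addr_b:
        problems.append("A gateway is not B's address")
    if b["gateway"] != addr_a:
        problems.append("B gateway is not A's address")
    # RFC 4303 reserves SPI values 0-255. Assumption: SPIs are entered in hex.
    for name, end in (("A", a), ("B", b)):
        for key in ("local_spi", "remote_spi"):
            if int(end[key], 16) <= 255:
                problems.append(f"{name} {key} is in the reserved range 0-255")
    return problems


if __name__ == "__main__":
    for line in check_manual_key_pair(TOKYO, PARIS, TOKYO_ADDR, PARIS_ADDR) or ["ok"]:
        print(line)
```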
Chapter 11: Configuring VPNs
