Creating PKI Defaults; Creating VPNs with VPN Manager - Juniper Network and Security Manager 2010.3 Administration Guide Rev1

Network and Security Manager Administration Guide

Creating VPNs with VPN Manager

You must install this local certificate file on the managed device using NSM before you
can use certificates to validate that device in your VPN. Because the local certificate is
device-specific, you must use a unique local certificate for each device.

You can also use SCEP to configure the device to automatically obtain a local certificate
(and a CA certificate) from the CA directly. For details on local certificates, see the Network
and Security Manager Configuring ScreenOS and IDP Devices Guide.

Configuring CA Objects

A CA certificate validates the identity of the CA that issued the local device certificate.
You can obtain a CA certificate file (.cer) from the CA that issued the local certificate,
then use this file to create a Certificate Authority object.

You must install this CA certificate on the managed device using NSM before you can
use certificates to validate that device in your VPN. Because the CA certificate is an object,
however, you can use the same CA for multiple devices, as long as those devices use
local certificates that were issued by that CA.

You can also use SCEP to configure the device to automatically obtain a CA certificate
at the same time it receives the local certificate.

Configuring CRL Objects

A Certificate Revocation List (CRL) identifies invalid certificates. You can obtain a CRL
file (.crl) from the CA that issued the local certificate and CA certificate for the device,
then use this file to create a Certificate Revocation object.

You must install the CRL on the managed device using NSM before you can use a CRL
to check for revoked certificates in your VPN. Because the CRL is an object, however, you
can use the same CRL for multiple devices, as long as those devices use local and CA
certificates that were issued by that CA.
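
The issuance and revocation relationships described above can be checked on the files themselves before they are installed through NSM. The following is an added example, not part of the Juniper guide: it assumes the OpenSSL command-line tool and PEM-encoded files, and the function names, file names and throwaway test PKI are constructed for the demonstration.

```shell
# Added example, not from the Juniper guide. check_device_cert CA_PEM CRL_PEM DEVICE_PEM
# Prints ok | wrong-ca | revoked | crl-error; returns 0 only for ok.
check_device_cert() {
    # 1. Was the local certificate issued by this CA?
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || { echo wrong-ca; return 1; }
    # 2. Is it listed on the CRL published by that CA?
    if out=$(openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" 2>&1); then
        echo ok
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo crl-error ;;  # e.g. CRL expired or not signed by this CA
        esac
        return 1
    fi
}

# make_fixture DIR: constructed throwaway PKI (CA, dev1, revoked dev2, outsider).
make_fixture() {
    d=$1; : > "$d/index.txt"   # empty revocation database for `openssl ca`
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
EOF
    q="-config $d/ca.cnf -newkey rsa:2048 -nodes"
    openssl req -x509 $q -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 $q -subj /CN=outsider -keyout "$d/o.key" -out "$d/outsider.pem" 2>/dev/null
    for n in 1 2; do
        openssl req -new $q -subj "/CN=dev$n" -keyout "$d/dev$n.key" -out "$d/dev$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/dev$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -set_serial "$n" -out "$d/dev$n.pem" 2>/dev/null
    done
    c="openssl ca -config $d/ca.cnf -cert $d/ca.pem -keyfile $d/ca.key"
    $c -revoke "$d/dev2.pem" 2>/dev/null && $c -gencrl -crldays 30 -out "$d/ca.crl" 2>/dev/null
}
dir=$(mktemp -d) && make_fixture "$dir"
for f in dev1 dev2 outsider; do
    echo "$f: $(check_device_cert "$dir/ca.pem" "$dir/ca.crl" "$dir/$f.pem")"
done
```

Against real files, only `check_device_cert` is needed; a `wrong-ca` result means the CA object cannot be shared with that device, and `crl-error` means the CRL file should be re-fetched from the issuing CA.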
After you have received a CRL list, you can use the CRL object in your VPN. For details on
configuring a certificate revocation list object

Creating PKI Defaults

You can configure default PKI settings for each security device that define how that
device handles certificates. When configuring a VPN that includes the device, you can
use these default settings. For details on PKI defaults, see the Network and Security
Manager Configuring ScreenOS and IDP Devices Guide.

Configuring a VPN using VPN Manager is an eight-stage process:
"Adding the VPN" on page 561
"Configuring Members" on page 562 (policy-based, RAS users, routing-based)
"Configuring Topology" on page 566 (AutoKey IKE only)
"Configuring Gateways" on page 568
"Configuring IKE" on page 572
Copyright © 2010, Juniper Networks, Inc.
