Configuring Ike; Ike Properties - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Configuring IKE

572
IP Address—Use an IP address when the gateway has a static IP address.
U-FQDN—Use a User Fully Qualified Domain Name when the gateway has a dynamic IP address, such as a RAS user. A U-FQDN is an e-mail address, for example user1@mycompany.com.
To configure the IKE properties and Phase 2 Proposals for the VPN, click the IKE Parameters link. Because L2TP RAS VPNs do not support encryption, you do not need to configure IKE properties for L2TP RAS VPNs.

IKE Properties

Configure the IKE properties:
Idle Time to Disable SA—Configure the number of minutes a session may carry no traffic before the security device automatically disables the SA.
Replay Protection—In a replay attack, an attacker intercepts a series of legitimate packets and resends them to create a denial-of-service (DoS) against the packet destination or to gain entry to trusted networks. If replay protection is enabled, your security devices inspect every IPSec packet to see whether the packet has been received before; if a packet's sequence number falls outside the accepted sequence window, the security device rejects it.
IPSec Mode—Configure the mode:
Use tunnel mode for IPSec. Before an IP packet enters the VPN tunnel, NSM encapsulates the packet in the payload of another IP packet and attaches a new IP header. This new IP packet can be authenticated, encrypted, or both.
Use transport mode for L2TP-over-AutoKey IKE VPNs. NSM does not encapsulate the IP packet, meaning that the original IP header must remain in plaintext. However, the original IP packet can be authenticated, and the payload can be encrypted.
Do not set Fragment Bit in the Outer Header—The Fragment Bit controls how the IP packet is fragmented when traveling across networks.
Clear. Use this option to enable IP packets to be fragmented.
Set. Use this option to ensure that IP packets are not fragmented.
Copy. Select to use the same option as specified in the internal IP header of the original packet.
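The replay-protection check described above is a sliding-window test on the IPSec sequence number. The following Python is an added illustration, not NSM or ScreenOS code: it implements the window algorithm in the style of IPsec ESP/AH (RFC 4303, Appendix A), so a reader can see which packets a device rejects as replays, which it rejects as too old, and which late-but-genuine packets it still accepts. The 64-bit window size and the sample sequence numbers are constructed for the example.

```python
# Added example (not NSM/ScreenOS code): a sliding-window anti-replay
# check in the style of IPsec ESP/AH (RFC 4303, Appendix A). It shows
# what "packets outside the accepted sequence window are rejected"
# means in practice. Window size and sample sequence numbers are
# constructed for illustration.

WINDOW_BITS = 64  # constructed choice; real devices typically use 32 to 1024


class AntiReplayWindow:
    """Tracks the highest sequence number accepted so far and a bitmap
    of which of the WINDOW_BITS sequence numbers below it were seen."""

    def __init__(self, window_bits=WINDOW_BITS):
        self.window_bits = window_bits
        self.mask = (1 << window_bits) - 1
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  (last_seq - i) has been received

    def check(self, seq):
        """Classify an incoming sequence number and, if it is fresh,
        record it. Returns 'accepted', 'replay' or 'stale'.

        A real device verifies the packet's integrity check value before
        updating the window, so that a forged high sequence number cannot
        push genuine traffic out of the window; this example folds the
        check and the update together for brevity."""
        if seq == 0:
            return "stale"  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.window_bits:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1          # jumped past the whole window
            self.last_seq = seq
            return "accepted"
        diff = self.last_seq - seq
        if diff >= self.window_bits:
            return "stale"               # too old: left of the window
        if self.bitmap & (1 << diff):
            return "replay"              # already received once
        self.bitmap |= 1 << diff         # late but genuine: record it
        return "accepted"


def classify_sequence(seqs, window_bits=WINDOW_BITS):
    """Run a list of sequence numbers through one window and return
    (seq, verdict) pairs, as a device log would record them."""
    window = AntiReplayWindow(window_bits)
    return [(seq, window.check(seq)) for seq in seqs]


# Constructed sample: in-order packets, one reordered packet (4 after 5),
# a replayed packet (3 again), a large jump, a late packet (40 after 100),
# and a packet older than the whole window (2 after 100).
SAMPLE_SEQS = [1, 2, 3, 5, 4, 3, 100, 40, 2, 101]

if __name__ == "__main__":
    for seq, verdict in classify_sequence(SAMPLE_SEQS):
        print(f"seq={seq:>4}  {verdict}")
```

The window size is the trade-off the device setting controls: a larger window tolerates more reordering on a lossy path, while a smaller one rejects old sequence numbers sooner. In either case the bitmap, not a list of every packet, is all the state the device needs per SA.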
Monitor
You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel, configure the following:
VPN Monitor—When enabled, the security devices in the VPN send ICMP echo requests (pings) through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity (each device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination
Copyright © 2010, Juniper Networks, Inc.
