Configuring a Tunnel Interface
Using Numbered Tunnel Interfaces
Using Unnumbered Tunnel Interfaces
Copyright © 2010, Juniper Networks, Inc.
Example: Configuring a Subinterface (NSM Procedure) on page 84
A tunnel interface is a doorway to a VPN tunnel. VPN traffic enters and exits a VPN tunnel
through a tunnel interface. When you bind a tunnel interface to a VPN tunnel, you can
use that tunnel interface to route VPN traffic to a specific destination.
NOTE: VPN Manager automatically creates the necessary tunnel interfaces
for route-based VPNs. You can set the DSCP marking value for the interface;
only Route-based and Policy-and-Route-based VPN types support DSCP marking. For
device-level VPNs, you can create the tunnel interfaces before or after creating
the VPN.
When creating a route-based VPN, you must create a tunnel interface so that the
security device can route VPN traffic. You can bind a route-based VPN tunnel to a tunnel
interface that is either numbered (with an IP address/netmask) or unnumbered (without
an IP address/netmask).
Using Numbered Tunnel Interfaces on page 87
Using Unnumbered Tunnel Interfaces on page 87
Configuring Maximum Transmission Unit Size on page 88
When the tunnel interface is numbered, you must give the interface an IP address and
bind the tunnel interface to a tunnel zone. Using numbered tunnel interfaces enables
you to use NAT services for policy-based VPN tunnels. Assign an IP address to a tunnel
interface if you want the interface to support one or more dynamic IP (DIP) pools for
source Network Address Translation (NAT-src) and mapped IP (MIP) addresses for
destination Network Address Translation (NAT-dst).
You can create a numbered tunnel interface in a security zone or a tunnel zone.
When the tunnel interface is unnumbered, you must specify the interface from which the
tunnel interface borrows an IP address. The security device uses the borrowed IP address
as a source address when the device itself initiates traffic—such as OSPF
messages—through the tunnel. Use unnumbered tunnel interfaces when the tunnel
interface does not need to support NAT services, and your configuration does not require
the tunnel interface to be bound to a tunnel zone.
You can create an unnumbered tunnel interface that borrows the IP address from an
interface in the same security zone or from an interface in a different zone, as long as
both zones are in the same routing domain. However, you cannot bind the tunnel interface
to a tunnel zone.
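The two interface types described above, shown as ScreenOS CLI commands (an added example, not a procedure from this guide; NSM pushes the equivalent settings from its GUI). The interface names, zone names and addresses are constructed for illustration, and lines beginning with # are annotations rather than CLI input.

```screenos
# Numbered tunnel interface: explicit IP address, bound to a tunnel zone so it can
# carry DIP (NAT-src) and MIP (NAT-dst) definitions for a policy-based VPN.
set interface tunnel.1 zone untrust-tun
set interface tunnel.1 ip 10.10.1.1/24
# DIP pool 5 provides translated source addresses for traffic entering the tunnel.
set interface tunnel.1 dip 5 10.10.1.10 10.10.1.20
# MIP maps a tunnel-side address to an internal host for inbound traffic.
set interface tunnel.1 mip 10.10.1.5 host 192.168.1.5 netmask 255.255.255.255

# Unnumbered tunnel interface: no NAT services needed, so it sits in a security zone
# (not a tunnel zone) and borrows its address from ethernet3 in the same routing domain.
# Traffic the device originates through the tunnel, such as OSPF, is sourced from ethernet3's IP.
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
# Bind the route-based VPN to the interface and route the remote subnet through it.
set vpn vpn-to-branch bind interface tunnel.2
set route 192.168.2.0/24 interface tunnel.2
```

Because the unnumbered interface borrows ethernet3's address, any access control or routing policy that keys on that source address also applies to traffic the device itself sends through the tunnel; verify this when reviewing firewall rules on the peer.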
Chapter 3: Network Settings
87