About Policy-Based Vpns; About Route-Based Vpns - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual
Configuring ScreenOS Devices Guide

206

Mixed-mode VPNs—Policy-based VPNs are connected to route-based VPNs in a mixed-mode VPN. You cannot add RAS users in a mixed-mode VPN.

The following sections detail Policy-based and Route-based VPN types:

About Policy-Based VPNs on page 206
About Route-Based VPNs on page 206

About Policy-Based VPNs
A policy-based VPN tunnels traffic between two security devices or between one security device and a remote user. Each time a security device detects traffic that matches the from zone, source, to zone, destination, and service in the VPN rule, it creates the VPN tunnel to encrypt, authenticate, and send the data to the specified destination. When no traffic matches the VPN rule, the firewall tears down the VPN tunnel.

To create a policy-based VPN, use NSM to configure a policy based on the network components you want to protect, including protected resources, and then push the configuration to the security device(s). The security device(s) use the configuration to create the VPN tunnel. A protected resource is a combination of a network component and a service; protected resources in a VPN can communicate with other protected resources using the specified services. In a VPN rule, you add protected resources as the source and destination IP addresses.

Policy-based VPNs can use any of the supported data protection methods. Use policy-based VPNs when you want to enable remote access server (RAS). You can add users to the VPN just as you add devices, enabling user access to all resources within the VPN.
About Route-Based VPNs

Like a policy-based VPN, a route-based VPN tunnels traffic between two security devices or between one security device and a remote user. However, a route-based VPN automatically tunnels all traffic between two termination points, without regard for the type of traffic. Because the tunnel is an always-on connection between two network points, the security device views the tunnel as a static network resource through which to route traffic.

To create the termination points of the tunnel, you designate an interface on the security device as a tunnel interface, then define a static route or use a dynamic routing protocol (BGP, OSPF) between all tunnel interfaces in the VPN. The tunnel interface, just like a physical interface, maintains state to enable dynamic routing protocols to make route decisions. When using VPN Manager to create your route-based VPNs, the tunnel interfaces are automatically created for you.
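As an added illustration that is not part of this guide, the two sections above expressed as the ScreenOS CLI that NSM pushes to a device: the same site-to-site tunnel in policy-based form (the policy itself carries the tunnel action) and in route-based form (the VPN is bound to a tunnel interface and reached by a route). Zone names, interface names, addresses, object names and the pre-shared key are assumed values; lines starting with `#` are annotations, not ScreenOS commands.

```screenos
# Constructed example: local LAN 10.1.1.0/24 behind ethernet3 (untrust),
# remote LAN 10.2.2.0/24 behind peer gateway 2.2.2.2. All values assumed.

# Common to both forms: address objects, IKE gateway, IPsec VPN object.
set address trust "local_lan" 10.1.1.0 255.255.255.0
set address untrust "remote_lan" 10.2.2.0 255.255.255.0
set ike gateway "gw_branch" address 2.2.2.2 main outgoing-interface ethernet3 preshare "PLACEHOLDER_PSK" sec-level standard
set vpn "vpn_branch" gateway "gw_branch" sec-level standard

# --- Form 1: policy-based (choose this OR form 2, not both) ---
# The tunnel is an action of the policy: only traffic matching
# from-zone / source / to-zone / destination / service is encrypted,
# and the SA is negotiated when the first matching packet arrives.
set policy id 1 from trust to untrust "local_lan" "remote_lan" any tunnel vpn "vpn_branch"
set policy id 2 from untrust to trust "remote_lan" "local_lan" any tunnel vpn "vpn_branch" pair-policy 1

# --- Form 2: route-based (alternative to form 1) ---
# The VPN is bound to a tunnel interface; anything the routing table
# sends out tunnel.1 is encrypted regardless of service. The interface
# behaves like a physical one, so static or dynamic routes can use it.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set vpn "vpn_branch" bind interface tunnel.1
set vpn "vpn_branch" proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any
set route 10.2.2.0/24 interface tunnel.1
# VPN monitoring keeps the always-on tunnel established and lets the
# interface state reflect tunnel health for routing decisions.
set vpn "vpn_branch" monitor rekey
# Policies still decide what is permitted; they no longer name the tunnel.
set policy id 3 from trust to untrust "local_lan" "remote_lan" any permit
set policy id 4 from untrust to trust "remote_lan" "local_lan" any permit
```

The route-based form is the one NSM's VPN Manager generates when it creates the tunnel interfaces for you; the policy-based form is what a VPN rule with protected resources compiles to.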
Related Documentation

Defining VPN Checklist Overview on page 207
Defining Members and Topology in NSM on page 207
Traffic Protection Using L2TP Tunneling Protocol Overview on page 205
Copyright © 2010, Juniper Networks, Inc.