Configuring Group Ike Ids - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Configuring Group IKE IDS

The server DN configuration can contain a container part and a wildcard part, as follows:
The container part contains a continuous section of the DN (for example, "OU=a,O=b"). Any DN that contains all of the specified elements in the correct order is accepted.
Up to seven wildcards can be specified, one for each of the following elements: CN, OU, O, L, ST, C, E-mail.
NSM supports the DC container type when ASN1-DN is used to create an IKE ID or a group IKE ID; a group IKE ID enables multiple, concurrent connections to the same VPN tunnel. During Phase 1 negotiations, IKE first attempts an exact match between the RAS IKE ID and the peer gateway IKE ID.
If no exact match is found, IKE then attempts a partial match between the RAS IKE ID and the group IKE ID. When you select this type, you must enter a container identity or a wildcard ID (CN, OU, O, L, ST, C, Email).
NSM devices authenticate a RAS IKE user's ID if the values in the RAS IKE user's ASN1-DN identity fields exactly match the values in the group IKE user's ASN1-DN identity fields. The container ID type supports multiple entries for each identity field (for example, "ou=eng,ou=sw,ou=screenos"). The ordering of the values in the identity fields of the two ASN1-DN strings must be identical. In this IKE ID matching, the DC element can also be matched.
NSM also supports DC in a wildcard when ASN1-DN is used to create an IKE ID or a group wildcard ID. NSM devices authenticate a RAS IKE user's ID if the values in the RAS IKE user's ASN1-DN identity fields match those in the group IKE user's ASN1-DN identity fields. The wildcard ID supports only one value per identity field (for example, "ou=eng" or "ou=sw", but not "ou=eng, ou=sw"). The ordering of the identity fields in the two ASN1-DN strings is inconsequential. In this IKE ID matching, DC is supported as a wildcard element.
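The following is an added worked example, not code from the guide or from NSM/ScreenOS, that models the three matching behaviours described above: the Phase 1 order (exact IKE ID first, then group IKE ID), container ID matching (ordered, multi-valued, exact), and wildcard ID matching (one value per field, order irrelevant, DC allowed). The DN strings, the function names, and the decision to treat the container part as a contiguous run of RDNs are all assumptions made for illustration; the real device implementation may differ in detail.

```python
"""Toy model of NSM/ScreenOS group IKE ID (ASN1-DN) matching rules.
Added example; the DNs and function names below are constructed, not from the guide."""
from __future__ import annotations

# Identity fields the guide lists for wildcards, plus DC, which the guide says
# NSM also supports as a wildcard element.
WILDCARD_FIELDS = {"CN", "OU", "O", "L", "ST", "C", "E", "DC"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=alice,OU=eng,O=acme' into ordered (ATTR, value) pairs.
    Attribute names are case-folded; values keep their case (assumption)."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        if attr == "EMAIL":          # accept the spelling the guide uses
            attr = "E"
        rdns.append((attr, value.strip()))
    return rdns


def container_match(peer_dn: str, container: str) -> bool:
    """Container ID: the container's RDNs must appear in the peer DN as a
    contiguous run, in the same order, with identical values. Multiple values
    per field (e.g. 'ou=eng,ou=sw,ou=screenos') are allowed."""
    peer = parse_dn(peer_dn)
    need = parse_dn(container)
    if not need:
        return False
    for i in range(len(peer) - len(need) + 1):
        if peer[i:i + len(need)] == need:
            return True
    return False


def wildcard_match(peer_dn: str, wildcard: str) -> bool:
    """Wildcard ID: at most one value per identity field, field order irrelevant.
    Raises ValueError for a repeated field (e.g. 'ou=eng,ou=sw') or a field
    that cannot be a wildcard element."""
    peer = parse_dn(peer_dn)
    seen: dict[str, str] = {}
    for attr, value in parse_dn(wildcard):
        if attr not in WILDCARD_FIELDS:
            raise ValueError(f"{attr} cannot be a wildcard element")
        if attr in seen:
            raise ValueError(f"wildcard field {attr} given more than once")
        seen[attr] = value
    if not seen:
        return False
    # Each wildcard field must occur in the peer DN with the same value;
    # position does not matter (assumption: any occurrence counts).
    return all((attr, value) in peer for attr, value in seen.items())


def select_ike_id(peer_dn: str, exact_ids: list[str],
                  group_ids: list[tuple[str, str]]):
    """Phase 1 order from the guide: try an exact IKE ID match first, then the
    group IKE IDs (each a ('container'|'wildcard', pattern) pair).
    Returns (kind, matched_id) or None when nothing matches."""
    peer = parse_dn(peer_dn)
    for ike_id in exact_ids:
        if parse_dn(ike_id) == peer:
            return ("exact", ike_id)
    for kind, pattern in group_ids:
        if kind == "container":
            ok = container_match(peer_dn, pattern)
        elif kind == "wildcard":
            ok = wildcard_match(peer_dn, pattern)
        else:
            raise ValueError(f"unknown group IKE ID kind {kind!r}")
        if ok:
            return (kind, pattern)
    return None


if __name__ == "__main__":
    # Constructed sample identities (not from the guide).
    alice = "cn=alice,ou=eng,ou=sw,ou=screenos,o=juniper,c=us"
    bob = "cn=bob,ou=eng,o=juniper,c=us"
    exact = ["CN=alice,OU=eng,OU=sw,OU=screenos,O=juniper,C=us"]
    groups = [("container", "ou=eng,ou=sw,ou=screenos"), ("wildcard", "c=us")]
    print(select_ike_id(alice, exact, groups))   # exact match wins
    print(select_ike_id(bob, exact, groups))     # falls through to wildcard
```

The `ValueError` raised for "ou=eng,ou=sw" in a wildcard ID mirrors the guide's rule that a wildcard field carries only one value; a configuration that needs several values for one field belongs in a container ID instead.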
If your VPN includes multiple remote users, it can be impractical to create an IKE ID and
VPN rule for each. Instead, you can use a group IKE ID to authenticate multiple users in
a single VPN rule. In the security device configuration VPN settings, create a VPN group
and specify the maximum number of concurrent connections that the group supports
(cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number
of VPN tunnels allowed on the Juniper Networks security device platform).
For details on group IKE IDs, see the ScreenOS 5.x Concepts and Examples Guide.
Related Documentation
Configuring Required Routing-Based VPN Components Overview on page 215
Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview on page 215
Policy-Based VPN Creation Using Shared NAT Objects Overview on page 212
Copyright © 2010, Juniper Networks, Inc.
