Optional Vpn Support Using Authentication Servers Overview; Optional Vpn Support Using Certificate Objects Overview; Configuring Local Certificates - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Optional VPN Support Using Authentication Servers Overview

To externally authenticate VPN traffic for XAuth and L2TP, you must create an authentication server object to use in your VPN. For details on authentication servers, see "Device Administrator Authentication Overview" on page 149.

Related Documentation

Routing-Based VPN Support Using Static and Dynamic Routes Overview on page 216
Optional VPN Support Using Certificate Objects Overview on page 217
Preparing Optional VPN Components Overview on page 216

Copyright © 2010, Juniper Networks, Inc.

Optional VPN Support Using Certificate Objects Overview

To authenticate external devices, to use a group IKE ID to authenticate multiple RAS users, or to provide additional authentication for the security devices in your VPN, you must obtain and install a digital certificate on each VPN member. A digital certificate is an electronic means of verifying identity through the word of a trusted third party, known as a certificate authority (CA). The CA is a trusted partner of both the VPN member using the digital certificate and the member receiving it.

The CA also issues certificates, often with a set time limit. If you do not renew the certificate before the time limit is reached, the CA considers the certificate inactive. A VPN member attempting to use an expired certificate is immediately detected (and rejected) by the CA.

To use certificates in your VPN, you must configure:

Local certificate—Use a local certificate for each security device that is a VPN member.
Certificate authority (CA) object—Use a CA object to obtain a local and CA certificate.
Certificate revocation list (CRL) object—Use a CRL object to ensure that expired certificates are not accepted; a CRL is optional.

The following topics explain in more detail the optional VPN support using certificate objects:

Configuring Local Certificates on page 217
Configuring CA Objects on page 218
Configuring CRL Objects on page 218

Configuring Local Certificates

A local certificate validates the identity of the security device in a VPN tunnel connection. To get a local certificate for a device, you must prompt the device to generate a certificate request (which includes a public/private key pair request) using the Generate Certificate Request directive. In response, the device provides a certificate request that includes the encrypted public key for the device. Using this encrypted public key, you can contact an independent
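The three certificate objects listed in the overview and the certificate-request flow described above, as an added example that is not part of the Juniper guide: a POSIX shell script that uses the openssl CLI to stand up a throwaway CA, have a device generate a key pair and certificate request, sign it into a short-lived local certificate, then publish a CRL and show how a peer's validation answers before expiry, after expiry, and after revocation. The CA name, device name, file names and the one-day lifetime are constructed; it assumes openssl 1.1.0 or later on PATH.

```shell
# Added example (not from the Juniper guide): throwaway PKI via the openssl CLI.
# CA name, device name, file names and the one-day lifetime are constructed.
set -e
pki_setup() {
  work=$(mktemp -d) && cd "$work" || return 1
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = index.txt
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
  : > index.txt
  # CA object: a self-signed CA certificate standing in for a real CA.
  openssl ecparam -genkey -name prime256v1 -noout -out ca.key
  openssl req -new -x509 -config pki.cnf -key ca.key -days 365 \
    -subj "/CN=Example VPN CA" -out ca.crt 2>/dev/null
  # Device: key pair plus certificate request (Generate Certificate Request).
  openssl ecparam -genkey -name prime256v1 -noout -out dev.key
  openssl req -new -config pki.cnf -key dev.key -subj "/CN=vpn-device-1" \
    -out dev.csr 2>/dev/null
  # CA signs the request into the local certificate, valid for one day.
  openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out dev.crt 2>/dev/null
}
# Validate dev.crt as a peer would at epoch time $1: CA chain, validity period, CRL if present.
cert_status() {
  crl_opts=""; if [ -f ca.crl ]; then crl_opts="-crl_check -CRLfile ca.crl"; fi
  out=$(openssl verify -attime "$1" -CAfile ca.crt $crl_opts dev.crt 2>&1) || true
  case "$out" in
    *expired*) echo expired ;;
    *revoked*) echo revoked ;;
    *": OK"*) echo valid ;;
    *) echo "error: $out" ;;
  esac
}
# CRL object: revoke the device certificate at the CA and publish a CRL.
publish_crl() {
  openssl ca -config pki.cnf -revoke dev.crt >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
```

Run pki_setup, then cert_status with an epoch time to see "valid" now and "expired" a few days out; after publish_crl the same certificate reports "revoked" even though its validity period has not ended.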
Chapter 7: Planning and Preparing VPNs
217