Screenos Devices Gateway Properties - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

ScreenOS Devices Gateway Properties

device member has a remote gateway that it sends and receives VPN traffic to and from.

To configure a gateway for a VPN member, you need to define the local gateway (the
interface on the VPN member that handles VPN traffic) and the remote gateway (the
interface on the other VPN member that handles VPN traffic). The interface can be
physical or virtual.

For remote gateways that use static IP addresses, specify the IP address or host name
of the remote device.

For remote gateways that use dynamic IP addresses, configure an IKE ID for the remote
device.

For remote gateways that are RAS users, specify a local user object as a remote gateway
to enable RAS user access.

To add a gateway to a security device, open the device configuration, select VPN Settings,
and click the Add icon to display the New Gateway dialog box. Configure the gateway
as detailed in the following topics.

ScreenOS Devices Gateway Properties
ScreenOS Devices IKE IDs or XAuth Identification Number
Security Methods for ScreenOS Devices

Enter a name for the new gateway, and then specify the following gateway values as
described in Table 53:

Table 53: Gateway Properties

Gateway Options: Mode

Description: The mode determines how Phase 1 negotiations occur.

In Main mode, the IKE identity of each node is protected. Each node sends three two-way
messages (six messages total); the first two messages negotiate encryption and
authentication algorithms that protect subsequent messages, including the IKE identity
exchange between the nodes. Depending on the speed of your network connection and the
encryption and authentication algorithms you use, Main mode negotiations can take a long
time to complete. Use Main mode when security is more important.

In Aggressive mode, the IKE identity of each node is not protected. The initiating node sends
two messages and the receiving node sends one (three messages total); all messages are
sent in the clear, including the IKE identity exchange between the nodes. Because Aggressive
mode is typically faster but less secure than Main mode, use Aggressive mode when speed
is more important than security. However, you must use Aggressive mode for VPNs that
include RAS users.
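
To make the identity-protection difference visible when reviewing captured Phase 1 traffic, the following added example (not part of the Juniper guide) parses IKEv1 ISAKMP headers using the field layout and type numbers from RFC 2408 and reports whether a message is Main or Aggressive mode and whether its Identification payload is readable. The sample packets, the `build` helper and the ID value are constructed for illustration.

```python
import struct

# ISAKMP constants from RFC 2408 (assumed here; the guide itself lists no wire values).
HDR = struct.Struct("!8s8sBBBBII")       # cookies, next payload, version, exchange, flags, msg id, length
EXCHANGE = {2: "Main", 4: "Aggressive"}  # 2 = Identity Protection, 4 = Aggressive
PAYLOAD_ID = 5                           # Identification payload
FLAG_ENCRYPTED = 0x01

def inspect_phase1(packet: bytes) -> dict:
    """Classify one IKEv1 Phase 1 message and report whether its ID payload is readable."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    id_in_clear = False
    offset = HDR.size
    # The payload chain can only be walked when the body is not encrypted.
    while not encrypted and nxt != 0:
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        id_in_clear = id_in_clear or nxt == PAYLOAD_ID
        nxt, offset = following, offset + plen
    return {"mode": EXCHANGE.get(exch, f"other({exch})"),
            "encrypted": encrypted, "id_in_clear": id_in_clear}

def build(exchange: int, flags: int, payloads: list) -> bytes:
    """Constructed sample message: payloads is a list of (type, body) pairs."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"I" * 8, bytes(8), first, 0x10, exchange, flags, 0,
                    HDR.size + len(body)) + body

# Constructed samples: Aggressive message 1 carries SA, KE, Nonce and ID unencrypted;
# Main mode message 5 carries the ID inside an encrypted body (opaque bytes here).
AGGRESSIVE_MSG1 = build(4, 0, [(1, b"sa"), (4, b"ke"), (10, b"nonce"), (5, b"vpn-user@example")])
MAIN_MSG1 = build(2, 0, [(1, b"sa")])
MAIN_MSG5 = HDR.pack(b"I" * 8, b"R" * 8, PAYLOAD_ID, 0x10, 2, FLAG_ENCRYPTED, 0, HDR.size + 16) + bytes(16)

if __name__ == "__main__":
    for name, pkt in [("aggressive #1", AGGRESSIVE_MSG1), ("main #1", MAIN_MSG1), ("main #5", MAIN_MSG5)]:
        print(name, inspect_phase1(pkt))
```

A gateway whose first Phase 1 message reports `id_in_clear` as true is negotiating in Aggressive mode, which the table above reserves for cases where speed outweighs security or RAS users are involved.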
Copyright © 2010, Juniper Networks, Inc.
