Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 247

Table 53: Gateway Properties (continued)

Gateway Option: Remote Gateway
Description: The remote gateway is the VPN gateway on the receiving VPN node. It can be an interface with a static or dynamic IP address, or a local or external user object. From ScreenOS 6.3, Remote Gateway supports IPv6 addresses.
  Static IP Address—For remote gateways that use a static IP address, enter the IP address and mask.
  RAS User/Group—For remote gateways that are users, select the user object or user group object that represents the RAS user.
  Dynamic IP Address—For remote gateways that use a dynamic IP address, select Dynamic IP Address.

Gateway Option: Authenticated by EAP
Description: This option provides IKEv2 EAP pass-through. You can enable a ScreenOS 6.1 device to use EAP to authenticate a client against a RADIUS authentication server. The device acts as a proxy (the EAP authenticator) and relays EAP messages between the client (the supplicant) and the RADIUS (authentication) server.
During the EAP exchange, the device extracts the EAP messages from the IKEv2 messages it receives from the peer, encapsulates them in RADIUS messages, and sends them to the RADIUS server. When the RADIUS server responds to an authentication request, the device extracts the EAP messages from the RADIUS reply, encapsulates them in IKEv2 messages, and sends them to the peer. After the RADIUS server has authenticated the client, if the EAP method generated a shared key during the exchange, the security device extracts that key from the RADIUS Access-Accept message and uses it to generate the IKEv2 AUTH payload. In this way the device passes EAP messages between a client and an authentication server without terminating the EAP method itself.
Because the AUTH payload is what binds the EAP result to the IKE SA, choose an EAP method that exports a key (RFC 7296 notes that EAP methods which do not establish a shared key are subject to man-in-the-middle attacks), and protect the device-to-RADIUS leg, since that key is delivered in the Access-Accept.
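The relay described in the Authenticated by EAP row, as an added example in Python that is not Juniper's code. One side plays the security device (unwrap the EAP message from the IKEv2 EAP payload, wrap it in a RADIUS Access-Request, verify the Access-Accept, recover the key from the MS-MPPE-Recv-Key/Send-Key attributes and derive the IKEv2 AUTH payload from it); the other plays the RADIUS server so the exchange runs offline. The RADIUS shared secret, the EAP identity, the Request Authenticator, the 64-byte MSK and the choice of HMAC-SHA256 as the negotiated IKEv2 prf are all constructed assumptions. The packet formats follow RFC 2865 and RFC 3579 (RADIUS, EAP-Message and Message-Authenticator), RFC 2548 (MPPE key attributes) and RFC 7296 section 2.16 (AUTH from the EAP shared key).

```python
import hashlib, hmac, struct

SECRET = b"constructed-radius-secret"            # RADIUS shared secret (constructed)
EAP_MESSAGE, MSG_AUTH, VENDOR_SPECIFIC = 79, 80, 26
MS_VENDOR, MPPE_SEND_KEY, MPPE_RECV_KEY = 311, 16, 17

def eap_from_ikev2_payload(payload):
    """Device side: strip the IKEv2 generic payload header; EAP length must agree."""
    _nxt, _flags, length = struct.unpack("!BBH", payload[:4])
    eap = payload[4:length]
    if length != len(payload) or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("IKEv2 payload length and EAP length disagree")
    return eap

def attr(t, v):                      # RADIUS TLV: type, length (incl. header), value
    return struct.pack("!BB", t, len(v) + 2) + v

def vsa(vtype, v):                   # Microsoft vendor-specific attribute (RFC 2548)
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", MS_VENDOR, vtype, len(v) + 2) + v)

def message_authenticator(code, ident, authenticator, attrs):
    """RFC 3579: HMAC-MD5 over the packet with a zeroed Message-Authenticator last."""
    body = b"".join(attrs) + attr(MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return hmac.new(SECRET, pkt, hashlib.md5).digest()

def access_request(ident, req_auth, eap):
    """Device side: EAP in 253-byte EAP-Message chunks, signed as RFC 3579 requires."""
    attrs = [attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253)]
    attrs.append(attr(MSG_AUTH, message_authenticator(1, ident, req_auth, attrs)))
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body

def mppe_crypt(data, req_auth, salt, encrypt):
    """RFC 2548 key obfuscation: block XOR MD5(secret || previous ciphertext block)."""
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        ks = hashlib.md5(SECRET + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, ks))
        out, prev = out + c, (c if encrypt else block)
    return out

def access_accept(request, eap_id, msk):
    """RADIUS server side (constructed so the example runs offline): EAP-Success plus
    the MSK halves as MS-MPPE-Recv-Key / MS-MPPE-Send-Key (RFC 5247 layout)."""
    ident, req_auth = request[1], request[4:20]
    def wrap(key, salt):             # length byte, key, pad to 16, then obfuscate
        p = bytes([len(key)]) + key
        return salt + mppe_crypt(p + bytes(-len(p) % 16), req_auth, salt, True)
    attrs = [attr(EAP_MESSAGE, struct.pack("!BBH", 3, eap_id, 4)),
             vsa(MPPE_RECV_KEY, wrap(msk[:32], b"\x80\x01")),
             vsa(MPPE_SEND_KEY, wrap(msk[32:], b"\x80\x02"))]
    attrs.append(attr(MSG_AUTH, message_authenticator(2, ident, req_auth, attrs)))
    body = b"".join(attrs)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + SECRET).digest() + body

def extract_msk(request, response):
    """Device side: verify both authenticators, then MSK = Recv-Key || Send-Key."""
    req_auth, hdr, body = request[4:20], response[:4], response[20:]
    if response[0] != 2 or response[1] != request[1]:
        raise ValueError("not an Access-Accept for this request")
    if not hmac.compare_digest(hashlib.md5(hdr + req_auth + body + SECRET).digest(), response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    zeroed, i, keys, ma = bytearray(hdr + req_auth + body), 20, {}, None
    while i < len(zeroed):
        t, l = zeroed[i], zeroed[i + 1]
        if l < 2 or i + l > len(zeroed):
            raise ValueError("malformed attribute")
        v = bytes(zeroed[i + 2:i + l])
        if t == MSG_AUTH:
            ma, zeroed[i + 2:i + l] = v, bytes(16)
        elif t == VENDOR_SPECIFIC and v[:4] == struct.pack("!I", MS_VENDOR):
            plain = mppe_crypt(v[8:], req_auth, v[6:8], False)   # v[4] type, v[6:8] salt
            keys[v[4]] = plain[1:1 + plain[0]]
        i += l
    if ma is None or not hmac.compare_digest(hmac.new(SECRET, bytes(zeroed), hashlib.md5).digest(), ma):
        raise ValueError("Message-Authenticator missing or invalid")
    return keys[MPPE_RECV_KEY] + keys[MPPE_SEND_KEY]

def ikev2_auth(msk, signed_octets):
    """RFC 7296 2.16: AUTH = prf(prf(MSK, "Key Pad for IKEv2"), octets); prf assumed HMAC-SHA256."""
    k = hmac.new(msk, b"Key Pad for IKEv2", hashlib.sha256).digest()
    return hmac.new(k, signed_octets, hashlib.sha256).digest()

def relay_round_trip(tamper=False):
    """End to end with constructed values; returns (MSK recovered intact?, AUTH hex)."""
    eap = struct.pack("!BBH", 2, 7, 10) + b"\x01alice"          # EAP-Response/Identity, id 7
    ike_payload = struct.pack("!BBH", 0, 0, 4 + len(eap)) + eap  # IKEv2 EAP payload
    req_auth = hashlib.sha256(b"constructed request authenticator").digest()[:16]
    msk = bytes(range(64))                                       # constructed 64-byte MSK
    req = access_request(42, req_auth, eap_from_ikev2_payload(ike_payload))
    acc = access_accept(req, 7, msk)
    if tamper:                                                   # flip one byte of the reply
        acc = acc[:25] + bytes([acc[25] ^ 1]) + acc[26:]
    recovered = extract_msk(req, acc)
    return recovered == msk, ikev2_auth(recovered, b"constructed InitiatorSignedOctets").hex()
```

The two authenticator checks in extract_msk are the part worth copying: the Response Authenticator proves the Access-Accept came from a server holding the shared secret, and the Message-Authenticator covers the EAP attributes, which RFC 3579 makes mandatory for EAP traffic. An implementation that skips either will derive AUTH from a key chosen by whoever can spoof the RADIUS server's address. The MSK is also only as secret as the RADIUS leg itself, since RFC 2548 obfuscation is keyed by the same shared secret.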
Gateway Option: Outgoing Interface
Description: The outgoing interface (also known as the termination interface) is the interface on the security device that sends and receives VPN traffic. Typically, the outgoing interface is in the Untrust zone.

Gateway Option: Heartbeats
Description: IKE heartbeats let the security device detect a failed peer so that a redundant gateway can take over. You can use the defaults or set your own thresholds:
  Hello—Enter the interval, in seconds, at which the security device sends hello pulses to the peer.
  Reconnect—Enter the number of seconds the security device waits between attempts to reconnect to the peer after it has declared the peer unreachable.
  Threshold—Enter the number of consecutive hello pulses that may go unanswered before the security device declares the peer unreachable.

Gateway Option: Dead Peer Detection
Description: Dead Peer Detection (DPD, RFC 3706) is a protocol used by IKE peers to verify that the other peer is still present and reachable. You can use DPD as an alternative to IKE heartbeats, but you cannot enable both on the same gateway. You can configure the following DPD parameters:
  Interval (Seconds)—Specifies the DPD interval: the time, in seconds, that the device allows to pass without hearing from the peer before it sends a DPD request (an R-U-THERE message) to check whether the peer is still alive.
  Always Send Switch—Instructs the device to send DPD requests at each interval regardless of whether there is IPsec traffic with the peer. When this is off, the device sends a request only if no traffic has arrived from the peer during the interval.
  Retry Times—Specifies the maximum number of consecutive DPD requests the device sends without receiving a response before it considers the peer dead.
  Reconnect (Seconds)—Specifies the reconnect interval. After the tunnel has been cleared because the peer was detected as dead, the device attempts to renegotiate the tunnel at this interval.
Copyright © 2010, Juniper Networks, Inc.
Chapter 8: Configuring VPNs
223