Configuring ScreenOS Devices Guide
Table 53: Gateway Properties (continued)

Gateway Option / Description

NAT Traversal
A NAT device rewrites the IP addresses (and, for TCP and UDP, the ports) of packets that pass through it. ESP carries no port numbers for the NAT device to translate, and the translated addresses no longer match what the IPsec peers negotiated, so a VPN node generally cannot exchange IPsec traffic with a peer that sits behind an external NAT device. To enable VPN traffic to traverse a NAT device, you can use NAT Traversal (NAT-T), which encapsulates the IPsec packets in UDP so that the NAT device can translate them like any other UDP flow. If a VPN node with NAT-T enabled detects an external NAT device during Phase 1 negotiation, it checks every VPN packet to determine whether NAT-T encapsulation is necessary. Because checking every packet impacts VPN performance, enable NAT-T only for remote users that must connect to the VPN through an external NAT device.

You do not need to enable NAT-T for your internal security device nodes that use NAT: each VPN node already knows the correct address translations for VPN traffic and does not need to encapsulate it.
To use NAT-T, enable NAT-T and specify:

UDP Checksum—A 2-byte value, calculated over the UDP header, the UDP payload, and a pseudo-header taken from the IP header (source and destination addresses, protocol, and UDP length), that lets the receiver verify packet integrity. Because the pseudo-header includes the IP addresses, a NAT device that rewrites an address must also recompute the checksum or the receiver's verification fails. You must enable this option for NAT devices that require UDP checksum verification; however, most NAT devices (including security devices) do not require it and accept a zero checksum field, which IPv4 permits, so leave it disabled unless the NAT device in the path requires it.

Keepalive Frequency—The number of seconds a VPN node waits between sending empty UDP packets through the NAT device. A NAT device keeps a translation active only while traffic flows through it and discards idle translations after a timeout. To keep the VPN tunnel's translation open during idle periods, configure the VPN node to send empty "keepalive" packets through the NAT device at an interval shorter than the NAT device's idle timeout.
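The two mechanisms this row describes, shown in working code: how a NAT-T endpoint tells a keepalive, an IKE message and a UDP-encapsulated ESP packet apart on the UDP/4500 port (RFC 3948), and why the UDP checksum option interacts with address translation (the RFC 768 checksum covers an IPv4 pseudo-header, so a NAT device that rewrites the source address must recompute it or the receiver's check fails). This is an added example, not code from the NSM guide or from ScreenOS; the IP addresses and packet contents are constructed for the demonstration, and the "encrypted" ESP payload is dummy bytes.

```python
"""NAT-T demultiplexing (RFC 3948) and UDP checksum verification (RFC 768).

Added example, not ScreenOS or NSM code. All packets below are constructed by hand.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on port 4500 carries four leading zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948: a NAT keepalive is a single 0xFF byte


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a port-4500 datagram as keepalive, IKE, or UDP-encapsulated ESP.

    An ESP SPI is never 0, so four leading zero bytes unambiguously mark an IKE message.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", "ike_message": payload[4:]}
    if len(payload) < 8:  # ESP header is SPI (4 bytes) + sequence number (4 bytes)
        return {"kind": "invalid"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum of data (zero-padded to even length), with end-around carry."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 17 (UDP), UDP length."""
    return src_ip + dst_ip + b"\x00\x11" + struct.pack("!H", udp_length)


def build_udp_datagram(src_ip, dst_ip, sport, dport, payload, with_checksum=True) -> bytes:
    """Return UDP header + payload. With with_checksum=False the field is 0 ("no checksum")."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    if not with_checksum:
        return header + payload
    csum = 0xFFFF - _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = csum or 0xFFFF  # a computed 0 is transmitted as 0xFFFF, because 0 on the wire means "absent"
    return header[:6] + struct.pack("!H", csum) + payload


def verify_udp_checksum(src_ip, dst_ip, datagram) -> str:
    """'absent' if the sender set no checksum, 'ok' if it verifies for these addresses, else 'bad'."""
    length, csum = struct.unpack("!HH", datagram[4:8])
    if csum == 0:
        return "absent"
    # A valid checksum makes the ones' complement sum over pseudo-header + datagram come out as 0xFFFF.
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + datagram)
    return "ok" if total == 0xFFFF else "bad"


def nat_rewrite_source(datagram, old_src_ip, new_src_ip, dst_ip) -> bytes:
    """What a correct NAT device does to a checksummed UDP datagram: recompute for the new source IP."""
    if verify_udp_checksum(old_src_ip, dst_ip, datagram) == "absent":
        return datagram  # nothing to fix up; the receiver will skip verification
    sport, dport = struct.unpack("!HH", datagram[:4])
    return build_udp_datagram(new_src_ip, dst_ip, sport, dport, datagram[8:])


def demo() -> dict:
    """Constructed scenario: a client at 192.168.1.10 behind a NAT (public 203.0.113.5) talks to peer 198.51.100.7."""
    private_ip, public_ip, peer_ip = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7])
    esp = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 24   # SPI, seq, dummy encrypted payload
    ike = NON_ESP_MARKER + b"\x11" * 28                       # zero marker, dummy IKE header
    checksummed = build_udp_datagram(private_ip, peer_ip, NAT_T_PORT, NAT_T_PORT, esp)
    no_checksum = build_udp_datagram(private_ip, peer_ip, NAT_T_PORT, NAT_T_PORT, esp, with_checksum=False)
    return {
        "kinds": [classify_nat_t_payload(p)["kind"] for p in (NAT_KEEPALIVE, ike, esp)],
        "esp_spi": classify_nat_t_payload(esp)["spi"],
        "before_nat": verify_udp_checksum(private_ip, peer_ip, checksummed),
        # NAT rewrote the IP header only: the receiver sees the public source address and the old checksum.
        "nat_no_recompute": verify_udp_checksum(public_ip, peer_ip, checksummed),
        "nat_recompute": verify_udp_checksum(
            public_ip, peer_ip, nat_rewrite_source(checksummed, private_ip, public_ip, peer_ip)),
        # With the UDP Checksum option off, the field is zero and no NAT fix-up is needed at all.
        "no_checksum": verify_udp_checksum(public_ip, peer_ip, no_checksum),
    }


if __name__ == "__main__":
    print(demo())
```

The `nat_no_recompute` result ("bad") is exactly the failure the UDP Checksum option exists to avoid: a NAT device that translates the address without touching the UDP checksum delivers a datagram that a checksum-verifying receiver discards, whereas a zero checksum field (`no_checksum`, "absent") is accepted by any receiver that honours the IPv4 rule, which is why the guide recommends leaving the option off for most NAT devices.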
Auth-Method

The authentication method specified for this proposal. If you do not specify an authentication method in the proposal, preshared key authentication is used by default; this matches the behavior of IKEv2.
Authentication method for this device—Select the authentication method you want to use: certificates or preshared keys. With certificates, IKE validates each peer's certificate against a trusted certificate authority defined in your network; you must define this trusted certificate authority by creating a certificate authority object. With preshared keys, every VPN node must be configured with the same secret. In a VPN managed by NSM, the secret is generated and pushed to each VPN node as part of the device configuration rather than being exchanged over IKE, so it travels only over the NSM management channel; its security rests entirely on that secret staying confidential, so treat it with the same care as any other credential.
Peer's authentication type—Both phases use proposals when they negotiate a connection, and both peers must use the same authentication and encryption algorithms to establish communication.
In ScreenOS 6.1 or later, NSM allows users to configure IKEv2. The remote gateway type
for IKEv2 can be an interface with either a static IP address type or a RAS type.
ScreenOS Devices IKE IDs or XAuth Identification Number

Every VPN member has a unique identifier, known as an IKE ID. During Phase 1 negotiations, the IKE protocol uses this ID to identify the VPN member and select the matching gateway configuration and credentials, so the ID a peer presents must match the ID the other end is configured to expect. You must select and configure an ID type for the VPN members at each end of the tunnel; however, the ID type can be different for each member. Table 54 on page 225 describes the available ID types.
Copyright © 2010, Juniper Networks, Inc.