Security Methods For Screenos Devices - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Security Methods for ScreenOS Devices

Select the authentication method you want to use in the VPN:
Preshared Key—Use if your VPN includes security devices and/or RAS users. VPN nodes
use the preshared key during Phase 1 negotiations to authenticate each other; because
each node already knows the key, no certificates have to be exchanged or validated, so
negotiation is simpler and faster.
To generate a random key, enter a value for the seed, and then click Generate Key.
NSM uses the seed value to generate the key that authenticates VPN members. Because
the key is derived from the seed, choose a long, unpredictable seed: a guessable seed
yields a guessable key.
NOTE: A generated key can exceed 255 characters, which is more than ScreenOS
accepts, so the security device might reject the key during the update. If that
happens, shorten the autogenerated value by deleting characters before you push the
update. Truncating a random key leaves the remaining characters just as random, so
the key is only as weak as its new, shorter length.
To use a predefined value for the key, enter it in the Preshared Key field. Use a long,
randomly generated value rather than a word or phrase: a preshared key that is used
with IKE aggressive mode (typical for RAS users) can be brute-forced offline from a
captured exchange if it is short or guessable.
PKI—Use if your VPN includes extranet devices or you require the stronger
authentication that certificates provide. With PKI, VPN members authenticate each
other with certificates rather than a shared secret.
For Phase 1 negotiations, select a proposal or proposal set. You can select from predefined
or user-defined proposals:
To use a predefined proposal set, select one of the following:
Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha,
nopfs-esp-des-md5)
Standard (g2-esp-3des-sha, g2-esp-aes128-sha)
Basic and Compatible offer single DES and HMAC-MD5, both of which are obsolete and
are brute-forceable or deprecated; Standard is the only predefined set that includes
AES. Prefer Standard, or a user-defined proposal built on AES, for any tunnel that
carries sensitive traffic.
NOTE: You cannot use a predefined proposal set with certificates; you
must select a user-defined proposal or change the authentication method
to Preshared Key.
To use a user-defined proposal, select a single proposal from the list of predefined
and custom IKE Phase 1 proposals. For details on custom IKE proposals, see "Configuring
IKE Proposals" in the Network and Security Manager Administration Guide.
If your VPN includes only security devices, you can specify one predefined or custom
proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet
devices, configure multiple proposals so that each peer can find an acceptable match,
but do not include weak proposals merely for compatibility: the peer may select any
proposal you offer, so a set is only as strong as its weakest member.
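The names in the predefined sets encode what each proposal offers, and a set is only as strong as its weakest member. The Python script below is an added example, not code from the Juniper guide or from NSM: it parses proposal names under the assumed convention <pfs>-<protocol>-<cipher>-<hash> (inferred from the names listed above; the convention, the PROPOSAL_RE pattern and the severity labels are assumptions) and reports which predefined sets still contain obsolete primitives.

```python
import re
from typing import Dict, List, Tuple

# Assumed naming convention, inferred from the names the guide lists (an
# assumption, not documented on the page): <pfs>-<protocol>-<cipher>-<hash>,
# where "nopfs" means no Perfect Forward Secrecy and "gN" means DH group N.
PROPOSAL_RE = re.compile(
    r"^(?P<pfs>nopfs|g\d+)-(?P<proto>esp|ah)-(?P<cipher>[a-z0-9]+)-(?P<hash>md5|sha|sha256)$"
)

# The three predefined sets as the guide lists them.
PREDEFINED_SETS: Dict[str, List[str]] = {
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Standard": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
}


def parse_proposal(name: str) -> Dict[str, object]:
    """Split a proposal name into its fields; raise on anything unrecognised."""
    m = PROPOSAL_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised proposal name: {name!r}")
    fields: Dict[str, object] = dict(m.groupdict())
    pfs = str(fields["pfs"])
    fields["dh_group"] = None if pfs == "nopfs" else int(pfs[1:])
    return fields


def weaknesses(name: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs: 'reject' for broken primitives, 'warn' for legacy ones."""
    p = parse_proposal(name)
    found: List[Tuple[str, str]] = []
    if p["cipher"] == "des":
        found.append(("reject", "single DES: 56-bit key, brute-forceable"))
    elif p["cipher"] == "3des":
        found.append(("warn", "3DES: 64-bit block cipher, legacy"))
    if p["hash"] == "md5":
        found.append(("reject", "HMAC-MD5: deprecated integrity algorithm"))
    if p["dh_group"] is None:
        found.append(("warn", "no PFS: Phase 2 keys depend entirely on the Phase 1 secret"))
    return found


def set_verdict(proposals: List[str]) -> str:
    """A set is only as strong as its weakest member, because the peer may
    accept any proposal offered. Returns 'reject', 'warn' or 'ok'."""
    severities = {sev for name in proposals for sev, _ in weaknesses(name)}
    if "reject" in severities:
        return "reject"
    if "warn" in severities:
        return "warn"
    return "ok"


def audit_predefined() -> Dict[str, str]:
    """Verdict for each predefined set listed in the guide."""
    return {name: set_verdict(members) for name, members in PREDEFINED_SETS.items()}


if __name__ == "__main__":
    for set_name, verdict in audit_predefined().items():
        print(f"{set_name:<11} {verdict}")
        for member in PREDEFINED_SETS[set_name]:
            for sev, reason in weaknesses(member):
                print(f"    {member:<22} {sev}: {reason}")
```

Run as a script it lists Basic and Compatible as reject (DES and MD5) and Standard as warn (its 3DES member); a custom set consisting only of g2-esp-aes128-sha comes back ok. Extend PROPOSAL_RE if your devices use cipher or hash names the pattern does not cover.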
In ScreenOS 6.1 or later, you can also set the following IKEv2 parameters:
Half-open IKE session threshold—The number of half-open IKE sessions (IKE_SA_INIT
received, IKE_AUTH not yet completed) at which the device starts the stateless cookie
exchange. Above the threshold the responder answers each new IKE_SA_INIT with a cookie
and commits no state until the initiator resends its request carrying that cookie; this
is the IKEv2 defence against floods of IKE_SA_INIT requests from spoofed addresses.
Initiator sending dummy IPsec packet—Whether the initiator sends a dummy IPsec packet.
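To make the half-open threshold concrete, the following Python simulation is an added example, not code from the guide or from ScreenOS, of how an IKEv2 responder applies the stateless cookie exchange of RFC 7296 section 2.6. The Responder and IkeSaInit classes, the simulate() driver, the threshold value, the addresses and the exact cookie construction are assumptions for illustration; ScreenOS's own implementation is not shown on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IkeSaInit:
    """Minimal IKE_SA_INIT request: only the fields the cookie is bound to."""
    spi_i: bytes            # initiator SPI
    nonce_i: bytes          # initiator nonce Ni
    src_ip: str             # source address as seen by the responder
    cookie: Optional[bytes] = None   # echoed N(COOKIE) payload, if any


class Responder:
    """IKEv2 responder with a half-open threshold that triggers cookie challenges."""

    def __init__(self, half_open_threshold: int) -> None:
        self.threshold = half_open_threshold
        self.secret = secrets.token_bytes(32)   # a real responder rotates this periodically
        self.half_open: Dict[bytes, str] = {}   # SPIi -> peer address: state we have committed

    def cookie_for(self, req: IkeSaInit) -> bytes:
        # RFC 7296 s2.6 suggests Cookie = <VersionID> | Hash(Ni | IPi | SPIi | <secret>).
        msg = req.nonce_i + req.src_ip.encode() + req.spi_i
        return b"\x01" + hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle(self, req: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Return the message type sent back and, for a challenge, the cookie."""
        if len(self.half_open) >= self.threshold:
            expected = self.cookie_for(req)
            if req.cookie is None or not hmac.compare_digest(req.cookie, expected):
                # Under load: answer statelessly; a spoofed source never completes this.
                return ("N(COOKIE)", expected)
        # Below threshold, or the peer proved it can receive at its claimed address.
        self.half_open[req.spi_i] = req.src_ip
        return ("IKE_SA_INIT response", None)

    def finish(self, spi_i: bytes) -> None:
        """IKE_AUTH completed (or the SA timed out): the session is no longer half-open."""
        self.half_open.pop(spi_i, None)


def initiator_retry(req: IkeSaInit, cookie: bytes) -> IkeSaInit:
    """A real initiator resends the same IKE_SA_INIT with the N(COOKIE) payload prepended."""
    return IkeSaInit(req.spi_i, req.nonce_i, req.src_ip, cookie)


def simulate(threshold: int, spoofed: int) -> Dict[str, object]:
    """Flood a responder from spoofed sources, then admit one legitimate peer."""
    r = Responder(threshold)
    # Constructed flood: sources that never answer, so no challenge is ever completed.
    for i in range(spoofed):
        r.handle(IkeSaInit(i.to_bytes(8, "big"), secrets.token_bytes(16),
                           f"203.0.113.{i % 250 + 1}"))
    held_after_flood = len(r.half_open)

    # Legitimate peer: challenged, echoes the cookie, and is admitted.
    legit = IkeSaInit(b"\xff" * 8, secrets.token_bytes(16), "198.51.100.7")
    msg, cookie = r.handle(legit)
    challenged = msg == "N(COOKIE)"
    if challenged and cookie is not None:
        msg, _ = r.handle(initiator_retry(legit, cookie))
    admitted = msg == "IKE_SA_INIT response"

    # A forged cookie (wrong secret) is still refused without allocating state.
    forged = initiator_retry(legit, b"\x01" + b"\x00" * 16)
    forged_refused = r.handle(forged)[0] == "N(COOKIE)"

    return {
        "half_open_after_flood": held_after_flood,
        "legit_challenged": challenged,
        "legit_admitted": admitted,
        "forged_cookie_refused": forged_refused,
        "half_open_final": len(r.half_open),
    }


if __name__ == "__main__":
    for key, value in simulate(threshold=3, spoofed=50).items():
        print(f"{key:<24} {value}")
```

With a threshold of 3 and fifty spoofed requests the responder holds state for only three half-open SAs; the remaining spoofed requests and the forged cookie cost it nothing but a hash, while the legitimate initiator is admitted on its second round trip. Setting the threshold too low forces every peer through the extra round trip; setting it too high lets a flood exhaust the SA table before cookies kick in.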
Copyright © 2010, Juniper Networks, Inc.
