Screenos Security Measures Using Vpn Configuration - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual
ScreenOS Security Measures Using VPN Configuration

Table 55: Device-Level AutoKey IKE VPN Properties

Each entry below gives the property followed by your action.

VPN Name: Enter a name for the VPN.

Remote Gateway: Select the gateway for the VPN.

Idle Time to Disable SA: Configure the number of minutes before a session that has no traffic automatically disables the SA.

Replay Protection: In a replay attack, an attacker intercepts a series of legitimate packets and uses them to create a denial of service (DoS) against the packet destination or to gain entry to trusted networks. If replay protection is enabled, your security devices inspect every IPsec packet to see if the packet has been received before; if packets arrive outside a specified sequence range, the security device rejects them.

IPSec Mode: Configure the mode:
- Use tunnel mode for IPsec—Before an IP packet enters the VPN tunnel, NSM encapsulates the packet in the payload of another IP packet and attaches a new IP header. This new IP packet can be authenticated, encrypted, or both. The DSCP mark (which allows the user to configure the DSCP value for each route-based VPN) supports only Tunnel IPsec mode.
- Use transport mode for L2TP-over-IPsec—NSM does not encapsulate the IP packet, meaning that the original IP header must remain in plaintext. However, the original IP packet can be authenticated, and the payload can be encrypted.

Do not set Fragment Bit in the Outer Header: The Fragment Bit controls how the IP packet is fragmented when traveling across networks.
- Clear—Use this option to enable IP packets to be fragmented.
- Set—Use this option to ensure that IP packets are not fragmented.
- Copy—Select to use the same option as specified in the internal IP header of the original packet.

For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:
- To use a predefined proposal set, select one of the following:
  - Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
  - Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
  - Standard (gs-esp-3des-sha, gs-esp-aes128-sha)
- To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 proposals. For details on custom IKE proposals, see "Configuring IKE Proposals" in the Network and Security Manager Administration Guide.

If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices, you should use multiple proposals to increase security and ensure compatibility.
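The replay-protection check described above ("if packets arrive outside a specified sequence range, the security device rejects them"), shown as an added Python illustration that is not NSM or ScreenOS code: a sliding-window anti-replay filter of the kind IPsec ESP receivers use. The 64-entry window size and the sample sequence numbers are assumptions made for this example.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of IPsec ESP.

    A packet is accepted if its sequence number advances the right edge
    of the window, or lies inside the window and has not been seen yet.
    Anything older than the window, or already marked as received, is
    rejected as a replay. The window size (64) is an assumption.
    """

    def __init__(self, window_size: int = 64) -> None:
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it should be accepted, else False."""
        if seq <= 0:
            return False   # ESP never sends sequence number 0
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark seq.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False   # too old: outside the accepted sequence range
        if self.bitmap & (1 << offset):
            return False   # duplicate: a replayed packet
        self.bitmap |= 1 << offset   # late but unseen: accept (reordering)
        return True


def filter_stream(seqs, window_size=64):
    """Run a list of sequence numbers through one window; return (seq, accepted) pairs."""
    win = AntiReplayWindow(window_size)
    return [(s, win.check_and_update(s)) for s in seqs]


# Constructed sample: in-order traffic, one reordered packet (4 after 5),
# a replayed copy of 3, a jump past the window, and two stale packets.
SAMPLE = [1, 2, 3, 5, 4, 3, 70, 5, 200, 130]
```

Reordered-but-unseen packets are accepted while duplicates and stale packets are dropped, which is why the window must be large enough for legitimate reordering on the path.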
Copyright © 2010, Juniper Networks, Inc.