Monitor Management On Screenos Devices Using Autokey Ike Vpn; Device-Level Autokey Ike Vpn: Using Vpn Rule Configuration Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide

Monitor Management on ScreenOS Devices Using AutoKey IKE VPN

You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Select the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel as described in Table 57 on page 230.

Table 57: Monitor

VPN Monitor Status
    Description

VPN Monitor
    When enabled, the device sends ICMP echo requests (pings) through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity (the device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination address). If the ping activity indicates that the VPN monitoring status has changed, the device triggers an SNMP trap; VPN Monitor (in RealTime Monitor) tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status. From ScreenOS 6.3, VPN monitor supports IPv6.

Rekey
    When enabled, the device regenerates the IKE key after a failed VPN tunnel attempts to reestablish itself. When disabled, the device monitors the tunnel only when the VPN passes user-generated traffic (instead of using device-generated ICMP echo requests). Use the rekey option to:
    - Keep the VPN tunnel up even when traffic is not passing through.
    - Monitor devices at the remote site.
    - Enable dynamic routing protocols to learn routes at a remote site and transmit messages through the tunnel.
    - Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface.

Optimized
    This option appears only for devices running ScreenOS 5.x. When enabled, the device optimizes its VPN monitoring behavior as follows:
    - Considers incoming traffic in the VPN tunnel as ICMP echo replies. This reduces false alarms that might occur when traffic through the tunnel is heavy and the echo replies cannot get through.
    - Suppresses VPN monitoring pings when the tunnel passes both incoming and outgoing traffic. This can help reduce network traffic.

Source Interface and Destination IP
    These options configure VPN monitoring when the other end of the VPN tunnel is not a security device. Specify the source and destination IP addresses.

Related Documentation
- Device-Level AutoKey IKE VPN: Using VPN Rule Configuration Overview on page 230
- Device Level AutoKey IKE VPN: Using Routes Configuration Overview on page 227

Device-Level AutoKey IKE VPN: Using VPN Rule Configuration Overview

After you have configured the VPN on each device you want to include in the VPN, you can add a VPN rule to a security policy:
- For policy-based VPNs, you must add a VPN rule to create the VPN tunnel.
- For route-based VPNs, the VPN tunnel is already in place. However, you might want to add a VPN rule to control traffic through the tunnel.
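
The VPN Monitor and Optimized rows of Table 57, modelled as a small Python simulation of how the two modes decide tunnel status and when a status change raises an SNMP trap. This is an added example, not Juniper code or part of the original guide; the `Interval` type, the `threshold` of consecutive missed replies before the tunnel is marked down, and the sample traffic pattern are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interval:                # one monitoring interval (hypothetical model type)
    rx: bool                   # user traffic arrived from the tunnel
    tx: bool                   # user traffic was sent into the tunnel
    reply_ok: bool             # an ICMP echo reply would make it back

def run_monitor(intervals, optimized, threshold=3):
    """Return (status per interval, pings sent, SNMP traps) for one tunnel.

    threshold = consecutive missed replies before DOWN (assumed value).
    """
    status, misses, pings, traps, history = "UP", 0, 0, [], []
    for n, iv in enumerate(intervals):
        if optimized and iv.rx and iv.tx:
            alive = True       # Optimized: traffic both ways, ping suppressed
        else:
            pings += 1         # device-generated ICMP echo request
            # Optimized: incoming tunnel traffic counts as an echo reply
            alive = iv.reply_ok or (optimized and iv.rx)
        misses = 0 if alive else misses + 1
        new_status = "DOWN" if misses >= threshold else "UP"
        if new_status != status:
            traps.append((n, new_status))   # status change triggers a trap
            status = new_status
        history.append(status)
    return history, pings, traps

# Constructed sample: idle tunnel, heavy traffic that starves echo replies,
# inbound-only traffic, then a real outage (nothing comes back).
SAMPLE = ([Interval(False, False, True)] * 2
          + [Interval(True, True, False)] * 4
          + [Interval(True, False, False)]
          + [Interval(False, True, False)] * 3)

if __name__ == "__main__":
    for optimized in (False, True):
        history, pings, traps = run_monitor(SAMPLE, optimized)
        print(f"optimized={optimized}: pings={pings} traps={traps}")
```

On the sample data, standard monitoring raises a DOWN trap during the congested intervals even though the tunnel is passing traffic, while the optimized run sends fewer pings and reports DOWN only once nothing is coming back through the tunnel.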
Copyright © 2010, Juniper Networks, Inc.
