Using L2TP; Choosing a VPN Tunnel Type - Juniper Network and Security Manager 2010.4 Administration Guide Rev1


Replay protection—In a replay attack, an attacker captures a series of legitimate
packets and resends them, either to mount a denial-of-service (DoS) attack against the
packet destination or to gain entry to a trusted network. Replay protection enables your
security devices to inspect every IPSec packet to determine whether it has been received
before: a packet whose sequence number falls outside the configured window, or that
repeats a sequence number already seen inside it, is rejected.
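The sequence-window check described above, as an added illustration (not code from the NSM guide or from Juniper): a 64-bit anti-replay window of the kind specified for ESP in RFC 4303, run over a constructed stream of sequence numbers that includes a reordered packet, two replays and one packet older than the window. The window size and the sample sequence numbers are assumptions made for the demo.

```python
"""Anti-replay sliding window as used by IPsec ESP/AH (RFC 4303 section 3.4.3).
Added illustration, not code from the NSM guide or from Juniper; the window size
and the sample sequence numbers are constructed for the demo."""

WINDOW_SIZE = 64  # RFC 4303 requires a minimum window of 32; 64 is a common choice


class ReplayWindow:
    """Tracks the highest sequence number accepted plus a bitmap of the last
    WINDOW_SIZE sequence numbers, so that each packet is accepted at most once."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0          # highest sequence number accepted so far (right edge)
        self.bitmap = 0       # bit i set => sequence number (top - i) has been seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window; return
        False (drop) for seq 0, duplicates, and packets older than the window."""
        if seq == 0:
            return False                  # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            shift = seq - self.top        # advance the window to the new right edge
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                  # too old: behind the left edge of the window
        if self.bitmap & (1 << diff):
            return False                  # already received inside the window: replay
        self.bitmap |= 1 << diff          # late but legitimate (reordered) packet
        return True


def replay_check(sequence):
    """Run a list of (possibly replayed or reordered) sequence numbers through one
    window and return the accept/drop verdict for each, in order."""
    window = ReplayWindow()
    return [window.check_and_update(s) for s in sequence]


# Constructed sample stream: in-order packets, one reordered, two replays,
# a jump that slides the window, and one packet that is exactly one too old.
SAMPLE = [1, 2, 3, 5, 4, 3, 100, 5, 36, 37, 99, 200, 137, 136]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE, replay_check(SAMPLE)):
        print(f"seq {seq:4d}: {'accept' if ok else 'DROP'}")
```

The bitmap only ever grows to the left edge of the window, so the check costs a shift and a mask per packet regardless of how much reordering the path introduces; a device that disabled replay protection would accept the replayed 3 and 5 and the stale 36 and 136 as valid traffic.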

Using L2TP

Layer 2 Tunneling Protocol (L2TP) is another tunneling protocol used to transmit data
across the Internet. Because L2TP can transport Point-to-Point Protocol (PPP) frames
over IP, it is often used to:
Establish PPP connections (for example, to authenticate ADSL subscribers with PPP when
the ISP sits on the far side of a telco IP/ATM network)
Transmit non-IP protocols (for example, to bridge Novell IPX and other network protocols)
PPP sends IP datagrams over a serial link and is commonly used to connect dial-up users
to their ISP and to the Internet. PPP authenticates the username and password and
assigns parameters such as the IP address, IP gateway, and DNS servers. PPP can also
carry non-IP traffic, such as Novell IPX or AppleTalk, across a serial link.
PPP is also useful because it can authenticate connections against RADIUS servers.
However, because PPP is not an IP protocol, Internet routers and switches cannot route
PPP frames. To route them, you use L2TP, which encapsulates each PPP frame inside a
routable UDP packet (UDP port 1701). L2TP VPNs support remote access service (RAS)
users authenticated with Password Authentication Protocol (PAP) or Challenge Handshake
Authentication Protocol (CHAP).
Using L2TP Over AutoKey IKE
L2TP only encapsulates and transmits packets; it provides no encryption, integrity
protection, or peer authentication of its own, and a PAP exchange carries the user's
password in the clear inside the PPP frame. For these data protection services, you
must further encapsulate the L2TP packet in an IPSec tunnel using AutoKey IKE.
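To make concrete why L2TP needs the IPSec encapsulation, here is an added example (not code from the NSM guide or from Juniper) that builds an L2TP data message as it would travel in UDP port 1701, carrying a PPP frame whose payload is a PAP Authenticate-Request, and then parses it the way a passive observer on the path would. The header layouts follow RFC 2661 and RFC 1334; the tunnel and session IDs, user name and password are constructed values.

```python
"""L2TP data message (RFC 2661) carrying a PPP frame with a PAP Authenticate-Request
(RFC 1334). Added example, not code from the NSM guide or from Juniper; the tunnel
and session IDs, user name and password below are constructed for the demo."""
import struct

L2TP_UDP_PORT = 1701            # L2TP runs over UDP; this is the registered port
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03
PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQUEST = 1
# Flags/Ver word bits (RFC 2661 section 3.1): T = control message, L = Length present,
# S = Ns/Nr present, O = Offset present, low nibble = version (2).
L2TP_T, L2TP_L, L2TP_S, L2TP_O, L2TP_VER = 0x8000, 0x4000, 0x0800, 0x0200, 0x000F


def build_pap_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Code=1, Identifier, Length, Peer-ID, Password, all in clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def build_ppp(protocol, information):
    """PPP frame as carried by L2TP: HDLC address/control bytes, 2-byte protocol, payload."""
    return bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", protocol) + information


def build_l2tp_data(tunnel_id, session_id, ppp_frame, ns=None, nr=None):
    """L2TP data message (T=0) with the Length field present and, optionally, Ns/Nr."""
    flags = L2TP_L | 2
    seq = b""
    if ns is not None:
        flags |= L2TP_S
        seq = struct.pack("!HH", ns, nr)
    rest = struct.pack("!HH", tunnel_id, session_id) + seq + ppp_frame
    return struct.pack("!HH", flags, 4 + len(rest)) + rest   # Length covers the whole message


def parse_l2tp(datagram):
    """Decode the L2TP header; return (header fields, payload). Rejects anything but version 2."""
    flags, = struct.unpack_from("!H", datagram, 0)
    if flags & L2TP_VER != 2:
        raise ValueError("not an L2TPv2 message")
    off, length = 2, None
    if flags & L2TP_L:
        length, = struct.unpack_from("!H", datagram, off)
        off += 2
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, off)
    off += 4
    ns = nr = None
    if flags & L2TP_S:
        ns, nr = struct.unpack_from("!HH", datagram, off)
        off += 4
    if flags & L2TP_O:                           # Offset Size, then that many pad bytes
        offset_size, = struct.unpack_from("!H", datagram, off)
        off += 2 + offset_size
    end = len(datagram) if length is None else length
    if end > len(datagram) or off > end:
        raise ValueError("L2TP Length field exceeds datagram")
    fields = {"control": bool(flags & L2TP_T), "length": length,
              "tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr}
    return fields, datagram[off:end]


def extract_pap_credentials(datagram):
    """What a passive observer on the path sees when L2TP runs without IPSec:
    the (peer_id, password) pair from a PAP Authenticate-Request, or None."""
    fields, ppp = parse_l2tp(datagram)
    if fields["control"]:
        return None
    if ppp[:2] == bytes([PPP_ADDRESS, PPP_CONTROL]):
        ppp = ppp[2:]                          # address/control may be compressed away (ACFC)
    proto, = struct.unpack_from("!H", ppp, 0)
    if proto != PPP_PROTO_PAP:
        return None
    code, _ident, pap_len = struct.unpack_from("!BBH", ppp, 2)
    if code != PAP_AUTH_REQUEST:
        return None
    pap = ppp[2:2 + pap_len]
    id_len = pap[4]
    peer_id = pap[5:5 + id_len]
    pw_len = pap[5 + id_len]
    password = pap[6 + id_len:6 + id_len + pw_len]
    return peer_id.decode(), password.decode()


# Constructed sample: one L2TP data message on UDP/1701 carrying the PAP request.
SAMPLE_DATAGRAM = build_l2tp_data(
    tunnel_id=0x1234, session_id=0x5678,
    ppp_frame=build_ppp(PPP_PROTO_PAP, build_pap_request(7, b"alice", b"hunter2")))

if __name__ == "__main__":
    fields, _ = parse_l2tp(SAMPLE_DATAGRAM)
    print("L2TP header:", fields)
    print("credentials readable on the wire:", extract_pap_credentials(SAMPLE_DATAGRAM))
```

Run without IPSec, the user name and password come straight out of the UDP payload; with the same L2TP packet inside an ESP tunnel the observer sees only ciphertext, which is why the guide requires AutoKey IKE underneath L2TP. CHAP avoids sending the password itself but still exposes a challenge/response pair that can be attacked offline, so the IPSec layer is needed for either method.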
Choosing a VPN Tunnel Type
You can configure three types of VPN tunnels with NSM:
Policy-based VPNs—The VPN tunnel is created and maintained only while network traffic
matching a VPN rule is being transferred, and is torn down when the connection ends.
Use policy-based VPNs when you want to encrypt and authenticate only certain types of
traffic between two VPN members.
Route-based VPNs—The VPN tunnel is created when the route is defined and is
maintained continuously. Use route-based VPNs when you want to encrypt and
authenticate all traffic between two VPN members. You cannot add RAS users to a
route-based VPN.
Mixed-mode VPNs—A mixed-mode VPN connects policy-based VPN members to route-based
VPN members. You cannot add RAS users to a mixed-mode VPN.
The following sections describe the policy-based and route-based VPN types in detail.
Copyright © 2010, Juniper Networks, Inc.
