Juniper Network and Security Manager 2010.4 Administration Guide, Rev. 1: About Policy-Based VPNs; About Route-Based VPNs; VPN Checklist; Define Members and Topology


Copyright © 2010, Juniper Networks, Inc.

About Policy-Based VPNs

A policy-based VPN tunnels traffic between two security devices or between one security
device and a remote user. Each time a security device detects traffic that matches the
from zone, source, to zone, destination, and service of the VPN rule, it brings up the VPN
tunnel to encrypt, authenticate, and send the data to the specified destination. When no
traffic matches the VPN rule, the security device tears down the VPN tunnel. Traffic that does
not match the VPN rule is handled by whatever other policy it matches, so only the traffic the
rule names is protected by the tunnel.
To create a policy-based VPN, use NSM to configure a policy based on the network
components you want to protect, including protected resources, then push the
configuration to the security devices. The security devices use the configuration to create
the VPN tunnel. A protected resource is a combination of a network component and a
service; protected resources in a VPN can communicate with other protected resources
using the specified services. In a VPN rule, you add protected resources as the source
and destination IP addresses.
Policy-based VPNs can use any of the supported data protection methods. Use
policy-based VPNs when you want to enable Remote Access Services (RAS). You can
add users to the VPN just as you add devices, enabling user access to all resources within
the VPN.

About Route-Based VPNs

Like a policy-based VPN, a route-based VPN tunnels traffic between two security devices
or between one security device and a remote user. However, a route-based VPN
automatically tunnels all traffic between two termination points, without regard for the
type of traffic. Because the tunnel is an always-on connection between two network
points, the security device views the tunnel as a static network resource through which
to route traffic.
To create the termination points of the tunnel, you designate an interface on the security
device as a tunnel interface, then define a static route or use a dynamic routing protocol
(BGP, OSPF) between all tunnel interfaces in the VPN. The tunnel interface, just like a
physical interface, maintains state to enable dynamic routing protocols to make route
decisions. When using VPN Manager to create your route-based VPNs, the tunnel
interfaces are automatically created for you.
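The two sections above describe two different decisions: a policy-based VPN protects a flow only when all five rule attributes (from zone, source, to zone, destination, service) match, while a route-based VPN protects everything whose destination routes to the tunnel interface. The following Python model is an added example, not text or code from this guide and not NSM or ScreenOS code; it assumes ScreenOS-style top-down, first-match policy evaluation and longest-prefix route selection, and every zone, address, service, VPN and interface name in it (trust, untrust, vpn-branch, tunnel.1, ethernet0/0, the 10.x and 203.0.113.x prefixes) is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    from_zone: str
    src: str
    to_zone: str
    dst: str
    service: str            # e.g. "tcp/443"


@dataclass(frozen=True)
class Policy:
    from_zone: str
    src_net: str
    to_zone: str
    dst_net: str
    service: str            # "any" or an exact service name
    action: str             # "permit", "deny" or "tunnel"
    vpn: Optional[str] = None   # VPN name when action == "tunnel"


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str          # "tunnel.N" marks a tunnel interface


def policy_based(flow: Flow, policies: List[Policy]) -> str:
    """Policy-based VPN decision: the first policy whose five attributes all
    match decides the flow (assumed top-down, first-match evaluation).
    Returns 'tunnel:<vpn>', 'clear' (permitted, unencrypted) or 'drop'."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for p in policies:
        if (p.from_zone == flow.from_zone and p.to_zone == flow.to_zone
                and src in ipaddress.ip_network(p.src_net)
                and dst in ipaddress.ip_network(p.dst_net)
                and p.service in ("any", flow.service)):
            if p.action == "tunnel":
                return f"tunnel:{p.vpn}"
            return "clear" if p.action == "permit" else "drop"
    return "drop"   # implicit deny when nothing matches


def route_based(flow: Flow, routes: List[Route]) -> str:
    """Route-based VPN decision: longest-prefix match on the destination only.
    Zone and service play no part; anything routed to a tunnel interface is
    encrypted whatever the protocol."""
    dst = ipaddress.ip_address(flow.dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    if best is None:
        return "drop"
    kind = "tunnel" if best.interface.startswith("tunnel.") else "clear"
    return f"{kind}:{best.interface}"


# Constructed sample flows: an HQ host (10.1.1.0/24, zone trust) talking to a
# branch network (10.2.2.0/24) and to an Internet host, both via zone untrust.
HTTPS_TO_BRANCH = Flow("trust", "10.1.1.10", "untrust", "10.2.2.10", "tcp/443")
SSH_TO_BRANCH = Flow("trust", "10.1.1.10", "untrust", "10.2.2.10", "tcp/22")
HTTPS_TO_INET = Flow("trust", "10.1.1.10", "untrust", "203.0.113.5", "tcp/443")

# Constructed policies: a VPN rule that tunnels only HTTPS to the branch, and a
# broad outbound permit rule.
TUNNEL_RULE = Policy("trust", "10.1.1.0/24", "untrust", "10.2.2.0/24",
                     "tcp/443", "tunnel", "vpn-branch")
OUTBOUND_ANY = Policy("trust", "10.1.1.0/24", "untrust", "0.0.0.0/0",
                      "any", "permit")
POLICIES_OK = [TUNNEL_RULE, OUTBOUND_ANY]    # tunnel rule listed first
POLICIES_BAD = [OUTBOUND_ANY, TUNNEL_RULE]   # broad permit shadows the tunnel rule

# Constructed routing table for the route-based design: branch prefix via the
# tunnel interface, everything else via the physical uplink.
ROUTES = [Route("10.2.2.0/24", "tunnel.1"), Route("0.0.0.0/0", "ethernet0/0")]


if __name__ == "__main__":
    for name, flow in [("https->branch", HTTPS_TO_BRANCH),
                       ("ssh->branch", SSH_TO_BRANCH),
                       ("https->internet", HTTPS_TO_INET)]:
        print(f"{name:16} policy-based: {policy_based(flow, POLICIES_OK):18} "
              f"policy-based (shadowed): {policy_based(flow, POLICIES_BAD):8} "
              f"route-based: {route_based(flow, ROUTES)}")
```

The model makes the practical consequence of each design visible. Under the policy-based rule, a service the VPN rule does not list (SSH in the sample) still reaches the branch network, but in clear text through the broader permit rule, and placing that broader rule above the tunnel rule shadows the tunnel entirely, so rule order must be checked whenever a policy-based VPN is added to an existing rulebase. Under the route-based design every packet routed to tunnel.1 is encrypted regardless of service. On the device a route-based VPN still needs a permit policy between the zones involved; only the decision of what to tunnel moves from the policy to the routing table.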
VPN Checklist

After you have carefully considered your VPN requirements, create a VPN checklist to
help you determine the VPN components you need to create. You might also want to
create a network diagram of your topology that includes protected resources, VPN
members, their IP addresses and gateways, and the type of tunnel between them.

Define Members and Topology

What do you want to connect?
  - Devices
  - Network components / protected resources

Chapter 12: Configuring VPNs (page 559)
