Configuring Required Routing-Based VPN Components - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual


Configuring Required Routing-Based VPN Components

Copyright © 2010, Juniper Networks, Inc.
The container part contains a continuous section of the DN; for example, "OU=a,O=b". Any DN containing all specified elements in the correct order is accepted.
Up to seven wildcards can be specified, one for each of the following elements: CN, OU, O, L, ST, C, Email.
NSM supports the DC container type when using ASN1-DN to create an IKE ID or a group IKE ID that enables multiple, concurrent connections to the same VPN tunnel. During Phase 1 negotiations, IKE first attempts to make an exact match between the RAS IKE ID and the peer gateway IKE ID.
If no match is found, IKE then attempts to make a partial match between the RAS IKE ID and the Group IKE ID. When selecting this type, you must enter a container identity or a wildcard ID (CN, OU, O, L, ST, C, Email).
NSM devices authenticate a RAS IKE user's ID if the values in the RAS IKE user's ASN1-DN identity fields exactly match the values in the group IKE user's ASN1-DN identity fields. The container ID type supports multiple entries for each identity field (for example, "ou=eng,ou=sw,ou=screenos"). The ordering of the values in the identity fields of the two ASN1-DN strings must be identical. In this part of IKE ID matching, the DC element must also be allowed to match.
NSM also supports DC in a wildcard when using ASN1-DN to create an IKE ID or a group of wildcard IDs.
NSM devices authenticate a RAS IKE user's ID if the values in the RAS IKE user's ASN1-DN identity fields match those in the group IKE user's ASN1-DN identity fields. The wildcard ID supports only one value per identity field (for example, "ou=eng" or "ou=sw", but not "ou=eng, ou=sw"). The ordering of the identity fields in the two ASN1-DN strings is inconsequential. In this part of IKE ID matching, DC must be supported as a wildcard element.
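The two matching modes described above (an ordered container ID that may repeat a field, and an order-independent wildcard ID with one value per field, DC accepted in both) are illustrated by the following added example. It is not NSM or ScreenOS code; the subsequence interpretation of "correct order", the case-insensitive field names and the simplified DN parser (no escaped commas) are assumptions made for the illustration.

```python
from typing import Dict, List, Set, Tuple

# Identity fields the page lists (CN, OU, O, L, ST, C, Email) plus DC, which
# NSM must also accept in both container and wildcard IDs.
ALLOWED = {"CN", "OU", "O", "L", "ST", "C", "EMAIL", "DC"}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "ou=eng,ou=sw,dc=example" into ordered (FIELD, value) pairs.
    Simplification (assumption): escaped commas in values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        field, _, value = rdn.partition("=")
        field = field.strip().upper()
        if field not in ALLOWED:
            raise ValueError(f"unsupported DN element: {field}")
        pairs.append((field, value.strip()))
    return pairs

def container_match(group_id: str, user_dn: str) -> bool:
    """Container ID: every element of the group ID must occur in the user's DN
    in the same relative order (ordered subsequence); repeated fields such as
    "ou=eng,ou=sw,ou=screenos" are allowed and must keep their order."""
    want, have = parse_dn(group_id), parse_dn(user_dn)
    pos = 0
    for elem in want:
        while pos < len(have) and have[pos] != elem:
            pos += 1
        if pos == len(have):
            return False  # element missing or out of order
        pos += 1
    return True

def wildcard_match(group_id: str, user_dn: str) -> bool:
    """Wildcard ID: one value per field, field order ignored. Each field named in
    the group ID must carry that exact value somewhere in the user's DN."""
    want = parse_dn(group_id)
    fields = [f for f, _ in want]
    if len(fields) != len(set(fields)):
        raise ValueError("wildcard ID allows only one value per identity field")
    have: Dict[str, Set[str]] = {}
    for field, value in parse_dn(user_dn):
        have.setdefault(field, set()).add(value)
    return all(value in have.get(field, set()) for field, value in want)
```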
Configuring Group IKE IDs
If your VPN includes multiple remote users, it can be impractical to create an IKE ID and VPN rule for each. Instead, you can use a Group IKE ID to authenticate multiple users in a single VPN rule. In the security device configuration VPN settings, create a VPN Group and specify the maximum number of concurrent connections that the group supports (this cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number of VPN tunnels allowed on the Juniper Networks security device platform).
For details on group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
A route-based VPN requires two components:
Tunnel Interface or Zone
Route (Static or Dynamic)
The following sections detail how to configure each required component.
Chapter 12: Configuring VPNs
565
