Network and Security Manager Administration Guide
Configuring Members
Type (AutoKey IKE VPN Only). Select the components you want to configure for
the VPN: Route-based components, Policy-based components, or both. By default,
VPN Manager displays all Route- and Policy-based components for an AutoKey
IKE VPN.
Dial Backup. When enabled, VPN Manager displays the dial backup option for
route-based components (dial backup is supported only on NetScreen-5GT
devices running ScreenOS 5.1 and later).
3. Click OK to save the VPN and return to VPN Manager.
The second step in configuring your VPN is to add members to the VPN. Depending on
the type of VPN you are creating, you can add protected resources, security devices,
and/or RAS users as VPN members.
Adding Policy-Based Members
In the policy-based configuration area, you can add protected resources to the VPN. Click
the Protected Resources link and select the predefined protected resources you want to
include in the VPN.
After you have added the protected resources, you can configure NAT and/or L2TP
settings on the security device that protects each resource:
For L2TP RAS VPNs and L2TP over AutoKey IKE VPN protected resources, you must
configure L2TP settings.
For all protected resources, you can configure policy-based NAT. Use policy-based
NAT to translate private source IP addresses to Internet-routable IP addresses.
Configuring NAT is optional; if you do not use NAT on your network, you do not need
to configure NAT for the VPN.
The following sections detail how to configure NAT and L2TP.
Configuring NAT
Below the Protected Resources window, select NAT to display the protecting security
devices for each protected resource. Select the device for which you want to configure
NAT. Enable NAT and specify the following values (you cannot edit the name of the
device or the zone that contains the protected resource).
Configure Incoming DIP—You can enable the security device to use a Dynamic IP pool
for incoming VPN traffic. For each incoming VPN packet, the device translates the
destination address into an IP address that is selected from the DIP pool.
Interface for Incoming DIP. Select the interface that receives traffic addressed to
Dynamic IP addresses.
Incoming Global DIP. Select the Global DIP object that represents the range of IP
addresses available to the security device. (This DIP pool must include IP addresses
that are routable on your internal network.)
For details on configuring DIP objects.
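A pre-deployment check for the routability requirement on the Incoming Global DIP pool, as an added example that is not part of the guide or of NSM. The function name, the sample pool and the route list are constructed, and ignoring default routes is an assumption of this sketch.

```python
import ipaddress


def uncovered_dip_ranges(dip_start, dip_end, internal_routes):
    """Return the parts of the DIP pool [dip_start, dip_end] that no
    internal route covers, as "first-last" strings (empty list = fully routable)."""
    start = ipaddress.ip_address(dip_start)
    end = ipaddress.ip_address(dip_end)
    if start.version != end.version or int(start) > int(end):
        raise ValueError("DIP pool start/end are not a valid range")

    nets = [ipaddress.ip_network(r, strict=False) for r in internal_routes]
    # Assumption: a default route (/0) points out of the internal network,
    # so it does not prove that an address is routable internally.
    nets = [n for n in nets if n.version == start.version and n.prefixlen > 0]

    # Merge overlapping/adjacent prefixes, then walk them in address order.
    covered = sorted(
        (int(n.network_address), int(n.broadcast_address))
        for n in ipaddress.collapse_addresses(nets)
    )

    gaps, cursor, last = [], int(start), int(end)
    for lo, hi in covered:
        if hi < cursor:
            continue            # route lies entirely before the unchecked part
        if lo > last:
            break               # route lies entirely after the pool
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = hi + 1
        if cursor > last:
            break
    if cursor <= last:
        gaps.append((cursor, last))

    addr = type(start)          # IPv4Address or IPv6Address
    return [f"{addr(lo)}-{addr(hi)}" for lo, hi in gaps]


if __name__ == "__main__":
    # Constructed sample data: internal route table and two candidate pools.
    routes = ["10.1.0.0/16", "192.168.10.0/24", "0.0.0.0/0"]
    for pool in [("10.1.5.10", "10.1.5.50"), ("192.168.10.250", "192.168.11.5")]:
        missing = uncovered_dip_ranges(*pool, routes)
        print(pool, "OK" if not missing else f"not routable internally: {missing}")
```

An empty result means every address in the pool falls inside a known internal prefix; any returned range should be removed from the DIP object or given an internal route before the VPN is pushed.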
Copyright © 2010, Juniper Networks, Inc.