Configuring Topology; Configuring Common Vpn Topologies - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Configuring Topology

After VPN Manager generates the tunnel interfaces, you must configure static or
dynamic routes on each VPN member to route traffic to other VPN members.

In the general configuration area, you can define the topology and/or termination points
of the VPN:

- The topology of the VPN determines how VPN members logically connect to each
  other. The topology is the communication path that VPN traffic must take to reach a
  VPN member.
- The termination points of the VPN determine how VPN members physically connect
  to each other. A termination point is the interface on each VPN member that sends
  and receives VPN traffic to and from the VPN tunnel.

NOTE: If you change the security device that protects a resource, NSM
removes the previous security device from all affected VPNs and adds the
new security device. However, NSM does not configure the VPN topology
for the new security device—you must reconfigure the topology to include
the new device manually.

For AutoKey IKE VPNs, you must define the topology for the VPN. Each VPN member is
a node that has specific connection capabilities, and the topology describes the logical
connections between those nodes.

A node can be:

- Hub—A hub can connect to a branch or main.
- Main—A main can connect to a hub, branch, or another main. When configuring a VPN
  that uses multiple mains, you can select to mesh all mains (all mains can communicate
  with each other) or disable all main meshing.
- Branch—A branch can connect to a hub or a main. Branches can send and receive VPN
  traffic to and from a hub or a main device, but cannot communicate directly with other
  branches unless in a dual hub setup.

Additionally, you can use a supernet to reduce the number of rules required for the hub
device in a policy-based VPN. A supernet is an address object group containing the
network address objects that represent the source and destination points of the VPN.
Use a supernet when the hub device supports a small number of rules.
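
The node connection rules above can be checked against a planned topology before it is built in VPN Manager. The following is an added example, not part of the Juniper guide and not NSM code: the function name, device names and sample plan are hypothetical, and the dual hub exception is not modelled, so a branch-to-branch finding means the link needs review.

```python
from itertools import combinations

# Role pairings the guide permits. Hub-to-hub and branch-to-branch are absent.
ALLOWED = {frozenset(p) for p in (("hub", "branch"), ("hub", "main"),
                                  ("main", "main"), ("main", "branch"))}

def audit_topology(roles, links, mesh_mains):
    """Return sorted findings for a planned AutoKey IKE VPN topology.

    roles: device name -> "hub", "main" or "branch"
    links: iterable of (device, device) logical connections
    mesh_mains: True if all mains are meshed, False if main meshing is disabled
    """
    findings, seen = [], set()
    for a, b in links:
        if a == b or a not in roles or b not in roles:
            findings.append(f"{a}-{b}: self-link or device with no assigned role")
            continue
        seen.add(frozenset((a, b)))
        kinds = frozenset((roles[a], roles[b]))
        if kinds not in ALLOWED:
            findings.append(
                f"{a}-{b}: {roles[a]}-to-{roles[b]} is not a permitted connection")
        elif kinds == {"main"} and not mesh_mains:
            findings.append(f"{a}-{b}: main-to-main link but main meshing is disabled")
    if mesh_mains:
        # With meshing selected, every pair of mains is expected to be connected.
        mains = sorted(d for d, r in roles.items() if r == "main")
        for a, b in combinations(mains, 2):
            if frozenset((a, b)) not in seen:
                findings.append(f"{a}-{b}: link missing although all mains are meshed")
    return sorted(findings)

# Constructed sample plan; device names are hypothetical.
ROLES = {"hq-hub": "hub", "dc1": "main", "dc2": "main", "dc3": "main",
         "br1": "branch", "br2": "branch"}
LINKS = [("hq-hub", "br1"), ("hq-hub", "br2"), ("hq-hub", "dc1"),
         ("dc1", "dc2"), ("dc1", "br1"), ("br1", "br2")]

if __name__ == "__main__":
    for mesh in (True, False):
        print(f"mesh_mains={mesh}")
        for finding in audit_topology(ROLES, LINKS, mesh):
            print("  " + finding)
```
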

Configuring Common VPN Topologies

You can use VPN Manager to configure the following common VPN topologies:

- Hub and Spoke—Select a device to act as the hub; this device connects VPN members
  and enables them to communicate. Next, select the VPN members to be the spokes.
  You are not required to use a VPN member as a hub:
Copyright © 2010, Juniper Networks, Inc.

This manual is also suitable for:

Network and security manager 2010.4