Defining Termination Points; Configuring Gateways; Configuring Gateway Properties - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Configuring Gateways

576
Select the devices to act as mains; these devices can communicate with all other
VPN members.
Select the remaining devices as branches; these devices communicate with all mains.
Full Mesh—Select all VPN members to act as mains. All members can communicate
with any other VPN member. Do not select a hub.
Site to Site—Select both VPN members as mains. Each member can communicate
with the other VPN member. Do not select a hub.

Defining Termination Points

You must define the termination interface for each security device in the VPN. The
Termination Points tab displays the default termination points for the VPN. A termination
point is the interface on a security device that sends and receives VPN traffic to and from
the VPN tunnel, and is typically in the Untrust zone. Each VPN member (the security
devices included as routing-based members and/or as protected resources for
policy-based members) has a default termination interface.
NOTE: You do not need to select the serial interface on a NetScreen-5GT
security device to enable dial backup for the VPN tunnel. If you have enabled
Dial Backup for the device in the Route-Based Configuration area, VPN
Manager automatically generates the termination point for the serial interface
during VPN creation.
To override the default termination interface, right-click the VPN member, select Edit,
and select a new termination interface for the device.
To configure the gateways for VPN, click the Gateway Parameters link.

Configuring Gateway Properties

In the Properties tab, specify the following gateway values.
Selecting a Mode
The mode determines how Phase 1 negotiations occur. Select the mode that meets your
VPN requirements:
Main mode—The IKE identity of each node is protected. Each node sends three two-way
messages (six messages total); the first two messages negotiate encryption and
authentication algorithms that protect subsequent messages, including the IKE identity
exchange between the nodes. Depending on the speed of your network connection
and the encryption and authentication algorithms you use, main mode negotiations
can take a long time to complete. Use Main mode when security is more important.
Aggressive mode—The IKE identity of each node is not protected. The initiating node
sends two messages and the receiving node sends one (three messages total); all
messages are sent in the clear, including the IKE identity exchange between the nodes.
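The difference between the two modes is visible on the wire: in Aggressive mode the ID payload is carried in the very first unencrypted message, whereas in Main mode it only appears once the Encryption flag is set. The following audit helper is an added example, not code from the Juniper guide; it parses the ISAKMP (IKEv1) header and payload chain per RFC 2408 and reports whether a Phase 1 message exposes an identity in cleartext. The sample packets and the gateway identity "gw.example" are constructed.

```python
import struct

# ISAKMP (IKEv1) constants from RFC 2408: exchange types and payload types.
EXCHANGE_TYPES = {2: "main", 4: "aggressive"}   # 2 = Identity Protection (Main mode)
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
FLAG_ENCRYPTED = 0x01
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")  # 28-byte fixed header

def parse_isakmp(packet):
    """Parse an IKEv1 header; if the Encryption flag is clear, walk the generic
    payload chain and report whether an ID payload travels in cleartext."""
    if len(packet) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, nxt, _ver, exch, flags, _msgid, length = ISAKMP_HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    encrypted = bool(flags & FLAG_ENCRYPTED)
    seen = []
    offset = ISAKMP_HEADER.size
    while not encrypted and nxt != 0:           # payload chain is only parseable in the clear
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("bad payload length")
        seen.append(nxt)
        offset, nxt = offset + plen, following
    return {"mode": EXCHANGE_TYPES.get(exch, "other(%d)" % exch),
            "encrypted": encrypted, "cleartext_id": PAYLOAD_ID in seen}

def build_message(exchange_type, flags, payloads):
    """Assemble a minimal ISAKMP message from (payload_type, body) pairs.
    Constructed test data only, not a working IKE implementation."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange_type,
                                flags, 0, ISAKMP_HEADER.size + len(body))
    return header + body

# Constructed samples (hypothetical identity "gw.example"): Aggressive message 1 carries
# SA, KE, NONCE and ID in the clear; Main message 1 carries only SA; Main message 5
# carries the ID but with the Encryption flag set.
ID_BODY = b"\x02\x11\x00\x00" + b"gw.example"   # ID_FQDN, proto UDP, port 0
AGGRESSIVE_MSG1 = build_message(4, 0, [(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_KE, b"\xaa" * 16),
                                       (PAYLOAD_NONCE, b"\xbb" * 16), (PAYLOAD_ID, ID_BODY)])
MAIN_MSG1 = build_message(2, 0, [(PAYLOAD_SA, b"\x00" * 8)])
MAIN_MSG5 = build_message(2, FLAG_ENCRYPTED, [(PAYLOAD_ID, ID_BODY)])
```

Running `parse_isakmp` over captured UDP/500 traffic flags any Aggressive mode negotiation whose ID payload is readable, which is exactly the exposure the guide attributes to that mode.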
Copyright © 2010, Juniper Networks, Inc.
