Configuring IKE; IKE Properties - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Configuring IKE

580
The IKE ID tab displays all security devices included as routing-based members and/or
as protected resources for policy-based members. For each device, select the IKE ID type
and enter the ID value:

ASN1-DN—Abstract Syntax Notation, version 1 is a data representation format that is
non-platform specific; Distinguished Name is the name of the computer. Use ASN1-DN
to create a Group IKE ID that enables multiple, concurrent connections to the same
VPN tunnel; use a Group IKE ID to make configuring and maintaining your VPN quicker
and easier.
For details on how Group IKE IDs work, see "Configuring Group IKE IDs" on page 565.
For details on determining the ASN1-DN container and wildcard values for Group IKE
IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.

FQDN—Use a Fully Qualified Domain Name when the gateway has a dynamic IP address.
An FQDN is a name that identifies (qualifies) a computer to the DNS protocol using the
computer name and the domain name, for example, server1.colorado.mycompany.com.

IP Address—Use an IP address when the gateway has a static IP address.

U-FQDN—Use a User Fully Qualified Domain Name when the gateway has a dynamic IP
address, such as a RAS user. A U-FQDN is an e-mail address, for example,
user1@mycompany.com.

To configure the IKE properties and Phase 2 Proposals for the VPN, click the IKE
Parameters link. Because L2TP RAS VPNs do not support encryption, you do not need
to configure IKE properties for L2TP RAS VPNs.

IKE Properties

Configure the IKE properties:

Idle Time to Disable SA—Configure the number of minutes before a session that has
no traffic automatically disables the SA.

Replay Protection—In a replay attack, an attacker intercepts a series of legitimate
packets and uses them to create a denial-of-service (DoS) against the packet
destination or to gain entry to trusted networks. If replay protection is enabled, your
security devices inspect every IPSec packet to see if the packet has been received
before—if packets arrive outside a specified sequence range, the security device rejects
them.

IPSec Mode—Configure the mode:

  Use tunnel mode for IPSec. Before an IP packet enters the VPN tunnel, NSM
  encapsulates the packet in the payload of another IP packet and attaches a new IP
  header. This new IP packet can be authenticated, encrypted, or both.
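The replay-protection behaviour described above (a receiver accepting each IPSec packet once and rejecting anything that is a duplicate or falls behind the sequence window) can be modelled with a sliding bitmap window. This is an added example, not Juniper's or NSM's code; the window size and the packet sequence numbers are constructed for illustration.

```python
"""Sliding-window anti-replay check, modelling what an IPSec receiver does
with the sequence number carried in each ESP/AH packet.

Added example (not Juniper's or NSM's code). The window size and the
sequence numbers fed in below are constructed values for illustration.
"""


class ReplayWindow:
    """Tracks the highest sequence number accepted on one SA plus a bitmap
    of which of the last `size` sequence numbers have already been seen
    (the 'specified sequence range' the device checks against)."""

    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was seen

    def check(self, seq):
        """Return 'accept', 'replay' or 'stale' for sequence number `seq`,
        recording it when accepted."""
        if seq == 0:
            return "stale"          # sequence number 0 is never valid
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap and
            # mark this packet as seen; bits that fall off the end are lost.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"          # behind the window: rejected
        if self.bitmap & (1 << offset):
            return "replay"         # already received once: rejected
        self.bitmap |= 1 << offset  # late but inside the window: accepted
        return "accept"


def process(seqs, size=64):
    """Run a constructed list of packet sequence numbers through one SA's
    window and return the verdict for each packet in order."""
    window = ReplayWindow(size)
    return [window.check(s) for s in seqs]
```

Reordered packets inside the window are still accepted; a second copy of any accepted packet, or a packet older than the window, is dropped.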
Copyright © 2010, Juniper Networks, Inc.
