Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual page 631


Copyright © 2010, Juniper Networks, Inc.
Use transport mode for L2TP-over-AutoKey IKE VPNs. NSM does not encapsulate
the IP packet, meaning that the original IP header must remain in plaintext. However,
the original IP packet can be authenticated, and the payload can be encrypted.
Do not set Fragment Bit in the Outer Header—The Fragment Bit controls how the IP
packet is fragmented when traveling across networks.
Clear. Use this option to enable IP packets to be fragmented.
Set. Use this option to ensure that IP packets are not fragmented.
Copy. Select to use the same option as specified in the internal IP header of the
original packet.
Monitor
You can enable VPN Monitor and configure the monitoring parameters for the device.
Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display
statistics for the VPN tunnel, configure the following:
VPN Monitor—When enabled, the security devices in the VPN send ICMP echo requests
(pings) through the tunnel at specified intervals (configurable in seconds) to monitor
network connectivity (each device uses the IP address of the local outgoing interface
as the source address and the IP address of the remote gateway as the destination
address). If the ping activity indicates that the VPN monitoring status has changed,
the device triggers an SNMP trap; the VPN Monitor (in Realtime Monitor) tracks these
SNMP statistics for VPN traffic in the tunnel and displays the tunnel status.
Rekey—When enabled, the security devices in the VPN regenerate the IKE key after a
failed VPN tunnel attempts to reestablish itself. When disabled, each device monitors
the tunnel only when the VPN passes user-generated traffic (instead of using
device-generated ICMP echo requests). Use the rekey option to:
Enable dynamic routing protocols to learn routes and transmit messages through
the tunnel.
Automatically populate the next-hop tunnel binding table (NHTB table) and the
route table when multiple VPN tunnels are bound to a single tunnel interface.
For details on VPN monitoring at the device level, see the Juniper Networks ScreenOS 5.x
Concepts and Examples Guide.
Differentiated Services Code Point Mark
If you want to set the Differentiated Services Code Point (DSCP) field of the IPSec IPv4
header to a specified value for each route-based VPN at the Phase2 configuration level,
devices running ScreenOS 6.1 and later allow you to do so on both ASIC and non-ASIC
platforms. ScreenOS 6.1 and later support the DSCP value configuration for tunnel mode
ESP packets only.
You cannot configure the DSCP setting if:
The IPSec mode is transport.
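As an added example (not code from this guide or from NSM), the following Python derives the outer IPv4 header a gateway prepends to a tunnel-mode ESP packet, applying the Don't Fragment options (Clear, Set, Copy) and the DSCP mark described above, and refusing a DSCP mark when the IPSec mode is transport. The addresses are constructed, and copying the inner TOS byte when no DSCP mark is configured is an assumption of the example, not a behaviour stated on this page.

```python
import socket
import struct
from typing import Optional

# Constructed example: build the tunnel-mode outer IPv4 header for an ESP
# payload, applying the NSM "Don't Fragment" policy and the DSCP mark.
# Assumption: with no DSCP mark configured, the inner TOS byte is copied.

DF_FLAG = 0x4000   # "Don't Fragment" bit in the IPv4 flags/fragment-offset field
ESP_PROTO = 50     # IP protocol number of ESP


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over a 20-byte header (checksum field as-is)."""
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                tos: int = 0, flags: int = 0, ident: int = 0, ttl: int = 64) -> bytes:
    """Build a minimal (no options) IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, flags,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def outer_header(inner: bytes, esp_len: int, local_if: str, remote_gw: str,
                 df_policy: str, dscp: Optional[int] = None, mode: str = "tunnel") -> bytes:
    """Outer header for tunnel-mode ESP; a DSCP mark is rejected in transport mode."""
    if mode != "tunnel":
        raise ValueError("outer header and DSCP mark apply only to tunnel-mode ESP")
    inner_tos, inner_flags = inner[1], struct.unpack("!H", inner[6:8])[0]
    if df_policy == "clear":
        flags = 0                        # Clear: outer packet may be fragmented
    elif df_policy == "set":
        flags = DF_FLAG                  # Set: outer packet is never fragmented
    elif df_policy == "copy":
        flags = inner_flags & DF_FLAG    # Copy: inherit the inner packet's DF bit
    else:
        raise ValueError(f"unknown DF policy {df_policy!r}")
    tos = (dscp << 2) if dscp is not None else inner_tos   # DSCP is the top 6 bits of TOS
    return ipv4_header(local_if, remote_gw, ESP_PROTO, esp_len, tos=tos, flags=flags)


def parse_outer(hdr: bytes) -> dict:
    """Fields a packet capture would show for the outer header, plus a checksum check."""
    _, tos, _, _, flags, _, proto = struct.unpack("!BBHHHBB", hdr[:10])
    return {"dscp": tos >> 2, "df": bool(flags & DF_FLAG), "proto": proto,
            "src": socket.inet_ntoa(hdr[12:16]), "dst": socket.inet_ntoa(hdr[16:20]),
            "checksum_ok": ipv4_checksum(hdr) == 0}
```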
Chapter 12: Configuring VPNs
581