Configuring Security Level; Autogenerating VPN Rules - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Autogenerating VPN Rules

The IPSec Mode is tunnel but the binding interface is not a tunnel interface.
You can set the following DSCP Marks in the AutoKey IKE Parameters page:
• DSCP Marking — You can select either enable or disable. If the selected IPSec mode is transport, this option is automatically disabled.
• DSCP Value — Set the DSCP value in the range of 0–63. Mouse over the field to see the range of allowed values.

Configuring Security Level

For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:
• To use a predefined proposal set, select one of the following:
  • Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
  • Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
  • Standard (g2-esp-3des-sha, g2-esp-aes128-sha)
• To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 Proposals. For details on custom IKE proposals.

If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices, you should use multiple proposals to increase security and ensure compatibility.
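The following added example (not part of the Juniper guide or of NSM) parses the predefined Phase 2 proposal names listed above and reports which sets carry single DES, MD5, or no PFS, since a negotiation can settle on any proposal both peers accept. The name layout `<pfs>-esp-<encryption>-<authentication>`, the `g2` prefix read as Diffie-Hellman Group 2, and the weak-algorithm policy are assumptions of this example.

```python
import re

# Predefined Phase 2 proposal sets named in the guide text above.
PREDEFINED_SETS = {
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Standard": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
}

# Assumed name layout: <pfs>-esp-<encryption>-<authentication>.
NAME_RE = re.compile(r"^(nopfs|g\d+)-esp-([a-z0-9]+)-([a-z0-9]+)$")

# Reviewer policy for this example (an assumption, not from the guide).
WEAK_ENCRYPTION = {"des"}
WEAK_AUTHENTICATION = {"md5"}


def parse_proposal(name):
    """Split a proposal name into fields; raise ValueError if malformed."""
    match = NAME_RE.match(name.strip().lower())
    if not match:
        raise ValueError(f"unrecognized proposal name: {name!r}")
    pfs, encryption, authentication = match.groups()
    return {"pfs": None if pfs == "nopfs" else pfs,
            "encryption": encryption, "authentication": authentication}


def proposal_findings(name):
    """Return the policy findings for a single proposal."""
    fields = parse_proposal(name)
    found = []
    if fields["pfs"] is None:
        found.append("no PFS")
    if fields["encryption"] in WEAK_ENCRYPTION:
        found.append(f"weak encryption: {fields['encryption']}")
    if fields["authentication"] in WEAK_AUTHENTICATION:
        found.append(f"weak authentication: {fields['authentication']}")
    return found


def set_findings(proposals):
    """Union of findings: a set is only as strong as its weakest member."""
    return sorted({f for name in proposals for f in proposal_findings(name)})


if __name__ == "__main__":
    for label, proposals in PREDEFINED_SETS.items():
        print(f"{label}: {set_findings(proposals) or 'no findings'}")
```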
When you have completed configuring the policy- and route-based VPN members, the topology (if necessary) and termination points, and the IKE (if necessary) and gateway parameters for the VPN, you are ready to autogenerate the VPN.

During autogeneration, NSM generates the VPN rules that control traffic between policy-based VPN members, and edits the device configuration (gateways, security parameters, and so on) of each VPN member to support the VPN.

Autogeneration does not:
• Insert the VPN rules into a security policy. After you have reviewed the VPN rules and made any necessary overrides, you must manually insert the VPN rules (known as a VPN link) into a security policy. For details, see "Adding the VPN Link" on page 585.
• Install the new VPN rules or edited device configurations on the managed devices in the VPN. After you have inserted the VPN link into a security policy, you can install that policy on your devices using the Updated directive.
• Create static or dynamic routes for route-based VPNs.

To autogenerate the VPN, click Save.
Copyright © 2010, Juniper Networks, Inc.
