Supported Configurations; Creating Autokey Ike Vpns; Ikev2 And Eap Support - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Supported Configurations

Creating AutoKey IKE VPNs

Use an AutoKey IKE VPN to connect devices and/or protected resources. An AutoKey IKE VPN supports mixed-mode, policy-based, and route-based VPNs, but does not support RAS users. For details on each step, see "Creating AutoKey IKE VPNs" on page 602.

Use a Manual Key VPN to authenticate devices, protected resources, and RAS users in the VPN with manually configured keys (no IKE negotiation takes place, so the keys must be entered on both ends and rotated by hand). For details on each step, see "Creating Manual Key VPNs" on page 610.

Use an L2TP RAS VPN to connect L2TP RAS users and protected resources with authentication but without encryption. Because plain L2TP does not encrypt traffic, use L2TP-over-AutoKey IKE where confidentiality is required. For details on each step, see "Creating L2TP VPNs" on page 614.

Use an L2TP-over-AutoKey IKE RAS VPN to connect L2TP RAS users and protected resources. An L2TP-over-AutoKey IKE RAS VPN supports policy-based VPNs and L2TP RAS users, but does not support route-based VPNs. For details on each step, see "Creating L2TP Over Autokey IKE VPNs" on page 615.

IKE VPNs use tunnel mode and can be policy-based or route-based; however, route-based VPNs do not support RAS users. L2TP VPNs use transport mode and are policy-based.

Creating a device-level AutoKey IKE VPN is a four-stage process:
1. Configure the gateway.
2. Configure routes (route-based VPNs only).
3. Configure the VPN on the device.
4. Add VPN rules to the security policy.

IKEv2 and EAP Support

As part of its ScreenOS support, NSM allows you to configure IKEv2 features, which include identity hiding, perfect forward secrecy, a two-phase setup (the IKE_SA_INIT and IKE_AUTH exchanges), and cryptographic algorithm negotiation. The protocol redesign makes IKEv2 incompatible with IKEv1 even though both use the same UDP ports (500, and 4500 when NAT traversal is in use): the two are told apart by the major version field of the IKE header, and a gateway configured for one version will not establish a tunnel with a peer that speaks only the other, so both ends of a tunnel must be set to the same IKE version.
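The version split on the shared ports can be checked on the wire. The following is an added example written for this section, not code from the NSM guide or from Juniper: it parses the ISAKMP header common to IKEv1 (RFC 2408) and IKEv2 (RFC 7296), strips the RFC 3948 non-ESP marker that precedes IKE on UDP 4500, reports the major version and exchange type, and shows what a gateway that speaks only one version does with a datagram from the other. The function names and the three sample datagrams are constructed for this example.

```python
"""Telling IKEv1 from IKEv2 on the shared UDP ports 500/4500.

Added example for this section; not code from the NSM guide or from Juniper.
Header layout follows the ISAKMP header shared by IKEv1 (RFC 2408) and IKEv2
(RFC 7296); the 4-byte non-ESP marker on UDP 4500 follows RFC 3948. Function
names and the sample datagrams below are constructed for this example.
"""
import struct

# Initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes

IKEV1_EXCHANGES = {
    2: "Main Mode (identity protection)",
    4: "Aggressive Mode",
    5: "Informational",
    32: "Quick Mode",
}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_ike(udp_port, payload):
    """Return a dict describing what arrived on an IKE port (IKEv1, IKEv2, or NAT-T ESP)."""
    data = payload
    if udp_port == 4500:
        # RFC 3948: IKE on 4500 is prefixed with four zero bytes; UDP-encapsulated ESP
        # starts with its (non-zero) SPI instead, so the first word tells them apart.
        if len(data) < 4:
            return {"kind": "truncated"}
        if data[:4] != NON_ESP_MARKER:
            return {"kind": "udp-encapsulated ESP", "spi": data[:4].hex()}
        data = data[4:]
    elif udp_port != 500:
        return {"kind": "not an IKE port"}
    if len(data) < ISAKMP_HDR.size:
        return {"kind": "truncated"}
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    info = {
        "kind": "IKE",
        "major": major,
        "minor": minor,
        "exchange_type": exchange,
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        # A length field that disagrees with the datagram is a malformed or truncated packet.
        "length_ok": length == len(data),
    }
    if major == 1:
        info["version"] = "IKEv1"
        info["exchange"] = IKEV1_EXCHANGES.get(exchange, f"unknown({exchange})")
        info["encrypted"] = bool(flags & 0x01)            # IKEv1 E bit
        info["phase"] = 1 if exchange in (2, 4) else 2 if exchange == 32 else None
    elif major == 2:
        info["version"] = "IKEv2"
        info["exchange"] = IKEV2_EXCHANGES.get(exchange, f"unknown({exchange})")
        info["initiator"] = bool(flags & 0x08)            # I bit
        info["response"] = bool(flags & 0x20)             # R bit
        info["message_id"] = msg_id                       # request/response matching, replay window
    else:
        info["version"] = f"unsupported IKE major version {major}"
    return info


def responder_decision(supported_major, info):
    """What a gateway that speaks only one IKE major version does with the datagram."""
    if info.get("kind") != "IKE":
        return "ignore"                                   # ESP or junk, not an IKE message
    if info["major"] == supported_major:
        return "process"
    if info["major"] > supported_major:
        # RFC 7296 section 2.5: drop, and optionally send an unauthenticated
        # INVALID_MAJOR_VERSION notify carrying the highest version we support.
        return "drop, notify INVALID_MAJOR_VERSION"
    return "drop"                                         # older version we do not implement


def build_datagram(major, exchange, flags, body, next_payload, nat_t=False):
    """Constructed sample: an ISAKMP header plus opaque body (optionally behind the NAT-T marker)."""
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, next_payload, major << 4, exchange, flags,
                             0, ISAKMP_HDR.size + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + header + body


# Constructed samples (bodies are placeholders, not real SA payloads).
SAMPLE_IKEV1_MAIN_MODE = build_datagram(1, 2, 0x00, b"\x00" * 12, next_payload=1)            # UDP 500
SAMPLE_IKEV2_SA_INIT = build_datagram(2, 34, 0x08, b"\x00" * 12, next_payload=33, nat_t=True)  # UDP 4500
SAMPLE_NAT_T_ESP = b"\x00\x00\x12\x34" + b"\x00" * 20                                          # UDP 4500, SPI 0x1234

if __name__ == "__main__":
    for port, pkt in ((500, SAMPLE_IKEV1_MAIN_MODE), (4500, SAMPLE_IKEV2_SA_INIT), (4500, SAMPLE_NAT_T_ESP)):
        info = classify_ike(port, pkt)
        print(port, info.get("version", info["kind"]), info.get("exchange", ""),
              "| IKEv1-only gateway:", responder_decision(1, info),
              "| IKEv2-only gateway:", responder_decision(2, info))
```

Logging the exchange type this way is also how a monitor spots IKEv1 Aggressive Mode (exchange type 4), whose first messages carry the peer identity in the clear; that exposure is what IKEv2's identity hiding, listed above, removes by sending identities only inside the encrypted IKE_AUTH exchange.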
IKEv2 also supports the Extensible Authentication Protocol (EAP). With EAP, IKEv2 can leverage an existing authentication infrastructure and credential database, because EAP lets users choose a method suited to the credentials they already have, and it separates the IKEv2 responder (the VPN gateway) from the EAP authentication endpoint (a backend AAA server). Note that EAP replaces only the client's side of the IKE_AUTH exchange: the gateway still authenticates itself to the client with its own certificate, so a gateway certificate trusted by the clients is required in addition to the AAA server.
From the NSM UI, you can set the global account type to be authenticated by the authentication server:
1. Navigate to Object Manager > Authentication Servers.
Copyright © 2010, Juniper Networks, Inc.
