Network and Security Manager Administration Guide
Properties
Enter the following values:
VPN name—Enter a name for the VPN.
Remote Gateway—Select the gateway for the VPN.
Idle Time to Disable SA—Configure the number of minutes before a session that has
no traffic automatically disables the SA.
Replay Protection—In a replay attack, an attacker intercepts a series of legitimate
packets and uses them to create a denial-of-service (DoS) attack against the packet
destination or to gain entry to trusted networks. If replay protection is enabled, your
security devices inspect every IPSec packet to see if the packet has been received
before. If packets arrive outside a specified sequence range, the security device rejects
them.
IPSec Mode—Configure the mode:
    Use tunnel mode for IPSec. Before an IP packet enters the VPN tunnel, NSM
    encapsulates the packet in the payload of another IP packet and attaches a new IP
    header. This new IP packet can be authenticated, encrypted, or both.
    Use transport mode for L2TP-over-IPSec. NSM does not encapsulate the IP packet,
    meaning that the original IP header must remain in plaintext. However, the original
    IP packet can be authenticated, and the payload can be encrypted.
Do not set Fragment Bit in the Outer Header—The Fragment Bit controls how the IP
packet is fragmented when traveling across networks.
    Clear. Use this option to enable IP packets to be fragmented.
    Set. Use this option to ensure that IP packets are not fragmented.
    Copy. Select to use the same option as specified in the internal IP header of the
    original packet.
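
The sequence-range check described under Replay Protection, sketched as an added example (not taken from the guide or from Juniper code): a sliding-window receiver in the style of RFC 4303. The 64-packet window and all names are assumptions; the guide does not state the device's window size.

```python
# Added example: ESP-style anti-replay sliding window (32-bit sequence numbers).
# WINDOW_SIZE is an assumed value; the guide does not state the device's window.
WINDOW_SIZE = 64


class ReplayWindow:
    """Tracks which sequence numbers were already accepted on one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already received

    def check_and_update(self, seq):
        """Return a verdict and record seq if accepted.

        A real receiver updates the window only after the packet passes its
        integrity check; this sketch assumes that check already succeeded.
        """
        if seq == 0:
            return "reject: zero"              # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; entries older than `size` fall off.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "reject: too old"           # left of the window
        if self.bitmap & (1 << offset):
            return "reject: replay"            # duplicate inside the window
        self.bitmap |= 1 << offset             # late but new: reordered packet
        return "accept"


def run(seqs, size=WINDOW_SIZE):
    """Feed a list of sequence numbers through a fresh window."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, reordered, duplicate, stale.
    sample = [1, 2, 5, 3, 5, 100, 36, 37]
    for seq, verdict in zip(sample, run(sample)):
        print(seq, verdict)
```
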
Security
For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined
or user-defined proposals:
To use a predefined proposal set, select one of the following:
    Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
    Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
    Standard (gs-esp-3des-sha, gs-esp-aes128-sha)
To use a user-defined proposal, select a single proposal from the list of predefined
and custom IKE Phase 2 Proposals.
Copyright © 2010, Juniper Networks, Inc.