When you configure an AutoKey Internet Key Exchange (IKE) virtual private network (VPN) tunnel, you can specify additional optional settings and parameters.
Select a Security Level: Standard, Compatible, or Basic for a predefined level, or Custom for a user-defined level.
If you selected Custom as the security level for the VPN tunnel, select Phase 2 proposals from the drop-down lists.
Phase 2 Proposal: Select up to four Phase 2 proposals.
Here are a few examples of the parameters that can compose a proposal:
g2 – Diffie-Hellman Group 2 (1024-bit MODP). The peers derive a fresh key for Phase 2 with a new Diffie-Hellman Group 2 exchange. A 1024-bit group is below current key-size recommendations; use a larger group if both peers support one.
nopfs – No Perfect Forward Secrecy (PFS). The Phase 2 key is derived from the Phase 1 keying material, so a compromise of the Phase 1 secret exposes every Phase 2 key derived from it. PFS generates each new key independently of its predecessor, which increases security but also increases processing overhead.
des – Data Encryption Standard, a block cipher with a 56-bit key. A 56-bit key is brute-forceable with commodity hardware; do not use it for new tunnels.
3des – Triple DES, in which DES is applied three times (encrypt-decrypt-encrypt) with three 56-bit keys, nominally 168 bits. Its effective strength is about 112 bits because of meet-in-the-middle attacks, and its 64-bit block limits how much data can safely be sent under one key.
md5 – Message Digest 5, an algorithm that produces a 128-bit digest (hash) from a message of arbitrary length. IPsec uses it in HMAC form to authenticate each packet. MD5 is deprecated; treat it as a legacy option.
sha-1 – Secure Hash Algorithm 1, an algorithm that produces a 160-bit hash from a message of arbitrary length. It is stronger than MD5 by construction and by output size, but it is also a legacy algorithm; prefer a newer hash where the device and the peer support one.
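The tokens above combine into a proposal, and a weak token anywhere in the list caps the strength of the whole proposal. The following audit script is an added example (not ScreenOS code or any Juniper tool); it assumes a proposal is written as hyphen- or space-separated tokens from the vocabulary above, with an optional "esp"/"ah" protocol label, and the strength figures it assigns are approximate, widely cited equivalents (DES 56, 3DES 112, DH group 2 about 80). It ranks candidate proposals so that the strongest ends up first in the list of up to four.

```python
"""Audit IKE Phase 2 proposal token lists for weak components.

Added example, not part of the original page. The proposal string format
(tokens separated by '-' or whitespace, e.g. "g2-esp-3des-sha-1") is an
assumption made for this example.
"""
import re
from dataclasses import dataclass, field

# Approximate security strength in bits per token (assumed, commonly cited
# figures): DES 56-bit key; 3DES ~112 effective; DH group 2 (1024-bit) ~80.
KEY_EXCHANGE = {"g2": 80, "nopfs": None}   # None: no fresh exchange
CIPHERS = {"des": 56, "3des": 112}
HASHES = {"md5": 128, "sha1": 160}
PROTOCOL_LABELS = {"esp", "ah"}            # ignored, assumed labels

WARNINGS = {
    "des": "DES (56-bit key) is brute-forceable; do not use",
    "3des": "3DES effective strength ~112 bits; 64-bit block",
    "md5": "MD5 is deprecated for new deployments",
    "sha1": "SHA-1 is a legacy hash; prefer a newer one",
    "g2": "DH group 2 (1024-bit) is below current recommendations",
    "nopfs": "no PFS: Phase 1 compromise exposes all Phase 2 keys",
}


@dataclass
class Finding:
    proposal: str
    pfs: bool
    weakest_bits: int            # min over cipher and DH (when PFS is on)
    warnings: list = field(default_factory=list)


def tokenize(proposal: str) -> list:
    # "sha-1" contains the separator, so fold it to "sha1" before splitting.
    s = proposal.lower().replace("sha-1", "sha1")
    return [t for t in re.split(r"[-\s]+", s) if t]


def audit_proposal(proposal: str) -> Finding:
    tokens = tokenize(proposal)
    warnings, strengths = [], []
    pfs = "nopfs" not in tokens
    seen = {"kex": False, "cipher": False, "hash": False}
    for t in tokens:
        if t in PROTOCOL_LABELS:
            continue
        if t in KEY_EXCHANGE:
            seen["kex"] = True
            if KEY_EXCHANGE[t] is not None:
                strengths.append(KEY_EXCHANGE[t])
        elif t in CIPHERS:
            seen["cipher"] = True
            strengths.append(CIPHERS[t])
        elif t in HASHES:
            seen["hash"] = True
        else:
            raise ValueError(f"unknown proposal token: {t!r}")
        if t in WARNINGS:
            warnings.append(WARNINGS[t])
    for part, present in seen.items():
        if not present:
            warnings.append(f"proposal specifies no {part}")
    weakest = min(strengths) if strengths else 0
    return Finding(proposal, pfs, weakest, warnings)


def rank_proposals(proposals: list) -> list:
    """Strongest first: by weakest-link bits, then PFS on before off."""
    findings = [audit_proposal(p) for p in proposals]
    return sorted(findings, key=lambda f: (f.weakest_bits, f.pfs), reverse=True)


if __name__ == "__main__":
    # Constructed candidate list for the "up to four proposals" setting.
    for f in rank_proposals(["nopfs-esp-des-md5", "g2-esp-3des-sha-1",
                             "nopfs-esp-3des-sha-1", "g2-esp-des-sha-1"]):
        print(f"{f.proposal:24} pfs={f.pfs!s:5} weakest={f.weakest_bits:3} "
              f"warnings={len(f.warnings)}")
```

The weakest-bits figure is deliberately the minimum over the cipher and the Phase 2 DH group: a strong cipher keyed through a 1024-bit exchange is only as strong as that exchange, and with nopfs the Phase 2 strength depends on the Phase 1 group, which this script cannot see.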
Replay Protection: When you enable this feature, every packet sent over the IPsec security association carries a sequence number, and the receiver rejects packets whose sequence number it has already seen or that fall below its anti-replay window. If you plan to use high availability (HA), do not enable replay protection. The HA function cannot maintain a VPN tunnel with this option: if the primary device fails, the tunnel is not maintained and IKE negotiations must begin again.
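The receiver-side check that replay protection enables is a sliding window over sequence numbers. The following is an added example of that window (written from the RFC 4303 description, not ScreenOS code), with a 64-packet window and the assumption that sequence numbers start at 1, so 0 is never valid. The window state (highest number seen plus a bitmap) is per security association, which is the state a standby HA device would have to carry to keep the tunnel up.

```python
"""Sliding-window anti-replay check as described in RFC 4303 Appendix A.

Added example, not ScreenOS code. Assumes the first packet on an SA carries
sequence number 1 (so 0 is rejected) and a default window of 64 packets.
"""


class AntiReplayWindow:
    def __init__(self, window_size: int = 64):
        if window_size < 32:
            raise ValueError("window must be at least 32 packets (RFC 4303)")
        self.size = window_size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) received
        self.mask = (1 << window_size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and within the window."""
        if seq <= 0:
            return False                      # 0 is never a valid ESP seq
        if seq > self.top:
            shift = seq - self.top            # advance the window to seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1               # jumped past the whole window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                      # already received: replay
        self.bitmap |= 1 << diff              # late but new: accept
        return True


def replay_check(seqs: list, window_size: int = 64) -> list:
    """Run a sequence of received ESP sequence numbers through one window."""
    w = AntiReplayWindow(window_size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a replay, a jump, a stale packet,
    # a late-but-new packet, then its replay.
    arrivals = [1, 2, 3, 2, 100, 3, 50, 50]
    for seq, ok in zip(arrivals, replay_check(arrivals)):
        print(f"seq {seq:3}: {'accept' if ok else 'drop'}")
```

Packets that arrive out of order but inside the window are still accepted, which is why the window exists at all; only duplicates and packets older than the window are dropped. Turning the feature off removes the check entirely, so the HA trade-off on this page is a real one: a tunnel that survives failover but accepts replayed packets, or one that rejects them but must be renegotiated when the primary fails.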
Transport Mode: Select this check box only to configure the tunnel in Transport mode for L2TP-over-IPSec tunnels. Clear it for IPSec tunnels.
Bind to:
None: Select this option to use the outgoing interface as the interface to and from the VPN tunnel. (Selecting this option has the same effect as binding the VPN tunnel to the Untrust-Tun tunnel zone.)
Tunnel Interface: Select this option to bind the VPN tunnel to the tunnel interface that you select from the drop-down list. This option creates a one-to-one relationship between the tunnel and the tunnel interface.
Note: You can bind a VPN tunnel only to a tunnel interface in a security zone, not to a tunnel interface in a tunnel zone.
Tunnel Zone: Select this option to bind the VPN tunnel to the tunnel zone that you select from the drop-down list. You can then use multiple tunnel interfaces bound to the same tunnel zone with this VPN tunnel. This option allows a one-to-many relationship between the VPN tunnel and the tunnel interfaces. (When both the interface and the tunnels are bound to the same tunnel zone, you can also link a single tunnel interface to multiple VPN tunnels.)
Proxy ID: Select this check box to provide proxy ID information during Phase 2 negotiations. You must provide proxy ID information for route-based VPN configurations, because such configurations do not involve policies; in a policy-based VPN the proxy ID is extracted from the policy's source address, destination address, and service. The remote peer must configure the mirror image of these values (its local is your remote, and vice versa), or Phase 2 fails to negotiate.
Local IP/Netmask: Enter the IP address and netmask of the host or subnet (end entity) behind the local security device.
Remote IP/Netmask: Enter the IP address and netmask of the end entity behind the remote gateway.
Service: Select the service that you want to permit through the VPN tunnel.
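The three proxy ID fields only negotiate when the peer's configuration mirrors them exactly, and a netmask typed in one notation on one side and another on the other is a common reason a Phase 2 negotiation fails. The following is an added example (not ScreenOS code) that normalizes each side's Local IP/Netmask, Remote IP/Netmask and Service, computes the mirror the peer must configure, and reports which field disagrees; it assumes addresses are written as `address/netmask` or `address/prefixlen` and that service names are compared case-insensitively.

```python
"""Check that two peers' Phase 2 proxy IDs mirror each other.

Added example, not ScreenOS code. Assumes IP/Netmask is written as
"a.b.c.d/255.255.255.0" or "a.b.c.d/24" and that service names compare
case-insensitively; both are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    local: str     # IP/Netmask of the end entity behind this device
    remote: str    # IP/Netmask of the end entity behind the remote gateway
    service: str   # service permitted through the tunnel

    def normalized(self) -> "ProxyId":
        """Canonical form: network address in CIDR form, lowercase service."""
        # strict=False keeps a value with host bits set instead of raising,
        # so the mismatch can be reported alongside everything else.
        return ProxyId(
            str(ipaddress.ip_network(self.local, strict=False)),
            str(ipaddress.ip_network(self.remote, strict=False)),
            self.service.strip().lower(),
        )


def mirror_of(p: ProxyId) -> ProxyId:
    """The proxy ID the remote peer must configure for this one to match."""
    n = p.normalized()
    return ProxyId(local=n.remote, remote=n.local, service=n.service)


def proxy_id_mismatches(ours: ProxyId, theirs: ProxyId) -> list:
    """Return [] when the IDs mirror, else a list of (field, expected, got)."""
    want = mirror_of(ours)
    got = theirs.normalized()
    problems = []
    for name in ("local", "remote", "service"):
        if getattr(want, name) != getattr(got, name):
            problems.append((name, getattr(want, name), getattr(got, name)))
    return problems


def proxy_ids_match(ours: ProxyId, theirs: ProxyId) -> bool:
    return not proxy_id_mismatches(ours, theirs)


if __name__ == "__main__":
    # Constructed configurations for the two gateways.
    site_a = ProxyId("10.1.1.0/255.255.255.0", "192.168.2.0/24", "ANY")
    site_b_ok = ProxyId("192.168.2.0/24", "10.1.1.0/24", "any")
    site_b_bad = ProxyId("192.168.2.0/24", "10.1.0.0/16", "any")
    print("peer must configure:", mirror_of(site_a))
    print("ok  :", proxy_id_mismatches(site_a, site_b_ok))
    print("bad :", proxy_id_mismatches(site_a, site_b_bad))
```

Because the check normalizes both notations to CIDR before comparing, `10.1.1.0/255.255.255.0` and `10.1.1.0/24` are recognized as the same proxy ID, while a /16 on one side and a /24 on the other is reported as a `remote` field mismatch with both values shown.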
DSCP Marking
Disable: To disable DSCP marking for the VPN tunnel, select the Disable check box.
Enable: To enable DSCP marking, select the Enable check box.
DSCP Value: Enter a value from 0 to 63. The device writes it into the DSCP field of the outer IP header of packets it sends through the VPN tunnel, so that intermediate routers can apply the corresponding quality-of-service treatment.
VPN Group: If you want to add the VPN tunnel to a VPN group, select the VPN group from the drop-down list.
Weight: You can assign each VPN tunnel in a VPN group a unique weight value, which determines its rank in the group. The available tunnel with the highest rank becomes the active (most preferred) tunnel. A value of 1 indicates the lowest (least preferred) tunnel.
VPN Monitor: Select this check box to enable VPN monitoring. The security device activates its Simple Network Management Protocol (SNMP) VPN monitoring objects, which log data on aspects of the VPN tunnel such as the number of active VPN sessions, the time a session began, the security association (SA) elements for each session, and other session status parameters.
Note: You must first import the device-specific Management Information Base (MIB) extension files for the security device into your SNMP manager application. The MIB extension files are available at the Juniper Networks support site.
Source Interface: Select the interface to be used as the source interface for VPN monitor packets. For VPN monitoring through NetScreen Remote, the source interface for VPN monitor packets must be bound to the Trust zone of the network being monitored.
Destination IP: Enter the destination IP address you want the VPN monitoring feature to ping.
Optimized: Select this check box if you want the security device to accept incoming traffic through the VPN tunnel as a substitute for Internet Control Message Protocol (ICMP) echo replies. If both incoming and outgoing traffic pass through the VPN tunnel, the device suppresses VPN monitoring pings.
Note: If you enable VPN monitoring optimization, be aware that VPN monitoring can no longer provide accurate SNMP statistics. Also, if you are using VPN monitoring to track the availability of a particular destination IP address at the remote end of a tunnel, optimization can produce misleading results.
Rekey: Select this check box if you want to keep an SA active even if there is no other VPN traffic except the ICMP echo requests (pings) sent by the VPN monitoring module. When the key lifetime for a Phase 1 or Phase 2 SA is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.
Click Return to save your settings.