AutoKey IKE VPN Tunnel Advanced Configuration

You can specify additional optional settings and parameters when configuring an AutoKey IKE VPN tunnel.

To Create an AutoKey IKE VPN

  1. Select a Security Level: Standard, Compatible, or Basic for one of the predefined levels, or Custom for a user-defined level.

  2. If you selected Custom as the security level for the VPN tunnel, select Phase 2 proposals from the drop-down lists:

Phase 2 Proposal: Select up to four Phase 2 proposals.

Here are a few examples of the parameters that can compose a proposal:

g2 – Diffie-Hellman Group 2. The peers renegotiate a new key for Phase 2 using the Diffie-Hellman Group 2 key exchange procedure.

nopfs – No Perfect Forward Secrecy (PFS). The key used in Phase 2 is derived from the key used in Phase 1. With PFS, each new key is generated independently of its predecessor, which increases security but also increases processing overhead.

des – Data Encryption Standard, a cryptographic block algorithm with a 56-bit key.

3des – A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key.

md5 – Message Digest (version) 5, an algorithm that produces a 128-bit message digest (or hash) from a message of arbitrary length. The resulting hash is used, like a “fingerprint” of the input, to verify authenticity.

sha-1 – Secure Hash Algorithm-1, an algorithm that produces a 160-bit hash from a message of arbitrary length. (It is generally regarded as more secure than MD5 because of the larger hashes it produces.)
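The tokens listed above combine into proposal names. The following is an added example, not code from ScreenOS or its documentation: it assumes a proposal name is written as dash-separated tokens in the order pfs-protocol-cipher-hash (for example "g2-esp-3des-sha"), parses such names, and reports the weaker choices the descriptions above call out (nopfs, des, md5). The g1 and g5 group tokens, the esp/ah protocol tokens and the aes128 cipher token are assumptions; the sample proposal names are constructed.

```python
"""Audit Phase 2 proposal names built from the tokens the page describes.

Added example, not code from the ScreenOS product or its documentation.
It assumes a proposal name is dash-separated tokens in the order
<pfs>-<protocol>-<cipher>-<hash>, e.g. "g2-esp-3des-sha"; the sample names
used below are constructed to fit that layout.
"""
from dataclasses import dataclass, field
from typing import Optional

# Diffie-Hellman group tokens: the page lists g2; g1 and g5 are assumed extras.
PFS_GROUPS = {"g1": 1, "g2": 2, "g5": 5}
NO_PFS = "nopfs"
# IPsec protocol tokens (assumed).
PROTOCOLS = {"esp", "ah"}
# Cipher token -> nominal key length in bits as the page states them;
# aes128 is an assumed extra.
CIPHER_KEY_BITS = {"des": 56, "3des": 168, "aes128": 128}
# Hash token -> digest length in bits. "sha-1" is normalised to "sha1".
HASH_BITS = {"md5": 128, "sha": 160, "sha1": 160}


@dataclass
class Proposal:
    name: str
    pfs_group: Optional[int]       # None when the proposal is nopfs
    protocol: str
    cipher: str
    hash: str
    findings: list = field(default_factory=list)


def parse_proposal(name: str) -> Proposal:
    """Split a proposal name into its tokens and record weak choices."""
    tokens = name.lower().replace("sha-1", "sha1").split("-")
    if len(tokens) != 4:
        raise ValueError(f"{name!r}: expected <pfs>-<protocol>-<cipher>-<hash>")
    pfs, protocol, cipher, hash_ = tokens
    if pfs != NO_PFS and pfs not in PFS_GROUPS:
        raise ValueError(f"{name!r}: unknown PFS token {pfs!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"{name!r}: unknown protocol token {protocol!r}")
    if cipher not in CIPHER_KEY_BITS:
        raise ValueError(f"{name!r}: unknown cipher token {cipher!r}")
    if hash_ not in HASH_BITS:
        raise ValueError(f"{name!r}: unknown hash token {hash_!r}")

    group = None if pfs == NO_PFS else PFS_GROUPS[pfs]
    p = Proposal(name, group, protocol, cipher, hash_)

    # Findings mirror the trade-offs the page describes for each token.
    if group is None:
        p.findings.append("nopfs: Phase 2 key is derived from the Phase 1 key, "
                          "so a compromised Phase 1 key exposes Phase 2 traffic")
    elif group == 1:
        p.findings.append("g1: 768-bit DH group; prefer g2 or higher")
    if cipher == "des":
        p.findings.append("des: 56-bit key is brute-forceable; prefer 3des or aes")
    if hash_ == "md5":
        p.findings.append("md5: 128-bit digest; sha-1 is the stronger choice here")
    return p


def audit(names):
    """Return {proposal name: list of findings} for every name given."""
    return {n: parse_proposal(n).findings for n in names}


def strongest(names):
    """Pick the proposal with the fewest findings; ties prefer PFS, then longer keys."""
    def score(p):
        return (len(p.findings), p.pfs_group is None,
                -CIPHER_KEY_BITS[p.cipher], -HASH_BITS[p.hash])
    return min((parse_proposal(n) for n in names), key=score).name


if __name__ == "__main__":
    # Constructed sample: one g2 proposal and two nopfs proposals.
    sample = ["g2-esp-3des-sha", "nopfs-esp-3des-md5", "nopfs-esp-des-md5"]
    for name, findings in audit(sample).items():
        print(name, "->", findings or ["ok"])
    print("strongest:", strongest(sample))
```

Running the script over the constructed sample lists the findings for each name and picks "g2-esp-3des-sha" as the proposal with no findings; a Custom security level that offers up to four proposals can be checked this way before the tunnel is committed.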

  3. Replay Protection: Enabling this feature requires that each IKE negotiation have a sequence number. If you plan to use high availability (HA), do not enable this option. The HA function cannot maintain a VPN tunnel with this option. If the master unit fails, the tunnel is not maintained and IKE negotiations must begin again.

Transport Mode: Select this check box only to configure the tunnel in Transport mode for L2TP-over-IPSec tunnels. Clear it for IPSec tunnels.

  4. Bind to:

None: Select this option to use the outgoing interface as the interface to and from the VPN tunnel. (Selecting this option has the same effect as binding the VPN tunnel to the Untrust-Tun tunnel zone.)

Tunnel Interface: Select this option to bind the VPN tunnel to the tunnel interface that you select from the drop-down list. This option creates a one-to-one relationship between the tunnel and the tunnel interface.

Note: You can bind a VPN tunnel only to a tunnel interface in a security zone, not to a tunnel interface in a tunnel zone.

Tunnel Zone: Select this option to bind the VPN tunnel to the tunnel zone that you select from the drop-down list. You can then use multiple tunnel interfaces bound to the same tunnel zone with this VPN tunnel. This option allows a one-to-many relationship between the VPN tunnel and tunnel interfaces. (When both the interface and tunnels are bound to the same tunnel zone, you can also link a single tunnel interface to multiple VPN tunnels.)

  5. Proxy ID: Select this check box to provide proxy ID information during Phase 2 negotiations. You must provide proxy ID information for routing-based VPN configurations because they do not involve policies, from which the following information can otherwise be extracted.

Local IP/Netmask: Enter the IP address and netmask of the host or subnet (end entity) behind the local NetScreen device.

Remote IP/Netmask: The IP address and netmask of the end entity behind the remote gateway.

Service: Select the service that you want to permit through the VPN tunnel.
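Phase 2 negotiation depends on the two peers' proxy IDs mirroring each other: this device's Local IP/Netmask must equal the remote gateway's Remote IP/Netmask, and vice versa, with the same service. The following is an added example, not ScreenOS code, that models a proxy ID as the triple above and checks two peers' entries against each other; the addresses and service names are constructed.

```python
"""Check that two peers' Phase 2 proxy IDs mirror each other.

Added example, not ScreenOS code. It assumes a proxy ID is the triple the
page describes (local IP/netmask, remote IP/netmask, service) and that the
peers agree only when A's local equals B's remote and A's remote equals B's
local, with the same service. All addresses below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    local: str      # e.g. "10.1.1.0/24", the subnet behind this device
    remote: str     # the subnet behind the remote gateway
    service: str    # e.g. "ANY"; compared case-insensitively

    def networks(self):
        # strict=False lets a host address such as 10.1.1.5/24 normalise to
        # its network, so a typo in host bits does not hide a real mismatch.
        return (ipaddress.ip_network(self.local, strict=False),
                ipaddress.ip_network(self.remote, strict=False))


def mismatches(a: ProxyId, b: ProxyId):
    """Return a list of human-readable differences; empty means the IDs mirror."""
    a_local, a_remote = a.networks()
    b_local, b_remote = b.networks()
    problems = []
    if a_local != b_remote:
        problems.append(f"A local {a_local} != B remote {b_remote}")
    if a_remote != b_local:
        problems.append(f"A remote {a_remote} != B local {b_local}")
    if a.service.upper() != b.service.upper():
        problems.append(f"service {a.service} != {b.service}")
    return problems


def proxy_ids_match(a: ProxyId, b: ProxyId) -> bool:
    return not mismatches(a, b)


if __name__ == "__main__":
    # Constructed: site A and site B configured consistently.
    site_a = ProxyId("10.1.1.0/24", "192.168.2.0/24", "ANY")
    site_b = ProxyId("192.168.2.0/24", "10.1.1.0/24", "any")
    print("A <-> B:", "match" if proxy_ids_match(site_a, site_b) else mismatches(site_a, site_b))
    # Constructed: site B entered a /25 where A has a /24.
    site_b_bad = ProxyId("192.168.2.0/24", "10.1.1.0/25", "ANY")
    print("A <-> B(bad):", mismatches(site_a, site_b_bad))
```

The netmask comparison is deliberate: a /24 on one side and a /25 on the other is the kind of difference that passes a visual check yet leaves Phase 2 unable to complete.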

  6. VPN Group: If you want the VPN tunnel to be a member of a VPN group, select that group from the drop-down list.

Weight: Each VPN tunnel in a VPN group can be assigned a unique weight value, which determines the preference of the tunnel to be the active tunnel. A value of 1 indicates the lowest, or least preferred, ranking.

  7. VPN Monitor: Select this check box to enable VPN monitoring. The NetScreen device activates its SNMP VPN monitoring objects, which note data on such aspects of the VPN tunnel as the number of active VPN sessions, the time a session began, the SA elements for each session, and session status parameters.

Note: You must first import the NetScreen-specific MIB extension files into your SNMP manager application. The MIB extension files are available at the Juniper Networks support site.

Source Interface: Select the interface to be used as the source interface for VPN monitor packets. For VPN monitoring through NetScreen Remote, the source interface for VPN monitor packets must be bound to the Trust zone of the network being monitored.

Destination IP: Type the destination IP address for the VPN monitoring feature to ping.

Optimized: Select this check box if you want the NetScreen device to accept incoming traffic through the VPN tunnel as a substitute for ICMP echo replies. If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings.

Note: If you enable VPN monitoring optimization, be aware that VPN monitoring can no longer provide accurate SNMP statistics. Also, if you are using VPN monitoring to track the availability of a particular destination IP address at the remote end of a tunnel, optimization can produce misleading results.

Rekey: Select this check box if you want to keep a security association (SA) active even when there is no VPN traffic other than the ICMP echo requests (pings) sent by the VPN monitoring module. When the key lifetime for a Phase 1 or Phase 2 SA is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.

  8. Click Return to save your settings.