Tunnel Interface Configuration

A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel through a tunnel interface.

By binding a tunnel interface to a VPN, you separate the policy from the VPN tunnel. This way, you can configure one tunnel and define multiple policies that allow or deny traffic through it. When no tunnel interface is bound to a VPN tunnel, you must specify the VPN tunnel in the access policy itself and choose Tunnel as the action. Because the Tunnel action implies permission, you cannot explicitly deny traffic from a VPN tunnel.

You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in the same subnet as the tunnel interface.

For more information on tunnel interfaces and VPN tunnels, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide available on the documentation CD that shipped with your Juniper Networks product and also on the Juniper Networks support site.

To Configure a Tunnel Interface

  1. Enter the required information:

Tunnel Interface Name: Enter an ID number for the tunnel interface.

Zone (VR): Select the zone and virtual router to which you want to bind the tunnel interface.

Fixed IP: Select this option if you want the tunnel interface to support policy-based NAT.

IP Address/Netmask: Enter the IP address and netmask of the tunnel interface.

Unnumbered: Select this option if the tunnel interface does not need to support policy-based NAT and your configuration does not require the tunnel interface to be bound to a tunnel zone.

An unnumbered interface borrows its IP address from another interface that is bound to the same security zone. You must specify the interface from which the tunnel interface borrows the IP address.

Interface: Select the interface from which the tunnel interface will borrow the IP address. The interface must be in the same security zone as the tunnel interface.

Maximum Transfer Unit (MTU): If you know the MTU of the VPN data path and it is smaller than 1500 bytes (the default), enter that value here. The device first fragments a VPN-destined packet if the packet size exceeds the MTU on the outgoing physical interface, and then encapsulates and encrypts each fragment. (When the device fragments a packet, it reserves at least 200 bytes for encapsulation and encryption.) If the VPN data path requires an MTU smaller than 1500 bytes and you leave the default, intermediary network devices must fragment oversized VPN packets as they receive them, and the far end must reassemble them. Use this option to avoid placing that unnecessary load on the network.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this tunnel interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

Protocol: Select BGP to enable the BGP protocol on the interface.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the tunnel interface.

Block Intra-Subnet Traffic: (available only for tunnel interfaces with an IP address/netmask) Select this check box to block traffic that would be routed back out the same tunnel interface on which it arrived.
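The settings above carry several constraints that are easy to get wrong before the configuration reaches the device: policy-based NAT and Block Intra-Subnet Traffic require a fixed IP address, an unnumbered interface must borrow from an interface in the same security zone, a DIP pool must fall inside the tunnel interface's subnet, and the MTU must stay at or below 1500 bytes. The following Python script is an added example, not part of this help page or of ScreenOS; it models a tunnel interface's settings and checks them against those rules, and it also models the fragment-then-encrypt order described for the MTU setting. The class and function names, the interface names, the addresses, and the simplified fragmentation model (fragment payload limited by the smaller of the tunnel and physical MTU less the 200-byte reserve) are all assumptions made for the example.

```python
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Figures taken from the page: 1500-byte default MTU and the 200-byte
# minimum reserve for encapsulation and encryption.
DEFAULT_MTU = 1500
ENCAP_RESERVE = 200


@dataclass
class TunnelInterface:
    """Hypothetical model of the WebUI fields for one tunnel interface."""
    name: str                              # e.g. "tunnel.1" (constructed name)
    zone: str                              # security zone the interface is bound to
    ip_cidr: Optional[str] = None          # Fixed IP, e.g. "10.1.1.1/24"; None = Unnumbered
    borrow_from: Optional[str] = None      # interface to borrow an address from (Unnumbered)
    mtu: int = DEFAULT_MTU
    dip_pools: List[Tuple[str, str]] = field(default_factory=list)  # (start, end) pairs
    policy_nat: bool = False               # interface must support policy-based NAT
    block_intra_subnet: bool = False


def validate(tif: TunnelInterface, interfaces_by_zone: Dict[str, str]) -> List[str]:
    """Return the list of rule violations; an empty list means the settings
    satisfy the constraints stated on the page. interfaces_by_zone maps
    existing interface names to their security zone (used for the borrow check)."""
    problems = []
    fixed = tif.ip_cidr is not None

    # Exactly one of Fixed IP or Unnumbered must be chosen.
    if fixed == (tif.borrow_from is not None):
        problems.append("choose exactly one of Fixed IP or Unnumbered")

    # Policy-based NAT and Block Intra-Subnet Traffic both need an IP/netmask.
    if tif.policy_nat and not fixed:
        problems.append("policy-based NAT requires a Fixed IP on the tunnel interface")
    if tif.block_intra_subnet and not fixed:
        problems.append("Block Intra-Subnet Traffic needs an IP address/netmask")

    # An unnumbered interface borrows only from an interface in the same zone.
    if tif.borrow_from is not None:
        zone = interfaces_by_zone.get(tif.borrow_from)
        if zone is None:
            problems.append(f"borrow interface {tif.borrow_from} does not exist")
        elif zone != tif.zone:
            problems.append(f"borrow interface {tif.borrow_from} is in zone {zone}, not {tif.zone}")

    # The MTU field only lowers the default.
    if not 0 < tif.mtu <= DEFAULT_MTU:
        problems.append(f"MTU {tif.mtu} must be between 1 and {DEFAULT_MTU}")

    # DIP pools for policy-based NAT must lie in the tunnel interface's subnet.
    if fixed:
        net = ipaddress.ip_interface(tif.ip_cidr).network
        for start, end in tif.dip_pools:
            s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if s not in net or e not in net:
                problems.append(f"DIP pool {start}-{end} is outside {net}")
            elif s > e:
                problems.append(f"DIP pool {start}-{end} has start after end")
    return problems


def fragments_before_encryption(packet_len: int, physical_mtu: int,
                                tunnel_mtu: int = DEFAULT_MTU) -> int:
    """Simplified model (assumption, not the device's exact algorithm): the
    device fragments the cleartext packet before encrypting, keeping each
    fragment within the smaller of the tunnel and physical MTU minus the
    200-byte reserve, so the encapsulated fragment still fits on the wire."""
    payload_limit = min(tunnel_mtu, physical_mtu) - ENCAP_RESERVE
    if payload_limit <= 0:
        raise ValueError("MTU too small to carry encapsulated traffic")
    return math.ceil(packet_len / payload_limit)


if __name__ == "__main__":
    # Constructed sample: a fixed-IP tunnel with a DIP pool in its own subnet.
    tif = TunnelInterface("tunnel.1", "untrust", ip_cidr="10.1.1.1/24", mtu=1400,
                          dip_pools=[("10.1.1.2", "10.1.1.254")], policy_nat=True)
    print(validate(tif, {"ethernet3": "untrust"}))        # []
    print(fragments_before_encryption(1500, 1500, 1400))  # 2
```

Run the script directly to see the two sample results; the validator is the piece to keep, since running it over a planned configuration before clicking OK surfaces the zone and subnet mismatches that the WebUI only reports one field at a time.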


To Remove a Tunnel Interface

  1. Return to the Interface List page. In the Configure column, click Remove for the tunnel interface you want to remove.

A system message prompts you to confirm the removal.

  2. Click Yes to continue or No to cancel the action.