Device-Level Manual Key VPN: Using VPN Configuration Overview

The following topics explain how to configure device-level manual key VPN using VPN configuration:

Device-Level Manual Key VPN Properties

Enter the values in Table 1 to configure a device-level manual key VPN using VPN configuration.

Table 1: Device-Level Manual Key VPN Properties

Property / Your Action

VPN Name

Enter a name for the VPN.

Gateway

Enter a gateway for the VPN.

Local SPI

Specify the local Security Parameter Index. This option also supports IPv6.

Remote SPI

Specify the remote Security Parameter Index. This option also supports IPv6.

Outgoing Interface

Specify the outgoing interface, which is the interface on the security device that sends and receives VPN traffic. Typically, the outgoing interface is in the untrust zone.

Do not set Fragment Bit in the Outer Header

Select how the device handles the Don't Fragment (DF) bit in the outer IP header, which controls whether the encapsulated packet can be fragmented while traveling across networks.

  • Clear—Clear the DF bit so that IP packets can be fragmented.

  • Set—Set the DF bit so that IP packets are not fragmented.

  • Copy—Copy the DF bit setting from the inner IP header of the original packet.

IPsec Protocol

Specify the IPsec protocol and algorithm to use for data authentication and/or encryption. Because these values are configured statically on each VPN member, the members do not negotiate them before communicating.

  • AH—Use Authentication Header to authenticate the VPN traffic, but not encrypt the traffic. If you select AH, you must also specify the key or password that AH uses in the authentication algorithm.

    Note: All passwords handled by NSM are case-sensitive.

  • ESP—Use Encapsulating Security Payload to authenticate and encrypt the VPN traffic. Because ESP uses keys to encrypt and decrypt data, if you select ESP you must also specify the key or password that the VPN node uses to send and receive VPN data through the VPN tunnel.

Binding

You can bind the VPN tunnel to a tunnel interface or tunnel zone to increase the number of available interfaces in the security device. To use a tunnel interface and/or tunnel zone in your VPN, you must first create the tunnel interface or zone on the device; for details, see Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview and Configuring a Tunnel Interface.

  • None—Select none when you do not want to bind the VPN tunnel to a tunnel interface or zone.

  • Tunnel Interface—Select a preconfigured tunnel interface on the security device to bind the VPN tunnel to that interface. The security device routes all VPN traffic through the tunnel interface to the protected resources. You can also enable DSCP marking and set the DSCP value, which ranges from 0 through 63.

  • Tunnel Zone—Select a preconfigured tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone. The tunnel zone must include one or more numbered tunnel interfaces; when the security device routes VPN traffic to the tunnel zone, the traffic uses one or more of the tunnel interfaces to reach the protected resources.
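The following validator, added here as an example and not part of NSM or ScreenOS, checks one Table 1 entry before it is pushed to a device: the SPI range, the DF-bit choice, the key that AH or ESP requires, the binding type and the DSCP range. The field names and the sample values are assumptions.

```python
import ipaddress

# Constructed sample of the Table 1 properties for one manual key VPN.
# Field names and this validator are assumptions; they are not NSM's data model.
SAMPLE_VPN = {
    "name": "branch-vpn",
    "gateway": "203.0.113.10",
    "local_spi": 0x3020,
    "remote_spi": 0x3030,
    "outgoing_interface": "ethernet3",
    "df_bit": "copy",               # clear / set / copy of the DF bit
    "protocol": "esp",              # ah or esp
    "auth_key": "example-auth-key",
    "enc_key": "example-enc-key",
    "binding": "tunnel_interface",  # none / tunnel_interface / tunnel_zone
    "dscp": 46,
}

def validate_manual_key_vpn(v):
    """Return a list of configuration problems (empty when the entry is sound)."""
    problems = []
    if not v.get("name"):
        problems.append("VPN name is required")
    try:
        ipaddress.ip_address(v.get("gateway", ""))   # accepts IPv4 or IPv6
    except ValueError:
        problems.append("gateway must be an IPv4 or IPv6 address")
    # SPI 0 and 1..255 are reserved (RFC 4303); a manual SPI must sit above them.
    for side in ("local_spi", "remote_spi"):
        spi = v.get(side)
        if not isinstance(spi, int) or not 256 <= spi <= 0xFFFFFFFF:
            problems.append(f"{side} must be an integer in 256..0xFFFFFFFF")
    if not v.get("outgoing_interface"):
        problems.append("outgoing interface is required")
    if v.get("df_bit") not in ("clear", "set", "copy"):
        problems.append("df_bit must be clear, set or copy")
    proto = v.get("protocol")
    if proto == "ah" and not v.get("auth_key"):
        problems.append("AH requires an authentication key")
    elif proto == "esp" and not v.get("enc_key"):
        problems.append("ESP requires an encryption key")
    elif proto not in ("ah", "esp"):
        problems.append("protocol must be ah or esp")
    binding = v.get("binding", "none")
    if binding not in ("none", "tunnel_interface", "tunnel_zone"):
        problems.append("binding must be none, tunnel_interface or tunnel_zone")
    if "dscp" in v:
        if binding != "tunnel_interface":
            problems.append("DSCP marking applies only to a tunnel-interface binding")
        elif not 0 <= v["dscp"] <= 63:
            problems.append("DSCP value must be 0 through 63")
    return problems
```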

Monitor Management on ScreenOS Devices Using Manual Key VPN

You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Enable the VPN Monitor in RealTime Monitor to display statistics for the VPN tunnel as described in Table 2.

Table 2: Monitor

VPN Monitor Status / Description

VPN Monitor

When enabled, the device sends ICMP echo requests (pings) through the tunnel at a specified interval (configurable in seconds) to monitor network connectivity. The device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination address. If the ping activity indicates that the VPN monitoring status has changed, the device triggers an SNMP trap; VPN Monitor (in RealTime Monitor) tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status.

Rekey

When enabled, the device regenerates the IKE key after a failed VPN tunnel attempts to reestablish itself. When disabled, the device monitors the tunnel only while the VPN passes user-generated traffic (rather than using device-generated ICMP echo requests). Use the rekey option to:

  • Keep the VPN tunnel up even when no traffic is passing through it.

  • Monitor devices at the remote site.

  • Enable dynamic routing protocols to learn routes at a remote site and transmit messages through the tunnel.

  • Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface.

Optimized

This option appears only for devices running ScreenOS 5.x. When enabled, the device optimizes its VPN monitoring behavior as follows:

  • Considers incoming traffic in the VPN tunnel as ICMP echo replies. This reduces false alarms that might occur when traffic through the tunnel is heavy and the echo replies cannot get through.

  • Suppresses VPN monitoring pings when the tunnel passes both incoming and outgoing traffic. This can help reduce network traffic.

Source Interface and Destination IP

Configure these options to use VPN Monitoring when the other end of the VPN tunnel is not a security device. Specify the source interface and the destination IP address for the monitoring pings.
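The simulation below, added here as an example and not ScreenOS code, models the monitoring behaviour of Table 2 for one tunnel: a ping per interval, an SNMP trap on each status change, and the two Optimized rules (incoming tunnel traffic counts as an echo reply; pings are suppressed while traffic flows both ways). The interval count, the failure threshold and the event names are assumptions.

```python
# Simulated VPN Monitor state machine for one tunnel (assumed model, not ScreenOS).
class VpnMonitor:
    def __init__(self, optimized=False, threshold=3):
        self.optimized = optimized
        self.threshold = threshold     # consecutive lost probes before "down" (assumed)
        self.up = True
        self.misses = 0
        self.events = []               # "ping", "suppressed", "trap:down", "trap:up"

    def interval(self, incoming, outgoing, echo_reply):
        """Run one monitoring interval.
        incoming/outgoing: whether user traffic crossed the tunnel in that
        direction; echo_reply: whether a reply to the device's own ping arrived."""
        if self.optimized and incoming and outgoing:
            # Optimized: bidirectional traffic proves the tunnel, so skip the ping.
            self.events.append("suppressed")
            alive = True
        else:
            self.events.append("ping")
            # Optimized: any incoming tunnel traffic is treated as an echo reply.
            alive = echo_reply or (self.optimized and incoming)
        self.misses = 0 if alive else self.misses + 1
        if self.up and self.misses >= self.threshold:
            self.up = False
            self.events.append("trap:down")    # status change -> SNMP trap
        elif not self.up and alive:
            self.up = True
            self.events.append("trap:up")
        return self.up

def run(monitor, intervals):
    """Feed (incoming, outgoing, echo_reply) tuples; return the final tunnel status."""
    for inc, out, reply in intervals:
        monitor.interval(inc, out, reply)
    return monitor.up

# Constructed scenario: heavy inbound load, the device's own echo replies are
# lost for four intervals. Plain monitoring declares the tunnel down (a false
# alarm); Optimized monitoring keeps it up because inbound traffic counts.
CONGESTED = [(True, True, True), (True, False, False), (True, False, False),
             (True, False, False), (True, False, False)]
```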