PURPOSE:
The article provides information about the differences between a Policy-Based VPN and a Route-Based VPN. Additionally, it provides information on how to quickly identify which type is configured for an existing VPN.
PROBLEM OR GOAL:
- How do I check whether an existing VPN is configured as route based or policy based?
- When should I configure a route based VPN and when a policy based VPN?
Policy Based:
- A Policy Based VPN is a configuration in which a specific VPN tunnel is referenced in a policy whose action is set to Tunnel. In the WebUI policy list the action is shown as a tunnel icon: either a lock, or a lock with directional arrows, which indicates that the policy is configured for a bi-directional tunnel.
You can also identify whether a VPN is route or policy based from the command line. In the output of the get sa command, the PID column lists the ID of the policy that uses that SA:
SSG-> get sa
total configured sa: 1
HEX ID    Gateway   Port Algorithm      SPI      Life:sec kb    Sta  PID vsys
00000001< 1.1.1.1   500  esp:3des/sha1  e37791d3 3596     unlim A/-  2   0
00000001> 1.1.1.1   500  esp:3des/sha1  883ebdb8 3596     unlim A/-  1   0
The PID column shows the values 2 and 1: policy IDs 2 and 1 are the policies that use this SA (one for each direction of the bi-directional tunnel). If the VPN is route based, the PID value is -1 instead.
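To apply the get sa check across many tunnels, the following script (an added example, not code from the original article) parses a constructed get sa listing and classifies each SA by its PID column. The sample output is constructed to match the column layout above; the gateway addresses and SPIs are invented, and reading "<" as the inbound SA and ">" as the outbound SA is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of ScreenOS `get sa` output (not captured from a device):
# SA 00000001 is referenced by policies 2 and 1 (policy based), SA 00000002
# shows PID -1 in both directions (route based). Gateways and SPIs are invented.
SAMPLE_GET_SA = """\
total configured sa: 2
HEX ID    Gateway          Port Algorithm       SPI      Life:sec kb    Sta  PID vsys
00000001< 1.1.1.1          500  esp:3des/sha1   e37791d3 3596     unlim A/-  2   0
00000001> 1.1.1.1          500  esp:3des/sha1   883ebdb8 3596     unlim A/-  1   0
00000002< 203.0.113.7      500  esp:aes128/sha1 0a1b2c3d 2710     unlim A/-  -1  0
00000002> 203.0.113.7      500  esp:aes128/sha1 4d5e6f70 2710     unlim A/-  -1  0
"""

# An SA row starts with the 8-hex-digit SA id followed by a direction marker.
# Assumption: '<' is the inbound SA and '>' the outbound SA.
SA_ROW = re.compile(r"^(?P<hexid>[0-9a-fA-F]{8})(?P<dir>[<>])$")


def parse_get_sa(text: str) -> List[Dict[str, object]]:
    """Parse the SA rows of a `get sa` listing into dictionaries, one per direction."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header, the totals line and blank lines never split into exactly
        # ten columns whose first column is an SA id, so they are skipped here.
        if len(parts) != 10:
            continue
        match = SA_ROW.match(parts[0])
        if match is None:
            continue
        rows.append({
            "id": match.group("hexid"),
            "direction": "inbound" if match.group("dir") == "<" else "outbound",
            "gateway": parts[1],
            "port": int(parts[2]),
            "algorithm": parts[3],
            "spi": parts[4],
            "life_sec": parts[5],
            "life_kb": parts[6],
            "status": parts[7],
            "pid": int(parts[8]),   # policy id, or -1 for a route based VPN
            "vsys": int(parts[9]),
        })
    return rows


def classify_sas(rows: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Group rows by SA id and label each SA policy based or route based from its PID."""
    result: Dict[str, Dict[str, object]] = {}
    for row in rows:
        entry = result.setdefault(row["id"], {
            "gateway": row["gateway"], "kind": None, "policy_ids": set(),
        })
        kind = "route-based" if row["pid"] == -1 else "policy-based"
        if row["pid"] != -1:
            entry["policy_ids"].add(row["pid"])
        # Both directions of one SA should agree; flag the SA if they do not.
        entry["kind"] = kind if entry["kind"] in (None, kind) else "inconsistent"
    return result


if __name__ == "__main__":
    for sa_id, info in classify_sas(parse_get_sa(SAMPLE_GET_SA)).items():
        ids = ",".join(str(p) for p in sorted(info["policy_ids"])) or "-"
        print(f"SA {sa_id} to {info['gateway']}: {info['kind']} (policy ids {ids})")
```

Feed the script the captured output of get sa from each firewall (for example over SSH) and it reports, per SA, whether the tunnel is policy based and which policy IDs reference it, or route based (PID -1 in both directions).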
Common reasons to use a Policy-based VPN:
- The remote VPN device is a non-Juniper device
- Need to access only one subnet or one network at the remote site, across the VPN.
Route Based:
- A Route Based VPN is a configuration, in which the policy does not reference a specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route that points to a specific tunnel interface. The tunnel interface may be bound to a VPN tunnel or to a tunnel zone.
- When a tunnel interface is placed in a security zone, it must be bound to a VPN tunnel; this is what creates a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address of another interface in the same security zone.
- A tunnel is a means of delivering traffic between points A and B, and a policy is a method for permitting or denying the delivery of that traffic. Simply put, ScreenOS lets you separate the regulation of traffic from the means of its delivery.
- If the tunnel interface does not need to support policy-based NAT, and the configuration does not require the tunnel interface to be bound to a tunnel zone, the interface can be unnumbered. An unnumbered tunnel interface must be bound to a security zone; it cannot be bound to a tunnel zone. The interface whose IP address the unnumbered tunnel interface borrows must also be bound to that security zone.
In addition, a Route Based VPN must include the following configuration:
- Tunnel interface
- Phase I VPN gateway configuration (listed under VPNs > AutoKey Advanced > Gateway in the WebUI)
- Phase II VPN configuration (listed under VPNs > AutoKey IKE in the WebUI), including:
  - Local and remote Proxy ID
  - VPN configuration bound to the tunnel interface
- Route for the remote network pointing to the tunnel interface
- Policy with action "Permit" to allow the traffic (the policy does not reference the tunnel itself)
Common reasons to use a Route-based VPN:
- Source or destination NAT (NAT-Src, NAT-Dst) needs to occur as traffic traverses the VPN.
- Overlapping subnets/IP addresses between the two LANs.
- Hub-and-spoke VPN topology.
- Design requires a primary and a backup VPN.
- A dynamic routing protocol (OSPF, RIP, BGP) runs across the VPN.
- Need to access multiple subnets or networks at the remote site across the VPN.
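As an added example (not code from the original article), the following Python checks a ScreenOS configuration excerpt against the route based checklist above: tunnel interface in a zone, Phase I gateway, Phase II VPN with proxy ID and bound to the tunnel interface, a route pointing at the tunnel interface, and a plain permit policy. The configuration text is constructed, the ScreenOS command syntax is reproduced from memory and should be treated as an assumption, and every name and address is invented.

```python
import re
from typing import List

# Constructed ScreenOS-style `get config` excerpt (not captured from a device; the
# command syntax is an assumption and all names and addresses are invented).
ROUTE_BASED_CONFIG = """\
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway "gw-branch" address 1.1.1.1 Main outgoing-interface "ethernet0/0" preshare "REDACTED" sec-level standard
set vpn "vpn-branch" gateway "gw-branch" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-branch" bind interface tunnel.1
set vpn "vpn-branch" proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 "ANY"
set route 10.2.2.0/24 interface tunnel.1
set policy id 1 from "Trust" to "Untrust" "10.1.1.0/24" "10.2.2.0/24" "ANY" permit
"""

# The same VPN with the route removed: IKE can still negotiate the SA, but no
# traffic is ever steered into the tunnel interface. A common misconfiguration.
NO_ROUTE_CONFIG = "\n".join(
    line for line in ROUTE_BASED_CONFIG.splitlines()
    if not line.startswith("set route ")
) + "\n"


def _has(pattern: str, config: str) -> bool:
    return re.search(pattern, config, re.MULTILINE) is not None


def check_route_based(config: str, vpn_name: str) -> List[str]:
    """Return the checklist items missing for vpn_name; an empty list means complete."""
    v = re.escape(vpn_name)
    missing: List[str] = []

    # Phase II VPN must exist and reference a defined Phase I gateway.
    gw = re.search(rf'^set vpn "{v}" gateway "([^"]+)"', config, re.MULTILINE)
    if gw is None:
        missing.append("phase2-vpn")
    elif not _has(rf'^set ike gateway "{re.escape(gw.group(1))}" ', config):
        missing.append("phase1-gateway")

    # Local and remote proxy ID on the Phase II VPN.
    if not _has(rf'^set vpn "{v}" proxy-id ', config):
        missing.append("proxy-id")

    # VPN bound to a tunnel interface that sits in a security zone, plus a
    # route for the remote network pointing at that tunnel interface.
    bind = re.search(rf'^set vpn "{v}" bind interface (\S+)$', config, re.MULTILINE)
    if bind is None:
        missing.append("bind-tunnel-interface")
    else:
        t = re.escape(bind.group(1))
        if not _has(rf'^set interface {t} zone ', config):
            missing.append("tunnel-interface-zone")
        if not _has(rf'^set route \S+ interface {t}\b', config):
            missing.append("route")

    # A permit policy carries the traffic; a policy with "tunnel vpn" would
    # make this a policy based VPN instead.
    policies = [l for l in config.splitlines() if l.startswith("set policy id ")]
    if not any(re.search(r"\bpermit\b", l) for l in policies):
        missing.append("permit-policy")
    if any(" tunnel vpn " in l for l in policies):
        missing.append("policy-references-tunnel")
    return missing


if __name__ == "__main__":
    print("complete config:", check_route_based(ROUTE_BASED_CONFIG, "vpn-branch"))
    print("route missing:  ", check_route_based(NO_ROUTE_CONFIG, "vpn-branch"))
```

Run it against a saved get config and it lists which of the checklist items are absent; the constructed NO_ROUTE_CONFIG shows the case where IKE succeeds but traffic never enters the tunnel because no route points at the tunnel interface.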