{"id":299,"date":"2009-08-25T19:28:56","date_gmt":"2009-08-25T19:28:56","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2009\/08\/25\/netscreen-additional-site-2-site-vpn-options\/"},"modified":"2021-07-24T19:00:26","modified_gmt":"2021-07-24T19:00:26","slug":"netscreen-additional-site-2-site-vpn-options","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Juniper\/netscreen-additional-site-2-site-vpn-options.html","title":{"rendered":"Netscreen – Additional Site 2 Site VPN Options"},"content":{"rendered":"
This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor<\/strong>“. The “rekey<\/strong>” option will cause the Netscreen to continuously try and send ICMP down the tunnel regardless of whether there are any valid SA`s. When VPN Monitoring is used with Route based VPN`s, the associated tunnel routes will be disabled in the event of the tunnel being classed as down. This allows for the re-routing of traffic in the event of particular tunnel failures. ns5gt-> get sa This allows you to add a number of VPN gateways to a VPN group. In the event of failure the traffic flow is sent through another gateway within the group. Using IKE heart beats and recovery attempts with TCP-SYN flag checking the gateway can failover to another gateway without any disruption to the traffic flow.To ensure that the other gateways can establish new tunnels in the event of failover without the need of the endpoints having to reconnect (i.e an initial SYN not being required) you will need to set the following setting : `unset flow tcp-syn-check-in-tunne<\/strong>l` VPN Groups can be configured within “VPN`s | AutoKey Advanced | VPN Groups<\/strong>“ Note <\/em>: <\/em>VPN Groups only support Policy based VPN`s.<\/span> <\/p>\n","protected":false},"excerpt":{"rendered":" VPN Monitoring This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor“. The “rekey” option will cause the Netscreen to continuously try and … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"yoast_head":"\n
<\/span><\/p>\n
When the “optimized<\/strong>” option is enabled the Netscreen will consider any traffic passing the tunnel as an indication that the tunnel is active rather then sending ICMP Pings.
<\/span><\/p>\n
<\/span>Using the “get sa” command, you can obtain the SA and Link Status. This can be found under the “Sta” column (SA\/Link). If the VPN Monitor is not enabled you will see a dash for the Link status such as (A\/-).<\/span> <\/span>
<\/span><\/p>\n
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 192.168.1.107 500 esp: des\/md5 ef1d1675 3549 unlim A\/U -1 0
00000002> 192.168.1.107 500 esp: des\/md5 b41eba07 3549 unlim A\/U -1 0<\/span><\/p>\nVPN Groups<\/strong><\/span><\/h2>\n
<\/span><\/p>\n
<\/span><\/p>\n
<\/span><\/p>\n