
[EOL/EOE] Understanding NSM VPN manager auto-populate settings for new devices


Article ID: KB11259 KB Last Updated: 11 Mar 2021 Version: 6.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

A few settings in VPN Manager determine which interface is used as the outgoing-interface, and which interface and zone the tunnel is bound to.
Symptoms:
NSM does not assign the correct interface for the outgoing-interface or does not bind the correct un-numbered interface to the tunnel.
Solution:
The following features of VPN manager are explained in detail:

Security Device -- Tunnel Interface Zone:
This is the zone that the VPN tunnel interface will be placed in. If the zone is set to "trust", no policy check is required for traffic coming from the VPN and going to the trust zone (as long as intra-zone blocking is not enabled). If the zone is "untrust" or another zone, a policy entry must be created manually in order to selectively allow traffic arriving from the VPN.

Security Device -- Physical Source Interface:
This determines which interface the tunnel interface is bound to when using an un-numbered VPN gateway. Typically this is the interface in the same zone as the tunnel interface. The IP address of the tunnel interface is based on the interface selected here.

Termination Point:
The interface selected as "Termination Point" in VPN Manager is the outgoing-interface on which the encrypted packets are transmitted. Usually this is the untrust interface facing the Internet.



To have the correct interface slot/number assigned by default when adding many devices, the following settings control how the values described above are chosen:

Security Device -- Primary and Secondary Zone:
This setting controls the value that NSM automatically selects for "Tunnel Interface Zone" described above. NSM first checks whether the primary zone exists on the device being added and, if so, uses it. If the primary zone does not exist on the device, the secondary zone is used, provided it exists on the device being added.

Security Device -- Physical Source Interface Zone:
This setting controls the value that NSM automatically selects for "Physical Source Interface" described above. While adding a new device, NSM selects the interface slot/number on the device that belongs to the zone defined here. For example, selecting the trust zone will correctly find the matching interface slot/number and automatically fill in this interface as the termination point while adding multiple devices to the topology.

Default Zone -- Termination Point (located under the "Edit" option):
This setting controls the value that NSM automatically selects for "Termination Point" described above. While adding a new device, NSM selects the interface slot/number on the device that belongs to the zone defined here.
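The selection rules above can be modelled as a pre-check to run over a device inventory before a bulk add. This is an added example, not NSM code or a Juniper tool; the `Defaults` class, the interface-to-zone inventory format, and the sample devices are constructed for illustration. Where several interfaces share the configured zone, the article does not say which one NSM picks, so the model flags the device for review instead of guessing.

```python
from dataclasses import dataclass

@dataclass
class Defaults:              # hypothetical model of the VPN Manager defaults
    primary_zone: str
    secondary_zone: str
    physical_source_zone: str
    termination_zone: str

def pick_interface(device, zone, label, notes):
    """Return the only interface in `zone`, or None plus a note to review."""
    matches = sorted(i for i, z in device.items() if z == zone)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        notes.append(f"{label}: no interface in zone '{zone}'")
    else:
        # The article does not say how a tie is broken, so flag it.
        notes.append(f"{label}: {len(matches)} interfaces in zone '{zone}', verify the filled-in value")
    return None

def resolve(device, d):
    """device: constructed inventory, interface name -> zone name."""
    zones, notes = set(device.values()), []
    # Primary zone wins if it exists on the device, else the secondary zone.
    tunnel_zone = next((z for z in (d.primary_zone, d.secondary_zone) if z in zones), None)
    if tunnel_zone is None:
        notes.append("tunnel zone: neither primary nor secondary zone exists")
    elif tunnel_zone == "trust":
        notes.append("tunnel zone trust: no policy check for VPN-to-trust traffic unless intra-zone blocking is on")
    else:
        notes.append(f"tunnel zone {tunnel_zone}: add a policy for traffic arriving from the VPN")
    return {
        "tunnel_zone": tunnel_zone,
        "physical_source": pick_interface(device, d.physical_source_zone, "physical source", notes),
        "termination_point": pick_interface(device, d.termination_zone, "termination point", notes),
        "notes": notes,
    }

# Constructed sample devices (not from the article).
DEFAULTS = Defaults("trust", "lan", "trust", "untrust")
DEVICES = {
    "branch-a": {"ethernet0/0": "trust", "ethernet0/2": "untrust"},
    "branch-b": {"ethernet0/0": "lan", "ethernet0/1": "lan", "ethernet0/2": "untrust"},
    "branch-c": {"ethernet0/0": "trust", "ethernet0/1": "untrust", "ethernet0/2": "untrust"},
}

if __name__ == "__main__":
    for name, dev in DEVICES.items():
        print(name, resolve(dev, DEFAULTS))
```
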
Modification History:
2021-02-27: Tagged for EOL/EOE.