[Archive] FAQ: ScreenOS5.0.0 Changes/Enhancements regarding VPN functionality

[KB7026]


Summary:
FAQ: ScreenOS5.0.0 Changes/Enhancements regarding VPN functionality
Symptoms:
FAQ: In ScreenOS 5.0rx, are there any changes or enhancements regarding VPN functionality?
Solution:

ScreenOS 5.0.0 changes and enhancements to VPN functionality

  1. Any Source and Destination for VPNs
    Both the source and the destination IP addresses of a VPN policy can be on any interface in any zone.
  2. Bidirectional VPN Option on the Policy Configuration WebUI Page
    If you specify only one source address and one destination address in a policy, you can still use the Modify matching bidirectional VPN policy option to create a VPN policy for the opposite direction. If, however, you specify multiple source addresses and multiple destination addresses in a policy, the NetScreen device does not support the Modify matching bidirectional VPN policy option, and you must create the reverse policy yourself.
  3. NAT-T Removed for Manual Key VPNs
    You cannot configure NAT-Traversal on a Manual Key VPN. A peer that sits behind a NAT device therefore needs an AutoKey IKE VPN, where NAT-T is negotiated as part of IKE.
  4. Layer 2 Zone Interfaces as Outgoing Interfaces
    ScreenOS 5.0.0 does not support pseudo interfaces, so VPNs use Layer 2 zone interfaces as their outgoing interfaces.
  5. Manual Key dialup VPN Support removed
    NetScreen devices do not support Manual Key dialup VPNs and you cannot create Manual Key dialup users and user groups. After upgrading to ScreenOS 5.0.0, NetScreen devices no longer support commands and settings related to Manual Key dialup VPNs. As a result, you have to replace Manual Key dialup VPNs that you configured in a previous release with AutoKey IKE VPN tunnels.
  6. Single IKE Tunnel Not Supported
    ScreenOS does not support the set ike single-ike-tunnel CLI command.
  7. Template SA Not Generated
    The get sa CLI command does not display the template SA, but displays the SAs created for each pair of VPN policies (one SA per pair of policies).
  8. VPN Monitor Status Not Affected by IKE Rekey
    A successful IKE rekey negotiation triggers a VPN monitor ping through the tunnel within one second, and the reply packet updates the VPN status. The tunnel is therefore not reported as Down merely because a rekey took place.
  9. VPN Event Logs
    A NetScreen device generates only one event log entry when the state of a VPN changes. If the state changes to Down, the device generates a single log entry to notify that the VPN state is Down, and then generates only one event log entry when the state changes back to Up. The severity level for Up events is "critical".
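
Because item 9 means the device logs a VPN state transition exactly once rather than reporting its state on every interval, a log consumer has to reconstruct the current state of each tunnel from the sequence of transitions it has seen. The following Python script is an added illustration of that reconstruction; it is not Juniper code and not part of this article. The log layout it parses (date, time, host, then "VPN <name> is up|down") and the sample lines are constructed for the example and are an assumption, not the verbatim ScreenOS message format. It keeps the last known state per VPN, flags tunnels that flap several times within a window, and flags an event that repeats the current state, which, given one entry per transition, most likely means an intervening log line was lost.

```python
"""Track VPN tunnel state from transition-only event logs.

Added example for a ScreenOS 5.0.0-style device that writes one event per
VPN state change. The line layout below is an assumption made for this
illustration, not the actual ScreenOS log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (assumed layout: "<date> <time> <host>: VPN <name> is <up|down>").
SAMPLE_LOG = """\
2004-03-01 08:00:01 ns-fw: VPN branch-a is down
2004-03-01 08:00:09 ns-fw: VPN branch-a is up
2004-03-01 08:05:40 ns-fw: VPN branch-b is down
2004-03-01 08:06:02 ns-fw: VPN branch-a is down
2004-03-01 08:06:03 ns-fw: VPN branch-a is up
2004-03-01 08:06:10 ns-fw: VPN branch-a is down
2004-03-01 08:06:11 ns-fw: VPN branch-a is up
2004-03-01 08:20:00 ns-fw: VPN branch-b is down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+): "
    r"VPN (?P<vpn>\S+) is (?P<state>up|down)$"
)


def parse_line(line):
    """Return (timestamp, vpn_name, state) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("vpn"), m.group("state")


def track_vpn_state(log_text, flap_window_s=60, flap_threshold=3):
    """Reconstruct per-VPN state from transition events.

    Returns a dict with:
      state - last known state of each VPN ("up" or "down")
      flaps - VPNs that changed state at least flap_threshold times inside
              a sliding window of flap_window_s seconds
      gaps  - events that repeat the VPN's current state; since each change
              is logged once, this indicates a missed transition log line
    """
    state = {}
    transitions = defaultdict(list)  # vpn -> timestamps of recent transitions
    gaps = []
    flaps = set()

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, vpn, new_state = parsed
        if state.get(vpn) == new_state:
            # Same state twice in a row cannot come from a one-entry-per-change
            # device unless the opposite transition was never seen.
            gaps.append((ts, vpn, new_state))
            continue
        state[vpn] = new_state
        times = transitions[vpn]
        times.append(ts)
        # Drop transitions that fell out of the window, then test the threshold.
        while times and (ts - times[0]).total_seconds() > flap_window_s:
            times.pop(0)
        if len(times) >= flap_threshold:
            flaps.add(vpn)

    return {"state": state, "flaps": sorted(flaps), "gaps": gaps}


if __name__ == "__main__":
    result = track_vpn_state(SAMPLE_LOG)
    for vpn, st in sorted(result["state"].items()):
        print(f"{vpn}: {st}")
    print("flapping:", result["flaps"])
    print("missed transitions:", result["gaps"])
```

On the sample above, branch-a ends Up but is reported as flapping (three transitions within ten seconds), and the second "branch-b is down" with no intervening Up is reported as a gap rather than silently accepted. Feeding a monitoring system only the Down events would leave branch-a looking down after it has recovered, which is why the state has to be carried forward from the full sequence.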
