Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] FAQ: ScreenOS5.0.0 Changes/Enhancements regarding VPN functionality

0

0

Article ID: KB7026 KB Last Updated: 20 Aug 2010Version: 4.0
Summary:
FAQ: ScreenOS5.0.0 Changes/Enhancements regarding VPN functionality
Symptoms:
FAQ: In Screen OS5.0rx, are there any changes/enhancements regarding VPN functionality?
Solution:

Screen OS5.0.0 enhancements in VPN

  1. Any Source and Destination for VPNs Both source and destination IP addresses for a VPN can be in any interface in any zone.
  2. Bidirectional VPN option on Configuration WebUI page If you specify only one source address and one destination address in a policy, you can still use the Modify matching bidirectional VPN policy option to create a VPN policy for the opposite direction. If, however, you specify multiple source addresses and multiple destination addresses in a policy, the NetScreen device does not support the Modify matching bidirectional VPN policy option.
  3. NAT-T Removed for Manual Key VPNs You cannot configure NAT-Traversal on a Manual Key VPN.
  4. Layer 2 Zone Interfaces as Outgoing Interfaces
    ScreenOS does not support pseudo interfaces, therefore VPNs use layer 2 zone interfaces as outgoing interfaces.
  5. Manual Key dialup VPN Support removed
    NetScreen devices do not support Manual Key dialup VPNs and you cannot create Manual Key dialup users and user groups. After upgrading to ScreenOS 5.0.0, NetScreen devices no longer support commands and settings related to Manual Key dialup VPNs. As a result, you have to replace Manual Key dialup VPNs that you configured in a previous release with AutoKey IKE VPN tunnels.
  6. Single IKE Tunnel Not Supported
    ScreenOS does not support the set ike single-ike-tunnel CLI command.
  7. Template SA Not Generated
    The get sa CLI command does not display the template SA, but displays the SAs created for each pair of VPN policies (one SA per pair of policies).
  8. VPN Monitor Status Not affected by IKE-Rekey
    The success of an IKE re-key negotiation initiates a ping request to the VPN within one second, and the reply packet updates the VPN status.
  9. VPN Event Logs A NetScreen device only generates one event log entry when the state of a VPN changes. If the state changes to Down, the device generates a single log entry to notify that the VPN state is Down, and then only generates one event log entry when the state changes to Up. The severity level for Up events is "critical".

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search