What would cause this problem?

You are creating route-based VPNs on an NS208. When creating your 101st interface, you receive an error message and are prevented from creating additional tunnel interfaces. What would cause this problem?

A. There is a limit of 100 tunnel interfaces per zone

B. There is a limit of 100 tunnel interfaces per NS208

C. There is a limit of 100 tunnel interfaces per virtual router

D. Acquire a license key to increase the number of tunnel interfaces that can be created.

Explanation:
The configuration of a NetScreen device for VPN support is particularly flexible. You can create route-based and policy-based VPN tunnels. Additionally, each type of tunnel can use Manual Key or AutoKey IKE to manage the keys used for encryption and authentication.
With policy-based VPN tunnels, a tunnel is treated as an object (or a building block) that together with source, destination, service, and action, comprises a policy that permits VPN traffic. (Actually, the VPN policy action is tunnel, but the action permit is implied, if unstated.) In a policy-based VPN configuration, a policy specifically references a VPN tunnel by name.
With route-based VPNs, the policy does not specifically reference a VPN tunnel. Instead, the policy references a destination address. When the NetScreen device does a route lookup to find the interface through which it must send traffic to reach that address, it finds a route via a tunnel interface, which is bound to a specific VPN tunnel. Thus, with a policy-based VPN tunnel, you can consider a tunnel as an element in the construction of a policy. With a route-based VPN tunnel, you can consider a tunnel as a means for delivering traffic, and the policy as a method for either permitting or denying the delivery of that traffic.
The number of policy-based VPN tunnels that you can create is limited by the number of policies that the device supports. The number of route-based VPN tunnels that you create is limited by the number of route entries (4096 for a ns208) or the number of tunnel interfaces that the device supports (256 for a ns208), whichever number is lower. A route-based VPN tunnel configuration is a good choice when you want to conserve tunnel resources while setting granular restrictions on VPN traffic. Although you can create numerous policies referencing the same VPN tunnel, each policy creates an individual IPSec security association (SA) with the remote peer, each of which counts as an individual VPN tunnel. With a route-based approach to VPNs, the regulation of traffic is not coupled to the means of its delivery. You can configure dozens of policies to regulate traffic flowing through a single VPN tunnel between two sites, and there is just one IPSec SA at work. Also, a route-based VPN configuration allows you to create policies referencing a destination reached through a VPN tunnel in which the action is deny, unlike a policy-based VPN configuration, in which, as stated earlier, the action must be tunnel, implying permit.


