The previous sections of this chapter gave you a lot of information—some generalized, some SRX-specific. It’s time to make use of that information and provide you with some real-world guidance on how to select the appropriate properties for your SRX VPN configuration.
As you’ve come to realize by now, there are many different VPN configuration options. However, deciding which options to select is quite easy once you understand them. Here we’ll detail 12 key configuration options with recommendations and tips on when and where you might use them:
The first decision you should make when determining how to deploy your VPNs is whether IKE will be used to negotiate the VPN keys, or whether to use manual keys. For just about every scenario, AutoKey IKE should be used over manual key encryption because AutoKey IKE is dynamic and renegotiates the keys used rather than using the same key indefinitely. The only exception to this rule is when security isn’t much of a concern and the load that AutoKey negotiation would put on your system is. Although an individual IKE negotiation may not put much load on the system, negotiating lots of VPN tunnels simultaneously can be very computationally intensive, making manual keys preferable in that case.
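The two choices side by side, as an added configuration sketch that is not from the original chapter: a manual-key VPN whose keys never change until an administrator edits them, and an AutoKey IKE VPN whose keys are renegotiated when the configured lifetimes expire. All object names, the interface, the peer address (a documentation-range value), the algorithm and lifetime choices, and the key placeholders are assumptions for illustration.

```junos
# --- Manual key: static SPI and static keys, no renegotiation ---
set security ipsec vpn manual-vpn bind-interface st0.0
set security ipsec vpn manual-vpn manual gateway 198.51.100.2
set security ipsec vpn manual-vpn manual external-interface ge-0/0/0.0
set security ipsec vpn manual-vpn manual protocol esp
set security ipsec vpn manual-vpn manual spi 4096
set security ipsec vpn manual-vpn manual authentication algorithm hmac-sha1-96
set security ipsec vpn manual-vpn manual authentication key ascii-text "<AUTH-KEY-PLACEHOLDER>"
set security ipsec vpn manual-vpn manual encryption algorithm aes-128-cbc
set security ipsec vpn manual-vpn manual encryption key ascii-text "<ENC-KEY-PLACEHOLDER>"

# --- AutoKey IKE: Phase 1 and Phase 2 keys expire and are renegotiated ---
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
set security ike gateway peer-gw address 198.51.100.2
set security ike gateway peer-gw ike-policy ike-pol
set security ike gateway peer-gw external-interface ge-0/0/0.0

set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
# Phase 2 keys are replaced when this lifetime runs out
set security ipsec proposal ipsec-prop lifetime-seconds 3600
# Optional: a fresh Diffie-Hellman exchange for each Phase 2 rekey
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn ike-vpn bind-interface st0.0
set security ipsec vpn ike-vpn ike gateway peer-gw
set security ipsec vpn ike-vpn ike ipsec-policy ipsec-pol
```

With the manual-key VPN, the same SPI and keys must be entered on both peers and stay in use until someone changes them by hand on each side.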
ESP is the most widely deployed VPN protocol because it not only performs authentication, but also provides security by encrypting the data. Although encrypting the data is a computationally ...