Figure 13: IPSec Tunneling Packet Encapsulation
Security Parameters
Secure IP interfaces allow tunneled traffic to be secured in several ways. To do
this, each secure interface is associated with security parameters that are enforced
for the traffic that goes through it. Table 9 on page 130 briefly describes all the
parameters used for a secure IP interface.
Table 9: Security Parameters Used on Secure IP Interfaces

| Security Parameter | Description |
|---|---|
| Manual or signaled | A secure IP interface, which can be either manual or signaled. You can configure manual interfaces manually on both local and remote security gateways. Signaled interfaces can dynamically set up connections between security gateways using ISAKMP/IKE. |
| Operational VR | Operational parameters for the secure IP interface, including the virtual router context to which this interface belongs and the network prefix reachable through the interface. |
| Transport VR | Transport network characteristics for the tunnel, including its virtual router context and source and destination IP addresses. |
| Perfect forward secrecy (PFS) | A key-generation approach that guarantees that every newly generated session key is not in any way related to the previous keys. PFS ensures that a compromised session key does not compromise previous and subsequent keys. |
| Lifetime | A limit on time and traffic volume allowed over the interface before an SA needs to be renegotiated. |
| Inbound and outbound SAs | The actual session-related parameters used by both security gateways to secure the traffic between them. You can manually define the SA for manual secure IP tunnels, or the SA can be negotiated dynamically for signaled tunnels. Two sets of SA parameters exist: one for inbound traffic and another for outbound traffic. |
| Transform set | The set of security parameters, including protocols and algorithms, that is considered adequate to provide a required security level to the traffic flowing through an interface. |
Figure 14 on page 131 shows the relationships of the various security parameters to
the IPSec security interface. The following sections discuss each parameter in detail.
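
The Lifetime and Inbound and outbound SAs rows of Table 9, as an added Python example (not taken from the JUNOSe guide or from router code): a model of a signaled interface that replaces its SA pair when either the time limit or the traffic-volume limit is reached. The class, the limits, the SPI values and the traffic trace are constructed for illustration, and the model renegotiates at the limit rather than ahead of it.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class SA:
    spi: int                  # constructed identifier for this SA
    created: float            # negotiation time, in seconds
    kilobytes: float = 0.0    # traffic protected under this SA so far

class SignaledInterface:
    """Hypothetical model of a signaled secure IP interface (not JUNOSe code)."""
    def __init__(self, max_seconds, max_kilobytes, now=0.0):
        # Lifetime has two limits: elapsed time and traffic volume.
        self.max_seconds, self.max_kilobytes = max_seconds, max_kilobytes
        self.rekeys = []                      # (time, reason) per renegotiation
        self._spi = count(0x1000)
        self._negotiate(now)

    def _negotiate(self, now):
        # Stand-in for the ISAKMP/IKE exchange: one SA per traffic direction.
        self.sa = {d: SA(next(self._spi), now) for d in ("inbound", "outbound")}

    def expiry_reason(self, now):
        """Return 'time', 'volume' or None for the current SA pair."""
        for sa in self.sa.values():
            if now - sa.created >= self.max_seconds:
                return "time"
            if sa.kilobytes >= self.max_kilobytes:
                return "volume"
        return None

    def protect(self, direction, nbytes, now):
        """Account one packet burst, renegotiating first if a limit was reached."""
        reason = self.expiry_reason(now)
        if reason:
            self.rekeys.append((now, reason))
            self._negotiate(now)
        self.sa[direction].kilobytes += nbytes / 1024
        return self.sa[direction].spi

# Constructed trace: (time in seconds, direction, bytes in the packet burst)
TRACE = [(0, "outbound", 600_000), (10, "inbound", 100_000),
         (20, "outbound", 600_000),    # outbound SA passes 1000 KB here
         (30, "outbound", 1_000),      # volume limit hit: new SA pair first
         (4000, "inbound", 1_000)]     # 3600 s limit hit: new SA pair first

def replay(trace, max_seconds=3600, max_kilobytes=1000):
    iface = SignaledInterface(max_seconds, max_kilobytes)
    return [iface.protect(d, n, t) for t, d, n in trace], iface.rekeys
```

`replay(TRACE)` returns the SPI used for each burst and the renegotiation history; both directions get new SPIs at each renegotiation because the pair is replaced together.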
130
■
IPSec Concepts
JUNOSe 11.1.x IP Services Configuration Guide