■
Reachable networks on the VPN (allowing for split tunneling when supported
by the client software)
■
Security parameters intended to protect user traffic (including IPSec
encapsulating protocol, encryption algorithms, authentication algorithms,
lifetime parameters, perfect forward secrecy, and DH group for key
derivation)
■
The IP address on which the router listens for remote subscribers
New subscribers are mapped to IPSec tunnel profiles only after the initial IKE SA is
established. As with static IPSec tunnels, IKE policy rules are required to control
whether an IKE SA is accepted or denied.
Relocating Tunnel Interfaces
Unlike static IPSec tunnel interfaces, dynamic IPSec subscribers do not relocate if
the IPSec server card becomes unavailable. If the IPSec server card becomes
unavailable, all dynamic subscribers that are logged in on that server card are
logged out and must log in again to reconnect.
User Authentication
For IPSec subscribers, user authentication occurs in two phases. The first phase is
IPSec-level authentication (IKE phase 1). It is sometimes referred to as “machine”
authentication because it is the user's PC, not the user, that is authenticated: the
first phase verifies private keys or preshared keys that reside on the PC. These keys
are not easily moved from one PC to another and do not require user entry each time
authentication is performed.
Depending on the IKE phase 1 exchange, restrictions on the authentication type or
the access network setup might exist. To avoid usage problems, keep the following
in mind:
■
If you are configuring a VPN in which users perform preshared key IPSec
authentication and use the IKE main mode exchange for phase 1, you must set up
the access network so that the VPN has an exclusive local IP address. In main
mode the initiator's identity is sent only after the Diffie-Hellman exchange,
encrypted under keys derived from the preshared key, so the router must choose
the preshared key before it knows who the peer is; for remote subscribers with
arbitrary source addresses, the local address is the only usable selector.
■
If you want to share a single server address on the access network for more than
one VPN, you must either set the clients to use IKE aggressive mode or use a
public and private key pair for authentication (this authentication type includes
X.509v3 certificates). Aggressive mode carries the initiator's identity in the clear
in its first message, so the router can select the preshared key by identity. The
trade-off is that the identity and the authentication hash derived from the
preshared key are exposed on the wire, which permits an offline dictionary attack
against a weak preshared key; pair aggressive mode with a strong key or use
certificates.
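The two rules above, as an added example that is not part of the guide or of JUNOSe itself: a Python model of how an IKEv1 responder has to select a preshared key in main mode versus aggressive mode, a check that flags a VPN plan violating the exclusive-address rule, and a demonstration of why aggressive mode with a preshared key needs a strong key. The VPN names, addresses, identities and the captured field values are constructed, and HMAC-SHA1 is assumed as the negotiated prf.

```python
"""Model of IKEv1 phase 1 preshared-key (PSK) selection on a VPN router.

Main mode: the initiator's identity arrives in message 5, encrypted under keys
derived from the PSK, so the responder must pick the PSK by address alone.
Aggressive mode: the identity arrives in message 1 in the clear, so the PSK can
be picked by identity, but the responder's HASH_R is then computed entirely over
values an observer can see, which allows an offline dictionary attack.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vpn:
    name: str
    local_ip: str            # server address the VPN listens on
    auth: str                # "psk" or "rsa-sig" (X.509v3 certificates)
    mode: str                # IKE phase 1 exchange: "main" or "aggressive"
    group_id: str            # FQDN identity (ID_i) that this VPN's clients present
    psk: Optional[bytes] = None


def check_vpn_plan(vpns):
    """Return the rule violations in a set of VPNs sharing an access network.

    Rule (from the guide): a VPN that uses PSK authentication with main mode
    must own its local IP address exclusively.
    """
    by_ip = {}
    for v in vpns:
        by_ip.setdefault(v.local_ip, []).append(v)
    problems = []
    for ip, group in by_ip.items():
        main_psk = [v.name for v in group if v.auth == "psk" and v.mode == "main"]
        if main_psk and len(group) > 1:
            problems.append(
                f"{ip}: main-mode PSK VPN {', '.join(main_psk)} must not share "
                f"this address with {', '.join(v.name for v in group)}")
    return problems


def select_psk(vpns, local_ip, mode, id_i=None):
    """Model the responder choosing a PSK for an incoming phase 1 exchange.

    Road-warrior peer addresses are unknown in advance, so in main mode the
    local address is the only selector; in aggressive mode ID_i from message 1
    is available too.  Returns the matching Vpn, or None when the choice is
    ambiguous or no VPN matches.
    """
    cands = [v for v in vpns if v.local_ip == local_ip and v.auth == "psk"]
    if mode == "aggressive":
        cands = [v for v in cands if v.group_id == id_i]
    elif mode != "main":
        raise ValueError(f"unknown exchange type {mode!r}")
    return cands[0] if len(cands) == 1 else None


def ike_prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 is assumed here for the example."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, ni, nr, g_xr, g_xi, cky_r, cky_i, sai, id_r):
    """Responder authentication hash for PSK authentication (RFC 2409, 5.4):
    SKEYID = prf(PSK, Ni | Nr)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    """
    skeyid = ike_prf(psk, ni + nr)
    return ike_prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai + id_r)


def constructed_capture(psk: bytes) -> dict:
    """Constructed stand-in for the public fields of aggressive-mode messages
    1 and 2 (values are arbitrary but fixed; not a real trace)."""
    fields = dict(
        ni=bytes(range(16)), nr=bytes(range(16, 32)),
        g_xi=b"\x02" * 64, g_xr=b"\x03" * 64,
        cky_i=b"\xa1" * 8, cky_r=b"\xb2" * 8,
        sai=b"\x00\x00\x00\x01\x00\x00\x00\x01",          # placeholder SA body
        id_r=b"\x02\x00\x00\x00" + b"vpn.example.net",    # ID_FQDN identity
    )
    fields["hash_r"] = hash_r(psk, **fields)   # sent in the clear in message 2
    return fields


def guess_psk_offline(capture: dict, wordlist) -> Optional[bytes]:
    """Offline dictionary attack on an aggressive-mode capture: every input to
    HASH_R except the PSK is visible, so each candidate can be checked locally.
    In main mode HASH_R is encrypted, so this check is not possible without the
    DH shared secret."""
    public = {k: v for k, v in capture.items() if k != "hash_r"}
    for cand in wordlist:
        if hmac.compare_digest(hash_r(cand, **public), capture["hash_r"]):
            return cand
    return None


if __name__ == "__main__":
    plan = [
        Vpn("corp", "198.51.100.1", "psk", "main", "corp.example.net", b"corp-psk"),
        Vpn("partner", "198.51.100.1", "psk", "main", "partner.example.net", b"partner-psk"),
    ]
    print(check_vpn_plan(plan))
    print(select_psk(plan, "198.51.100.1", "main"))   # None: ambiguous
    cap = constructed_capture(b"partner-psk")
    print(guess_psk_offline(cap, [b"password", b"corp-psk", b"partner-psk"]))
```

Running the module shows the two-VPN main-mode plan being rejected and the responder unable to pick a key, then the preshared key of an aggressive-mode peer being recovered from the public fields with a three-word list. Moving the second VPN to its own local address, or switching both to aggressive mode or RSA signatures, clears the check.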
After the IPSec-level authentication takes place, user authentication occurs. Often
considered a legacy form of authentication, user authentication (for example, by
RADIUS) typically requires the user to enter a username and password.
Platform Considerations
For information about modules that support dynamic IPSec subscribers on the ERX7xx
models, ERX14xx models, and the ERX310 Broadband Services Router:
180 ■ Platform Considerations
JUNOSe 11.1.x IP Services Configuration Guide