Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual Download Page 318 | Manualshive

Page: 318 / 366

background image

■

Configure the router to run in NAT passthrough mode by using the

application

l2tp-nat-passthrough

command. For information, see “NAT Passthrough Mode”

on page 292

.

■

Configure the virtual router to enable NAT Traversal (NAT-T) by using the

ipsec

option nat-t

command. For information, see “NAT Traversal” on page 293

.

Interaction Between IPSec and PPP

PPP defines the Compression Control Protocol (CCP) and the Encryption Control
Protocol (ECP) modes. These modes are currently not supported in the E Series
router. There is no interaction related to encryption directives between IPSec and
PPP.

LNS Change of Port

In the L2TP world, the LNS is allowed to change its port number; this functionality
is currently not supported in ERX routers. IPSec allows only port 1701 to be used
for L2TP/IPSec tunnels. However, the LAC is allowed to use any source port it desires.

Group Preshared Key

Group preshared keys allow the provisioning of secure remote access by means of
L2TP/IPSec to networks that do not use a certificate authority (CA) to issue certificates.
A group preshared key is associated with a local IP address in the E Series router and
is used to authenticate L2TP/IPSec clients that target this IP address as their VPN
server address.

CAUTION:

Group preshared keys are not fully secure, and we recommend that you

use digital certificates in place of group preshared keys. Group preshared keys are
open to man-in-the-middle attacks. To reduce this risk, the ERX routers accept only
IPSec connections that specify L2TP traffic selectors for security associations (SAs)
that are negotiated over IKE connections authenticated with group preshared keys.

NAT Passthrough Mode

NAT devices can change the IP address and port number of a traversing IP packet.
Encrypted frames, in which an ESP header follows the IP header, may or may not
get through the NAT device.

You can set up the router to run in NAT passthrough mode, which causes the router
to not check UDP checksums. The reason is that a NAT device may change the IP
address while the UDP header is encrypted. In this case, the UDP checksum cannot
be recalculated. Not checking UDP checksums does not compromise security, because
IPSec protects UDP with an authentication algorithm far stronger than UDP
checksums. To set up the router to run in NAT passthrough mode, use the

application

l2tp-nat-passthrough

command.

We recommend that you configure the router to use NAT passthrough mode when
the NAT device provides a feature commonly known as IPSec passthrough.

292

■

L2TP/IPSec Tunnels

JUNOSe 11.0.x IP Services Configuration Guide

«
...
316
317
318
319
320
...
»

Summary of Contents for JUNOSE 11.0.X IP SERVICES

Page 1: ...for E Series Broadband Services Routers IP Services Configuration Guide Release 11 0 x Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale California 94089 USA 408 745 2000 www juniper net Publi...

Page 2: ...S Patent Nos 5 473 599 5 905 725 5 909 440 6 192 051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 578 186 and 6 590 785 JUNOSe Software for E...

Page 3: ...alms devices links ports or transactions or require the purchase of separate licenses to use particular features functionalities services applications operations or capabilities or provide throughput...

Page 4: ...n connection with such withholding taxes by promptly providing Juniper with valid tax receipts and other required documentation showing Customer s payment of any withholding taxes completing appropria...

Page 5: ...nted to in writing by the party to be charged If any portion of this Agreement is held invalid the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement T...

Page 6: ...vi...

Page 7: ...uring IPSec 125 Chapter 6 Configuring Dynamic IPSec Subscribers 177 Chapter 7 Configuring ANCP 193 Chapter 8 Configuring Digital Certificates 213 Chapter 9 Configuring IP Tunnels 245 Chapter 10 Config...

Page 8: ...viii JUNOSe 11 0 x IP Services Configuration Guide...

Page 9: ...e Maps 4 Route Map Configuration Example 5 Multiple Values in a Match Entry 6 Negating Match Clauses 7 Matching a Community List Exactly 8 Removing Community Lists from a Route Map 8 Matching a Policy...

Page 10: ...urations 65 Traditional NAT 65 Basic NAT 65 NAPT 66 Bidirectional NAT 66 Twice NAT 66 Network and Address Terms 66 Inside Local Addresses 67 Inside Global Addresses 67 Outside Local Addresses 67 Outsi...

Page 11: ...AT 88 Displaying the NAT License Key 88 Displaying Translation Statistics 89 Displaying Translation Entries 91 Displaying Address Pool Information 92 Displaying Inside and Outside Rule Settings 93 Cha...

Page 12: ...BFD Information 121 Chapter 5 Configuring IPSec 125 Overview 125 IPSec Terms and Acronyms 125 Platform Considerations 127 References 127 IPSec Concepts 128 Secure IP Interfaces 128 RFC 2401 Compliance...

Page 13: ...nfiguring Dynamic IPSec Subscribers 177 Overview 177 Dynamic Connection Setup 177 Dynamic Connection Teardown 178 Dynamic IPSec Subscriber Recognition 178 Licensing Requirements 178 Inherited Subscrib...

Page 14: ...s Node 195 Platform Considerations 195 References 196 Configuring ANCP 196 Creating a Listening TCP Socket for ANCP 196 Accessing L2C Configuration Mode for ANCP 196 Defining the ANCP Session Timeout...

Page 15: ...od 221 Configuring Digital Certificates Using the Online Method 227 Configuring Peer Public Keys Without Digital Certificates 232 Monitoring Digital Certificates and Public Keys 237 Chapter 9 Configur...

Page 16: ...80 Module Requirements 280 ERX7xx Models ERX14xx Models and the ERX310 Router 280 E120 Router and E320 Router 281 Configuring IP Reassembly 281 Monitoring IP Reassembly 282 Setting Statistics Baseline...

Page 17: ...port Profiles 302 Monitoring DVMRP IPSec GRE IPSec and L2TP IPSec Tunnels 307 System Event Logs 307 show Commands 307 Chapter 13 Configuring the Mobile IP Home Agent 315 Mobile IP Overview 315 Mobile...

Page 18: ...xviii Table of Contents JUNOSe 11 0 x IP Services Configuration Guide...

Page 19: ...rk 160 Figure 16 ISP X Uses ERX Routers to Connect Corporate Offices over the Internet 161 Figure 17 Connecting Customers Who Use Similar Address Schemes 164 Chapter 7 Configuring ANCP 193 Figure 18 U...

Page 20: ...xx List of Figures JUNOSe 11 0 x IP Services Configuration Guide...

Page 21: ...Abbreviations 125 Table 9 Security Parameters Used on Secure IP Interfaces 130 Table 10 Security Parameters per IPSec Policy Type 132 Table 11 Supported Transforms 136 Table 12 Supported Security Tra...

Page 22: ...xxii List of Tables JUNOSe 11 0 x IP Services Configuration Guide...

Page 23: ...ion in the latest release notes differs from the information in the documentation follow the JUNOSe Release Notes To obtain the most current version of all Juniper Networks technical documentation see...

Page 24: ...pf 2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents information as displayed on your terminal s screen Fixed width text like this There are two levels o...

Page 25: ...e from the Juniper Networks Web site athttp www juniper net Documentation Feedback We encourage you to provide feedback comments and suggestions so that we can improve the documentation to better meet...

Page 26: ...ase notes http www juniper net customers csc software Search technical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Netwo...

Page 27: ...c on page 125 Configuring Dynamic IPSec Subscribers on page 177 Configuring ANCP on page 193 Configuring Digital Certificates on page 213 Configuring IP Tunnels on page 245 Configuring Dynamic IP Tunn...

Page 28: ...2 Chapters JUNOSe 11 0 x IP Services Configuration Guide...

Page 29: ...page 4 Route Maps on page 4 Match Policy Lists on page 20 Access Lists on page 21 Using the Null Interface on page 33 Prefix Lists on page 33 Prefix Trees on page 36 Community Lists on page 38 Using...

Page 30: ...uter See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers References For more information about the protocols discussed in this cha...

Page 31: ...e of the route map For example suppose you create two instances of route map boston5 one with sequence number 10 and one with sequence number 25 When you apply boston5 routes are evaluated first again...

Page 32: ...outer neighbor 10 2 2 4 route map block1 out host1 config router exit host1 config ip as path access list boston deny _32_ host1 config route map block1 deny 1 host1 config route map match as path bos...

Page 33: ...atch entry is deleted The routing software deletes the entire match entry only if the entry contains no other values In some earlier releases any value specified with a no match command was ignored an...

Page 34: ...w ip community list Community standard list 1 permit 0 100 0 200 0 300 host1 config route map example1 permit 10 host1 config route map match community 1 exact match host1 config exit host1 show route...

Page 35: ...s also known as AAA framed routes are sourced by AAA The following example shows how you might redistribute access internal routes and access routes by matching on a tag 1 Configure route map tagtest...

Page 36: ...specified value from the match clause See match community match distance Use to match any routes being redistributed out of the routing table that have the specified administrative distance Distance i...

Page 37: ...ress passed by the specified access list prefix list or prefix tree Example host1 config route map match ip next hop 5 acl_192_54_24_1 Use the no version to delete the match clause from a route map or...

Page 38: ...fix list in which case only that prefix list match is removed from the route map See match ipv6 route source match level Use to match routes for the specified level Example host1 config route map matc...

Page 39: ...summary prefix tree Use to specify the prefix tree that summarizes routes for a particular route map Use the ip prefix tree command to set the conditions of the prefix tree including which routes to...

Page 40: ...he router command You specify the source routing protocol with the redistribute command Example host1 config route map nyc1 permit 10 host1 config route map match ip address list1 host1 config route m...

Page 41: ...community attribute Similarly a match is found for the list entry of 231 20 and this community is deleted from the community attribute Example host1 config route map set comm list 1 delete Use the no...

Page 42: ...to the same prefix to identify the best route to that prefix Setting distance in any other circumstance has no effect Example host1 config route map set distance 5 Use the no version to delete the se...

Page 43: ...a route map See set ipv6 next hop set level Use to specify where to import routes when all of a route map s match criteria are met Example host1 config route map set level level 2 Use the no version t...

Page 44: ...xt hop of the advertised route If the cost of the next hop changes BGP is not forced to readvertise the route For BGP you can specify the following metrics external Reverts to the normal BGP rules for...

Page 45: ...e classes to classify packets for quality of service QoS Example host1 config route map set route class 50 Use the no version to delete the set clause from a route map See set route class set route ty...

Page 46: ...ps the match clauses in match policy lists contain permit and deny statements When you reference a match policy list within a route map the route map evaluates and processes each match clause and perm...

Page 47: ...efix against the conditions in the list or tree one by one If the first match is for a permit condition the route is accepted or passed If the first match is for a deny condition the route is rejected...

Page 48: ...oute map set metric type internal 4 Configure redistribution into IS IS of the static routes with route map 1 host1 config router isis testnet host1 config router redistribute static route map 1 5 Ver...

Page 49: ...ip as path access list command and apply the list to routes received from or passed to a neighbor with the neighbor filter list command AS path access lists use regular expressions to describe the AS...

Page 50: ...er bgp 47 host1 config router neighbor 10 2 9 2 remote as 621 host1 config router neighbor 10 2 9 2 filter list 1 in host1 config router neighbor 10 2 8 2 remote as 11 host1 config router neighbor 10...

Page 51: ...bute includes 32 or 837 This condition permits routes that originate in or pass through from elsewhere AS 32 or AS 837 When these routes are advertised through AS 451 and AS 17 to router Chicago insta...

Page 52: ...ginating in AS 74 learned via router NY that passed through AS 837 and AS 32 weight 175 according to route map 2 over the same routes learned via router Boston weight 150 access list Use to define an...

Page 53: ...20 and AS path 100 200 300 because 20 is a substring of each path To disable substring matching and constrain matching to only the specified attribute string place the underscore _ metacharacter on bo...

Page 54: ...access list from a neighbor See neighbor distribute list neighbor filter list Use to assign an AS path access list to matching inbound or outbound routes Use the in keyword to apply the list to inbou...

Page 55: ...g routes outbound policy you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy Example host1 config router neighbor 192 168 1 158 prefix...

Page 56: ...1 0 0 0 0 255 host1 config access list gold permit ip host 2 2 2 2 232 0 1 0 0 0 0 255 host1 config access list gold permit ip host 1 1 1 1 232 0 2 0 0 0 0 255 host1 config access list gold permit ip...

Page 57: ...clear access list counters clear access list clear ipv6 access list Use to clear all access list counters or access list counters in the specified access list Example 1 host1 clear access list list1...

Page 58: ...tes an association specifying in this case that only IP addresses that match the access list criterion appear in the routing table ip access route table map ipv6 access route table map Use to filter a...

Page 59: ...ords instead of a next hop or destination address when you configure routes interface null Use to access the null interface The null interface is a data sink it does not accept or forward traffic Alth...

Page 60: ...to add a clause to a route map Using a Prefix List The following example creates a prefix list that permits routes with a prefix length up to 24 in the 151 0 0 0 8 network host1 config ip prefix list...

Page 61: ...0 8 Example 2 IPv6 exact match required the router permits only a route with a prefix length of 8 and a network address of 1 0 0 0 0 0 0 5 host1 config ipv6 prefix list abc permit 1 5 8 Use the no ve...

Page 62: ...oute map See match ipv6 next hop Prefix Trees A prefix tree is a nonsequential collection of permit and deny conditions that apply to IP addresses Like a prefix list the prefix tree specifies a base I...

Page 63: ...an entry matches Example host1 clear ip prefix tree xyz There is no no version See clear ip prefix tree ip prefix tree Use to create a prefix tree for best route filtering specifies a tree entry a den...

Page 64: ...enables you to define the community to which a prefix belongs A prefix can belong to more than one community The community attribute lists the communities to which a prefix belongs You can use commun...

Page 65: ...rmat You can also use a regular expression to specify the community attribute Use the set community command in route maps to configure the community attributes You can add one or more communities to t...

Page 66: ...map match community 1 host1 config route map set metric 20 host1 config route map exit host1 config route map commtrc permit 2 host1 config route map match community 2 host1 config route map set metri...

Page 67: ...that is the multiple values are logical ANDed You can specify community values with a number or a regular expression Example host1 config ip community list 1 permit 100 2 100 3 100 4 host1 config rout...

Page 68: ...efined in Internet draft BGP Extended Communities Attribute draft ietf idr bgp ext communities 07 txt February 2004 expiration This attribute enables the definition of a type of IP extended community...

Page 69: ...00 4 Use the no version to remove a single extended community list entry if you specify the permit or deny keyword and a path expression Otherwise the router removes the entire community list See ip e...

Page 70: ...access lists and community lists to more easily filter routes A regular expression uses special characters often referred to as metacharacters to define a pattern that is compared with an input strin...

Page 71: ...ssue the ip bgp community new format command the community number has the format AA NN where AA is a number that identifies the autonomous system and NN is a number that identifies the community withi...

Page 72: ...t regular expression It is simply a character or token with no special meaning just as a numeral has no special meaning The backslash applies only to the character immediately following it in the regu...

Page 73: ...des any one character followed by the numeral 5 5 179 35 2433 252 129 48 2129 14600 2129 321 94 Includes a sequence of three characters where the first character is numeral 1 and the third character i...

Page 74: ...n 37 1 37 600 700 10025 7771 In the following examples the three characters are 7 space 8 307 800 6127 888 999 Includes a sequence of three characters where the first character is numeral 7 7 6127 723...

Page 75: ...ifying 200 no underscores results in a match on 200 and on 2005 The underscore metacharacter disables substring matching _200_ For information about using AS path access lists see Access Lists on page...

Page 76: ...ccess list show ipv6 access list Access lists show ip community list Community lists show ip match policy list Policy lists show ip prefix list Prefix lists show ip prefix tree Prefix trees show ip pr...

Page 77: ...IP Access List 10 permit ip any any IP Access List 11 deny ip any any Example 2 host1 show access list detail IP Access List 1 1 permit ip host 172 31 192 217 any 2 permit ip 12 40 0 0 0 0 0 3 any de...

Page 78: ...mit internet Example 2 If you did issue the ip bgp community new format command the display appears as follows host1 show ip community list Community List 1 permit 1239 1005 permit 1239 1006 permit 12...

Page 79: ...nsertion def ip prefix list name abc count 4 range entries 4 sequences 5 20 ip prefix list name def count 1 range entries 0 sequences 5 5 See show ip prefix list show ip prefix tree Use to display inf...

Page 80: ...d Always compare MED is disabled Router flap damping is disabled Administrative Distance external 20 internal 200 local 200 Neighbor s No neighbors are configured Routing for Networks Routing Protocol...

Page 81: ...ng with a specified address routes for a particular protocol BGP IS IS OSPF or RIP locally connected routes internal control routes static routes or summary counters for the routing table Field descri...

Page 82: ...tries 0 isis routes 0 rip routes 3 static routes 2 connected routes 1 bgp routes 0 ospf routes 2 other internal routes 0 access routes 0 internally created access host routes Last route added deleted...

Page 83: ...nterface index is present in the routing table for special IP addresses such as broadcast addresses Next Hop Next hop to reach the IP address displays if no next hop is associated with the IP address...

Page 84: ...r of frames received local destination Frames with this router as their destination hdr errors Number of packets received that contain header errors addr errors Number of packets received that contain...

Page 85: ...ived dst unreach Number of packets received with destination unreachable time exceed Number of packets received with time to live exceeded param probs Number of packets received with parameter errors...

Page 86: ...which no application listener was listening on the destination port UDP Statistics Sent total Total number of UDP packets sent errors Number of error packets sent TCP Global Statistics Connections at...

Page 87: ...timed out 8 reasm req 0 reasm fails 145 frag ok 0 frag fail 290 frag creates Sent 15 forwarded 25144 generated 0 out disc 0 no routes 0 routing discards Route 57680 routes in table 0 timestamp req 0...

Page 88: ...es the instances of each access list such as match and set commands Example host1 config route map 1 permit 10 host1 config route map match community 44 host1 config route map set local pref 400 host1...

Page 89: ...page 71 Limiting Translation Entries on page 71 Specifying Inside and Outside Interfaces on page 71 Defining Static Address Translations on page 72 Defining Dynamic Translations on page 74 Clearing Dy...

Page 90: ...endix A Module Protocol Support for information about the modules that support NAT NOTE The E120 and E320 Broadband Services Routers do not support configuration of NAT Module Requirements To configur...

Page 91: ...public network must not overlap Also route destination advertisements on the public network for example the Internet can appear within the inside network but the NAT router does not propagate advertis...

Page 92: ...side host to reach the inside host by using a public address When the outside host initiates a connection with the inside host on the private network the NAT router translates that public destination...

Page 93: ...IP address of an inside host as seen by an outside host and network Addresses may be allocated from a globally unique address space often provided by the ISP if the inside address is connected to the...

Page 94: ...the outbound direction restores the original information this time operating on the destination address or address port pair For inbound traffic the NAT router translates the outside global address or...

Page 95: ...e packet to the appropriate egress line module 6 The line module sends the packet as outbound traffic using a globally unique source address inside source translation destination address outside sourc...

Page 96: ...Discard Rules For all supported types of traffic TCP UDP ICMP and GRE NAT discards packets in the following cases When the translation table is full that is no more entries can be added When the addre...

Page 97: ...that the translation table contains in global configuration mode for a given virtual router ip nat translation max entries Use to specify the maximum number of dynamic translation entries that the tra...

Page 98: ...ith more specific variables that further define the type of translation CAUTION You must mark interfaces that participate in NAT translation as on the inside or the outside network See Specifying Insi...

Page 99: ...translation between two non unique or not publicly routable networks for example two separate networks that use overlapping IP address blocks ip nat outside source static Use to translate the source a...

Page 100: ...cess lists see Configuring Routing Policy on page 3 The router evaluates multiple commands for the same access list in the order they were created An undefined access list implicitly contains a rule t...

Page 101: ...lapping ranges When you create or edit address pools keep the following in mind Starting and ending IP addresses for the specified range are inclusive and must reside on the same subnet Address ranges...

Page 102: ...onfigure inside source or outside source translation If the NAT router cannot locate a matching entry in its translation database for a given packet it evaluates the access list of all applicable dyna...

Page 103: ...inside source list Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the inside network to the outside network Example h...

Page 104: ...translations default is 120 seconds These dynamic translations are installed by the DNS but not yet used as soon as the translation is used the router applies the timeout value mentioned above udp tim...

Page 105: ...mand to clear all dynamic translations from the translation table Use an asterisk in the clear ip nat translation gre icmp tcp udp inside insideGlobalIpAddress insideLocalIpAddress version of this com...

Page 106: ...k the inside interfaces a Mark the field office host1 blue config interface serial 2 1 1 1 host1 blue config interface ip nat inside host1 blue config interface exit b Mark the two corporate T 3 links...

Page 107: ...outing loops when no matching translation exists host1 blue config ip route 192 32 6 0 255 255 255 248 null 0 NOTE Null route applies to 192 32 6 0 192 32 6 3 which do not exist in the address pool Al...

Page 108: ...168 22 2 192 32 6 1 5 Create the address pool for dynamic translations host1 blue config ip nat pool entA192 192 32 6 2 192 32 6 63 prefix length 24 6 Create the access list for addresses eligible fo...

Page 109: ...inside source and outside source translations must be configured on the NAT router Figure 8 on page 83 illustrates how the inside network is using the unregistered global address space of 15 12 0 0 1...

Page 110: ...6 NOTE This pool is purposely small allowing for only a few connections 8 Configure the access list for global addresses that overlap with inside addresses host1 blue config access list entAin permit...

Page 111: ...in other PE devices the rest of the VPN through RFC2547bis MPLS VPNs VR1 of which the VRF is administratively a member represents the public network The interface to EnterpriseA is marked as an inside...

Page 112: ...device can communicate on the public network host1 vr1 vrf11 config interface ip destination prefix 128 13 44 0 255 255 255 0 9 Mark the subscriber interface as outside host1 vr1 vrf11 config interfac...

Page 113: ...13 1 2 3 The PPTP client initiates its tunnels to the server at 11 11 11 1 The E Series router translates the SA from inside local 13 1 2 3 to inside global SA 20 0 0 1 Because GRE traffic can pass th...

Page 114: ...unnel server module for GRE processing If the packets require translating they are again sent through the tunnel server module NOTE Only inner IP headers are translated for terminating GRE flows outer...

Page 115: ...utside Source Extended Number of outside source extended static translations Dynamic Translation Type Type of dynamic translation inside source simple outside source simple inside source extended Curr...

Page 116: ...imple 69999 69999 69999 12568 Outside Source Simple 4518 4518 4518 25 Inside Source Extended 70000 70000 70000 568 Fully Extended 26855 26855 26855 2565 Forwarding statistics for virtual router vr1 Pa...

Page 117: ...xtended entries Inside global Inside global IP address for this translation entry this field also provides the port number separated by a colon for extended entries Outside global Outside global IP ad...

Page 118: ...20 50 0 3 87 30 50 0 3 8 00 03 35 Never 108 See show ip nat translations Displaying Address Pool Information The show ip nat pool command displays NAT address pool information The command output disp...

Page 119: ...r Specifying an access list filters the output to display only the address pool associated with the specified list show ip nat inside rule Use to display NAT access list and pool usage information for...

Page 120: ...e of rule assigned Example host1 show ip nat outside rule access list name list4 pool name poolD rule type outside source See show ip nat outside rule 94 Monitoring NAT JUNOSe 11 0 x IP Services Confi...

Page 121: ...of a remote workstation for data collection and further processing In addition the ability to enable J Flow on an individual virtual router interface or subinterface allows you to collect network sta...

Page 122: ...ss interface Aggregation caches contain a subset of the fields collected in the raw flow data For example TCP flags Next Hop Address and ToS values are not maintained in any of the aggregation caches...

Page 123: ...lways RP 0 Engine ID SRP slot number If for any reason the virtual router is unable to export records to the collector the unsent records are discarded However the virtual router continues to increase...

Page 124: ...ions See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support NAT For information about modules that support J Flow on the E120 and E320 Broadband Service...

Page 125: ...Interface Use the ip route cache flow sampled command to enable J Flow statistics on an interface You can also use this command to configure an IP profile that is applied to dynamically created IP int...

Page 126: ...w changes the packet sampling value to the closest integer that is a power of two and that is less than or equal to the configured value For performance reasons J Flow applies these adjustments to the...

Page 127: ...cently used flow is removed The possible flow cache range is 1 024 524 288 entries The default value is 65 536 entries ip flow cache entries Use to limit J Flow main flow cache entries Example host1 c...

Page 128: ...lue is 10 600 seconds The default value is 15 seconds ip flow cache timeout inactive Use to define the inactivity timer in seconds Example host1 config ip flow cache timeout inactive 90 Use the no ver...

Page 129: ...can configure the Prefix aggregation cache for both source and destination minimum mask size You can configure only the source minimum mask size for the Source Prefix aggregation cache You can configu...

Page 130: ...set the number of entries in the aggregation cache Example host1 config flow cache cache entries 524288 Use the no version to reset the number of entries to the default value 4096 See cache entries c...

Page 131: ...gation cache and its configuration See ip flow aggregation cache mask destination Use to set the minimum mask size for the destination address for the prefix and destination prefix aggregation caches...

Page 132: ...wing commands Command To Display show ip cache flow Main cache flow operational statistics show ip flow sampling J Flow sampling state show ip flow export J Flow export state and export statistics You...

Page 133: ...dr Destination address of sampled packets Dst Intf Destination interface of sampled packets Summary Total Flows Processed Total number of flows processed Total Packets Total number of packets sampled...

Page 134: ...within the confines of this document host1 show ip cache flow active detail Main Cache Max Entries 65536 Activity Timeout 60 mins Inactivity Timeout 600 secs Cache Enabled 32012 packets sampled Distri...

Page 135: ...4 0 000 96 0 000 128 0 000 160 0 000 192 0 000 224 0 000 256 0 000 288 0 000 320 0 000 352 0 000 384 0 000 416 0 000 448 0 000 480 0 000 512 0 000 544 0 000 576 0 000 1024 96 784 1536 3 216 2048 0 000...

Page 136: ...d packets Dst Addr Destination address of sampled packets Dst Intf Destination interface of sampled packets Summary Total Flows Processed Total number of flows processed Total Packets Total number of...

Page 137: ...urce ip interface GigabitEthernet5 0 0 See show ip flow show ip flow sampling Use to display configuration values for IP flow cache sampling Example host1 show ip flow sampling Flow sampling is enable...

Page 138: ...112 Monitoring J Flow Statistics JUNOSe 11 0 x IP Services Configuration Guide...

Page 139: ...n these hello messages are not used IGP hellos have their own limitations it often takes one second or more to detect a remote end failure and processing IGP hello messages takes precious processing t...

Page 140: ...FD enters the Admin Down state BFD notifies the new state to its peer for a failure detection time and after the time expires the client stops transmitting packets For the Admin Down state to work the...

Page 141: ...terval is the greater of its transmit interval 450 ms and the Router A receive interval 500 ms or 500 ms The liveness detection interval is the period a peer waits for a BFD packet from its peer befor...

Page 142: ...dels and the ERX310 Broadband Services Router See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for informatio...

Page 143: ...er attempts to establish version 0 or version 1 sessions based on the capability of the BFD neighbor Table 7 on page 117 indicates how the routers establish sessions based on BFD version support Table...

Page 144: ...guration Guide EBGP Chapter Configuring IP in JUNOSe IP IPv6 and IGP Configuration Guide IPv4 static routes Chapter Configuring IS IS in JUNOSe IP IPv6 and IGP Configuration Guide IS IS Chapter Config...

Page 145: ...all virtual routers on the router Example host1 config bfd adapt Use the no version to disable subsequent BFD sessions from adapting timer intervals without resetting any already adapted intervals See...

Page 146: ...ted clear ipv6 bfd session Use to restart all IPv6 BFD sessions or a specified IPv6 BFD session Use the address keyword to indicate the IPv6 address of the destination to which the session has been es...

Page 147: ...ing feature of the show command to include or exclude lines of output based on a text string that you specify See Command Line Interface in JUNOSe System Basics Configuration Guide for details show li...

Page 148: ...abled for this BFD session on the router Local min tx interval Minimum transmit interval in seconds configured on the session at the local end min rx interval Minimum receive interval in seconds confi...

Page 149: ...s or no forwarding controller assist available only for ES2 4G LM Detection FC assisted Whether component in forwarding controller is acting to speed fast failure detection times yes or no forwarding...

Page 150: ...r 3 Remote discriminator 1 Session up time 00 00 01 04 Up Down count 1 Adaptivity disabled Local min tx interval 0 3 min rx interval 0 3 multiplier 3 Adapted min tx interval 0 min rx interval 0 multip...

Page 151: ...r areas Encapsulating protocols including authentication AH and Encapsulating Security Payload ESP to provide security on specified packets The Internet Security Association and Key Management Protoco...

Page 152: ...Protocol Security IPSec IP address of the entity that is one of two endpoints in an IPSec SA IPSec endpoint Internet Security Association and Key Management Protocol ISAKMP Security associations used...

Page 153: ...of IPSec References For information about IPSec see the following RFCs RFC 768 User Datagram Protocol August 1980 RFC 2401 Security Architecture for the Internet Protocol November 1998 RFC 2402 IP Aut...

Page 154: ...to every data packet Both protocols are defined with two modes of operation Tunnel mode completely encapsulates the original packet within another IP header Transport mode keeps the original header a...

Page 155: ...nel which traffic to discard and so on The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that unwanted traffic is not allowed inside the tunnel Supporte...

Page 156: ...r context and source and destination IP addresses Transport VR A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys PFS ensur...

Page 157: ...negotiate an SA on demand with the remote security gateway The remote security gateway must also support SA negotiation otherwise the gateway drops traffic Again the router keeps statistics for dropp...

Page 158: ...ure IP interface exists Transport Virtual Router The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel endpoints the source and destination are routable addresses Normal...

Page 159: ...u can use an FQDN instead of the IP address to specify tunnel endpoints You typically use this feature to identify the tunnel destination in broadband and DSL environments in which the destination doe...

Page 160: ...me on page 144 For signaled IPSec interfaces both the inbound and outbound SA must be assigned a lifetime The lifetime parameter controls the duration for which the SA is valid When a user SA is estab...

Page 161: ...secure IP interface Therefore two sets of SA parameters exist for each secure IP interface one being the inbound SA parameters and the other the outbound SA parameters The following parameters form e...

Page 162: ...ication ESP provides data confidentiality and antireplay functions ESP can also provide data authentication although in this implementation ESP does not cover the outer IP header Encapsulation Modes I...

Page 163: ...g the 3DES encryption algorithm 3DES uses a 168 bit symmetric encryption key and is widely accepted as a strong encryption algorithm Export control issues apply to products that ship from the USA with...

Page 164: ...nd against each transform in the transform set If there is no match the router provides a negative answer to the remote end which can either try another transform or give up If no match is found the s...

Page 165: ...PD is a keepalive mechanism that enables the E Series router to detect when the connection between the router and a remote IPSec peer has been lost DPD enables the router to reclaim resources and to o...

Page 166: ...ng failover the IPSec tunnel switches to the alternate destination and establishes IPSec SAs with the new peer To configure tunnel failover you specify the tunnel destination backup endpoint Tunnel fa...

Page 167: ...esdropping making it less secure than main mode Is faster than main mode because fewer messages are exchanged between peers Three messages are exchanged in aggressive mode Enables support for fully qu...

Page 168: ...gotiating IKE SAs The agreed on IKE SA between the local system and a remote security gateway may vary because it depends on the IKE policies used by each remote peer However the initial set of IKE po...

Page 169: ...ty The ERX router supports two authentication methods Digital certificates using RSA algorithms For digital certificate authentication an initiator signs message interchange data using his private key...

Page 170: ...ists starting from the highest priority If it finds a match that policy is successfully negotiated Again the lifetime is negotiated to the lesser of the two lifetimes and failures are logged Generatin...

Page 171: ...cense you can configure up to 10 IPSec tunnels on an ERX router However you can purchase licenses that support the following IPSec tunnel maximums 1000 2000 4000 8000 16000 32000 The number of additio...

Page 172: ...fig manual key masked key AAAAGAAAAAcAAAACfd SAsaVQ6Qeopt2rJOP6LDg 0hX5cMO 3 Define the local endpoint used for ISAKMP IKE negotiations for all IPSec tunnels in the router host1 config ipsec local end...

Page 173: ...is renegotiated To set a lifetime for all SAs on a tunnel use the tunnel lifetime command To set a lifetime for a specific SA use lifetime on page 158 Example 1 host1 config ipsec lifetime kilobytes 4...

Page 174: ...m set See ipsec transform set key Use to enter a manual preshared key Preshared keys can have up to 256 ASCII alphanumeric characters To include spaces in the key enclose the key in quotation marks Ex...

Page 175: ...face host1 vrA config if ip address 10 3 0 0 255 255 0 0 4 Specify the transform set that ISAKMP uses for SA negotiations host1 vrA config if tunnel transform set customerAprotection 5 Configure the l...

Page 176: ...U size for the tunnel host1 config if tunnel mtu 2240 interface tunnel Use to create or configure an IPSec tunnel interface Use the transport virtual router keyword to establish the tunnel on a virtua...

Page 177: ...ic or number of seconds limit is reached the SA is renegotiated which ensures that the tunnel does not go down during renegotiation Example host1 config if tunnel lifetime seconds 48000 kilobytes 2490...

Page 178: ...entity Example 1 host1 config if tunnel peer identity range 10 10 1 1 10 10 2 2 Example 2 host1 config if tunnel peer identity subnet 130 10 1 1 255 255 255 0 Use the no version to remove the peer ide...

Page 179: ...ryption algorithm sets SPI and session keys for outbound SAs on a tunnel You can enter this command only on tunnels that have tunnel signaling set to manual Use the online Help to see a list of availa...

Page 180: ...st1 config if tunnel transform set espSet Use the no version to remove the transform set from a tunnel See tunnel transform set Configuring DPD and IPSec Tunnel Failover You can use the ipsec option d...

Page 181: ...backup tunnel destination When DPD detects a disconnection between the E Series router and the regular IPSec tunnel destination the router redirects traffic to the tunnel destination backup and vice...

Page 182: ...aggressive mode Specify the authentication method host1 config ike policy authentication pre share Specify the encryption algorithm host1 config ike policy encryption 3des Assign a Diffie Hellman gro...

Page 183: ...1 config ike policy authentication pre share Use the no version to restore the default preshared keys See authentication encryption Use to specify one of the following encryption algorithms to use in...

Page 184: ...s a priority to the policy You can number policies in the range 1 10000 with 1 having the highest priority You can add up to 10 IKE policies per router Example host1 config ipsec ike policy rule 3 hos...

Page 185: ...okie pair it can send an invalid cookie notification message to the initiator The responder might fail to recognize the cookie pair because it has lost the cookie or because it deleted the cookie and...

Page 186: ...le IPSec tunnels between the same endpoints They filter traffic going into and coming out of the tunnels so that it is within the specified range If the configuration requires that only one IPSec tunn...

Page 187: ...erASecret erx1 config manual key exit erx1 config ipsec key manual pre share 100 3 0 1 erx1 config manual key key customerASecret erx1 config manual key exit erx2 config ipsec key manual pre share 100...

Page 188: ...ion erx2 config if tunnel local identity subnet 200 2 0 0 255 255 0 0 erx2 config if tunnel peer identity subnet 200 1 0 0 255 255 0 0 erx2 config if tunnel source 100 2 0 1 erx2 config if tunnel dest...

Page 189: ...pted and authenticated Of course this example shows the basic secure encapsulation of customer traffic over the untrusted IP network You can add features such as key refreshing Example 2 Example 2 sho...

Page 190: ...3des hmac sha erx3 config ipsec transform set customerBprotection ah hmac md5 2 On each ERX router create a protection suite for the three routers to use to authenticate each other erx1 config ipsec k...

Page 191: ...the IP interfaces reaching those customers are defined Create the endpoints for the tunnels in the ISP default virtual router Virtual router A erx1 config virtual router vrA erx1 vrA config Tunnel fro...

Page 192: ...0 0 erx1 vrB config if exit 4 On erx2 create two IPSec tunnels one to carry customer A s traffic and another to carry customer B s traffic You must create each pair of tunnels in the virtual routers...

Page 193: ...config if tunnel transform set customerBprotection erx2 vrB config if tunnel local identity subnet 10 2 0 0 255 255 0 0 erx2 vrB config if tunnel peer identity subnet 10 3 0 0 255 255 0 0 erx2 vrB con...

Page 194: ...nation 5 1 0 1 erx3 vrB config if ip address 10 1 0 0 255 255 0 0 erx3 vrB config if exit Tunnel from Boston to Boca on virtual router B erx3 vrB config interface tunnel ipsec Bboston2boca transport v...

Page 195: ...sed in the IKE policy des 3des hash algorithm Hash algorithm used in the IKE policy SHA MD5 authentication method Authentication method used in the IKE policy RSA signature preshared keys Diffie Hellm...

Page 196: ...Corresponds to the messaging state in the main mode and aggressive mode negotiations Possible states are AM_SA_I Initiator has sent initial aggressive mode SA payload and key exchange to the responde...

Page 197: ...100 500 195 0 2 200 500 1688 DONE 0x6573dcbc9bf31fae 0x7af8b4d13078b463 195 0 3 100 500 195 0 3 200 500 1685 DONE 0xdc7df648fcac375a 0x0346752d2881d5c5 195 0 3 100 500 195 0 3 200 500 1685 DONE 0xe77...

Page 198: ...ic transform set include the transform set name Field descriptions Transform set Displays the transforms in the transform set Example 1 host1 show ipsec transform set Transform set Highest security es...

Page 199: ...nnel lifetime kilobytes Configured traffic based lifetime in kilobytes Tunnel pfs PFS group in use on the tunnel 0 PFS is not in use 1 768 bit group 2 1024 bit group 5 1536 bit group Tunnel administra...

Page 200: ...s Number of octets sent in encapsulated packets OutPolicyErrors Number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier selector OutOtherTxErrors Number of...

Page 201: ...ummary Use to display a summary of all tunnels configured on the router Field descriptions Total number of ipsec interface Number of tunnels configured on the router Administrative status Number of tu...

Page 202: ...l2e3d1 is up IPSEC tunnel s0l3e3d0 is up IPSEC tunnel s0l4e3d0 is up IPSEC tunnel s0l4e3d1 is up IPSEC tunnel s0l5e3d0 is up See show ipsec tunnel show license ipsec tunnels Use to display the IPSec l...

Page 203: ...the resources This link can be a direct connection or a tunnel IPSec IP in IP GRE or MPLS Once establishing a connection the router can pass traffic between the VPN and connected users The E Series ro...

Page 204: ...SA deleted by a remote peer and no rekeying activity occurs for one minute Administrative logout IPSec card terminating the user becoming unavailable for example the card is reloading disabled or disc...

Page 205: ...scribers Controlling which connecting user based on the IKE identification belongs to a given profile Profile settings falling in this category include the following IKE identities from peers that can...

Page 206: ...authentication phase verifies private or preshared keys that reside on the PC These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed...

Page 207: ...e latest drafts For additional configuration information see Configuring IPSec on page 125 Configuring Digital Certificates on page 213 Configuring IP Tunnels on page 245 JUNOSe Broadband Access Confi...

Page 208: ...ces Use to define the maximum number of interfaces that the IPSec tunnel profile can instantiate Example host1 config ipsec tunnel profile max interfaces 500 Use the no version to return the maximum v...

Page 209: ...s identity must also pass any restrictions set for the peer domain name for this profile before they are able to log in An IP address as an IKE identity type and the IP address resides within the spec...

Page 210: ...efault value no domain suffix and usernames are passed transparently to AAA See domain suffix Overriding IPSec Local and Peer Identities for SA Negotiations You can use the local ip identity and peer...

Page 211: ...le ip profile ipProfile1 Use the no version to remove the association with this profile See ip profile Defining the Server IP Address The local ip address command defines the specified local IP addres...

Page 212: ...hrough the secure tunnel and reach the VPN Other traffic for example Web browsing would travel directly to the Internet through the local service provider without passing through the tunnel NOTE Split...

Page 213: ...KE SA establishment Subsequent IKE SAs rekey operations inherit the initial authentication and do not reauthenticate users NOTE For maximum security enable reauthentication The skip peer config keywor...

Page 214: ...nsform ah hmac md5 Use the no version to reset the transform to the default esp 3des sha1 See transform Specifying IPSec Security Association PFS and DH Group Parameters The pfs group command specifie...

Page 215: ...to an IKE SA exchange the router evaluates the possible policy rules as follows If an IP address specific IKE policy rule refers to the local IP address and virtual router for this exchange the router...

Page 216: ...y aggressive mode negotiation the tunnel proposes aggressive mode to the peer in connections that the policy initiates If the peer initiates a negotiation the tunnel accepts the negotiation if the mod...

Page 217: ...ded authentication pap no re authentication Peer IP characteristics configuration enabled Virtual router default Local IP address 10 227 5 31 Local IKE identity 10 227 5 31 Peer IKE identity IP networ...

Page 218: ...address is that of the user When the endpoint is l2tp the address is that of the LNS Virtual Router Name of the virtual router context Interface Interface specifier over which the subscriber is connec...

Page 219: ...ol ANCP also known as Layer 2 Control L2C is based on a subset of the General Switch Management Protocol GSMP as defined in the GSMPv3 Base Specification draft ietf gsmp v3 base spec 06 txt GSMP is a...

Page 220: ...re that B RAS devices obtain information about the access network topology the links within that network and their rates Operations support systems cannot enforce the consistency of this gathered info...

Page 221: ...llowing ways From AAA layer For PPP interfaces the router retrieves the DSL line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external...

Page 222: ...tening TCP socket for ANCP ANCP monitors port 6068 for ANCP TCP connection requests l2c ip listen Use to create a listening TCP socket in the current virtual router context Example host1 config l2c ip...

Page 223: ...the learning option This learning option in the virtual router enables network access server to learn the partition ID from all the access nodes wait for gsmp syn Use to enable the learning option in...

Page 224: ...version to remove the output label association See l2c end user id l2c max branches Use to specify the maximum number of branches the ANCP end user can have Example host1 config if l2c max branches 5...

Page 225: ...Neighbor The L2C Neighbor Configuration mode enables you to define an ANCP neighbor by specifying a neighbor ID and the maximum number of branches that the neighbor can have id Use to specify the ANC...

Page 226: ...have in the range 1 64000 entries Example host1 l2c neighbor max discovery table entries 4000 Use the no version to return the maximum number of discovery table entries to its default value 10 000 en...

Page 227: ...ighbor including those associated with the QoS downstream rate and QoS cell mode applications Similarly issuing the clear l2c discovery table command without specifying an entry removes all QoS parame...

Page 228: ...management message to the access node This message enables the B RAS to configure a service profile name on an access loop Example host1 l2c line configuration interface atm 2 0 11 profile1 There is n...

Page 229: ...st for IGMP By using ANCP IGMP is no longer terminated or proxied at the access node Instead IGMP passes through the access node transparently B RAS terminates both the data PVC and IGMP After any use...

Page 230: ...age 203 1 Configure an OIF map for the access node that maps each multicast group to an outgoing interface 2 Define ANCP parameters 3 Enable ANCP to listen to OIF mapping events from IGMP in this virt...

Page 231: ...CCESS_NODE_1 host1 config l2c neighbor id 09af 15bc 3156 Configure ANCP multicast labels on the corresponding outgoing interfaces host1 config interface atm 2 0 101 host1 config interface ip igmp vers...

Page 232: ...s showtime DEFAULT RESPONSE Example 2 host1 l2c oam neighbor accessnode_1002 end user id enduser_1002 request succeeded 0x503 DSL line status showtime DEFAULT RESPONSE There is no no version See l2c o...

Page 233: ...e to display information about the ANCP configuration on the router Field descriptions Current timeout Configured session timeout in seconds Qos adaptive mode Whether QoS adaptive mode is enabled true...

Page 234: ...tm 2 32 0 0 8064 1184 UP ACCESSNODE_10 Accessnode_10 atm 2 33 0 0 8064 1184 DOWN ACCESSNODE_10 Accessnode_10 atm 2 34 0 0 8064 1184 DOWN Example 2 Topology discovery table for a particular end user id...

Page 235: ...or output keyword to display labels for output ports Use the brief keyword to show limited information Field descriptions Interface Interface on which ANCP is configured End User Id Output label assoc...

Page 236: ...0 atm3 2 0 10 ATM4 0 12 Accessnode_10 atm3 3 0 10 ATM4 0 13 Accessnode_10 atm3 4 0 10 ATM4 0 14 Accessnode_10 atm3 5 0 10 See show l2c label show l2c neighbor Use to display information about all know...

Page 237: ...NCP neighbors that are in an established GSMP state Number of neighbors in GSMP_EMPTY state Number of ANCP neighbors that are in an unestablished GSMP state Example 1 host1 show l2c neighbor name acce...

Page 238: ...er of active ANCP neighbors Number of end user ids Number of ANCP end user IDs output labels Number of peer attachment ids Number of ANCP peer attachment IDs input labels Number of add branches Number...

Page 239: ...al Certificates and Public Keys on page 237 Overview You can use digital certificates in place of preshared keys for IKE negotiations For more information about IKE see IKE Overview on page 140 in Con...

Page 240: ...rs that dictate how IPSec processes a packet including encapsulation protocol and session keys A single secure tunnel uses multiple SAs SA Simple certificate enrollment protocol used to submit request...

Page 241: ...te This certificate provides a level of assurance that a peer s identity as represented in the certificate is associated with a particular public key E Series Broadband Services Routers provide both a...

Page 242: ...rate its own public private key pairs The public private key pair supports the RSA standard 1024 or 2048 bits The private key is used only by the ERX router It is never exchanged with any other nodes...

Page 243: ...supported for certificate enrollment are PKCS 10 certificate requests PKCS 7 responses and X 509v3 certificates For manual enrollment certificates are encoded in base64 MIME so that the files are easi...

Page 244: ...ommand you can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication In the online certificate method you use the crl command to control CRL verification The r...

Page 245: ...icate files The router s private keys are similarly hidden from users Table 16 File Extensions Offline Configuration Description File Extension Used for certificate request files that are generated on...

Page 246: ...ith the intended party Typically public keys are exchanged in messages containing an X 509v3 digital certificate As an alternative to setting up digital certificates you can configure and exchange pub...

Page 247: ...y shown in bold typeface represents the RSA public key exponent 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A7E43C 3E2D399F 34EF6E16 F84464A9 8A145997 CC7F34C8 3DFF8216 57780FE9 D...

Page 248: ...st1 config 5 Generate a certificate request using certificate parameters from the IPSec identity configuration host1 config ipsec certificate request generate rsa myrequest crq 6 After the certificate...

Page 249: ...name that the router uses in IKE authentication messages and to generate certificate requests The domain name is used in the SubjectAlternative DNS certificate extensions and as an FQDN fully qualifi...

Page 250: ...outer scans all certificate files and determines which files are router public certificates and which are root CA certificates Example host1 config ipsec certificate database refresh There is no no ve...

Page 251: ...ly in a future release See ipsec crl ipsec identity Use to enter IPSec Identity Configuration mode in which you can specify information that the router uses in certificate requests and during negotiat...

Page 252: ...ec ike policy rule on page 225 and may be removed completely in a future release See ipsec isakmp policy rule ipsec key generate Use to generate RSA key pairs Include a length of either 1024 or 2048 b...

Page 253: ...ipsec ike policy rule 1 host1 config ike policy authentication rsa sig host1 config ike policy exit NOTE For more information about setting up IKE policies see Defining an IKE Policy on page 156 in Co...

Page 254: ...n method that the router uses For digital certificates the method is set to RSA signature Example host1 config ike policy authentication rsa sig Use the no version to restore the default preshared key...

Page 255: ...nrollment retry period enrollment url Use to specify the URL of the SCEP server in the format http server_ipaddress You can then use the ipsec ca authentication command to retrieve CA certificates fro...

Page 256: ...ec ca identity command Example host1 config ipsec ca enroll trustedca1 My498pWd host1 config INFO 10 18 2003 03 49 33 ikeEnrollment Received erx certificate for ca trustedca1 host1 config Use the no i...

Page 257: ...umber that identifies the policy and assigns a priority to the policy You can number policies in the range 1 10000 with 1 having the highest priority Example host1 config ipsec isakmp policy rule 3 ho...

Page 258: ...etaSecurityCorp Use the no version to remove the name from the configuration See issuer identifier root proxy url Use to specify an HTTP proxy server that can submit HTTP requests on the E Series rout...

Page 259: ...a90c76 3ae3acbb 4a777037 31527ea0 23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301 0001 For information about the format of an RSA public key see Public Key Format on page 221 4...

Page 260: ...9 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698...

Page 261: ...the address keyword followed by the IP address in 32 bit dotted decimal format To specify the identity of the remote peer associated with the public key use the name keyword followed by either The ful...

Page 262: ...st not occur anywhere else in the key string For information about the format of an RSA public key see Public Key Format on page 221 Example 1 Configures the public key for a remote peer with IP addre...

Page 263: ...3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51 f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74 cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b 29b475c6 ad...

Page 264: ...e release Use to display the IKE certificates and CRLs on the router Specify the type of certificate you want to display all All certificates configured on the router crl Certificate revocation lists...

Page 265: ...f modn sign rsa pkcs1 md5 Modulus n 1024 bits 13409127965307061503054050053800642488356537668078160605242622661311625 19876607806686846822070359658649546374128540876213416858514288030584124 0589652082...

Page 266: ...No names of type IP DNS URI EMAIL RID UPN or DN detected Fingerprints MD5 c4 c9 22 b6 19 07 4e 4f ee 81 7a 9f cb f9 1f 7e SHA 1 58 ba fb 0d 68 61 42 2a 52 7e 19 82 77 a4 55 4c 25 8c c5 60 Example 2 h...

Page 267: ...EMAIL RID UPN or DN detected SubjectKeyID KeyId 15 0a 17 4d 36 b6 49 96 fa d5 be df 51 3e e4 90 51 a2 c0 95 Unknown 1 3 6 1 4 1 311 21 1 02 01 00 Fingerprints MD5 8c 56 fb a6 bd ab 13 67 e6 13 09 c1...

Page 268: ...ld descriptions Ike identity Information from your IKE identify configuration that the router uses to generate certificate requests CRL Check Setting of the CRL check optional required ignored Example...

Page 269: ...remote peer with a specific identity use the name keyword followed by either The fully qualified domain name FQDN The FQDN preceded by an optional user specification this is also referred to as user...

Page 270: ...a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a 5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff 2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a253...

Page 271: ...248 Monitoring IP Tunnels on page 253 Overview E Series routers support static IP tunnels An IP tunnel is a virtual point to point connection between two routers See Figure 19 on page 245 To establis...

Page 272: ...X310 Broadband Services Router See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for information about the mod...

Page 273: ...er you must install an ES2 4G line module LM with an ES2 S1 Service I O adapter IOA or an IOA that supports the use of shared tunnel server ports For information about installing modules in these rout...

Page 274: ...ace 4 Set the source address for the tunnel 5 Set the destination address for the tunnel 6 Optional Enable error checking across a GRE tunnel 7 Set the maximum transmission unit MTU size for the tunne...

Page 275: ...this feature causes the E Series router to drop corrupted packets it receives on the tunnel interface Example host1 config interface tunnel gre tunnel2 host1 config if tunnel checksum Use the no versi...

Page 276: ...1 host1 config if tunnel source atm 5 0 12 Example 3 ATM interface on an E320 router that uses the slot adapter port format host1 config interface tunnel dvmrp boston tunnel 1 host1 config if tunnel s...

Page 277: ...4 Configure a virtual router called chicago that supports the other end of the tunnel host1 config virtual router chicago 5 Configure a physical or loopback interface for the end of the tunnel on vir...

Page 278: ...ace treat it in the same way as any IP interface on the router For example you can configure static IP routes or enable routing protocols on the tunnel interface The IP configurations you apply to the...

Page 279: ...tunnel disabled down enabled lower down not present up To view the state of a specific tunnel specify a tunnel name To view the number of tunnels associated with that IP address specify an IP address...

Page 280: ...tets received or transmitted by the tunnel Discards Number of packets not accepted by the tunnel Errors Number of packets with errors received or transmitted by the tunnel Data rx Received data Data t...

Page 281: ...1 Tunnel destination address is 50 1 1 2 Tunnel transport virtual router is v1 Tunnel up down trap is enabled Tunnel server location is 13 0 0 Tunnel administrative state is Up Statistics packets oct...

Page 282: ...ransmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router Name...

Page 283: ...router is vr1 Tunnel mdt is disabled Tunnel checksum option is disabled Tunnel up down trap is enabled Tunnel server location is 4 0 Tunnel administrative state is up Statistics packets octets discard...

Page 284: ...detail GRE tunnel start is Up tunnel is static Tunnel operational configuration Tunnel mtu is 10240 Tunnel source address is 15 0 0 1 Tunnel destination address is 15 0 0 2 Tunnel transport virtual r...

Page 285: ...led Tunnel is available for use disabled Tunnel is not available for use Operational status up Tunnel is operational down Tunnel is not operational not present Tunnel is not operational because the ha...

Page 286: ...260 Monitoring IP Tunnels JUNOSe 11 0 x IP Services Configuration Guide...

Page 287: ...P interfaces you must configure a destination profile for a specific transport virtual router that is used to store tunnel configuration options including the source and destination addresses of the d...

Page 288: ...unneling based solution enables a router on a user s home subnet to intercept and forward IP packets to users while they roam beyond traditional network boundaries To achieve mobility the mobile node...

Page 289: ...IP tunnels that reference the destination profile You can relocate a dynamic IP tunnel for the Mobile IP application You cannot relocate a dynamic IP tunnel for the data MDT application because it is...

Page 290: ...ports You can configure provision a shared tunnel server port to use a portion of the module s bandwidth to provide tunnel services For a list of the modules that support shared tunnel server ports s...

Page 291: ...Encapsulation within IP October 1996 RFC 2784 Generic Routing Encapsulation GRE March 2000 Configuring a Destination Profile for Dynamic IP Tunnels The tasks in this section describe how to configure...

Page 292: ...for the tunnel host1 config dest profile tunnel destination subnet 10 0 0 0 255 0 0 0 4 Optional Set the maximum transmission unit MTU size for the tunnel host1 config dest profile tunnel mtu 10240 5...

Page 293: ...ynamic DVMRP tunnel host1 config dest profile profile ip kanata 6 Optional Enable IPSec transport mode host1 config dest profile enable ipsec transport 7 Optional Create a multicast VPN tunnel host1 c...

Page 294: ...t1 config gre destination profile kanata2 Use the no version to delete the destination profile See gre destination profile profile Use to assign an IP profile with parameters that are used to stack an...

Page 295: ...13 7 20 Use the no version to remove the destination of a tunnel See tunnel destination tunnel mdt profile Use to enable multicast distribution tree operation so the IP tunnel component can create an...

Page 296: ...e system dvmrp destination profile Name of the DVMRP destination profiles configured on the system tunnel checksum Status of tunnel checksum configuration enabled or disabled tunnel sequence datagrams...

Page 297: ...the state keyword and the state of the tunnel disabled down enabled lower down not present up To view the state of a specific tunnel specify a tunnel name To view the number of tunnels associated wit...

Page 298: ...nel packets Number of packets received or transmitted by the tunnel octets Number of octets received or transmitted by the tunnel discards Number of packets not accepted by the tunnel Errors Number of...

Page 299: ...6 6 Tunnel destination address is 3 3 3 3 Tunnel transport virtual router is vr1 Tunnel mdt is disabled Tunnel checksum option is disabled Tunnel sequence number option is disabled Tunnel key is disa...

Page 300: ...e of the tunnel MTU ipsec transport mode Status of IPSec transport mode configuration enabled or disabled tunnel mdt Status of IPSec transport mode configuration enabled or disabled profile Name of th...

Page 301: ...stination subnet 224 0 0 0 255 0 0 0 tunnel source 1 1 1 1 tunnel source 1 1 1 2 tunnel source 1 1 1 3 See show gre destination profile show gre tunnel Use to display information about a GRE tunnel or...

Page 302: ...ion of the tunnel server in slot port format ERX7xx models ERX14xx models and the ERX310 router or slot adapter port format E120 and E320 routers Tunnel is secured by ipsec transport interface IPSec i...

Page 303: ...0 0 0 Data tx 0 0 0 0 1 GRE tunnel found 1 tunnel was created dynamically Example 3 Displays the detail of a dynamically created GRE tunnel for the Mobile IP application host1 vr12 show gre tunnel det...

Page 304: ...Tunnel is operational down Tunnel is not operational not present Tunnel is not operational because the hardware such as a line module supporting the tunnel is inaccessible Example host1 show gre tunn...

Page 305: ...the tunnel are processed and de encapsulated at the egress endpoint When packets are tunneled through an IP network simple IP forwarding is performed The IP forwarding process might fragment packets i...

Page 306: ...kets depend on the type of E Series router that you have ERX7xx Models ERX14xx Models and the ERX310 Router To configure IP reassembly on ERX7xx models ERX14xx models and the ERX310 router you must in...

Page 307: ...ine modules The ES2 S1 Service IOA also does not have ingress or egress ports You can also configure IP reassembly on IOAs that support shared tunnel server ports You can configure provision a shared...

Page 308: ...escribes how to set a statistics baseline for tunnel reassembly statistics and how to display reassembly statistics Setting Statistics Baselines You can use the baseline ip tunnel reassembly command t...

Page 309: ...s received for all tunneling protocols Total Packets Reassembled Number of packets reassembled detailed display includes number of packets reassembled for each protocol Control Other increments for pa...

Page 310: ...ly Statistics for Virtual Router vr2 Tunnel IP Reassembly enabled Total Fragments Received 45 Total Packets Reassembled 15 Reassembly Errors 0 Reassembly Discards 0 The following command sets a baseli...

Page 311: ...ly Statistics for Virtual Router vr2 Tunnel IP Reassembly enabled Total Fragments Received 15 Total Packets Reassembled 5 Reassembly Errors 0 Reassembly Discards 0 See show ip tunnel reassembly statis...

Page 312: ...286 Monitoring IP Reassembly JUNOSe 11 0 x IP Services Configuration Guide...

Page 313: ...nterfaces are virtual IP interfaces that are configured to provide confidentiality and authentication services for the traffic flowing through the interface that traffic can be L2TP GRE and DVMRP tunn...

Page 314: ...See LNS and LAC support in E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support LNS and LAC Module Requirements To create IPSec secured tunnels yo...

Page 315: ...ition to using another unsecured connection to the Internet depending on the client software capabilities On the router side of the L2TP connection the E Series router acts as the LNS On the PC client...

Page 316: ...n Figure 23 on page 290 1 Obtain an IP address from your ISP using a normal B RAS termination 2 IKE signals a security association SA between the client PC and the E Series router that is acting as a...

Page 317: ...lity and Requirements This section covers various compatibility issues and requirements for the L2TP IPSec traffic Client Software Supported The L2TP IPSec software supports the following client PC op...

Page 318: ...this IP address as their VPN server address CAUTION Group preshared keys are not fully secure and we recommend that you use digital certificates in place of group preshared keys Group preshared keys a...

Page 319: ...T is enabled on a specific virtual router either by default or by using the ipsec option nat t command the router performs the following actions in this order 1 The router monitors the exchange of pr...

Page 320: ...istinguish them from standard ESP control and data frames Figure 28 on page 294 shows an IKE packet encapsulated with a NAT T UDP header Figure 28 IKE Packet with NAT T UDP Encapsulation Only frames t...

Page 321: ...onitoring NAT T see the sections listed in Table 17 on page 295 Table 17 Configuration and Monitoring Tasks for NAT T See Section Command Task Configuring NAT T on page 298 ipsec option nat t Enabling...

Page 322: ...P IPSec tunnels when the last remaining tunnel session has been disconnected Table 18 Differences in Handling Timeout Periods for L2TP IPSec Tunnels Single Shot L2TP IPSec Tunnels Standard L2TP IPSec...

Page 323: ...7 6 Configure NAT T on the virtual router See Configuring NAT T on page 298 7 Configure single shot L2TP IPSec tunnels See Configuring Single Shot Tunnels on page 299 8 Configure IPSec transport profi...

Page 324: ...figuration mode If no virtual router is specified the current virtual router context is used If the destination address is 0 0 0 0 then any LAC that can be reached via the specified virtual router is...

Page 325: ...ed See ipsec option nat t Configuring Single Shot Tunnels To configure a single shot L2TP IPSec tunnel 1 Create an L2TP destination profile which defines the location of the LAC The l2tp destination p...

Page 326: ...ion for a single shot tunnel at the beginning of the destruct timeout period instead of waiting until the destruct timeout period expires A single shot tunnel does not persist beyond its last connecte...

Page 327: ...cifying the virtual router and destination address and enabling IPSec support See Configuring IP Tunnels on page 245 Set up digital certificates on the router or configure preshared keys for IKE authe...

Page 328: ...sed to secure DVMRP GRE or L2TP tunnels 1 Create the profile host1 config ipsec transport profile secureGre virtual router default ip address 5 5 5 5 host1 config ipsec transport profile 2 Specify one...

Page 329: ...l2tp Secures L2TP traffic l2tp nat passthrough Secures L2TP traffic and also allows clients to connect from behind NAT devices that support IPSec passthrough To allow these clients to connect the rou...

Page 330: ...ange the router rejects the connection Example host1 config ipsec transport profile lifetime seconds 900 86400 kilobytes 100000 4294967295 Use the no version to restore the default values 100000 42949...

Page 331: ...ote IP address specified for this transport profile and that are destined for the local IP address If the remote endpoint address is a wildcard address this preshared key is a group preshared key CAUT...

Page 332: ...ransport profile If the remote endpoint address is a wildcard address this preshared key is a group preshared key CAUTION Group preshared keys are not fully secure and we do not recommend using them T...

Page 333: ...DVMRP or GRE tunnels If the tunnel is protected by IPSec the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface The line is not shown...

Page 334: ...sponds to the messaging state in the main mode and aggressive mode negotiations Possible states are AM_SA_I Initiator has sent initial aggressive mode SA payload and key exchange to the responder AM_S...

Page 335: ...Time Sec State Local Cookie Remote Cookie 21 227 9 8 500 21 227 9 10 500 26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4 21 227 9 8 4500 21 227 9 11 4500 28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9...

Page 336: ...er packets received InUserOctets Number of octets received from user packets InAccPackets Number of encapsulated packets received InAccOctets Number of octets received in encapsulated packets InAuthEr...

Page 337: ...ion gre No pfs group Mtu is 1440 Local address is 10 255 0 61 Remote address is 10 255 0 62 Local identity is subnet 10 255 0 61 255 255 255 255 proto 47 port 0 Remote identity is subnet 10 255 0 62 2...

Page 338: ...he configuration of an IPSec transport profile Field descriptions IPSec transport profile Name of the profile Virtual router Virtual router on which this profile is configured Peer address Remote endp...

Page 339: ...e profile for that remote host Field descriptions Destination profile attributes Transport Method used to transfer traffic Virtual router Name of the virtual router Peer address IP address of the LAC...

Page 340: ...efault Peer address 172 31 1 99 Statistics Destination profile current session count is 1 Host profile attributes Remote host is lac 1 Configuration Tunnel password is password Interface profile is tu...

Page 341: ...del does not provide an adequate solution and in environments where a wireless technology is used NOTE Currently JUNOSe software does not support configuration of the Mobile IP foreign agent Tradition...

Page 342: ...home agent receives the registration requests on UDP port 434 The registration request contains the IP router ID as the home agent IP address The home agent can support static home address allocation...

Page 343: ...ng AAA access request or querying the locally configured security parameters depending on whether or not you use the aaa keyword when you issue the ip mobile host command to configure the mobile node...

Page 344: ...ber management application to create the dynamic IP subscriber interface During the re registration process when there is a handoff from an initial Mobile IP foreign agent to a new Mobile IP foreign a...

Page 345: ...A IOA Protocol Support for information about the modules that support the Mobile IP home agent Mobile IP References For more information about Mobile IP consult the following resources RFC 2006 The De...

Page 346: ...09 13 234 host1 test config radius key secret host1 test config radius udp port 1812 host1 test config radius radius update source addr 10 209 12 2 Configure an accounting server host1 test config rad...

Page 347: ...thin 255 algorithm hmac md5 Assign an interface profile for the Mobile IP home agent host1 test config ip mobile profile testProfile ip mobile home agent Use to configure the Mobile IP home agent on a...

Page 348: ...ation and security associations include the aaa keyword To specify the access control list applied to the care of address that restricts access for foreign agents or networks include the care of acces...

Page 349: ...r the hex keyword or the ascii keyword as follows To specify a hexadecimal key use the hex keyword followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII...

Page 350: ...urity association include the required key keyword followed by either the hex keyword or the ascii keyword as follows To specify a hexadecimal key use the hex keyword followed by a 32 character 128 bi...

Page 351: ...for a specified Mobile IP home agent Example host1 baseline ip mobile home agent There is no no version See baseline ip mobile home agent clear ip mobile binding Use to remove the binding table in the...

Page 352: ...Care of address 72 1 1 15 Lifetime granted 10 00 00 36000 seconds Lifetime remaining 01 46 32 Tunnel Source 66 0 0 5 Destination 72 1 1 15 Encapsulation GRE Reverse tunnel enabled See show ip mobile...

Page 353: ...AA server is configured or not Example 1 host1 show ip mobile host Home MN NAI IP address Lifetime Care Of Access Aaa Configured warner com 36000 no yahoo com yes pj juniper net 100 no pm juniper net...

Page 354: ...8 0x274 hmac md5 secret 20 20 20 1 628 0x274 hmac md5 255 secret 30 30 30 1 628 0x274 hmac md5 255 secret See show ip mobile secure foreign agent show ip mobile secure host Use to display the security...

Page 355: ...he home agent Unspecified Number of registration requests rejected for an unspecified reason such as an internal communication failure Unknown HA Number of registration requests rejected because of an...

Page 356: ...HA 0 Administratively prohibited 0 No Resources 0 Authentication failed MN 0 FA 0 Bad identification 0 Bad request form 0 Unavailable encapsulation 0 No reverse tunnel 0 See show ip mobile traffic sh...

Page 357: ...Part 2 Index Index on page 333 Index 331...

Page 358: ...332 Index JUNOSe 11 0 x IP Services Configuration Guide...

Page 359: ...le home agent 325 baseline ip tunnel reassembly 282 baseline setting Mobile IP home agent 325 tunnel reassembly 282 BFD Bidirectional Forwarding Detection BGP peer reachability detection 113 license 1...

Page 360: ...ansport command 268 endpoints tunnel 245 F filter lists BGP 23 filtering AS paths 23 network prefixes 21 undesirable traffic 33 firewall configuring 113 monitoring 120 firewall commands license firewa...

Page 361: ...ource list 76 ip nat outside source static 73 ip nat pool 75 ip nat translation 78 ip nat translation max entries 71 See also show ip nat commands IP reassembly of tunnel packets 279 configuring 281 m...

Page 362: ...rm combinations supported 137 transform sets 130 135 transforms supported 136 transport VR 130 132 IPSec transport local profile commands pre share 302 pre share masked 302 IPSec transport profile com...

Page 363: ...8 match level 12 match metric 12 match metric type 12 match policy list 13 match route type 13 match tag 13 match set summary prefix tree 36 38 max interfaces command 182 Mobile IP home agent 330 AAA...

Page 364: ...d secrecy 133 policy list monitoring 51 prefix lists 33 prefix trees 36 prefixes filtering network 21 preventing recursive tunnels 251 profile commands profile 268 public keys displaying on router 237...

Page 365: ...te 51 show ip route slot 51 show ip static 51 show ip traffic 51 show ip tunnel reassembly statistics 283 show ip flow sampling command 106 111 show ip match policy list command 51 show ip mobile comm...

Page 366: ...8 tunnel commands IP tunnel checksum 248 268 tunnel destination 248 268 tunnel mtu 248 tunnel sequence datagrams 268 tunnel source 248 268 tunnel commands IPSec tunnel destination 150 tunnel destinati...

Reviews:

No comments

Related manuals for JUNOSE 11.0.X IP SERVICES

GPSMAP GPSMAP 196

Brand: Garmin Pages: 4

Brand: Garmin Pages: 2

E-20 - Dual Monaural Earphones

Brand: Olympus Pages: 2

Brand: PS Audio Pages: 6

WS02-NCTC1-E - 07-2001

Brand: Omron Pages: 116

Brand: Konica Minolta Pages: 6

Brand: Adobe Pages: 8

Brand: Acroprint Pages: 2

Brand: Lowrance Pages: 48

Brand: AMX Pages: 34

K2-AVID TRANSFER MANAGER

Brand: GRASS VALLEY Pages: 2

DEEP FREEZE ENTERPRISE

Brand: FARONICS Pages: 104

Brand: Garmin Pages: 4

Nuvi 780 - Automotive GPS Receiver

Brand: Garmin Pages: 14

Brand: Lenovo Pages: 5

FLASH MX PROFESSIONAL 2004 - FLASH LITE 1.1...

Brand: MACROMEDIA Pages: 86

Brand: Janome Pages: 7

AURORA PLAYOUT - S AND UPGRADE INSTRUCTIONS V7.1

Brand: GRASS VALLEY Pages: 37

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands