■ The router ignores the idle timeout period for single-shot tunnels. This means
that as soon as a single-shot tunnel's session is removed, the single-shot tunnel
proceeds to disconnect.
■ The following characteristics apply only to secure L2TP/IPSec single-shot tunnels:
  ■ The underlying IPSec connection for a single-shot tunnel can carry no more
    than a single L2TP tunnel for the duration of its existence.
  ■ The router disconnects the underlying IPSec transport connection for a
    single-shot tunnel at the beginning of the destruct timeout period instead of
    waiting until the destruct timeout period expires.

For L2TP/IPSec single-shot tunnels, as soon as the tunnel or its single session fails
negotiations or disconnects, the router prevents any further L2TP tunnels or L2TP
sessions from connecting, and requires that a new IPSec connection be established
for any subsequent connection attempts.

Table 18 on page 296 describes the differences between how the router handles the
idle timeout period (configured with the l2tp tunnel idle-timeout command) and
the destruct timeout period (configured with the l2tp destruct-timeout command)
for standard L2TP/IPSec tunnels and for single-shot L2TP/IPSec tunnels when the
last remaining tunnel session has been disconnected.

Table 18: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels

| Timeout Period | Standard L2TP/IPSec Tunnels (Not Single-Shot) | Single-Shot L2TP/IPSec Tunnels |
|---|---|---|
| Idle timeout period | The tunnel persists until the idle timeout period expires. If a new L2TP session is created before the idle timeout period expires, the tunnel persists to carry the new session and any subsequent sessions that are established. When the idle timeout period expires, the router disconnects the tunnel. | The router ignores the idle timeout period. This behavior prevents a single-shot tunnel from passing traffic after its single L2TP session is disconnected. |
| Destruct timeout period | The router signals the underlying IPSec transport connection to disconnect when the destruct timeout period expires. | The router signals the underlying IPSec transport connection to disconnect at the beginning of the destruct timeout period. |

For information about configuring L2TP/IPSec single-shot tunnels on the router, see
“Configuring Single-Shot Tunnels” on page 299.

Configuration Tasks for Client PC
To set up client PCs, you need to:
1. Create an IPSec security policy to secure L2TP traffic to the E Series router.
2. Get a certificate for the client or set up preshared keys.

L2TP/IPSec Tunnels
JUNOSe 11.0.x IP Services Configuration Guide