Tunnel failover is a two-way process. If the router detects that the remote peer is
unreachable, it switches to sending traffic to the backup destination. Likewise, if the
router is sending traffic to the backup destination when the connection is terminated,
the router switches to sending the traffic to the original remote peer.
NOTE:
Even without tunnel failover configured, DPD still provides many benefits, such
as indicating that the destination interface is down, ensuring that the router stops
sending packets to the unreachable destination, and generating SNMP traps.
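The two-way failover described above, modelled as a small state machine (an added example, not code from the JunosE guide or from Juniper): each DPD probe result either resets or advances a missed-probe counter, the peer is declared dead once the counter reaches a threshold, traffic moves to the backup destination, and it returns to the original peer when the backup connection is terminated. The threshold of three missed probes, the trap-style event strings and the peer addresses are assumptions made for illustration.

```python
# Added example (not from the JunosE guide): a simplified model of how DPD
# liveness probes drive two-way tunnel failover between the original remote
# peer and a backup destination. Probe timing, the R-U-THERE payload format
# and the missed-probe threshold are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdFailover:
    primary: str                        # original remote peer
    backup: str                         # backup destination used after failover
    max_missed: int = 3                 # assumed threshold: consecutive unanswered probes
    active: Optional[str] = field(init=False, default=None)
    missed: int = field(init=False, default=0)
    events: List[str] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def destination(self) -> Optional[str]:
        """Where traffic is currently sent; None means sending has stopped."""
        return self.active

    def probe(self, replied: bool) -> Optional[str]:
        """Record one DPD probe result (True = peer acknowledged it) and return
        the destination to use afterwards."""
        if self.active is None:
            return None                 # nothing reachable; router is not sending
        if replied:
            self.missed = 0
            return self.active
        self.missed += 1
        if self.missed < self.max_missed:
            return self.active
        # Peer declared dead: stop sending to it and record a trap-style event.
        dead = self.active
        self.missed = 0
        self.events.append(f"TRAP: {dead} unreachable after {self.max_missed} missed probes")
        if dead == self.primary:
            self.active = self.backup
            self.events.append(f"failover: traffic now sent to backup {self.backup}")
        else:
            self.active = None
            self.events.append("backup unreachable: sending stopped")
        return self.active

    def connection_terminated(self) -> Optional[str]:
        """Second half of the two-way process: when the backup connection is
        terminated, traffic goes back to the original remote peer."""
        if self.active == self.backup:
            self.active = self.primary
            self.missed = 0
            self.events.append(f"failback: traffic returned to {self.primary}")
        return self.active


def run_scenario(results: List[bool],
                 primary: str = "198.51.100.1",
                 backup: str = "203.0.113.1") -> List[Optional[str]]:
    """Feed a constructed sequence of probe results (constructed sample input)
    and return the destination in use after each probe."""
    fo = DpdFailover(primary, backup)
    return [fo.probe(r) for r in results]


if __name__ == "__main__":
    fo = DpdFailover("198.51.100.1", "203.0.113.1")
    for replied in (True, False, False, False, True):
        print(replied, "->", fo.probe(replied))
    print("backup connection terminated ->", fo.connection_terminated())
    print("\n".join(fo.events))
```

The `events` list stands in for the SNMP traps the note mentions; in a real deployment those, not the routing change alone, are what a NOC would alert on, because a silent failover hides the fact that the primary peer is down.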
IKE Overview
The IKE suite of protocols allows a pair of security gateways to:
• Dynamically establish a secure tunnel over which the security gateways can exchange
  tunnel and key information.
• Set up user-level tunnels or SAs, including tunnel attribute negotiations and key
  management. These tunnels can also be refreshed and terminated on top of the same
  secure channel.
IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP
framework for key exchange and security association establishment. IKE provides:
• Automatic key refreshing on configurable timeout
• Support for public key infrastructure (PKI) authentication systems
• Antireplay defense
IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the
security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface
involved in connecting a security gateway peer.
The following sections expand on the IKE functionality available for the router.
Main Mode and Aggressive Mode
IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase
2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or
aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some
of the characteristics of the two modes are:
• Main mode
  • Protects the identities of the peers during negotiations and is therefore more secure.
  • Enables greater proposal flexibility than aggressive mode.
  • Is more time consuming than aggressive mode because more messages are
    exchanged between peers. (Six messages are exchanged in main mode.)
• Aggressive mode
Copyright © 2010, Juniper Networks, Inc.
134
JunosE 11.2.x IP Services Configuration Guide
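To make the main-mode tradeoff concrete, here is an added example (not code from the JunosE guide or from Juniper) that models both phase 1 exchanges and then reports what a passive on-path observer can learn from each: the message count and any peer identities that travel in the clear. The aggressive mode bullets on this page are cut off by the page break, so the three-message, cleartext-identity behaviour modelled for aggressive mode is taken from RFC 2409, not from this page. The Diffie-Hellman group, the SKEYID-style key derivation and the XOR stream cipher are toy stand-ins chosen so the example runs offline; they are not the algorithms a real gateway uses.

```python
# Added example (not from the JunosE guide): a toy model of IKEv1 phase 1
# showing why main mode protects peer identities at the cost of six messages,
# while aggressive mode (three messages, per RFC 2409) sends identities in
# the clear. All cryptography here is deliberately toy-sized and illustrative.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

P = 2**127 - 1        # toy DH modulus (assumption; real IKE groups are far larger)
G = 5                 # toy generator


@dataclass
class Message:
    sender: str
    payloads: Dict[str, object]   # exactly what a passive observer sees on the wire


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared: int, n_i: bytes, n_r: bytes) -> bytes:
    """Simplified stand-in for SKEYID: keyed hash of the DH secret and both nonces."""
    return hmac.new(n_i + n_r, shared.to_bytes(16, "big"), hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream); encrypts and decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def main_mode(id_i: str, id_r: str) -> List[Message]:
    """Six messages; identities only appear after the ISAKMP SA keys exist."""
    n_i, n_r = secrets.token_bytes(8), secrets.token_bytes(8)
    x_i, g_i = dh_keypair()
    x_r, g_r = dh_keypair()
    msgs = [Message("I", {"SA": "proposals"}),        # 1: initiator offers proposals
            Message("R", {"SA": "selected"}),         # 2: responder picks one
            Message("I", {"KE": g_i, "Ni": n_i}),     # 3: key exchange + nonce
            Message("R", {"KE": g_r, "Nr": n_r})]     # 4: key exchange + nonce
    k_i = derive_key(pow(g_r, x_i, P), n_i, n_r)
    k_r = derive_key(pow(g_i, x_r, P), n_i, n_r)
    assert k_i == k_r                                 # both sides now share key material
    # 5 and 6: identity and authentication payloads travel encrypted
    msgs.append(Message("I", {"ENC": xor_stream(k_i, f"IDii={id_i};HASH_I".encode())}))
    msgs.append(Message("R", {"ENC": xor_stream(k_r, f"IDir={id_r};HASH_R".encode())}))
    return msgs


def aggressive_mode(id_i: str, id_r: str) -> List[Message]:
    """Three messages per RFC 2409; identities are sent before any key exists."""
    n_i, n_r = secrets.token_bytes(8), secrets.token_bytes(8)
    x_i, g_i = dh_keypair()
    x_r, g_r = dh_keypair()
    msgs = [Message("I", {"SA": "proposal", "KE": g_i, "Ni": n_i, "IDii": id_i}),
            Message("R", {"SA": "selected", "KE": g_r, "Nr": n_r, "IDir": id_r,
                          "HASH_R": "auth"})]
    k = derive_key(pow(g_r, x_i, P), n_i, n_r)
    msgs.append(Message("I", {"ENC": xor_stream(k, b"HASH_I")}))   # 3: authentication
    return msgs


def observer_report(msgs: List[Message]) -> Dict[str, object]:
    """What a passive on-path observer learns: message count and cleartext identities."""
    ids = [v for m in msgs for name, v in m.payloads.items() if name.startswith("ID")]
    return {"messages": len(msgs), "cleartext_ids": ids}


if __name__ == "__main__":
    print("main mode      :", observer_report(main_mode("gw-a.example", "gw-b.example")))
    print("aggressive mode:", observer_report(aggressive_mode("gw-a.example", "gw-b.example")))
```

The observer function is deliberately dumb: it only reads payload names, which is all an on-path device can do without the session key. The extra round trip in main mode buys exactly the property the guide lists first, that nobody between the gateways learns which identities are negotiating.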