manualshive.com logo in svg

Juniper JUNOSE 11.2.X IP SERVICES, Configuration Manual

Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual is a comprehensive guide for setting up and managing your Juniper network devices. This manual covers all the necessary steps to configure your IP services effectively. Download this manual for free from our website and optimize your network performance.

Share
Download
background image

Reachable networks on the VPN (allowing for split tunneling when supported by the
client software)

Security parameters intended to protect user traffic (including IPSec encapsulating
protocol, encryption algorithms, authentication algorithms, lifetime parameters,
perfect forward secrecy, and DH group for key derivation)

Setting the IP address the router monitors for remote subscribers.

New subscribers are mapped only to IPSec tunnel profiles after the initial IKE SA is
established. Like IPSec tunnels, IKE policy rules are required to control IKE SA acceptance
and denial.

Relocating Tunnel Interfaces

Unlike static IPSec tunnels interfaces, dynamic IPSec subscribers do not relocate if the
IPSec server card becomes unavailable. If the IPSec server card becomes unavailable,
all dynamic subscribers that are logged in and located on that server card are logged out
and must log back in to connect.

User Authentication

For IPSec subscribers, user authentication occurs in two phases. The first phase is an
IPSec-level authentication (phase 1 or IKE authentication). Sometimes referred to as “
machine” authentication, because the user PC is authenticated, the first authentication
phase verifies private or preshared keys that reside on the PC. These keys are not easily
moved from one PC to another and do not require user entry each time authentication
is performed.

Depending on the IKE phase 1 exchange, restrictions on the authentication type or the
access network setup might exist. To avoid any usage problems, keep the following in
mind:

If you are configuring a VPN where users perform preshared key IPSec authentication
and use the IKE main mode exchange for phase 1, you must setup the access network
such that the VPN has an exclusive local IP address.

If you want to share a single server address on the access network for more than one
VPN, you must either set the clients to use IKE aggressive mode or use a public and
private key pair for authentication. This authentication type includes X.509v3
certificates).

After the IPSec-level authentication takes place, a user authentication occurs. Often
considered a legacy form of authentication, the user authentication (like RADIUS) typically
requires the user to enter information in the form of a username and password.

Platform Considerations

For information about modules that support dynamic IPSec subscribers on the ERX7xx
models, ERX14xx models, and the ERX310 Broadband Services Router:

See IPSec Service support in

ERX Module Guide, Table 1, Module Combinations

for

detailed module specifications.

Copyright © 2010, Juniper Networks, Inc.

172

JunosE 11.2.x IP Services Configuration Guide

Summary of Contents for JUNOSE 11.2.X IP SERVICES

Page 1: ...JunosE Software for E Series Broadband Services Routers IP Services Configuration Guide Release 11 2 x Published 2010 06 29 Copyright 2010 Juniper Networks Inc...

Page 2: ...owned by or licensed to Juniper Networks U S Patent Nos 5 473 599 5 905 725 5 909 440 6 192 051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 5...

Page 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Page 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Page 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Page 6: ...Copyright 2010 Juniper Networks Inc vi...

Page 7: ...ng IPSec 119 Chapter 6 Configuring Dynamic IPSec Subscribers 169 Chapter 7 Configuring ANCP 185 Chapter 8 Configuring Digital Certificates 205 Chapter 9 Configuring IP Tunnels 237 Chapter 10 Configuri...

Page 8: ...Copyright 2010 Juniper Networks Inc viii JunosE 11 2 x IP Services Configuration Guide...

Page 9: ...Multiple Values in a Match Entry 6 Negating Match Clauses 7 Matching a Community List Exactly 8 Removing Community Lists from a Route Map 8 Matching a Policy List 9 Redistributing Access Routes 9 Set...

Page 10: ...ms 64 Inside Local Addresses 65 Inside Global Addresses 65 Outside Local Addresses 65 Outside Global Addresses 65 Understanding Address Translation 65 Inside Source Translation 65 Outside Source Trans...

Page 11: ...ying Address Pool Information 88 Displaying Inside and Outside Rule Settings 89 Chapter 3 Configuring J Flow Statistics 91 Overview 91 Interface Sampling 91 Aggregation Caches 92 Flow Collection 92 Ma...

Page 12: ...cure IP Interfaces 122 RFC 2401 Compliance 123 IPSec Protocol Stack 123 Security Parameters 124 Manual Versus Signaled Interfaces 125 Operational Virtual Router 126 Transport Virtual Router 126 Perfec...

Page 13: ...siderations 172 References 173 Creating an IPSec Tunnel Profile 173 Configuring IPSec Tunnel Profiles 174 Limiting Interface Instantiations on Each Profile 174 Specifying IKE Settings 174 Setting the...

Page 14: ...P Neighbors 192 Configuring Topology Discovery 192 Configuring ANCP for QoS Adaptive Mode 192 Triggering ANCP Line Configuration 193 Adjusting the Data Rate Reported by ANCP for DSL Lines 194 Configur...

Page 15: ...es 243 Preventing Recursive Tunnels 243 Creating Multicast VPNs Using GRE Tunnels 244 Monitoring IP Tunnels 244 Chapter 10 Configuring Dynamic IP Tunnels 251 Dynamic IP Tunnel Overview 251 Data MDT fo...

Page 16: ...Interactions with NAT 279 Interaction Between IPSec and PPP 279 LNS Change of Port 280 Group Preshared Key 280 NAT Passthrough Mode 280 NAT Traversal 280 How NAT T Works 281 UDP Encapsulation 281 UDP...

Page 17: ...hentication 305 AAA 305 Subscriber Management 306 Mobile IP Routing and Forwarding 306 Mobile IP Platform Considerations 307 Mobile IP References 307 Before You Configure the Mobile IP Home Agent 307...

Page 18: ...Copyright 2010 Juniper Networks Inc xviii JunosE 11 2 x IP Services Configuration Guide...

Page 19: ...er A s Corporate Frame Relay Network 153 Figure 16 ISP X Uses ERX Routers to Connect Corporate Offices over the Internet 153 Figure 17 Connecting Customers Who Use Similar Address Schemes 156 Chapter...

Page 20: ...Figure 28 IKE Packet with NAT T UDP Encapsulation 282 Figure 29 GRE IPSec Connection 288 Copyright 2010 Juniper Networks Inc xx JunosE 11 2 x IP Services Configuration Guide...

Page 21: ...ons 119 Table 9 Security Parameters Used on Secure IP Interfaces 124 Table 10 Security Parameters per IPSec Policy Type 126 Table 11 Supported Transforms 130 Table 12 Supported Security Transform Comb...

Page 22: ...Copyright 2010 Juniper Networks Inc xxii JunosE 11 2 x IP Services Configuration Guide...

Page 23: ...information in the latest release notes differs from the information in the documentation follow the JunosE Release Notes To obtain the most current version of all Juniper Networks technical documenta...

Page 24: ...affic class low loss1 Represents text that the user must type Bold text like this host1 show ip ospf 2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents in...

Page 25: ...n CD ROMs or DVD ROMs see the Portable Libraries page at http www juniper net techpubs resources index html Copies of the Management Information Bases MIBs for a particular software release are availa...

Page 26: ...juniper net techpubs Find solutions and answer questions using our Knowledge Base http kb juniper net Download the latest versions of software and review release notes http www juniper net customers c...

Page 27: ...Configuring Dynamic IPSec Subscribers on page 169 Configuring ANCP on page 185 Configuring Digital Certificates on page 205 Configuring IP Tunnels on page 237 Configuring Dynamic IP Tunnels on page 25...

Page 28: ...Copyright 2010 Juniper Networks Inc 2 JunosE 11 2 x IP Services Configuration Guide...

Page 29: ...tions on page 4 References on page 4 Route Maps on page 4 Match Policy Lists on page 19 Access Lists on page 20 Using the Null Interface on page 32 Prefix Lists on page 32 Prefix Trees on page 35 Comm...

Page 30: ...ed on ERX7xx models ERX14xx models and the Juniper Networks ERX310 Broadband Services Router See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Se...

Page 31: ...are evaluated against the next instance of the route map For example suppose you create two instances of route map boston5 one with sequence number 10 and one with sequence number 25 When you apply b...

Page 32: ...r 10 2 2 4 route map block1 out host1 config router exit host1 config ip as path access list boston deny _32_ host1 config route map block1 deny 1 host1 config route map match as path boston Multiple...

Page 33: ...only if the entry contains no other values In some earlier releases any value specified with a no match command was ignored and the entire match entry was deleted This change applies to all match comm...

Page 34: ...ch host1 config exit host1 show route map example1 route map example permit sequence 10 Match clauses community community list filter 1 exact match The route map example1 permits a route only if the r...

Page 35: ...config route map match tag 30 2 Configure redistribution into BGP of the access internal routes and access routes with route map tagtest host1 config router bgp 405 host1 config router redistribute a...

Page 36: ...same prefix in order to pick the best route to that prefix in the routing table Distance has no meaning in any other circumstance and any attempt to match distance fails Example host1 config route ma...

Page 37: ...hop match ipv6 address Use to match any routes that have a destination network number address that is permitted by the specified prefix list Example host1 config route map match ipv6 address prefix l...

Page 38: ...he match clause See match level match metric Use to match a route for the specified metric value Example host1 config route map match metric 10 Use the no version to delete the match clause from a rou...

Page 39: ...p match tag 25 Use the no version to delete the match clause from a route map or a specified value from the match clause See match tag route map Use to define the conditions for redistributing routes...

Page 40: ...te map See set as path prepend set automatic tag Use to automatically compute the tag value of the destination routing protocol Example host1 config route map set automatic tag Use the no version to d...

Page 41: ...ively you can use the list keyword to specify the name of a community list that you previously created with the ip community list command Example host1 config route map set community no advertise Use...

Page 42: ...to delete the set clause from a route map See set extcommunity set ip next hop Use to set the next hop attribute of a route that matches a route map You can specify an IP address or an interface as th...

Page 43: ...specify a plus or minus sign immediately preceding the metric value The value is added to or subtracted from the metric of any routes matching the route map The relative metric value range is 0 42949...

Page 44: ...al costs and the external cost 2 Sets the cost of the external routes so that it is equal to the external cost alone this is the OSPF default Example host1 config route map set metric type internal Us...

Page 45: ...le host1 config route map set weight 200 Use the no version to delete the set clause from a route map See set weight Match Policy Lists Match policy lists are very similar to route maps However unlike...

Page 46: ...ilter inbound or outbound routes You can use different kinds of access lists to filter routes based on either the prefix or the AS path Filtering Prefixes To filter routes based on the prefix you can...

Page 47: ...c routes to IS IS 1 Configure three static routes host1 config ip route 20 20 20 0 255 255 255 0 192 168 1 0 host1 config ip route 20 20 21 0 255 255 255 0 192 168 2 0 host1 config ip route 20 21 0 0...

Page 48: ...st reject1 deny 172 24 160 0 0 0 0 255 host1 config access list reject1 permit 172 24 24 0 0 0 0 255 Filtering AS Paths You can use a filter list to filter incoming and outgoing routes based on the va...

Page 49: ...to router London Accept routes originated in AS 11 only if they pass directly to router London Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11 but not both AS 62...

Page 50: ...filtering routes Configuration Example 1 In Figure 4 on page 24 a route map is used to determine the weight for routes learned by router Chicago Figure 4 Route Map Filtering Access list 1 permits any...

Page 51: ...Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 weight 50 over the same routes learned via router Boston weight 25 according to route map 1 Router Chicago prefers rout...

Page 52: ...the representation of the AS path of the route as an ASCII string the permit or deny condition applies The AS path does not contain the local AS number The AS path allows substring matching For examp...

Page 53: ...u can do the following Use AS path filters with the ip as path access list and the neighbor filter list commands Use route map filters with the route map and the neighbor route map commands Example ho...

Page 54: ...ment all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer Use the in keyword to assign the prefix tree to incoming rout...

Page 55: ...create gold service host1 config silver service new channels 232 0 3 24 host1 config access list gold permit ip host any 228 0 0 0 0 0 0 255 host1 config access list gold permit ip host 1 1 1 1 232 0...

Page 56: ...ipv6 access list commands to clear access list counters clear access list clear ipv6 access list Use to clear all access list counters or access list counters in the specified access list Example 1 ho...

Page 57: ...iterion appear in the routing table ip access route table map ipv6 access route table map Use to filter access routes before an access list adds them to the routing table Example 1 host1 config ip acc...

Page 58: ...face null 0 host1 config if There is no no version See interface null ip route Use to configure a static route and redirect traffic from it to the null interface Example host1 config if ip route 10 10...

Page 59: ...ounts in the IPv6 prefix lists or the specified entry from the specified prefix list The router increments the hit count by 1 each time an entry matches Example host1 clear ipv6 prefix list abc There...

Page 60: ...to delete the match clause from a route map or a specified value from the match clause See match ip address match ipv6 address Use to match any route that has a destination network number address tha...

Page 61: ...he entry it branches the other way to another mutually exclusive test pair The router stops testing conditions when it finds the best match If no conditions match the router rejects the address An emp...

Page 62: ...ee match ip address match ip next hop Use with the prefix tree keyword to match routes that have a next hop router address passed by the specified prefix tree Example host1 config route map match ip n...

Page 63: ...not advertise the route to any external peers local as also known as no export subconfed Advertises this route to the Internet community by default all prefixes are members of the Internet community i...

Page 64: ...o set metrics for routes that it forwards to router Boston based on the communities to which the routes belong You can create community lists and filter the routes with a route map that matches on the...

Page 65: ...y number of communities so a community list can have many entries comprising many communities You can specify one or more community values when you create a community list A clause in a route map that...

Page 66: ...nity no advertise Use the no version to remove the set clause from a route map See set community Extended Community Lists The router supports the BGP extended community attribute defined in Internet d...

Page 67: ...atch extcommunity boston1 A route matches this community list only if it belongs to at least all three communities in extended community list boston1 communities 100 2 100 3 and 100 4 Use the no versi...

Page 68: ...st Using Regular Expressions You can use regular expressions when you define AS path access lists and community lists to more easily filter routes A regular expression uses special characters often re...

Page 69: ...the community number has the format AA NN where AA is a number that identifies the autonomous system and NN is a number that identifies the community within the autonomous system Otherwise the commun...

Page 70: ...mmediately following it in the regular expression On an E Series router you are likely to use the backslash only for the parentheses characters or BGP indicates a segment of an AS path that is of type...

Page 71: ...9 Includes any character matches all AS paths and community lists 67 42 51314 33 252 422 483142 4 339 7831422 Includes a number that has a numeral 4 followed by zero or more instances of the numeral 2...

Page 72: ...600 but not 25 7771307 800 Includes a number in the range 700 799 7 723 700 but not 25 7771307 800 6127 723 999700 100 600 Consists only of a number in the range 700 799 7 60 4334 545 92 200710 86 53...

Page 73: ...tes from the IP routing table and then enable the owning protocols BGP OSPF RIP to reinstall the routes clear ip routes Use to clear all routing entries or a specified entry from the IP routing table...

Page 74: ...how ip traffic Traffic You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify For details see Command Line Interface...

Page 75: ...path access list AS Path Access List 1 permit AS Path Access List 2 deny AS Path Access List 3 permit _109_ deny AS Path Access List 4 permit _109 deny AS Path Access List 10 deny _109 permit 108_ de...

Page 76: ...6 permit no export Community List 7 permit internet See show ip community list show ip match policy list Use to display configured policy lists Example host1 show ip match policy list match policy li...

Page 77: ...efix tree Prefix tree with the last deletion insertion t_abc5 ip prefix tree name t_abc1 1 entries permit 108 243 0 0 16 ip prefix tree name t_abc2 3 entries permit 101 10 254 0 24 permit 102 10 248 0...

Page 78: ...ol is rip Router Administrative State enable System version RIP1 send 1 receive 1 or 2 Update interval 30 seconds Invalid after 180 seconds hold down time 120 seconds flushed interval 300 seconds Filt...

Page 79: ...xample 1 host1 show ip route Protocol Route type codes I1 ISIS level 1 I2 ISIS level2 I route type intra IA route type inter E route type external i metric type internal e metric type external O OSPF...

Page 80: ...outes 0 dvmrp routes Last route added deleted null by Invalid At MON FEB 04 2008 14 18 04 UTC MPLS tunnel routes not used for forwarding 3 total routes 216 bytes in route entries 1 bgp tunnel routes 1...

Page 81: ...2 Example 3 host1 show ip route slot 9 90 249 255 255 IP address Interface Next Hop 90 249 255 255 Local Interface See show ip route slot show ip static Use to display the status of static routes in t...

Page 82: ...atistics Frags reassembled Number of reassembled packets reasm timed out Number of reassembled packets that timed out reasm req Number of requests for reassembly reasm fails Number of reassembly failu...

Page 83: ...ived echo req Number of echo request ping packets received echo rpy Number of echo replies received timestamp req Number of requests for a timestamp received timestamp rpy Number of replies of timesta...

Page 84: ...ttempted accepted Number of incoming TCP connections accepted established Number of TCP connections established dropped Number of TCP connections dropped closed Number of TCP connections closed TCP Gl...

Page 85: ...57680 routes in table 0 timestamp req 0 timestamp rpy 0 addr mask req 0 addr mask rpy ICMP statistics Rcvd 561 total 0 errors 15 dst unreach 0 time exceed 0 param probs 0 src quench 0 redirects 0 echo...

Page 86: ...ample host1 config route map 1 permit 10 host1 config route map match community 44 host1 config route map set local pref 400 host1 config route map exit host1 config exit host1 show route map 1 route...

Page 87: ...ing Translation Entries on page 69 Specifying Inside and Outside Interfaces on page 69 Defining Static Address Translations on page 69 Defining Dynamic Translations on page 71 Clearing Dynamic Transla...

Page 88: ...r information about the modules that support NAT NOTE The E120 and E320 Broadband Services Routers do not support configuration of NAT Module Requirements To configure NAT on ERX7xx models ERX14xx mod...

Page 89: ...es out to the public network There are two types of traditional NAT basic NAT and NAPT Basic NAT Basic NAT provides translation for IP addresses only called a simple translation and places the mapping...

Page 90: ...nts and routing restrictions apply to bidirectional NAT that were described for traditional NAT The difference between these two methods is that the DNS exchange might create entries within the transl...

Page 91: ...one of two ways inside or outside source translation Inside Source Translation Inside source translation is the most commonly used NAT configuration When an inside host sends a packet to the outside...

Page 92: ...a translated IP address static translation or dynamic translation Static Translations You enter static translations as direct configuration settings that remain in the translation table until you rem...

Page 93: ...destination interface is marked as inside the server module drops the packet Does not find a NAT match and the destination interface is not marked as inside the server module processes the packet norm...

Page 94: ...configure certain IP interfaces to participate in Network Address Translation This chapter discusses how to configure NAT to function for certain IP interfaces For information about general IP interfa...

Page 95: ...e or the outside network CAUTION Only packets routed between an inside and an outside interface are subject to translation You can unmark an interface by using the no version of this command ip nat Us...

Page 96: ...c translation created with the ip nat inside source static command enables any outside host to contact the inside host by using the inside global address of the inside host A static translation can be...

Page 97: ...ss translation and session flows between address realms on demand To configure dynamic translations Define any access list rules that the NAT router uses to decide which packets need translation Defin...

Page 98: ...eate address pools with either a single range or multiple nonoverlapping ranges When you create a single range you specify the starting and ending IP addresses for the range in the root ip nat pool co...

Page 99: ...171 69 40 112 host config ipnat pool address 171 69 40 118 171 69 40 120 host config ipnat pool exit Use the no version to remove the address range See ip nat pool Defining Dynamic Translation Rules...

Page 100: ...keyword to specify that the translation create NAPT entries protocol port and address in the NAT table The no version of this command removes the dynamic translation rule but does not remove any prev...

Page 101: ...time in seconds never for any of the specified timers timeout Dynamic simple translations not for overloaded translations default is 86400 seconds 24 hours dns timeout DNS createdprotocoltranslations...

Page 102: ...ip nat translation gre icmp tcp udp inside insideGlobalIpAddress insideLocalIpAddress version of this command to match any global or local port and remove inside source extended GRE ICMP TCP or UDP tr...

Page 103: ...e config interface ip nat inside host1 blue config interface exit host1 blue config interface serial 1 2 host1 blue config interface ip nat inside host1 blue config interface exit 3 Mark the outside i...

Page 104: ...of the three addresses in the pool Because this example uses NAPT the interface can use only one pool address depending on the number of inside hosts attempting to access the outside at any given time...

Page 105: ...routing loops when no matching translation exists host1 blue config ip route 192 32 6 0 255 255 255 192 null 0 NOTE Null route applies to 192 32 6 0 and 192 32 6 1 which do not exist in the address p...

Page 106: ...y smaller than the size of the company network because not all private hosts are likely to access the public network at the same time 5 Create the access list for addresses eligible for dynamic transl...

Page 107: ...ide global addresses to prevent routing loops when no matching translation exists host1 blue config ip route 12 220 1 0 255 255 0 0 null 0 Cross VRF Example In MPLS VPN configurations you might want t...

Page 108: ...x length 24 5 Create the access list for addresses eligible for dynamic translation host1 vr1 vrf11 config access list entA permit 10 16 5 0 0 0 0 255 6 Create the dynamic translation rule host1 vr1 v...

Page 109: ...at has NAT enabled Figure 10 PPTP Tunnels on an Inside Network The router has installed an inside source static simple translation in its translation table as follows Inside Global Address Inside Loca...

Page 110: ...ound GRE packets the router transmits the packets to the tunnel server module for GRE processing If the packets require translating they are again sent through the tunnel server module NOTE Only inner...

Page 111: ...e extended static translations Outside Source Extended Number of outside source extended static translations Dynamic Translation Type Type of dynamic translation inside source simple outside source si...

Page 112: ...ource Extended 70000 70000 70000 568 Fully Extended 26855 26855 26855 2565 Forwarding statistics for virtual router vr1 Packets received on inside interface and forwarded directly 8 forwarded through...

Page 113: ...utside global Outside global IP address for this translation entry this field also provides the port number separated by a colon for extended entries Outside local Outside local IP address for this tr...

Page 114: ...ormation The command output displays configuration mask and address ranges of all address pools unless you supply a specific pool name show ip nat pool Use to display NAT address pool information Fiel...

Page 115: ...ess list and pool usage information for inside source translation rules Field descriptions access list name Name of the access list pool name Name of the address pool rule type Type of rule assigned E...

Page 116: ...Copyright 2010 Juniper Networks Inc 90 JunosE 11 2 x IP Services Configuration Guide...

Page 117: ...workstation for data collection and further processing In addition the ability to enable J Flow on an individual virtual router interface or subinterface allows you to collect network statistics for s...

Page 118: ...n a subset of the fields collected in the raw flow data For example TCP flags Next Hop Address and ToS values are not maintained in any of the aggregation caches Unlike the main cache aggregation cach...

Page 119: ...o the collector the unsent records are discarded However the virtual router continues to increase the sequence number by one as if it sent the records Discrepancies between the sequence number and sen...

Page 120: ...Services Routers See E120 and E320 Module Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the mo...

Page 121: ...Issuing an interface level flow command does not enable J Flow on the virtual router To enable J Flow issue the ip flow statistics command ip route cache flow sampled Use to enable J Flow on an inter...

Page 122: ...nfigured sampling rate and might drop the intended sampled packets If this occurs you can address the issue by reducing the sampling rate NOTE For all modules except the ES2 10G LM on the E120 router...

Page 123: ...p flow cache timeout active command to specify a value for the activity timer The activity timer measures the amount of time that the virtual router has been recording a datagram for a given flow When...

Page 124: ...flow export 192 168 2 73 2055 version 5 peer as Example 2 Specifies the source address for outbound export J Flow datagrams host1 config ip flow export source fastEthernet 5 0 Use the no version to r...

Page 125: ...ion cache host1 config ip flow aggregation cache as 2 Configure the number of entries 1024 524288 in the aggregation cache the no version sets the number of entries back to its default value of 4096 f...

Page 126: ...abled export destination Use to configure an export destination for the aggregation cache Example host1 config flow cache export destination myhost udp port Use the no version to remove the destinatio...

Page 127: ...ce Monitoring J Flow Statistics This section shows how to clear J Flow statistics and use the show commands to view J Flow settings and statistical results Clearing J Flow Statistics Use the clear ip...

Page 128: ...ribution of IP packets by size Percent Percent distribution of different sized IP packets Protocol Port Protocol of the sample and port destination for that sample Total Flows Total number of flows Fl...

Page 129: ...ckets Protocol Port Flows Sec Flow Packet Sec TCP telnet 1 0 000 118 000 1014 000 0 000 UDP whois 1 0 008 935 000 1026 000 7 664 Summary Total Flows Processed 2 Total Packets 1053 Total Bytes 1078962...

Page 130: ...20 30 41 258 GigE4 0 12 0 0 2 GigE2 0 TCP telnet 58 000 1014 000 0 000 10 20 30 41 63 GE4 0 50 60 70 88 UDP whois 1028 000 1026 000 7 672 Summary Total Flows Processed 2 Total Packets 1086 Total Bytes...

Page 131: ...ld descriptions Aggregation Cache AS AS aggregation cache Destination prefix Destination prefix aggregation cache Prefix Prefix aggregation cache Protocol port Protocol port aggregation cache Source p...

Page 132: ...000 7 664 Summary Total Flows Processed 2 Total Packets 1053 Total Bytes 1078962 show ip flow export Use to display configuration values for IP flow cache export Example host1 show ip flow export Flow...

Page 133: ...en these hello messages are not used IGP hellos have their own limitations it often takes one second or more to detect a remote end failure and processing IGP hello messages takes precious processing...

Page 134: ...peer for a failure detection time and after the time expires the client stops transmitting packets For the Admin Down state to work the peer which receives the Admin Down state notification must have...

Page 135: ...iveness detection interval is the period a peer waits for a BFD packet from its peer before declaring the BFD session to be down The detection interval is determined independently by each peer and can...

Page 136: ...ule specifications See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support BFD For information about modules that support BFD on the E120 and E320 Broadb...

Page 137: ...ers establish sessions based on BFD version support Table 7 Determining BFD Versions E Series Routers Running Software Versions Earlier than JunosE 7 2 x E Series Routers Running JunosE 7 2 x and late...

Page 138: ...guration Guide OSPF Chapter Configuring OSPF in JunosE IP IPv6 and IGP Configuration Guide OSPFv3 Chapter Configuring PIM for IPv4 Multicast in JunosE IP IPv6 and IGP Configuration Guide and chapter C...

Page 139: ...ed timer intervals for all BFD sessions on the router Does not disable the state of the BFD adaptive timer interval feature Example host1 clear bfd adapted intervals There is no no version See clear b...

Page 140: ...d Example 1 host1 clear ipv6 bfd session Example 2 host1 clear ipv6 bfd session address 1 4 There is no no version See clear ipv6 bfd session Monitoring BFD This section lists the system event logs as...

Page 141: ...session Field descriptions Address IP address of the remote interface with which the session is established In unnumbered cases the remote interface provides its reference IP address State State of t...

Page 142: ...e remote end Up Down count Number of up down transitions that have occurred on the session Local diagnostic Reason at the local end for the last session down event Remote diagnostic Reason at the remo...

Page 143: ...val 0 multiplier 3 Remote min tx interval 0 3 min rx interval 0 3 multiplier 3 Local diagnostic None Remote diagnostic None Remote heard hears us Min async interval 0 3 min slow interval 0 3 Echo mode...

Page 144: ...Copyright 2010 Juniper Networks Inc 118 JunosE 11 2 x IP Services Configuration Guide...

Page 145: ...sulating protocols including authentication AH and Encapsulating Security Payload ESP to provide security on specified packets The Internet Security Association and Key Management Protocol Internet Ke...

Page 146: ...ready secured traffic arriving on that interface identified based on its SPI This traffic is cleared and checked against the security parameters set for that interface Inbound traffic Internet Protoco...

Page 147: ...er See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support IPSec NOTE...

Page 148: ...data packet Authentication header AH provides authentication to every data packet Both protocols are defined with two modes of operation Tunnel mode completely encapsulates the original packet within...

Page 149: ...traffic to discard and so on The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that unwanted traffic is not allowed inside the tunnel Supported selector...

Page 150: ...and source and destination IP addresses Transport VR A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys PFS ensures that a...

Page 151: ...an SA on demand with the remote security gateway The remote security gateway must also support SA negotiation otherwise the gateway drops traffic Again the router keeps statistics for dropped traffic...

Page 152: ...ure tunnel endpoints the source and destination are routable addresses Normally the transport VR is the default ISP routing infrastructure on top of which VPNs are provisioned The IPSec Service module...

Page 153: ...es the FQDN to establish and authenticate the IPSec connection and then uses the actual IP address for rekeying and filtering operations The ERX router FQDN feature supports both preshared keys and di...

Page 154: ...lished both a timer and a traffic volume counter are set When either counter reaches the limit specified by the SA lifetime a new SA is negotiated and the expired SA is deleted The renegotiations refr...

Page 155: ...the other the outbound SA parameters The following parameters form each set of SA parameters SPI The SPI is a unique identifier that is applied to the SA when securing a flow An SPI is unique for a gi...

Page 156: ...IPSec supports two encapsulation modes tunnel mode and transport mode Tunnel mode creates a second IP header in the packet and uses both the local and remote security gateway addresses as source and d...

Page 157: ...and ESP DES transforms ESP DES MD5 Combination of ESP SHA and ESP DES transforms ESP DES SHA Combination of ESP MD5 and ESP 3DES transforms ESP 3DES MD5 Combination of ESP SHA and ESP 3DES transforms...

Page 158: ...rocessing on page 132 AH Processing on page 132 This section also provides a pointer to the IPSec system maximums IP Security Policies The ERX router does not support a systemwide SPD Instead the rout...

Page 159: ...th each other at regular predetermined intervals DPD uses two techniques to verify connectivity on an as needed basis In the first method the router sends DPD inquiries to the remote peer when traffic...

Page 160: ...ork for key exchange and security association establishment IKE provides Automatic key refreshing on configurable timeout Support for public key infrastructure PKI authentication systems Antireplay de...

Page 161: ...nations of initiator proposals and policy rules As indicated allowing aggressive mode in a policy rule allows negotiation to take place no matter what the initiator requests Table 13 Initiator Proposa...

Page 162: ...ever every IKE policy is considered secure enough to secure the IKE SA flow During IKE negotiation all policies are scanned one at a time starting from the highest priority policy and ending with the...

Page 163: ...me parameter for an IKE policy The timer for the lifetime parameter begins when the IKE SA is established using IKE IKE SA Negotiation As the initiator of an IKE SA the router sends its IKE policies t...

Page 164: ...em attribute regardless of how many ISMs exist in the system Only one set of keys is available at any given time Configuration Tasks This section explains the steps to configure an IPSec license and I...

Page 165: ...host1 config manual key key customerASecret After you enter a preshared key the router encrypts the key and displays it in masked form to increase the security of the key If you need to reenter the ke...

Page 166: ...sp net host1 config manual key Example 3 using an FQDN with user specification host1 config ipsec key manual pre share identity user4919 branch245 customer77 isp net host1 config manual key Use the no...

Page 167: ...actual transform used on the tunnel is negotiated with the peer Transforms are numbered in a priority sequence in the order in which you enter them To display the names of the transforms that you can...

Page 168: ...ddresses assigned to the tunnel interface host1 config virtual router vrA host1 vrA config 2 Create an IPSec tunnel and specify the transport VR host1 vrA config interface tunnel ipsec Aottawa2boston...

Page 169: ...in use by this tunnel host1 config if tunnel lifetime seconds 48000 kilobytes 249000 13 Optional Set the MTU size for the tunnel host1 config if tunnel mtu 2240 interface tunnel Use to create or conf...

Page 170: ...er of seconds limit is reached the SA is renegotiated which ensures that the tunnel does not go down during renegotiation Example host1 config if tunnel lifetime seconds 48000 kilobytes 249000 Use the...

Page 171: ...configure perfect forward secrecy PFS on this tunnel Assign a Diffie Hellman prime modulus group using one of the following keywords 1 768 bit group 2 1024 bit group 5 1536 bit group Example host1 con...

Page 172: ...et includes DES create an 8 byte key using 16 hexadecimal characters 3DES create a 24 byte key using 48 hexadecimal characters MD5 create a 16 byte key using 32 hexadecimal characters SHA create a 20...

Page 173: ...IPSec tunnel destination backup is configured the router redirects traffic to the alternate destination when DPD detects a disconnection between the E Series router and the regular tunnel destination...

Page 174: ...SL environments use the FQDN to identify the tunnel destination backup which does not have a fixed IP address The identity string can include an optional user specification preceding the FQDN this is...

Page 175: ...ssive mode to the peer in connections that the policy initiates If the peer initiates a negotiation the tunnel accepts the negotiation if the mode matches this policy Use the accepted keyword to accep...

Page 176: ...it group 5 1536 bit group Example host1 config ike policy group 5 Use the no version to restore the default See group hash Use to set the hash algorithm for the IKE policy md5 MD5 HMAC variant sha SHA...

Page 177: ...As The range is 60 86400 seconds host1 config ike policy lifetime 360 Use the no version to reset the SA lifetime to the default 28800 seconds See lifetime Refreshing SAs To refresh ISAKMP IKE or IPSe...

Page 178: ...e subject to denial of service DOS attacks Instead the E Series router can determine when a phase 1 relationship has gone stale by timeouts or use of dead peer detection DPD For this reason this featu...

Page 179: ...long haul Frame Relay links by creating IPSec tunnels to carry customer A s traffic securely between the sites over the public or ISP provided IP network This alternative costs only a fraction of the...

Page 180: ...et customerAprotection erx1 config if tunnel local identity subnet 200 1 0 0 255 255 0 0 erx1 config if tunnel peer identity subnet 200 3 0 0 255 255 0 0 erx1 config if tunnel source 100 1 0 1 erx1 co...

Page 181: ...ustomerAprotection erx3 config if tunnel local identity subnet 200 3 0 0 255 255 0 0 erx3 config if tunnel peer identity subnet 200 2 0 0 255 255 0 0 erx3 config if tunnel source 100 3 0 1 erx3 config...

Page 182: ...t customerBprotection ah hmac md5 2 On each ERX router create a protection suite for the three routers to use to authenticate each other erx1 config ipsec key manual pre share 5 2 0 1 erx1 config manu...

Page 183: ...for the tunnels in the ISP default virtual router Virtual router A erx1 config virtual router vrA erx1 vrA config Tunnel from Ottawa to Boston on virtual router A erx1 vrA config interface tunnel ipse...

Page 184: ...air of tunnels in the virtual routers where the IP interfaces reaching those customers are defined Create the endpoints for the tunnels in the ISP default virtual router Virtual router A erx2 config v...

Page 185: ...rx3 create two IPSec tunnels one to carry customer A s traffic and another to carry customer B s traffic Virtual router A erx3 config virtual router vrA erx3 vrA config Tunnel from Boston to Ottawa on...

Page 186: ...subnet 10 2 0 0 255 255 0 0 erx3 vrB config if tunnel source 5 3 0 1 erx3 vrB config if tunnel destination 5 2 0 1 erx3 vrB config if ip address 10 2 0 0 255 255 0 0 erx3 vrB config if exit The confi...

Page 187: ...me of SAs created with this policy 60 to 86400 seconds aggressive mode Allowed or not allowed Example host1 show ipsec ike policy rule IKE Policy Rules Protection suite priority 5 encryption algorithm...

Page 188: ...main mode SA payload to the responder MM_SA_R Responder has sent a response to the initial main mode SA MM_KE_I Initiator has sent initial main mode key exchange to the responder MM_KE_R Responder ha...

Page 189: ...s and transport virtual router of local endpoints To display the local endpoint of a specific transport virtual router include the virtual router name Example host1 show ipsec local endpoint transport...

Page 190: ...n is displayed Tunnel operational configuration Configuration running on the tunnel Tunnel type Manual signaled Tunnel mtu MTU size of the tunnel Tunnel localEndpoint IP address of local tunnel endpoi...

Page 191: ...ased lifetime in kilobytes inbound outbound traffic remaining Number of additional kilobytes that tunnel can send or receive before traffic based lifetime expires Tunnel Statistics Displays statistics...

Page 192: ...Address 4 0 0 100 Tunnel peer identity is ipAddress 3 0 0 100 Tunnel lifetime seconds is 7200 Tunnel lifetime kilobytes is 1024000 Tunnel pfs is group 5 Tunnel administrative state is Up Tunnel Operat...

Page 193: ...splay the status of tunnels configured on a virtual router To display only tunnels that are in a specific state use the state keyword To display tunnels that are using a particular IP address use the...

Page 194: ...s ipsec tunnels license is g1k23b23eb2j which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards See show license Copyright 2010 Juniper Networks Inc 168 JunosE 11 2 x I...

Page 195: ...the associated VR or VRF The router contains a link between the VR or VRF and the private intranet containing the resources This link can be a direct connection or a tunnel IPSec IP in IP GRE or MPLS...

Page 196: ...The following events can trigger the teardown of a dynamic IPSec subscriber connection All phase 1 and phase 2 SA deleted by a remote peer and no rekeying activity occurs for one minute Administrative...

Page 197: ...rolling which connecting user based on the IKE identification belongs to a given profile Profile settings falling in this category include the following IKE identities from peers that can use this pro...

Page 198: ...reside on the PC These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed Depending on the IKE phase 1 exchange restrictions on the a...

Page 199: ...tes on page 205 Configuring IP Tunnels on page 237 JunosE Broadband Access Configuration Guide Creating an IPSec Tunnel Profile To create an IPSec tunnel profile use the ipsec tunnel profile command T...

Page 200: ...return the maximum value to unlimited indicating no limit to the number of interfaces that can be instantiated on this profile See max interfaces Specifying IKE Settings This section describes how to...

Page 201: ...e username portion of the IKE identity matches the username setting for this profile An empty string default means that an IKE identity type of userFQDN is not allowed for logins on this profile NOTE...

Page 202: ...and local identities at the other end respectively Example host1 config ipsec tunnel profile local ip identity range 10 30 11 1 10 30 11 50 Use the no version to restore the default value the interna...

Page 203: ...ave higher priority than global keys If both individual and global keys are configured the individual that also has a specific key must use that key or authentication fails More than one profile can s...

Page 204: ...ume lifetime Use to specify the IPSec lifetime parameters used on IPSec SA lifetime negotiations Example host1 config ipsec tunnel profile lifetime seconds 5000 25000 Use the no version to return the...

Page 205: ...cepts the first transform proposed by a client that matches one of the transforms specified by this command During an IPSec SA exchange with a client the router proposes all transforms specified by th...

Page 206: ...s This section describes enhancements to some IKE policy rule commands to support dynamic IPSec subscribers Specifying a Virtual Router for an IKE Policy Rule The ip address virtual router command ena...

Page 207: ...Mode for an IKE Policy Rule The aggressive mode command enables aggressive mode negotiation for the tunnel For additional information about aggressive mode and how it works see Main Mode and Aggressi...

Page 208: ...el profile found Example 2 host1 show ipsec tunnel profile detail ipsec spg IPsec tunnel profile ipsec spg is active with no subscriber Extended authentication pap no re authentication Peer IP charact...

Page 209: ...d source of the address l2tp local dhcp radius user For local dhcp radius and user endpoints the address is that of the user When the endpoint is l2tp the address is that of the LNS Virtual Router Nam...

Page 210: ...xcfgUser1 vpn1 800 555 1212 See show subscribers Copyright 2010 Juniper Networks Inc 184 JunosE 11 2 x IP Services Configuration Guide...

Page 211: ...197 Monitoring ANCP on page 197 Overview Access Node Control Protocol ANCP also known as Layer 2 Control L2C is based on a subset of the General Switch Management Protocol GSMP as defined in the GSMP...

Page 212: ...multiple flows and distinct QoS requirements These mechanisms require that B RAS devices obtain information about the access network topology the links within that network and their rates Operations...

Page 213: ...g ways From AAA layer For PPP interfaces the router retrieves the DSL line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external serve...

Page 214: ...rt 6068 for ANCP TCP connection requests l2c ip listen Use to create a listening TCP socket in the current virtual router context Example host1 config l2c ip listen Use the no version to remove the li...

Page 215: ...fig l2c wait for gsmp syn Use the no version to disable the learning option in ANCP If the access node does not send the GSMP_SYN message after initiating the TCP session the connection is lost becaus...

Page 216: ...if l2c peer attachment id in_multicast_port_5 Use the no version to remove the input label association See l2c peer attachment id Configuring ANCP Neighbors From the L2C Configuration mode config l2c...

Page 217: ...y the maximum number of discovery table entries that a neighbor can have Using this command to change the maximum number of entries when an already greater number of current entries exists in the disc...

Page 218: ...host1 l2c neighbor discovery mode Use the no version to disable discovery mode See discovery mode Configuring ANCP for QoS Adaptive Mode The system can QoS adjust VLAN and ATM VC downstream rates rece...

Page 219: ...ANCP QoS adaptive mode enables the system to shape VLAN and ATM VC downstream rates received from ANCP by dynamically creating QoS parameter instances associated with the ANCP L2C downstream applicat...

Page 220: ...ers that use the specified DSL line type Example host1 config l2c adjustment factor adsl1 45 host1 config l2c adjustment factor adsl2 55 host1 config l2c adjustment factor adsl2 67 host1 config l2c ad...

Page 221: ...In the following example Figure 18 on page 195 two subscribers access individual multicast channels through cross connections branches that occur on the access node Figure 18 Using ANCP with an Acces...

Page 222: ...iles see Command Line Interface in JunosE System Basics Configuration Guide Configure an OIF map host1 config ip igmp oif map OIFMAP atm 2 0 101 232 1 1 1 10 1 1 1 host1 config ip igmp oif map OIFMAP...

Page 223: ...ans of a GSMP port management message For example when using an ATM based local loop the ANCP operation can trigger the access node to generate ATM F4 F5 loopback cells on the local loop l2c oam Use t...

Page 224: ...splays the adjustment factor for each DSL type host1 show adjustment factor L2C QoS Adjustment Rates ADSL1 45 ADSL2 55 ADSL2 100 VDSL 100 VDSL2 55 SDS 100 Example 2 Displays the adjustment factor for...

Page 225: ...DLE Dsl Type Type of DSL Total Line Attributes Total number of line attributes reported Example 1 host1 show l2c discovery table brief Neighbor Access Loop Id Down UpStream kbps State ACCESSNODE_10 Ac...

Page 226: ...am 9408 kbps Line State 1 SHOWTIME Dsl Type 0 Invalid transmission type Total Line Attributes 6 See show l2c discovery table show l2c label Use to display information about known ANCP labels on the ro...

Page 227: ...rface Peer Attach Id ATM4 0 11 Accessnode_10 atm3 2 0 10 ATM4 0 12 Accessnode_10 atm3 3 0 10 ATM4 0 13 Accessnode_10 atm3 4 0 10 ATM4 0 14 Accessnode_10 atm3 5 0 10 Example 3 host1 show l2c label neig...

Page 228: ...ol state of this neighbor Number of configured neighbors Number of configured ANCP neighbors Number of Neighbors in GSMP_ESTAB state Number of ANCP neighbors that are in an established GSMP state Numb...

Page 229: ...P neighbors Number of active neighbors Number of active ANCP neighbors Number of end user ids Number of ANCP end user IDs output labels Number of peer attachment ids Number of ANCP peer attachment IDs...

Page 230: ...Copyright 2010 Juniper Networks Inc 204 JunosE 11 2 x IP Services Configuration Guide...

Page 231: ...s and Public Keys on page 228 Overview You can use digital certificates in place of preshared keys for IKE negotiations For more information about IKE see IKE Overview on page 134 in Configuring IPSec...

Page 232: ...t dictate how IPSec processes a packet including encapsulation protocol and session keys A single secure tunnel uses multiple SAs SA Simple certificate enrollment protocol used to submit requests and...

Page 233: ...ficate This certificate provides a level of assurance that a peer s identity as represented in the certificate is associated with a particular public key E Series Broadband Services Routers provide bo...

Page 234: ...generate its own public private key pairs The public private key pair supports the RSA standard 1024 or 2048 bits The private key is used only by the ERX router It is never exchanged with any other n...

Page 235: ...rds supported for certificate enrollment are PKCS 10 certificate requests PKCS 7 responses and X 509v3 certificates For manual enrollment certificates are encoded in base64 MIME so that the files are...

Page 236: ...E phase 1 signature authentication In the online certificate method you use the crl command to control CRL verification The router uses HTTP to support CRL verification when the CRL distribution point...

Page 237: ...ERX router and taken to CAs for obtaining a certificate crq Used for public certificate files The public certificates for root CAs and the router public certificates are copied to the ERX router They...

Page 238: ...t having to obtain a digital certificate This method offers the simplicity and convenience of using preshared key authentication without its inherent security risks With this method you no longer need...

Page 239: ...3764 51E3AB3C F9A6665E 562E3681 F120405E 30235690 6FC093AA EB0FE956 51C38EE1 54D81E40 7687C387 07020301 0001 For more information about the format of an RSA public key and about ASN 1 syntax see RFC 3...

Page 240: ...rom the CA copy the certificate to the router and then inform the router that the new certificate exists host1 config ipsec certificate database refresh 8 Optional Set the sensitivity of how the route...

Page 241: ...handles CRLs during negotiation of IKE phase 1 signature authentication Specify one of the following keywords ignored Allows negotiations to succeed even if a CRL is invalid or the peer s certificate...

Page 242: ...rates the certificate use offline methods to send the certificate request file to the CA Example host1 config ipsec certificate request generate rsa myrequest crq There is no no version See ipsec cert...

Page 243: ...r policies in the range 1 10000 with 1 having the highest priority Example host1 config ipsec ike policy rule 3 host1 config ike policy Use the no version to remove policies If you do not include a pr...

Page 244: ...here is no no version To remove a key pair use the ipsec key zeroize command See ipsec key generate ipsec key zeroize Use to delete RSA key pairs Include one of the following keywords rsa Removes the...

Page 245: ...host1 config ca identity issuer identifier BetaSecurityCorp 5 Specify the URL of the SCEP server from which the CA certificates and the router s public certificates is retrieved host1 config ca ident...

Page 246: ...he default setting required Requires a valid CRL either the certificates that belong to the E Series router or the peer must not appear in the CRL this is the strictest setting Example host1 config ca...

Page 247: ...16 ikeEnrollment Received CA certificate for ca trustedca1 INFO 10 18 2003 03 45 16 ikeEnrollment Received CA certificate for ca trustedca1 fingerprint 28 19 ba 76 d8 e0 bb 22 60 cd b9 2d dc b8 58 01...

Page 248: ...y rule Use to define an ISAKMP IKE policy When you enter the command you include a number that identifies the policy and assigns a priority to the policy You can number policies in the range 1 10000 w...

Page 249: ...ipsec key zeroize command See ipsec key generate ipsec key zeroize Use to delete RSA key pairs Include one of the following keywords rsa Removes the RSA key pair from the router pre share Removes all...

Page 250: ...ertificate 1 Generate the RSA key pair on the router host1 config ipsec key generate rsa 1024 Please wait IPsec Generate Keys complete 2 In your IKE policy set the authentication method to RSA signatu...

Page 251: ...e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698 748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b 4aac505b 255f17ca faf884ca f0402022 5ad6f44...

Page 252: ...ey generate rsa 2048 Please wait IPsec Generate Keys complete There is no no version To remove a key pair use the ipsec key zeroize command See ipsec key generate ipsec key pubkey chain rsa Use to acc...

Page 253: ...sion to remove the peer public key from the router See ipsec key pubkey chain rsa key string Use to manually enter a 1024 bit or 2048 bit public key for a remote peer with which you want to establish...

Page 254: ...nfigures the public key for a remote peer with the user FQDN tsmith sales company_xyz com using lowercase x as the key string delimiter character host1 config ipsec key pubkey chain rsa name tsmith sa...

Page 255: ...ment url http 192 168 10 124 scepurl issuer id BetaSecurityCorp retry period 1 retry limit 60 crl setting optional proxy url See show ipsec ca identity show ipsec certificates show ike certificates NO...

Page 256: ...suerName C CA ST ON L Kanata O BetaSecurityCorp OU VT Group CN VT Root CA SerialNumber 84483276204047383658902 SignatureAlgorithm rsa pkcs1 sha1 Validity NotBefore 2003 Oct 21st 16 14 42 GMT NotAfter...

Page 257: ...sLocation Following names detected URI uniform resource indicator Viewing specific name types No names of type IP DNS URI EMAIL RID UPN or DN detected AccessMethod 1 3 6 1 5 5 7 48 2 AccessLocation Fo...

Page 258: ...1 FullName Following names detected URI uniform resource indicator Viewing specific name types URI http vtsca1 CertEnroll VTS 20Root 20CA crl Entry 2 FullName Following names detected URI uniform res...

Page 259: ...configuration show ike configuration NOTE The show ike configuration command has been replaced by the show ipsec ike configuration command and may be removed completely in a future release Use to disp...

Page 260: ...the summary keyword To display the public key for a remote peer with a specific IP address use the address keyword followed by the IP address in 32 bit dotted decimal format To display the public key...

Page 261: ...7 bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a 5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63...

Page 262: ...Copyright 2010 Juniper Networks Inc 236 JunosE 11 2 x IP Services Configuration Guide...

Page 263: ...is a virtual point to point connection between two routers See Figure 19 on page 237 To establish an IP tunnel you specify a tunnel type and name and then configure an interface on each router to act...

Page 264: ...ers See E120 and E320 Module Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that sup...

Page 265: ...ADV LM require the ES2 S1 Service IOA to condition it to receive and transmit data to other line modules The ES2 S1 Service IOA also does not have ingress or egress ports You can also create IP tunnel...

Page 266: ...irtual router keyword to establish the tunnel on a virtual router other than the current virtual router Example host1 config interface tunnel dvmrp boston tunnel 1 transport virtual router boston Use...

Page 267: ...l2 host1 config if tunnel destination 192 13 7 1 Example 2 host1 config interface tunnel dvmrp tunnel2 host1 config if tunnel destination remoteHost Use the no version to remove the destination of a t...

Page 268: ...ed boston that supports one end of the tunnel host1 virtual router boston 2 Configure a physical or loopback interface for the end of the tunnel on virtual router boston The IP address of this interfa...

Page 269: ...el the module forwards the frames to a tunnel service module Tunnel service modules include SMs and modules that support the use of shared tunnel server ports The tunnel service module encapsulates th...

Page 270: ...ls For information about configuring multicast VPNs using GRE tunnels see Configuring PIM for IPv4 Multicast in JunosE Multicast Routing Configuration Guide Monitoring IP Tunnels You can monitor DVMRP...

Page 271: ...xx models ERX14xx models and the ERX310 router or slot adapter port format E120 and E320 routers Tunnel secured by ipsec transport interface IPSec interface that secures the tunnel Tunnel administrati...

Page 272: ...rtual router vr1 ip 0 0 0 0 DVMRP tunnel boston1 is up 1 DVMRP tunnel found 1 tunnel was created static Example 5 Displays a DVMRP tunnel on an E320 router host1 show dvmrp tunnel detail DVMRP tunnel...

Page 273: ...the number of tunnels associated with an IP address on the virtual router specify an IP address with the virtual router keyword and the name of the virtual router Field descriptions Tunnel name Name o...

Page 274: ...eated static Example 2 host1 show gre tunnel detail Tunnel operational configuration Tunnel name is vr1 Tunnel mtu is 10240 Tunnel source address is 10 0 0 2 Tunnel destination address is 10 0 0 1 Tun...

Page 275: ...ple 4 host1 show gre tunnel virtual router vr1 ip 10 0 0 1 GRE tunnel VR1 is up 1 GRE tunnel found 1 tunnel was created static Example 5 Displays a GRE tunnel on an E320 router host1 show gre tunnel d...

Page 276: ...play a summary of information about GRE tunnels Field descriptions Administrative status enabled Tunnel is available for use disabled Tunnel is not available for use Operational status up Tunnel is op...

Page 277: ...ls also known as IP in IP tunnels To establish a dynamic IP tunnel for GRE or DVMRP interfaces you must configure a destination profile for a specific transport virtual router that is used to store tu...

Page 278: ...Mobile IP application can create dynamic point to point GRE and DVMRP tunnels The Mobile IP application is a tunneling based solution that enhances the utility of E Series Broadband Services Routers a...

Page 279: ...tic tunnel with the same parameters as an existing dynamic IP tunnel the system does not create the dynamic IP tunnel Changing and Removing Existing Dynamic IP Tunnels You can modify the parameters in...

Page 280: ...orts on their own associated I O modules However you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel You can also create IP tunnels on rou...

Page 281: ...nels on page 251 References For more information about IP tunnels see the following documents RFC 1700 Assigned Numbers October 1994 RFC 1701 Generic Routing Encapsulation October 1994 RFC 1702 Generi...

Page 282: ...el source 1 1 1 1 3 Set the destination address for the tunnel host1 config dest profile tunnel destination subnet 10 0 0 0 255 0 0 0 4 Optional Set the maximum transmission unit MTU size for the tunn...

Page 283: ...profile kanata mdt dvmrp destination profile Use to configure a destination profile for dynamic DVMRP tunnels Use the any virtual router keyword to create a default destination profile for all virtua...

Page 284: ...utation across a GRE tunnel Checksum computation is not supported for DVMRP tunnels Selecting this feature causes the E Series router to drop corrupted packets it receives on the tunnel interface Exam...

Page 285: ...ify GRE sequence numbers at both ends of the GRE tunnel Example host1 config dest profile tunnel sequence datagrams Use the no version to disable sequence numbers See tunnel sequence datagrams tunnel...

Page 286: ...outer assigned to the destination profile tunnel destination subnet Value of the configured destination address subnet tunnel source Value of the configured source address Example 1 Displays all desti...

Page 287: ...el Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router Name of the virtual router associ...

Page 288: ...PN Tunnel operational configuration Tunnel mtu is 5000 Tunnel source address is 1 1 1 1 Tunnel destination address is 2 2 2 2 Tunnel transport virtual router is vr1 Tunnel mdt is disabled Tunnel up do...

Page 289: ...ecause the hardware such as a line module supporting the tunnel is inaccessible Example host1 show dvmrp tunnel summary Administrative status enabled disabled 1 0 Operational status up down not presen...

Page 290: ...Displays a specific GRE destination profile used for dynamic IP tunnel creation host1 show gre destination profile boston1 gre destination profile boston1 tunnel checksum disabled tunnel sequence dat...

Page 291: ...tunnel Tunnel mtu Value of the maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tu...

Page 292: ...vr11 show dvmrp tunnel detail mvpn dynamic 1 GRE tunnel mvpn dynamic 1 is Up tunnel is dynamic Application is MVPN Tunnel operational configuration Tunnel mtu is 5000 Tunnel source address is 1 1 1 1...

Page 293: ...re tunnel show gre tunnel summary Use to display a summary of information about GRE tunnels Field descriptions Administrative status enabled Tunnel is available for use disabled Tunnel is not availabl...

Page 294: ...Copyright 2010 Juniper Networks Inc 268 JunosE 11 2 x IP Services Configuration Guide...

Page 295: ...processed and de encapsulated at the egress endpoint When packets are tunneled through an IP network simple IP forwarding is performed The IP forwarding process might fragment packets in the tunnel T...

Page 296: ...xx Models ERX14xx Models and the ERX310 Router To configure IP reassembly on ERX7xx models ERX14xx models and the ERX310 router you must install one of a Service Module SM an IPSec Service line module...

Page 297: ...P reassembly on IOAs that support shared tunnel server ports You can configure provision a shared tunnel server port to use a portion of the IOA s bandwidth to provide tunnel services For a list of th...

Page 298: ...baseline for tunnel reassembly statistics on the current virtual router The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting th...

Page 299: ...ad sent to the SRP module Reassembly Errors or Total Reassembly Errors Number of errors in completing reassembly detailed display includes types of reassembly errors Reassembly Discards Number of pack...

Page 300: ...unnel reassembly The following command shows reassembly statistics relative to the baseline before new packets arrive at the router for reassembly host1 vr2 show ip tunnel reassembly statistics delta...

Page 301: ...virtual IP interfaces that are configured to provide confidentiality and authentication services for the traffic flowing through the interface that traffic can be L2TP GRE and DVMRP tunnel traffic Se...

Page 302: ...NS and LAC support in E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support LNS and LAC Module Requirements To create IPSec secured tunnels you must...

Page 303: ...using another unsecured connection to the Internet depending on the client software capabilities On the router side of the L2TP connection the E Series router acts as the LNS On the PC client side of...

Page 304: ...ion SA between the client PC and the E Series router that is acting as a VPN provider SAs are established to secure data traffic The IPSec connection secures L2TP traffic 3 Set up an L2TP tunnel and s...

Page 305: ...S X version 10 3 or higher Interactions with NAT There are two ways that you can configure E Series routers to interact with Network Address Translation NAT devices in the network Configure the router...

Page 306: ...ce You can set up the router to run in NAT passthrough mode which causes the router to not check UDP checksums The reason is that a NAT device may change the IP address while the UDP header is encrypt...

Page 307: ...the IPSec remote peers 3 If a NAT device is detected between the remote peers the router negotiates the appropriate type of UDP encapsulation as part of the IKE SA and uses this encapsulation method...

Page 308: ...led UDP encapsulated IPSec packets arriving and leaving the router look like standard UDP packets However the router does not forward these packets to and from the SRP module as it does for other UDP...

Page 309: ...an carry no more than a single L2TP session for the duration of its existence The router ignores the idle timeout period for single shot tunnels This means that as soon a single shot tunnel s session...

Page 310: ...es Destruct timeout period For information about configuring L2TP IPSec single shot tunnels on the router see Configuring Single Shot Tunnels on page 287 Configuration Tasks for Client PC To set up cl...

Page 311: ...ile remote host default host1 config l2tp dest profile host 3 Specify that for L2TP tunnels associated with this destination profile the router accept only tunnels protected by IPSec host1 config l2tp...

Page 312: ...NAT T To configure NAT T on the current virtual router 1 Select the name of the virtual router you want to configure host1 config virtual router westford host1 westford config 2 Enable NAT T for the...

Page 313: ...configuration of the single shot tunnel for a particular L2TP host profile For information about how to use this command see show l2tp destination profile on page 300 For information about the other...

Page 314: ...ith a remote router After establishing the IPSec connection the E Series router establishes a GRE or DVMRP tunnel to the remote router The tunnel is completely protected by the IPSec connection Settin...

Page 315: ...mand interface tunnel dvmrp interface tunnel gre Use with the ipsec transport keyword to create a GRE or DVMRP tunnel that is protected with IPSec in transport mode NOTE After you create a clear GRE o...

Page 316: ...er Local IPSec Transport Profile mode host1 config ipsec transport profile local ip address 10 10 1 1 host1 config ipsec transport profile local Optional Configure a key for IKE negotiations For examp...

Page 317: ...which is a typical scenario for secure remote access For GRE IPSec and DVMRP IPSec connections you must enter a fixed address the 0 0 0 0 wildcard address is not accepted and will return an error Exam...

Page 318: ...d key which is not fully secure Example host1 config ipsec transport profile local ip address 192 168 1 2 host1 config ipsec transport profile local Use the no version to delete the IP address See loc...

Page 319: ...only the show config output you can 1 Use the show config command to see the encrypted masked form of the key 2 Use the pre shared masked command to enter the masked key The system will behave the sam...

Page 320: ...3des hmac sha See transform set Monitoring DVMRP IPSec GRE IPSec and L2TP IPSec Tunnels This section contains information about troubleshooting and monitoring DVMRP IPSec GRE IPSec and L2TP IPSec tun...

Page 321: ...uter has negotiated NAT T as part of the IKE SA the local UDP port number displayed in the Local Port column is typically 4500 When NAT T is disabled or not supported on one or both sides of the IKE S...

Page 322: ...ore not using NAT T to access the router This PC appears in the Remote Port column with its own IP address 21 227 9 10 and UDP port number 500 The remaining two client PCs are located behind a NAT dev...

Page 323: ...subnet protocol and port Remote identity Shows the subnet protocol and port Inbound spi Inbound security parameter index Inbound transform Inbound algorithm Inbound lifetime Inbound configured lifetim...

Page 324: ...ed above Example 1 host1 vr11 show ipsec transport interface IPSEC transport interface 5 is Up IPSEC transport interface 6 is Up 2 Ipsec transport interfaces found Example 2 host1 vr11 show ipsec tran...

Page 325: ...nd Number of IPSec transport interfaces that are currently bound to the upper layer Example host1 vr11 show ipsec transport interface summary Operational status up down upper bound 2 0 2 See show ipse...

Page 326: ...port profile show l2tp destination profile Use to display configuration information for an L2TP destination profile and its associated L2TP host profiles If single shot tunnels are configured for a pa...

Page 327: ...w l2tp destination profile westford L2TP destination profile westford Configuration Destination address Transport ipUdp Virtual router default Peer address 172 31 1 99 Statistics Destination profile c...

Page 328: ...Copyright 2010 Juniper Networks Inc 302 JunosE 11 2 x IP Services Configuration Guide...

Page 329: ...here mobility is desired and the traditional land line dial in model does not provide an adequate solution and in environments where a wireless technology is used NOTE Currently JunosE Software does n...

Page 330: ...request an agent advertisement from the mobile node through Internet Control Message Protocol ICMP router solicitations Mobile IP Registration The home agent receives the registration requests on UDP...

Page 331: ...e security association MD 5 key for a specified user or a group of users domain Authentication is accomplished either by generating an authentication authorization and accounting AAA access request or...

Page 332: ...agent When Mobile IP obtains all of the parameters required for interface creation including the tunnel ID and the authentication context it directs the subscriber management application to create th...

Page 333: ...Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support the Mobile IP home agen...

Page 334: ...tion server host1 test config radius authentication server 10 209 13 234 host1 test config radius key secret host1 test config radius udp port 1812 host1 test config radius radius update source addr 1...

Page 335: ...replay timestamp within 255 algorithm hmac md5 Assign an interface profile for the Mobile IP home agent host1 test config ip mobile profile testProfile ip mobile home agent Use to configure the Mobile...

Page 336: ...security associations include the aaa keyword To specify the access control list applied to the care of address that restricts access for foreign agents or networks include the care of access keyword...

Page 337: ...eyword followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII key use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters...

Page 338: ...followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII key use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters 128 bi...

Page 339: ...the mobile node home address or NAI Example host1 clear ip mobile binding nai john yahoo com There is no no version See clear ip mobile binding show ip mobile binding Use to display the binding table...

Page 340: ...ation of the home agent in the virtual router Field descriptions Access list name Name of the access control list applied to the care of address that restricts access for foreign agents or networks Re...

Page 341: ...ner com Home IP MN NAI address Lifetime Care Of Access Aaa Configured warner com 36000 no See show ip mobile host show ip mobile profile Use to display the interface profile name associated with the h...

Page 342: ...Home IP address IP address of the mobile node host SPI Security parameter index SPI key for authenticating registration requests Algorithm Algorithm hmac md5 or keyed md5 for authenticating Mobile IP...

Page 343: ...roadcast or B bit being set without the corresponding D bit or a denial by the registration filters No Resources Number of registration requests rejected due to insufficient resources such as a full b...

Page 344: ...ffic show license mobile ip home agent Use to display the license key for the home agent Field descriptions Mobile IP license is Mobile IP license key associated with the home agent and the maximum nu...

Page 345: ...PART 2 Index Index on page 321 319 Copyright 2010 Juniper Networks Inc...

Page 346: ...Copyright 2010 Juniper Networks Inc 320 JunosE 11 2 x IP Services Configuration Guide...

Page 347: ...uthentication 219 225 B baseline commands baseline ip 84 baseline ip mobile home agent 313 baseline ip tunnel reassembly 272 baseline setting Mobile IP home agent 313 tunnel reassembly 272 BFD Bidirec...

Page 348: ...cast Routing Protocol reassembly of tunnel packets 270 tunnels 238 dvmrp destination profile command 257 DVMRP with IPSec how it works 288 setting up secure connection 288 dynamic IP tunnels configuri...

Page 349: ...refix trees 35 ip commands ip as path access list 22 ip bgp community new format 38 ip community list 39 ip prefix list 20 32 ip prefix tree 20 35 ip refresh route 47 ip route 32 ip tunnel reassembly...

Page 350: ...ipsec option dpd 143 ipsec option nat t 286 ipsec option tx invalid cookie 151 ipsec transform set 141 key 141 masked key 141 See also show ipsec commands IPSec identity commands common name 213 coun...

Page 351: ...ofile 285 l2tp ignore receive data sequencing 271 L2TP with IPSec 169 275 client software supported 279 compatibility 279 configuring client PC 284 E Series router 284 288 IPSec transport profiles 289...

Page 352: ...h mode 280 references 62 static address translation defining 69 terms 64 inside global address 64 inside local address 64 outside global address 64 outside local address 64 timeouts defining 75 transl...

Page 353: ...eyword 4 filtering incoming outgoing routes with access lists 24 instance 4 map tag 4 match clause 4 monitoring 49 permit keyword 4 sequence number 4 set clause 4 route map command 13 routing policy c...

Page 354: ...t inside rule 85 show ip nat outside rule 85 show ip nat statistics 85 show ip nat translations 85 show ipsec commands show ike certificates 228 show ike configuration 228 show ike identity 228 show i...

Page 355: ...nation 143 tunnel destination backup 148 tunnel lifetime 143 tunnel local identity 143 tunnel mtu 143 tunnel peer identity 143 tunnel pfs group 143 tunnel session key inbound 143 tunnel session key ou...

Page 356: ...Copyright 2010 Juniper Networks Inc 330 JunosE 11 2 x IP Services Configuration Guide...

Reviews:

No comments

Related manuals for JUNOSE 11.2.X IP SERVICES

DAVIS WeatherLink Addendum preview
WeatherLink
Brand: DAVIS Pages: 20
Patton electronics ForeSight 6300 NMS Getting Started Manual preview
ForeSight 6300 NMS
Brand: Patton electronics Pages: 117
Raymarine RayTech RNS 5.0 User Manual preview
RayTech RNS 5.0
Brand: Raymarine Pages: 152
Fargo Persona Persona M30e User Manual preview
Persona Persona M30e
Brand: Fargo Pages: 31
SonicWALL OS 2.x Quick Start Manual preview
OS 2.x
Brand: SonicWALL Pages: 20
Avaya PARTNER ACS PC Administration Getting Started Manual preview
PARTNER ACS PC Administration
Brand: Avaya Pages: 56
Avaya P120 SMON User Manual preview
P120 SMON
Brand: Avaya Pages: 61
Red Hat Cluster Suite Manual preview
Cluster Suite
Brand: Red Hat Pages: 188
AVG 9 INTERNET SECURITY - REVISED 6-2010 User Manual preview
9 INTERNET SECURITY - REVISED 6-2010
Brand: AVG Pages: 209
Avision FS-5900C User Manual preview
FS-5900C
Brand: Avision Pages: 47
THOMSON LCP 400 User Manual preview
LCP 400
Brand: THOMSON Pages: 22
GRASS VALLEY EDIUS NEO 3 Datasheet preview
EDIUS NEO 3
Brand: GRASS VALLEY Pages: 2
Genius KIDSBALL Manual preview
KIDSBALL
Brand: Genius Pages: 7
Genius F509 User Manual preview
F509
Brand: Genius Pages: 11
CAERE WORDSCAN User Manual preview
WORDSCAN
Brand: CAERE Pages: 108
National Instruments Image Acquisition Software User Manual preview
Image Acquisition Software
Brand: National Instruments Pages: 68
TC Electronic TC Chorus-Delay Manual preview
TC Chorus-Delay
Brand: TC Electronic Pages: 7
Echo Audio Indigo DJx Owner'S Manual preview
Indigo DJx
Brand: Echo Audio Pages: 35

Brands by name

Popular brands

Load more brands