Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Скачать руководство пользователя страница 313 | Manualshive

Страница: 313 / 366

background image

Chapter 12

Securing L2TP and IP Tunnels with IPSec

This chapter describes how to secure generic routing encapsulation (GRE), Distance
Vector Multicast Routing Protocol (DVMRP), and Layer 2 Tunneling Protocol (L2TP)
tunnels with IP Security (IPSec) on your E Series router. It contains the following
sections:

■

Overview on page 287

■

Platform Considerations on page 288

■

References on page 288

■

L2TP/IPSec Tunnels on page 289

■

GRE/IPSec and DVMRP/IPSec Tunnels on page 300

■

Configuring IPSec Transport Profiles on page 302

■

Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels on page 307

Overview

You can provide additional security to L2TP and IP tunnels by protecting them with
an IPSec transport connection. Secure IP interfaces are virtual IP interfaces that are
configured to provide confidentiality and authentication services for the traffic flowing
through the interface; that traffic can be L2TP, GRE, and DVMRP tunnel traffic. See
“Configuring IPSec” on page 125 for detailed information about IPSec.

GRE, DVMRP, and L2TP over IPSec provide security only between tunnel endpoints;
they do not provide end-to-end security. For end-to-end security, you need additional
security for the connection beyond the router.

Tunnel Creation

ERX routers can have both unsecured GRE, DVMRP, and L2TP tunnels and tunnels
that are secured by IPSec. However, unsecured L2TP tunnels are not allowed on the
ISM. You use the following commands to create a secure tunnel:

■

L2TP tunnels—Use the

enable ipsec transport

command in the L2TP destination

profile

■

GRE and DVMRP tunnels—Use the

ipsec-transport

keyword in the

interface

tunnel

command

Overview

■

287

«
...
311
312
313
314
315
...
»

Содержание IP SERVICES - CONFIGURATION GUIDE V 11.1.X

Страница 1: ...for E Series Broadband Services Routers IP Services Configuration Guide Release 11 1 x Juniper Networks Inc 1194 North Mathilda Avenue Sunnyvale California 94089 USA 408 745 2000 www juniper net Publi...

Страница 2: ...U S Patent Nos 5 473 599 5 905 725 5 909 440 6 192 051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 578 186 and 6 590 785 JUNOSe Software for E...

Страница 3: ...alms devices links ports or transactions or require the purchase of separate licenses to use particular features functionalities services applications operations or capabilities or provide throughput...

Страница 4: ...n connection with such withholding taxes by promptly providing Juniper with valid tax receipts and other required documentation showing Customer s payment of any withholding taxes completing appropria...

Страница 5: ...nted to in writing by the party to be charged If any portion of this Agreement is held invalid the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement T...

Страница 6: ...vi...

Страница 7: ...uring IPSec 125 Chapter 6 Configuring Dynamic IPSec Subscribers 177 Chapter 7 Configuring ANCP 193 Chapter 8 Configuring Digital Certificates 213 Chapter 9 Configuring IP Tunnels 245 Chapter 10 Config...

Страница 8: ...viii JUNOSe 11 1 x IP Services Configuration Guide...

Страница 9: ...e Maps 4 Route Map Configuration Example 5 Multiple Values in a Match Entry 6 Negating Match Clauses 7 Matching a Community List Exactly 8 Removing Community Lists from a Route Map 8 Matching a Policy...

Страница 10: ...urations 65 Traditional NAT 65 Basic NAT 65 NAPT 66 Bidirectional NAT 66 Twice NAT 66 Network and Address Terms 66 Inside Local Addresses 67 Inside Global Addresses 67 Outside Local Addresses 67 Outsi...

Страница 11: ...AT 88 Displaying the NAT License Key 88 Displaying Translation Statistics 89 Displaying Translation Entries 91 Displaying Address Pool Information 92 Displaying Inside and Outside Rule Settings 93 Cha...

Страница 12: ...BFD Information 121 Chapter 5 Configuring IPSec 125 Overview 125 IPSec Terms and Acronyms 125 Platform Considerations 127 References 127 IPSec Concepts 128 Secure IP Interfaces 128 RFC 2401 Compliance...

Страница 13: ...nfiguring Dynamic IPSec Subscribers 177 Overview 177 Dynamic Connection Setup 177 Dynamic Connection Teardown 178 Dynamic IPSec Subscriber Recognition 178 Licensing Requirements 178 Inherited Subscrib...

Страница 14: ...s Node 195 Platform Considerations 195 References 196 Configuring ANCP 196 Creating a Listening TCP Socket for ANCP 196 Accessing L2C Configuration Mode for ANCP 196 Defining the ANCP Session Timeout...

Страница 15: ...od 221 Configuring Digital Certificates Using the Online Method 227 Configuring Peer Public Keys Without Digital Certificates 232 Monitoring Digital Certificates and Public Keys 237 Chapter 9 Configur...

Страница 16: ...80 Module Requirements 280 ERX7xx Models ERX14xx Models and the ERX310 Router 280 E120 Router and E320 Router 281 Configuring IP Reassembly 281 Monitoring IP Reassembly 282 Setting Statistics Baseline...

Страница 17: ...port Profiles 302 Monitoring DVMRP IPSec GRE IPSec and L2TP IPSec Tunnels 307 System Event Logs 307 show Commands 307 Chapter 13 Configuring the Mobile IP Home Agent 315 Mobile IP Overview 315 Mobile...

Страница 18: ...xviii Table of Contents JUNOSe 11 1 x IP Services Configuration Guide...

Страница 19: ...rk 160 Figure 16 ISP X Uses ERX Routers to Connect Corporate Offices over the Internet 161 Figure 17 Connecting Customers Who Use Similar Address Schemes 164 Chapter 7 Configuring ANCP 193 Figure 18 U...

Страница 20: ...xx List of Figures JUNOSe 11 1 x IP Services Configuration Guide...

Страница 21: ...Abbreviations 125 Table 9 Security Parameters Used on Secure IP Interfaces 130 Table 10 Security Parameters per IPSec Policy Type 132 Table 11 Supported Transforms 136 Table 12 Supported Security Tra...

Страница 22: ...xxii List of Tables JUNOSe 11 1 x IP Services Configuration Guide...

Страница 23: ...ion in the latest release notes differs from the information in the documentation follow the JUNOSe Release Notes To obtain the most current version of all Juniper Networks technical documentation see...

Страница 24: ...pf 2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents information as displayed on your terminal s screen Fixed width text like this There are two levels o...

Страница 25: ...e from the Juniper Networks Web site athttp www juniper net Documentation Feedback We encourage you to provide feedback comments and suggestions so that we can improve the documentation to better meet...

Страница 26: ...ase notes http www juniper net customers csc software Search technical bulletins for relevant hardware and software notifications https www juniper net alerts Join and participate in the Juniper Netwo...

Страница 27: ...c on page 125 Configuring Dynamic IPSec Subscribers on page 177 Configuring ANCP on page 193 Configuring Digital Certificates on page 213 Configuring IP Tunnels on page 245 Configuring Dynamic IP Tunn...

Страница 28: ...2 Chapters JUNOSe 11 1 x IP Services Configuration Guide...

Страница 29: ...page 4 Route Maps on page 4 Match Policy Lists on page 20 Access Lists on page 21 Using the Null Interface on page 33 Prefix Lists on page 33 Prefix Trees on page 36 Community Lists on page 38 Using...

Страница 30: ...uter See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers References For more information about the protocols discussed in this cha...

Страница 31: ...e of the route map For example suppose you create two instances of route map boston5 one with sequence number 10 and one with sequence number 25 When you apply boston5 routes are evaluated first again...

Страница 32: ...outer neighbor 10 2 2 4 route map block1 out host1 config router exit host1 config ip as path access list boston deny _32_ host1 config route map block1 deny 1 host1 config route map match as path bos...

Страница 33: ...atch entry is deleted The routing software deletes the entire match entry only if the entry contains no other values In some earlier releases any value specified with a no match command was ignored an...

Страница 34: ...w ip community list Community standard list 1 permit 0 100 0 200 0 300 host1 config route map example1 permit 10 host1 config route map match community 1 exact match host1 config exit host1 show route...

Страница 35: ...s also known as AAA framed routes are sourced by AAA The following example shows how you might redistribute access internal routes and access routes by matching on a tag 1 Configure route map tagtest...

Страница 36: ...specified value from the match clause See match community match distance Use to match any routes being redistributed out of the routing table that have the specified administrative distance Distance i...

Страница 37: ...ress passed by the specified access list prefix list or prefix tree Example host1 config route map match ip next hop 5 acl_192_54_24_1 Use the no version to delete the match clause from a route map or...

Страница 38: ...fix list in which case only that prefix list match is removed from the route map See match ipv6 route source match level Use to match routes for the specified level Example host1 config route map matc...

Страница 39: ...summary prefix tree Use to specify the prefix tree that summarizes routes for a particular route map Use the ip prefix tree command to set the conditions of the prefix tree including which routes to...

Страница 40: ...he router command You specify the source routing protocol with the redistribute command Example host1 config route map nyc1 permit 10 host1 config route map match ip address list1 host1 config route m...

Страница 41: ...community attribute Similarly a match is found for the list entry of 231 20 and this community is deleted from the community attribute Example host1 config route map set comm list 1 delete Use the no...

Страница 42: ...to the same prefix to identify the best route to that prefix Setting distance in any other circumstance has no effect Example host1 config route map set distance 5 Use the no version to delete the se...

Страница 43: ...a route map See set ipv6 next hop set level Use to specify where to import routes when all of a route map s match criteria are met Example host1 config route map set level level 2 Use the no version t...

Страница 44: ...xt hop of the advertised route If the cost of the next hop changes BGP is not forced to readvertise the route For BGP you can specify the following metrics external Reverts to the normal BGP rules for...

Страница 45: ...e classes to classify packets for quality of service QoS Example host1 config route map set route class 50 Use the no version to delete the set clause from a route map See set route class set route ty...

Страница 46: ...ps the match clauses in match policy lists contain permit and deny statements When you reference a match policy list within a route map the route map evaluates and processes each match clause and perm...

Страница 47: ...efix against the conditions in the list or tree one by one If the first match is for a permit condition the route is accepted or passed If the first match is for a deny condition the route is rejected...

Страница 48: ...oute map set metric type internal 4 Configure redistribution into IS IS of the static routes with route map 1 host1 config router isis testnet host1 config router redistribute static route map 1 5 Ver...

Страница 49: ...ip as path access list command and apply the list to routes received from or passed to a neighbor with the neighbor filter list command AS path access lists use regular expressions to describe the AS...

Страница 50: ...er bgp 47 host1 config router neighbor 10 2 9 2 remote as 621 host1 config router neighbor 10 2 9 2 filter list 1 in host1 config router neighbor 10 2 8 2 remote as 11 host1 config router neighbor 10...

Страница 51: ...bute includes 32 or 837 This condition permits routes that originate in or pass through from elsewhere AS 32 or AS 837 When these routes are advertised through AS 451 and AS 17 to router Chicago insta...

Страница 52: ...ginating in AS 74 learned via router NY that passed through AS 837 and AS 32 weight 175 according to route map 2 over the same routes learned via router Boston weight 150 access list Use to define an...

Страница 53: ...20 and AS path 100 200 300 because 20 is a substring of each path To disable substring matching and constrain matching to only the specified attribute string place the underscore _ metacharacter on bo...

Страница 54: ...access list from a neighbor See neighbor distribute list neighbor filter list Use to assign an AS path access list to matching inbound or outbound routes Use the in keyword to apply the list to inbou...

Страница 55: ...g routes outbound policy you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy Example host1 config router neighbor 192 168 1 158 prefix...

Страница 56: ...1 0 0 0 0 255 host1 config access list gold permit ip host 2 2 2 2 232 0 1 0 0 0 0 255 host1 config access list gold permit ip host 1 1 1 1 232 0 2 0 0 0 0 255 host1 config access list gold permit ip...

Страница 57: ...clear access list counters clear access list clear ipv6 access list Use to clear all access list counters or access list counters in the specified access list Example 1 host1 clear access list list1...

Страница 58: ...tes an association specifying in this case that only IP addresses that match the access list criterion appear in the routing table ip access route table map ipv6 access route table map Use to filter a...

Страница 59: ...ords instead of a next hop or destination address when you configure routes interface null Use to access the null interface The null interface is a data sink it does not accept or forward traffic Alth...

Страница 60: ...to add a clause to a route map Using a Prefix List The following example creates a prefix list that permits routes with a prefix length up to 24 in the 151 0 0 0 8 network host1 config ip prefix list...

Страница 61: ...0 8 Example 2 IPv6 exact match required the router permits only a route with a prefix length of 8 and a network address of 1 0 0 0 0 0 0 5 host1 config ipv6 prefix list abc permit 1 5 8 Use the no ve...

Страница 62: ...oute map See match ipv6 next hop Prefix Trees A prefix tree is a nonsequential collection of permit and deny conditions that apply to IP addresses Like a prefix list the prefix tree specifies a base I...

Страница 63: ...an entry matches Example host1 clear ip prefix tree xyz There is no no version See clear ip prefix tree ip prefix tree Use to create a prefix tree for best route filtering specifies a tree entry a den...

Страница 64: ...enables you to define the community to which a prefix belongs A prefix can belong to more than one community The community attribute lists the communities to which a prefix belongs You can use commun...

Страница 65: ...rmat You can also use a regular expression to specify the community attribute Use the set community command in route maps to configure the community attributes You can add one or more communities to t...

Страница 66: ...map match community 1 host1 config route map set metric 20 host1 config route map exit host1 config route map commtrc permit 2 host1 config route map match community 2 host1 config route map set metri...

Страница 67: ...that is the multiple values are logical ANDed You can specify community values with a number or a regular expression Example host1 config ip community list 1 permit 100 2 100 3 100 4 host1 config rout...

Страница 68: ...efined in Internet draft BGP Extended Communities Attribute draft ietf idr bgp ext communities 07 txt February 2004 expiration This attribute enables the definition of a type of IP extended community...

Страница 69: ...00 4 Use the no version to remove a single extended community list entry if you specify the permit or deny keyword and a path expression Otherwise the router removes the entire community list See ip e...

Страница 70: ...access lists and community lists to more easily filter routes A regular expression uses special characters often referred to as metacharacters to define a pattern that is compared with an input strin...

Страница 71: ...ssue the ip bgp community new format command the community number has the format AA NN where AA is a number that identifies the autonomous system and NN is a number that identifies the community withi...

Страница 72: ...t regular expression It is simply a character or token with no special meaning just as a numeral has no special meaning The backslash applies only to the character immediately following it in the regu...

Страница 73: ...des any one character followed by the numeral 5 5 179 35 2433 252 129 48 2129 14600 2129 321 94 Includes a sequence of three characters where the first character is numeral 1 and the third character i...

Страница 74: ...n 37 1 37 600 700 10025 7771 In the following examples the three characters are 7 space 8 307 800 6127 888 999 Includes a sequence of three characters where the first character is numeral 7 7 6127 723...

Страница 75: ...ifying 200 no underscores results in a match on 200 and on 2005 The underscore metacharacter disables substring matching _200_ For information about using AS path access lists see Access Lists on page...

Страница 76: ...ccess list show ipv6 access list Access lists show ip community list Community lists show ip match policy list Policy lists show ip prefix list Prefix lists show ip prefix tree Prefix trees show ip pr...

Страница 77: ...IP Access List 10 permit ip any any IP Access List 11 deny ip any any Example 2 host1 show access list detail IP Access List 1 1 permit ip host 172 31 192 217 any 2 permit ip 12 40 0 0 0 0 0 3 any de...

Страница 78: ...mit internet Example 2 If you did issue the ip bgp community new format command the display appears as follows host1 show ip community list Community List 1 permit 1239 1005 permit 1239 1006 permit 12...

Страница 79: ...nsertion def ip prefix list name abc count 4 range entries 4 sequences 5 20 ip prefix list name def count 1 range entries 0 sequences 5 5 See show ip prefix list show ip prefix tree Use to display inf...

Страница 80: ...d Always compare MED is disabled Router flap damping is disabled Administrative Distance external 20 internal 200 local 200 Neighbor s No neighbors are configured Routing for Networks Routing Protocol...

Страница 81: ...ng with a specified address routes for a particular protocol BGP IS IS OSPF or RIP locally connected routes internal control routes static routes or summary counters for the routing table Field descri...

Страница 82: ...tries 0 isis routes 0 rip routes 3 static routes 2 connected routes 1 bgp routes 0 ospf routes 2 other internal routes 0 access routes 0 internally created access host routes Last route added deleted...

Страница 83: ...nterface index is present in the routing table for special IP addresses such as broadcast addresses Next Hop Next hop to reach the IP address displays if no next hop is associated with the IP address...

Страница 84: ...r of frames received local destination Frames with this router as their destination hdr errors Number of packets received that contain header errors addr errors Number of packets received that contain...

Страница 85: ...ived dst unreach Number of packets received with destination unreachable time exceed Number of packets received with time to live exceeded param probs Number of packets received with parameter errors...

Страница 86: ...which no application listener was listening on the destination port UDP Statistics Sent total Total number of UDP packets sent errors Number of error packets sent TCP Global Statistics Connections at...

Страница 87: ...timed out 8 reasm req 0 reasm fails 145 frag ok 0 frag fail 290 frag creates Sent 15 forwarded 25144 generated 0 out disc 0 no routes 0 routing discards Route 57680 routes in table 0 timestamp req 0...

Страница 88: ...es the instances of each access list such as match and set commands Example host1 config route map 1 permit 10 host1 config route map match community 44 host1 config route map set local pref 400 host1...

Страница 89: ...page 71 Limiting Translation Entries on page 71 Specifying Inside and Outside Interfaces on page 71 Defining Static Address Translations on page 72 Defining Dynamic Translations on page 74 Clearing Dy...

Страница 90: ...endix A Module Protocol Support for information about the modules that support NAT NOTE The E120 and E320 Broadband Services Routers do not support configuration of NAT Module Requirements To configur...

Страница 91: ...public network must not overlap Also route destination advertisements on the public network for example the Internet can appear within the inside network but the NAT router does not propagate advertis...

Страница 92: ...side host to reach the inside host by using a public address When the outside host initiates a connection with the inside host on the private network the NAT router translates that public destination...

Страница 93: ...IP address of an inside host as seen by an outside host and network Addresses may be allocated from a globally unique address space often provided by the ISP if the inside address is connected to the...

Страница 94: ...the outbound direction restores the original information this time operating on the destination address or address port pair For inbound traffic the NAT router translates the outside global address or...

Страница 95: ...e packet to the appropriate egress line module 6 The line module sends the packet as outbound traffic using a globally unique source address inside source translation destination address outside sourc...

Страница 96: ...Discard Rules For all supported types of traffic TCP UDP ICMP and GRE NAT discards packets in the following cases When the translation table is full that is no more entries can be added When the addre...

Страница 97: ...that the translation table contains in global configuration mode for a given virtual router ip nat translation max entries Use to specify the maximum number of dynamic translation entries that the tra...

Страница 98: ...ith more specific variables that further define the type of translation CAUTION You must mark interfaces that participate in NAT translation as on the inside or the outside network See Specifying Insi...

Страница 99: ...translation between two non unique or not publicly routable networks for example two separate networks that use overlapping IP address blocks ip nat outside source static Use to translate the source a...

Страница 100: ...cess lists see Configuring Routing Policy on page 3 The router evaluates multiple commands for the same access list in the order they were created An undefined access list implicitly contains a rule t...

Страница 101: ...lapping ranges When you create or edit address pools keep the following in mind Starting and ending IP addresses for the specified range are inclusive and must reside on the same subnet Address ranges...

Страница 102: ...onfigure inside source or outside source translation If the NAT router cannot locate a matching entry in its translation database for a given packet it evaluates the access list of all applicable dyna...

Страница 103: ...inside source list Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the inside network to the outside network Example h...

Страница 104: ...translations default is 120 seconds These dynamic translations are installed by the DNS but not yet used as soon as the translation is used the router applies the timeout value mentioned above udp tim...

Страница 105: ...mand to clear all dynamic translations from the translation table Use an asterisk in the clear ip nat translation gre icmp tcp udp inside insideGlobalIpAddress insideLocalIpAddress version of this com...

Страница 106: ...k the inside interfaces a Mark the field office host1 blue config interface serial 2 1 1 1 host1 blue config interface ip nat inside host1 blue config interface exit b Mark the two corporate T 3 links...

Страница 107: ...outing loops when no matching translation exists host1 blue config ip route 192 32 6 0 255 255 255 248 null 0 NOTE Null route applies to 192 32 6 0 192 32 6 3 which do not exist in the address pool Al...

Страница 108: ...168 22 2 192 32 6 1 5 Create the address pool for dynamic translations host1 blue config ip nat pool entA192 192 32 6 2 192 32 6 63 prefix length 24 6 Create the access list for addresses eligible fo...

Страница 109: ...inside source and outside source translations must be configured on the NAT router Figure 8 on page 83 illustrates how the inside network is using the unregistered global address space of 15 12 0 0 1...

Страница 110: ...6 NOTE This pool is purposely small allowing for only a few connections 8 Configure the access list for global addresses that overlap with inside addresses host1 blue config access list entAin permit...

Страница 111: ...in other PE devices the rest of the VPN through RFC2547bis MPLS VPNs VR1 of which the VRF is administratively a member represents the public network The interface to EnterpriseA is marked as an inside...

Страница 112: ...device can communicate on the public network host1 vr1 vrf11 config interface ip destination prefix 128 13 44 0 255 255 255 0 9 Mark the subscriber interface as outside host1 vr1 vrf11 config interfac...

Страница 113: ...13 1 2 3 The PPTP client initiates its tunnels to the server at 11 11 11 1 The E Series router translates the SA from inside local 13 1 2 3 to inside global SA 20 0 0 1 Because GRE traffic can pass th...

Страница 114: ...unnel server module for GRE processing If the packets require translating they are again sent through the tunnel server module NOTE Only inner IP headers are translated for terminating GRE flows outer...

Страница 115: ...utside Source Extended Number of outside source extended static translations Dynamic Translation Type Type of dynamic translation inside source simple outside source simple inside source extended Curr...

Страница 116: ...imple 69999 69999 69999 12568 Outside Source Simple 4518 4518 4518 25 Inside Source Extended 70000 70000 70000 568 Fully Extended 26855 26855 26855 2565 Forwarding statistics for virtual router vr1 Pa...

Страница 117: ...xtended entries Inside global Inside global IP address for this translation entry this field also provides the port number separated by a colon for extended entries Outside global Outside global IP ad...

Страница 118: ...20 50 0 3 87 30 50 0 3 8 00 03 35 Never 108 See show ip nat translations Displaying Address Pool Information The show ip nat pool command displays NAT address pool information The command output disp...

Страница 119: ...r Specifying an access list filters the output to display only the address pool associated with the specified list show ip nat inside rule Use to display NAT access list and pool usage information for...

Страница 120: ...e of rule assigned Example host1 show ip nat outside rule access list name list4 pool name poolD rule type outside source See show ip nat outside rule 94 Monitoring NAT JUNOSe 11 1 x IP Services Confi...

Страница 121: ...of a remote workstation for data collection and further processing In addition the ability to enable J Flow on an individual virtual router interface or subinterface allows you to collect network sta...

Страница 122: ...ss interface Aggregation caches contain a subset of the fields collected in the raw flow data For example TCP flags Next Hop Address and ToS values are not maintained in any of the aggregation caches...

Страница 123: ...lways RP 0 Engine ID SRP slot number If for any reason the virtual router is unable to export records to the collector the unsent records are discarded However the virtual router continues to increase...

Страница 124: ...ions See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support NAT For information about modules that support J Flow on the E120 and E320 Broadband Service...

Страница 125: ...Interface Use the ip route cache flow sampled command to enable J Flow statistics on an interface You can also use this command to configure an IP profile that is applied to dynamically created IP int...

Страница 126: ...w changes the packet sampling value to the closest integer that is a power of two and that is less than or equal to the configured value For performance reasons J Flow applies these adjustments to the...

Страница 127: ...cently used flow is removed The possible flow cache range is 1 024 524 288 entries The default value is 65 536 entries ip flow cache entries Use to limit J Flow main flow cache entries Example host1 c...

Страница 128: ...lue is 10 600 seconds The default value is 15 seconds ip flow cache timeout inactive Use to define the inactivity timer in seconds Example host1 config ip flow cache timeout inactive 90 Use the no ver...

Страница 129: ...can configure the Prefix aggregation cache for both source and destination minimum mask size You can configure only the source minimum mask size for the Source Prefix aggregation cache You can configu...

Страница 130: ...set the number of entries in the aggregation cache Example host1 config flow cache cache entries 524288 Use the no version to reset the number of entries to the default value 4096 See cache entries c...

Страница 131: ...gation cache and its configuration See ip flow aggregation cache mask destination Use to set the minimum mask size for the destination address for the prefix and destination prefix aggregation caches...

Страница 132: ...wing commands Command To Display show ip cache flow Main cache flow operational statistics show ip flow sampling J Flow sampling state show ip flow export J Flow export state and export statistics You...

Страница 133: ...dr Destination address of sampled packets Dst Intf Destination interface of sampled packets Summary Total Flows Processed Total number of flows processed Total Packets Total number of packets sampled...

Страница 134: ...within the confines of this document host1 show ip cache flow active detail Main Cache Max Entries 65536 Activity Timeout 60 mins Inactivity Timeout 600 secs Cache Enabled 32012 packets sampled Distri...

Страница 135: ...4 0 000 96 0 000 128 0 000 160 0 000 192 0 000 224 0 000 256 0 000 288 0 000 320 0 000 352 0 000 384 0 000 416 0 000 448 0 000 480 0 000 512 0 000 544 0 000 576 0 000 1024 96 784 1536 3 216 2048 0 000...

Страница 136: ...d packets Dst Addr Destination address of sampled packets Dst Intf Destination interface of sampled packets Summary Total Flows Processed Total number of flows processed Total Packets Total number of...

Страница 137: ...urce ip interface GigabitEthernet5 0 0 See show ip flow show ip flow sampling Use to display configuration values for IP flow cache sampling Example host1 show ip flow sampling Flow sampling is enable...

Страница 138: ...112 Monitoring J Flow Statistics JUNOSe 11 1 x IP Services Configuration Guide...

Страница 139: ...n these hello messages are not used IGP hellos have their own limitations it often takes one second or more to detect a remote end failure and processing IGP hello messages takes precious processing t...

Страница 140: ...FD enters the Admin Down state BFD notifies the new state to its peer for a failure detection time and after the time expires the client stops transmitting packets For the Admin Down state to work the...

Страница 141: ...terval is the greater of its transmit interval 450 ms and the Router A receive interval 500 ms or 500 ms The liveness detection interval is the period a peer waits for a BFD packet from its peer befor...

Страница 142: ...dels and the ERX310 Broadband Services Router See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for informatio...

Страница 143: ...er attempts to establish version 0 or version 1 sessions based on the capability of the BFD neighbor Table 7 on page 117 indicates how the routers establish sessions based on BFD version support Table...

Страница 144: ...guration Guide EBGP Chapter Configuring IP in JUNOSe IP IPv6 and IGP Configuration Guide IPv4 static routes Chapter Configuring IS IS in JUNOSe IP IPv6 and IGP Configuration Guide IS IS Chapter Config...

Страница 145: ...all virtual routers on the router Example host1 config bfd adapt Use the no version to disable subsequent BFD sessions from adapting timer intervals without resetting any already adapted intervals See...

Страница 146: ...ted clear ipv6 bfd session Use to restart all IPv6 BFD sessions or a specified IPv6 BFD session Use the address keyword to indicate the IPv6 address of the destination to which the session has been es...

Страница 147: ...ing feature of the show command to include or exclude lines of output based on a text string that you specify See Command Line Interface in JUNOSe System Basics Configuration Guide for details show li...

Страница 148: ...abled for this BFD session on the router Local min tx interval Minimum transmit interval in seconds configured on the session at the local end min rx interval Minimum receive interval in seconds confi...

Страница 149: ...s or no forwarding controller assist available only for ES2 4G LM Detection FC assisted Whether component in forwarding controller is acting to speed fast failure detection times yes or no forwarding...

Страница 150: ...r 3 Remote discriminator 1 Session up time 00 00 01 04 Up Down count 1 Adaptivity disabled Local min tx interval 0 3 min rx interval 0 3 multiplier 3 Adapted min tx interval 0 min rx interval 0 multip...

Страница 151: ...r areas Encapsulating protocols including authentication AH and Encapsulating Security Payload ESP to provide security on specified packets The Internet Security Association and Key Management Protoco...

Страница 152: ...Protocol Security IPSec IP address of the entity that is one of two endpoints in an IPSec SA IPSec endpoint Internet Security Association and Key Management Protocol ISAKMP Security associations used...

Страница 153: ...of IPSec References For information about IPSec see the following RFCs RFC 768 User Datagram Protocol August 1980 RFC 2401 Security Architecture for the Internet Protocol November 1998 RFC 2402 IP Aut...

Страница 154: ...to every data packet Both protocols are defined with two modes of operation Tunnel mode completely encapsulates the original packet within another IP header Transport mode keeps the original header a...

Страница 155: ...nel which traffic to discard and so on The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that unwanted traffic is not allowed inside the tunnel Supporte...

Страница 156: ...r context and source and destination IP addresses Transport VR A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys PFS ensur...

Страница 157: ...negotiate an SA on demand with the remote security gateway The remote security gateway must also support SA negotiation otherwise the gateway drops traffic Again the router keeps statistics for dropp...

Страница 158: ...ure IP interface exists Transport Virtual Router The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel endpoints the source and destination are routable addresses Normal...

Страница 159: ...u can use an FQDN instead of the IP address to specify tunnel endpoints You typically use this feature to identify the tunnel destination in broadband and DSL environments in which the destination doe...

Страница 160: ...me on page 144 For signaled IPSec interfaces both the inbound and outbound SA must be assigned a lifetime The lifetime parameter controls the duration for which the SA is valid When a user SA is estab...

Страница 161: ...secure IP interface Therefore two sets of SA parameters exist for each secure IP interface one being the inbound SA parameters and the other the outbound SA parameters The following parameters form e...

Страница 162: ...ication ESP provides data confidentiality and antireplay functions ESP can also provide data authentication although in this implementation ESP does not cover the outer IP header Encapsulation Modes I...

Страница 163: ...g the 3DES encryption algorithm 3DES uses a 168 bit symmetric encryption key and is widely accepted as a strong encryption algorithm Export control issues apply to products that ship from the USA with...

Страница 164: ...nd against each transform in the transform set If there is no match the router provides a negative answer to the remote end which can either try another transform or give up If no match is found the s...

Страница 165: ...PD is a keepalive mechanism that enables the E Series router to detect when the connection between the router and a remote IPSec peer has been lost DPD enables the router to reclaim resources and to o...

Страница 166: ...ng failover the IPSec tunnel switches to the alternate destination and establishes IPSec SAs with the new peer To configure tunnel failover you specify the tunnel destination backup endpoint Tunnel fa...

Страница 167: ...esdropping making it less secure than main mode Is faster than main mode because fewer messages are exchanged between peers Three messages are exchanged in aggressive mode Enables support for fully qu...

Страница 168: ...gotiating IKE SAs The agreed on IKE SA between the local system and a remote security gateway may vary because it depends on the IKE policies used by each remote peer However the initial set of IKE po...

Страница 169: ...ty The ERX router supports two authentication methods Digital certificates using RSA algorithms For digital certificate authentication an initiator signs message interchange data using his private key...

Страница 170: ...ists starting from the highest priority If it finds a match that policy is successfully negotiated Again the lifetime is negotiated to the lesser of the two lifetimes and failures are logged Generatin...

Страница 171: ...cense you can configure up to 10 IPSec tunnels on an ERX router However you can purchase licenses that support the following IPSec tunnel maximums 1000 2000 4000 8000 16000 32000 The number of additio...

Страница 172: ...fig manual key masked key AAAAGAAAAAcAAAACfd SAsaVQ6Qeopt2rJOP6LDg 0hX5cMO 3 Define the local endpoint used for ISAKMP IKE negotiations for all IPSec tunnels in the router host1 config ipsec local end...

Страница 173: ...is renegotiated To set a lifetime for all SAs on a tunnel use the tunnel lifetime command To set a lifetime for a specific SA use lifetime on page 158 Example 1 host1 config ipsec lifetime kilobytes 4...

Страница 174: ...m set See ipsec transform set key Use to enter a manual preshared key Preshared keys can have up to 256 ASCII alphanumeric characters To include spaces in the key enclose the key in quotation marks Ex...

Страница 175: ...face host1 vrA config if ip address 10 3 0 0 255 255 0 0 4 Specify the transform set that ISAKMP uses for SA negotiations host1 vrA config if tunnel transform set customerAprotection 5 Configure the l...

Страница 176: ...U size for the tunnel host1 config if tunnel mtu 2240 interface tunnel Use to create or configure an IPSec tunnel interface Use the transport virtual router keyword to establish the tunnel on a virtua...

Страница 177: ...ic or number of seconds limit is reached the SA is renegotiated which ensures that the tunnel does not go down during renegotiation Example host1 config if tunnel lifetime seconds 48000 kilobytes 2490...

Страница 178: ...entity Example 1 host1 config if tunnel peer identity range 10 10 1 1 10 10 2 2 Example 2 host1 config if tunnel peer identity subnet 130 10 1 1 255 255 255 0 Use the no version to remove the peer ide...

Страница 179: ...ryption algorithm sets SPI and session keys for outbound SAs on a tunnel You can enter this command only on tunnels that have tunnel signaling set to manual Use the online Help to see a list of availa...

Страница 180: ...st1 config if tunnel transform set espSet Use the no version to remove the transform set from a tunnel See tunnel transform set Configuring DPD and IPSec Tunnel Failover You can use the ipsec option d...

Страница 181: ...backup tunnel destination When DPD detects a disconnection between the E Series router and the regular IPSec tunnel destination the router redirects traffic to the tunnel destination backup and vice...

Страница 182: ...aggressive mode Specify the authentication method host1 config ike policy authentication pre share Specify the encryption algorithm host1 config ike policy encryption 3des Assign a Diffie Hellman gro...

Страница 183: ...1 config ike policy authentication pre share Use the no version to restore the default preshared keys See authentication encryption Use to specify one of the following encryption algorithms to use in...

Страница 184: ...s a priority to the policy You can number policies in the range 1 10000 with 1 having the highest priority You can add up to 10 IKE policies per router Example host1 config ipsec ike policy rule 3 hos...

Страница 185: ...okie pair it can send an invalid cookie notification message to the initiator The responder might fail to recognize the cookie pair because it has lost the cookie or because it deleted the cookie and...

Страница 186: ...le IPSec tunnels between the same endpoints They filter traffic going into and coming out of the tunnels so that it is within the specified range If the configuration requires that only one IPSec tunn...

Страница 187: ...erASecret erx1 config manual key exit erx1 config ipsec key manual pre share 100 3 0 1 erx1 config manual key key customerASecret erx1 config manual key exit erx2 config ipsec key manual pre share 100...

Страница 188: ...ion erx2 config if tunnel local identity subnet 200 2 0 0 255 255 0 0 erx2 config if tunnel peer identity subnet 200 1 0 0 255 255 0 0 erx2 config if tunnel source 100 2 0 1 erx2 config if tunnel dest...

Страница 189: ...pted and authenticated Of course this example shows the basic secure encapsulation of customer traffic over the untrusted IP network You can add features such as key refreshing Example 2 Example 2 sho...

Страница 190: ...3des hmac sha erx3 config ipsec transform set customerBprotection ah hmac md5 2 On each ERX router create a protection suite for the three routers to use to authenticate each other erx1 config ipsec k...

Страница 191: ...the IP interfaces reaching those customers are defined Create the endpoints for the tunnels in the ISP default virtual router Virtual router A erx1 config virtual router vrA erx1 vrA config Tunnel fro...

Страница 192: ...0 0 erx1 vrB config if exit 4 On erx2 create two IPSec tunnels one to carry customer A s traffic and another to carry customer B s traffic You must create each pair of tunnels in the virtual routers...

Страница 193: ...config if tunnel transform set customerBprotection erx2 vrB config if tunnel local identity subnet 10 2 0 0 255 255 0 0 erx2 vrB config if tunnel peer identity subnet 10 3 0 0 255 255 0 0 erx2 vrB con...

Страница 194: ...nation 5 1 0 1 erx3 vrB config if ip address 10 1 0 0 255 255 0 0 erx3 vrB config if exit Tunnel from Boston to Boca on virtual router B erx3 vrB config interface tunnel ipsec Bboston2boca transport v...

Страница 195: ...sed in the IKE policy des 3des hash algorithm Hash algorithm used in the IKE policy SHA MD5 authentication method Authentication method used in the IKE policy RSA signature preshared keys Diffie Hellm...

Страница 196: ...Corresponds to the messaging state in the main mode and aggressive mode negotiations Possible states are AM_SA_I Initiator has sent initial aggressive mode SA payload and key exchange to the responde...

Страница 197: ...100 500 195 0 2 200 500 1688 DONE 0x6573dcbc9bf31fae 0x7af8b4d13078b463 195 0 3 100 500 195 0 3 200 500 1685 DONE 0xdc7df648fcac375a 0x0346752d2881d5c5 195 0 3 100 500 195 0 3 200 500 1685 DONE 0xe77...

Страница 198: ...ic transform set include the transform set name Field descriptions Transform set Displays the transforms in the transform set Example 1 host1 show ipsec transform set Transform set Highest security es...

Страница 199: ...nnel lifetime kilobytes Configured traffic based lifetime in kilobytes Tunnel pfs PFS group in use on the tunnel 0 PFS is not in use 1 768 bit group 2 1024 bit group 5 1536 bit group Tunnel administra...

Страница 200: ...s Number of octets sent in encapsulated packets OutPolicyErrors Number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier selector OutOtherTxErrors Number of...

Страница 201: ...ummary Use to display a summary of all tunnels configured on the router Field descriptions Total number of ipsec interface Number of tunnels configured on the router Administrative status Number of tu...

Страница 202: ...l2e3d1 is up IPSEC tunnel s0l3e3d0 is up IPSEC tunnel s0l4e3d0 is up IPSEC tunnel s0l4e3d1 is up IPSEC tunnel s0l5e3d0 is up See show ipsec tunnel show license ipsec tunnels Use to display the IPSec l...

Страница 203: ...the resources This link can be a direct connection or a tunnel IPSec IP in IP GRE or MPLS Once establishing a connection the router can pass traffic between the VPN and connected users The E Series ro...

Страница 204: ...SA deleted by a remote peer and no rekeying activity occurs for one minute Administrative logout IPSec card terminating the user becoming unavailable for example the card is reloading disabled or disc...

Страница 205: ...scribers Controlling which connecting user based on the IKE identification belongs to a given profile Profile settings falling in this category include the following IKE identities from peers that can...

Страница 206: ...authentication phase verifies private or preshared keys that reside on the PC These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed...

Страница 207: ...e latest drafts For additional configuration information see Configuring IPSec on page 125 Configuring Digital Certificates on page 213 Configuring IP Tunnels on page 245 JUNOSe Broadband Access Confi...

Страница 208: ...ces Use to define the maximum number of interfaces that the IPSec tunnel profile can instantiate Example host1 config ipsec tunnel profile max interfaces 500 Use the no version to return the maximum v...

Страница 209: ...s identity must also pass any restrictions set for the peer domain name for this profile before they are able to log in An IP address as an IKE identity type and the IP address resides within the spec...

Страница 210: ...efault value no domain suffix and usernames are passed transparently to AAA See domain suffix Overriding IPSec Local and Peer Identities for SA Negotiations You can use the local ip identity and peer...

Страница 211: ...le ip profile ipProfile1 Use the no version to remove the association with this profile See ip profile Defining the Server IP Address The local ip address command defines the specified local IP addres...

Страница 212: ...hrough the secure tunnel and reach the VPN Other traffic for example Web browsing would travel directly to the Internet through the local service provider without passing through the tunnel NOTE Split...

Страница 213: ...KE SA establishment Subsequent IKE SAs rekey operations inherit the initial authentication and do not reauthenticate users NOTE For maximum security enable reauthentication The skip peer config keywor...

Страница 214: ...nsform ah hmac md5 Use the no version to reset the transform to the default esp 3des sha1 See transform Specifying IPSec Security Association PFS and DH Group Parameters The pfs group command specifie...

Страница 215: ...to an IKE SA exchange the router evaluates the possible policy rules as follows If an IP address specific IKE policy rule refers to the local IP address and virtual router for this exchange the router...

Страница 216: ...y aggressive mode negotiation the tunnel proposes aggressive mode to the peer in connections that the policy initiates If the peer initiates a negotiation the tunnel accepts the negotiation if the mod...

Страница 217: ...ded authentication pap no re authentication Peer IP characteristics configuration enabled Virtual router default Local IP address 10 227 5 31 Local IKE identity 10 227 5 31 Peer IKE identity IP networ...

Страница 218: ...address is that of the user When the endpoint is l2tp the address is that of the LNS Virtual Router Name of the virtual router context Interface Interface specifier over which the subscriber is connec...

Страница 219: ...ol ANCP also known as Layer 2 Control L2C is based on a subset of the General Switch Management Protocol GSMP as defined in the GSMPv3 Base Specification draft ietf gsmp v3 base spec 06 txt GSMP is a...

Страница 220: ...re that B RAS devices obtain information about the access network topology the links within that network and their rates Operations support systems cannot enforce the consistency of this gathered info...

Страница 221: ...llowing ways From AAA layer For PPP interfaces the router retrieves the DSL line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external...

Страница 222: ...tening TCP socket for ANCP ANCP monitors port 6068 for ANCP TCP connection requests l2c ip listen Use to create a listening TCP socket in the current virtual router context Example host1 config l2c ip...

Страница 223: ...the learning option This learning option in the virtual router enables network access server to learn the partition ID from all the access nodes wait for gsmp syn Use to enable the learning option in...

Страница 224: ...version to remove the output label association See l2c end user id l2c max branches Use to specify the maximum number of branches the ANCP end user can have Example host1 config if l2c max branches 5...

Страница 225: ...Neighbor The L2C Neighbor Configuration mode enables you to define an ANCP neighbor by specifying a neighbor ID and the maximum number of branches that the neighbor can have id Use to specify the ANC...

Страница 226: ...have in the range 1 64000 entries Example host1 l2c neighbor max discovery table entries 4000 Use the no version to return the maximum number of discovery table entries to its default value 10 000 en...

Страница 227: ...ighbor including those associated with the QoS downstream rate and QoS cell mode applications Similarly issuing the clear l2c discovery table command without specifying an entry removes all QoS parame...

Страница 228: ...management message to the access node This message enables the B RAS to configure a service profile name on an access loop Example host1 l2c line configuration interface atm 2 0 11 profile1 There is n...

Страница 229: ...st for IGMP By using ANCP IGMP is no longer terminated or proxied at the access node Instead IGMP passes through the access node transparently B RAS terminates both the data PVC and IGMP After any use...

Страница 230: ...age 203 1 Configure an OIF map for the access node that maps each multicast group to an outgoing interface 2 Define ANCP parameters 3 Enable ANCP to listen to OIF mapping events from IGMP in this virt...

Страница 231: ...CCESS_NODE_1 host1 config l2c neighbor id 09af 15bc 3156 Configure ANCP multicast labels on the corresponding outgoing interfaces host1 config interface atm 2 0 101 host1 config interface ip igmp vers...

Страница 232: ...s showtime DEFAULT RESPONSE Example 2 host1 l2c oam neighbor accessnode_1002 end user id enduser_1002 request succeeded 0x503 DSL line status showtime DEFAULT RESPONSE There is no no version See l2c o...

Страница 233: ...e to display information about the ANCP configuration on the router Field descriptions Current timeout Configured session timeout in seconds Qos adaptive mode Whether QoS adaptive mode is enabled true...

Страница 234: ...tm 2 32 0 0 8064 1184 UP ACCESSNODE_10 Accessnode_10 atm 2 33 0 0 8064 1184 DOWN ACCESSNODE_10 Accessnode_10 atm 2 34 0 0 8064 1184 DOWN Example 2 Topology discovery table for a particular end user id...

Страница 235: ...or output keyword to display labels for output ports Use the brief keyword to show limited information Field descriptions Interface Interface on which ANCP is configured End User Id Output label assoc...

Страница 236: ...0 atm3 2 0 10 ATM4 0 12 Accessnode_10 atm3 3 0 10 ATM4 0 13 Accessnode_10 atm3 4 0 10 ATM4 0 14 Accessnode_10 atm3 5 0 10 See show l2c label show l2c neighbor Use to display information about all know...

Страница 237: ...NCP neighbors that are in an established GSMP state Number of neighbors in GSMP_EMPTY state Number of ANCP neighbors that are in an unestablished GSMP state Example 1 host1 show l2c neighbor name acce...

Страница 238: ...er of active ANCP neighbors Number of end user ids Number of ANCP end user IDs output labels Number of peer attachment ids Number of ANCP peer attachment IDs input labels Number of add branches Number...

Страница 239: ...al Certificates and Public Keys on page 237 Overview You can use digital certificates in place of preshared keys for IKE negotiations For more information about IKE see IKE Overview on page 140 in Con...

Страница 240: ...rs that dictate how IPSec processes a packet including encapsulation protocol and session keys A single secure tunnel uses multiple SAs SA Simple certificate enrollment protocol used to submit request...

Страница 241: ...te This certificate provides a level of assurance that a peer s identity as represented in the certificate is associated with a particular public key E Series Broadband Services Routers provide both a...

Страница 242: ...rate its own public private key pairs The public private key pair supports the RSA standard 1024 or 2048 bits The private key is used only by the ERX router It is never exchanged with any other nodes...

Страница 243: ...supported for certificate enrollment are PKCS 10 certificate requests PKCS 7 responses and X 509v3 certificates For manual enrollment certificates are encoded in base64 MIME so that the files are easi...

Страница 244: ...ommand you can control how the router handles CRLs during negotiation of IKE phase 1 signature authentication In the online certificate method you use the crl command to control CRL verification The r...

Страница 245: ...icate files The router s private keys are similarly hidden from users Table 16 File Extensions Offline Configuration Description File Extension Used for certificate request files that are generated on...

Страница 246: ...ith the intended party Typically public keys are exchanged in messages containing an X 509v3 digital certificate As an alternative to setting up digital certificates you can configure and exchange pub...

Страница 247: ...y shown in bold typeface represents the RSA public key exponent 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A7E43C 3E2D399F 34EF6E16 F84464A9 8A145997 CC7F34C8 3DFF8216 57780FE9 D...

Страница 248: ...st1 config 5 Generate a certificate request using certificate parameters from the IPSec identity configuration host1 config ipsec certificate request generate rsa myrequest crq 6 After the certificate...

Страница 249: ...name that the router uses in IKE authentication messages and to generate certificate requests The domain name is used in the SubjectAlternative DNS certificate extensions and as an FQDN fully qualifi...

Страница 250: ...outer scans all certificate files and determines which files are router public certificates and which are root CA certificates Example host1 config ipsec certificate database refresh There is no no ve...

Страница 251: ...ly in a future release See ipsec crl ipsec identity Use to enter IPSec Identity Configuration mode in which you can specify information that the router uses in certificate requests and during negotiat...

Страница 252: ...ec ike policy rule on page 225 and may be removed completely in a future release See ipsec isakmp policy rule ipsec key generate Use to generate RSA key pairs Include a length of either 1024 or 2048 b...

Страница 253: ...ipsec ike policy rule 1 host1 config ike policy authentication rsa sig host1 config ike policy exit NOTE For more information about setting up IKE policies see Defining an IKE Policy on page 156 in Co...

Страница 254: ...n method that the router uses For digital certificates the method is set to RSA signature Example host1 config ike policy authentication rsa sig Use the no version to restore the default preshared key...

Страница 255: ...nrollment retry period enrollment url Use to specify the URL of the SCEP server in the format http server_ipaddress You can then use the ipsec ca authentication command to retrieve CA certificates fro...

Страница 256: ...ec ca identity command Example host1 config ipsec ca enroll trustedca1 My498pWd host1 config INFO 10 18 2003 03 49 33 ikeEnrollment Received erx certificate for ca trustedca1 host1 config Use the no i...

Страница 257: ...umber that identifies the policy and assigns a priority to the policy You can number policies in the range 1 10000 with 1 having the highest priority Example host1 config ipsec isakmp policy rule 3 ho...

Страница 258: ...etaSecurityCorp Use the no version to remove the name from the configuration See issuer identifier root proxy url Use to specify an HTTP proxy server that can submit HTTP requests on the E Series rout...

Страница 259: ...a90c76 3ae3acbb 4a777037 31527ea0 23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301 0001 For information about the format of an RSA public key see Public Key Format on page 221 4...

Страница 260: ...9 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698...

Страница 261: ...the address keyword followed by the IP address in 32 bit dotted decimal format To specify the identity of the remote peer associated with the public key use the name keyword followed by either The ful...

Страница 262: ...st not occur anywhere else in the key string For information about the format of an RSA public key see Public Key Format on page 221 Example 1 Configures the public key for a remote peer with IP addre...

Страница 263: ...3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51 f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74 cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b 29b475c6 ad...

Страница 264: ...e release Use to display the IKE certificates and CRLs on the router Specify the type of certificate you want to display all All certificates configured on the router crl Certificate revocation lists...

Страница 265: ...f modn sign rsa pkcs1 md5 Modulus n 1024 bits 13409127965307061503054050053800642488356537668078160605242622661311625 19876607806686846822070359658649546374128540876213416858514288030584124 0589652082...

Страница 266: ...No names of type IP DNS URI EMAIL RID UPN or DN detected Fingerprints MD5 c4 c9 22 b6 19 07 4e 4f ee 81 7a 9f cb f9 1f 7e SHA 1 58 ba fb 0d 68 61 42 2a 52 7e 19 82 77 a4 55 4c 25 8c c5 60 Example 2 h...

Страница 267: ...EMAIL RID UPN or DN detected SubjectKeyID KeyId 15 0a 17 4d 36 b6 49 96 fa d5 be df 51 3e e4 90 51 a2 c0 95 Unknown 1 3 6 1 4 1 311 21 1 02 01 00 Fingerprints MD5 8c 56 fb a6 bd ab 13 67 e6 13 09 c1...

Страница 268: ...ld descriptions Ike identity Information from your IKE identify configuration that the router uses to generate certificate requests CRL Check Setting of the CRL check optional required ignored Example...

Страница 269: ...remote peer with a specific identity use the name keyword followed by either The fully qualified domain name FQDN The FQDN preceded by an optional user specification this is also referred to as user...

Страница 270: ...a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a 5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff 2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a253...

Страница 271: ...248 Monitoring IP Tunnels on page 253 Overview E Series routers support static IP tunnels An IP tunnel is a virtual point to point connection between two routers See Figure 19 on page 245 To establis...

Страница 272: ...X310 Broadband Services Router See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for information about the mod...

Страница 273: ...er you must install an ES2 4G line module LM with an ES2 S1 Service I O adapter IOA or an IOA that supports the use of shared tunnel server ports For information about installing modules in these rout...

Страница 274: ...ace 4 Set the source address for the tunnel 5 Set the destination address for the tunnel 6 Optional Enable error checking across a GRE tunnel 7 Set the maximum transmission unit MTU size for the tunne...

Страница 275: ...this feature causes the E Series router to drop corrupted packets it receives on the tunnel interface Example host1 config interface tunnel gre tunnel2 host1 config if tunnel checksum Use the no versi...

Страница 276: ...1 host1 config if tunnel source atm 5 0 12 Example 3 ATM interface on an E320 router that uses the slot adapter port format host1 config interface tunnel dvmrp boston tunnel 1 host1 config if tunnel s...

Страница 277: ...4 Configure a virtual router called chicago that supports the other end of the tunnel host1 config virtual router chicago 5 Configure a physical or loopback interface for the end of the tunnel on vir...

Страница 278: ...ace treat it in the same way as any IP interface on the router For example you can configure static IP routes or enable routing protocols on the tunnel interface The IP configurations you apply to the...

Страница 279: ...tunnel disabled down enabled lower down not present up To view the state of a specific tunnel specify a tunnel name To view the number of tunnels associated with that IP address specify an IP address...

Страница 280: ...tets received or transmitted by the tunnel Discards Number of packets not accepted by the tunnel Errors Number of packets with errors received or transmitted by the tunnel Data rx Received data Data t...

Страница 281: ...1 Tunnel destination address is 50 1 1 2 Tunnel transport virtual router is v1 Tunnel up down trap is enabled Tunnel server location is 13 0 0 Tunnel administrative state is Up Statistics packets oct...

Страница 282: ...ransmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router Name...

Страница 283: ...router is vr1 Tunnel mdt is disabled Tunnel checksum option is disabled Tunnel up down trap is enabled Tunnel server location is 4 0 Tunnel administrative state is up Statistics packets octets discard...

Страница 284: ...detail GRE tunnel start is Up tunnel is static Tunnel operational configuration Tunnel mtu is 10240 Tunnel source address is 15 0 0 1 Tunnel destination address is 15 0 0 2 Tunnel transport virtual r...

Страница 285: ...led Tunnel is available for use disabled Tunnel is not available for use Operational status up Tunnel is operational down Tunnel is not operational not present Tunnel is not operational because the ha...

Страница 286: ...260 Monitoring IP Tunnels JUNOSe 11 1 x IP Services Configuration Guide...

Страница 287: ...P interfaces you must configure a destination profile for a specific transport virtual router that is used to store tunnel configuration options including the source and destination addresses of the d...

Страница 288: ...unneling based solution enables a router on a user s home subnet to intercept and forward IP packets to users while they roam beyond traditional network boundaries To achieve mobility the mobile node...

Страница 289: ...IP tunnels that reference the destination profile You can relocate a dynamic IP tunnel for the Mobile IP application You cannot relocate a dynamic IP tunnel for the data MDT application because it is...

Страница 290: ...ports You can configure provision a shared tunnel server port to use a portion of the module s bandwidth to provide tunnel services For a list of the modules that support shared tunnel server ports s...

Страница 291: ...Encapsulation within IP October 1996 RFC 2784 Generic Routing Encapsulation GRE March 2000 Configuring a Destination Profile for Dynamic IP Tunnels The tasks in this section describe how to configure...

Страница 292: ...for the tunnel host1 config dest profile tunnel destination subnet 10 0 0 0 255 0 0 0 4 Optional Set the maximum transmission unit MTU size for the tunnel host1 config dest profile tunnel mtu 10240 5...

Страница 293: ...ynamic DVMRP tunnel host1 config dest profile profile ip kanata 6 Optional Enable IPSec transport mode host1 config dest profile enable ipsec transport 7 Optional Create a multicast VPN tunnel host1 c...

Страница 294: ...t1 config gre destination profile kanata2 Use the no version to delete the destination profile See gre destination profile profile Use to assign an IP profile with parameters that are used to stack an...

Страница 295: ...13 7 20 Use the no version to remove the destination of a tunnel See tunnel destination tunnel mdt profile Use to enable multicast distribution tree operation so the IP tunnel component can create an...

Страница 296: ...e system dvmrp destination profile Name of the DVMRP destination profiles configured on the system tunnel checksum Status of tunnel checksum configuration enabled or disabled tunnel sequence datagrams...

Страница 297: ...the state keyword and the state of the tunnel disabled down enabled lower down not present up To view the state of a specific tunnel specify a tunnel name To view the number of tunnels associated wit...

Страница 298: ...nel packets Number of packets received or transmitted by the tunnel octets Number of octets received or transmitted by the tunnel discards Number of packets not accepted by the tunnel Errors Number of...

Страница 299: ...6 6 Tunnel destination address is 3 3 3 3 Tunnel transport virtual router is vr1 Tunnel mdt is disabled Tunnel checksum option is disabled Tunnel sequence number option is disabled Tunnel key is disa...

Страница 300: ...e of the tunnel MTU ipsec transport mode Status of IPSec transport mode configuration enabled or disabled tunnel mdt Status of IPSec transport mode configuration enabled or disabled profile Name of th...

Страница 301: ...stination subnet 224 0 0 0 255 0 0 0 tunnel source 1 1 1 1 tunnel source 1 1 1 2 tunnel source 1 1 1 3 See show gre destination profile show gre tunnel Use to display information about a GRE tunnel or...

Страница 302: ...ion of the tunnel server in slot port format ERX7xx models ERX14xx models and the ERX310 router or slot adapter port format E120 and E320 routers Tunnel is secured by ipsec transport interface IPSec i...

Страница 303: ...0 0 0 Data tx 0 0 0 0 1 GRE tunnel found 1 tunnel was created dynamically Example 3 Displays the detail of a dynamically created GRE tunnel for the Mobile IP application host1 vr12 show gre tunnel det...

Страница 304: ...Tunnel is operational down Tunnel is not operational not present Tunnel is not operational because the hardware such as a line module supporting the tunnel is inaccessible Example host1 show gre tunn...

Страница 305: ...the tunnel are processed and de encapsulated at the egress endpoint When packets are tunneled through an IP network simple IP forwarding is performed The IP forwarding process might fragment packets i...

Страница 306: ...kets depend on the type of E Series router that you have ERX7xx Models ERX14xx Models and the ERX310 Router To configure IP reassembly on ERX7xx models ERX14xx models and the ERX310 router you must in...

Страница 307: ...ine modules The ES2 S1 Service IOA also does not have ingress or egress ports You can also configure IP reassembly on IOAs that support shared tunnel server ports You can configure provision a shared...

Страница 308: ...escribes how to set a statistics baseline for tunnel reassembly statistics and how to display reassembly statistics Setting Statistics Baselines You can use the baseline ip tunnel reassembly command t...

Страница 309: ...s received for all tunneling protocols Total Packets Reassembled Number of packets reassembled detailed display includes number of packets reassembled for each protocol Control Other increments for pa...

Страница 310: ...ly Statistics for Virtual Router vr2 Tunnel IP Reassembly enabled Total Fragments Received 45 Total Packets Reassembled 15 Reassembly Errors 0 Reassembly Discards 0 The following command sets a baseli...

Страница 311: ...ly Statistics for Virtual Router vr2 Tunnel IP Reassembly enabled Total Fragments Received 15 Total Packets Reassembled 5 Reassembly Errors 0 Reassembly Discards 0 See show ip tunnel reassembly statis...

Страница 312: ...286 Monitoring IP Reassembly JUNOSe 11 1 x IP Services Configuration Guide...

Страница 313: ...nterfaces are virtual IP interfaces that are configured to provide confidentiality and authentication services for the traffic flowing through the interface that traffic can be L2TP GRE and DVMRP tunn...

Страница 314: ...See LNS and LAC support in E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support LNS and LAC Module Requirements To create IPSec secured tunnels yo...

Страница 315: ...ition to using another unsecured connection to the Internet depending on the client software capabilities On the router side of the L2TP connection the E Series router acts as the LNS On the PC client...

Страница 316: ...n Figure 23 on page 290 1 Obtain an IP address from your ISP using a normal B RAS termination 2 IKE signals a security association SA between the client PC and the E Series router that is acting as a...

Страница 317: ...lity and Requirements This section covers various compatibility issues and requirements for the L2TP IPSec traffic Client Software Supported The L2TP IPSec software supports the following client PC op...

Страница 318: ...this IP address as their VPN server address CAUTION Group preshared keys are not fully secure and we recommend that you use digital certificates in place of group preshared keys Group preshared keys a...

Страница 319: ...T is enabled on a specific virtual router either by default or by using the ipsec option nat t command the router performs the following actions in this order 1 The router monitors the exchange of pr...

Страница 320: ...istinguish them from standard ESP control and data frames Figure 28 on page 294 shows an IKE packet encapsulated with a NAT T UDP header Figure 28 IKE Packet with NAT T UDP Encapsulation Only frames t...

Страница 321: ...onitoring NAT T see the sections listed in Table 17 on page 295 Table 17 Configuration and Monitoring Tasks for NAT T See Section Command Task Configuring NAT T on page 298 ipsec option nat t Enabling...

Страница 322: ...P IPSec tunnels when the last remaining tunnel session has been disconnected Table 18 Differences in Handling Timeout Periods for L2TP IPSec Tunnels Single Shot L2TP IPSec Tunnels Standard L2TP IPSec...

Страница 323: ...7 6 Configure NAT T on the virtual router See Configuring NAT T on page 298 7 Configure single shot L2TP IPSec tunnels See Configuring Single Shot Tunnels on page 299 8 Configure IPSec transport profi...

Страница 324: ...figuration mode If no virtual router is specified the current virtual router context is used If the destination address is 0 0 0 0 then any LAC that can be reached via the specified virtual router is...

Страница 325: ...ed See ipsec option nat t Configuring Single Shot Tunnels To configure a single shot L2TP IPSec tunnel 1 Create an L2TP destination profile which defines the location of the LAC The l2tp destination p...

Страница 326: ...ion for a single shot tunnel at the beginning of the destruct timeout period instead of waiting until the destruct timeout period expires A single shot tunnel does not persist beyond its last connecte...

Страница 327: ...cifying the virtual router and destination address and enabling IPSec support See Configuring IP Tunnels on page 245 Set up digital certificates on the router or configure preshared keys for IKE authe...

Страница 328: ...sed to secure DVMRP GRE or L2TP tunnels 1 Create the profile host1 config ipsec transport profile secureGre virtual router default ip address 5 5 5 5 host1 config ipsec transport profile 2 Specify one...

Страница 329: ...l2tp Secures L2TP traffic l2tp nat passthrough Secures L2TP traffic and also allows clients to connect from behind NAT devices that support IPSec passthrough To allow these clients to connect the rou...

Страница 330: ...ange the router rejects the connection Example host1 config ipsec transport profile lifetime seconds 900 86400 kilobytes 100000 4294967295 Use the no version to restore the default values 100000 42949...

Страница 331: ...ote IP address specified for this transport profile and that are destined for the local IP address If the remote endpoint address is a wildcard address this preshared key is a group preshared key CAUT...

Страница 332: ...ransport profile If the remote endpoint address is a wildcard address this preshared key is a group preshared key CAUTION Group preshared keys are not fully secure and we do not recommend using them T...

Страница 333: ...DVMRP or GRE tunnels If the tunnel is protected by IPSec the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface The line is not shown...

Страница 334: ...sponds to the messaging state in the main mode and aggressive mode negotiations Possible states are AM_SA_I Initiator has sent initial aggressive mode SA payload and key exchange to the responder AM_S...

Страница 335: ...Time Sec State Local Cookie Remote Cookie 21 227 9 8 500 21 227 9 10 500 26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4 21 227 9 8 4500 21 227 9 11 4500 28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9...

Страница 336: ...er packets received InUserOctets Number of octets received from user packets InAccPackets Number of encapsulated packets received InAccOctets Number of octets received in encapsulated packets InAuthEr...

Страница 337: ...ion gre No pfs group Mtu is 1440 Local address is 10 255 0 61 Remote address is 10 255 0 62 Local identity is subnet 10 255 0 61 255 255 255 255 proto 47 port 0 Remote identity is subnet 10 255 0 62 2...

Страница 338: ...he configuration of an IPSec transport profile Field descriptions IPSec transport profile Name of the profile Virtual router Virtual router on which this profile is configured Peer address Remote endp...

Страница 339: ...e profile for that remote host Field descriptions Destination profile attributes Transport Method used to transfer traffic Virtual router Name of the virtual router Peer address IP address of the LAC...

Страница 340: ...efault Peer address 172 31 1 99 Statistics Destination profile current session count is 1 Host profile attributes Remote host is lac 1 Configuration Tunnel password is password Interface profile is tu...

Страница 341: ...del does not provide an adequate solution and in environments where a wireless technology is used NOTE Currently JUNOSe software does not support configuration of the Mobile IP foreign agent Tradition...

Страница 342: ...home agent receives the registration requests on UDP port 434 The registration request contains the IP router ID as the home agent IP address The home agent can support static home address allocation...

Страница 343: ...ng AAA access request or querying the locally configured security parameters depending on whether or not you use the aaa keyword when you issue the ip mobile host command to configure the mobile node...

Страница 344: ...ber management application to create the dynamic IP subscriber interface During the re registration process when there is a handoff from an initial Mobile IP foreign agent to a new Mobile IP foreign a...

Страница 345: ...A IOA Protocol Support for information about the modules that support the Mobile IP home agent Mobile IP References For more information about Mobile IP consult the following resources RFC 2006 The De...

Страница 346: ...09 13 234 host1 test config radius key secret host1 test config radius udp port 1812 host1 test config radius radius update source addr 10 209 12 2 Configure an accounting server host1 test config rad...

Страница 347: ...thin 255 algorithm hmac md5 Assign an interface profile for the Mobile IP home agent host1 test config ip mobile profile testProfile ip mobile home agent Use to configure the Mobile IP home agent on a...

Страница 348: ...ation and security associations include the aaa keyword To specify the access control list applied to the care of address that restricts access for foreign agents or networks include the care of acces...

Страница 349: ...r the hex keyword or the ascii keyword as follows To specify a hexadecimal key use the hex keyword followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII...

Страница 350: ...urity association include the required key keyword followed by either the hex keyword or the ascii keyword as follows To specify a hexadecimal key use the hex keyword followed by a 32 character 128 bi...

Страница 351: ...for a specified Mobile IP home agent Example host1 baseline ip mobile home agent There is no no version See baseline ip mobile home agent clear ip mobile binding Use to remove the binding table in the...

Страница 352: ...Care of address 72 1 1 15 Lifetime granted 10 00 00 36000 seconds Lifetime remaining 01 46 32 Tunnel Source 66 0 0 5 Destination 72 1 1 15 Encapsulation GRE Reverse tunnel enabled See show ip mobile...

Страница 353: ...AA server is configured or not Example 1 host1 show ip mobile host Home MN NAI IP address Lifetime Care Of Access Aaa Configured warner com 36000 no yahoo com yes pj juniper net 100 no pm juniper net...

Страница 354: ...8 0x274 hmac md5 secret 20 20 20 1 628 0x274 hmac md5 255 secret 30 30 30 1 628 0x274 hmac md5 255 secret See show ip mobile secure foreign agent show ip mobile secure host Use to display the security...

Страница 355: ...he home agent Unspecified Number of registration requests rejected for an unspecified reason such as an internal communication failure Unknown HA Number of registration requests rejected because of an...

Страница 356: ...HA 0 Administratively prohibited 0 No Resources 0 Authentication failed MN 0 FA 0 Bad identification 0 Bad request form 0 Unavailable encapsulation 0 No reverse tunnel 0 See show ip mobile traffic sh...

Страница 357: ...Part 2 Index Index on page 333 Index 331...

Страница 358: ...332 Index JUNOSe 11 1 x IP Services Configuration Guide...

Страница 359: ...le home agent 325 baseline ip tunnel reassembly 282 baseline setting Mobile IP home agent 325 tunnel reassembly 282 BFD Bidirectional Forwarding Detection BGP peer reachability detection 113 license 1...

Страница 360: ...ansport command 268 endpoints tunnel 245 F filter lists BGP 23 filtering AS paths 23 network prefixes 21 undesirable traffic 33 firewall configuring 113 monitoring 120 firewall commands license firewa...

Страница 361: ...ource list 76 ip nat outside source static 73 ip nat pool 75 ip nat translation 78 ip nat translation max entries 71 See also show ip nat commands IP reassembly of tunnel packets 279 configuring 281 m...

Страница 362: ...rm combinations supported 137 transform sets 130 135 transforms supported 136 transport VR 130 132 IPSec transport local profile commands pre share 302 pre share masked 302 IPSec transport profile com...

Страница 363: ...8 match level 12 match metric 12 match metric type 12 match policy list 13 match route type 13 match tag 13 match set summary prefix tree 36 38 max interfaces command 182 Mobile IP home agent 330 AAA...

Страница 364: ...d secrecy 133 policy list monitoring 51 prefix lists 33 prefix trees 36 prefixes filtering network 21 preventing recursive tunnels 251 profile commands profile 268 public keys displaying on router 237...

Страница 365: ...te 51 show ip route slot 51 show ip static 51 show ip traffic 51 show ip tunnel reassembly statistics 283 show ip flow sampling command 106 111 show ip match policy list command 51 show ip mobile comm...

Страница 366: ...8 tunnel commands IP tunnel checksum 248 268 tunnel destination 248 268 tunnel mtu 248 tunnel sequence datagrams 268 tunnel source 248 268 tunnel commands IPSec tunnel destination 150 tunnel destinati...

Отзывы:

Нет отзывов

Похожие инструкции для IP SERVICES - CONFIGURATION GUIDE V 11.1.X

20032623 - Endpoint Protection Small Business Edition

Бренд: Symantec Страницы: 351

Бренд: Brocade Communications Systems Страницы: 60

CoPilot CoPilot Live Smartphone

Бренд: ALK Страницы: 42

Бренд: Brother Страницы: 320

Бренд: VDO Страницы: 8

Бренд: Konica Minolta Страницы: 6

Бренд: DeLorme Страницы: 29

Бренд: AirLive Страницы: 19

Бренд: Juniper Страницы: 14

Бренд: Nikon Страницы: 38

Бренд: LEI Extras Страницы: 8

Бренд: IBM Страницы: 29

GW Dataport Command Interface D13202

Бренд: TANDBERG Страницы: 32

Energy WeatherLink

Бренд: Davis Instruments Страницы: 47

Бренд: Oki Страницы: 2

ANTI-SPAM 3.0 -

Бренд: KAPERSKY Страницы: 153

Бренд: Canon Страницы: 55

15K.2 - Savvio 146.8 GB Hard Drive

Бренд: Seagate Страницы: 78

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды