The transport VR information is required, although its explicit configuration is not.
If omitted, the transport VR is assumed to be the same as the operational VR.
However, the tunnel source and destination are mandatory elements.
Transport VR Definition
The transport VR definition includes:
■
Transport virtual router name—Name of the transport virtual router. If not
explicitly configured, the operational VR is assumed.
■
Tunnel source endpoint—IP address or FQDN used as the tunnel source endpoint
on this end of the tunnel. In the case of signaled tunnels, the router monitors
and transmits on port 500 of this address for IKE negotiations. The tunnel source
endpoint must be a configured IP address or FQDN on the transport VR, or the
router indicates an error. See “Transport VR Definitions with an FQDN” on
page 133 for information about using an FQDN rather than an IP address.
■
Tunnel destination endpoint—IP address or FQDN associated with the termination
or initiation point of the secure IP tunnel. This address must be routable within
the context of the transport VR. Each secure IP tunnel can have a different remote
IP address.
Transport VR Definitions with an FQDN
For signaled IPSec tunnels, you can use an FQDN instead of the IP address to specify
tunnel endpoints. You typically use this feature to identify the tunnel destination in
broadband and DSL environments in which the destination does not have a fixed IP
address. The remote device uses the FQDN to establish and authenticate the IPSec
connection, and then uses the actual IP address for rekeying and filtering operations.
The ERX router FQDN feature supports both preshared keys and digital certificates.
If it uses preshared keys, the router must use IKE aggressive mode to support FQDNs.
An identity string can include an optional
user@
specification that precedes the
FQDN. The entire string can be a maximum of 80 characters. For example, both of
the following are supported:
branch245.customer77.isp.net
[email protected]
With preshared key authentication, and when using the
user@fqdn
format, the router
searches for the key based on the entire identity string. If the router cannot find that
string, the router strips off the
user@
part and performs a second search based on
the FQDN part of the string.
With digital certificates, the two sides of the tunnel must use the same identity format,
with or without the
user@
specification; no stripping operation and no second search
occurs.
NOTE:
The E Series router does not support FQDN-to-IP address resolution by DNS.
IPSec Concepts
■
133
Chapter 5: Configuring IPSec
Содержание JUNOSE 11.0.X IP SERVICES
Страница 6: ...vi...
Страница 8: ...viii JUNOSe 11 0 x IP Services Configuration Guide...
Страница 18: ...xviii Table of Contents JUNOSe 11 0 x IP Services Configuration Guide...
Страница 20: ...xx List of Figures JUNOSe 11 0 x IP Services Configuration Guide...
Страница 22: ...xxii List of Tables JUNOSe 11 0 x IP Services Configuration Guide...
Страница 28: ...2 Chapters JUNOSe 11 0 x IP Services Configuration Guide...
Страница 138: ...112 Monitoring J Flow Statistics JUNOSe 11 0 x IP Services Configuration Guide...
Страница 286: ...260 Monitoring IP Tunnels JUNOSe 11 0 x IP Services Configuration Guide...
Страница 312: ...286 Monitoring IP Reassembly JUNOSe 11 0 x IP Services Configuration Guide...
Страница 357: ...Part 2 Index Index on page 333 Index 331...
Страница 358: ...332 Index JUNOSe 11 0 x IP Services Configuration Guide...