Juniper JUNOSE 11.2.X IP SERVICES Скачать руководство пользователя страница 301 | Manualshive

Страница: 301 / 356

background image

CHAPTER 12

Securing L2TP and IP Tunnels with IPSec

This chapter describes how to secure generic routing encapsulation (GRE), Distance
Vector Multicast Routing Protocol (DVMRP), and Layer 2 Tunneling Protocol (L2TP)
tunnels with IP Security (IPSec) on your E Series router. It contains the following sections:

•

Overview on page 275

•

Platform Considerations on page 276

•

References on page 276

•

L2TP/IPSec Tunnels on page 277

•

GRE/IPSec and DVMRP/IPSec Tunnels on page 288

•

Configuring IPSec Transport Profiles on page 289

•

Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels on page 294

Overview

You can provide additional security to L2TP and IP tunnels by protecting them with an
IPSec transport connection. Secure IP interfaces are virtual IP interfaces that are
configured to provide confidentiality and authentication services for the traffic flowing
through the interface; that traffic can be L2TP, GRE, and DVMRP tunnel traffic. See
“Configuring IPSec” on page 119 for detailed information about IPSec.

GRE, DVMRP, and L2TP over IPSec provide security only between tunnel endpoints; they
do not provide end-to-end security. For end-to-end security, you need additional security
for the connection beyond the router.

Tunnel Creation

ERX routers can have both unsecured GRE, DVMRP, and L2TP tunnels and tunnels that
are secured by IPSec. However, unsecured L2TP tunnels are not allowed on the ISM. You
use the following commands to create a secure tunnel:

•

L2TP tunnels—Use the

enable ipsec transport

command in the L2TP destination

profile

•

GRE and DVMRP tunnels—Use the

ipsec-transport

keyword in the

interface tunnel

command

275

Copyright © 2010, Juniper Networks, Inc.

«
...
299
300
301
302
303
...
»

Содержание JUNOSE 11.2.X IP SERVICES

Страница 1: ...JunosE Software for E Series Broadband Services Routers IP Services Configuration Guide Release 11 2 x Published 2010 06 29 Copyright 2010 Juniper Networks Inc...

Страница 2: ...owned by or licensed to Juniper Networks U S Patent Nos 5 473 599 5 905 725 5 909 440 6 192 051 6 333 650 6 359 479 6 406 312 6 429 706 6 459 579 6 493 347 6 538 518 6 538 899 6 552 918 6 567 902 6 5...

Страница 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Страница 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Страница 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Страница 6: ...Copyright 2010 Juniper Networks Inc vi...

Страница 7: ...ng IPSec 119 Chapter 6 Configuring Dynamic IPSec Subscribers 169 Chapter 7 Configuring ANCP 185 Chapter 8 Configuring Digital Certificates 205 Chapter 9 Configuring IP Tunnels 237 Chapter 10 Configuri...

Страница 8: ...Copyright 2010 Juniper Networks Inc viii JunosE 11 2 x IP Services Configuration Guide...

Страница 9: ...Multiple Values in a Match Entry 6 Negating Match Clauses 7 Matching a Community List Exactly 8 Removing Community Lists from a Route Map 8 Matching a Policy List 9 Redistributing Access Routes 9 Set...

Страница 10: ...ms 64 Inside Local Addresses 65 Inside Global Addresses 65 Outside Local Addresses 65 Outside Global Addresses 65 Understanding Address Translation 65 Inside Source Translation 65 Outside Source Trans...

Страница 11: ...ying Address Pool Information 88 Displaying Inside and Outside Rule Settings 89 Chapter 3 Configuring J Flow Statistics 91 Overview 91 Interface Sampling 91 Aggregation Caches 92 Flow Collection 92 Ma...

Страница 12: ...cure IP Interfaces 122 RFC 2401 Compliance 123 IPSec Protocol Stack 123 Security Parameters 124 Manual Versus Signaled Interfaces 125 Operational Virtual Router 126 Transport Virtual Router 126 Perfec...

Страница 13: ...siderations 172 References 173 Creating an IPSec Tunnel Profile 173 Configuring IPSec Tunnel Profiles 174 Limiting Interface Instantiations on Each Profile 174 Specifying IKE Settings 174 Setting the...

Страница 14: ...P Neighbors 192 Configuring Topology Discovery 192 Configuring ANCP for QoS Adaptive Mode 192 Triggering ANCP Line Configuration 193 Adjusting the Data Rate Reported by ANCP for DSL Lines 194 Configur...

Страница 15: ...es 243 Preventing Recursive Tunnels 243 Creating Multicast VPNs Using GRE Tunnels 244 Monitoring IP Tunnels 244 Chapter 10 Configuring Dynamic IP Tunnels 251 Dynamic IP Tunnel Overview 251 Data MDT fo...

Страница 16: ...Interactions with NAT 279 Interaction Between IPSec and PPP 279 LNS Change of Port 280 Group Preshared Key 280 NAT Passthrough Mode 280 NAT Traversal 280 How NAT T Works 281 UDP Encapsulation 281 UDP...

Страница 17: ...hentication 305 AAA 305 Subscriber Management 306 Mobile IP Routing and Forwarding 306 Mobile IP Platform Considerations 307 Mobile IP References 307 Before You Configure the Mobile IP Home Agent 307...

Страница 18: ...Copyright 2010 Juniper Networks Inc xviii JunosE 11 2 x IP Services Configuration Guide...

Страница 19: ...er A s Corporate Frame Relay Network 153 Figure 16 ISP X Uses ERX Routers to Connect Corporate Offices over the Internet 153 Figure 17 Connecting Customers Who Use Similar Address Schemes 156 Chapter...

Страница 20: ...Figure 28 IKE Packet with NAT T UDP Encapsulation 282 Figure 29 GRE IPSec Connection 288 Copyright 2010 Juniper Networks Inc xx JunosE 11 2 x IP Services Configuration Guide...

Страница 21: ...ons 119 Table 9 Security Parameters Used on Secure IP Interfaces 124 Table 10 Security Parameters per IPSec Policy Type 126 Table 11 Supported Transforms 130 Table 12 Supported Security Transform Comb...

Страница 22: ...Copyright 2010 Juniper Networks Inc xxii JunosE 11 2 x IP Services Configuration Guide...

Страница 23: ...information in the latest release notes differs from the information in the documentation follow the JunosE Release Notes To obtain the most current version of all Juniper Networks technical documenta...

Страница 24: ...affic class low loss1 Represents text that the user must type Bold text like this host1 show ip ospf 2 Routing Process OSPF 2 with Router ID 5 5 0 250 Router is an Area Border Router ABR Represents in...

Страница 25: ...n CD ROMs or DVD ROMs see the Portable Libraries page at http www juniper net techpubs resources index html Copies of the Management Information Bases MIBs for a particular software release are availa...

Страница 26: ...juniper net techpubs Find solutions and answer questions using our Knowledge Base http kb juniper net Download the latest versions of software and review release notes http www juniper net customers c...

Страница 27: ...Configuring Dynamic IPSec Subscribers on page 169 Configuring ANCP on page 185 Configuring Digital Certificates on page 205 Configuring IP Tunnels on page 237 Configuring Dynamic IP Tunnels on page 25...

Страница 28: ...Copyright 2010 Juniper Networks Inc 2 JunosE 11 2 x IP Services Configuration Guide...

Страница 29: ...tions on page 4 References on page 4 Route Maps on page 4 Match Policy Lists on page 19 Access Lists on page 20 Using the Null Interface on page 32 Prefix Lists on page 32 Prefix Trees on page 35 Comm...

Страница 30: ...ed on ERX7xx models ERX14xx models and the Juniper Networks ERX310 Broadband Services Router See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Se...

Страница 31: ...are evaluated against the next instance of the route map For example suppose you create two instances of route map boston5 one with sequence number 10 and one with sequence number 25 When you apply b...

Страница 32: ...r 10 2 2 4 route map block1 out host1 config router exit host1 config ip as path access list boston deny _32_ host1 config route map block1 deny 1 host1 config route map match as path boston Multiple...

Страница 33: ...only if the entry contains no other values In some earlier releases any value specified with a no match command was ignored and the entire match entry was deleted This change applies to all match comm...

Страница 34: ...ch host1 config exit host1 show route map example1 route map example permit sequence 10 Match clauses community community list filter 1 exact match The route map example1 permits a route only if the r...

Страница 35: ...config route map match tag 30 2 Configure redistribution into BGP of the access internal routes and access routes with route map tagtest host1 config router bgp 405 host1 config router redistribute a...

Страница 36: ...same prefix in order to pick the best route to that prefix in the routing table Distance has no meaning in any other circumstance and any attempt to match distance fails Example host1 config route ma...

Страница 37: ...hop match ipv6 address Use to match any routes that have a destination network number address that is permitted by the specified prefix list Example host1 config route map match ipv6 address prefix l...

Страница 38: ...he match clause See match level match metric Use to match a route for the specified metric value Example host1 config route map match metric 10 Use the no version to delete the match clause from a rou...

Страница 39: ...p match tag 25 Use the no version to delete the match clause from a route map or a specified value from the match clause See match tag route map Use to define the conditions for redistributing routes...

Страница 40: ...te map See set as path prepend set automatic tag Use to automatically compute the tag value of the destination routing protocol Example host1 config route map set automatic tag Use the no version to d...

Страница 41: ...ively you can use the list keyword to specify the name of a community list that you previously created with the ip community list command Example host1 config route map set community no advertise Use...

Страница 42: ...to delete the set clause from a route map See set extcommunity set ip next hop Use to set the next hop attribute of a route that matches a route map You can specify an IP address or an interface as th...

Страница 43: ...specify a plus or minus sign immediately preceding the metric value The value is added to or subtracted from the metric of any routes matching the route map The relative metric value range is 0 42949...

Страница 44: ...al costs and the external cost 2 Sets the cost of the external routes so that it is equal to the external cost alone this is the OSPF default Example host1 config route map set metric type internal Us...

Страница 45: ...le host1 config route map set weight 200 Use the no version to delete the set clause from a route map See set weight Match Policy Lists Match policy lists are very similar to route maps However unlike...

Страница 46: ...ilter inbound or outbound routes You can use different kinds of access lists to filter routes based on either the prefix or the AS path Filtering Prefixes To filter routes based on the prefix you can...

Страница 47: ...c routes to IS IS 1 Configure three static routes host1 config ip route 20 20 20 0 255 255 255 0 192 168 1 0 host1 config ip route 20 20 21 0 255 255 255 0 192 168 2 0 host1 config ip route 20 21 0 0...

Страница 48: ...st reject1 deny 172 24 160 0 0 0 0 255 host1 config access list reject1 permit 172 24 24 0 0 0 0 255 Filtering AS Paths You can use a filter list to filter incoming and outgoing routes based on the va...

Страница 49: ...to router London Accept routes originated in AS 11 only if they pass directly to router London Forward routes from AS 282 to AS 435 only if they pass through either AS 621 or AS 11 but not both AS 62...

Страница 50: ...filtering routes Configuration Example 1 In Figure 4 on page 24 a route map is used to determine the weight for routes learned by router Chicago Figure 4 Route Map Filtering Access list 1 permits any...

Страница 51: ...Chicago prefers routes learned via router NY that passed through AS 837 or AS 32 weight 50 over the same routes learned via router Boston weight 25 according to route map 1 Router Chicago prefers rout...

Страница 52: ...the representation of the AS path of the route as an ASCII string the permit or deny condition applies The AS path does not contain the local AS number The AS path allows substring matching For examp...

Страница 53: ...u can do the following Use AS path filters with the ip as path access list and the neighbor filter list commands Use route map filters with the route map and the neighbor route map commands Example ho...

Страница 54: ...ment all the members of the peer group inherit the characteristic configured with this command unless it is overridden for a specific peer Use the in keyword to assign the prefix tree to incoming rout...

Страница 55: ...create gold service host1 config silver service new channels 232 0 3 24 host1 config access list gold permit ip host any 228 0 0 0 0 0 0 255 host1 config access list gold permit ip host 1 1 1 1 232 0...

Страница 56: ...ipv6 access list commands to clear access list counters clear access list clear ipv6 access list Use to clear all access list counters or access list counters in the specified access list Example 1 ho...

Страница 57: ...iterion appear in the routing table ip access route table map ipv6 access route table map Use to filter access routes before an access list adds them to the routing table Example 1 host1 config ip acc...

Страница 58: ...face null 0 host1 config if There is no no version See interface null ip route Use to configure a static route and redirect traffic from it to the null interface Example host1 config if ip route 10 10...

Страница 59: ...ounts in the IPv6 prefix lists or the specified entry from the specified prefix list The router increments the hit count by 1 each time an entry matches Example host1 clear ipv6 prefix list abc There...

Страница 60: ...to delete the match clause from a route map or a specified value from the match clause See match ip address match ipv6 address Use to match any route that has a destination network number address tha...

Страница 61: ...he entry it branches the other way to another mutually exclusive test pair The router stops testing conditions when it finds the best match If no conditions match the router rejects the address An emp...

Страница 62: ...ee match ip address match ip next hop Use with the prefix tree keyword to match routes that have a next hop router address passed by the specified prefix tree Example host1 config route map match ip n...

Страница 63: ...not advertise the route to any external peers local as also known as no export subconfed Advertises this route to the Internet community by default all prefixes are members of the Internet community i...

Страница 64: ...o set metrics for routes that it forwards to router Boston based on the communities to which the routes belong You can create community lists and filter the routes with a route map that matches on the...

Страница 65: ...y number of communities so a community list can have many entries comprising many communities You can specify one or more community values when you create a community list A clause in a route map that...

Страница 66: ...nity no advertise Use the no version to remove the set clause from a route map See set community Extended Community Lists The router supports the BGP extended community attribute defined in Internet d...

Страница 67: ...atch extcommunity boston1 A route matches this community list only if it belongs to at least all three communities in extended community list boston1 communities 100 2 100 3 and 100 4 Use the no versi...

Страница 68: ...st Using Regular Expressions You can use regular expressions when you define AS path access lists and community lists to more easily filter routes A regular expression uses special characters often re...

Страница 69: ...the community number has the format AA NN where AA is a number that identifies the autonomous system and NN is a number that identifies the community within the autonomous system Otherwise the commun...

Страница 70: ...mmediately following it in the regular expression On an E Series router you are likely to use the backslash only for the parentheses characters or BGP indicates a segment of an AS path that is of type...

Страница 71: ...9 Includes any character matches all AS paths and community lists 67 42 51314 33 252 422 483142 4 339 7831422 Includes a number that has a numeral 4 followed by zero or more instances of the numeral 2...

Страница 72: ...600 but not 25 7771307 800 Includes a number in the range 700 799 7 723 700 but not 25 7771307 800 6127 723 999700 100 600 Consists only of a number in the range 700 799 7 60 4334 545 92 200710 86 53...

Страница 73: ...tes from the IP routing table and then enable the owning protocols BGP OSPF RIP to reinstall the routes clear ip routes Use to clear all routing entries or a specified entry from the IP routing table...

Страница 74: ...how ip traffic Traffic You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify For details see Command Line Interface...

Страница 75: ...path access list AS Path Access List 1 permit AS Path Access List 2 deny AS Path Access List 3 permit _109_ deny AS Path Access List 4 permit _109 deny AS Path Access List 10 deny _109 permit 108_ de...

Страница 76: ...6 permit no export Community List 7 permit internet See show ip community list show ip match policy list Use to display configured policy lists Example host1 show ip match policy list match policy li...

Страница 77: ...efix tree Prefix tree with the last deletion insertion t_abc5 ip prefix tree name t_abc1 1 entries permit 108 243 0 0 16 ip prefix tree name t_abc2 3 entries permit 101 10 254 0 24 permit 102 10 248 0...

Страница 78: ...ol is rip Router Administrative State enable System version RIP1 send 1 receive 1 or 2 Update interval 30 seconds Invalid after 180 seconds hold down time 120 seconds flushed interval 300 seconds Filt...

Страница 79: ...xample 1 host1 show ip route Protocol Route type codes I1 ISIS level 1 I2 ISIS level2 I route type intra IA route type inter E route type external i metric type internal e metric type external O OSPF...

Страница 80: ...outes 0 dvmrp routes Last route added deleted null by Invalid At MON FEB 04 2008 14 18 04 UTC MPLS tunnel routes not used for forwarding 3 total routes 216 bytes in route entries 1 bgp tunnel routes 1...

Страница 81: ...2 Example 3 host1 show ip route slot 9 90 249 255 255 IP address Interface Next Hop 90 249 255 255 Local Interface See show ip route slot show ip static Use to display the status of static routes in t...

Страница 82: ...atistics Frags reassembled Number of reassembled packets reasm timed out Number of reassembled packets that timed out reasm req Number of requests for reassembly reasm fails Number of reassembly failu...

Страница 83: ...ived echo req Number of echo request ping packets received echo rpy Number of echo replies received timestamp req Number of requests for a timestamp received timestamp rpy Number of replies of timesta...

Страница 84: ...ttempted accepted Number of incoming TCP connections accepted established Number of TCP connections established dropped Number of TCP connections dropped closed Number of TCP connections closed TCP Gl...

Страница 85: ...57680 routes in table 0 timestamp req 0 timestamp rpy 0 addr mask req 0 addr mask rpy ICMP statistics Rcvd 561 total 0 errors 15 dst unreach 0 time exceed 0 param probs 0 src quench 0 redirects 0 echo...

Страница 86: ...ample host1 config route map 1 permit 10 host1 config route map match community 44 host1 config route map set local pref 400 host1 config route map exit host1 config exit host1 show route map 1 route...

Страница 87: ...ing Translation Entries on page 69 Specifying Inside and Outside Interfaces on page 69 Defining Static Address Translations on page 69 Defining Dynamic Translations on page 71 Clearing Dynamic Transla...

Страница 88: ...r information about the modules that support NAT NOTE The E120 and E320 Broadband Services Routers do not support configuration of NAT Module Requirements To configure NAT on ERX7xx models ERX14xx mod...

Страница 89: ...es out to the public network There are two types of traditional NAT basic NAT and NAPT Basic NAT Basic NAT provides translation for IP addresses only called a simple translation and places the mapping...

Страница 90: ...nts and routing restrictions apply to bidirectional NAT that were described for traditional NAT The difference between these two methods is that the DNS exchange might create entries within the transl...

Страница 91: ...one of two ways inside or outside source translation Inside Source Translation Inside source translation is the most commonly used NAT configuration When an inside host sends a packet to the outside...

Страница 92: ...a translated IP address static translation or dynamic translation Static Translations You enter static translations as direct configuration settings that remain in the translation table until you rem...

Страница 93: ...destination interface is marked as inside the server module drops the packet Does not find a NAT match and the destination interface is not marked as inside the server module processes the packet norm...

Страница 94: ...configure certain IP interfaces to participate in Network Address Translation This chapter discusses how to configure NAT to function for certain IP interfaces For information about general IP interfa...

Страница 95: ...e or the outside network CAUTION Only packets routed between an inside and an outside interface are subject to translation You can unmark an interface by using the no version of this command ip nat Us...

Страница 96: ...c translation created with the ip nat inside source static command enables any outside host to contact the inside host by using the inside global address of the inside host A static translation can be...

Страница 97: ...ss translation and session flows between address realms on demand To configure dynamic translations Define any access list rules that the NAT router uses to decide which packets need translation Defin...

Страница 98: ...eate address pools with either a single range or multiple nonoverlapping ranges When you create a single range you specify the starting and ending IP addresses for the range in the root ip nat pool co...

Страница 99: ...171 69 40 112 host config ipnat pool address 171 69 40 118 171 69 40 120 host config ipnat pool exit Use the no version to remove the address range See ip nat pool Defining Dynamic Translation Rules...

Страница 100: ...keyword to specify that the translation create NAPT entries protocol port and address in the NAT table The no version of this command removes the dynamic translation rule but does not remove any prev...

Страница 101: ...time in seconds never for any of the specified timers timeout Dynamic simple translations not for overloaded translations default is 86400 seconds 24 hours dns timeout DNS createdprotocoltranslations...

Страница 102: ...ip nat translation gre icmp tcp udp inside insideGlobalIpAddress insideLocalIpAddress version of this command to match any global or local port and remove inside source extended GRE ICMP TCP or UDP tr...

Страница 103: ...e config interface ip nat inside host1 blue config interface exit host1 blue config interface serial 1 2 host1 blue config interface ip nat inside host1 blue config interface exit 3 Mark the outside i...

Страница 104: ...of the three addresses in the pool Because this example uses NAPT the interface can use only one pool address depending on the number of inside hosts attempting to access the outside at any given time...

Страница 105: ...routing loops when no matching translation exists host1 blue config ip route 192 32 6 0 255 255 255 192 null 0 NOTE Null route applies to 192 32 6 0 and 192 32 6 1 which do not exist in the address p...

Страница 106: ...y smaller than the size of the company network because not all private hosts are likely to access the public network at the same time 5 Create the access list for addresses eligible for dynamic transl...

Страница 107: ...ide global addresses to prevent routing loops when no matching translation exists host1 blue config ip route 12 220 1 0 255 255 0 0 null 0 Cross VRF Example In MPLS VPN configurations you might want t...

Страница 108: ...x length 24 5 Create the access list for addresses eligible for dynamic translation host1 vr1 vrf11 config access list entA permit 10 16 5 0 0 0 0 255 6 Create the dynamic translation rule host1 vr1 v...

Страница 109: ...at has NAT enabled Figure 10 PPTP Tunnels on an Inside Network The router has installed an inside source static simple translation in its translation table as follows Inside Global Address Inside Loca...

Страница 110: ...ound GRE packets the router transmits the packets to the tunnel server module for GRE processing If the packets require translating they are again sent through the tunnel server module NOTE Only inner...

Страница 111: ...e extended static translations Outside Source Extended Number of outside source extended static translations Dynamic Translation Type Type of dynamic translation inside source simple outside source si...

Страница 112: ...ource Extended 70000 70000 70000 568 Fully Extended 26855 26855 26855 2565 Forwarding statistics for virtual router vr1 Packets received on inside interface and forwarded directly 8 forwarded through...

Страница 113: ...utside global Outside global IP address for this translation entry this field also provides the port number separated by a colon for extended entries Outside local Outside local IP address for this tr...

Страница 114: ...ormation The command output displays configuration mask and address ranges of all address pools unless you supply a specific pool name show ip nat pool Use to display NAT address pool information Fiel...

Страница 115: ...ess list and pool usage information for inside source translation rules Field descriptions access list name Name of the access list pool name Name of the address pool rule type Type of rule assigned E...

Страница 116: ...Copyright 2010 Juniper Networks Inc 90 JunosE 11 2 x IP Services Configuration Guide...

Страница 117: ...workstation for data collection and further processing In addition the ability to enable J Flow on an individual virtual router interface or subinterface allows you to collect network statistics for s...

Страница 118: ...n a subset of the fields collected in the raw flow data For example TCP flags Next Hop Address and ToS values are not maintained in any of the aggregation caches Unlike the main cache aggregation cach...

Страница 119: ...o the collector the unsent records are discarded However the virtual router continues to increase the sequence number by one as if it sent the records Discrepancies between the sequence number and sen...

Страница 120: ...Services Routers See E120 and E320 Module Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the mo...

Страница 121: ...Issuing an interface level flow command does not enable J Flow on the virtual router To enable J Flow issue the ip flow statistics command ip route cache flow sampled Use to enable J Flow on an inter...

Страница 122: ...nfigured sampling rate and might drop the intended sampled packets If this occurs you can address the issue by reducing the sampling rate NOTE For all modules except the ES2 10G LM on the E120 router...

Страница 123: ...p flow cache timeout active command to specify a value for the activity timer The activity timer measures the amount of time that the virtual router has been recording a datagram for a given flow When...

Страница 124: ...flow export 192 168 2 73 2055 version 5 peer as Example 2 Specifies the source address for outbound export J Flow datagrams host1 config ip flow export source fastEthernet 5 0 Use the no version to r...

Страница 125: ...ion cache host1 config ip flow aggregation cache as 2 Configure the number of entries 1024 524288 in the aggregation cache the no version sets the number of entries back to its default value of 4096 f...

Страница 126: ...abled export destination Use to configure an export destination for the aggregation cache Example host1 config flow cache export destination myhost udp port Use the no version to remove the destinatio...

Страница 127: ...ce Monitoring J Flow Statistics This section shows how to clear J Flow statistics and use the show commands to view J Flow settings and statistical results Clearing J Flow Statistics Use the clear ip...

Страница 128: ...ribution of IP packets by size Percent Percent distribution of different sized IP packets Protocol Port Protocol of the sample and port destination for that sample Total Flows Total number of flows Fl...

Страница 129: ...ckets Protocol Port Flows Sec Flow Packet Sec TCP telnet 1 0 000 118 000 1014 000 0 000 UDP whois 1 0 008 935 000 1026 000 7 664 Summary Total Flows Processed 2 Total Packets 1053 Total Bytes 1078962...

Страница 130: ...20 30 41 258 GigE4 0 12 0 0 2 GigE2 0 TCP telnet 58 000 1014 000 0 000 10 20 30 41 63 GE4 0 50 60 70 88 UDP whois 1028 000 1026 000 7 672 Summary Total Flows Processed 2 Total Packets 1086 Total Bytes...

Страница 131: ...ld descriptions Aggregation Cache AS AS aggregation cache Destination prefix Destination prefix aggregation cache Prefix Prefix aggregation cache Protocol port Protocol port aggregation cache Source p...

Страница 132: ...000 7 664 Summary Total Flows Processed 2 Total Packets 1053 Total Bytes 1078962 show ip flow export Use to display configuration values for IP flow cache export Example host1 show ip flow export Flow...

Страница 133: ...en these hello messages are not used IGP hellos have their own limitations it often takes one second or more to detect a remote end failure and processing IGP hello messages takes precious processing...

Страница 134: ...peer for a failure detection time and after the time expires the client stops transmitting packets For the Admin Down state to work the peer which receives the Admin Down state notification must have...

Страница 135: ...iveness detection interval is the period a peer waits for a BFD packet from its peer before declaring the BFD session to be down The detection interval is determined independently by each peer and can...

Страница 136: ...ule specifications See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support BFD For information about modules that support BFD on the E120 and E320 Broadb...

Страница 137: ...ers establish sessions based on BFD version support Table 7 Determining BFD Versions E Series Routers Running Software Versions Earlier than JunosE 7 2 x E Series Routers Running JunosE 7 2 x and late...

Страница 138: ...guration Guide OSPF Chapter Configuring OSPF in JunosE IP IPv6 and IGP Configuration Guide OSPFv3 Chapter Configuring PIM for IPv4 Multicast in JunosE IP IPv6 and IGP Configuration Guide and chapter C...

Страница 139: ...ed timer intervals for all BFD sessions on the router Does not disable the state of the BFD adaptive timer interval feature Example host1 clear bfd adapted intervals There is no no version See clear b...

Страница 140: ...d Example 1 host1 clear ipv6 bfd session Example 2 host1 clear ipv6 bfd session address 1 4 There is no no version See clear ipv6 bfd session Monitoring BFD This section lists the system event logs as...

Страница 141: ...session Field descriptions Address IP address of the remote interface with which the session is established In unnumbered cases the remote interface provides its reference IP address State State of t...

Страница 142: ...e remote end Up Down count Number of up down transitions that have occurred on the session Local diagnostic Reason at the local end for the last session down event Remote diagnostic Reason at the remo...

Страница 143: ...val 0 multiplier 3 Remote min tx interval 0 3 min rx interval 0 3 multiplier 3 Local diagnostic None Remote diagnostic None Remote heard hears us Min async interval 0 3 min slow interval 0 3 Echo mode...

Страница 144: ...Copyright 2010 Juniper Networks Inc 118 JunosE 11 2 x IP Services Configuration Guide...

Страница 145: ...sulating protocols including authentication AH and Encapsulating Security Payload ESP to provide security on specified packets The Internet Security Association and Key Management Protocol Internet Ke...

Страница 146: ...ready secured traffic arriving on that interface identified based on its SPI This traffic is cleared and checked against the security parameters set for that interface Inbound traffic Internet Protoco...

Страница 147: ...er See ERX Module Guide Table 1 Module Combinations for detailed module specifications See ERX Module Guide Appendix A Module Protocol Support for information about the modules that support IPSec NOTE...

Страница 148: ...data packet Authentication header AH provides authentication to every data packet Both protocols are defined with two modes of operation Tunnel mode completely encapsulates the original packet within...

Страница 149: ...traffic to discard and so on The router also applies IPSec selectors to traffic going into or coming out of a secure tunnel so that unwanted traffic is not allowed inside the tunnel Supported selector...

Страница 150: ...and source and destination IP addresses Transport VR A key generation approach that guarantees that every newly generated session key is not in any way related to the previous keys PFS ensures that a...

Страница 151: ...an SA on demand with the remote security gateway The remote security gateway must also support SA negotiation otherwise the gateway drops traffic Again the router keeps statistics for dropped traffic...

Страница 152: ...ure tunnel endpoints the source and destination are routable addresses Normally the transport VR is the default ISP routing infrastructure on top of which VPNs are provisioned The IPSec Service module...

Страница 153: ...es the FQDN to establish and authenticate the IPSec connection and then uses the actual IP address for rekeying and filtering operations The ERX router FQDN feature supports both preshared keys and di...

Страница 154: ...lished both a timer and a traffic volume counter are set When either counter reaches the limit specified by the SA lifetime a new SA is negotiated and the expired SA is deleted The renegotiations refr...

Страница 155: ...the other the outbound SA parameters The following parameters form each set of SA parameters SPI The SPI is a unique identifier that is applied to the SA when securing a flow An SPI is unique for a gi...

Страница 156: ...IPSec supports two encapsulation modes tunnel mode and transport mode Tunnel mode creates a second IP header in the packet and uses both the local and remote security gateway addresses as source and d...

Страница 157: ...and ESP DES transforms ESP DES MD5 Combination of ESP SHA and ESP DES transforms ESP DES SHA Combination of ESP MD5 and ESP 3DES transforms ESP 3DES MD5 Combination of ESP SHA and ESP 3DES transforms...

Страница 158: ...rocessing on page 132 AH Processing on page 132 This section also provides a pointer to the IPSec system maximums IP Security Policies The ERX router does not support a systemwide SPD Instead the rout...

Страница 159: ...th each other at regular predetermined intervals DPD uses two techniques to verify connectivity on an as needed basis In the first method the router sends DPD inquiries to the remote peer when traffic...

Страница 160: ...ork for key exchange and security association establishment IKE provides Automatic key refreshing on configurable timeout Support for public key infrastructure PKI authentication systems Antireplay de...

Страница 161: ...nations of initiator proposals and policy rules As indicated allowing aggressive mode in a policy rule allows negotiation to take place no matter what the initiator requests Table 13 Initiator Proposa...

Страница 162: ...ever every IKE policy is considered secure enough to secure the IKE SA flow During IKE negotiation all policies are scanned one at a time starting from the highest priority policy and ending with the...

Страница 163: ...me parameter for an IKE policy The timer for the lifetime parameter begins when the IKE SA is established using IKE IKE SA Negotiation As the initiator of an IKE SA the router sends its IKE policies t...

Страница 164: ...em attribute regardless of how many ISMs exist in the system Only one set of keys is available at any given time Configuration Tasks This section explains the steps to configure an IPSec license and I...

Страница 165: ...host1 config manual key key customerASecret After you enter a preshared key the router encrypts the key and displays it in masked form to increase the security of the key If you need to reenter the ke...

Страница 166: ...sp net host1 config manual key Example 3 using an FQDN with user specification host1 config ipsec key manual pre share identity user4919 branch245 customer77 isp net host1 config manual key Use the no...

Страница 167: ...actual transform used on the tunnel is negotiated with the peer Transforms are numbered in a priority sequence in the order in which you enter them To display the names of the transforms that you can...

Страница 168: ...ddresses assigned to the tunnel interface host1 config virtual router vrA host1 vrA config 2 Create an IPSec tunnel and specify the transport VR host1 vrA config interface tunnel ipsec Aottawa2boston...

Страница 169: ...in use by this tunnel host1 config if tunnel lifetime seconds 48000 kilobytes 249000 13 Optional Set the MTU size for the tunnel host1 config if tunnel mtu 2240 interface tunnel Use to create or conf...

Страница 170: ...er of seconds limit is reached the SA is renegotiated which ensures that the tunnel does not go down during renegotiation Example host1 config if tunnel lifetime seconds 48000 kilobytes 249000 Use the...

Страница 171: ...configure perfect forward secrecy PFS on this tunnel Assign a Diffie Hellman prime modulus group using one of the following keywords 1 768 bit group 2 1024 bit group 5 1536 bit group Example host1 con...

Страница 172: ...et includes DES create an 8 byte key using 16 hexadecimal characters 3DES create a 24 byte key using 48 hexadecimal characters MD5 create a 16 byte key using 32 hexadecimal characters SHA create a 20...

Страница 173: ...IPSec tunnel destination backup is configured the router redirects traffic to the alternate destination when DPD detects a disconnection between the E Series router and the regular tunnel destination...

Страница 174: ...SL environments use the FQDN to identify the tunnel destination backup which does not have a fixed IP address The identity string can include an optional user specification preceding the FQDN this is...

Страница 175: ...ssive mode to the peer in connections that the policy initiates If the peer initiates a negotiation the tunnel accepts the negotiation if the mode matches this policy Use the accepted keyword to accep...

Страница 176: ...it group 5 1536 bit group Example host1 config ike policy group 5 Use the no version to restore the default See group hash Use to set the hash algorithm for the IKE policy md5 MD5 HMAC variant sha SHA...

Страница 177: ...As The range is 60 86400 seconds host1 config ike policy lifetime 360 Use the no version to reset the SA lifetime to the default 28800 seconds See lifetime Refreshing SAs To refresh ISAKMP IKE or IPSe...

Страница 178: ...e subject to denial of service DOS attacks Instead the E Series router can determine when a phase 1 relationship has gone stale by timeouts or use of dead peer detection DPD For this reason this featu...

Страница 179: ...long haul Frame Relay links by creating IPSec tunnels to carry customer A s traffic securely between the sites over the public or ISP provided IP network This alternative costs only a fraction of the...

Страница 180: ...et customerAprotection erx1 config if tunnel local identity subnet 200 1 0 0 255 255 0 0 erx1 config if tunnel peer identity subnet 200 3 0 0 255 255 0 0 erx1 config if tunnel source 100 1 0 1 erx1 co...

Страница 181: ...ustomerAprotection erx3 config if tunnel local identity subnet 200 3 0 0 255 255 0 0 erx3 config if tunnel peer identity subnet 200 2 0 0 255 255 0 0 erx3 config if tunnel source 100 3 0 1 erx3 config...

Страница 182: ...t customerBprotection ah hmac md5 2 On each ERX router create a protection suite for the three routers to use to authenticate each other erx1 config ipsec key manual pre share 5 2 0 1 erx1 config manu...

Страница 183: ...for the tunnels in the ISP default virtual router Virtual router A erx1 config virtual router vrA erx1 vrA config Tunnel from Ottawa to Boston on virtual router A erx1 vrA config interface tunnel ipse...

Страница 184: ...air of tunnels in the virtual routers where the IP interfaces reaching those customers are defined Create the endpoints for the tunnels in the ISP default virtual router Virtual router A erx2 config v...

Страница 185: ...rx3 create two IPSec tunnels one to carry customer A s traffic and another to carry customer B s traffic Virtual router A erx3 config virtual router vrA erx3 vrA config Tunnel from Boston to Ottawa on...

Страница 186: ...subnet 10 2 0 0 255 255 0 0 erx3 vrB config if tunnel source 5 3 0 1 erx3 vrB config if tunnel destination 5 2 0 1 erx3 vrB config if ip address 10 2 0 0 255 255 0 0 erx3 vrB config if exit The confi...

Страница 187: ...me of SAs created with this policy 60 to 86400 seconds aggressive mode Allowed or not allowed Example host1 show ipsec ike policy rule IKE Policy Rules Protection suite priority 5 encryption algorithm...

Страница 188: ...main mode SA payload to the responder MM_SA_R Responder has sent a response to the initial main mode SA MM_KE_I Initiator has sent initial main mode key exchange to the responder MM_KE_R Responder ha...

Страница 189: ...s and transport virtual router of local endpoints To display the local endpoint of a specific transport virtual router include the virtual router name Example host1 show ipsec local endpoint transport...

Страница 190: ...n is displayed Tunnel operational configuration Configuration running on the tunnel Tunnel type Manual signaled Tunnel mtu MTU size of the tunnel Tunnel localEndpoint IP address of local tunnel endpoi...

Страница 191: ...ased lifetime in kilobytes inbound outbound traffic remaining Number of additional kilobytes that tunnel can send or receive before traffic based lifetime expires Tunnel Statistics Displays statistics...

Страница 192: ...Address 4 0 0 100 Tunnel peer identity is ipAddress 3 0 0 100 Tunnel lifetime seconds is 7200 Tunnel lifetime kilobytes is 1024000 Tunnel pfs is group 5 Tunnel administrative state is Up Tunnel Operat...

Страница 193: ...splay the status of tunnels configured on a virtual router To display only tunnels that are in a specific state use the state keyword To display tunnels that are using a particular IP address use the...

Страница 194: ...s ipsec tunnels license is g1k23b23eb2j which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards See show license Copyright 2010 Juniper Networks Inc 168 JunosE 11 2 x I...

Страница 195: ...the associated VR or VRF The router contains a link between the VR or VRF and the private intranet containing the resources This link can be a direct connection or a tunnel IPSec IP in IP GRE or MPLS...

Страница 196: ...The following events can trigger the teardown of a dynamic IPSec subscriber connection All phase 1 and phase 2 SA deleted by a remote peer and no rekeying activity occurs for one minute Administrative...

Страница 197: ...rolling which connecting user based on the IKE identification belongs to a given profile Profile settings falling in this category include the following IKE identities from peers that can use this pro...

Страница 198: ...reside on the PC These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed Depending on the IKE phase 1 exchange restrictions on the a...

Страница 199: ...tes on page 205 Configuring IP Tunnels on page 237 JunosE Broadband Access Configuration Guide Creating an IPSec Tunnel Profile To create an IPSec tunnel profile use the ipsec tunnel profile command T...

Страница 200: ...return the maximum value to unlimited indicating no limit to the number of interfaces that can be instantiated on this profile See max interfaces Specifying IKE Settings This section describes how to...

Страница 201: ...e username portion of the IKE identity matches the username setting for this profile An empty string default means that an IKE identity type of userFQDN is not allowed for logins on this profile NOTE...

Страница 202: ...and local identities at the other end respectively Example host1 config ipsec tunnel profile local ip identity range 10 30 11 1 10 30 11 50 Use the no version to restore the default value the interna...

Страница 203: ...ave higher priority than global keys If both individual and global keys are configured the individual that also has a specific key must use that key or authentication fails More than one profile can s...

Страница 204: ...ume lifetime Use to specify the IPSec lifetime parameters used on IPSec SA lifetime negotiations Example host1 config ipsec tunnel profile lifetime seconds 5000 25000 Use the no version to return the...

Страница 205: ...cepts the first transform proposed by a client that matches one of the transforms specified by this command During an IPSec SA exchange with a client the router proposes all transforms specified by th...

Страница 206: ...s This section describes enhancements to some IKE policy rule commands to support dynamic IPSec subscribers Specifying a Virtual Router for an IKE Policy Rule The ip address virtual router command ena...

Страница 207: ...Mode for an IKE Policy Rule The aggressive mode command enables aggressive mode negotiation for the tunnel For additional information about aggressive mode and how it works see Main Mode and Aggressi...

Страница 208: ...el profile found Example 2 host1 show ipsec tunnel profile detail ipsec spg IPsec tunnel profile ipsec spg is active with no subscriber Extended authentication pap no re authentication Peer IP charact...

Страница 209: ...d source of the address l2tp local dhcp radius user For local dhcp radius and user endpoints the address is that of the user When the endpoint is l2tp the address is that of the LNS Virtual Router Nam...

Страница 210: ...xcfgUser1 vpn1 800 555 1212 See show subscribers Copyright 2010 Juniper Networks Inc 184 JunosE 11 2 x IP Services Configuration Guide...

Страница 211: ...197 Monitoring ANCP on page 197 Overview Access Node Control Protocol ANCP also known as Layer 2 Control L2C is based on a subset of the General Switch Management Protocol GSMP as defined in the GSMP...

Страница 212: ...multiple flows and distinct QoS requirements These mechanisms require that B RAS devices obtain information about the access network topology the links within that network and their rates Operations...

Страница 213: ...g ways From AAA layer For PPP interfaces the router retrieves the DSL line rate parameters from the AAA layer and reports this information to the SRC software From DHCP options For DHCP external serve...

Страница 214: ...rt 6068 for ANCP TCP connection requests l2c ip listen Use to create a listening TCP socket in the current virtual router context Example host1 config l2c ip listen Use the no version to remove the li...

Страница 215: ...fig l2c wait for gsmp syn Use the no version to disable the learning option in ANCP If the access node does not send the GSMP_SYN message after initiating the TCP session the connection is lost becaus...

Страница 216: ...if l2c peer attachment id in_multicast_port_5 Use the no version to remove the input label association See l2c peer attachment id Configuring ANCP Neighbors From the L2C Configuration mode config l2c...

Страница 217: ...y the maximum number of discovery table entries that a neighbor can have Using this command to change the maximum number of entries when an already greater number of current entries exists in the disc...

Страница 218: ...host1 l2c neighbor discovery mode Use the no version to disable discovery mode See discovery mode Configuring ANCP for QoS Adaptive Mode The system can QoS adjust VLAN and ATM VC downstream rates rece...

Страница 219: ...ANCP QoS adaptive mode enables the system to shape VLAN and ATM VC downstream rates received from ANCP by dynamically creating QoS parameter instances associated with the ANCP L2C downstream applicat...

Страница 220: ...ers that use the specified DSL line type Example host1 config l2c adjustment factor adsl1 45 host1 config l2c adjustment factor adsl2 55 host1 config l2c adjustment factor adsl2 67 host1 config l2c ad...

Страница 221: ...In the following example Figure 18 on page 195 two subscribers access individual multicast channels through cross connections branches that occur on the access node Figure 18 Using ANCP with an Acces...

Страница 222: ...iles see Command Line Interface in JunosE System Basics Configuration Guide Configure an OIF map host1 config ip igmp oif map OIFMAP atm 2 0 101 232 1 1 1 10 1 1 1 host1 config ip igmp oif map OIFMAP...

Страница 223: ...ans of a GSMP port management message For example when using an ATM based local loop the ANCP operation can trigger the access node to generate ATM F4 F5 loopback cells on the local loop l2c oam Use t...

Страница 224: ...splays the adjustment factor for each DSL type host1 show adjustment factor L2C QoS Adjustment Rates ADSL1 45 ADSL2 55 ADSL2 100 VDSL 100 VDSL2 55 SDS 100 Example 2 Displays the adjustment factor for...

Страница 225: ...DLE Dsl Type Type of DSL Total Line Attributes Total number of line attributes reported Example 1 host1 show l2c discovery table brief Neighbor Access Loop Id Down UpStream kbps State ACCESSNODE_10 Ac...

Страница 226: ...am 9408 kbps Line State 1 SHOWTIME Dsl Type 0 Invalid transmission type Total Line Attributes 6 See show l2c discovery table show l2c label Use to display information about known ANCP labels on the ro...

Страница 227: ...rface Peer Attach Id ATM4 0 11 Accessnode_10 atm3 2 0 10 ATM4 0 12 Accessnode_10 atm3 3 0 10 ATM4 0 13 Accessnode_10 atm3 4 0 10 ATM4 0 14 Accessnode_10 atm3 5 0 10 Example 3 host1 show l2c label neig...

Страница 228: ...ol state of this neighbor Number of configured neighbors Number of configured ANCP neighbors Number of Neighbors in GSMP_ESTAB state Number of ANCP neighbors that are in an established GSMP state Numb...

Страница 229: ...P neighbors Number of active neighbors Number of active ANCP neighbors Number of end user ids Number of ANCP end user IDs output labels Number of peer attachment ids Number of ANCP peer attachment IDs...

Страница 230: ...Copyright 2010 Juniper Networks Inc 204 JunosE 11 2 x IP Services Configuration Guide...

Страница 231: ...s and Public Keys on page 228 Overview You can use digital certificates in place of preshared keys for IKE negotiations For more information about IKE see IKE Overview on page 134 in Configuring IPSec...

Страница 232: ...t dictate how IPSec processes a packet including encapsulation protocol and session keys A single secure tunnel uses multiple SAs SA Simple certificate enrollment protocol used to submit requests and...

Страница 233: ...ficate This certificate provides a level of assurance that a peer s identity as represented in the certificate is associated with a particular public key E Series Broadband Services Routers provide bo...

Страница 234: ...generate its own public private key pairs The public private key pair supports the RSA standard 1024 or 2048 bits The private key is used only by the ERX router It is never exchanged with any other n...

Страница 235: ...rds supported for certificate enrollment are PKCS 10 certificate requests PKCS 7 responses and X 509v3 certificates For manual enrollment certificates are encoded in base64 MIME so that the files are...

Страница 236: ...E phase 1 signature authentication In the online certificate method you use the crl command to control CRL verification The router uses HTTP to support CRL verification when the CRL distribution point...

Страница 237: ...ERX router and taken to CAs for obtaining a certificate crq Used for public certificate files The public certificates for root CAs and the router public certificates are copied to the ERX router They...

Страница 238: ...t having to obtain a digital certificate This method offers the simplicity and convenience of using preshared key authentication without its inherent security risks With this method you no longer need...

Страница 239: ...3764 51E3AB3C F9A6665E 562E3681 F120405E 30235690 6FC093AA EB0FE956 51C38EE1 54D81E40 7687C387 07020301 0001 For more information about the format of an RSA public key and about ASN 1 syntax see RFC 3...

Страница 240: ...rom the CA copy the certificate to the router and then inform the router that the new certificate exists host1 config ipsec certificate database refresh 8 Optional Set the sensitivity of how the route...

Страница 241: ...handles CRLs during negotiation of IKE phase 1 signature authentication Specify one of the following keywords ignored Allows negotiations to succeed even if a CRL is invalid or the peer s certificate...

Страница 242: ...rates the certificate use offline methods to send the certificate request file to the CA Example host1 config ipsec certificate request generate rsa myrequest crq There is no no version See ipsec cert...

Страница 243: ...r policies in the range 1 10000 with 1 having the highest priority Example host1 config ipsec ike policy rule 3 host1 config ike policy Use the no version to remove policies If you do not include a pr...

Страница 244: ...here is no no version To remove a key pair use the ipsec key zeroize command See ipsec key generate ipsec key zeroize Use to delete RSA key pairs Include one of the following keywords rsa Removes the...

Страница 245: ...host1 config ca identity issuer identifier BetaSecurityCorp 5 Specify the URL of the SCEP server from which the CA certificates and the router s public certificates is retrieved host1 config ca ident...

Страница 246: ...he default setting required Requires a valid CRL either the certificates that belong to the E Series router or the peer must not appear in the CRL this is the strictest setting Example host1 config ca...

Страница 247: ...16 ikeEnrollment Received CA certificate for ca trustedca1 INFO 10 18 2003 03 45 16 ikeEnrollment Received CA certificate for ca trustedca1 fingerprint 28 19 ba 76 d8 e0 bb 22 60 cd b9 2d dc b8 58 01...

Страница 248: ...y rule Use to define an ISAKMP IKE policy When you enter the command you include a number that identifies the policy and assigns a priority to the policy You can number policies in the range 1 10000 w...

Страница 249: ...ipsec key zeroize command See ipsec key generate ipsec key zeroize Use to delete RSA key pairs Include one of the following keywords rsa Removes the RSA key pair from the router pre share Removes all...

Страница 250: ...ertificate 1 Generate the RSA key pair on the router host1 config ipsec key generate rsa 1024 Please wait IPsec Generate Keys complete 2 In your IKE policy set the authentication method to RSA signatu...

Страница 251: ...e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698 748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b 4aac505b 255f17ca faf884ca f0402022 5ad6f44...

Страница 252: ...ey generate rsa 2048 Please wait IPsec Generate Keys complete There is no no version To remove a key pair use the ipsec key zeroize command See ipsec key generate ipsec key pubkey chain rsa Use to acc...

Страница 253: ...sion to remove the peer public key from the router See ipsec key pubkey chain rsa key string Use to manually enter a 1024 bit or 2048 bit public key for a remote peer with which you want to establish...

Страница 254: ...nfigures the public key for a remote peer with the user FQDN tsmith sales company_xyz com using lowercase x as the key string delimiter character host1 config ipsec key pubkey chain rsa name tsmith sa...

Страница 255: ...ment url http 192 168 10 124 scepurl issuer id BetaSecurityCorp retry period 1 retry limit 60 crl setting optional proxy url See show ipsec ca identity show ipsec certificates show ike certificates NO...

Страница 256: ...suerName C CA ST ON L Kanata O BetaSecurityCorp OU VT Group CN VT Root CA SerialNumber 84483276204047383658902 SignatureAlgorithm rsa pkcs1 sha1 Validity NotBefore 2003 Oct 21st 16 14 42 GMT NotAfter...

Страница 257: ...sLocation Following names detected URI uniform resource indicator Viewing specific name types No names of type IP DNS URI EMAIL RID UPN or DN detected AccessMethod 1 3 6 1 5 5 7 48 2 AccessLocation Fo...

Страница 258: ...1 FullName Following names detected URI uniform resource indicator Viewing specific name types URI http vtsca1 CertEnroll VTS 20Root 20CA crl Entry 2 FullName Following names detected URI uniform res...

Страница 259: ...configuration show ike configuration NOTE The show ike configuration command has been replaced by the show ipsec ike configuration command and may be removed completely in a future release Use to disp...

Страница 260: ...the summary keyword To display the public key for a remote peer with a specific IP address use the address keyword followed by the IP address in 32 bit dotted decimal format To display the public key...

Страница 261: ...7 bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a 5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63...

Страница 262: ...Copyright 2010 Juniper Networks Inc 236 JunosE 11 2 x IP Services Configuration Guide...

Страница 263: ...is a virtual point to point connection between two routers See Figure 19 on page 237 To establish an IP tunnel you specify a tunnel type and name and then configure an interface on each router to act...

Страница 264: ...ers See E120 and E320 Module Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that sup...

Страница 265: ...ADV LM require the ES2 S1 Service IOA to condition it to receive and transmit data to other line modules The ES2 S1 Service IOA also does not have ingress or egress ports You can also create IP tunnel...

Страница 266: ...irtual router keyword to establish the tunnel on a virtual router other than the current virtual router Example host1 config interface tunnel dvmrp boston tunnel 1 transport virtual router boston Use...

Страница 267: ...l2 host1 config if tunnel destination 192 13 7 1 Example 2 host1 config interface tunnel dvmrp tunnel2 host1 config if tunnel destination remoteHost Use the no version to remove the destination of a t...

Страница 268: ...ed boston that supports one end of the tunnel host1 virtual router boston 2 Configure a physical or loopback interface for the end of the tunnel on virtual router boston The IP address of this interfa...

Страница 269: ...el the module forwards the frames to a tunnel service module Tunnel service modules include SMs and modules that support the use of shared tunnel server ports The tunnel service module encapsulates th...

Страница 270: ...ls For information about configuring multicast VPNs using GRE tunnels see Configuring PIM for IPv4 Multicast in JunosE Multicast Routing Configuration Guide Monitoring IP Tunnels You can monitor DVMRP...

Страница 271: ...xx models ERX14xx models and the ERX310 router or slot adapter port format E120 and E320 routers Tunnel secured by ipsec transport interface IPSec interface that secures the tunnel Tunnel administrati...

Страница 272: ...rtual router vr1 ip 0 0 0 0 DVMRP tunnel boston1 is up 1 DVMRP tunnel found 1 tunnel was created static Example 5 Displays a DVMRP tunnel on an E320 router host1 show dvmrp tunnel detail DVMRP tunnel...

Страница 273: ...the number of tunnels associated with an IP address on the virtual router specify an IP address with the virtual router keyword and the name of the virtual router Field descriptions Tunnel name Name o...

Страница 274: ...eated static Example 2 host1 show gre tunnel detail Tunnel operational configuration Tunnel name is vr1 Tunnel mtu is 10240 Tunnel source address is 10 0 0 2 Tunnel destination address is 10 0 0 1 Tun...

Страница 275: ...ple 4 host1 show gre tunnel virtual router vr1 ip 10 0 0 1 GRE tunnel VR1 is up 1 GRE tunnel found 1 tunnel was created static Example 5 Displays a GRE tunnel on an E320 router host1 show gre tunnel d...

Страница 276: ...play a summary of information about GRE tunnels Field descriptions Administrative status enabled Tunnel is available for use disabled Tunnel is not available for use Operational status up Tunnel is op...

Страница 277: ...ls also known as IP in IP tunnels To establish a dynamic IP tunnel for GRE or DVMRP interfaces you must configure a destination profile for a specific transport virtual router that is used to store tu...

Страница 278: ...Mobile IP application can create dynamic point to point GRE and DVMRP tunnels The Mobile IP application is a tunneling based solution that enhances the utility of E Series Broadband Services Routers a...

Страница 279: ...tic tunnel with the same parameters as an existing dynamic IP tunnel the system does not create the dynamic IP tunnel Changing and Removing Existing Dynamic IP Tunnels You can modify the parameters in...

Страница 280: ...orts on their own associated I O modules However you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel You can also create IP tunnels on rou...

Страница 281: ...nels on page 251 References For more information about IP tunnels see the following documents RFC 1700 Assigned Numbers October 1994 RFC 1701 Generic Routing Encapsulation October 1994 RFC 1702 Generi...

Страница 282: ...el source 1 1 1 1 3 Set the destination address for the tunnel host1 config dest profile tunnel destination subnet 10 0 0 0 255 0 0 0 4 Optional Set the maximum transmission unit MTU size for the tunn...

Страница 283: ...profile kanata mdt dvmrp destination profile Use to configure a destination profile for dynamic DVMRP tunnels Use the any virtual router keyword to create a default destination profile for all virtua...

Страница 284: ...utation across a GRE tunnel Checksum computation is not supported for DVMRP tunnels Selecting this feature causes the E Series router to drop corrupted packets it receives on the tunnel interface Exam...

Страница 285: ...ify GRE sequence numbers at both ends of the GRE tunnel Example host1 config dest profile tunnel sequence datagrams Use the no version to disable sequence numbers See tunnel sequence datagrams tunnel...

Страница 286: ...outer assigned to the destination profile tunnel destination subnet Value of the configured destination address subnet tunnel source Value of the configured source address Example 1 Displays all desti...

Страница 287: ...el Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tunnel Tunnel transport virtual router Name of the virtual router associ...

Страница 288: ...PN Tunnel operational configuration Tunnel mtu is 5000 Tunnel source address is 1 1 1 1 Tunnel destination address is 2 2 2 2 Tunnel transport virtual router is vr1 Tunnel mdt is disabled Tunnel up do...

Страница 289: ...ecause the hardware such as a line module supporting the tunnel is inaccessible Example host1 show dvmrp tunnel summary Administrative status enabled disabled 1 0 Operational status up down not presen...

Страница 290: ...Displays a specific GRE destination profile used for dynamic IP tunnel creation host1 show gre destination profile boston1 gre destination profile boston1 tunnel checksum disabled tunnel sequence dat...

Страница 291: ...tunnel Tunnel mtu Value of the maximum transmission unit for the tunnel Tunnel source address IP address of the source of the tunnel Tunnel destination address IP address of the destination of the tu...

Страница 292: ...vr11 show dvmrp tunnel detail mvpn dynamic 1 GRE tunnel mvpn dynamic 1 is Up tunnel is dynamic Application is MVPN Tunnel operational configuration Tunnel mtu is 5000 Tunnel source address is 1 1 1 1...

Страница 293: ...re tunnel show gre tunnel summary Use to display a summary of information about GRE tunnels Field descriptions Administrative status enabled Tunnel is available for use disabled Tunnel is not availabl...

Страница 294: ...Copyright 2010 Juniper Networks Inc 268 JunosE 11 2 x IP Services Configuration Guide...

Страница 295: ...processed and de encapsulated at the egress endpoint When packets are tunneled through an IP network simple IP forwarding is performed The IP forwarding process might fragment packets in the tunnel T...

Страница 296: ...xx Models ERX14xx Models and the ERX310 Router To configure IP reassembly on ERX7xx models ERX14xx models and the ERX310 router you must install one of a Service Module SM an IPSec Service line module...

Страница 297: ...P reassembly on IOAs that support shared tunnel server ports You can configure provision a shared tunnel server port to use a portion of the IOA s bandwidth to provide tunnel services For a list of th...

Страница 298: ...baseline for tunnel reassembly statistics on the current virtual router The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting th...

Страница 299: ...ad sent to the SRP module Reassembly Errors or Total Reassembly Errors Number of errors in completing reassembly detailed display includes types of reassembly errors Reassembly Discards Number of pack...

Страница 300: ...unnel reassembly The following command shows reassembly statistics relative to the baseline before new packets arrive at the router for reassembly host1 vr2 show ip tunnel reassembly statistics delta...

Страница 301: ...virtual IP interfaces that are configured to provide confidentiality and authentication services for the traffic flowing through the interface that traffic can be L2TP GRE and DVMRP tunnel traffic Se...

Страница 302: ...NS and LAC support in E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support LNS and LAC Module Requirements To create IPSec secured tunnels you must...

Страница 303: ...using another unsecured connection to the Internet depending on the client software capabilities On the router side of the L2TP connection the E Series router acts as the LNS On the PC client side of...

Страница 304: ...ion SA between the client PC and the E Series router that is acting as a VPN provider SAs are established to secure data traffic The IPSec connection secures L2TP traffic 3 Set up an L2TP tunnel and s...

Страница 305: ...S X version 10 3 or higher Interactions with NAT There are two ways that you can configure E Series routers to interact with Network Address Translation NAT devices in the network Configure the router...

Страница 306: ...ce You can set up the router to run in NAT passthrough mode which causes the router to not check UDP checksums The reason is that a NAT device may change the IP address while the UDP header is encrypt...

Страница 307: ...the IPSec remote peers 3 If a NAT device is detected between the remote peers the router negotiates the appropriate type of UDP encapsulation as part of the IKE SA and uses this encapsulation method...

Страница 308: ...led UDP encapsulated IPSec packets arriving and leaving the router look like standard UDP packets However the router does not forward these packets to and from the SRP module as it does for other UDP...

Страница 309: ...an carry no more than a single L2TP session for the duration of its existence The router ignores the idle timeout period for single shot tunnels This means that as soon a single shot tunnel s session...

Страница 310: ...es Destruct timeout period For information about configuring L2TP IPSec single shot tunnels on the router see Configuring Single Shot Tunnels on page 287 Configuration Tasks for Client PC To set up cl...

Страница 311: ...ile remote host default host1 config l2tp dest profile host 3 Specify that for L2TP tunnels associated with this destination profile the router accept only tunnels protected by IPSec host1 config l2tp...

Страница 312: ...NAT T To configure NAT T on the current virtual router 1 Select the name of the virtual router you want to configure host1 config virtual router westford host1 westford config 2 Enable NAT T for the...

Страница 313: ...configuration of the single shot tunnel for a particular L2TP host profile For information about how to use this command see show l2tp destination profile on page 300 For information about the other...

Страница 314: ...ith a remote router After establishing the IPSec connection the E Series router establishes a GRE or DVMRP tunnel to the remote router The tunnel is completely protected by the IPSec connection Settin...

Страница 315: ...mand interface tunnel dvmrp interface tunnel gre Use with the ipsec transport keyword to create a GRE or DVMRP tunnel that is protected with IPSec in transport mode NOTE After you create a clear GRE o...

Страница 316: ...er Local IPSec Transport Profile mode host1 config ipsec transport profile local ip address 10 10 1 1 host1 config ipsec transport profile local Optional Configure a key for IKE negotiations For examp...

Страница 317: ...which is a typical scenario for secure remote access For GRE IPSec and DVMRP IPSec connections you must enter a fixed address the 0 0 0 0 wildcard address is not accepted and will return an error Exam...

Страница 318: ...d key which is not fully secure Example host1 config ipsec transport profile local ip address 192 168 1 2 host1 config ipsec transport profile local Use the no version to delete the IP address See loc...

Страница 319: ...only the show config output you can 1 Use the show config command to see the encrypted masked form of the key 2 Use the pre shared masked command to enter the masked key The system will behave the sam...

Страница 320: ...3des hmac sha See transform set Monitoring DVMRP IPSec GRE IPSec and L2TP IPSec Tunnels This section contains information about troubleshooting and monitoring DVMRP IPSec GRE IPSec and L2TP IPSec tun...

Страница 321: ...uter has negotiated NAT T as part of the IKE SA the local UDP port number displayed in the Local Port column is typically 4500 When NAT T is disabled or not supported on one or both sides of the IKE S...

Страница 322: ...ore not using NAT T to access the router This PC appears in the Remote Port column with its own IP address 21 227 9 10 and UDP port number 500 The remaining two client PCs are located behind a NAT dev...

Страница 323: ...subnet protocol and port Remote identity Shows the subnet protocol and port Inbound spi Inbound security parameter index Inbound transform Inbound algorithm Inbound lifetime Inbound configured lifetim...

Страница 324: ...ed above Example 1 host1 vr11 show ipsec transport interface IPSEC transport interface 5 is Up IPSEC transport interface 6 is Up 2 Ipsec transport interfaces found Example 2 host1 vr11 show ipsec tran...

Страница 325: ...nd Number of IPSec transport interfaces that are currently bound to the upper layer Example host1 vr11 show ipsec transport interface summary Operational status up down upper bound 2 0 2 See show ipse...

Страница 326: ...port profile show l2tp destination profile Use to display configuration information for an L2TP destination profile and its associated L2TP host profiles If single shot tunnels are configured for a pa...

Страница 327: ...w l2tp destination profile westford L2TP destination profile westford Configuration Destination address Transport ipUdp Virtual router default Peer address 172 31 1 99 Statistics Destination profile c...

Страница 328: ...Copyright 2010 Juniper Networks Inc 302 JunosE 11 2 x IP Services Configuration Guide...

Страница 329: ...here mobility is desired and the traditional land line dial in model does not provide an adequate solution and in environments where a wireless technology is used NOTE Currently JunosE Software does n...

Страница 330: ...request an agent advertisement from the mobile node through Internet Control Message Protocol ICMP router solicitations Mobile IP Registration The home agent receives the registration requests on UDP...

Страница 331: ...e security association MD 5 key for a specified user or a group of users domain Authentication is accomplished either by generating an authentication authorization and accounting AAA access request or...

Страница 332: ...agent When Mobile IP obtains all of the parameters required for interface creation including the tunnel ID and the authentication context it directs the subscriber management application to create th...

Страница 333: ...Guide Table 1 Modules and IOAs for detailed module specifications See E120 and E320 Module Guide Appendix A IOA Protocol Support for information about the modules that support the Mobile IP home agen...

Страница 334: ...tion server host1 test config radius authentication server 10 209 13 234 host1 test config radius key secret host1 test config radius udp port 1812 host1 test config radius radius update source addr 1...

Страница 335: ...replay timestamp within 255 algorithm hmac md5 Assign an interface profile for the Mobile IP home agent host1 test config ip mobile profile testProfile ip mobile home agent Use to configure the Mobile...

Страница 336: ...security associations include the aaa keyword To specify the access control list applied to the care of address that restricts access for foreign agents or networks include the care of access keyword...

Страница 337: ...eyword followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII key use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters...

Страница 338: ...followed by a 32 character 128 bit hexadecimal value in the range 0x0 0xFFFFFFFE To specify an ASCII key use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters 128 bi...

Страница 339: ...the mobile node home address or NAI Example host1 clear ip mobile binding nai john yahoo com There is no no version See clear ip mobile binding show ip mobile binding Use to display the binding table...

Страница 340: ...ation of the home agent in the virtual router Field descriptions Access list name Name of the access control list applied to the care of address that restricts access for foreign agents or networks Re...

Страница 341: ...ner com Home IP MN NAI address Lifetime Care Of Access Aaa Configured warner com 36000 no See show ip mobile host show ip mobile profile Use to display the interface profile name associated with the h...

Страница 342: ...Home IP address IP address of the mobile node host SPI Security parameter index SPI key for authenticating registration requests Algorithm Algorithm hmac md5 or keyed md5 for authenticating Mobile IP...

Страница 343: ...roadcast or B bit being set without the corresponding D bit or a denial by the registration filters No Resources Number of registration requests rejected due to insufficient resources such as a full b...

Страница 344: ...ffic show license mobile ip home agent Use to display the license key for the home agent Field descriptions Mobile IP license is Mobile IP license key associated with the home agent and the maximum nu...

Страница 345: ...PART 2 Index Index on page 321 319 Copyright 2010 Juniper Networks Inc...

Страница 346: ...Copyright 2010 Juniper Networks Inc 320 JunosE 11 2 x IP Services Configuration Guide...

Страница 347: ...uthentication 219 225 B baseline commands baseline ip 84 baseline ip mobile home agent 313 baseline ip tunnel reassembly 272 baseline setting Mobile IP home agent 313 tunnel reassembly 272 BFD Bidirec...

Страница 348: ...cast Routing Protocol reassembly of tunnel packets 270 tunnels 238 dvmrp destination profile command 257 DVMRP with IPSec how it works 288 setting up secure connection 288 dynamic IP tunnels configuri...

Страница 349: ...refix trees 35 ip commands ip as path access list 22 ip bgp community new format 38 ip community list 39 ip prefix list 20 32 ip prefix tree 20 35 ip refresh route 47 ip route 32 ip tunnel reassembly...

Страница 350: ...ipsec option dpd 143 ipsec option nat t 286 ipsec option tx invalid cookie 151 ipsec transform set 141 key 141 masked key 141 See also show ipsec commands IPSec identity commands common name 213 coun...

Страница 351: ...ofile 285 l2tp ignore receive data sequencing 271 L2TP with IPSec 169 275 client software supported 279 compatibility 279 configuring client PC 284 E Series router 284 288 IPSec transport profiles 289...

Страница 352: ...h mode 280 references 62 static address translation defining 69 terms 64 inside global address 64 inside local address 64 outside global address 64 outside local address 64 timeouts defining 75 transl...

Страница 353: ...eyword 4 filtering incoming outgoing routes with access lists 24 instance 4 map tag 4 match clause 4 monitoring 49 permit keyword 4 sequence number 4 set clause 4 route map command 13 routing policy c...

Страница 354: ...t inside rule 85 show ip nat outside rule 85 show ip nat statistics 85 show ip nat translations 85 show ipsec commands show ike certificates 228 show ike configuration 228 show ike identity 228 show i...

Страница 355: ...nation 143 tunnel destination backup 148 tunnel lifetime 143 tunnel local identity 143 tunnel mtu 143 tunnel peer identity 143 tunnel pfs group 143 tunnel session key inbound 143 tunnel session key ou...

Страница 356: ...Copyright 2010 Juniper Networks Inc 330 JunosE 11 2 x IP Services Configuration Guide...

Отзывы:

Нет отзывов

Похожие инструкции для JUNOSE 11.2.X IP SERVICES

EOS-1D Mark II Digial

Бренд: Canon Страницы: 2

DATA SYNCHRONIZER

Бренд: Novell Страницы: 50

Бренд: Novation Страницы: 93

DATA SYNCHRONIZER - UPDATE 1

Бренд: Novell Страницы: 9

Бренд: CenturyLink Страницы: 24

Бренд: Muratec Страницы: 13

PARTNER ACS R5.0

Бренд: Avaya Страницы: 32

Бренд: ViewSonic Страницы: 2

VB Directory System

Бренд: VBrick Systems Страницы: 21

StreamPlayer v4.4

Бренд: VBrick Systems Страницы: 32

Бренд: Intel Страницы: 212

Бренд: 3Com Страницы: 144

Бренд: AMX Страницы: 16

Бренд: GRASS VALLEY Страницы: 2

Бренд: GRASS VALLEY Страницы: 60

Бренд: Altigen Страницы: 34

057B1-41A111-1001 - AutoCAD LT 2010

Бренд: Autodesk Страницы: 574

ANTI-VIRUS 5.6 - FOR MICROSOFT ISA SERVER 2000 ENTERPRISE...

Бренд: KAPERSKY Страницы: 104

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды