Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual

JUNOSe
Software
for E Series
Broadband Services Routers
IP Services Configuration Guide
Release 11.1.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Published: 2010-04-04


Summary of Contents for Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
  • Page 4 (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 http://www.gnu.org/licenses/gpl.html...
  • Page 5 agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein.
  • Page 7 Abbreviated Table of Contents About the Documentation xxiii Part 1 Chapters Chapter 1 Configuring Routing Policy Chapter 2 Configuring NAT Chapter 3 Configuring J-Flow Statistics Chapter 4 Configuring BFD Chapter 5 Configuring IPSec Chapter 6 Configuring Dynamic IPSec Subscribers Chapter 7 Configuring ANCP Chapter 8 Configuring Digital Certificates...
  • Page 9: Table Of Contents

    Table of Contents About the Documentation xxiii E Series and JUNOSe Documentation and Release Notes ......xxiii Audience ....................xxiii E Series and JUNOSe Text and Syntax Conventions ........xxiii Obtaining Documentation ................xxv Documentation Feedback ................xxv Requesting Technical Support ..............xxv Self-Help Online Tools and Resources ..........xxvi Opening a Case with JTAC ..............xxvi Part 1 Chapters...
  • Page 10 Using the Null Interface .................33 Prefix Lists ....................33 Using a Prefix List ...................34 Prefix Trees ....................36 Using a Prefix Tree .................37 Community Lists ...................38 Extended Community Lists ..............42 Using Regular Expressions ................44 AS-path Lists ...................44 Community Lists ..................45 Community Numbers ................45 Metacharacters ..................45...
  • Page 11 Defining Static Address Translations .............72 Creating Static Inside Source Translations ..........72 Creating Static Outside Source Translations ..........73 Defining Dynamic Translations ..............74 Creating Access List Rules ...............74 Defining Address Pools ................75 Defining Dynamic Translation Rules ............76 Creating Dynamic Inside Source Translation Rules ......77 Creating Dynamic Outside Source Translation Rules ......77 Defining Translation Timeouts ..............78 Clearing Dynamic Translations ..............79...
  • Page 12 Monitoring J-Flow Statistics .................106 Clearing J-Flow Statistics ...............106 J-Flow show Commands ...............106 Chapter 4 Configuring BFD Bidirectional Forwarding Detection Overview ..........113 How BFD Works ...................114 Negotiation of the BFD Liveness Detection Interval ......114 BFD Platform Considerations ..............116 BFD References ...................116 Configuring a BFD License ................117 BFD Version Support ...................117...
  • Page 13 IKE Overview ....................140 Main Mode and Aggressive Mode ............141 Aggressive Mode Negotiations ............141 IKE Policies ...................142 Priority ...................142 Encryption ..................143 Hash Function ................143 Authentication Mode ..............143 Diffie-Hellman Group ..............144 Lifetime ..................144 IKE SA Negotiation ................144 Generating Private and Public Key Pairs ..........144 Configuration Tasks ..................145 Configuring an IPSec License ..............145 Configuring IPSec Parameters ...............146...
  • Page 14 Defining IPSec Security Association Lifetime Parameters ......186 Defining User Reauthentication Protocol Values ........187 Specifying IPSec Security Association Transforms ........188 Specifying IPSec Security Association PFS and DH Group Parameters ..................188 Defining the Tunnel MTU ..............189 Defining IKE Policy Rules for IPSec Tunnels ..........189 Specifying a Virtual Router for an IKE Policy Rule .........189 Defining Aggressive Mode for an IKE Policy Rule ........190...
  • Page 15 Chapter 8 Configuring Digital Certificates Overview .....................213 Digital Certificate Terms and Acronyms ..........213 Platform Considerations ................214 References ....................214 IKE Authentication with Digital Certificates ..........215 Signature Authentication ...............215 Generating Public/Private Key Pairs ............216 Obtaining a Root CA Certificate ............216 Obtaining a Public Key Certificate ............217 Offline Certificate Enrollment ............217 Online Certificate Enrollment ............217...
  • Page 16 Combining Dynamic and Static IP Tunnels in the Same Chassis ...263 Changing and Removing Existing Dynamic IP Tunnels ......263 Platform Considerations ................263 Module Requirements ................264 ERX7xx Models, ERX14xx Models, and the ERX310 Router ...264 E120 Router and E320 Router ............264 Redundancy and Tunnel Distribution ............265 References ....................265...
  • Page 17 Configuring and Monitoring NAT-T ..........295 Single-Shot Tunnels ................295 Configuration Tasks for Client PC ............296 Configuration Tasks for E Series Routers ..........297 Enabling IPSec Support for L2TP ............297 Configuring NAT-T ................298 Configuring Single-Shot Tunnels ............299 GRE/IPSec and DVMRP/IPSec Tunnels ............300 Setting Up the Secure GRE or DVMRP Connection ........301 Configuration Tasks ................301 Enabling IPSec Support for GRE and DVMRP Tunnels ......301...
  • Page 19: List Of Figures

    List of Figures Part 1 Chapters Chapter 1 Configuring Routing Policy Figure 1: Applying Route Maps to Routes ............6 Figure 2: Filtering with Access Lists ...............23 Figure 3: Filtering with AS-Path Access Lists ..........24 Figure 4: Route Map Filtering ................25 Figure 5: Community Lists ................40 Chapter 2 Configuring NAT...
  • Page 21 List of Tables About the Documentation xxiii Table 1: Notice Icons ..................xxiv Table 2: Text and Syntax Conventions ............xxiv Part 1 Chapters Chapter 1 Configuring Routing Policy Table 3: Match and Set Policy Values ............32 Table 4: Action Based on Well-Known Community Membership ....38 Table 5: Supported Regular Expression Metacharacters ........45 Table 6: Sample Regular Expressions ............47 Chapter 4...
  • Page 23: About The Documentation

    If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes. To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/...
  • Page 24: Table 1: Notice Icons

    Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser.
  • Page 25: About The Documentation

    CD-ROMs or DVD-ROMs, see the Offline Documentation page at http://www.juniper.net/techpubs/resources/cdrom.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 26: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 27: Chapters

    Part 1 Chapters Configuring Routing Policy on page 3 Configuring NAT on page 63 Configuring J-Flow Statistics on page 95 Configuring BFD on page 113 Configuring IPSec on page 125 Configuring Dynamic IPSec Subscribers on page 177 Configuring ANCP on page 193 Configuring Digital Certificates on page 213 Configuring IP Tunnels on page 245 Configuring Dynamic IP Tunnels on page 261...
  • Page 29: Configuring Routing Policy

    Chapter 1 Configuring Routing Policy This chapter provides information about configuring routing policy for your E Series router. It describes routing policy configuration in general as it might be used with various routing protocols, such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Routing Information Protocol (RIP).
  • Page 30: Platform Considerations

    For information about the modules supported on E Series routers: See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 31: Route Map Configuration Example

    Set clauses define how the attributes are modified for matching routes. The set conditions apply only to routes that pass all the match conditions (or a route map with no match conditions). When a route passes all the match conditions, the router software applies all set conditions.
  • Page 32: Multiple Values In A Match Entry

    Figure 1: Applying Route Maps to Routes You can use a route map to filter routes based on the autonomous system (AS) path to accomplish this goal. Use the following commands to configure router NY: host1(config)#router bgp 293 host1(config-router)#network 192.168.5.0 mask 255.255.255.0 host1(config-router)#neighbor 10.5.5.2 remote-as 32...
  • Page 33: Negating Match Clauses

    A clause with multiple values matches a route that has any of the values; that is, the multiple values are logical ORed. host1(config-route-map)#match ip address lisbon madrid host1(config-route-map)#match as-path 10 20 30 You can also issue successive match commands to add new values to a route map entry for any of the commands listed above.
  • Page 34: Matching A Community List Exactly

    If you instead issue the following commands, the specified value is deleted: host1(config-route-map)#no match community dade2 host1(config-route-map)#exit host1(config)#exit host1#show route-map route-map miami, permit, sequence 10 Match clauses: match community corporate5 Issue either of the following commands to delete the entire match community entry: host1(config-route-map)#no match community host1(config-route-map)#no match community corporate5 dade2 Matching a Community List Exactly...
  • Page 35: Matching A Policy List

    You can, however, remove the lists with the set comm-list delete command if you created them separately with the following commands: host1(config)#ip community list 1 permit 231:10 host1(config)#ip community list 1 permit 231:20 Matching a Policy List You can use the match policy-list command to reference a policy list within the route map.
  • Page 36 For more information about multicast admission control or QoS adjustment, see Configuring IPv4 Multicast or chapter Configuring IPv6 Multicast in JUNOSe Multicast Routing Configuration Guide. match as-path Use to match an AS-path access list. The implemented weight is based on the first matched AS path.
  • Page 37 Example host1(config-route-map)#match extcommunity topeka10 Use the no version to remove the match clause from a route map or a specified value from the match clause. See match extcommunity. match ip address Use to match any route that has a destination network number that is permitted by an access list, a prefix list, or a prefix tree, or that performs policy routing on packets.
  • Page 38 host1(config-route-map)#match ipv6 next-hop prefix-list next1 Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map.
  • Page 39 Use the no version to delete the match clause from a route map. See match metric-type. match policy-list Use to reference a policy list that has the specified name. Example host1(config-route-map)#match policy-list list1 Use the no version to remove the match clause from a route map. See match policy-list.
  • Page 40 Use to define the conditions for redistributing routes from one routing protocol to another, and for filtering or modifying updates sent to or received from peers. Each route-map command has a list of match and set commands associated with it.
  • Page 41 set comm-list delete Use to remove communities specified by the community list from the community attribute of routes that match the route map. You can use this command to delete communities only if the community list was created with a single community per list entry, as the following sample configuration for router host1 shows: host1(config)#ip community-list 1 permit 231:10...
  • Page 42 Use to enable BGP route flap dampening only on routes that pass the match clauses of, and are redistributed by, a particular route map. BGP creates a dampening parameter block for each unique set of dampening parameters such as suppress threshold, reuse threshold, and so on used by BGP.
  • Page 43 On inbound route maps, overrides any third-party next-hop configuration by setting the next hop to the IP address of the peer. Example host1(config-route-map)#set ip next-hop 192.56.32.1 Use the no version to delete the set clause from a route map. See set ip next-hop.
  • Page 44 To establish a relative metric, specify a plus or minus sign immediately preceding the metric value. The value is added to or subtracted from the metric of any routes matching the route map. The relative metric value range is 0–4294967295. Example host1(config-route-map)#set metric -25 You cannot use both an absolute metric and a relative metric within the same...
  • Page 45 set origin Use to set the BGP origin of the advertised route. Example host1(config-route-map)#set origin egp Use the no version to delete the set clause from a route map. See set origin. set route-class Use to set the route class value. The route-class attribute enables you to associate a route class with incoming packets based on the destination or source address of the packet.
  • Page 46: Match Policy Lists

    Use to specify the BGP weight for the routing table. The weights assigned with the set weight command in a route map override the weights assigned using the neighbor weight and neighbor filter-list weight commands.
  • Page 47: Access Lists

    host1(config-match-policy-list)# Use the no version to delete the match policy list. See ip match-policy-list. Access Lists An access list is a sequential collection of permit and deny conditions that you can use to filter inbound or outbound routes. You can use different kinds of access lists to filter routes based on either the prefix or the AS path.
  • Page 48: Configuration Example 2

    permit ip any any The implicit deny rule does not appear in the display for access list 3, because any prefix matches access list 3. Configuration Example 2 The following example demonstrates how to use a route map and an access list to redistribute static routes to IS-IS.
  • Page 49: Filtering As Paths

    Figure 2: Filtering with Access Lists The following commands configure router Boston to apply access list reject1 to routes inbound from router SanJose. Access list reject1 rejects routes matching 172.24.160.0/19. host1(config)#router bgp 17 host1(config-router)#neighbor 10.5.5.4 remote-as 873 host1(config-router)#neighbor 10.5.5.4 distribute-list reject1 in host1(config-router)#exit host1(config)#access-list reject1 permit 172.24.48.0 0.0.255...
  • Page 50: Configuration Example 1

    Configuration Example 1 Consider the network structure in Figure 3 on page 24. Suppose you want router London to behave in the following way: Accept routes originated in AS 621 only if they pass directly to router London. Accept routes originated in AS 11 only if they pass directly to router London.
  • Page 51: Using Access Lists In A Route Map

    AS-path access list 2 is applied to routes that router London receives from router Berlin. Router London rejects routes with the AS path 621 11 or 621 282 11. Router London accepts routes with the AS path 282 11, 282 621, 282 621 11, or 282 11 621.
  • Page 52 host1(config-router)#neighbor 10.2.2.4 route-map 1 in host1(config-router)#exit host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 weight 50 host1(config-router)#neighbor 10.5.5.2 route-map 2 in host1(config)#route-map 1 permit 1 host1(config-route-map)#match as-path 1 host1(config-route-map)#set weight 25 host1(config-route-map)#exit host1(config)#ip as-path access-list 1 permit [ 32 837 ] host1(config)#route-map 2 permit 1 host1(config-route-map)#match as-path 2 host1(config-route-map)#set weight 175...
  • Page 53 Use to enable RIP, OSPF, or BGP to advertise a default route (0.0.0.0/0) that exists in the IP routing table. If you specify the always option for OSPF, OSPF generates a default route if it does not exist in the IP routing table and advertises it.
  • Page 54 Use the no version to delete an IPv6 access list (no other options specified), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword). See ipv6 access-list.
  • Page 55: Using Access Lists For Pim Join Filters

    Use the out keyword to assign the prefix list to outgoing routes (outbound policy); you cannot configure a member of a peer group to override the inherited peer group characteristic for outbound policy. Example host1(config-router)#neighbor 192.168.1.158 prefix-list seoul19 in Use the no version to remove the prefix list.
  • Page 56 Create the various access list services you want to use with the PIM join filter command. host1(config)#! create bronze service host1(config)#! - restrict SSM channels to 232.0.1/24 only host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255 host1(config)#access-list bronze permit ip host 1.1.1.1 232.0.1.0 0.0.0.255 host1(config)#access-list bronze permit ip host 2.2.2.2 232.0.1.0 0.0.0.255 host1(config)#...
  • Page 57: Clearing Access List Counters

    Enable PIM sparse mode on another subinterface and assign the gold join filter. host1(config-if)#interface atm 3/0.103 host1(config-if)#ip address 103.0.0.1 255.255.255.255 host1(config-if)#ip pim sparse-mode host1(config-if)#ip pim join-filter gold For information about the ip pim join-filter command, see Configuring PIM for IPv4 Multicast in JUNOSe Multicast Routing Configuration Guide.
  • Page 58: Table 3: Match And Set Policy Values

    Table 3: Match and Set Policy Values Match ip address metric metric distance distance For example, you can configure an access list and route map to filter, based on IP address, any routes that appear in the routing table: host1(config)#ip access-route table-map just10net host1(config)#access-list permit10 permit 10.0.0.0 0.255.255.255 host1(config)#access-list permit10 deny any...
  • Page 59: Using The Null Interface

    host1(config)#ipv6 static-route table-map map4 Use the no version to delete the table map. See ip static-route table-map. See ipv6 static-route table-map. Using the Null Interface You can use access control lists to filter undesired traffic. Another way to handle undesired traffic is to send it to the null interface.
  • Page 60: Using A Prefix List

    or rejects the address. Because the router stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the router rejects the address. An empty prefix list results in an automatic permit of the tested address. Unlike access lists, the prefix list specifies a base IP or IPv6 address and a length (the number of bits applied to the base to determine the network prefix).
  • Page 61 Use to create a prefix list for route filtering and to specify a list entry (a deny or permit clause for a network address) in the prefix list. Use to add entries to prefix lists. The prefix list name can be up to 32 characters long.
  • Page 62: Prefix Trees

    Use the no version to delete all address match clauses from a route map unless you specify an access list or prefix list, in which case only the list match is removed from the route map. See match ipv6 address.
  • Page 63: Using A Prefix Tree

    Use the ip prefix-tree command to define an IP prefix tree. Use the prefix-tree keyword with the match ip address or match ip next-hop commands to add a clause to a route map. Use the match-set summary prefix-tree command to specify the prefix tree that summarizes routes for a particular route map.
  • Page 64: Community Lists

    Use with the prefix-tree keyword to match routes that have a next-hop router address passed by the specified prefix tree. Example host1(config-route-map)#match ip next-hop prefix-tree xyz Use the no version to delete the match clause from a route map or a specified value from the match clause.
  • Page 65 Table 4: Action Based on Well-Known Community Membership (continued) Well-Known Community BGP Device Action local-as (also known as no-export-subconfed) Does not advertise the route to any external peers internet Advertises this route to the Internet community; by default, all prefixes are members of the Internet community In addition to the well-known communities, you can define local-use communities, also known as private communities or general communities.
  • Page 66 Figure 5: Community Lists Suppose you want router Albany to set metrics for routes that it forwards to router Boston based on the communities to which the routes belong. You can create community lists and filter the routes with a route map that matches on the community list.
  • Page 67 ip bgp-community new-format Use to specify that communities must be displayed in AA:NN format, where AA is a number that identifies the autonomous system and NN is a number that identifies the community within the autonomous system. Example host1(config)#ip bgp-community new-format Use the no version to restore the default display.
  • Page 68: Extended Community Lists

    set community Use to set the community attribute in BGP updates. You can specify a community list number in the range 1–4294967295, or in the new community format of AA:NN, or you can specify one of the following well-known communities: local-as Prevents advertisement outside the local AS no-advertise Prevents advertisement to any peer...
  • Page 69 You can specify one or more community values when you create an extended community list. A clause in a route map that includes a list that has more than one value matches only a route that has all of the values; that is, the multiple values are logical ANDed.
  • Page 70: Using Regular Expressions

    You can specify both a route target community and a site-of-origin community at the same time in a set clause without them overwriting each other. Example host1(config)#route-map 1 host1(config-route-map)#set extcommunity rt 10.10.10.2:325 Use the no version to remove the set clause from the route map. See set extcommunity.
  • Page 71: Community Lists

    Community Lists For a community list, the input string is the community attribute of the routes to which the list is applied using a route-map command. If the community attribute matches the regular expression in the community list, the route matches the community list.
  • Page 72: Using Metacharacters As Literal Tokens

    Table 5: Supported Regular Expression Metacharacters (continued) Metacharacter Description Matches zero or one sequence of the immediately previous character or pattern. Specifies patterns for multiple use when followed by one of the multiplier metacharacters: asterisk (*), plus sign (+), or question mark (?). Matches any enclosed character;...
  • Page 73: Regular Expression Examples

    Regular Expression Examples Table 6 on page 47 lists some representative regular expressions that you might use in an AS-path access list or community list, along with sample attribute values that match or do not match the regular expression. Table 6: Sample Regular Expressions Regular Matched AS-Path or Community...
  • Page 74 Table 6: Sample Regular Expressions (continued) Regular Matched AS-Path or Community Expression Attribute Example 1(37)+ Includes a sequence that has a numeral 1373737 29 44 37137 78 1 immediately followed by one or more 137 42 21 instances of the pattern 37 but not...
  • Page 75: Managing The Routing Table

    Table 6: Sample Regular Expressions (continued) Regular Matched AS-Path or Community Expression Attribute Example {41 19} (AS-path attribute only) Includes the {41 19} 53 76 {41 19} 17 AS-set or AS-seq {41 19} 255 {41 19} but not 3 41 19 41 19 532 101 102 | 103 105...
  • Page 76: Troubleshooting Routing Policy

    JUNOSe 11.1.x IP Services Configuration Guide There is no no version. See ip refresh-route. Troubleshooting Routing Policy You can turn on debugging for routing policy by issuing the log severity debug ipRoutePolicy command from Global Configuration mode. You can specify different levels of severity for ipRoutePolicy.
  • Page 77 Chapter 1: Configuring Routing Policy Use to display information about access lists. The displayed information includes the instances of each access list. Use the detail keyword to display the automatically assigned element ID for each access list entry. Only rules that you explicitly create have element IDs. Example 1 host1#show access-list IP Access List 1:...
  • Page 78 JUNOSe 11.1.x IP Services Configuration Guide Use to display community list information. Display varies based on whether you issued the ip bgp community new-format command. Example 1 If you did not issue the ip bgp community new-format command, the display appears as follows: host1#show ip community-list Community List 1: permit...
  • Page 79 Chapter 1: Configuring Routing Policy See show ip match-policy-list. show ip prefix-list Use to display information about the prefix lists currently configured on the router. Use the summary keyword to display abbreviated information about prefix lists. Example 1 host1#show ip prefix-list Prefix-list with the last deletion/insertion: def ip prefix-list name abc: 4 entries seq 5 permit 192.168.0.0/16 le 24...
  • Page 80 JUNOSe 11.1.x IP Services Configuration Guide Prefix-tree with the last deletion/insertion: t_abc5 ip prefix-tree name t_abc1: count: 1 ip prefix-tree name t_abc2: count: 5 ip prefix-tree name t_abc3: count: 1 See show ip prefix-tree. show ip protocols Use to display detailed information about the protocols currently configured on the router.
  • Page 81 Chapter 1: Configuring Routing Policy show ip redistribute Use to display configured route redistribution policy. Field descriptions To Protocol into which routes are distributed From Protocol from which routes are distributed status Redistribution status route map number Number of the route map Example host1#show ip redistribute To ospf, From static is enabled with route map 4...
  • Page 82 JUNOSe 11.1.x IP Services Configuration Guide
    172.16.2.0/24    192.168.1.102   20/1   fastEthernet0/0
    10.10.0.112/32   Static    192.168.1.1   fastEthernet0/0
    10.1.1.0/24      Connect   10.1.1.1      atm3/0.100
    Example 2
    host1#show ip route static
    Protocol/Route type codes:
    I1- ISIS level 1, I2- ISIS level2, I- route type intra, IA- route type inter,
    E- route type external, i- metric type internal, e- metric type external,
    O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2...
  • Page 83 Chapter 1: Configuring Routing Policy
    Last route added/deleted: 2::4/128 by BGP Tunnel At MON FEB 04 2008 14:18:26 UTC
    See show ip route.
    show ip route slot
    Use to display the interface and next hop for an IP address in the routing table of a line module specified by the slot it occupies.
  • Page 84 JUNOSe 11.1.x IP Services Configuration Guide
    Prefix: IP address prefix
    Length: Prefix length
    Next Hop: IP address of the next hop
    Met: Number of hops
    Dist: Administrative distance or weight assigned to the route
    Tag: Tag value assigned to the route
    Intf: Interface type and interface specifier
    Example
    host1#show ip static...
  • Page 85 Chapter 1: Configuring Routing Policy
    IP Statistics Sent:
    forwarded: Number of packets forwarded
    generated: Number of packets generated
    out disc: Number of outbound packets discarded
    no routes: Number of packets that could not be routed
    routing discards: Number of packets that could not be routed that were discarded
    IP Statistics Route:
    routes in table: Number of routes in the routing table...
  • Page 86 JUNOSe 11.1.x IP Services Configuration Guide
    time excd: Number of packets sent with time-to-live exceeded
    param prob: Number of packets sent with parameter errors
    src quench: Number of source quench packets sent
    redirects: Number of send packet redirects sent
    echo req: Number of echo request (ping) packets sent
    echo rpy: Number of echo replies sent
    timestamp req: Number of requests for a timestamp sent
    timestamp rpy: Number of replies to timestamp requests sent...
  • Page 87 Chapter 1: Configuring Routing Policy
    short pkts: Number of short packets received
    duplicate pkts: Number of duplicate packets received
    out of order pkts: Number of packets received out of order
    TCP Global Statistics Sent:
    total pkts: Total number of TCP packets sent
    data pkts: Number of data packets sent
    bytes: Number of bytes sent
    retransmitted pkts: Number of packets retransmitted...
  • Page 88 JUNOSe 11.1.x IP Services Configuration Guide
    Sent: 82318 total pkts, 44381 data pkts, 656321 bytes
          34 retransmitted pkts, 487 retransmitted bytes
    OSPF Statistics:
    IGMP Statistics:
    ARP Statistics:
    See show ip traffic.
    show route-map
    Use to display the configured route maps. The displayed information includes the instances of each access list, such as match and set commands.
  • Page 89: Configuring Nat

    Chapter 2 Configuring NAT This chapter describes how to configure Network Address Translation (NAT) on your ERX router; it contains the following sections: Overview on page 63 Platform Considerations on page 64 References on page 64 NAT Configurations on page 65 Network and Address Terms on page 66 Understanding Address Translation on page 67 Address Assignment Methods on page 68...
  • Page 90: Platform Considerations

    JUNOSe 11.1.x IP Services Configuration Guide NAT enables you to translate IP addresses between two address realms (for example, between an intranet network that uses private, not publicly routable addresses and the Internet, or between two overlapping, private networks). When incoming traffic is received, the IP addresses are translated back for delivery within the private network.
  • Page 91: Nat Configurations

    Chapter 2: Configuring NAT
    RFC 2993, Architecture Implications of NAT (November 2000)
    RFC 3022, Traditional IP Network Address Translator (Traditional NAT) (January 2001)
    RFC 3027, Protocol Complications with the IP Network Address Translator (January 2001)
    NAT Configurations
    You can configure NAT in several different ways. Each of the following configuration methods provides a solution for different configuration requirements: Traditional NAT, Bidirectional NAT...
  • Page 92: Napt

    JUNOSe 11.1.x IP Services Configuration Guide NAPT Network Address Port Translation (NAPT) extends the level of translation beyond that of basic NAT; it modifies both the IP address and the transport identifier (for example, the TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation).
  • Page 93: Inside Local Addresses

    Chapter 2: Configuring NAT From a NAT perspective, an inside network is the local portion of a network that uses private, not publicly routable IP addresses that you want to translate. An outside network is the public portion of a network that uses legitimate, publicly routable IP addresses to which you want private hosts to connect.
  • Page 94: Outside Source Translation

    JUNOSe 11.1.x IP Services Configuration Guide For outbound traffic, the NAT router translates the inside local address (or address/port) into the inside global address (or address/port), either through a statically defined translation or dynamically created translation. For inbound traffic, a translation must be found to revert the inside global address (or address/port) into the inside local address (or address/port), or the packet is not routed into the inside network.
  • Page 95: Dynamic Translations

    Chapter 2: Configuring NAT
    Dynamic Translations
    Dynamic translations use access list rules to determine whether to apply NAT to incoming traffic, and NAT address pools from which a NAT translation can obtain IP addresses. You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
  • Page 96: Pptp And Gre Tunneling Through Nat

    JUNOSe 11.1.x IP Services Configuration Guide PPTP and GRE Tunneling Through NAT You can configure NAT traversal support for GRE flows using simple translations (Basic NAT). Because PPTP uses an enhanced GRE encapsulation for the PPP payload, configuring for GRE flows also supports NAT traversal for PPTP tunnels. NOTE: Neither port translation (NAPT) nor Firewall traversal for GRE packets is supported for GRE flows.
  • Page 97: Configuring A Nat License

    Use to specify a NAT license. Purchase a NAT license to allow NAT configuration on the ERX router.
    NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.
    Example
    host1(config)#license nat license-value
    Use the no version to disable the license.
  • Page 98: Defining Static Address Translations

    JUNOSe 11.1.x IP Services Configuration Guide
    CAUTION: Only packets routed between an inside and an outside interface are subject to translation.
    You can unmark an interface by using the no version of this command.
    ip nat
    Use to mark an IP interface as participating in NAT translation. Use the keyword (inside or outside) to specify the side of the network on which the interface resides.
  • Page 99: Creating Static Outside Source Translations

    Chapter 2: Configuring NAT Use to create static translations for a source address (or address/port pair) when routing a packet from the inside network to the outside network, and to untranslate the destination address (or address/port pair) when a packet returns from the outside network to the inside network.
  • Page 100: Defining Dynamic Translations

    JUNOSe 11.1.x IP Services Configuration Guide
    Defining Dynamic Translations
    Dynamic translations use access list rules to determine whether or not to apply NAT to incoming traffic, and NAT address pools from which a NAT translation can allocate IP addresses. You use dynamic translation when you want the NAT router to initiate and manage address translation and session flows between address realms on demand.
  • Page 101: Defining Address Pools

    Chapter 2: Configuring NAT
    host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
    Use the no version to delete the access list (by not specifying any other options), the specified entry in the access list, or the log for the specified access list or entry (by specifying the log keyword).
  • Page 102: Defining Dynamic Translation Rules

    JUNOSe 11.1.x IP Services Configuration Guide
    Use the no version to remove the range for the current address pool. See address.
    ip nat pool
    Use to create address pools.
    Example 1 Creating a single, continuous range
    host1(config)#ip nat pool singlerange 171.69.40.1 171.69.40.100 prefix-length 30
    Example 2 Creating multiple, discontinuous ranges
    host1(config)#ip nat pool multiplerange prefix-length 30...
  • Page 103: Creating Dynamic Inside Source Translation Rules

    Chapter 2: Configuring NAT When an address pool is empty, the NAT router drops the packet. Access lists and pools do not have to exist when you are defining dynamic translation rules; you may create them after you define the dynamic translations. Creating Dynamic Inside Source Translation Rules Use the ip nat inside source list command to create a dynamic inside source translation rule.
  • Page 104: Defining Translation Timeouts

    JUNOSe 11.1.x IP Services Configuration Guide
    ip nat outside source list
    Use to create dynamic translation rules that specify when to create a translation for a source address when routing a packet from the outside network to the inside network.
    Example
    host1(config)#ip nat outside source list translation1 pool pool1
    Use the no version to remove the dynamic translation rule;...
  • Page 105: Clearing Dynamic Translations

    Chapter 2: Configuring NAT
    Use to change translation timeouts for existing and newly created translations in the translation table. All timeouts for this command support a maximum value of 2147483 seconds (about 25 days).
    Example
    host1(config)#ip nat translation timeout 23200
    Use the no version to reset the timer to its default value.
  • Page 106: Figure 6: Napt Example

    JUNOSe 11.1.x IP Services Configuration Guide Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation). Figure 6: NAPT Example The address pool consists of three addresses (the number of addresses is small, because NAPT is used).
  • Page 107: Bidirectional Nat Example

    Chapter 2: Configuring NAT
    host1:blue(config)#ip nat inside source static tcp 190.22.8.18 21 190.22.8.18
    Create the address pool for dynamic translations.
    host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24
    Create the access list for addresses eligible for dynamic translation.
    host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
    host1:blue(config)#access-list justcorp permit 10.10.2.0 0.0.0.255
    Create the NAPT dynamic translation rule.
  • Page 108: Figure 7: Bidirectional Nat Example

    JUNOSe 11.1.x IP Services Configuration Guide
    Figure 7: Bidirectional NAT Example
    To configure this example:
    Enter the correct virtual router context.
    host1(config)#virtual-router blue
    Mark the inside interface.
    host1:blue(config)#interface serial 1/1:1/1
    host1:blue(config-interface)#ip nat inside
    host1:blue(config-interface)#exit
    Mark the outside interface.
    host1:blue(config)#interface gigabitEthernet 3/0.1
    host1:blue(config-interface)#ip nat outside
    host1:blue(config-interface)#exit
    Create the translation for the DNS.
  • Page 109: Twice Nat Example

    Chapter 2: Configuring NAT
    host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0
    NOTE: The null route applies to 192.32.6.0 and 192.32.6.1, which do not exist in the address pool.
    Twice NAT Example
    Twice NAT is often useful when the inside network is using a nonprivate address space (unregistered usage of global address space) and you want it to connect to the public network.
  • Page 110 JUNOSe 11.1.x IP Services Configuration Guide
    host1:blue(config-interface)#exit
    Create the address pool for inside source translations.
    host1:blue(config)#ip nat pool entAoutpool 12.220.1.0 12.220.255.255 prefix-length 16
    NOTE: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.
    Create the access list for addresses eligible for dynamic translation.
  • Page 111: Cross-Vrf Example

    Chapter 2: Configuring NAT
    Configure a null route for the inside global addresses to prevent routing loops when no matching translation exists.
    host1:blue(config)#ip route 12.220.1.0 255.255.0.0 null 0
    Cross-VRF Example
    In MPLS VPN configurations, you might want to offer public Internet access to VPN subscribers.
  • Page 112: Tunnel Configuration Through Nat Examples

    JUNOSe 11.1.x IP Services Configuration Guide
    host1:vr1(config-interface)#ip demux-type da-prefix
    host1:vr1(config-interface)#exit
    Create the address pool for dynamic translations.
    host1:vr1(config)#virtual-router vr1:vrf11
    host1:vr1:vrf11(config)#ip nat pool entApool 128.13.44.0 128.13.44.255 prefix-length 24
    Create the access list for addresses eligible for dynamic translation.
    host1:vr1:vrf11(config)#access-list entA permit 10.16.5.0 0.0.0.255
    Create the dynamic translation rule.
  • Page 113: Clients On An Inside Network

    Chapter 2: Configuring NAT Clients on an Inside Network In this example, a subscriber on the inside network is initiating PPTP tunnels to a PPTP server located in the outside network. The PPTP connection to the server traverses an E Series router that has NAT enabled. Figure 10: PPTP Tunnels on an Inside Network The router has installed an inside source static simple translation in its translation table as follows:...
  • Page 114: Gre Flows Through Nat

    JUNOSe 11.1.x IP Services Configuration Guide
    The router has installed an inside source static simple translation in its translation table as follows:
    Inside Local Address   Inside Global Address
    11.11.11.1             20.0.0.1
    The PPTP client initiates its tunnels to the inside global address 20.0.0.1. The E Series router translates packets destined for address 20.0.0.1 and forwards them to the inside local address of 11.11.11.1.
  • Page 115: Displaying Translation Statistics

    Chapter 2: Configuring NAT
    host1#show license nat
    Nat license is nat_license
    See show license.
    Displaying Translation Statistics
    The show ip nat statistics command displays internal statistics that apply to NAT operation.
    show ip nat statistics
    Use to display internal NAT statistics.
    Field descriptions
    Last dynamic allocation failure: Completion level of any dynamic allocation failures;...
  • Page 116 JUNOSe 11.1.x IP Services Configuration Guide
    discarded: Number of packets discarded immediately upon receipt
    discarded by translator: Number of packets discarded by the NAT translator when no matching translation could be located
    Example
    host1#show ip nat statistics
    NAT database statistics for virtual router vr1:
    --------------------------------------------------------------
    Last dynamic allocation failure: normal, successful completion
    Dynamic entry limit was reached 10318 times...
  • Page 117: Displaying Translation Entries

    Chapter 2: Configuring NAT Displaying Translation Entries The show ip nat translations command displays current translations that reside in the translation table. Simple translation entries appear with inside/outside and local/global address information. Extended entries appear with added protocol and port numbers (or query IDs).
  • Page 118: Displaying Address Pool Information

    JUNOSe 11.1.x IP Services Configuration Guide
    host1# show ip nat translations verbose
                                                           Time       Time
          Inside      Inside     Outside     Outside      since      since
    Prot  local       global     global      local        creation   last use
    ----  ----------- ---------- ----------- -----------  ---------- --------
          20.0.0.3    30.0.0.3                             00:04:50   00:00:01
          21.0.0.3    30.208.0.3                           00:02:12   00:00:01...
  • Page 119: Displaying Inside And Outside Rule Settings

    Chapter 2: Configuring NAT
    range: 4.4.4.1 to 4.4.4.32
    pool: pool2
    netmask: 255.255.255.0
    prefix length: 24
    range: 1.1.1.1 to 1.1.1.24
    range: 2.2.2.1 to 2.2.2.55
    Example 2
    host1#show ip nat pool pool1
    pool: pool1
    netmask: 255.255.255.0
    prefix length: 24
    range: 3.3.3.1 to 3.3.3.255
    range: 4.4.4.1 to 4.4.4.32
    See show ip nat pool.
  • Page 120 JUNOSe 11.1.x IP Services Configuration Guide
    rule type: Type of rule assigned
    Example
    host1#show ip nat outside rule
    access list name: list4
    pool name: poolD
    rule type: outside source
    See show ip nat outside rule.
    Monitoring NAT...
  • Page 121: Configuring J-Flow Statistics

    Chapter 3 Configuring J-Flow Statistics This chapter describes how to configure J-Flow statistics on your ERX router; it contains the following sections: Overview on page 95 Platform Considerations on page 98 Before You Configure J-Flow Statistics on page 98 Configuring Flow-Based Statistics Collection on page 98 Monitoring J-Flow Statistics on page 106 Overview The JUNOSe J-Flow feature provides a method by which you can collect IP traffic...
  • Page 122: Aggregation Caches

    JUNOSe 11.1.x IP Services Configuration Guide Aggregation Caches Data from flow cache entries is summarized to build aggregated views or aggregation caches. Aggregation caches are created and maintained along with the main cache. Aggregation caches have their own history area where the aging aggregation cache records are collected.
  • Page 123: Cache Flow Export

    Chapter 3: Configuring J-Flow Statistics Destination port number (DP) Layer 3 protocol type Type of service (ToS byte) or Differentiated Services code point (DSCP) Input interface Cache Flow Export Using UDP as the transport method, the ERX router can export the content of the flow cache as the system removes the entries.
  • Page 124: Operation With Nat

    JUNOSe 11.1.x IP Services Configuration Guide
    Operation with NAT
    When functioning with Network Address Translation (NAT), J-Flow sampling occurs before NAT applies any translation.
    Operation with High Availability
    When high availability is enabled, the following occurs in the event of a switchover: Any flows that are collected but not yet exported from the router are lost.
  • Page 125: Enabling Flow-Based Statistics

    Chapter 3: Configuring J-Flow Statistics (Optional) Define the sampling interval at which you want to collect statistics. (Optional) Customize the size of the main flow cache. (Optional) Define flow cache aging timers. (Optional) Specify to where you want to export J-Flow statistics. Enabling Flow-Based Statistics Use the ip flow statistics command to explicitly enable J-Flow.
  • Page 126: Defining A Sampling Interval

    JUNOSe 11.1.x IP Services Configuration Guide Use the no version to disable J-Flow statistics on the interface. See ip route-cache flow sampled. Defining a Sampling Interval Use the ip flow-sampling-mode packet-interval command to define the packet-sampling interval for the virtual router. The sampling interval specifies the rate at which the virtual router samples J-Flow information.
  • Page 127: Setting Cache Size

    Chapter 3: Configuring J-Flow Statistics Specifying an interval less than 10 sets a very high sampling rate that can severely degrade performance. The lower the packet-sampling interval you configure, the faster the sampling rate. For information about the effects of using the ip flow-sampling-mode packet-interval command for the ES2 10G LM with either the ES2-S1 GE-8 IOA or the ES2-S2 10GE PR IOA on E120 routers and E320 routers, see “Defining a Sampling Interval”...
  • Page 128: Specifying The Inactivity Timer

    JUNOSe 11.1.x IP Services Configuration Guide
    ip flow-cache timeout active
    Use to define the activity timer, in minutes.
    Example
    host1(config)#ip flow-cache timeout active 50
    Use the no version to return the activity timer to its default value (30 minutes). See ip flow-cache timeout.
    Specifying the Inactivity Timer
    Use the ip flow-cache timeout inactive command to specify a value for the inactivity timer.
  • Page 129: Configuring Aggregation Flow Caches

    Chapter 3: Configuring J-Flow Statistics Configuring Aggregation Flow Caches Aggregation caches are disabled by default. Exporting flow records from the router does not occur while it is in the disabled state. When the configuration for an aggregation cache is changed from enabled to disabled state, all flow records from that cache are removed and flow collection stops.
  • Page 130 JUNOSe 11.1.x IP Services Configuration Guide
    host1(config-flow-cache)#export destination { hostname | ip address } udp-port-number
    Set the source IP address for datagrams containing information from this cache; the no version removes the explicit setting of the source address.
    host1(config-flow-cache)#export source interfacetype interface
    Enable the aggregation cache.
  • Page 131 Chapter 3: Configuring J-Flow Statistics
    host1(config-flow-cache)#export destination myhost udp-port
    Use the no version to remove the destination. See export destination.
    export source
    Use to configure an export source for the aggregation cache.
    Example
    host1(config-flow-cache)#export source interface inf1
    Use the no version to remove the destination. See export source.
  • Page 132: Monitoring J-Flow Statistics

    JUNOSe 11.1.x IP Services Configuration Guide Monitoring J-Flow Statistics This section shows how to clear J-Flow statistics and use the show commands to view J-Flow settings and statistical results. Clearing J-Flow Statistics Use the clear ip flow stats command to clear all entries from all flow caches on the virtual router.
  • Page 133 Chapter 3: Configuring J-Flow Statistics
    Size: Distribution of IP packets by size
    Percent: Percent distribution of different-sized IP packets
    Protocol - Port: Protocol of the sample and port destination for that sample
    Total Flows: Total number of flows
    Flows/Sec: Number of flows per second
    Packets/Flow: Number of packets per flow
    Bytes/Packet: Number of bytes per packet
    Packets/Sec: Number of packets per second
    Src....
  • Page 134 JUNOSe 11.1.x IP Services Configuration Guide
    2560 0.000   3072 0.000   3584 0.000   4096 0.000   4608 0.000
                    Total      Flows      Packets     Bytes      Packets
    Protocol-Port   Flows      /Sec       /Flow       /Packet    /Sec
    -------------   ---------  ---------  ----------  ---------  ---------
    TCP-telnet      0.000 118.000 1014.000 0.000
    UDP-whois++     0.008 935.000 1026.000 7.664...
  • Page 135 Chapter 3: Configuring J-Flow Statistics
    4608 0.000
                                                                     Packets    Bytes      Packets
    Src.Addr       Src.Intf   Dst.Addr     Dst.Intf   Protocol Port   /Flow      /Packet    /Sec
    -------------  ---------  -----------  ---------  --------------  ---------  ---------  ---------
    10.20.30.41 258 GigE4/0 12.0.0.2 GigE2/0 TCP-telnet 58.000 1014.000 0.000
    10.20.30.41 63 GE4/0 50.60.70.88 UDP-whois++ 1028.000 1026.000...
  • Page 136 JUNOSe 11.1.x IP Services Configuration Guide
    Field descriptions
    Aggregation Cache:
    AS: AS aggregation cache
    Destination-prefix: Destination-prefix aggregation cache
    Prefix: Prefix aggregation cache
    Protocol-port: Protocol-port aggregation cache
    Source-prefix: Source-prefix aggregation cache
    Total Flows: Total number of flows
    Flows/Sec: Number of flows per second
    Packets/Flow: Number of packets per flow
    Bytes/Packet: Number of bytes per packet
    Packets/Sec: Number of packets per second...
  • Page 137 Chapter 3: Configuring J-Flow Statistics
    Use to display configuration values for IP flow cache export.
    Example
    host1#show ip flow export
    Flow export is enabled using version 5 format.
    Exporting to 10.0.0.2 port 9898 using source ip interface GigabitEthernet5/0/0.
    See show ip flow.
    show ip flow sampling
    Use to display configuration values for IP flow cache sampling.
  • Page 138 JUNOSe 11.1.x IP Services Configuration Guide Monitoring J-Flow Statistics...
  • Page 139: Configuring Bfd

    Chapter 4 Configuring BFD This chapter describes how to configure bidirectional forwarding detection (BFD) on your E-series router; it contains the following sections: Bidirectional Forwarding Detection Overview on page 113 BFD Platform Considerations on page 116 BFD References on page 116 Configuring a BFD License on page 117 BFD Version Support on page 117 Configuring BFD on page 118...
  • Page 140: How Bfd Works

    JUNOSe 11.1.x IP Services Configuration Guide about configuring BFD for EBGP routes, see Configuring BGP Routing in JUNOSe BGP and MPLS Configuration Guide. How BFD Works In a BFD-configured network, when a client launches a BFD session with a peer, BFD begins sending slow, periodic BFD control packets that contain the interval values that you specified when you configured the BFD peers.
  • Page 141: Chapter 4 Configuring Bfd

    Chapter 4: Configuring BFD Each pair of peers negotiates acceptable transmit and receive intervals for BFD packets. These values can be different on each peer. The negotiated transmit interval for a peer is the interval between the BFD packets that it sends to its peers. The receive interval for a peer is the minimum time that it requires between packets sent from its peer;...
  • Page 142: Bfd Platform Considerations

    JUNOSe 11.1.x IP Services Configuration Guide session to be down. In either case, all routes learned from the failed peer are purged immediately. NOTE: Before the router can use any bfd-liveness-detection command, you must specify a BFD license key. To view an already configured license, use the show license bfd command.
  • Page 143: Configuring A Bfd License

    Use to specify a BFD license. Purchase a BFD license to allow BFD configuration on the E Series router.
    NOTE: Acquire the BFD license from Juniper Networks Customer Service or your Juniper Networks sales representative.
    Example
    host1(config)#license bfd license-value
    Use the no version to disable the license.
  • Page 144: Configuring Bfd

    JUNOSe 11.1.x IP Services Configuration Guide NOTE: You cannot configure the JUNOSe software to send BFD Version 0 or BFD Version 1 packets. The JUNOSe software determines the BFD version through auto-negotiation. Configuring BFD You configure BFD on routing protocols that use BFD for fast failure detection. BFD does not require any stand-alone configuration;...
  • Page 145: Clearing Bfd Sessions

    Chapter 4: Configuring BFD on the router by making them less restrictive and increasing the survival chances for the session. NOTE: Enabling BFD adaptive timers targets only rapidly flapping events and not genuine BFD down events. If BFD down events occur in intervals longer than 5 seconds, the session does not attempt to adapt.
  • Page 146: Monitoring Bfd

    JUNOSe 11.1.x IP Services Configuration Guide
    Use the discriminator keyword to clear the BFD session associated with the unique system-wide identifier.
    Example 1
    host1#clear bfd session
    Example 2
    host1#clear bfd session address 10.10.5.24
    Example 3
    host1#clear bfd session discriminator 4
    There is no no version.
  • Page 147: Viewing Bfd Information

    Chapter 4: Configuring BFD
    bfdGeneral
    bfdSession
    bfdEvents
    bgpConnections
    isisBfdEvents
    ospfEvents
    ospfv3General
    ripBfdLog
    For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.
    Viewing BFD Information
    You can monitor the following aspects of BFD by using the following show commands:
    To Display                  Command
    BFD session information...
  • Page 148 JUNOSe 11.1.x IP Services Configuration Guide
    Address: IP address of the remote interface with which the session is established. In unnumbered cases, the remote interface provides its reference IP address.
    State: State of the BFD session, Up, Down, or AdminDown
    Interface: Interface on which the BFD session has been established
    Detect/Detection Time: Time (in seconds) taken to declare the remote interface down when no packets are received from that interface...
  • Page 149 Chapter 4: Configuring BFD
    Remote diagnostic: Reason at the remote end for the last session down event
    Remote heard/Remote not heard: Whether the local end is receiving packets from the remote end
    hears us/doesn't hear us: Whether the remote end is receiving packets from the local end
    Min async interval: Minimum interval (in seconds) between packets sent when in asynchronous mode...
  • Page 150 JUNOSe 11.1.x IP Services Configuration Guide
    Echo mode disabled/inactive
    2 Clients:
      Client OSPFv2, desired tx: 0.3, required rx: 0.3, multiplier 3
      Client ISIS, desired tx: 0.3, required rx: 0.3, multiplier 3
    TX FC-assisted? Yes, Detection FC-assisted? Yes
    Example 3 IPv6 version
    host1#show bfd session detail
    Address fe80:1234::abcd State UP on Interface FastEthernet1/3...
  • Page 151: Configuring Ipsec

    Chapter 5 Configuring IPSec This chapter describes Internet Protocol Security (IPSec) capabilities of the ERX routers. It contains the following sections: Overview on page 125 Platform Considerations on page 127 References on page 127 IPSec Concepts on page 128 IKE Overview on page 140 Configuration Tasks on page 145 Configuration Examples on page 160 Monitoring IPSec on page 168...
  • Page 152 JUNOSe 11.1.x IP Services Configuration Guide Table 8: IPSec Terms and Abbreviations (continued) Term or Abbreviation Description Certificate authority Data Encryption Standard encryption algorithm Dead peer detection, which enables router to detect when communication to remote peer has been disconnected. Also known as IKE keepalive. Digital Signature Standard authentication algorithm Encapsulating Security Payload, which provides data integrity, data confidentiality and, optionally, sender's authentication...
  • Page 153: Platform Considerations

    Chapter 5: Configuring IPSec Table 8: IPSec Terms and Abbreviations (continued) Term or Abbreviation Description Secure Hash Algorithm Security parameter index Virtual private network Platform Considerations For information about modules that support IPSec on ERX14xx models, ERX7xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 154: Ipsec Concepts

    JUNOSe 11.1.x IP Services Configuration Guide
    RFC 2410, The NULL Encryption Algorithm and Its Use With IPSec (November 1998)
    RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers (February 2004)
    For information about using digital certificates, see “Configuring Digital Certificates” on page 213.
  • Page 155: Rfc 2401 Compliance

    Chapter 5: Configuring IPSec Secure IP interfaces are a logical representation of a secure connection between two security endpoints, one of which is the local system. The remote endpoint can be another security gateway or a host. RFC 2401 Compliance RFC 2401 states that a security policy database (SPD) must exist for each physical interface in the router, and an administrator must configure these SPDs to determine which traffic must be IPSec-protected, not IPSec-protected, or denied.
  • Page 156: Security Parameters

    JUNOSe 11.1.x IP Services Configuration Guide Figure 13: IPSec Tunneling Packet Encapsulation Security Parameters Secure IP interfaces allow tunneled traffic to be secured in many ways. For that, secure interfaces are associated with security parameters that are enforced for traffic that goes through these interfaces.
  • Page 157: Manual Versus Signaled Interfaces

    Chapter 5: Configuring IPSec Figure 14: IPSec Security Parameters in Relation to the Secure IP Interface Manual Versus Signaled Interfaces The router supports both manual and signaled interfaces: Manual interfaces use a preconfigured set of SA parameters to secure traffic flowing through a secure IP interface.
  • Page 158: Operational Virtual Router

    JUNOSe 11.1.x IP Services Configuration Guide
    Table 10: Security Parameters per IPSec Policy Type
    Security Parameter          Manual     Signaled
    Operational VR              Required   Required
    Transport VR                Required   Required
    Perfect forward secrecy     Optional   Optional
    Lifetime                    Optional   Optional
    Inbound and outbound SAs    Required   Not applicable
    Transform set               Required   Required...
  • Page 159

    The transport VR information is required, although its explicit configuration is not: if omitted, the transport VR is assumed to be the same as the operational VR. The tunnel source and destination, however, are mandatory elements.
    Transport VR Definition
    The transport VR definition includes:
    Transport virtual router name: Name of the transport virtual router.
  • Page 160: Perfect Forward Secrecy

    Perfect Forward Secrecy
    PFS is an optional feature that makes every newly refreshed key cryptographically independent of the previous key, so that the compromise of one key does not expose traffic protected under earlier or later keys. PFS adds security but requires an extra Diffie-Hellman exchange on every key refresh. If PFS is enabled, the router mandates PFS during SA negotiation.
  • Page 161: Inbound and Outbound SAs

    To set the tunnel lifetime, use the tunnel lifetime command. To set the global (default) lifetime, use the ipsec lifetime command.
    Inbound and Outbound SAs
    SA parameters are the actual session parameters used to secure a specific data flow associated with a specific secure IP interface.
  • Page 162: Table 11: Supported Transforms

    to find common agreement between the local and the remote security gateway on how to protect that specific data flow. A transform set includes encapsulation protocols and transforms, for example encryption, decryption and authentication algorithms. These parameters are grouped to specify the acceptable protection for a given data flow.
  • Page 163: Table 12: Supported Security Transform Combinations

    Table 11: Supported Transforms (continued)

    Transform   Description
    AH-SHA      IPSec performs AH protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5.
    ESP-MD5     IPSec performs ESP protocol encapsulation using the MD5 hash function with HMAC message authentication.
  • Page 164: Other Security Features

    Table 12: Supported Security Transform Combinations (continued)

    Security Type                              Supported Transform Combinations
    Data authentication and confidentiality    ESP-DES-MD5, ESP-DES-SHA, ESP-3DES-MD5, ESP-3DES-SHA

    The ISM does not support both the ESP and AH encapsulation modes concurrently on the same secure tunnel.
    Negotiating Transforms
    Inside a transform set, IPSec transforms are numbered in a priority sequence.
  • Page 165: ESP Processing

    ESP Processing
    The router supports both the encryption and authentication functions of ESP encapsulation as defined in RFC 2406. Specifically, the router supports:
    DES and 3DES encryption algorithms
    The HMAC-SHA and HMAC-MD5 authentication algorithms
    ESP security options on a per-tunnel (per-SA) basis
    Tunnel mode
    Of these algorithms, single DES has since been deprecated for IPSec (RFC 8221 lists it as MUST NOT), 3DES is discouraged because of its 64-bit block size, and HMAC-MD5 is discouraged in favor of HMAC-SHA. Where the peer allows it, prefer esp-3des-hmac-sha over any transform that uses DES or MD5.
    AH Processing
    The router supports AH encapsulation as defined in RFC 2402.
  • Page 166: Tunnel Failover

    Unlike other keepalive and heartbeat schemes, which require peers to exchange Hello packets at regular predetermined intervals, DPD uses two techniques to verify connectivity on an as-needed basis. In the first method, the router sends DPD inquiries to the remote peer when traffic has been sent to the peer in the last 30 seconds but no traffic has been received from the peer in the last 60 seconds.
  • Page 167: Main Mode and Aggressive Mode

    Antireplay defense
    IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting a security gateway peer. When NAT-T is in use, IKE and the UDP-encapsulated ESP traffic also use UDP port 4500, which must be permitted as well. The following sections expand on the IKE functionality available for the router.
  • Page 168: IKE Policies

    Table 13: Initiator Proposals and Policy Rules

    Aggressive Mode Policy Setting   Initiator Requests (First Time)   Initiator Requests (Rekeyed)   Responder Rule
    Accepted                         Main mode                         Follows first time             Aggressive or main mode (follows initiator)
    Requested                        Aggressive mode                   Follows first time             Aggressive or main mode (follows initiator)
  • Page 169: Encryption

    the peer security gateway accepts is used for that IKE session. This procedure is repeated for every IKE session that needs to be established.
    Encryption
    A specific encryption transform can be applied to an IKE policy. The supported encryption algorithms are:
    3DES
    Hash Function...
  • Page 170: Diffie-Hellman Group

    Diffie-Hellman Group
    An IKE policy must specify which Diffie-Hellman group is used during the symmetric key generation phase of IKE. The following Diffie-Hellman groups are supported:
    Group 1 (768-bit)
    Group 2 (1024-bit)
    Group 5 (1536-bit)
    Group 1 is far too small by current standards (RFC 8247 lists the 768-bit group as MUST NOT for IKE) and group 2 is only marginally acceptable; select group 5 wherever the peer supports it.
    Lifetime
    Like a user SA, an IKE SA does not last indefinitely.
  • Page 171: Configuration Tasks

    SRP 10G: 10,000
    SRP 40G: 20,000
    license ipsec-tunnels
    Use to specify an IPSec tunnel license.
    NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.
    Example
    host1(config)#license ipsec-tunnels license string
    Use the no version to disable the license.
  • Page 172: Configuring IPSec Parameters

    Configuring IPSec Parameters
    To configure IPSec:
    For each endpoint, create a transform set that provides the desired encryption and authentication.
    host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
    Add a preshared key that the routers use to authenticate each other.
    host1(config)#ipsec key manual pre-share 5.2.0.1
    host1(config-manual-key)#key customerASecret
    After you enter a preshared key, the router encrypts the key and displays it in...
  • Page 173

    Example 1, using an IP address
    host1(config)#ipsec key manual pre-share ip address 10.10.1.1
    host1(config-manual-key)#
    Example 2, using an FQDN
    host1(config)#ipsec key manual pre-share identity branch245.customer77.isp.net
    host1(config-manual-key)#
    Example 3, using an FQDN with a user@ specification
    host1(config)#ipsec key manual pre-share identity user4919@branch245.customer77.isp.net
    host1(config-manual-key)#
    Use the no version to delete a manually configured key from the router.
  • Page 174

    ipsec transform-set
    Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality. Transform sets used for manually configured tunnels can have only one transform. Transform sets used for signaled tunnels can have up to six transforms; the transform actually used on the tunnel is negotiated with the peer.
  • Page 175: Creating an IPSec Tunnel

    host1(config)#ipsec key manual pre-share 10.10.1.1
    host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
    There is no no version. To delete a key, use the no version of the ipsec key manual command. See masked-key.
    Because the masked-key command re-creates the preshared key from its masked form, a configuration file that contains masked keys must be protected as carefully as the plaintext keys themselves.
    Creating an IPSec Tunnel
    To create an IPSec tunnel:
    Enter virtual router mode.
  • Page 176

    For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.
    host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678
    host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
    (Optional) Configure PFS on this tunnel.
    host1:vrA(config-if)#tunnel pfs group 5
    (Optional) Set the tunnel type to signaled or manual.
  • Page 177

    Example 3
    host1(config-if)#tunnel destination identity user4919@branch245.customer77.isp.net
    Use the no version to remove the address. See tunnel destination.
    tunnel lifetime
    Use to set the renegotiation time of the SAs in use by this tunnel. To configure the lifetime in seconds, use the seconds keyword and specify a value in the range 1800–864000. The default value is 28800 seconds.
  • Page 178

    tunnel mtu
    Use to set the MTU size for the tunnel.
    Example
    host1(config-if)#tunnel mtu 2240
    Use the no version to restore the default MTU (1440). See tunnel mtu.
    tunnel peer-identity
    Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:
    address: Specifies an IP address as the peer identity
    subnet: Specifies a subnet as the peer identity...
  • Page 179

    Use to manually configure the authentication or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual. Use the online Help to see a list of available algorithm sets. Each key is an arbitrary hexadecimal string.
  • Page 180: Configuring DPD and IPSec Tunnel Failover

    manual: Specifies that security parameters and keys are configured manually
    Example
    host1(config-if)#tunnel signaling manual
    Use the no version to restore the default value, isakmp. See tunnel signaling.
    tunnel source
    Use to specify an existing interface address that serves as the tunnel's source address.
  • Page 181

    host1(config)#virtual-router vrA
    host1:vrA(config)#
    Create an IPSec tunnel, and specify the transport VR.
    host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
    host1:vrA(config-if)#
    Specify the address or identity of the tunnel destination backup endpoint.
    host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net
    ipsec option dpd
    Use to enable dead peer detection (DPD) on the router.
  • Page 182: Defining an IKE Policy

    host1(config-if)#tunnel destination backup identity branch245.customer88.isp.net
    host1(config-if)#tunnel destination backup identity user4925@branch245.customer88.isp.net
    Use the no version to restore the default, in which the regular tunnel destination is also the backup tunnel destination. See tunnel destination backup.
    Defining an IKE Policy
    IKE policies define the parameters that the router uses during IKE phase 1 negotiation.
  • Page 183

    Use the requested keyword to request aggressive mode when negotiating with peers.
    Use the required keyword to request and accept only aggressive mode when negotiating with peers.
    Example
    host1(config-ike-policy)#aggressive-mode accepted
    Use the no version to set the negotiation mode to main mode. See aggressive-mode.
    Aggressive mode sends the peer identities in the clear and, with preshared-key authentication, exposes material that lets an eavesdropper attempt offline guessing of the preshared key. Keep the default (main mode) unless a peer cannot do otherwise, and use a long random preshared key wherever aggressive mode must be accepted.
  • Page 184

    hash
    Use to set the hash algorithm for the IKE policy:
    md5: MD5 (HMAC variant)
    sha: SHA-1 (HMAC variant)
    Example
    host1(config-ike-policy)#hash md5
    Use the no version to restore the default, sha. See hash.
    ipsec ike-policy-rule
    ipsec isakmp-policy-rule
    NOTE: The ipsec ike-policy-rule command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
  • Page 185: Refreshing SAs

    Refreshing SAs
    To refresh ISAKMP/IKE or IPSec SAs:
    host1(config)#ipsec clear sa tunnel ipsec:Aottawa2boca phase 2
    ipsec clear sa
    Use to refresh ISAKMP/IKE or IPSec SAs. To reinitialize all SAs, use the all keyword. To reinitialize SAs on a specific tunnel, use the tunnel keyword. To reinitialize SAs on tunnels that are in a specific state, use the state keyword.
  • Page 186: Configuration Examples

    Use to enable the router to send an invalid cookie notification to an IKE peer when the router does not recognize the initiator-responder cookie pair.
    Example
    host1(config)#ipsec option tx-invalid-cookie
    Use the no version to restore the default, which disables the sending of invalid cookie notifications.
  • Page 187: Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the

    Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the Internet
    To configure the connections as shown in Figure 16 on page 161:
    On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
  • Page 188

    erx1(config)#interface tunnel ipsec:Aottawa2boston
    erx1(config-if)#tunnel transform-set customerAprotection
    erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
    erx1(config-if)#tunnel peer-identity subnet 200.3.0.0 255.255.0.0
    erx1(config-if)#tunnel source 100.1.0.1
    erx1(config-if)#tunnel destination 100.3.0.1
    erx1(config-if)#ip address 200.3.0.0 255.255.0.0
    erx1(config-if)#exit
    Tunnel 2:
    erx1(config)#interface tunnel ipsec:Aottawa2boca
    erx1(config-if)#tunnel transform-set customerAprotection
    erx1(config-if)#tunnel local-identity subnet 200.1.0.0 255.255.0.0
    erx1(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
    erx1(config-if)#tunnel source 100.1.0.1...
  • Page 189

    erx3(config-if)#ip address 200.1.0.0 255.255.0.0
    erx3(config-if)#exit
    Tunnel 2:
    erx3(config)#interface tunnel ipsec:Aboston2boca
    erx3(config-if)#tunnel transform-set customerAprotection
    erx3(config-if)#tunnel local-identity subnet 200.3.0.0 255.255.0.0
    erx3(config-if)#tunnel peer-identity subnet 200.2.0.0 255.255.0.0
    erx3(config-if)#tunnel source 100.3.0.1
    erx3(config-if)#tunnel destination 100.2.0.1
    erx3(config-if)#ip address 200.2.0.0 255.255.0.0
    erx3(config-if)#exit
    The configuration is complete. Customer A traffic between the cities now flows through the public, or untrusted, IP network inside a tunnel, where each packet is encrypted and authenticated.
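Each tunnel in the Figure 16 mesh is configured twice, once on each router, and the two halves must be mirror images: source and destination swapped, local-identity and peer-identity swapped, the same transform, and the same preshared key stored on both sides for the other's address. A mismatch in any of these is a silent phase 1 or phase 2 failure. The following script is an added example written for this page, not JUNOSe code; it represents the relevant per-tunnel commands as a Tunnel record and each router's ipsec transform-set and ipsec key manual pre-share entries as a Router record, then checks every pair. The sample data is constructed from the Figure 16 addressing (the guide does not show the Boca router or the preshared keys of this example) with two deliberate faults on the Boca side so the check has something to report.

```python
"""Mirror-image consistency check for a mesh of IPSec tunnels between routers.

Added example for this guide; not JUNOSe code. Tunnel mirrors the fields set
by interface tunnel ipsec:NAME, tunnel transform-set, tunnel local-identity,
tunnel peer-identity, tunnel source and tunnel destination.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tunnel:
    router: str
    name: str
    transform_set: str      # name of a transform set defined on `router`
    local_identity: str     # e.g. "subnet 200.1.0.0 255.255.0.0"
    peer_identity: str
    source: str             # tunnel source address
    destination: str        # tunnel destination address


@dataclass
class Router:
    name: str
    transform_sets: Dict[str, str]   # set name -> transform, e.g. "esp-3des-hmac-sha"
    preshared: Dict[str, str]        # peer address -> preshared key
    tunnels: List[Tunnel]


def mirror_of(t: Tunnel, routers: Dict[str, Router]) -> Optional[Tunnel]:
    """The tunnel on another router whose source/destination reverse t's."""
    for r in routers.values():
        if r.name == t.router:
            continue
        for cand in r.tunnels:
            if cand.source == t.destination and cand.destination == t.source:
                return cand
    return None


def check_mesh(routers: Dict[str, Router]) -> List[str]:
    """Report every tunnel that would fail to come up or to interoperate."""
    problems: List[str] = []
    seen = set()
    for r in routers.values():
        for t in r.tunnels:
            m = mirror_of(t, routers)
            if m is None:
                problems.append(f"{r.name}/{t.name}: no mirror tunnel with source "
                                f"{t.destination} and destination {t.source}")
                continue
            pair = frozenset({(r.name, t.name), (m.router, m.name)})
            if pair in seen:          # each pair is reported once
                continue
            seen.add(pair)
            other = routers[m.router]
            # Both ends must offer the same protection: compare transforms, not set names.
            if r.transform_sets.get(t.transform_set) != other.transform_sets.get(m.transform_set):
                problems.append(f"{r.name}/{t.name}: transform differs from {m.router}/{m.name}")
            # Phase 2 selectors: my local identity is the peer's peer identity and vice versa.
            if t.local_identity != m.peer_identity or t.peer_identity != m.local_identity:
                problems.append(f"{r.name}/{t.name}: identities do not mirror {m.router}/{m.name}")
            # Phase 1: each side needs a key for the other's address, and the keys must match.
            here, there = r.preshared.get(t.destination), other.preshared.get(m.destination)
            if here is None or there is None:
                problems.append(f"{r.name}/{t.name}: preshared key missing on one side")
            elif here != there:
                problems.append(f"{r.name}/{t.name}: preshared keys differ from {m.router}")
    return problems


def build_example() -> Dict[str, Router]:
    """Constructed from the Figure 16 addressing (Ottawa 100.1.0.1 / 200.1.0.0,
    Boca 100.2.0.1 / 200.2.0.0, Boston 100.3.0.1 / 200.3.0.0). The Boca router
    carries two deliberate faults: a 255.0.0.0 peer-identity mask and a mistyped key."""
    ts = {"customerAprotection": "esp-3des-hmac-sha"}
    ott, boca, bos = ("subnet 200.1.0.0 255.255.0.0", "subnet 200.2.0.0 255.255.0.0",
                      "subnet 200.3.0.0 255.255.0.0")
    erx1 = Router("erx1", ts, {"100.3.0.1": "customerASecret", "100.2.0.1": "customerASecret"}, [
        Tunnel("erx1", "ipsec:Aottawa2boston", "customerAprotection", ott, bos, "100.1.0.1", "100.3.0.1"),
        Tunnel("erx1", "ipsec:Aottawa2boca", "customerAprotection", ott, boca, "100.1.0.1", "100.2.0.1"),
    ])
    erx3 = Router("erx3", ts, {"100.1.0.1": "customerASecret"}, [
        Tunnel("erx3", "ipsec:Aboston2ottawa", "customerAprotection", bos, ott, "100.3.0.1", "100.1.0.1"),
    ])
    erx2 = Router("erx2", ts, {"100.1.0.1": "customerASecert"}, [            # constructed fault: typo
        Tunnel("erx2", "ipsec:Aboca2ottawa", "customerAprotection", boca,
               "subnet 200.1.0.0 255.0.0.0", "100.2.0.1", "100.1.0.1"),     # constructed fault: mask
    ])
    return {"erx1": erx1, "erx3": erx3, "erx2": erx2}


if __name__ == "__main__":
    for line in check_mesh(build_example()) or ["mesh is consistent"]:
        print(line)
```

Comparing resolved transforms rather than set names matters because both routers may call their set customerAprotection while one of them was created with a different algorithm string; the name match would hide that.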
  • Page 190: Figure 17: Connecting Customers Who Use Similar Address Schemes

    Figure 17: Connecting Customers Who Use Similar Address Schemes
    To configure the connections as shown in Figure 17 on page 164:
    On each ERX router, create a protection suite that provides customer A with 3DES encryption and SHA-1 authentication, and customer B with AH authentication using MD5.
  • Page 191

    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.3.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.1.0.2
    erx2(config-manual-key)#key customerBSecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.3.0.2
    erx2(config-manual-key)#key customerBSecret
    erx2(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.1.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.2.0.1
    erx3(config-manual-key)#key customerASecret
    erx3(config-manual-key)#exit
    erx3(config)#ipsec key manual pre-share 5.1.0.2...
  • Page 192

    Virtual router B:
    erx1(config)#virtual-router vrB
    erx1:vrB(config)#
    Tunnel from Ottawa to Boston on virtual router B:
    erx1:vrB(config)#interface tunnel ipsec:Bottawa2boston transport-virtual-router default
    erx1:vrB(config-if)#tunnel transform-set customerBprotection
    erx1:vrB(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx1:vrB(config-if)#tunnel source 5.1.0.2
    erx1:vrB(config-if)#tunnel destination 5.3.0.2
    erx1:vrB(config-if)#ip address 10.3.0.0 255.255.0.0
    erx1:vrB(config-if)#exit...
  • Page 193

    erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel source 5.2.0.1
    erx2:vrA(config-if)#tunnel destination 5.3.0.1
    erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#exit
    Virtual router B:
    erx2(config)#virtual-router vrB
    erx2:vrB(config)#
    Tunnel from Boca to Ottawa on virtual router B:
    erx2:vrB(config)#interface tunnel ipsec:Bboca2ottawa transport-virtual-router default
    erx2:vrB(config-if)#tunnel transform-set customerBprotection
    erx2:vrB(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0
    erx2:vrB(config-if)#tunnel peer-identity subnet 10.1.0.0 255.255.0.0...
  • Page 194: Monitoring IPSec

    erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default
    erx3:vrA(config-if)#tunnel transform-set customerAprotection
    erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel source 5.3.0.1
    erx3:vrA(config-if)#tunnel destination 5.2.0.1
    erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
    erx3:vrA(config-if)#exit
    Virtual router B:
    erx3(config)#virtual-router vrB
    erx3:vrB(config)#
    Tunnel from Boston to Ottawa on virtual router B:
    erx3:vrB(config)#interface tunnel ipsec:Bboston2ottawa transport-virtual-router...
  • Page 195: show Commands

    stTunnel: Secure tunnel interface
    For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.
    show Commands
    To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.
    show ipsec ike-policy-rule
    show ike policy-rule
    NOTE: The show ipsec ike-policy-rule command replaces the show ipsec...
  • Page 196

    hash algorithm :SHA Secure Hash Standard
    authentication method :Pre Shared Keys
    Diffie-Hellman group :2 (1024 bit)
    lifetime :28800 seconds
    aggressive mode :Not Allowed
    See show ipsec ike-policy-rule. See show ike policy-rule.
    show ipsec ike-sa
    show ike sa
    NOTE: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.
  • Page 197

    MM_DONE_I: Initiator has finished main mode negotiation
    DONE: Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages
    Local Cookie: Unique identifier (SPI) for the local phase 1 IKE SA
    Remote Cookie: Unique identifier (SPI) for the remote phase 1 IKE SA
    Example
    host1# show ipsec ike-sa
    IKE Phase 1 SA's:...
  • Page 198

    Use to display the status, enabled or disabled, of IPSec options configured on the current virtual router. Information is displayed for the following options:
    Dead peer detection (DPD)
    Network Address Translation Traversal (NAT-T). For information about configuring and monitoring NAT-T on L2TP/IPSec tunnels, see "Securing L2TP and IP Tunnels with IPSec"...
  • Page 199

    Tunnel remoteEndpoint: IP address of remote tunnel endpoint
    Tunnel source: IP address or FQDN of tunnel source
    Tunnel destination: IP address or FQDN of tunnel destination
    Tunnel backup destination: Alternate tunnel destination
    Tunnel transport virtual router: Name of transport virtual router over which tunnel runs
    Tunnel transform set: Tunnel transform set in use on this tunnel
    Tunnel local identity: IP address of local endpoint identity that ISAKMP...
  • Page 200

    InUserPackets: Number of user packets received
    InUserOctets: Number of octets received from user packets
    InAccPackets: Number of encapsulated packets received
    InAccOctets: Number of octets received in encapsulated packets
    InAuthErrors: Number of authentication errors received
    InReplayErrors: Number of replay errors in received traffic
    InPolicyErrors: Number of policy errors in received traffic
    InOtherRxErrors: Number of packets received that have errors other...
  • Page 201

    inbound lifetime: allowed 7200s, remaining 7100s
    inbound traffic: allowed 1024000KB, remaining 1023997KB
    outboundSpi = 0x283b0201, outboundSa = esp-3des-hmac-sha
    outbound lifetime: allowed 7200s, remaining 7100s
    outbound traffic: allowed 1024000KB, remaining 1023997KB
    Tunnel Statistics: InUserPackets InUserOctets 1920 InAccPackets InAccOctets 2760 InAuthErrors...
  • Page 202

    To display tunnels that are using a particular IP address, use the ip keyword.
    Field descriptions: For a description of fields, see the show ipsec tunnel detail command.
    Example
    host1#show ipsec tunnel virtual-router default ip 10.255.1.13
    IPSEC tunnel s0l1e3d0 is up
    IPSEC tunnel s0l1e3d1 is up
    IPSEC tunnel s0l2e3d0 is up...
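The show ipsec tunnel detail fields documented above (inboundSa and outboundSa, the lifetime and traffic lines, and the InAuthErrors and InReplayErrors counters) are what an operator would watch to spot a tunnel that is up but unhealthy. The script below is an added example written for this page, not JUNOSe code: it parses a block of that output and turns three conditions into findings, a tunnel that is down, an SA negotiated with a deprecated DES or MD5 transform, and non-zero authentication or replay-window rejections. The sample output is constructed to follow the field names this guide documents; the exact column spacing of real router output is an assumption, which is why the parser keys on field names and not on positions.

```python
"""Triage of show ipsec tunnel detail output.

Added example for this guide; not JUNOSe code. SAMPLE_OUTPUT is constructed
to follow the field names the guide documents; real spacing may differ.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """IPSEC tunnel ipsec:Aottawa2boston is up
  inboundSpi = 0x1a2b0301, inboundSa = esp-3des-hmac-sha
  inbound lifetime: allowed 7200s, remaining 7100s
  inbound traffic: allowed 1024000KB, remaining 1023997KB
  outboundSpi = 0x283b0201, outboundSa = esp-3des-hmac-sha
  outbound lifetime: allowed 7200s, remaining 7100s
  outbound traffic: allowed 1024000KB, remaining 1023997KB
  Tunnel Statistics:
    InUserPackets        12
    InUserOctets         1920
    InAccPackets         24
    InAccOctets          2760
    InAuthErrors         0
    InReplayErrors       0
    InPolicyErrors       0
    InOtherRxErrors      0
IPSEC tunnel ipsec:Bottawa2boston is up
  inboundSpi = 0x1a2b0302, inboundSa = esp-des-hmac-md5
  outboundSpi = 0x283b0202, outboundSa = esp-des-hmac-md5
  Tunnel Statistics:
    InUserPackets        900
    InUserOctets         144000
    InAuthErrors         3
    InReplayErrors       17
    InPolicyErrors       0
IPSEC tunnel ipsec:Aottawa2boca is down
"""

TUNNEL_RE = re.compile(r"^IPSEC tunnel (\S+) is (up|down)", re.M)
SA_RE = re.compile(r"\b(inbound|outbound)Sa = (\S+)")
COUNTER_RE = re.compile(r"^\s*((?:In|Out)[A-Za-z]+)\s+(\d+)\s*$", re.M)


@dataclass
class TunnelStatus:
    name: str
    state: str
    sas: Dict[str, str] = field(default_factory=dict)       # direction -> transform
    counters: Dict[str, int] = field(default_factory=dict)  # counter name -> value


def parse_show_ipsec_tunnel(text: str) -> List[TunnelStatus]:
    """Split the output at each 'IPSEC tunnel ... is up|down' header and collect
    the SAs and statistics that belong to that tunnel."""
    starts = [m.start() for m in TUNNEL_RE.finditer(text)] + [len(text)]
    tunnels: List[TunnelStatus] = []
    for begin, end in zip(starts, starts[1:]):
        chunk = text[begin:end]
        header = TUNNEL_RE.match(chunk)
        status = TunnelStatus(header.group(1), header.group(2))
        for direction, transform in SA_RE.findall(chunk):
            status.sas[direction] = transform
        for counter, value in COUNTER_RE.findall(chunk):
            status.counters[counter] = int(value)
        tunnels.append(status)
    return tunnels


def assess(status: TunnelStatus) -> List[str]:
    """Findings an operator should act on for one tunnel."""
    findings: List[str] = []
    if status.state != "up":
        findings.append("tunnel is down")
    for direction, transform in sorted(status.sas.items()):
        # Single DES and HMAC-MD5 are deprecated for IPsec; esp-3des-hmac-sha is
        # the strongest combination this platform offers (Table 12).
        weak = [alg for alg in ("des", "md5") if alg in transform.lower().split("-")]
        if weak:
            findings.append(f"{direction} SA {transform} uses deprecated algorithm(s): {', '.join(weak)}")
    auth = status.counters.get("InAuthErrors", 0)
    if auth:
        findings.append(f"{auth} authentication failures: key mismatch or packets modified in transit")
    replay = status.counters.get("InReplayErrors", 0)
    if replay:
        findings.append(f"{replay} replay-window rejections: replayed or badly reordered packets")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map each tunnel name to its findings; an empty list means nothing to report."""
    return {t.name: assess(t) for t in parse_show_ipsec_tunnel(text)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_OUTPUT).items():
        print(name, findings or ["ok"])
```

Authentication failures on an otherwise working tunnel usually mean a key or transform mismatch after one side rekeyed or was reconfigured; a replay counter that keeps climbing while user traffic still flows is worth a packet capture, since legitimate reordering rarely produces more than a handful of rejections.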
  • Page 203: Configuring Dynamic IPSec Subscribers

    Chapter 6: Configuring Dynamic IPSec Subscribers
    This chapter describes how to securely terminate IPSec remote access subscribers. These subscribers can reside on different VPNs, and the router can support many VPNs simultaneously. It contains the following sections:
    Overview on page 177
    Platform Considerations on page 180
    References on page 181
    Creating an IPSec Tunnel Profile on page 181...
  • Page 204: Dynamic Connection Teardown

    The router uses existing authentication, authorization, and accounting (AAA) functionality to authenticate the user data. After granting access, the router instantiates an IP interface for the new subscriber as well as an access route for the IP address assigned to the subscriber on the terminating virtual router.
  • Page 205: Inherited Subscriber Functionality

    One IPSec license
    If either license is unavailable, the router denies access to the subscriber.
    Inherited Subscriber Functionality
    Dynamic IPSec subscribers inherit much of the built-in AAA subscriber management functionality. This functionality includes the following:
    AAA subscriber management commands
    DNS (primary and secondary)
    WINS (primary and secondary)
  • Page 206: Relocating Tunnel Interfaces

    Reachable networks on the VPN (allowing for split tunneling when supported by the client software)
    Security parameters intended to protect user traffic (including IPSec encapsulating protocol, encryption algorithms, authentication algorithms, lifetime parameters, perfect forward secrecy, and DH group for key derivation)
    Setting the IP address the router monitors for remote subscribers.
  • Page 207: References

    See IPSec Service support in ERX Module Guide, Table 1, Module Combinations for detailed module specifications. See IPSec Service support in ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support IPSec service.
    References
    For more information about dynamic IPSec subscribers, consult the following resources:...
  • Page 208: Configuring IPSec Tunnel Profiles

    host1(config-ipsec-tunnel-profile)#
    Use the no version to delete the tunnel profile. See ipsec tunnel profile.
    Configuring IPSec Tunnel Profiles
    This section explains how to configure the parameters that exist in IPSec tunnel profile configuration mode.
    Limiting Interface Instantiations on Each Profile
    To define the maximum number of interfaces that the IPSec tunnel profile can instantiate, use the max-interfaces command.
  • Page 209: Setting the IKE Peer Identity

    Use to set the IKE local identity used for IKE security association (SA) negotiations.
    Example
    host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1
    Use the no version to remove the specified IKE local identity. See ike local-identity.
    Setting the IKE Peer Identity
    To set the IKE peer identity values, use the ike peer-identity command.
  • Page 210: Appending a Domain Suffix to a Username

    See ike peer-identity domain-name. See ike peer-identity ip address. See ike peer-identity username.
    Appending a Domain Suffix to a Username
    The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user.
  • Page 211: Specifying an IP Profile for IP Interface Instantiations

    Use to override the peer identity (phase 2 identity) used for IPSec security association negotiations. For IPSec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end, respectively.
  • Page 212: Specifying Local Networks

    More than one profile can specify the same local endpoint and virtual router. Because the last value set overrides the others, we recommend that you avoid this type of configuration.
    local ip address
    Use to specify the given local IP address as a server address.
    Example
    host1(config-ipsec-tunnel-profile)#local ip address 192.2.52.12
    Use the no version to stop the router from monitoring UDP port 500 for user...
  • Page 213: Defining User Reauthentication Protocol Values

    Use to specify the IPSec lifetime parameters used in IPSec SA lifetime negotiations.
    Example
    host1(config-ipsec-tunnel-profile)#lifetime seconds 5000 25000
    Use the no version to return the lifetime to its default value, 28800 seconds (8 hours) and no traffic volume limit. See lifetime.
  • Page 214: Specifying IPSec Security Association Transforms

    Specifying IPSec Security Association Transforms
    The transform command specifies the IPSec transforms that IPSec SA negotiations can use for this profile. When the client proposes, the router accepts the first proposed transform that matches one of the transforms specified by this command. When the router proposes, it offers all transforms specified by this command and the client accepts one of them.
  • Page 215: Defining the Tunnel MTU

    Defining the Tunnel MTU
    The tunnel mtu command configures the maximum transmission unit size for the tunnel.
    tunnel mtu
    Use to configure the maximum transmission unit size for the tunnel.
    Example
    host1(config-ipsec-tunnel-profile)#tunnel mtu 3000
    Use the no version to restore the default value, an MTU size of 1400 bytes.
  • Page 216: Defining Aggressive Mode for an IKE Policy Rule

    Use to limit the scope of the IKE policy rule to the specified local IP address on the specified virtual router. This limitation ensures that the policy rule is evaluated for IKE security association negotiations only for the specified IP address and virtual router.
  • Page 217: show Commands

    ipsecXcfgSM: IPsec Xauth/ModeCfg state machine
    ipsecP1Throttler: Ongoing Phase 1 negotiations
    For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.
    show Commands
    To display user information for dynamic IPSec tunnel profiles or subscribers, use the following show commands.
  • Page 218

    inboundUserPacketsReceived = 88
    inboundUserOctetsReceived = 74880
    inboundAccPacketsReceived = 88
    inboundAccOctetsReceived = 79488
    inboundAuthenticationErrors = 0
    inboundReplayErrors = 0
    inboundPolicyErrors = 0
    inboundOtherRxErrors = 0
    inboundDecryptErrors = 0
    inboundPadErrors = 0
    See show ipsec tunnel profile.
    show subscribers
    Use to display the active subscribers on the router.
  • Page 219: Configuring ANCP

    Chapter 7: Configuring ANCP
    This chapter describes how to configure Access Node Control Protocol (ANCP), also known as Layer 2 Control (L2C), for IP multicast on an E Series router. It contains the following sections:
    Overview on page 193
    Platform Considerations on page 195
    References on page 196
    Configuring ANCP on page 196
    Configuring ANCP Interfaces on page 198...
  • Page 220: Access Topology Discovery

    ANCP is an extension to GSMPv3 that functions as a control plane between a service-oriented layer 3 edge device (the Broadband Remote Access Server) and a layer 2 access node. In this role, ANCP performs QoS-related, service-related, and subscriber-related operations.
  • Page 221: OAM

    Having the router send a single copy of the multicast stream to a specific access node is a more efficient use of bandwidth. Using this method, the access node performs the multicast replication for subscribers that reside beyond the access node. ANCP transactional multicast enables the E Series router to set up a multicast replication state in the access node.
  • Page 222: References

    References
    For more information about ANCP, see the following resources:
    GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration, draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006 expiration)
    IGMP-based Multicast Forwarding ("IGMP Proxying"), draft-ietf-magma-igmp-proxy-00.txt (May 2002 expiration)
    GSMPv3 Base Specification, draft-ietf-gsmp-v3-base-spec-06.txt (March 2006 expiration)
    Configuring ANCP...
  • Page 223: Defining the ANCP Session Timeout

    Use the no version to remove all ANCP configurations. See l2c.
    Defining the ANCP Session Timeout
    In L2C Configuration (config-l2c) mode, you can use the session-timeout command to specify the ANCP session timeout value. The timer range is 1–25 seconds with a default value of 25 seconds.
  • Page 224: Configuring ANCP Interfaces

    Use the no version to revert the session timeout to its default setting, 60 seconds.
    Configuring ANCP Interfaces
    ANCP uses several interface-level configuration commands. These commands define the GSMP input and output labels associated with the interface and specify the number of branches the ANCP end user can support.
  • Page 225: Accessing L2C Neighbor Configuration Mode for ANCP

    Accessing L2C Neighbor Configuration Mode for ANCP
    Use the neighbor command to create an ANCP neighbor and access the L2C Neighbor Configuration (config-l2c-neighbor) mode.
    neighbor
    Use to create an ANCP neighbor and access the L2C Neighbor Configuration (config-l2c-neighbor) mode.
  • Page 226: Limiting Discovery Table Entries

    Limiting Discovery Table Entries
    Use the max-discovery-table-entries command to specify the maximum number of discovery table entries that a neighbor can have. Lowering the maximum below the number of entries currently in the discovery table does not remove any of the existing entries.
  • Page 227: Configuring ANCP for QoS Adaptive Mode

    Use to enable ANCP discovery for a neighbor.
    Example
    host1(l2c-neighbor)#discovery-mode
    Use the no version to disable discovery mode. See discovery-mode.
    Configuring ANCP for QoS Adaptive Mode
    When you enable QoS adaptive mode with the qos-adaptive-mode command, the system can adjust its QoS shaping of VLAN and ATM VC downstream traffic to the downstream rates received from ANCP.
  • Page 228: Triggering ANCP Line Configuration

    Use to enable the QoS adaptive mode for ANCP. QoS adaptive mode enables the system to shape VLAN and ATM VC downstream rates received from ANCP by dynamically creating QoS parameter instances associated with the ANCP (L2C) downstream application.
    Example
    host1(config-l2c)#qos-adaptive-mode
    Use the no version to disable QoS adaptive mode for the system.
  • Page 229: Configuring Transactional Multicast For Igmp

    Chapter 7: Configuring ANCP adjustment-factor Use to configure a QoS adjustment factor that is applied to the upstream data rate and downstream data rate reported by ANCP for a DSL type. The adjustment factor is used to generate an accurate QoS shaping rate. The factor is applied for all subscribers that use the specified DSL line type. Example host1(config-l2c)#adjustment-factor adsl1 45...
  • Page 230: Ancp Igmp Configuration Example

    JUNOSe 11.1.x IP Services Configuration Guide ANCP IGMP Configuration Example In the following example (Figure 18 on page 204), two subscribers access individual multicast channels through cross connections (branches) that occur on the access node. Figure 18: Using ANCP with an Access Node To configure the example, use the following general procedures: NOTE: This example provides general information for configuring ANCP mapping.
  • Page 231: Complete Configuration Example

    Chapter 7: Configuring ANCP When Subscriber A requests to join 232.1.1.1, ANCP transmits an add branch message with the corresponding input and output labels that cross-connect port 3 and port 6 on Access Node 1. Complete Configuration Example The following example contains the commands used to configure ANCP. You can customize and use this example in your own network.
  • Page 232: Monitoring Ancp

    JUNOSe 11.1.x IP Services Configuration Guide access node responds with the result of the triggered loopback test by means of a GSMP port management message. For example, when using an ATM-based local-loop, the ANCP operation can trigger the access node to generate ATM (F4/F5) loopback cells on the local loop.
  • Page 233 Chapter 7: Configuring ANCP
    VDSL: Adjustment factor for the VDSL DSL type
    VDSL2: Adjustment factor for the VDSL2 DSL type
    SDS: Adjustment factor for the SDS DSL type
    Example 1 Displays the adjustment factor for each DSL type
    host1#show adjustment-factor
    L2C QoS Adjustment Rates:
    ADSL1:
    ADSL2:...
  • Page 234 JUNOSe 11.1.x IP Services Configuration Guide
    Neighbor: Neighbor name
    Access-Loop-Id: Access loop identifier
    Down/Upstream (kbps): Downstream and upstream rates, in Kbps
    State: State of the access loop, UP or DOWN
    Actual-Data-Rate-Upstream: Actual upstream data rate, in Kbps
    Actual-Data-Rate-Downstream: Actual downstream data rate, in Kbps
    Attainable-Data-Rate-Upstream: Attainable upstream data rate for this line, in Kbps
    Attainable-Data-Rate-Downstream: Attainable downstream data rate for...
  • Page 235 Chapter 7: Configuring ANCP
    Dsl-Type: 0(Invalid transmission type)
    Total Line Attributes: 2
    Access-Loop-Id: Dslam_10 atm 10/7:0.0 DOWN
    Neighbor: DSLAM_10
    Line-State: 2(IDLE)
    Dsl-Type: 0(Invalid transmission type)
    Total Line Attributes: 2
    Access-Loop-Id: Dslam_10 atm 2/0:0.0
    Neighbor: DSLAM_10
    Actual-Data-Rate-Upstream: 1184(kbps)
    Actual-Data-Rate-Downstream: 8064(kbps)
    Attainable-Data-Rate-Upstream: 1184(kbps)
    Attainable-Data-Rate-Downstream: 9408(kbps)
    Line-State: 1(SHOWTIME)
    Dsl-Type: 0(Invalid transmission type)
  • Page 236 JUNOSe 11.1.x IP Services Configuration Guide
    Interface: ATM2/0.304
    End-User-Id: Accessnode_10 atm2/6:0.0
    Neighbor: accessnode_1004
    Max-Branches: 5
    Example 2
    host1# show l2c label brief
    Interface                 End-User-Id               Neighbor
    ------------------------- ------------------------- ----------------
    ATM4/0.300                Accessnode_10 atm2/2:0.0  accessnode_1002
    ATM4/0.301                Accessnode_10 atm2/3:0.0  accessnode_1002
    ATM4/0.302                Accessnode_10 atm2/4:0.0  accessnode_1002
    ATM4/0.303                Accessnode_10 atm2/5:0.0...
  • Page 237 Chapter 7: Configuring ANCP
    Connection Time: Date and time at which this neighbor was connected
    Add Branches Sent: Number of add branch messages sent to this neighbor
    Delete Branches Sent: Number of delete branch messages sent to this neighbor
    Line-configurations: Number of line configurations sent to this neighbor
    OAM Loopback Requests Sent: Number of OAM loopback requests sent to this neighbor
    OAM Loopback Responses Received: Number of OAM loopback responses...
  • Page 238 JUNOSe 11.1.x IP Services Configuration Guide
    Number of Neighbors in GSMP_ESTAB state: 1
    Number of neighbors in GSMP_EMPTY state: 0
    See show l2c neighbor.
    show l2c statistics
    Use to display information about the ANCP statistics.
    Field descriptions
    Current session timeout: Configured session timeout (in seconds)
    Discovery: State of topology discovery (Enabled or Disabled)
    Number of configured routers: Number of ANCP configured routers
    Number of neighbors: Number of ANCP neighbors...
  • Page 239: Configuring Digital Certificates

    Chapter 8 Configuring Digital Certificates This chapter describes how to configure digital certificates; it contains the following sections: Overview on page 213 Platform Considerations on page 214 References on page 214 IKE Authentication with Digital Certificates on page 215 IKE Authentication Using Public Keys Without Digital Certificates on page 220 Configuring Digital Certificates Using the Offline Method on page 221 Configuring Digital Certificates Using the Online Method on page 227 Configuring Peer Public Keys Without Digital Certificates on page 232...
  • Page 240: Platform Considerations

    JUNOSe 11.1.x IP Services Configuration Guide
    Table 14: Digital Certificate Terms and Acronyms (continued)
    Term or Abbreviation: Description
    CRL: Certificate revocation list; a list of certificates that a CA has revoked
    ESP: Encapsulating Security Payload; provides data integrity, data confidentiality and, optionally, sender's authentication
    IKE: Internet Key Exchange
    PKCS: Public-Key Cryptography Standards;...
  • Page 241: Ike Authentication With Digital Certificates

    Chapter 8: Configuring Digital Certificates
    RFC 2409 The Internet Key Exchange (IKE) (November 1998)
    RFC 2459 Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January 1999)
    RFC 2986 PKCS #10: Certification Request Syntax Specification Version 1.7 (November 2000)
    RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)
    RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (February 2003)
  • Page 242: Generating Public/Private Key Pairs

    JUNOSe 11.1.x IP Services Configuration Guide The router requires at least one root CA certificate to send to IKE peers and also to verify that a peer's certificate is genuine. Obtaining a public key certificate The router requires at least one public key certificate, which binds the router identity to its public key.
  • Page 243: Obtaining A Public Key Certificate

    Chapter 8: Configuring Digital Certificates In the manual method, an operator obtains the root CA certificate, typically through a Web browser, and copies the certificate file to the E Series router so that the router can use it as part of IKE negotiations. In the automatic method, the router uses SCEP and HTTP to authenticate with the CA and retrieve the certificate.
  • Page 244: Authenticating The Peer

    JUNOSe 11.1.x IP Services Configuration Guide The router uses SCEP and HTTP to enroll with the specified CA and retrieve the certificate that the router uses in IKE negotiations. Authenticating the Peer The ERX router validates X.509v3 certificates from the peer by confirming that the ID payload passed in IKE matches the identifiers in the peer certificate.
  • Page 245: File Extensions

    Chapter 8: Configuring Digital Certificates Table 15 on page 219 presents how the CRL setting affects the outcome of IKE phase 1 negotiations. It lists common problem conditions such as ERX Cert revoked. Table 15: Outcome of IKE Phase 1 Negotiations CRL Setting Condition Ignored...
  • Page 246: Ike Authentication Using Public Keys Without Digital Certificates

    JUNOSe 11.1.x IP Services Configuration Guide supports CA hierarchies, which consist of a top-level root CA and one or more sub-CAs (also called issuing CAs). In a CA hierarchy, the router obtains its public key certificates and the CA certificate from a sub-CA.
  • Page 247: Public Key Format

    Chapter 8: Configuring Digital Certificates For instructions on setting up peer public keys without a digital certificate, see “Configuring Peer Public Keys Without Digital Certificates” on page 232 . Public Key Format RSA encryption and authentication require the use of a public key on both the ERX router and on the remote peer with which the router seeks to establish IKE SAs.
  • Page 248 JUNOSe 11.1.x IP Services Configuration Guide
    NOTE: For more information about setting up IKE policies, see “Defining an IKE Policy” on page 156 in “Configuring IPSec” on page 125.
    Enter IPSec Identity Configuration mode.
    host1(config)#ipsec identity
    host1(config-ipsec-identity)#
    Specify the information that the router uses to generate a certificate request.
    a.
  • Page 249 Chapter 8: Configuring Digital Certificates
    Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.
    Example host1(config-ike-policy)#authentication rsa-sig
    Use the no version to restore the default, preshared keys. See authentication.
    common-name
    Use to specify a common name used to generate certificate requests.
  • Page 250 JUNOSe 11.1.x IP Services Configuration Guide
    required: Requires a valid CRL; neither the certificates that belong to the E Series router nor the peer's certificate may appear in the CRL; this is the strictest setting
    Example host1(config)#ike crl ignored
    Use the no version to return the CRL setting to the default, optional.
    NOTE: This command has been replaced by “ipsec crl”...
  • Page 251 Chapter 8: Configuring Digital Certificates
    Use to control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:
    ignored: Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL;...
  • Page 252 JUNOSe 11.1.x IP Services Configuration Guide NOTE: This command replaces “ipsec isakmp-policy-rule” on page 226 , which may be removed completely in a future release. See ipsec ike-policy-rule. ipsec isakmp-policy-rule Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy.
  • Page 253: Configuring Digital Certificates Using The Online Method

    Chapter 8: Configuring Digital Certificates
    host1(config)#ipsec key zeroize rsa
    There is no no version. See ipsec key zeroize.
    organization
    Use to specify the organization used in the Subject Name field of certificates.
    Example host1(config-ipsec-identity)#organization juniperNetworks
    Use the no version to remove the organization name. See organization.
  • Page 254 JUNOSe 11.1.x IP Services Configuration Guide
    host1(config-ca-identity)#crl ignored
    (Optional) Specify the wait period between certificate request retries.
    host1(config-ca-identity)#enrollment retry-period 5
    (Optional) Specify the absolute time limit on enrollment.
    host1(config-ca-identity)#enrollment retry-limit 60
    (Optional) Specify the URL of your network's HTTP proxy server.
    host1(config-ca-identity)#root proxy url http://192.168.5.45
    host1(config-ca-identity)#exit
    Retrieve the CA certificate.
  • Page 255 Chapter 8: Configuring Digital Certificates Use the no version to return the CRL setting to the default, optional. See crl. enrollment retry-limit Use to set the time period during which the router continues to send a certificate request to the CA. You can specify a time period in the range 0–480 minutes, with 0 specifying an infinite time period.
  • Page 256 JUNOSe 11.1.x IP Services Configuration Guide
    INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for ca:trustedca1 fingerprint:28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01
    host1(config)#
    Use the no ipsec ca identity command for the specified CA, or boot the router using the factory defaults to remove the CA certificate that was generated during the online configuration.
  • Page 257 Chapter 8: Configuring Digital Certificates
    Use to define an ISAKMP/IKE policy. When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
    Example
    host1(config)#ipsec ike-policy-rule 3
    host1(config-ike-policy)#...
  • Page 258: Configuring Peer Public Keys Without Digital Certificates

    JUNOSe 11.1.x IP Services Configuration Guide There is no no version. To remove a key pair, use the ipsec key zeroize command. See ipsec key generate.
    ipsec key zeroize
    Use to delete RSA key pairs. Include one of the following keywords:
    rsa: Removes the RSA key pair from the router
    pre-share: Removes all preshared keys from the router
    all: Removes all keys within the VR context from the router...
  • Page 259 Chapter 8: Configuring Digital Certificates public keys are exchanged in messages containing an X.509v3 digital certificate. As an alternative, however, you can configure and exchange peer public keys and use them for RSA authentication without having to obtain a digital certificate. To configure and exchange peer public keys without obtaining a digital certificate: Generate the RSA key pair on the router.
  • Page 260 JUNOSe 11.1.x IP Services Configuration Guide
    host1(config)#ipsec key pubkey-chain rsa address 192.168.15.5
    host1(config-peer-public-key)#
    b. Enter the peer public key that you obtained in Step 5.
    host1(config-peer-public-key)#key-string "
    Enter remainder of text message. End with the character '"'.
    30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698 748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b...
  • Page 261 Chapter 8: Configuring Digital Certificates
    Example
    host1(config)#ipsec ike-policy-rule 2
    host1(config-ike-policy)#
    Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed. See ipsec ike-policy-rule.
    ipsec key generate
    Use to generate a 1024-bit or 2048-bit RSA key pair.
    Example
    host1(config)#ipsec key generate rsa 2048
    Please wait..........
  • Page 262 JUNOSe 11.1.x IP Services Configuration Guide
    host1(config-peer-public-key)#
    Example 2 Enables you to configure the public key for a remote peer with the FQDN sales.company_xyz.com
    host1(config)#ipsec key pubkey-chain rsa name sales.company_xyz.com
    host1(config-peer-public-key)#
    Example 3 Enables you to configure the public key for a remote peer with the FQDN tsmith@sales.company_xyz.com
    host1(config)#ipsec key pubkey-chain rsa name tsmith@sales.company_xyz.com
    host1(config-peer-public-key)#...
  • Page 263: Monitoring Digital Certificates And Public Keys

    Chapter 8: Configuring Digital Certificates
  • Page 264 JUNOSe 11.1.x IP Services Configuration Guide
    retry limit: Number of minutes during which the router continues to send a certificate request to the CA
    crl setting: Setting that controls how the router checks the certificate revocation lists
    proxy url: HTTP proxy server used to retrieve the root CA certificate, if any
    Example
    host1#show ipsec ca identity mysecureca1
    CA: mysecureca1 parameters:...
  • Page 265 Chapter 8: Configuring Digital Certificates
    SignatureAlgorithm: Algorithm used for the digital signature
    Validity: Beginning and ending period during which the certificate is valid
    PublicKeyInfo: Information about the public key
    Extensions: Fields that provide additional information for the certificate
    Fingerprints: Unique hash of the certificate, which can be used to verify that the certificate is valid
    Example 1
    host1#show ipsec certificates public-certs...
  • Page 266
    SHA-1 = 58:ba:fb:0d:68:61:42:2a:52:7e:19:82:77:a4:55:4c:25:8c:c5:60
    Example 2
    host1# show ipsec certificates root-cas
    ---------- Root CAs: ----------
    Ca Identity:[trustedca1]Certificate =
    SubjectName = <C=CA, ST=ON, L=Kanata, O=Juniper Networks, OU=VTS Group, CN=VTS Root CA>
    IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA>
    SerialNumber= 79592882508437425959858112994892506178
    SignatureAlgorithm = rsa-pkcs1-sha1
    Certificate seems to be self-signed.
  • Page 267 Chapter 8: Configuring Digital Certificates
    09443381900005615652631560044304863856421739848326865877661787314144447 8276502323232108941157077
    Exponent e ( 17 bits) : 65537
    Extensions =
    Available = subject key identifier, key usage, basic constraints(critical), CRL distribution points, unknown
    KeyUsage = DigitalSignature NonRepudiation KeyCertSign CRLSign
    BasicConstraints = = TRUE [critical]
    CRLDistributionPoints =
    % Entry 1
    FullName =...
  • Page 268
    Example
    host1#show ipsec ike-configuration
    Ike configuration:
    Ike identity:
    Domain Name :treverxsys2.juniper.net
    Common Name :Sys2 ERX
    Organization:Juniper Networks
    Country
    CRL Check:optional
    See show ipsec ike-configuration. See show ike configuration.
    show ipsec key mypubkey rsa
    Use to display the 1024-bit or 2048-bit RSA public key configured on the router.
  • Page 269 Chapter 8: Configuring Digital Certificates
    For information about the format of an RSA public key, see “Public Key Format” on page 221 .
    Example
    host1#show ipsec key mypubkey rsa
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 009cfbde a16cf72c 49fbd3c1 10d5d9d4 8ba15ec0 9adcb19e 18d488f8 e0370c51 2d10e751 ddd81be4 dfc78aad 9deb797f b2c51172 18967cfb e18f6efa 69285fef 10337527 78ca6bbc 907abb9e 44b12713 ab70cb0e a86d9c6c 80c99bd1 e2bf6b70 91222295 616a88bb cc479e15 be04f3a5 a6160645 844598c3 314b66af 3a8b7602 ed020301...
  • Page 270 JUNOSe 11.1.x IP Services Configuration Guide
    Example 2 Displays the peer public key for a remote peer with the specified IP address
    host1#show ipsec key pubkey-chain rsa address 192.168.32.3
    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 0082065f 841aa03a fadfda9f bf8be05c d2fe3596 abc3e265 0b86b99a df9b4907 29c7a737 8bf08491 5c96e72d 28471a12 f0735ff4 04d76ad1 3a80f10c 23dcadda b68ce8ec 5fdfbe58 a52008db 9a11f867 d38d0483 e4abd53c 89a4dc3c 985ea450 f17748c4 3f04def0 a3cf5d89 b62dfeae 5990641b 370bb113 73105ba7 585a41fc 3b020301...
  • Page 271: Configuring Ip Tunnels

    Chapter 9 Configuring IP Tunnels IP tunnels provide a way of transporting datagrams between routers separated by networks that do not support all the protocols that those routers support. This chapter describes how to configure IP tunnels on E Series routers; it contains the following sections: Overview on page 245 Platform Considerations on page 246...
  • Page 272: Gre Tunnels

    JUNOSe 11.1.x IP Services Configuration Guide GRE Tunnels GRE encapsulates IP packets to enable data transmission through an IP tunnel. The resulting encapsulated packet contains a GRE header and a delivery header. Consequently, the packet requires more processing than an IP packet, and GRE can be slower than native routing protocols.
  • Page 273: E120 Router And E320 Router

    Chapter 9: Configuring IP Tunnels SMs provide dedicated tunnel-server ports that are always configured on the module. Unlike other line modules, SMs do not pair with corresponding I/O modules that contain ingress and egress ports. Instead, they receive data from and transmit data to other line modules with access to ingress and egress ports on their own associated I/O modules.
  • Page 274: Configuration Tasks

    JUNOSe 11.1.x IP Services Configuration Guide
    RFC 791 Internet Protocol DARPA Internet Program Protocol Specification (September 1981)
    RFC 1700 Assigned Numbers (October 1994)
    RFC 1701 Generic Routing Encapsulation (October 1994)
    RFC 1702 Generic Routing Encapsulation over IPv4 Networks (October 1994)
    RFC 2003 IP Encapsulation within IP (October 1996)
    RFC 2784 Generic Routing Encapsulation (GRE) (March 2000)
    Configuration Tasks...
  • Page 275 Chapter 9: Configuring IP Tunnels NOTE: When you delete a virtual router that has been configured as a transport virtual router for a DVMRP tunnel, the show configuration output displays No Router for the transport virtual router. To remove the DVMRP tunnel interface, simply omit any reference to the transport virtual router.
  • Page 276: Configuration Example

    JUNOSe 11.1.x IP Services Configuration Guide Use to set the MTU for the tunnel. Specify a value in the range 1024–10240 bytes. Example host1(config-if)#tunnel mtu 7500 Use the no version to restore the default, 10240 bytes. See tunnel mtu. tunnel source Use to configure the source of the tunnel.
  • Page 277 Chapter 9: Configuring IP Tunnels
    Configure a physical or loopback interface for the end of the tunnel on virtual router boston. The IP address of this interface appears in the header of tunneled frames and is used for forwarding traffic.
    host1:boston(config)#interface atm 12/0.5
    host1:boston(config-if)#ip address 10.5.5.5 255.255.255.0
    Configure the tunnel interface on virtual router boston.
  • Page 278: Configuring Ip Tunnels To Forward Ip Frames

    JUNOSe 11.1.x IP Services Configuration Guide
    host1:chicago(config-if)#tunnel mtu 8000
    d. Configure the IP address of the tunnel interface.
    host1:chicago(config-if)#ip address 10.9.9.9 255.255.255.0
    Configuring IP Tunnels to Forward IP Frames When a line module receives IP frames destined for a tunnel, the module forwards the frames to a tunnel-service module.
  • Page 279: Creating Multicast Vpns Using Gre Tunnels

    Chapter 9: Configuring IP Tunnels Figure 20: Transport and Tunnel Networks Using Different Routing Protocols Creating Multicast VPNs Using GRE Tunnels For information about configuring multicast VPNs using GRE tunnels, see Configuring PIM for IPv4 Multicast in JUNOSe Multicast Routing Configuration Guide. Monitoring IP Tunnels You can monitor DVMRP and GRE tunnels by using the following commands.
  • Page 280 JUNOSe 11.1.x IP Services Configuration Guide
    Tunnel destination address: IP address of the destination of the tunnel
    Tunnel transport virtual router: Name of the virtual router associated with the tunnel
    Tunnel up/down trap: Indicates whether or not the E Series router sends traps to SNMP when the operational state of the tunnels changes, enabled or disabled
    Tunnel server location: Location of the tunnel server in slot/port format...
  • Page 281 Chapter 9: Configuring IP Tunnels
    Data tx
    1 DVMRP tunnel found
    1 tunnel was created static
    Example 3
    host1#show dvmrp tunnel state enabled
    DVMRP tunnel boston1 is up
    1 DVMRP tunnel found
    1 tunnel was created static
    Example 4
    host1#show dvmrp tunnel virtual-router vr1 ip 0.0.0.0
    DVMRP tunnel boston1 is up
    1 DVMRP tunnel found
    1 tunnel was created static...
  • Page 282 JUNOSe 11.1.x IP Services Configuration Guide
    host1#show dvmrp tunnel summary
    Administrative status enabled disabled
    Operational status down not-present
    See show dvmrp tunnel.
    show gre tunnel
    Use to display information about a GRE tunnel or a list of GRE tunnels. To view detailed information about tunnels, specify the detail keyword. To view the number of tunnels in a specific state, specify the state keyword and the state of the tunnel (disabled, down, enabled, lower-down, not-present, up).
  • Page 283 Chapter 9: Configuring IP Tunnels
    Octets: Number of octets received or transmitted by the tunnel
    Discards: Number of packets not accepted by the tunnel
    Errors: Number of packets with errors received or transmitted by the tunnel
    Data rx: Received data
    Data tx: Transmitted data
    Number of tunnels found: Total number of GRE tunnels found
    Number of static tunnels: Number of tunnels created statically...
  • Page 284 JUNOSe 11.1.x IP Services Configuration Guide
    Tunnel destination address is '0.0.0.0'
    Tunnel transport virtual router is vr1
    Tunnel checksum option is disabled
    Tunnel up/down trap is enabled
    Tunnel server location is 4/0
    Tunnel administrative state is up
    Statistics packets octets discards errors
    Data rx...
  • Page 285 Chapter 9: Configuring IP Tunnels
    Statistics packets octets discards errors
    Data rx
    Data tx
    2 GRE tunnels found
    2 tunnels were created static
    See show gre tunnel.
    show gre tunnel summary
    Use to display a summary of information about GRE tunnels.
    Field descriptions
    Administrative status
    enabled: Tunnel is available for use...
  • Page 286 JUNOSe 11.1.x IP Services Configuration Guide Monitoring IP Tunnels...
  • Page 287: Configuring Dynamic Ip Tunnels

    Chapter 10 Configuring Dynamic IP Tunnels IP tunnels provide a way of transporting datagrams between routers separated by networks that do not support all the protocols that those routers support. This chapter describes how to configure dynamic IP tunnels on E Series routers; it contains the following sections: Dynamic IP Tunnel Overview on page 261 Platform Considerations on page 263...
  • Page 288: Mobile Ip And Dynamic Ip Tunnels

    JUNOSe 11.1.x IP Services Configuration Guide The data MDT application enables you to solve the problem of IP routers flooding unnecessary multicast information to PE routers that have no interested receivers for a particular VPN multicast group. The multicast data MDT solution requires the creation of a new dynamic IP tunnel by the PE router if the source exceeds a configured rate threshold parameter.
  • Page 289: Combining Dynamic And Static Ip Tunnels In The Same Chassis

    Chapter 10: Configuring Dynamic IP Tunnels For more information about configuring Mobile IP using GRE or DVMRP tunnels, see “Configuring the Mobile IP Home Agent” on page 315 . Combining Dynamic and Static IP Tunnels in the Same Chassis You can configure both dynamic and static IP tunnels in the same chassis. A tunnel pair consists of two endpoints;...
  • Page 290: Module Requirements

    JUNOSe 11.1.x IP Services Configuration Guide See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications. See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support IP tunnels. Module Requirements The supported modules for creating IP tunnels depend on the type of E Series router that you have.
  • Page 291: Redundancy And Tunnel Distribution

    Chapter 10: Configuring Dynamic IP Tunnels You can also create IP tunnels on IOAs that support shared tunnel-server ports. You can configure (provision) a shared tunnel-server port to use a portion of the IOA's bandwidth to provide tunnel services. For a list of the IOAs that support shared tunnel-server ports, see the E120 and E320 Module Guide.
  • Page 292: Configuring A Destination Profile For Gre Tunnels

    JUNOSe 11.1.x IP Services Configuration Guide
    host1(config)#gre destination profile global any-virtual-router
    Modify the options for the default destination profile.
    host1(config-dest-profile)#tunnel mtu 5000
    host1(config-dest-profile)#tunnel checksum
    NOTE: You cannot configure a tunnel source, tunnel destination, or virtual router in the default destination profile.
    Configuring a Destination Profile for GRE Tunnels To configure a destination profile for dynamic GRE tunnels: Configure a destination profile for GRE.
  • Page 293: Creating A Destination Profile For Dvmrp Tunnels

    Chapter 10: Configuring Dynamic IP Tunnels Creating a Destination Profile for DVMRP Tunnels To configure a destination profile for dynamic DVMRP tunnels: Configure a destination profile for DVMRP.
    host1(config)#dvmrp destination profile kanata1 virtual-router
    Set the source address for the tunnel.
    host1(config-dest-profile)#tunnel source 1.1.1.1
    Set the destination address for the tunnel.
  • Page 294 JUNOSe 11.1.x IP Services Configuration Guide Use to specify that the router accepts only dynamic IP tunnels protected by an IPSec transport connection. This command is supported in the destination profile only when you have installed an ISM on ERX routers. Example host1(config-dest-profile)#enable ipsec-transport Use the no version to disable IPSec transport mode.
  • Page 295 Chapter 10: Configuring Dynamic IP Tunnels tunnel destination Use to configure the remote end of the tunnel. Specify the IP address of an interface on the remote router or the range of destination addresses: Use the subnet keyword to configure the IP address for the destination interface and the mask.
  • Page 296: Monitoring Dynamic Ip Tunnels

    JUNOSe 11.1.x IP Services Configuration Guide Use to configure the source of the tunnel. Specify either the primary IP address or the type and specifier of an interface. Do not specify an unnumbered interface. You can configure multiple sources in a GRE destination profile or a DVMRP destination profile.
  • Page 297 Chapter 10: Configuring Dynamic IP Tunnels
    host1#show dvmrp destination profile
    default dvmrp destination profile global
    dvmrp destination profile kanata1
    dvmrp destination profile kanata2
    3 dvmrp destination profiles found
    the default destination profile is present
    Example 2 Displays a specific destination profile
    host1#show dvmrp destination profile kanata1
    dvmrp destination profile kanata1
    tunnel mtu 10240...
  • Page 298 JUNOSe 11.1.x IP Services Configuration Guide
    Tunnel transport virtual router: Name of the virtual router associated with the tunnel
    Tunnel mdt: Tunnel MDT state
    Tunnel checksum option: State of the checksum feature: enabled or disabled
    Tunnel sequence number option: State of the sequence number feature; enabled or disabled
    Tunnel up/down trap is enabled: Indicates whether or not the E Series router sends traps to SNMP when the operational state of the tunnels changes...
  • Page 299 Chapter 10: Configuring Dynamic IP Tunnels
    Tunnel source address is '1.1.1.1'
    Tunnel destination address is '2.2.2.2'
    Tunnel transport virtual router is vr1
    Tunnel mdt is disabled
    Tunnel up/down trap is enabled
    Tunnel-server location is 4/0
    Tunnel administrative state is Up
    Statistics packets octets...
  • Page 300 JUNOSe 11.1.x IP Services Configuration Guide
    Example
    host1#show dvmrp tunnel summary
    Administrative status enabled disabled
    Operational status down not-present
    See show dvmrp tunnel.
    show gre destination profile
    Use to display the configuration of GRE destination profiles.
    Field descriptions
    default gre destination profile: Name of the modified default destination profile on the system
    gre destination profile: Name of the GRE destination profiles configured on the system...
  • Page 301 Chapter 10: Configuring Dynamic IP Tunnels
    Example 2 Displays a specific GRE destination profile used for dynamic IP tunnel creation
    host1#show gre destination profile boston1
    gre destination profile boston1
    tunnel checksum disabled
    tunnel sequence-datagrams disabled
    tunnel mtu 10240
    ipsec transport mode disabled
    tunnel mdt disabled
    profile kanata virtual router vr1...
  • Page 302 JUNOSe 11.1.x IP Services Configuration Guide
    not-present: Tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible
    Application: Name of the application that created the tunnel
    Tunnel mtu: Value of the maximum transmission unit for the tunnel
    Tunnel source address: IP address of the source of the tunnel
    Tunnel destination address: IP address of the destination of the tunnel
    Tunnel transport virtual router: Name of the virtual router associated with...
  • Page 303 Chapter 10: Configuring Dynamic IP Tunnels
    3 GRE tunnels found
    3 tunnels were created dynamic
    Example 2 Displays the detail of a dynamically created GRE tunnel for the data MDT application
    host1:vr11#show dvmrp tunnel detail mvpn-dynamic-1
    GRE tunnel mvpn-dynamic-1 is Up
    tunnel is dynamic
    Application is MVPN
    Tunnel operational configuration...
  • Page 304 JUNOSe 11.1.x IP Services Configuration Guide Use to display a summary of information about GRE tunnels. Field descriptions Administrative status enabled Tunnel is available for use disabled Tunnel is not available for use Operational status up Tunnel is operational down Tunnel is not operational not-present Tunnel is not operational, because the hardware (such as a line module) supporting the tunnel is inaccessible Example...
  • Page 305: Chapter 11 IP Reassembly for Tunnels

    Chapter 11 IP Reassembly for Tunnels. This chapter describes IP packet reassembly for tunneled protocols on E Series routers; it contains the following sections: Overview on page 279; Platform Considerations on page 280; Configuring IP Reassembly on page 281; Monitoring IP Reassembly on page 282. Overview: Tunneling protocols provide a method of forwarding packets of a particular protocol through a network of a different protocol type.
  • Page 306: Platform Considerations

    Figure 21: Tunneling Through an IP Network That Fragments Packets. Platform Considerations: For information about modules that support IP reassembly on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router, see ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 307: E120 Router and E320 Router

    ...data to other line modules with access to ingress and egress ports on their own associated I/O modules. You can also create tunnels on router modules that support shared tunnel-server ports. You can configure (provision) a shared tunnel-server port to use a portion of the module's bandwidth to provide tunnel services.
  • Page 308: Monitoring IP Reassembly

    Use the no version to return IP tunnel reassembly to the default, disabled. See ip tunnel reassembly. l2tp ignore-receive-data-sequencing: Use to prevent sequence number verification for data packets received on all L2TP tunnels in the router. This command does not affect the insertion of sequence numbers in packets sent from the router.
  • Page 309: Displaying Statistics

    Displaying Statistics: The router keeps several statistics that are useful for diagnostic purposes. These statistics are organized by virtual router, and some are broken out by protocol as well. You can display statistics for a single virtual router or for all virtual routers. You can also display statistics relative to a baseline.
  • Page 310: host1#show ip tunnel reassembly statistics detail Tunnel IP Reassembly Statistics for Virtual Router: default Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: L2TP: GRE: IPSec: Control/Other: Total Reassembly Errors: Fragmentation Errors: Too Many Fragments: Out of Resources: Packet Too Big: Reassembly Timeout:...
  • Page 311: host1:vr2#show ip tunnel reassembly statistics delta Tunnel IP Reassembly Statistics for Virtual Router: vr2 Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: Reassembly Errors: Reassembly Discards: See show ip tunnel reassembly statistics. Monitoring IP Reassembly...
  • Page 313: Securing L2Tp And Ip Tunnels With Ipsec

    Chapter 12 Securing L2TP and IP Tunnels with IPSec This chapter describes how to secure generic routing encapsulation (GRE), Distance Vector Multicast Routing Protocol (DVMRP), and Layer 2 Tunneling Protocol (L2TP) tunnels with IP Security (IPSec) on your E Series router. It contains the following sections: Overview on page 287 Platform Considerations on page 288...
  • Page 314: IPSec Secured-Tunnel Maximums

    IPSec Secured-Tunnel Maximums: See JUNOSe Release Notes, Appendix A, System Maximums corresponding to your software release for information about the maximum number of GRE/IPSec, DVMRP/IPSec, and L2TP/IPSec connections supported on E Series routers. Platform Considerations: For information about modules that support L2TP and IP tunnels with IPSec on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router:...
  • Page 315: L2TP/IPSec Tunnels

    Negotiation of NAT-Traversal in the IKE, draft-ietf-ipsec-nat-t-ike-08.txt (July 2004 expiration). UDP Encapsulation of IPsec ESP Packets, draft-ietf-ipsec-udp-encaps-09.txt (November 2004 expiration). NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress.
  • Page 316: Setting Up the Secure L2TP Connection

    Figure 22: L2TP with IPSec Application. Setting Up the Secure L2TP Connection: Figure 23 on page 290 gives an overview of the process used to set up a secure connection between the client PC and an E Series router that is acting as a VPN provider.
  • Page 317: L2TP with IPSec Control and Data Frames

    L2TP with IPSec Control and Data Frames: L2TP and IPSec define control and data messages used for L2TP/IPSec. Figure 24 on page 291 shows an L2TP control frame encapsulated by IPSec. The shaded area shows the encrypted portion of the frame.
  • Page 318: Interaction Between IPSec and PPP

    Configure the router to run in NAT passthrough mode by using the application l2tp-nat-passthrough command. For information, see “NAT Passthrough Mode” on page 292. Configure the virtual router to enable NAT Traversal (NAT-T) by using the ipsec option nat-t command.
  • Page 319: NAT Traversal

    For information about configuring NAT passthrough mode as part of an IPSec transport profile, see “Configuring IPSec Transport Profiles” on page 302. NAT Traversal: Using NAT passthrough mode is an adequate solution when a single remote user located behind a NAT device needs secure access to an E Series router.
  • Page 320: UDP Statistics

    Figure 26 on page 294 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPSec. Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation. Figure 27 on page 294 shows an L2TP data frame encapsulated with a NAT-T UDP header.
  • Page 321: NAT Keepalive Messages

    ...packets to and from the SRP module, as it does for other UDP packets. As a result, the UDP statistics maintained by the SRP module do not reflect UDP-encapsulated IPSec packets. NAT Keepalive Messages: The router does not generate NAT keepalive messages.
  • Page 322: Configuration Tasks for Client PC

    The router ignores the idle timeout period for single-shot tunnels. This means that as soon as a single-shot tunnel's session is removed, the single-shot tunnel proceeds to disconnect. The following characteristics apply only to secure L2TP/IPSec single-shot tunnels: The underlying IPSec connection for a single-shot tunnel can carry no more than a single L2TP tunnel for the duration of its existence.
  • Page 323: Configuration Tasks for E Series Routers

    Create a VPN connection to the router. Log the client in to the E Series router. Configuration Tasks for E Series Routers: The main configuration tasks for setting up L2TP/IPSec are: Set up IP connectivity to L2TP clients;...
  • Page 324: Configuring NAT-T

    host1(config-l2tp-dest-profile-host)#profile georgeProfile1 Specify the local IP address to be used in any packets sent to the LAC. host1(config-l2tp-dest-profile-host)#local ip address 10.0.0.1 For information about other L2TP destination profile commands, see LNS Configuration Prerequisites. enable ipsec-transport: Use to specify that the router accept only L2TP tunnels protected by an IPSec transport connection.
  • Page 325: Configuring Single-Shot Tunnels

    host1(config)#virtual-router westford host1:westford(config)# Enable NAT-T for the current virtual router. host1:westford(config)#ipsec option nat-t ipsec option nat-t: Use to enable NAT-T for the current virtual router. With NAT-T enabled, IPSec traffic flows transparently through a NAT device, thereby allowing one or more remote hosts located behind the NAT device to use secure L2TP/IPSec tunnel connections to access the router.
  • Page 326: GRE/IPSec and DVMRP/IPSec Tunnels

    host1(config-l2tp-dest-profile-host)#single-shot-tunnel (Optional) Configure other attributes for the L2TP host profile. (Optional) Use the show l2tp destination profile command to verify configuration of the single-shot tunnel for a particular L2TP host profile. For information about how to use this command, see “show l2tp destination profile”...
  • Page 327: Setting Up the Secure GRE or DVMRP Connection

    Setting Up the Secure GRE or DVMRP Connection: In Figure 29 on page 301, a secure GRE/IPSec connection is set up between two E Series routers. To set up the secure connection: Set up the IPSec connection between the two routers.
  • Page 328: Configuring IPSec Transport Profiles

    interface tunnel gre: Use with the ipsec-transport keyword to create a GRE or DVMRP tunnel that is protected with IPSec in transport mode. NOTE: After you create a clear GRE or DVMRP tunnel, you cannot convert it to an IPSec-secured tunnel, or vice versa.
  • Page 329: host1(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha esp-3des-hmac-md5 To display the available transform sets, issue the transform-set ? command. Specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection, and enter Local IPSec Transport Profile mode. host1(config-ipsec-transport-profile)#local ip address 10.10.1.1 host1(config-ipsec-transport-profile-local)# (Optional) Configure a key for IKE negotiations.
  • Page 330: For L2TP/IPSec connections, you can enter a fixed IP address or the wildcard address, 0.0.0.0. If you use the wildcard address, the profile accepts any remote client connection, which is a typical scenario for secure remote access.
  • Page 331: Use the no version to delete the IP address. See local ip address. pfs group: Use to configure perfect forward secrecy for connections created with this IPSec transport profile. Assign a Diffie-Hellman prime modulus group using one of the following keywords: 1 768-bit group 2 1024-bit group...
  • Page 332: NOTE: After you enter a preshared key, the original (unencrypted) key cannot be retrieved. If you need to reenter the original key (for example, the system goes to factory default and you have only the show config output) you can: Use the show config command to see the encrypted (masked) form of the key.
  • Page 333: Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels

    Use the no version to reset the transform to the default, esp-3des-hmac-sha. See transform-set. Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels: This section contains information about troubleshooting and monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels. System Event Logs: To troubleshoot and monitor DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following system event log:...
  • Page 334: show ipsec ike-sa, show ike sa. NOTE: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release. Use to display IKE phase 1 SAs running on the router. When NAT-T is enabled on both the client PC and the E Series router, and the router has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in the Local:Port column is typically 4500.
  • Page 335: Local Cookie Unique identifier (SPI) for the local phase 1 IKE SA Remote Cookie Unique identifier (SPI) for the remote phase 1 IKE SA Example The following example displays the IKE phase 1 SAs for three remote client PCs that are accessing an E Series router (IP address 21.227.9.8).
  • Page 336: Virtual router Virtual router on which this profile is configured Application Type of application the connection can protect pfs group PFS group being used for the connection Mtu Tunnel's MTU size Local address Local endpoint address Remote address Remote endpoint address Local identity Shows the subnet, protocol, and port Remote identity Shows the subnet, protocol, and port...
  • Page 337: OutPolicyErrors Number of packets arriving at the transport connection for encapsulation that do not meet the specified identifier (selector) OutOtherTxErrors Number of outbound packets that have errors other than those listed above Example 1 host1:vr11#show ipsec transport interface IPSEC transport interface 5 is Up...
  • Page 338: OutPolicyErrors OutOtherTxErrors See show ipsec transport interface. show ipsec transport interface summary: Use to display a summary of existing IPSec transport connections by application and state. Field descriptions up Number of IPSec transport interfaces that are currently up down Number of IPSec transport interfaces that are currently down upper-bound Number of IPSec transport interfaces that are currently bound to the upper layer...
  • Page 339: IPSEC transport profile goi2 2 Ipsec transport profiles found Example 2 host1:vr11#show ipsec transport profile goi1 IPSEC transport profile goi1 Virtual router vr00 Peer address 10.255.0.62 Application gre,dvmrp Lifetime range in seconds 900 900 Lifetime range in kilobytes 102400 4294967294 TransformSet transport-esp-3des-sha1 Pfs group 0...
  • Page 340: Tunnels are single-shot Indicates that single-shot tunnels are configured for this host profile Current session count is Number of current sessions for the host profile Example host1#show l2tp destination profile westford L2TP destination profile westford Configuration Destination address Transport ipUdp...
  • Page 341: Configuring The Mobile Ip Home Agent

    Chapter 13 Configuring the Mobile IP Home Agent This chapter describes how to configure the Mobile IP home agent on E Series routers. Mobile IP Overview on page 315 Mobile IP Platform Considerations on page 319 Mobile IP References on page 319 Before You Configure the Mobile IP Home Agent on page 319 Configuring the Mobile IP Home Agent on page 320 Monitoring the Mobile IP Home Agent on page 325...
  • Page 342: Mobile IP Agent Discovery

    Packets sent to the home address of the mobile node are redirected by the home agent through the tunnel to the CoA at the foreign agent. The foreign agent routes the packets to the mobile node's home address. If the mobile node's home address is a private address or if the foreign agent implements ingress filtering, a reverse tunnel from the CoA to the home agent is required.
  • Page 343: AAA

    ...authentication algorithm and key are retrieved by checking the security association indexed by the security parameter index (SPI) value. This verification results in a 128-bit key and the authentication algorithm with which to compute an MD-5 message digest over the registration request.
  • Page 344: Subscriber Management

    Juniper Networks vendor-specific attributes (VSAs) to provide the appropriate authentication algorithm and secure key for the authentication request. For information about the specific Juniper Networks VSAs used for Mobile IP RADIUS-based authentication, see JUNOSe Broadband Access Configuration Guide and...
  • Page 345: Mobile IP Platform Considerations

    ...destination unreachable error message. For reverse tunnels, packets are de-tunneled and forwarded towards the next hop to the destination address. For more information about configuring GRE and DVMRP dynamic IP tunnels, see “Configuring Dynamic IP Tunnels”...
  • Page 346: Configuring the Mobile IP Home Agent

    (Optional) Configure the B-RAS license. (Optional) Configure a RADIUS authentication server on the router. (Optional) Configure a RADIUS accounting server on the router. Configure a loopback interface to be used as the primary interface for a tunnel. Configure an interface profile for mobile host associations.
  • Page 347: Configure the Mobile IP security associations for mobile hosts. Configure the Mobile IP security associations for foreign agents. Assign an interface profile to be referenced by the Mobile IP home agent. (Optional) Verify the Mobile IP configuration. See “Monitoring the Mobile IP Home Agent”...
  • Page 348: NOTE: The values for lifetime, replay, and care-of-access configured per mobile host by using the ip mobile host command override the values configured by using the ip mobile home-agent command. See ip mobile home-agent. ip mobile host: Use to configure a mobile node on a virtual router with an optional host network access identifier (NAI) address or the home address (IP address of the home...
  • Page 349: ip mobile profile: Use to configure or associate a preconfigured interface profile with the home agent in a virtual router. For information about configuring a virtual router, see the JUNOSe System Basics Configuration Guide.
  • Page 350: Use to configure the security associations for a mobile node. You must configure security associations only for mobile nodes on which local authentication is configured. NOTE: If you delete a mobile node host by using the no ip mobile host command, all security associations that you configured for this host are deleted.
  • Page 351: Monitoring the Mobile IP Home Agent

    license mobile-ip home-agent: Use to configure the license key to enable a home agent. Specify a name for the license key, up to a maximum of 16 alphanumeric characters. Example host1(config)#license mobile-ip home-agent demo Use the no version to delete the license key configuration.
  • Page 352: Home IP address IP address of the mobile node Home agent address IP address of the home agent Care-of-address IP address of the foreign agent care-of address or co-located care-of address Lifetime granted Interval, in hh:mm:sec format, granted during registration before which the registration request exceeds the home agent configured time Lifetime remaining Remaining interval, in hh:mm:sec format, at which the...
  • Page 353: Replay protection time (in seconds) Reverse tunnel enabled See show ip mobile home-agent. show ip mobile host: Use to display configuration of all or specified mobile nodes or domain users. Field descriptions MN-NAI Network access identifier of the mobile node in user@realm, @realm, or @ format Home IP address IP address of the mobile node...
  • Page 354: See show ip mobile profile. show ip mobile secure foreign-agent: Use to display the security associations configured for all foreign agents on the virtual router. Field descriptions IP address IP address of foreign agent SPI Security parameter index (SPI) key for authenticating registration requests Algorithm Algorithm (hmac-md5 or keyed-md5) for authenticating Mobile IP...
  • Page 355: host1#show ip mobile secure host Home IP MN-NAI address Algorithm Replay ----------- ------- -------------- --------- ------ ---- @warner.com 288 ( 0x120 ) hmac-md5 time See show ip mobile secure host. show ip mobile traffic: Use to display protocol statistics for the Mobile IP home agent traffic, including advertisements, solicitations, registrations, registration errors, and security violations.
  • Page 356: Bad request form Number of registration requests rejected because of a malformed request Unavailable encapsulation Number of registration requests rejected because of unsupported encapsulation No reverse tunnel Number of registration requests rejected because reverse tunneling is disabled Example host1#show ip mobile traffic Home Agent Registrations:...
