Operational Virtual Router; Transport Virtual Router; Table 10: Security Parameters Per Ipsec Policy Type - Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual


JUNOSe 11.1.x IP Services Configuration Guide

Table 10: Security Parameters per IPSec Policy Type

| Security Parameter | Manual | Signaled |
|---|---|---|
| Operational VR | Required | Required |
| Transport VR | Required | Required |
| Perfect forward secrecy | Optional | Optional |
| Lifetime | Optional | Optional |
| Inbound and outbound SAs | Required | Not applicable |
| Transform set | Required | Required |

Operational Virtual Router

The operational VR for a secure IP tunnel is the VR in which a secure IP tunnel exists.
The IP address and mask associated with a secure IP interface exist only within the
operational VR under which the interface is declared. The VR defines the network
prefix, which is reachable through the logical IP interface.

A secure IP tunnel is always a member of one and only one operational VR. Therefore,
the operational VR attributes are mandatory for any secure tunnel. These attributes
include:

- IP address and mask
- Virtual router on which the secure IP interface exists

Transport Virtual Router

The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel
endpoints, the source and destination, are routable addresses. Normally, the transport
VR is the default ISP routing infrastructure on top of which VPNs are provisioned.

The IPSec Service module (ISM) is a security gateway and, as such, is one of the
endpoints for secure tunnels. The tunnel endpoints are the tunnel source and the
tunnel destination IP addresses. For IKE signaled IPSec tunnels, you can use the fully
qualified domain name (FQDN) instead of the IP address to identify the tunnel
endpoints. You typically use this feature to identify the tunnel destination endpoint
in DSL and broadband environments. See "Transport VR Definitions with an FQDN"
on page 133 in this section.

- The tunnel source IP address must be one of the local IP addresses configured
  on the router.
- The tunnel destination address must be a routable IP address within the transport
  VR routing tables.
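The following pre-deployment check is an added example, not part of the Juniper guide or of JUNOSe: it lints a planned tunnel definition against the Required entries of Table 10 and the two transport VR endpoint rules above. The dictionary layout, VR names, and addresses are constructed for illustration, and rejecting an FQDN destination on a manual tunnel is this example's reading of the page, which describes FQDN endpoints only for IKE signaled tunnels.

```python
import ipaddress

# Table 10 on this page: parameters that are Required for each policy type.
REQUIRED = {
    "manual": ["operational_vr", "transport_vr", "inbound_outbound_sas", "transform_set"],
    "signaled": ["operational_vr", "transport_vr", "transform_set"],
}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_tunnel(tunnel, vrs):
    """Return a list of problems. vrs maps VR name -> {"local": [...], "routes": [...]}."""
    kind = tunnel["type"]
    problems = [f"missing required parameter: {p}" for p in REQUIRED[kind] if not tunnel.get(p)]
    if kind == "signaled" and tunnel.get("inbound_outbound_sas"):
        problems.append("inbound/outbound SAs are not applicable to signaled tunnels")
    for key in ("operational_vr", "transport_vr"):
        if tunnel.get(key) and tunnel[key] not in vrs:
            problems.append(f"{key} {tunnel[key]!r} is not defined")
    # The source must be a local address configured on the router (any VR).
    local = {a for vr in vrs.values() for a in vr["local"]}
    if tunnel["source"] not in local:
        problems.append("tunnel source is not a local address on the router")
    dest, tvr = tunnel["destination"], vrs.get(tunnel.get("transport_vr"))
    if not is_ip(dest):
        # The page describes FQDN endpoints only for IKE-signaled tunnels.
        if kind != "signaled":
            problems.append("FQDN destination requires a signaled tunnel")
    elif tvr and not any(ipaddress.ip_address(dest) in ipaddress.ip_network(r)
                         for r in tvr["routes"]):
        problems.append("tunnel destination is not routable in the transport VR")
    return problems

# Constructed sample data (documentation address ranges, hypothetical VR names).
VRS = {
    "isp": {"local": ["192.0.2.1"], "routes": ["198.51.100.0/24"]},
    "vpn-a": {"local": ["10.1.0.1"], "routes": ["10.1.0.0/16"]},
}
GOOD = {"type": "signaled", "operational_vr": "vpn-a", "transport_vr": "isp",
        "transform_set": "ts1", "source": "192.0.2.1", "destination": "198.51.100.7"}
# Destination exists only in the operational VR's table, and the manual SAs are missing.
BAD = dict(GOOD, type="manual", destination="10.1.5.5")

if __name__ == "__main__":
    for name, t in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tunnel(t, VRS))
```

The BAD case shows the distinction the two sections draw: an address reachable inside the operational VR does not satisfy the destination rule unless the transport VR can route to it.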
