Other Security Features; Ip Security Policies - Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual


JUNOSe 11.1.x IP Services Configuration Guide
Table 12: Supported Security Transform Combinations (continued)

| Security Type | Supported Transform Combinations |
| --- | --- |
| Data authentication and confidentiality | ESP-DES-MD5, ESP-DES-SHA, ESP-3DES-MD5, ESP-3DES-SHA |

The ISM does not support both the ESP and AH encapsulation modes concurrently
on the same secure tunnel.

Negotiating Transforms

Inside a transform set, IPSec transforms are numbered in a priority sequence.

- During negotiation as an initiator of the user SA, the router uses transform
  number one first. If the remote system does not agree on the transform, the
  router then tries number two, and so on. If both end systems do not agree on a
  transform, the user SA fails and the secure IP tunnel is not established.
- During negotiation as a responder, the router compares the proposed transform
  from the remote end against each transform in the transform set. If there is no
  match, the router provides a negative answer to the remote end, which can
  either try another transform or give up. If no match is found, the secure IP tunnel
  is not established.

Other Security Features

The following sections briefly describe other supported security features for the ERX
routers. These features include the following:

- "IP Security Policies" on page 138
- "ESP Processing" on page 139
- "AH Processing" on page 139

This section also provides a pointer to the IPSec system maximums.

IP Security Policies

The ERX router does not support a systemwide SPD. Instead, the router takes
advantage of routing to forward traffic to and from a secure tunnel. The router still
applies IPSec selectors to traffic going into or coming out of a secure tunnel so that
unwanted traffic is not allowed inside the tunnel. Supported selectors include IP
addresses, subnets, and IP address ranges.
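The negotiation steps under Negotiating Transforms, modelled in Python as an added example (not code from the Juniper guide or from JUNOSe). The transform names come from Table 12; the SITE_A, SITE_B and SITE_C sets and the function names are constructed for illustration.

```python
"""Model of user-SA transform negotiation (added example, not JUNOSe code)."""

# Transform names listed in Table 12 on this page.
TABLE_12 = {"ESP-DES-MD5", "ESP-DES-SHA", "ESP-3DES-MD5", "ESP-3DES-SHA"}


def respond(responder_set, proposal):
    """Responder side: compare one proposed transform against each
    transform in the local set. True is acceptance, False is the
    negative answer sent back to the remote end."""
    return any(proposal == t for t in responder_set)


def negotiate(initiator_set, responder_set):
    """Initiator side: offer transform number one first, then number
    two, and so on. Returns (agreed, attempts); agreed is None when
    no transform matches, so the secure tunnel is not established."""
    attempts = []
    for number, transform in enumerate(initiator_set, start=1):
        if transform not in TABLE_12:
            raise ValueError(f"unsupported transform: {transform}")
        accepted = respond(responder_set, transform)
        attempts.append((number, transform, accepted))
        if accepted:
            return transform, attempts
    return None, attempts


# Constructed transform sets for three hypothetical peers,
# each listed in priority order (number one first).
SITE_A = ["ESP-3DES-SHA", "ESP-3DES-MD5", "ESP-DES-MD5"]
SITE_B = ["ESP-DES-MD5", "ESP-3DES-MD5"]
SITE_C = ["ESP-DES-SHA"]

if __name__ == "__main__":
    for name, init, resp in [("A->B", SITE_A, SITE_B),
                             ("B->A", SITE_B, SITE_A),
                             ("A->C", SITE_A, SITE_C)]:
        agreed, attempts = negotiate(init, resp)
        print(name, agreed or "no tunnel", attempts)
```

With the same two transform sets, A initiating yields ESP-3DES-MD5 while B initiating yields ESP-DES-MD5, so the agreed transform depends on which side starts the negotiation.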
