Interaction Between Ipsec And Ppp; Lns Change Of Port; Group Preshared Key; Nat Passthrough Mode - Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual


JUNOSe 11.1.x IP Services Configuration Guide

Interaction Between IPSec and PPP

PPP defines the Compression Control Protocol (CCP) and the Encryption Control
Protocol (ECP) modes. These modes are currently not supported in the E Series
router. There is no interaction related to encryption directives between IPSec and
PPP.

LNS Change of Port

In the L2TP world, the LNS is allowed to change its port number; this functionality
is currently not supported in ERX routers. IPSec allows only port 1701 to be used
for L2TP/IPSec tunnels. However, the LAC is allowed to use any source port it desires.

Group Preshared Key

Group preshared keys allow the provisioning of secure remote access by means of
L2TP/IPSec to networks that do not use a certificate authority (CA) to issue certificates.
A group preshared key is associated with a local IP address in the E Series router and
is used to authenticate L2TP/IPSec clients that target this IP address as their VPN
server address.
CAUTION: Group preshared keys are not fully secure, and we recommend that you
use digital certificates in place of group preshared keys. Group preshared keys are
open to man-in-the-middle attacks. To reduce this risk, the ERX routers accept only
IPSec connections that specify L2TP traffic selectors for security associations (SAs)
that are negotiated over IKE connections authenticated with group preshared keys.

NAT Passthrough Mode

NAT devices can change the IP address and port number of a traversing IP packet.
Encrypted frames, in which an ESP header follows the IP header, may or may not
get through the NAT device.
You can set up the router to run in NAT passthrough mode, which causes the router
to not check UDP checksums. The reason is that a NAT device may change the IP
address while the UDP header is encrypted. In this case, the UDP checksum cannot
be recalculated. Not checking UDP checksums does not compromise security, because
IPSec protects UDP with an authentication algorithm far stronger than UDP
checksums. To set up the router to run in NAT passthrough mode, use the application
l2tp-nat-passthrough command.
We recommend that you configure the router to use NAT passthrough mode when
the NAT device provides a feature commonly known as IPSec passthrough.
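The checksum problem described above, as an added example that is not from the guide: an RFC 768 UDP checksum covers the IP pseudo-header, so when a NAT rewrites the outer source address of a transport-mode ESP packet the checksum inside the encrypted payload no longer verifies, yet the ESP integrity check (modelled here as an HMAC over SPI, sequence number and payload) still does. The key, addresses and L2TP payload are constructed values, and ESP confidentiality is not modelled.

```python
import hmac, hashlib, socket, struct

def udp_checksum(src_ip, dst_ip, segment):
    """RFC 768 checksum: covers an IPv4 pseudo-header (the addresses!) plus the UDP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, len(segment))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF  # zero is transmitted as 0xFFFF

def build_udp(src_ip, dst_ip, sport, dport, payload):
    """UDP segment whose checksum was computed for the pre-NAT addresses."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:6] + struct.pack("!H", csum) + payload

def udp_checksum_ok(src_ip, dst_ip, segment):
    stored = struct.unpack("!H", segment[6:8])[0]
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return udp_checksum(src_ip, dst_ip, zeroed) == stored

def esp_encapsulate(key, spi, seq, segment):
    """Simplified transport-mode ESP: SPI, sequence number, payload, then a 16-byte HMAC ICV
    over all three. The NAT device treats everything after the outer IP header as opaque."""
    body = struct.pack("!II", spi, seq) + segment
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def router_receive(key, outer_src, outer_dst, esp_packet, nat_passthrough):
    """Return (icv_ok, udp_checksum_ok, accepted) for an ESP packet that reached the router."""
    body, icv = esp_packet[:-16], esp_packet[-16:]
    icv_ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:16], icv)
    if not icv_ok:
        return False, False, False  # integrity failure is fatal regardless of passthrough mode
    segment = body[8:]
    csum_ok = udp_checksum_ok(outer_src, outer_dst, segment)
    return True, csum_ok, nat_passthrough or csum_ok

def demo():
    key = b"constructed-sa-key"
    client, nat_public, router = "10.0.0.5", "198.51.100.7", "203.0.113.1"
    segment = build_udp(client, router, 1701, 1701, b"L2TP SCCRQ (constructed)")
    pkt = esp_encapsulate(key, 0x1000, 1, segment)
    # The NAT rewrites the outer source address; the UDP header inside ESP cannot be touched.
    strict = router_receive(key, nat_public, router, pkt, nat_passthrough=False)
    passthrough = router_receive(key, nat_public, router, pkt, nat_passthrough=True)
    # One flipped bit in the protected payload: the ICV rejects it even in passthrough mode.
    tampered = router_receive(key, nat_public, router, pkt[:20] + bytes([pkt[20] ^ 1]) + pkt[21:], True)
    return strict, passthrough, tampered
```

`demo()` returns `((True, False, False), (True, False, True), (False, False, False))`: without passthrough the NAT-rewritten packet is dropped on the checksum alone, with passthrough it is accepted on the strength of the ICV, and a modified packet is rejected either way.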
292
L2TP/IPSec Tunnels
Configure the router to run in NAT passthrough mode by using the application
l2tp-nat-passthrough command. For information, see "NAT Passthrough Mode"
on page 292.
Configure the virtual router to enable NAT Traversal (NAT-T) by using the ipsec
option nat-t command. For information, see "NAT Traversal" on page 293.
