Juniper JUNOS OS 10.4 - RELEASE NOTES REV 6 Release Note page 112

syn-check-required: The syn-check-required value will override the global value
no-syn-check.
To configure per-policy TCP options, the respective global options must be turned off;
otherwise, the commit check will fail. If global TCP options are disabled and SYN flood
protection permits the first packet, then the per-policy TCP options will control whether
SYN check and/or sequence check are performed.
NOTE: The per-policy SYN check required option will not override the behavior of
the set security flow tcp-session no-syn-check-in-tunnel CLI command.
Disabling the global SYN check reduces the effectiveness of the device in
defending against packet flooding.
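An added example, not part of the Juniper release notes: a Python check over a set-format configuration that flags the three conditions described above (a per-policy option whose global counterpart is not turned off, a policy left without SYN check, and the no-syn-check-in-tunnel case). The zone names, policy names and sample configuration are constructed; the no-sequence-check and sequence-check-required statements and the "then permit tcp-options" policy path are Junos statements that do not appear on this page.

```python
import re

# Global statement that must be present (global check turned off) before the
# per-policy option passes commit check, as the release note describes.
REQUIRED_GLOBAL = {"syn-check-required": "no-syn-check",
                   "sequence-check-required": "no-sequence-check"}
GLOBAL_RE = re.compile(r"^set security flow tcp-session (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                       r"policy (\S+) (.*)$")

def audit(config_text):
    """Return sorted (policy, message) findings for a set-format config."""
    flow, policies = set(), {}
    for line in map(str.strip, config_text.splitlines()):
        if m := GLOBAL_RE.match(line):
            flow.add(m[1])
        elif m := POLICY_RE.match(line):
            opts = policies.setdefault(f"{m[1]}->{m[2]}/{m[3]}", set())
            if t := re.match(r"then permit tcp-options (\S+)$", m[4]):
                opts.add(t[1])
    findings = []
    for name, opts in policies.items():
        for opt in opts & REQUIRED_GLOBAL.keys():
            if REQUIRED_GLOBAL[opt] not in flow:
                findings.append((name, f"{opt} set but global "
                                 f"{REQUIRED_GLOBAL[opt]} missing: commit check fails"))
        # Global SYN check is off, so only policies that opt in are checked.
        if "no-syn-check" in flow and "syn-check-required" not in opts:
            findings.append((name, "no SYN check: global check off, policy not opted in"))
        # The NOTE: the per-policy option does not change in-tunnel behavior.
        if "no-syn-check-in-tunnel" in flow and "syn-check-required" in opts:
            findings.append((name, "syn-check-required does not override "
                             "no-syn-check-in-tunnel"))
    return sorted(findings)

# Constructed sample configuration (zone and policy names are made up).
SAMPLE = """
set security flow tcp-session no-syn-check
set security flow tcp-session no-syn-check-in-tunnel
set security policies from-zone trust to-zone untrust policy web match application junos-http
set security policies from-zone trust to-zone untrust policy web then permit tcp-options syn-check-required
set security policies from-zone trust to-zone untrust policy web then permit tcp-options sequence-check-required
set security policies from-zone trust to-zone dmz policy legacy match application any
set security policies from-zone trust to-zone dmz policy legacy then permit
"""

if __name__ == "__main__":
    for scope, msg in audit(SAMPLE):
        print(f"{scope}: {msg}")
```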
VPNs
IKE and IPsec predefined proposals for dynamic VPN—This feature is supported on
SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
In earlier releases, administrators had to configure individual Internet Key
Exchange (IKE) and IP Security (IPsec) proposals for all IKE and IPsec policy
configurations. This procedure was tedious and time consuming when many VPN
policies were needed, because custom proposals had to be configured for all IKE
and IPsec configurations.
Junos OS Release 10.4 supports proposal-set configuration in IKE and IPsec; the
administrator can select basic, compatible, or standard proposal sets for dynamic VPN
clients. Each proposal set consists of two or more predefined proposals. The server
selects one predefined proposal from the set configured and pushes it to the client in
the client configuration. The client uses this proposal in negotiations with the server
to establish the connection.
The default values for IKE and IPsec security association (SA) rekey timeout are as
follows:
- For IKE SA, the rekey timeout is 28800 seconds.
- For IPsec SA, the rekey timeout is 3600 seconds.
The basic use cases of proposals are as follows:
- IKE and IPsec both use proposal sets.
  The server selects a predefined proposal from the proposal set and sends it to the
  client, along with the default rekey timeout value.
- IKE uses a proposal set, and IPsec uses a custom proposal.
  The server sends a predefined IKE proposal from the configured IKE proposal set to
  the client, along with the default rekey timeout value. For IPsec, the server sends the
  setting that is configured in the IPsec proposal.
- IKE uses a custom proposal, and IPsec uses a proposal set.
Copyright © 2011, Juniper Networks, Inc.