Inbound and Outbound SAs; Transform Sets - Juniper JUNOSe 11.0.x IP Services Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

To set the tunnel lifetime, use the tunnel lifetime command.
To set the global (default) lifetime, use the ipsec lifetime command.

Inbound and Outbound SAs

SA parameters are the actual session parameters used to secure a specific data flow
associated with a specific secure IP interface. How SA parameters are set depends
on how the IP interface is secured:

For manual secure IP interfaces, the system administrator sets the SA parameters.
Manually setting SA parameters allows provisioning of IP security to destinations
that do not support SA negotiation through IKE.

For signaled secure IP interfaces, the two security gateway peers negotiate the SA
parameters; the system administrator is not allowed to set any of them. In fact, for
some of these parameters, such as session keys, the system administrator is not even
granted read access.

Like the IPSec SAs themselves, SA parameters are unidirectional. Therefore, for a
two-way data flow, two SAs need to be established: one for inbound traffic and another
for outbound traffic. For each direction, SA parameters must be set for each transform
associated with the secure IP interface. Consequently, two sets of SA parameters exist
for each secure IP interface, one holding the inbound SA parameters and the other the
outbound SA parameters.

The following parameters form each set of SA parameters:

SPI - The SPI is a unique identifier that is applied to the SA when securing a flow.
An SPI is unique for a given destination IP address and protocol tuple. The
destination IP address is the remote secure IP interface endpoint for the outbound
direction, or the local secure IP interface endpoint for the inbound direction.

Encapsulation - The encapsulation options include both an encapsulating protocol
and an encapsulating mode. The protocol can be either ESP or AH. The mode is
tunnel mode.

Transforms - The allowed transforms for given SA parameters depend on the
encapsulation protocol. See "Transform Sets" on page 135 for more information.

Keys - The session key is used for the respective SA transform. The key length
depends on the SA transform to which it applies, and is as follows:

    DES    8 bytes
    3DES  24 bytes
    MD5   16 bytes
    SHA   20 bytes
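The following is an added example, not code from the manual or from JUNOSe: a small validator for manually provisioned SA parameter sets that encodes the rules stated above (one inbound and one outbound SA per secure IP interface, tunnel mode only, ESP or AH, SPI unique per destination-address-and-protocol tuple, and the fixed key length per transform: DES 8, 3DES 24, MD5 16, SHA 20 bytes). It goes slightly beyond the page in two places, both labelled in the code: the SPI is checked as a 32-bit value with 0 and 1-255 treated as reserved (RFC 4303 section 2.1, not the manual), and an AH SA is rejected if it carries a cipher transform, since AH provides authentication only. The sample SAs, addresses, SPIs and keys are constructed for the example. Practitioners should also note that DES, 3DES and MD5, while listed here, are obsolete algorithms and should not be chosen where anything stronger is available.

```python
"""Validator for manually provisioned IPsec SA parameter sets.

Added example, not JUNOSe code. Models the four parameters the text lists
(SPI, encapsulation, transforms, keys) and the rules it states. The SPI
range check comes from RFC 4303, not from the manual.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEY_LENGTH = {"des": 8, "3des": 24, "md5": 16, "sha": 20}  # bytes, per the text
CIPHERS = {"des", "3des"}
AUTHS = {"md5", "sha"}
RESERVED_SPI_MAX = 255  # RFC 4303 2.1: SPIs 1..255 reserved, 0 is local use only


@dataclass
class ManualSA:
    direction: str          # "inbound" or "outbound"
    spi: int
    protocol: str           # "esp" or "ah"
    dst: str                # remote endpoint (outbound) or local endpoint (inbound)
    keys: Dict[str, bytes]  # transform name -> session key
    mode: str = "tunnel"    # per the text, manual SAs use tunnel mode only


def check_sa(sa: ManualSA) -> List[str]:
    """Return the problems found in one directional SA (empty list if valid)."""
    errors: List[str] = []
    if sa.direction not in ("inbound", "outbound"):
        errors.append(f"bad direction {sa.direction!r}")
    if sa.protocol not in ("esp", "ah"):
        errors.append(f"bad protocol {sa.protocol!r}")
    if sa.mode != "tunnel":
        errors.append(f"mode must be tunnel, got {sa.mode!r}")
    if not 0 <= sa.spi <= 0xFFFFFFFF:
        errors.append(f"SPI {sa.spi} is not a 32-bit value")
    elif sa.spi <= RESERVED_SPI_MAX:
        errors.append(f"SPI {sa.spi} is in the reserved range 0-255")
    # The session key length is dictated by the transform it belongs to.
    for transform, key in sa.keys.items():
        expected = KEY_LENGTH.get(transform)
        if expected is None:
            errors.append(f"unknown transform {transform!r}")
        elif len(key) != expected:
            errors.append(f"{transform} key is {len(key)} bytes, expected {expected}")
    ciphers = [t for t in sa.keys if t in CIPHERS]
    auths = [t for t in sa.keys if t in AUTHS]
    # Assumption beyond the page: AH authenticates only, so no cipher on an AH SA.
    if sa.protocol == "ah" and ciphers:
        errors.append("AH SA cannot carry a cipher transform")
    if sa.protocol == "ah" and not auths:
        errors.append("AH SA needs an authentication transform")
    if sa.protocol == "esp" and not ciphers:
        errors.append("ESP SA needs a cipher transform")
    if len(ciphers) > 1 or len(auths) > 1:
        errors.append("at most one cipher and one authentication transform per SA")
    return errors


def check_interface(sas: List[ManualSA]) -> List[str]:
    """One secure IP interface needs exactly one inbound and one outbound SA."""
    errors: List[str] = []
    by_dir: Dict[str, List[ManualSA]] = {}
    for sa in sas:
        errors.extend(f"{sa.direction}: {e}" for e in check_sa(sa))
        by_dir.setdefault(sa.direction, []).append(sa)
    for direction in ("inbound", "outbound"):
        if len(by_dir.get(direction, [])) != 1:
            errors.append(f"interface needs exactly one {direction} SA")
    return errors


def check_spi_uniqueness(sas: List[ManualSA]) -> List[str]:
    """Across all SAs on the router, an SPI must be unique per (dst, protocol)."""
    seen: Dict[Tuple[str, str, int], int] = {}
    for sa in sas:
        key = (sa.dst, sa.protocol, sa.spi)
        seen[key] = seen.get(key, 0) + 1
    return [f"SPI {spi:#x} used {n} times for ({dst}, {proto})"
            for (dst, proto, spi), n in seen.items() if n > 1]


# Constructed sample data: a valid ESP 3DES/SHA pair for one interface, plus a
# second inbound SA that has a short DES key and reuses the pair's inbound SPI
# on the same local endpoint.
GOOD_PAIR = [
    ManualSA("outbound", 0x1001, "esp", "203.0.113.2",
             {"3des": b"k" * 24, "sha": b"h" * 20}),
    ManualSA("inbound", 0x2001, "esp", "203.0.113.1",
             {"3des": b"k" * 24, "sha": b"h" * 20}),
]
BAD_INBOUND = ManualSA("inbound", 0x2001, "esp", "203.0.113.1",
                       {"des": b"k" * 7, "md5": b"h" * 16})


def example() -> Tuple[List[str], List[str], List[str]]:
    """Run the three checks over the constructed sample and return their findings."""
    return (check_interface(GOOD_PAIR),
            check_sa(BAD_INBOUND),
            check_spi_uniqueness(GOOD_PAIR + [BAD_INBOUND]))


if __name__ == "__main__":
    for findings in example():
        print(findings or "ok")
```

The SPI uniqueness check is the one most worth automating on a router with many manual secure IP interfaces: the receiver demultiplexes incoming ESP or AH packets by SPI, destination address and protocol, so two inbound SAs sharing that tuple cannot be told apart.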

Transform Sets

Transform sets are composed of security parameters that provide a required security
level to a particular data flow. Transform sets are used during user SA negotiation
Chapter 5: Configuring IPSec
135