ESP Processing; AH Processing; IPSec Maximums Supported; DPD and IPSec Tunnel Failover - Juniper JUNOSe 11.0.x IP Services Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

ESP Processing

The router supports both the encryption and authentication functions of ESP
encapsulation as defined in RFC 2406. Specifically, the router supports:

- DES and 3DES encryption algorithms
- The HMAC-SHA and HMAC-MD5 authentication algorithms
- ESP security options on a per-tunnel (per-SA) basis
- Tunnel mode

AH Processing

The router supports AH encapsulation as defined in RFC 2402. Specifically, the router
supports:

- HMAC-SHA and HMAC-MD5 authentication algorithms
- AH authentication options on a per-tunnel (per-SA) basis
- Tunnel mode

IPSec Maximums Supported

See JUNOSe Release Notes, Appendix A, System Maximums corresponding to your
software release for information about maximum values.

DPD and IPSec Tunnel Failover

Dead peer detection (DPD) is a keepalive mechanism that enables the E Series router
to detect when the connection between the router and a remote IPSec peer has been
lost. DPD enables the router to reclaim resources and to optionally redirect traffic to
an alternate failover destination. If DPD is not enabled, the traffic continues to be
sent to the unavailable destination.

When a disconnected state is detected between the E Series router and an IPSec
peer, the router:

- Tears down the IPSec connection and displays the interface's state as down in
  output for the show ipsec tunnel detail command
- Clears all SAs that were established between the two endpoints
- Stops forwarding packets to the unavailable destination
- Generates SNMP traps
- Allows routing protocols running on the IP interfaces on top of the failed IPSec
  tunnel to switch to alternate paths
- (Optional) Redirects traffic to an alternate tunnel destination

Chapter 5: Configuring IPSec