Table of Contents
Advertisement
If either license is unavailable, the router denies access to the subscriber.
Inherited Subscriber Functionality
Dynamic IPSec subscribers inherit much of the built-in AAA subscriber management
functionality. This functionality includes the following:
For additional information on AAA functionality, see JUNOSe Broadband Access
Configuration Guide.
Using IPSec Tunnel Profiles
IPSec tunnel profiles serve the following purposes in the configuration of dynamic
IPSec subscribers:
One IPSec license
AAAA subscriber management commands
DNS (primary and secondary)
WINS (primary and secondary)
Session timeout
Accounting features (interval, duplication, immediate update, broadcasting,
Acct-stop)
Duplicate address checking
IP address pools
Per virtual-router subscriber limit
Policies
Packet mirroring
Controlling which connecting user, based on the IKE identification, belongs to
a given profile. Profile settings falling in this category include the following:
IKE identities from peers that can use this profile. These identities include
IP addresses, domain names, and E-mail addresses. In addition, distinguished
names that use X.509 certificates are permitted.
The router IKE identity.
Terminating extraneous security and IP profile settings that exist after a subscriber
is mapped to an IPSec tunnel. These settings include the following:
Maximum number of subscribers that this profile can terminate
AAA domain suffix intended for the username (helping to bridge users from
a given IPSec tunnel profile to an AAA domain map)
Phase 2 SA selectors for use in phase 2 SA exchanges
IP profiles intended for users logging in using this profile (helping to bridge
users from a given IPSec tunnel profile to an IP profile)
Chapter 6: Configuring Dynamic IPSec Subscribers
Overview
179
Advertisement
Table of Contents
