Relocating Tunnel Interfaces; User Authentication; Platform Considerations - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
JUNOSe 11.0.x IP Services Configuration Guide
New subscribers are mapped only to IPSec tunnel profiles after the initial IKE SA is
established. Like IPSec tunnels, IKE policy rules are required to control IKE SA
acceptance and denial.

Relocating Tunnel Interfaces

Unlike static IPSec tunnel interfaces, dynamic IPSec subscribers do not relocate if
the IPSec server card becomes unavailable. If the IPSec server card becomes
unavailable, all dynamic subscribers that are logged in and located on that server
card are logged out and must log back in to connect.

User Authentication

For IPSec subscribers, user authentication occurs in two phases. The first phase is
an IPSec-level authentication (phase 1 or IKE authentication). Sometimes referred
to as "machine" authentication, because the user PC rather than the user is
authenticated, the first authentication phase verifies private or preshared keys that
reside on the PC. These keys are not easily moved from one PC to another and do not
require user entry each time authentication is performed.
After the IPSec-level authentication takes place, a user authentication occurs. Often
considered a legacy form of authentication, the user authentication (like RADIUS)
typically requires the user to enter information in the form of a username and
password.

Depending on the IKE phase 1 exchange, restrictions on the authentication type or
the access network setup might exist. To avoid any usage problems, keep the following
in mind:

If you are configuring a VPN where users perform preshared key IPSec
authentication and use the IKE main mode exchange for phase 1, you must set up
the access network such that the VPN has an exclusive local IP address.

If you want to share a single server address on the access network for more than
one VPN, you must either set the clients to use IKE aggressive mode or use a
public and private key pair for authentication. (This authentication type includes
X.509v3 certificates.)

The reason is that in main mode the initiator's identity is not sent until after
the preshared key has been used to derive keying material, so the router can select
the key only from the addresses of the exchange. In aggressive mode the identity is
sent in the clear in the first message, and with public and private key
authentication no preshared key has to be selected at all.

Platform Considerations

For information about modules that support dynamic IPSec subscribers on the ERX7xx
models, ERX14xx models, and the ERX310 Broadband Services Router:

Reachable networks on the VPN (allowing for split tunneling when supported
by the client software)

Security parameters intended to protect user traffic (including IPSec
encapsulating protocol, encryption algorithms, authentication algorithms,
lifetime parameters, perfect forward secrecy, and DH group for key
derivation)

Setting the IP address the router monitors for remote subscribers.
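The preshared-key selection problem behind the main mode and aggressive mode rules under User Authentication above, modeled as an added example. This is not code from the JUNOSe guide or from Juniper: it models an IKEv1 responder that must choose a preshared key before it can verify a client, using a constructed VPN table (the names, addresses, identities and keys are made up) and a simplified stand-in for HASH_I that keeps only the SKEYID keying relevant to the point. The model shows that one local address can serve only one preshared-key VPN in main mode, while aggressive mode (identity in the clear) or certificate authentication lets VPNs share an address.

```python
"""Model of IKEv1 phase 1 preshared-key selection on an IPSec responder.

In main mode (RFC 2409, section 5.4) the initiator's identity (IDii) is sent
encrypted in message 5, and that encryption is keyed from
SKEYID = prf(pre-shared-key, Ni_b | Nr_b). The responder therefore has to pick
the preshared key knowing only the addresses of the exchange, which is why one
local address can serve only one PSK-authenticated VPN in main mode. In
aggressive mode IDii is in the clear in message 1, and with public/private key
(certificate) authentication no PSK lookup happens at all, so a local address
can be shared. This is an illustrative model, not Juniper's implementation.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Vpn:
    name: str
    local_addr: str            # server address the router monitors for this VPN
    psk: Optional[bytes]       # preshared key; None means certificate authentication
    identities: frozenset      # IKE identities expected from this VPN's clients


# Constructed example table: names, addresses, identities and keys are made up.
VPNS = (
    Vpn("sales", "203.0.113.1", b"sales-preshared-key", frozenset({"alice@sales.example"})),
    Vpn("eng",   "203.0.113.1", b"eng-preshared-key",   frozenset({"bob@eng.example"})),
    Vpn("pki",   "203.0.113.1", None,                   frozenset({"cn=carol,o=example"})),
    Vpn("fin",   "203.0.113.2", b"fin-preshared-key",   frozenset({"dave@fin.example"})),
)


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def id_hash(key: bytes, id_payload: bytes) -> bytes:
    """Simplified stand-in for HASH_I. The real value also covers g^xi, g^xr,
    both cookies and SAi_b; only the keying by SKEYID matters for this model."""
    return hmac.new(key, id_payload, hashlib.sha1).digest()


def select_psk_vpn(mode: str, local_addr: str,
                   id_payload: Optional[str]) -> Tuple[Optional[Vpn], str]:
    """Pick the PSK-authenticated VPN the responder will use for this exchange."""
    psk_vpns = [v for v in VPNS if v.local_addr == local_addr and v.psk is not None]
    if mode == "main":
        # The identity is not available yet: only the local address can disambiguate.
        if len(psk_vpns) == 1:
            return psk_vpns[0], "selected-by-address"
        return None, ("ambiguous-psk" if psk_vpns else "no-psk-vpn")
    if mode == "aggressive":
        # IDii arrived in the clear in message 1, so the key is looked up by identity.
        for v in psk_vpns:
            if id_payload in v.identities:
                return v, "selected-by-identity"
        return None, "unknown-identity"
    raise ValueError("unknown IKE phase 1 mode: %s" % mode)


def responder_phase1(mode: str, local_addr: str, client_id: str, client_psk: bytes,
                     ni: bytes = b"nonce-i", nr: bytes = b"nonce-r") -> Tuple[Optional[str], str]:
    """Return (accepted VPN name or None, reason) for a PSK client's phase 1 attempt."""
    vpn, reason = select_psk_vpn(mode, local_addr, client_id if mode == "aggressive" else None)
    if vpn is None:
        return None, reason
    # The client derives SKEYID from its own PSK; the responder from the one it selected.
    client_hash = id_hash(skeyid(client_psk, ni, nr), client_id.encode())
    server_hash = id_hash(skeyid(vpn.psk, ni, nr), client_id.encode())
    if not hmac.compare_digest(client_hash, server_hash):
        return None, "auth-failed"           # wrong PSK selected, or wrong client key
    if client_id not in vpn.identities:
        return None, "identity-not-in-vpn"   # key matched but identity is not authorised
    return vpn.name, "ok"


if __name__ == "__main__":
    # Shared address, main mode, two PSK VPNs: the responder cannot choose a key.
    print(responder_phase1("main", "203.0.113.1", "bob@eng.example", b"eng-preshared-key"))
    # Exclusive address for the PSK VPN: main mode works.
    print(responder_phase1("main", "203.0.113.2", "dave@fin.example", b"fin-preshared-key"))
    # Shared address, aggressive mode: the identity selects the key.
    print(responder_phase1("aggressive", "203.0.113.1", "bob@eng.example", b"eng-preshared-key"))
```

Run as a script, the three calls return an ambiguous-key failure for main mode on the shared address, success for main mode on the exclusive address, and success for aggressive mode on the shared address. The certificate-authenticated "pki" VPN never enters the preshared-key lookup, which is why it can share 203.0.113.1 with the others.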
