NAT Keepalive Messages; Configuring and Monitoring NAT-T; Single-Shot Tunnels; Table 17: Configuration and Monitoring Tasks for NAT-T - Juniper JunosE 11.0.x IP Services Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
Chapter 12: Securing L2TP and IP Tunnels with IPSec

packets to and from the SRP module, as it does for other UDP packets. As a result,
the UDP statistics maintained by the SRP module do not reflect UDP-encapsulated
IPSec packets.

NAT Keepalive Messages

The router does not generate NAT keepalive messages. The following reasons explain
why this behavior does not generally pose problems for remote users.

• The primary application for using NAT-T is enabling secure L2TP/IPSec access
  to an E Series router for remote hosts located behind a NAT device. The L2TP
  protocol has its own keepalive mechanism that is sufficient for keeping NAT
  entries alive.

• In most NAT configurations, an ERX router does not operate behind the NAT
  device, thereby making the generation of keepalive messages unnecessary.

If the router receives NAT keepalive messages as part of the L2TP/IPSec traffic flow,
it discards these messages at the ingress line module on which the messages were
received.

Configuring and Monitoring NAT-T

For instructions on configuring and monitoring NAT-T, see the sections listed in Table
17 on page 295.

Table 17: Configuration and Monitoring Tasks for NAT-T

Task                                              | Command             | See Section
--------------------------------------------------|---------------------|-----------------------------------------------------------------------
Enabling and disabling NAT-T on a virtual router  | ipsec option nat-t  | "Configuring NAT-T" on page 298
Displaying information about the current NAT-T    | show ipsec option   | "Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels" on page 307
setting on a virtual router                       |                     |
Displaying information about the IKE SA           | show ipsec ike-sa   | "Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels" on page 307
negotiation when NAT-T is enabled                 |                     |

Single-Shot Tunnels

You can use the single-shot-tunnel command in L2TP Destination Profile Host
Configuration mode to configure a single-shot L2TP tunnel. Although configuration
of single-shot tunnels is more typically used with secure L2TP/IPSec tunnels, as
described in this chapter, you can also configure single-shot tunnels for nonsecure
L2TP tunnels that do not run over an IPSec connection.

A single-shot tunnel has the following characteristics:

• The L2TP tunnel can carry no more than a single L2TP session for the duration
  of its existence.

L2TP/IPSec Tunnels
295
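As an added example (not part of the Juniper manual and not JunosE code), the following Python classifies UDP port 4500 datagrams by the RFC 3948 NAT-T framing, so an operator can count how many NAT keepalive messages remote hosts are sending, traffic this chapter says the router discards at the ingress line module, alongside the UDP-encapsulated IKE and ESP packets that the SRP module's UDP statistics do not reflect. The sample datagrams are constructed, not taken from a capture.

```python
from __future__ import annotations
from collections import Counter
from typing import Iterable

NAT_T_PORT = 4500                      # UDP port used for NAT-T (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks UDP-encapsulated IKE
NAT_KEEPALIVE = b"\xff"                # the entire payload of a NAT-keepalive packet
IKE_HEADER_LEN = 28                    # fixed ISAKMP/IKE header size
ESP_HEADER_LEN = 8                     # SPI (4 bytes) + sequence number (4 bytes)


def classify_nat_t_payload(payload: bytes) -> str:
    """Classify the payload of one UDP/4500 datagram using the RFC 3948 framing."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        # Non-ESP marker followed by an IKE header; anything shorter is truncated.
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
    if len(payload) >= ESP_HEADER_LEN:
        # No marker: the first four bytes are a non-zero ESP SPI.
        return "esp"
    return "malformed"


def summarize(datagrams: Iterable[tuple[int, bytes]]) -> dict[str, int]:
    """Count datagram kinds from (UDP destination port, UDP payload) pairs."""
    counts = Counter()
    for dport, payload in datagrams:
        kind = classify_nat_t_payload(payload) if dport == NAT_T_PORT else "other-udp"
        counts[kind] += 1
    return dict(counts)


# Constructed sample datagrams: (UDP destination port, UDP payload).
SAMPLE_DATAGRAMS = [
    (4500, b"\xff"),                                                # NAT-keepalive
    (4500, NON_ESP_MARKER + bytes(IKE_HEADER_LEN)),                 # IKE, header only
    (4500, b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + bytes(16)),  # ESP, SPI 0x12345678
    (4500, b"\xff"),                                                # NAT-keepalive
    (1701, bytes(12)),                                              # plain L2TP, not NAT-T
    (4500, NON_ESP_MARKER + b"\x01"),                               # truncated IKE
]

if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_DATAGRAMS).items()):
        print(f"{kind:14} {n}")
```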