Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For e series broadband services routers - ip services configuration
JunosE™ Software
for E Series™ Broadband
Services Routers
IP Services Configuration Guide
Release
11.2.x
Published: 2010-06-29
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper JUNOSE 11.2.X IP SERVICES

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Index ............321
  • Page 9 Using a Prefix List ..........33
  • Page 10 Creating Static Inside Source Translations ......70 Creating Static Outside Source Translations ......70
  • Page 11 J-Flow show Commands ......... 101
  • Page 12 Lifetime ........... 137
  • Page 13 Specifying a Virtual Router for an IKE Policy Rule ..... 180 Defining Aggressive Mode for an IKE Policy Rule ..... 181
  • Page 14 Verifying CRLs ..........210
  • Page 15 Monitoring Dynamic IP Tunnels ........259
  • Page 16 Commands ..........294
  • Page 17 Index ............321
  • Page 19: List Of Figures

    Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation ..... 281 Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation ....282
  • Page 20 Figure 29: GRE/IPSec Connection ........288
  • Page 21 Table 17: Configuration and Monitoring Tasks for NAT-T ....283 Table 18: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels ..284
  • Page 23: About The Documentation

    Audience This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions Table 1 on page xxiv defines notice icons used in this documentation.
  • Page 24: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously. Press Ctrl + b. Syntax Conventions in the Command Reference Guide Plain text like this Represents keywords. terminal length Italic text like this Represents variables. mask, accessListName
  • Page 25: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 26: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 27: Chapters

    Configuring IP Tunnels on page 237 Configuring Dynamic IP Tunnels on page 251 IP Reassembly for Tunnels on page 269 Securing L2TP and IP Tunnels with IPSec on page 275 Configuring the Mobile IP Home Agent on page 303
  • Page 29: Configuring Routing Policy

    Routing policy determines how the system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of the following: Filtering routes Accepting certain routes Accepting and modifying other routes
  • Page 30: Platform Considerations

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 31: Route Map Configuration Example

    Route Map Configuration Example Consider the network structure shown in Figure 1 on page 6. Suppose you do not want router Boston to receive any routes that originate in or pass through router Chicago.
  • Page 32: Multiple Values In A Match Entry
  • Page 33: Configuring Routing Policy

    10 Match clauses: match community corporate5 dade2 If you instead issue the following commands, the specified value is deleted: host1(config-route-map)#no match community dade2
  • Page 34: Matching A Community List Exactly

    1 permit 231:10 231:20 You can, however, remove the lists with the set comm-list delete command if you created them separately with the following commands: host1(config)#ip community list 1 permit 231:10
  • Page 35: Matching A Policy List

    Configuring IPv4 Multicast or chapter Configuring IPv6 Multicast in JunosE Multicast Routing Configuration Guide. match as-path Use to match an AS-path access list. The implemented weight is based on the first matched AS path.
  • Page 36 ORed. Example host1(config-route-map)#match extcommunity topeka10 Use the no version to remove the match clause from a route map or a specified value from the match clause. See match extcommunity. match ip address
  • Page 37 Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map. See match ipv6 next-hop. match ipv6 route-source
  • Page 38 See match metric-type. match policy-list Use to reference a policy list that has the specified name. Example host1(config-route-map)#match policy-list list1 Use the no version to remove the match clause from a route map. See match policy-list.
  • Page 39 You can specify match and set clauses to modify attributes of redistributed routes. Use route maps when you want to have detailed control over how routes are redistributed between routing processes.
  • Page 40 1 permit 231:10 host1(config)#ip community-list 1 permit 231:20 host1(config)#router bgp 45 host1(config-router)#neighbor 10.6.2.5 remote-as 5 host1(config-router)#neighbor 10.6.2.5 route-map indelete in host1(config-router)#route-map indelete permit 10 host1(config-route-map)#set comm-list 1 delete
  • Page 41 Example host1(config-route-map)#set dampening 5 1000 1500 45 15 Use the no version to delete the set clause from a route map. See set dampening. set distance
  • Page 42 Use to set the next hop attribute of a route that matches a route map. You can specify an IPv6 address or an interface as the next hop. Example host1(config-route-map)#set ipv6 next-hop 1::1
  • Page 43 If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence. If you specify the internal metric type in a BGP outbound route map, BGP sets the MED of the advertised
  • Page 44 (QoS). Example host1(config-route-map)#set route-class 50 Use the no version to delete the set clause from a route map. See set route-class.
  • Page 45: Match Policy Lists

    NOTE: For descriptions of all route map match clauses, see “Route Maps” on page 4. As in route maps, the match clauses in match policy lists contain permit and deny statements. When you reference a match policy list within a route map, the route map
  • Page 46: Access Lists

    If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit
  • Page 47: Configuration Example 1

    2 internal routes). host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 0x000002B7 0x3E1F 1198 0/0/0 Area Address: 47.0005.80FF.F800.0000.0001.0001
  • Page 48: Configuration Example 3

    For a full discussion of regular expressions, with examples of how to use them, see “Using Regular Expressions” on page 42.
  • Page 49: Configuration Example 1

    10.2.8.2 remote-as 11 host1(config-router)#neighbor 10.2.8.2 filter-list 2 in host1(config-router)#neighbor 10.2.7.2 remote-as 435 host1(config-router)#neighbor 10.2.7.2 filter-list 3 out host1(config-router)#exit host1(config)#ip as-path access-list 1 deny ^11 host1(config)#ip as-path access-list 1 permit .* host1(config)#ip as-path access-list 2 deny ^621
  • Page 50: Using Access Lists In A Route Map

    74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2. The following example configures router Chicago:
  • Page 51 Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched. Example host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
  • Page 52 Use to define an IPv6 access list to permit or deny routes based on the prefix. Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
  • Page 53 AS-path access list. Access list values can be in the range 0–65535. Example host1:vr1(config-router)#neighbor group2 filter-list list2 out Use the no version to disassociate the access list from a neighbor. See neighbor filter-list. neighbor prefix-list
  • Page 54 Use to redistribute routes from one routing domain to another routing domain. Example host1(config)#router bgp 100 host1(config-router)#neighbor 192.56.10.2 remote-as 200 host1(config-router)#redistribute static host1(config-router)#exit host1(config)#ip route 155.30.0.0 0.0.255.255 Use the no version to end redistribution of information. See redistribute.
  • Page 55: Using Access Lists For PIM Join Filters

    This interface (and any other PIM interface to which you do not specifically assign an access list filter) uses the default (bronze) join filter. Enable PIM sparse mode on another subinterface and assign the silver join filter.
  • Page 56: Clearing Access List Counters

    Use these commands when triggering on the policy values listed in Table 3 on page 30. Table 3: Match and Set Policy Values Match ip address metric metric distance
  • Page 57 Use to filter static routes before adding them to the routing table. Example 1 host1(config)#ip static-route table-map map3 Example 2 host1(config)#ipv6 static-route table-map map4 Use the no version to delete the table map. See ip static-route table-map. See ipv6 static-route table-map.
  • Page 58: Using The Null Interface

    Unlike access lists, the prefix list specifies a base IP or IPv6 address and a length (the number of bits applied to the base to determine the network prefix). The tested address is matched against the prefix.
  • Page 59: Using A Prefix List

    Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values: prefix length < ge <= 32 prefix length < le <= ge If you do not specify either the ge or le keyword, an exact match is expected.
  • Page 60 Example host1(config-route-map)#match ip next-hop prefix-list abc Use the no version to delete the match clause from a route map or a specified value from the match clause. See match ip next-hop. match ipv6 next-hop
  • Page 61: Prefix Trees

    Use to clear all hit counts in the prefix trees or the specified entry from the specified prefix tree. (The router increments the hit count by 1 each time an entry matches.) Example host1#clear ip prefix-tree xyz There is no no version. See clear ip prefix-tree.
  • Page 62 Example host1(config-route-map)#match-set summary prefix-tree dog3 Use the no version to disable use of the prefix tree by the route map. See match-set summary prefix-tree.
  • Page 63: Community Lists

    By default, the community attribute is not sent to BGP peers. To send the community attribute to a neighbor, use the neighbor send community command.
  • Page 64: Figure 5: Community Lists

    10.2.2.4 route-map commtrc out host1(config-router)#exit host1(config)#route-map commtrc permit 1 host1(config-route-map)#match community 1 host1(config-route-map)#set metric 20 host1(config-route-map)#exit host1(config)#route-map commtrc permit 2 host1(config-route-map)#match community 2 host1(config-route-map)#set metric 75 host1(config-route-map)#exit host1(config)#route-map commtrc permit 3 host1(config-route-map)#match community 3 host1(config-route-map)#set metric 85
  • Page 65 Use to specify that a community attribute be sent to a BGP neighbor. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command. Example
  • Page 66: Extended Community Lists

    A BGP device can append the extended community attribute to a route that does not have the attribute before it advertises the route. For routes that do have the attribute, BGP can modify the attribute. ip extcommunity-list
  • Page 67 Use to set the extended community attributes in a route map for BGP updates. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute.
  • Page 68: Using Regular Expressions

    The following commands apply access list 1 to routes inbound from BGP peer 10.5.5.2. Access list 1 uses a regular expression to deny routes that originate in autonomous system host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 filter-list 1 in host1(config-router)#exit host1(config)#ip as-path access-list 1 deny 32$
  • Page 69: Community Lists

    Matches zero or more sequences of the immediately previous character or pattern. Matches one or more sequences of the immediately previous character or pattern. Matches zero or one sequence of the immediately previous character or pattern.
  • Page 70: Using Metacharacters As Literal Tokens

    Table 6 on page 45 lists some representative regular expressions that you might use in an AS-path access list or community list, along with sample attribute values that match or do not match the regular expression.
  • Page 71: Table 6: Sample Regular Expressions

    Includes a sequence that has a numeral 1373737 29 44 37137 78 1 immediately followed by one or more 137 42 21 instances of the pattern 37 but not 4 372 2121 37 5 1 456 881
  • Page 72 3 41 19 41 19 532 101 102 | 103 105 Includes either sequence 101 102 or 43 101 102 5103 105 22 sequence 103 105 but not 19 102 101102 103
  • Page 73: Managing The Routing Table

    Global Configuration mode. You can specify different levels of severity for ipRoutePolicy. For more information about using log commands for troubleshooting, see Managing the System in JunosE System Basics Configuration Guide.
  • Page 74: Monitoring Routing Policy

    Use the detail keyword to display the automatically assigned element ID for each access list entry. Only rules that you explicitly create have element IDs. Example 1 host1#show access-list IP Access List 1: permit ip host 172.31.192.217 any permit ip 12.40.0.0 0.0.0.3 any
  • Page 75 Display varies based on whether you issued the ip bgp community new-format command. Example 1—If you did not issue the ip bgp community new-format command, the display appears as follows: host1#show ip community-list Community List 1: permit 81200109 permit 81200110 permit 81200108 Community List 2:
  • Page 76 Use the summary keyword to display abbreviated information about prefix lists. Example 1 host1#show ip prefix-list Prefix-list with the last deletion/insertion: def ip prefix-list name abc: 4 entries seq 5 permit 192.168.0.0/16 le 24
  • Page 77 1 See show ip prefix-tree. show ip protocols Use to display detailed information about the protocols currently configured on the router. Use the summary keyword to display only a list of the configured protocols.
  • Page 78 Use to display configured route redistribution policy. Field descriptions To—Protocol into which routes are distributed From—Protocol from which routes are distributed status—Redistribution status route map number—Number of the route map Example
  • Page 79 O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length Type Next Hop Dist/Met Intf ------------- ---- -------- -------- ------ 10.10.0.112/32 Static 192.168.1.1 fastEthernet0/0
  • Page 80 Field descriptions IP address—Address that is reachable through the interface
  • Page 81 Met—Number of hops Dist—Administrative distance or weight assigned to the route Tag—Tag value assigned to the route Intf—Interface type and interface specifier Example host1#show ip static Prefix/Length Next Hop: Met: Dist: Tag: Intf: 10.2.0.0/24 192.168.1.1 ethernet6/0
  • Page 82 IP Statistics Route:
  • Page 83 (ping) packets sent echo rpy—Number of echo replies sent
  • Page 84 TCP Global Statistics Sent:
  • Page 85 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics:
  • Page 86 Example host1(config)#route-map 1 permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map 1 route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400 See show route-map.
  • Page 87: Configuring NAT

    Network Address Translation (NAT) helps address these challenges by allowing the conservation of registered IP addresses within private networks and simplifying IP addressing management tasks through a form of transparent routing.
  • Page 88: Platform Considerations

    For more information about NAT, consult the following resources: RFC 2663-IP Network Address Translator (NAT) Terminology and Considerations (August 1999) RFC 2694-DNS extensions to Network Address Translators (DNS_ALG) (September 1999) RFC 2993-Architecture Implications of NAT (November 2000)
  • Page 89: NAT Configurations

    TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This method can translate the addresses and transport identifiers of many private hosts into a few external
  • Page 90: Bidirectional NAT

    The terms inside and outside refer to the host that the address is associated with. The terms local and global refer to the network on which the address appears.
  • Page 91: Configuring NAT

    You use inside source translation in traditional and bidirectional NAT configurations. Outside Source Translation Outside source translation is used in NAT configurations only when addresses of external hosts might create a conflict on the private network. This complementary translation
  • Page 92: Address Assignment Methods

    Inside (privately addressed) traffic enters the router on an interface marked as inside. A route lookup is performed. If the next interface is marked as outside, the router sends the traffic to the server module.
  • Page 93: Outside-To-Inside Translation

    Inside source static simple translations (inbound and outbound) Outside source static simple translations (inbound and outbound) Inside source dynamic simple translations (inbound and outbound) Outside source dynamic simple translations (inbound and outbound) Combinations of the preceding translations (for example, twice NAT)
  • Page 94: Packet Discard Rules

    Use to specify a NAT license. Purchase a NAT license to allow NAT configuration on the ERX router. NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative. Example host1(config)#license nat license-value Use the no version to disable the license.
  • Page 95: Limiting Translation Entries

    When you specify a static address translation or address/port pair translation, you issue commands to indicate how the translation is applied, along with more specific variables that further define the type of translation.
  • Page 96: Creating Static Inside Source Translations

    Creates a simple (IP address only) or extended (IP address, protocol, and port) entry in the translation table that maps the two addresses.
  • Page 97: Defining Dynamic Translations

    NOTE: The access lists do not filter any packets; they determine whether the packet requires translation. You use the access-list command to create an access list. access-list
  • Page 98: Defining Address Pools

    You cannot change the network mask if configured ranges already exist. The network mask (or prefix length) is used to recognize host addresses that end in either all zeros or all ones. These addresses are reserved as broadcast addresses and
  • Page 99: Defining Dynamic Translation Rules

    If an access list permits translation, the NAT router tries to allocate an address from the associated address pool to install a new translation. When you create dynamic translation rules, keep the following in mind:
  • Page 100: Creating Dynamic Inside Source Translation Rules

    Use the ip nat outside source list command to create a dynamic outside source translation rule. This command dynamically translates outside global source addresses to outside local addresses when packets are routed from the outside network to the inside network
  • Page 101: Defining Translation Timeouts

    GRE protocol translations; default value is 300 seconds (5 minutes) All timeouts for this command support a maximum value of 2147483 seconds (about 25 days). The no version of this command resets the timer to its default value. ip nat translation
  • Page 102: Clearing Dynamic Translations

    Both offices use private addresses. The corporate office has a dual T-3 link and a public FTP server that has a global address (that is, it does not need translation).
  • Page 103: Figure 6: NAPT Example

    190.22.8.18 21 190.22.8.18 21 Create the address pool for dynamic translations. host1:blue(config)#ip nat pool corpxyz 192.32.6.4 192.32.6.7 prefix-length 24 Create the access list for addresses eligible for dynamic translation. host1:blue(config)#access-list justcorp permit 10.10.1.0 0.0.0.255
  • Page 104: Bidirectional NAT Example

    (192.168.22/24) and registered public addresses. Figure 7: Bidirectional NAT Example To configure this example: Enter the correct virtual router context. host1(config)#virtual-router blue Mark the inside interface. host1:blue(config)#interface serial 1/1:1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit
  • Page 105: Twice NAT Example

    Figure 8 on page 80 illustrates how the inside network is using the unregistered global address space of 15.12.0.0/16. Outside hosts whose addresses overlap with this subnetwork that want to access the inside network need their global addresses translated.
  • Page 106: Figure 8: Twice NAT Example

    Using an address range of 10.1.32.0/8 prevents any overlap with the private network (15.12.0.0/16). host1:blue(config)#ip nat pool entAinpool 10.1.32.1 10.1.32.255 prefix-length 16 NOTE: This pool is purposely small, allowing for only a few connections.
  • Page 107: Cross-VRF Example

    RFC2547bis (MPLS VPNs). VR1, of which the VRF is administratively a member, represents the public network. The interface to EnterpriseA is marked as an inside interface. The normal steps for configuring inside source translation are applied. A
  • Page 108 Point the default route to the shared interface. host1:vr1:vrf11(config)#ip route 0.0.0.0 0.0.0.0 ip vrf11vr1 Install a null route to avoid routing loops to the inside global address. host1:vr1:vrf11(config)#ip route 128.13.44.0 255.255.255.0 null 0
  • Page 109: Tunnel Configuration Through NAT Examples

    In this example, an outside subscriber initiates PPTP tunnels to a PPTP server located in the service provider network. The PPTP connection to the server traverses an E Series router that has NAT enabled.
  • Page 110: GRE Flows Through NAT

    This section explains how to view NAT license information, NAT statistics, NAT translation entries, NAT address pool information, and NAT inside and outside rule settings. Displaying the NAT License Key The show license nat command displays the NAT license key.
  • Page 111: Displaying Translation Statistics

    Forwarding statistics for packets received on inside or outside interfaces forwarded directly—Number of packets forwarded directly (that is, without the need of translation) forwarded through translator—Number of packets forwarded through the NAT translator
  • Page 112: Displaying Translation Entries

    Bytes received on outside interface and forwarded directly forwarded through translator 47454704 See show ip nat statistics. Displaying Translation Entries The show ip nat translations command displays current translations that reside in the translation table.
  • Page 113 Example 2 host1# show ip nat translations verbose Time Time Inside Inside Outside Outside since since Prot local global global local creation last use ---- ----------- ---------- ----------- ----------- ---------- -------- 20.0.0.3 30.0.0.3 00:04:50 00:00:01
  • Page 114: Displaying Address Pool Information

    255.255.255.0 prefix length: 24 range: 3.3.3.1 to 3.3.3.255 range: 4.4.4.1 to 4.4.4.32 pool: pool2 netmask: 255.255.255.0 prefix length: 24 range: 1.1.1.1 to 1.1.1.24 range: 2.2.2.1 to 2.2.2.55 Example 2
  • Page 115: Displaying Inside And Outside Rule Settings

    Example host1#show ip nat outside rule access list name: list4 pool name: poolD rule type: outside source See show ip nat outside rule.
  • Page 117: Chapter 3 Configuring J-Flow Statistics

    This means, for example, that if a packet uses the address of an output interface or next-hop value altered by a policy setting, the system records the altered value in the flow record.
  • Page 118: Aggregation Caches

    Main Flow Cache Contents The following 7-tuple distinguishes an entry in the flow cache for a VR: Source IP address (SA) Destination IP address (DA) Source port number (SP) Destination port number (DP) Layer 3 protocol type
  • Page 119: Configuring J-Flow Statistics

    The inactive timer removes flows if they do not contain any data traffic for a specified period of time. Operation with NAT When functioning with Network Address Translation (NAT), J-Flow sampling occurs before NAT applies any translation.
  • Page 120: Operation With High Availability

    (Optional) Define the sampling interval at which you want to collect statistics. (Optional) Customize the size of the main flow cache. (Optional) Define flow cache aging timers. (Optional) Specify to where you want to export J-Flow statistics.
  • Page 121: Enabling Flow-Based Statistics

    The sampling interval specifies the rate at which the virtual router samples J-Flow information. This rate is used for all interfaces that have J-Flow enabled. After you enable J-Flow on an interface, the virtual router samples one packet
  • Page 122 IOA on E120 routers and E320 routers, see “Defining a Sampling Interval” on page 95 . Example—Samples 1 out of 50 packets from the line module on which the interface resides host1(config)#ip flow-sampling-mode packet-interval 50
  • Page 123: Setting Cache Size

    Use the ip flow-cache timeout inactive command to specify a value for the inactivity timer. The inactivity timer measures the length of time expired since the virtual router recorded the last datagram for a given flow. When this timer expires, the virtual router
  • Page 124: Specifying Flow Export

    The commands to configure the minimum mask size for the source and destination address are issued in Flow Cache Configuration mode and are specific to each aggregation cache: host1(config-flow-cache)#mask source minimum value host1(config-flow-cache)#mask destination minimum value
  • Page 125 Use to set the number of entries in the aggregation cache. Example
  • Page 126 Use the no version to remove the destination. See export source. ip flow-aggregation cache Use to create an aggregation cache. Example host1(config)#ip flow-aggregation cache Use the no version to remove the aggregation cache and its configuration. See ip flow-aggregation cache.
  • Page 127: Monitoring J-Flow Statistics

    See clear ip flow stats. J-Flow show Commands You can monitor the following aspects of J-Flow statistics by using the following commands: To Display Command Main cache flow operational statistics show ip cache flow
  • Page 128 Dst. Addr—Destination address of sampled packets Dst. Intf—Destination interface of sampled packets Summary Total Flows Processed—Total number of flows processed Total Packets—Total number of packets sampled Total Bytes—Total number of bytes received Example 1—Brief output
  • Page 129 Main Cache Max Entries: 65536 Activity Timeout: 60 mins. Inactivity Timeout: 600 secs. Cache Enabled 32012 packets sampled. Distribution of IP packets by size.
  • Page 130 35604 packets sampled. Distribution of IP packets by size. Size Percent ---------- ------- 1 - 32 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
  • Page 131 Flows/Sec—Number of flows per second Packets/Flow—Number of packets per flow Bytes/Packet—Number of bytes per packet Packets/Sec—Number of packets per second Src. Addr—Source address of sampled packets Src. Intf—Source interface of sampled packets Dst. Addr—Destination address of sampled packets
  • Page 132 Use to display configuration values for IP flow cache sampling. Example host1#show ip flow sampling Flow sampling is enabled 'Packet Interval' sampling mode is configured. 1 out of every 1000 packets is being sampled. See show ip flow.
  • Page 133: Configuring Bfd

    BFD poll bit to detect path activity. You can also configure a BFD session with a BGP neighbor or peer group to determine relatively quickly whether the neighbor or peer group is reachable. For information about
  • Page 134: How Bfd Works

    BFD session to the remote peer. Each pair of peers negotiates acceptable transmit and receive intervals for BFD packets. These values can be different on each peer.
  • Page 135: Configuring Bfd

    A declares the BFD session to be down. Similarly, if Router B fails to receive a BFD packet from Router A within 900 milliseconds, Router B declares the BFD session to be down. In either case, all routes learned from the failed peer are purged immediately.
  • Page 136: Bfd Platform Considerations

    BFD for IPv4 and IPv6 (Single Hop)—draft-ietf-bfd-v4v6-1hop-00.txt (January 2005 expiration) Bidirectional Forwarding Detection—draft-ietf-bfd-base-00.txt (January 2005 expiration) Configuring a BFD License You must configure a BFD license before the router configuration can use any BFD commands.
  • Page 137: Bfd Version Support

    Use to specify a BFD license. Purchase a BFD license to allow BFD configuration on the E Series router. NOTE: Acquire the BFD license from Juniper Networks Customer Service or your Juniper Networks sales representative. Example host1(config)#license bfd license-value Use the no version to disable the license.
  • Page 138: Configuring Bfd

    NOTE: Enabling BFD adaptive timers targets only rapidly flapping events and not genuine BFD down events. If BFD down events occur in intervals longer than 5 seconds, the session does not attempt to adapt.
  • Page 139: Clearing Bfd Sessions

    Use the address keyword to indicate the IPv4 address of the destination to which the session has been established. Use the discriminator keyword to clear the BFD session associated with the unique system-wide identifier. Example 1 host1#clear bfd session Example 2 host1#clear bfd session address 10.10.5.24 Example 3
  • Page 140: Monitoring Bfd

    To troubleshoot and monitor BFD, use the following system event logs: bfdGeneral bfdSession bfdEvents bgpConnections isisBfdEvents ospfEvents ospfv3General ripBfdLog For more information about using event logs, see the JunosE System Event Logging Reference Guide.
  • Page 141: Viewing Bfd Information

    Up/Down count—Number of times up/down transitions have occurred on the session Adaptivity—Number of times this session has adapted its intervals, or that additional adaptivity is disabled for this BFD session on the router
  • Page 142 Echo mode—State of echo mode (enabled or disabled; active or inactive) Client—Name of the client desired tx—Minimum transmit interval (in seconds) requested by the client required rx—Minimum required receive interval (in seconds) specified by the client multiplier—Multiplier requested by the client
  • Page 143 Local diagnostic: None, Remote diagnostic: None Remote heard, hears us Min async interval 0.3, min slow interval 0.3 Echo mode disabled/inactive 1 Client: Client OSPFv3, desired tx: 0.3, required rx: 0.3, multiplier 3 See show bfd session.
  • Page 145: Configuring Ipsec

    Table 8 on page 119 describes terms and abbreviations that are used in this discussion of IPSec. Table 8: IPSec Terms and Abbreviations Term or Abbreviation Description 3DES Triple DES encryption/decryption algorithm Authentication header. Provides authentication of the sender and of data integrity.
  • Page 146 In the context of a secure interface, the clear traffic forwarded to the interface traffic (either by policy or by routing) that is typically secured according to security parameters set for that interface. Perfect forward secrecy Rivest-Shamir-Adleman encryption algorithm
  • Page 147: Configuring Ipsec

    RFC 2404—The Use of HMAC-SHA-1-96 within ESP and AH (November 1998) RFC 2405—The ESP DES-CBC Cipher Algorithm With Explicit IV (November 1998) RFC 2406—IP Encapsulating Security Payload (ESP) (November 1998) RFC 2407—The Internet IP Security Domain of Interpretation for ISAKMP (November 1998)
  • Page 148: Ipsec Concepts

    IP interfaces. Secure tunnels carry only IP traffic. A secure IP interface is a layer 3 entity; that is, an IP interface mapped on top of a secure tunnel that inherits all security associated with it.
  • Page 149: Rfc 2401 Compliance

    The layers where the data can be encrypted are shown in gray. Figure 12: IPSec Tunneling Stack Figure 13 on page 124 shows the packet encapsulation for IPSec tunneling.
  • Page 150: Security Parameters

    Figure 14 on page 125 shows the relationships of the various security parameters to the IPSec security interface. The following sections discuss each parameter in detail.
  • Page 151: Manual Versus Signaled Interfaces

    Secure IP interface parameters can be required, optional, or not applicable, depending on whether the interface is manual or signaled. Table 10 on page 126 presents how the other security parameters fit with manual and signaled interfaces.
  • Page 152: Operational Virtual Router

    The transport VR information is required, although its explicit configuration is not. If omitted, the transport VR is assumed to be the same as the operational VR. However, the tunnel source and destination are mandatory elements.
  • Page 153: Perfect Forward Secrecy

    PFS is an optional feature that causes every newly refreshed key to be completely unrelated to the previous key. PFS provides added security, but requires extra processing for a new Diffie-Hellman key exchange on every key refresh.
  • Page 154: Lifetime

    You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime. To set the tunnel lifetime, use the tunnel lifetime command. To set the global (default) lifetime, use the ipsec lifetime command.
  • Page 155: Inbound And Outbound Sas

    Transform sets are used during user SA negotiation to find common agreement between the local and the remote security gateway on how to protect that specific data flow.
  • Page 156: Table 11: Supported Transforms

    IPSec performs AH protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5. ESP-MD5 IPSec performs ESP protocol encapsulation using the MD5 hash function with HMAC message authentication.
  • Page 157: Table 12: Supported Security Transform Combinations

    AH-HMAC-SHA ESP-HMAC-MD5 ESP-HMAC-SHA Data confidentiality only ESP-DES ESP-3DES Data authentication and confidentiality ESP-DES-MD5 ESP-DES-SHA ESP-3DES-MD5 ESP-3DES-SHA The ISM does not support both the ESP and AH encapsulation modes concurrently on the same secure tunnel.
  • Page 158: Other Security Features

    ESP security options on a per-tunnel (per-SA) basis Tunnel mode AH Processing The router supports AH encapsulation as defined in RFC 2402. Specifically, the router supports: HMAC-SHA and HMAC-MD5 authentication algorithms AH authentication options on a per-tunnel (per-SA) basis Tunnel mode
  • Page 159: Ipsec Maximums Supported

    IKE SA setup is unsuccessful. During failover, the IPSec tunnel switches to the alternate destination and establishes IPSec SAs with the new peer. To configure tunnel failover, you specify the tunnel destination backup endpoint.
  • Page 160: Ike Overview

    Protects the identities of the peers during negotiations and is therefore more secure. Enables greater proposal flexibility than aggressive mode. Is more time consuming than aggressive mode because more messages are exchanged between peers. (Six messages are exchanged in main mode.) Aggressive mode
  • Page 161: Aggressive Mode Negotiations

    Failing that, the two peers are not able to successfully negotiate the IKE SA, and no data flow is possible.
  • Page 162: Priority

    As part of the IKE protocol, one security gateway needs to authenticate the other security gateway to make sure that the IKE SA is established with the intended party. The ERX router supports two authentication methods: Digital certificates (using RSA algorithms)
  • Page 163: Diffie-Hellman Group

    The private key is used only by the system itself. It is never exchanged with any other nodes. When generated, the private key is securely stored internally to the system in
  • Page 164: Configuration Tasks

    The number of additional tunnels is independent of the number of ISMs installed in the router. However, the router chassis enforces the following tunnel limits: SRP 10G – 10,000 SRP 40G – 20,000 license ipsec-tunnels
  • Page 165: Configuring Ipsec Parameters

    Chapter 5: Configuring IPSec Use to specify an IPSec tunnel license. NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative. Example host1(config)#license ipsec-tunnels license string Use the no version to disable the license.
  • Page 166 Example 1 host1(config)#ipsec lifetime kilobytes 42000000 Example 2 host1(config)#ipsec lifetime seconds 8600 Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours). See ipsec lifetime. ipsec local-endpoint
  • Page 167 Example 1 host1(config-manual-key)#key dj5fe23owi8er49fdsa Example 2 host1(config-manual-key)#key “my key with spaces” There is no no version. To delete a key, use the no version of the ipsec key manual command. See key. masked-key
  • Page 168: Creating An Ipsec Tunnel

    10.3.0.0 255.255.0.0 Specify an existing interface address that the tunnel uses as its source address. host1:vrA(config-if)#tunnel source 5.1.0.1 Specify the address or identity of the tunnel destination endpoint. host1:vrA(config-if)#tunnel destination identity branch245.customer77.isp.net
  • Page 169 For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the remote tunnel endpoint, which does not have a fixed IP address. The identity string can include an optional user@ specification preceding the FQDN. Example 1 host1(config-if)#tunnel destination 10.10.11.12 Example 2
  • Page 170 Example 2 host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0 Use the no version to restore the default identity, which is subnet 0.0.0.0 0.0.0.0. See tunnel local-identity. tunnel mtu Use to set the MTU size for the tunnel. Example
  • Page 171 Use the online Help to see a list of available algorithm sets. Each key is an arbitrary hexadecimal string. If the algorithm set includes: DES, create an 8-byte key using 16 hexadecimal characters 3DES, create a 24-byte key using 48 hexadecimal characters
  • Page 172 ISAKMP/IKE to negotiate SAs and to establish keys manual—Specifies that security parameters and keys are configured manually Example host1(config-if)#tunnel signaling manual Use the no version to restore the default value, isakmp. See tunnel signaling. tunnel source
  • Page 173: Configuring Dpd And Ipsec Tunnel Failover

    Create an IPSec tunnel, and specify the transport VR. host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default host1:vrA(config-if)# Specify the address or identity of the tunnel destination backup endpoint. host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net ipsec option dpd
  • Page 174: Defining An Ike Policy

    Use the no version to restore the default in which the regular tunnel destination is also the backup tunnel destination. See tunnel destination backup. Defining an IKE Policy IKE policies define parameters that the router uses during IKE phase 1 negotiation. To create an IKE policy: host1(config)#ipsec ike-policy-rule 3
  • Page 175 Use to specify the authentication method the router uses in the IKE policy: preshared keys or RSA signature. Example host1(config-ike-policy)#authentication pre-share Use the no version to restore the default, preshared keys. See authentication.
  • Page 176 Use the no version to restore the default, sha. See hash. ipsec ike-policy-rule ipsec isakmp-policy-rule NOTE: The command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
  • Page 177: Refreshing Sas

    To reinitialize SAs on tunnels that are in a specific state, use the state keyword. To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword. Example host1(config)#ipsec clear sa all phase 2 There is no no version. See ipsec clear sa.
  • Page 178: Enabling Notification Of Invalid Cookies

    Configuration Notes Both the local and remote identities shown in these examples serve two purposes: They identify multiple IPSec tunnels between the same endpoints.
  • Page 179: Figure 15: Customer A's Corporate Frame Relay Network

    To configure the connections as shown in Figure 16 on page 153: On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet. erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
  • Page 180 Ottawa and another to carry the traffic between Boca and Boston: Tunnel 1: erx2(config)#interface tunnel ipsec:Aboca2ottawa erx2(config-if)#tunnel transform-set customerAprotection erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0 erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0 erx2(config-if)#tunnel source 100.2.0.1 erx2(config-if)#tunnel destination 100.1.0.1
  • Page 181 1, except that a different VR domain is possible. Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.
  • Page 182: Figure 17: Connecting Customers Who Use Similar Address Schemes

    5.3.0.1 erx1(config-manual-key)#key customerASecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.2.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx1(config)#ipsec key manual pre-share 5.3.0.2 erx1(config-manual-key)#key customerBSecret erx1(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.1.0.1 erx2(config-manual-key)#key customerASecret erx2(config-manual-key)#exit erx2(config)#ipsec key manual pre-share 5.3.0.1
  • Page 183 10.1.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#tunnel source 5.1.0.1 erx1:vrA(config-if)#tunnel destination 5.2.0.1 erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0 erx1:vrA(config-if)#exit Virtual router B: erx1(config)#virtual-router vrB erx1:vrB(config)#
  • Page 184 Tunnel from Boca to Boston on virtual router A: erx2:vrA(config)#interface tunnel ipsec:Aboca2boston transport-virtual-router default erx2:vrA(config-if)#tunnel transform-set customerAprotection erx2:vrA(config-if)#tunnel local-identity subnet 10.2.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#tunnel source 5.2.0.1 erx2:vrA(config-if)#tunnel destination 5.3.0.1 erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0 erx2:vrA(config-if)#exit Virtual router B:
  • Page 185 Tunnel from Boston to Boca on virtual router A: erx3:vrA(config)#interface tunnel ipsec:Aboston2boca transport-virtual-router default erx3:vrA(config-if)#tunnel transform-set customerAprotection erx3:vrA(config-if)#tunnel local-identity subnet 10.3.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0 erx3:vrA(config-if)#tunnel source 5.3.0.1 erx3:vrA(config-if)#tunnel destination 5.2.0.1 erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0 erx3:vrA(config-if)#exit Virtual router B:
  • Page 186: Monitoring Ipsec

    For more information about using event logs, see the JunosE System Event Logging Reference Guide. show Commands To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands. show ipsec ike-policy-rule show ike policy-rule
  • Page 187 :SHA Secure Hash Standard authentication method:Pre Shared Keys Diffie-Hellman group :2 (1024 bit) lifetime :28800 seconds aggressive mode :Not Allowed See show ipsec ike-policy-rule. See show ike policy-rule. show ipsec ike-sa show ike sa
  • Page 188 IKE Phase 1 SA's: Local:Port Remote:Port Time(Sec) State Local Cookie Remote Cookie 195.0.0.100:500 195.0.0.200:500 1551 DONE 0x90ee723e6cb0c016 0xf7d3651e93d56431 195.0.0.100:500 195.0.0.200:500 1552 DONE 0x821bccf81dcedbb0 0x35152bdb7a9c734e 195.0.1.100:500 195.0.1.200:500 1687 DONE 0x1b4fbcebe36d1b16 0xed742166a305a6a0
  • Page 189 IPSec” on page 275. Transmission of invalid cookie notification in ISAKMP messages to peers Example host1:vrA#show ipsec option IPsec options: Dead Peer Detection: disabled NAT Traversal : enabled TX Invalid Cookie : disabled See show ipsec option.
  • Page 190 Tunnel local identity—IP address of local endpoint identity that ISAKMP uses Tunnel peer identity—IP address of peer endpoint identity that ISAKMP uses Tunnel outbound spi/SA—SPI and SA in use on traffic sent to the tunnel (manual tunnels only)
  • Page 191 InDecryptErrors—Number of decryption errors in received traffic InPadErrors—Number of packets received that had invalid values after the packet was decrypted OutUserPackets—Number of user packets sent OutUserOctets—Number of octets sent in user packets
  • Page 192 7200s, remaining 7100s outbound traffic: allowed 1024000KB, remaining 1023997KB Tunnel Statistics: InUserPackets InUserOctets 1920 InAccPackets InAccOctets 2760 InAuthErrors InReplayErrors InPolicyErrors InOtherRxErrors InDecryptErrors InPadErrors OutUserPackets OutUserOctets 1920 OutAccPackets OutAccOctets 2760 OutPolicyErrors OutOtherTxErrors See show ipsec tunnel.
  • Page 193 IPSEC tunnel s0l4e3d1 is up IPSEC tunnel s0l5e3d0 is up See show ipsec tunnel. show license ipsec-tunnels Use to display the IPSec license key configured on the router and the number of tunnels allowed on the router. Example
  • Page 194 host1#show license ipsec-tunnels ipsec-tunnels license is 'g1k23b23eb2j' which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards. See show license.
  • Page 195: Chapter 6 Configuring Dynamic Ipsec Subscribers

    Dynamic Connection Setup Dynamic secure remote access subscribers initiate connections to the E Series router by establishing an IPSec phase 1 security association (SA; also known as an IKE SA or P1) with the router.
  • Page 196: Dynamic Connection Teardown

    2 SAs. Conversely, phase 1 SAs that are not recognized as dynamic are used only to negotiate phase 2 SA static tunnels. Licensing Requirements Each dynamic IPSec subscriber requires the use of two licenses: One B-RAS license
  • Page 197: Configuring Dynamic Ipsec Subscribers

    Phase 2 SA selectors for use in phase 2 SA exchanges IP profiles intended for users logging in using this profile (helping to bridge users from a given IPSec tunnel profile to an IP profile)
  • Page 198: Relocating Tunnel Interfaces

    For information about modules that support dynamic IPSec subscribers on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See IPSec Service support in ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 199: References

    (if you do not specify a virtual router name, the profile is created on the context virtual router) Example host1(config)#ipsec tunnel profile tunnel1 host1(config-ipsec-tunnel-profile)# Use the no version to delete the tunnel profile. See ipsec tunnel profile.
  • Page 200: Configuring Ipsec Tunnel Profiles

    Use to set the IKE local identity used for IKE security association (SA) negotiations. Example host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1 Use the no version to remove the specified IKE local identity. See ike local-identity.
  • Page 201: Setting The Ike Peer Identity

    The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user. However, to assist in connecting users to the correct AAA domain for authentication, you can use the domain-suffix command to append a domain suffix
  • Page 202: Overriding Ipsec Local And Peer Identities For Sa Negotiations

    See peer ip identity. Specifying an IP Profile for IP Interface Instantiations The ip profile command specifies the IP profile that is passed from the IPSec layer to the IP layer upon request for upper layer instantiation.
  • Page 203: Defining The Server Ip Address

    IPSec tunnel. This type of “split tunneling” enables a remote station to separate VPN traffic from Internet traffic. For example, a client connecting to a corporate Intranet could use split-tunneling to send all traffic destined to 10.0.0.0/8 through the secure tunnel
  • Page 204: Defining Ipsec Security Association Lifetime Parameters

    IKE SA establishment. Subsequent IKE SA rekey operations inherit the initial authentication and do not reauthenticate users. NOTE: For maximum security, enable reauthentication. The skip-peer-config keyword disables the router from configuring peer IP characteristics.
  • Page 205: Specifying Ipsec Security Association Transforms

    Specifying IPSec Security Association PFS and DH Group Parameters The pfs group command specifies the IPSec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPSec SA negotiations can use for this profile.
  • Page 206: Defining The Tunnel Mtu

    IKE policy rules. If more than one IP-address-specific IKE policy rule exists, the router evaluates the policy rule with the lowest priority number first and then evaluates the policy rule with the next highest priority number and so on.
  • Page 207: Defining Aggressive Mode For An Ike Policy Rule

    Example host1(config-ike-policy)#aggressive-mode accepted Use the no version to set the negotiation mode to main mode. See aggressive-mode. Monitoring IPSec Tunnel Profiles This section contains information about troubleshooting and monitoring dynamic IPSec subscribers.
  • Page 208: System Event Logs

    Lifetime: between 1800 and 7200 seconds, and between 100000 and 500000 Reachable networks: none PFS not configured Transforms:, tunnel-esp-3des-sha1 Subscribers rejected due to maximum subscribers limit: 0 Completed sessions: 43, totaling 4873 seconds, statistics: ipsec stats: outbound: outboundUserPacketsReceived = 88
  • Page 209 Router ----------------------- ----- -------------------- ------------ xcfgUser1@vpn1 ipsec 10.227.5.106/local vpn1 User Name Interface ----------------------- -------------------------------- xcfgUser1@vpn1 FastEthernet 5/2.4 User Name Login Time Circuit Id ----------------------- ------------------- ------------------- xcfgUser1@vpn1 06/05/12 10:58:42 0.4.1.10.fe.25.3b.0 User Name Remote Id
  • Page 210 ----------------------- ---------------- xcfgUser1@vpn1 (800) 555-1212 See show subscribers.
  • Page 211: Configuring Ancp

    It also enables the switch to inform the controller of asynchronous events such as a link going down. Deploying value-added services across digital subscriber line (DSL) access networks requires special attention to quality of service (QoS) and service control. This control
  • Page 212: Access Topology Discovery

    This type of replication wastes access bandwidth when multiple subscribers access network services using the same access node. The amount of multicast replication is based on the number of subscribers, rather than the number of access nodes.
  • Page 213: Configuring Ancp

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers.
  • Page 214: References

    L2C Neighbor Configuration mode to configure an ANCP neighbor. Use to launch the L2C Configuration (config-l2c) mode for ANCP. Example host1(config)#l2c host1(config-l2c)# Use the no version to remove all ANCP configurations. See l2c.
  • Page 215: Defining The Ancp Session Timeout

    ANCP uses several interface-level configuration commands. These commands provide the ability to define GSMP input and output labels associated with the interface and specify the number of branches the ANCP end user can support. l2c end-user-id
  • Page 216: Configuring Ancp Neighbors

    Use to create an ANCP neighbor and access the L2C Neighbor Configuration (config-l2c-neighbor) mode. Example host1(config-l2c)#neighbor ACCESS-NODE-1 host1(config-l2c-neighbor)# Use the no version to remove a specific ANCP neighbor configuration or, by omitting the neighbor name, all ANCP neighbor configurations. See neighbor.
  • Page 217: Defining An Ancp Neighbor

    Use to specify the maximum number of discovery table entries a neighbor can have in the range 1–64000 entries. Example host1(l2c-neighbor)#max-discovery-table-entries 4000 Use the no version to return the maximum number of discovery table entries to its default value, 10,000 entries. See max-discovery-table-entries.
  • Page 218: Clearing Ancp Neighbors

    ANCP. Issuing the clear l2c neighbor command removes all QoS parameter instances associated with the neighbor, including those associated with the QoS downstream rate and QoS cell mode applications.
  • Page 219: Triggering Ancp Line Configuration

    Use to trigger a GSMP port management message to the access node. This message enables the B-RAS to configure a service profile name on an access loop. Example host1#l2c line-configuration interface atm 2/0.11 profile1
  • Page 220: Adjusting The Data Rate Reported By Ancp For Dsl Lines

    ANCP works with a special IGMP session to collect OIF mapping events in a scalable manner. For additional information about configuring IGMP and about OIF mapping, see Configuring IGMP in JunosE Multicast Routing Configuration Guide.
  • Page 221: Creating An Igmp Session For Ancp

    OIF maps, see “Configuring Transactional Multicast for IGMP” on page 194. Configure an OIF map for the access node that maps each multicast group to an outgoing interface. Define ANCP parameters.
  • Page 222: Complete Configuration Example

    2/0.102 host1(config-interface)#ip igmp version passive host1(config-interface)#l2c peer-attachment-id "in_multicast_port_5" !Configure ANCP output labels, neighbor information, and apply OIF map host1(config)#interface atm 2/0.11 host1(config-interface)#ip igmp apply-oif-map OIFMAP host1(config-interface)#l2c end-user-id "out_subscriber_port_6" neighbor ACCESS_NODE_1
  • Page 223: Triggering Ancp Oam

    0x503 : DSL line status showtime. DEFAULT RESPONSE There is no no version. See l2c oam. Monitoring ANCP You can display ANCP information with the following commands. show adjustment-factor
  • Page 224 Qos adaptive mode—Whether QoS adaptive mode is enabled (true) or disabled (false) Wait-for-gsmp-syn—Whether learning is enabled or disabled gsmp-syn-timeout—Configured TCP session timeout (in seconds) Example host1#show l2c L2C: Current session timeout: 25 seconds Qos adaptive mode: false
  • Page 225 Example 2—Topology discovery table for a particular end-user-id host1# show l2c discovery-table end-user-id "Accessnode_10 atm 2/3:0.0" Access-Loop-Id: Dslam_10 atm 2/3:0.0 Neighbor: ACCESSNODE_10 Actual-Data-Rate-Upstream: 1152(kbps) Actual-Data-Rate-Downstream: 8064(kbps) Attainable-Data-Rate-Upstream: 1176(kbps) Attainable-Data-Rate-Downstream: 9376(kbps) Line-State: 1(SHOWTIME) Dsl-Type: 0(Invalid transmission type) Total Line Attributes: 6
  • Page 226 Max-Branches—Maximum number of branches to which the ANCP interface can subscribe Peer-Attach-Id—Input label associated with the interface Example 1 host1# show l2c label Interface: ATM2/0.300 End-User-Id: Accessnode_10 atm2/2:0.0 Neighbor: accessnode _1002 Max-Branches: 5 Interface: ATM2/0.301
  • Page 227 Use the summary keyword to display the number of active neighbors. Field descriptions Neighbor Name—Name associated with the neighbor Neighbor Id—ID associated with the neighbor Maximum Branches—Maximum number of branches this neighbor can have
  • Page 228 OAM Loopback Requests Sent: 0 OAM Loopback Responses Received: 0 Protocol State: GSMP_ESTAB Example 2 host1#show l2c neighbor brief Name Mac Address Remote Address Protocol State -------------------- ---------------- ---------------- ---------------- accessnode1 0abc.0abc.0abc null EMPTY
  • Page 229 Number of configured routers: 1 Number of neigbhors: 5 Number of active neighbors: 1 Number of end-user-ids: 25 Number of peer-attachment-ids: 39 Number of add-branches: 0 Number of delete-branches: 0 See show l2c statistics.
  • Page 231: Configuring Digital Certificates

    Method used to encode certificate requests and certificates before they are sent to or from the CA Certificate authority; an organization that creates digital certificates Certificate Binds a person or entity to a public key using a digital signature
  • Page 232: Platform Considerations

    See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support IPSec. NOTE: The E120 and E320 Broadband Services Routers do not support configuration of IPSec and digital certificates. References For information about digital certificates, see the following references:
  • Page 233: Configuring Digital Certificates

    Before the router can place a digital signature on messages, it requires a private key to sign, and requires a public key so that message receivers can verify the signature. Obtaining a root CA certificate
  • Page 234: Generating Public/Private Key Pairs

    The ERX router enables the use of either a manual or automatic method to download the root CA's self-signed certificate. The standards supported for obtaining root CAs are X.509v3, base64, and basic-encoding-rules (BER)–encoded certificates.
  • Page 235: Obtaining A Public Key Certificate

    The operator copies the certificate file onto the ERX router so that it can be used for IKE negotiations. Online Certificate Enrollment Online certificate enrollment works as follows: NOTE: The ERX router must have a root CA certificate for the specified CA before online certificate enrollment.
  • Page 236: Authenticating The Peer

    ERX Cert revoked—The CRL contains the E Series router's certificate. Table 15 on page 211 presents how the CRL setting affects the outcome of IKE phase 1 negotiations. It lists common problem conditions such as ERX Cert revoked.
  • Page 237: File Extensions

    CA and one or more sub-CAs (also called issuing CAs). In a CA hierarchy, the router obtains its public key certificates and the CA certificate from a sub-CA. The sub-CA's certificate is signed by the root CA.
  • Page 238: Ike Authentication Using Public Keys Without Digital Certificates

    Peer Public Keys Without Digital Certificates” on page 224. Public Key Format RSA encryption and authentication require the use of a public key on both the ERX router and on the remote peer with which the router seeks to establish IKE SAs.
  • Page 239: Configuring Digital Certificates Using The Offline Method

    NOTE: For more information about setting up IKE policies, see “Defining an IKE Policy” on page 148 in “Configuring IPSec” on page 119. Enter IPSec Identity Configuration mode. host1(config)#ipsec identity host1(config-ipsec-identity)# Specify the information that the router uses to generate a certificate request. Specify a country name.
  • Page 240 Use the no version to restore the default, preshared keys. See authentication. common-name Use to specify a common name used to generate certificate requests. Example host1(config-ipsec-identity)#common-name Jim Use the no version to remove the common name. See common-name. country
  • Page 241 Use the no version to return the CRL setting to the default, optional. NOTE: This command has been replaced by “ipsec crl” on page 216 and may be removed completely in a future release. See ike crl. ipsec certificate-database refresh
  • Page 242 CRL; either the certificates that belong to the E Series router or the peer must not appear in the CRL; this is the strictest setting Example host1(config)#ipsec crl ignored Use the no version to return the CRL setting to the default, optional.
  • Page 243 When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority. Example host1(config)#ipsec isakmp-policy-rule 3 host1(config-ike-policy)#
  • Page 244 There is no no version. See ipsec key zeroize. organization Use to specify the organization used in the Subject Name field of certificates. Example host1(config-ipsec-identity)#organization juniperNetworks Use the no version to remove the organization name. See organization.
  • Page 245: Configuring Digital Certificates Using The Online Method

    (Optional) Specify the URL of your network's HTTP proxy server. host1(config-ca-identity)#root proxy url http://192.168.5.45 host1(config-ca-identity)#exit Retrieve the CA certificate. host1(config)#ipsec ca authenticate trustedca1 Enroll with the CA and retrieve the router's certificate from the CA.
  • Page 246 Use to set the number of minutes that the router waits after receiving no response before resending a certificate request to the CA. You can specify a wait period in the range 0–60 minutes. Example
  • Page 247 Use the password option, if required by the CA, to access the CA and enable enrollment. The CA must be previously declared by the ipsec ca identity command. Example host1(config)#ipsec ca enroll trustedca1 My498pWd host1(config)#INFO 10/18/2003 03:49:33 ikeEnrollment (): Received erx certificate for ca:trustedca1
  • Page 248 When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority. Example
  • Page 249 URL specified by the enrollment url command are used together to create the CA authentication requests. Example host1(config-ca-identity)#issuer-identifier BetaSecurityCorp Use the no version to remove the name from the configuration. See issuer-identifier.
  • Page 250: Configuring Peer Public Keys Without Digital Certificates

    For information about the format of an RSA public key, see “Public Key Format” on page 212. Use the output from the show ipsec key mypubkey rsa command to provide information to the remote peer about the public key configured on the E Series router.
  • Page 251 authentication
  • Page 252 To specify the identity of the remote peer associated with the public key, use the name keyword followed by either: The fully qualified domain name (FQDN) The FQDN preceded by an optional user@ specification; this is also referred to as user FQDN format
  • Page 253 Enter remainder of text message. End with the character '"'.
  • Page 254: Monitoring Digital Certificates And Public Keys

    Use to display information about IKE CA identities used by the router for online digital certificate configuration. You can display information for a specific CA or for all CAs configured on the router. Field descriptions
  • Page 255 CA certificates Use the hex-format keyword to display certificate data, such as serial numbers, in hexadecimal format. Doing so allows easier comparison with CAs, such as Microsoft, that display certificates in hexadecimal format.
  • Page 256 Available = authority key identifier, subject key identifier, key usage, subject alternative name, authority information access, CRL distribution points SubjectAlternativeNames = Following names detected = DNS (domain name server name) Viewing specific name types =
  • Page 257 SHA-1 = 58:ba:fb:0d:68:61:42:2a:52:7e:19:82:77:a4:55:4c:25:8c:c5:60 Example 2 host1# show ipsec certificates root-cas ---------- Root CAs: ---------- Ca Identity:[trustedca1]Certificate = SubjectName = <C=CA, ST=ON, L=Kanata, O=Juniper Networks, OU=VTS Group, CN=VTS Root CA> IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA> SerialNumber= 79592882508437425959858112994892506178 SignatureAlgorithm = rsa-pkcs1-sha1 Certificate seems to be self-signed.
  • Page 258 See show ipsec certificates. show ipsec identity show ike identity NOTE: The show ike identity command has been replaced by the show ipsec identity command and may be removed completely in a future release.
  • Page 259 CRL Check—Setting of the CRL check: optional, required, ignored Example host1#show ipsec ike-configuration Ike configuration: Ike identity: Domain Name :treverxsys2.juniper.net Common Name :Sys2 ERX Organization:Juniper Networks Country CRL Check:optional See show ipsec ike-configuration. See show ike configuration.
  • Page 260 Key Type—Type of remote peer identifier: ip address (if IP address is specified) or identity (if FQDN or user FQDN is specified) Example 1—Displays a summary of the remote peers for which peer public keys are configured
  • Page 261 See show ipsec key pubkey-chain rsa.
  • Page 263: Configuring Ip Tunnels

    Distance Vector Multicast Routing Protocol (DVMRP) tunnels, also known as IP-in-IP tunnels GRE Tunnels GRE encapsulates IP packets to enable data transmission through an IP tunnel. The resulting encapsulated packet contains a GRE header and a delivery header. Consequently,
  • Page 264: Dvmrp Tunnels

    I/O modules. However, you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel.
  • Page 265: E120 Router And E320 Router

    RFC 1700—Assigned Numbers (October 1994) RFC 1701—Generic Routing Encapsulation (October 1994) RFC 1702—Generic Routing Encapsulation over IPv4 Networks (October 1994) RFC 2003—IP Encapsulation within IP (October 1996) RFC 2784—Generic Routing Encapsulation (GRE) (March 2000)
  • Page 266: Configuration Tasks

    No Router from the configuration, issue the command, no interface tunnel dvmrp:boston-tunnel-1. See interface tunnel. tunnel checksum Use to enable checksum computation across a GRE tunnel. Checksum computation is not supported for DVMRP tunnels.
  • Page 267 Use to configure the source of the tunnel. Specify either the primary IP address or the type and specifier of an interface. Do not specify an unnumbered interface. Example 1—Primary IP address host1(config)#interface tunnel dvmrp:boston-tunnel-1 host1(config-if)#tunnel source 192.10.2.1
  • Page 268: Configuration Example

    Set the MTU for the tunnel. host1:boston(config-if)#tunnel mtu 8000 Configure the IP address of the tunnel interface. host1:boston(config-if)#ip address 10.7.7.7 255.255.255.0 Configure a virtual router called chicago that supports the other end of the tunnel. host1(config)#virtual-router chicago
  • Page 269: Configuring Ip Tunnels To Forward Ip Frames

    The IP configurations you apply to the tunnels control how traffic travels through the network. Preventing Recursive Tunnels If routing information about the tunnel network combines with routing information about the transport networks (the networks that the tunnel services), a recursive tunnel can
  • Page 270: Creating Multicast Vpns Using Gre Tunnels

    To view the number of tunnels associated with that IP address, specify an IP address. To view the number of tunnels associated with an IP address on the virtual router, specify an IP address with the virtual-router keyword and the name of the virtual router. Field descriptions
  • Page 271 Number of tunnels found—Total number of DVMRP tunnels found Number of static tunnels—Number of tunnels created statically Example 1 host1#show dvmrp tunnel DVMRP tunnel boston1 is up 1 DVMRP tunnel found 1 tunnel was created static Example 2
  • Page 272 Data tx See show dvmrp tunnel. show dvmrp tunnel summary Use to display a summary of information about DVMRP tunnels. Field descriptions Administrative status enabled—Tunnel is available for use disabled—Tunnel is not available for use
  • Page 273 SNMP when the operational state of the tunnels changes, enabled or disabled Tunnel server location—Location of the tunnel server in slot/port format (ERX7xx models, ERX14xx models, and the ERX310 router) or slot/adapter/port format (E120 and E320 routers).
  • Page 274 Tunnel destination address is '10.0.0.2' Tunnel transport virtual router is default Tunnel checksum option is disabled Tunnel up/down trap is enabled Tunnel server location is 4/0 Tunnel secured by ipsec transport interface 1 Tunnel administrative state is up
  • Page 275 Tunnel administrative state is Up Statistics packets octets discards errors Data rx Data tx GRE tunnel end is Up Tunnel operational configuration Tunnel mtu is '10240' Tunnel source address is '15.0.0.2' Tunnel destination address is '15.0.0.1'
  • Page 276 (such as a line module) supporting the tunnel is inaccessible Example host1#show gre tunnel summary Administrative status enabled disabled Operational status down not-present See show gre tunnel.
  • Page 277: Configuring Dynamic Ip Tunnels

    IP tunnel. The application can automatically create an upper layer IPv4 interface over the GRE or DVMRP interface by using the IP characteristics defined in a profile referenced in the GRE or DVMRP destination profile.
  • Page 278: Data Mdt For Multicast Vpns And Dynamic Ip Tunnels

    IP header. The Mobile IP home agent uses the dynamic IP tunnel for routing loop detection. The home agent examines packets that are intercepted by the home agent and destined for
  • Page 279: Configuring Dynamic Ip Tunnels

    Platform Considerations For information about modules that support IP tunnels on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 280: Module Requirements

    ES2 4G line module or an ES2 10G ADV line module (LM) with an ES2-S1 Service I/O adapter (IOA), or an IOA that supports the use of shared tunnel-server ports. For information about installing modules in these routers, see the E120 and E320 Hardware Guide.
  • Page 281: Redundancy And Tunnel Distribution

    By default, the data MDT application is disabled in the default destination profiles. The Mobile IP application can use the default destination profile. You can modify the configuration of the default destination profiles.
  • Page 282: Modifying The Configuration Of The Default Destination Profile

    (Optional) Enable IPSec transport mode. host1(config-dest-profile)#enable ipsec-transport (Optional) Create a multicast VPN tunnel. host1(config-dest-profile)#tunnel mdt profile kanata-mdt Creating a Destination Profile for DVMRP Tunnels To configure a destination profile for dynamic DVMRP tunnels:
  • Page 283 This command is supported in the destination profile only when you have installed an ISM on ERX routers. Example host1(config-dest-profile)#enable ipsec-transport Use the no version to disable IPSec transport mode. See enable ipsec-transport. gre destination profile
  • Page 284 Use the range keyword to configure the first IP address and the last IP address of the destination interface range Example 1—Specifies an IP address and mask for the destination interface host1(config-dest-profile)#tunnel destination subnet 192.13.7.1 255.0.0.0 Example 2—Specifies a range of IP addresses for the destination interface
  • Page 285: Monitoring Dynamic Ip Tunnels

    Use the no version to remove the source of a tunnel. See tunnel source. Monitoring Dynamic IP Tunnels You can monitor dynamic DVMRP and GRE tunnels by using the following commands. show dvmrp destination profile
  • Page 286 10.0.0.0 255.0.0.0 tunnel source 1.1.1.1 tunnel source 1.1.1.2 tunnel source 1.1.1.3 See show dvmrp destination profile. show dvmrp tunnel
  • Page 287 Tunnel administrative state—Configured state of the tunnel: Up or Down Statistics—Details of packets received or transmitted by the tunnel packets—Number of packets received or transmitted by the tunnel octets—Number of octets received or transmitted by the tunnel
  • Page 288 Application is Mobile-IP Tunnel operational configuration Tunnel mtu is '5000' Tunnel source address is '6.6.6.6' Tunnel destination address is '3.3.3.3' Tunnel transport virtual router is vr1 Tunnel mdt is disabled Tunnel checksum option is disabled
  • Page 289 GRE destination profiles configured on the system tunnel checksum—Status of tunnel checksum configuration; enabled or disabled tunnel sequence-datagrams—Status of tunnel sequence datagrams configuration; enabled or disabled
  • Page 290 10240 ipsec transport mode disabled tunnel mdt profile kanata-mdt profile kanata virtual router vr2 tunnel destination subnet 224.0.0.0 255.0.0.0 tunnel source 1.1.1.1 tunnel source 1.1.1.2 tunnel source 1.1.1.3 See show gre destination profile.
  • Page 291 E320 routers). Tunnel is secured by ipsec transport interface—IPSec interface that secures the tunnel. Tunnel administrative state—Configured state of the tunnel: up or down Statistics—Details of packets received or transmitted by the tunnel
  • Page 292 Example 3—Displays the detail of a dynamically created GRE tunnel for the Mobile IP application host1:vr12#show gre tunnel detail mobileIp-dynamic-1 GRE tunnel mobileIp-dynamic-1 is Up tunnel is dynamic Application is Mobile-IP Tunnel operational configuration
  • Page 293 (such as a line module) supporting the tunnel is inaccessible Example host1#show gre tunnel summary Administrative status enabled disabled Operational status down not-present See show gre tunnel.
  • Page 295: Ip Reassembly For Tunnels

    Router D must reassemble the packets before tunnel egress processing and de-encapsulation are performed. For more information about configuring tunnel-service interfaces, see Managing Tunnel Service and IPSec Service Interfaces in JunosE Physical Layer Configuration Guide.
  • Page 296: Platform Considerations

    Unlike other line modules, SMs and ISMs do not pair with corresponding I/O modules that contain ingress and egress ports. Instead, they receive data from and transmit data to other line modules with access to ingress and egress ports on their own associated I/O modules.
  • Page 297: E120 Router And E320 Router

    Example—Enables reassembly for virtual router vr12 and disables reassembly for virtual router vr8 host1:vr12(config)#ip tunnel reassembly host1:vr12(config)#virtual-router vr8 host1:vr8(config)#no ip tunnel reassembly Use the no version to return IP tunnel reassembly to the default, disabled. See ip tunnel reassembly.
  • Page 298: Monitoring Ip Reassembly

    You can display statistics for a single virtual router or for all virtual routers. You can also display statistics relative to a baseline.
  • Page 299 Example 2—Shows detailed reassembly statistics for the default virtual router host1#show ip tunnel reassembly statistics detail Tunnel IP Reassembly Statistics for Virtual Router: default Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: L2TP: GRE: IPSec: Control/Other:
  • Page 300 Tunnel IP Reassembly Statistics for Virtual Router: vr2 Tunnel IP Reassembly enabled Total Fragments Received: Total Packets Reassembled: Reassembly Errors: Reassembly Discards: See show ip tunnel reassembly statistics.
  • Page 301: Securing L2Tp And Ip Tunnels With Ipsec

    IPSec. However, unsecured L2TP tunnels are not allowed on the ISM. You use the following commands to create a secure tunnel: L2TP tunnels—Use the enable ipsec transport command in the L2TP destination profile GRE and DVMRP tunnels—Use the ipsec-transport keyword in the interface tunnel command
  • Page 302: Ipsec Secured-Tunnel Maximums

    RFC 2401—Security Architecture for the Internet Protocol (November 1998) RFC 2661—Layer Two Tunneling Protocol “L2TP” (August 1999) RFC 3193—Securing L2TP using IPSec (November 2001) RFC 3715—IPsec-Network Address Translation (NAT) Compatibility Requirements (March 2004)
  • Page 303: Securing L2Tp And Ip Tunnels With Ipsec

    L2TP tunnel to the same L2TP/IPSec gateway, which provides the client with another IP interface to access the private network it is connecting to. The L2TP tunnel is completely protected by the IPSec connection established earlier.
  • Page 304: Setting Up The Secure L2Tp Connection

    L2TP and IPSec define control and data messages used for L2TP/IPSec. Figure 24 on page 279 shows an L2TP control frame encapsulated by IPSec. The shaded area shows the encrypted portion of the frame.
  • Page 305: Compatibility And Requirements

    PPP defines the Compression Control Protocol (CCP) and the Encryption Control Protocol (ECP) modes. These modes are currently not supported in the E Series router. There is no interaction related to encryption directives between IPSec and PPP.
  • Page 306: Lns Change Of Port

    NAT device resides between the router and the remote users. In addition, NAT passthrough mode does not provide secure access for groups of remote users at corporate locations where a NAT device resides between the company's intranet and the public IP network.
  • Page 307: How Nat-T Works

    Figure 26 on page 281 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPSec. Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation
  • Page 308: Udp Statistics

    If the router receives NAT keepalive messages as part of the L2TP/IPSec traffic flow, it discards these messages at the ingress line module on which the messages were received.
  • Page 309: Configuring And Monitoring Nat-T

    Table 18 on page 284 describes the differences between how the router handles the idle timeout period (configured with the l2tp tunnel idle-timeout command) and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard
  • Page 310: Configuration Tasks For Client Pc

    To set up preshared keys, see “Configuring IPSec Parameters” on page 139 in “Configuring IPSec” on page 119. Create IPSec policies. See “Defining an IKE Policy” on page 148 in “Configuring IPSec” on page 119. Configure RADIUS authentication and accounting. See JunosE Broadband Access Configuration Guide.
  • Page 311: Enabling Ipsec Support For L2Tp

    Use to specify that the router accept only L2TP tunnels protected by an IPSec transport connection. Example host1(config-l2tp-dest-profile-host)#enable ipsec-transport Use the no version to disable IPSec transport mode. See enable ipsec-transport. l2tp destination profile
  • Page 312: Configuring Nat-T

    Use the no version to disable NAT-T for the current virtual router. Use the default version to restore the default NAT-T setting on the virtual router, enabled. See ipsec option nat-t.
  • Page 313: Configuring Single-Shot Tunnels

    A single-shot tunnel does not persist beyond its last connected L2TP session. As a result, using single-shot L2TP/IPSec tunnels instead of the default (standard) tunnel
  • Page 314: GRE/IPSec and DVMRP/IPSec Tunnels

    The GRE tunnel now runs over the SAs that IKE established. Figure 29: GRE/IPSec Connection Configuration Tasks The main configuration tasks for setting up GRE or DVMRP over IPSec on E Series routers are:
  • Page 315: Enabling IPSec Support for GRE and DVMRP Tunnels

    See interface tunnel. Configuring IPSec Transport Profiles To configure an IPSec transport profile that will be used to secure DVMRP, GRE, or L2TP tunnels: Create the profile. host1(config)#ipsec transport profile secureGre virtual-router default ip address 5.5.5.5
  • Page 316 NAT devices that support IPSec passthrough. To allow these clients to connect, the router: Does not generate or verify UDP checksums. This does not compromise security, because IPSec protects UDP packets with an authentication algorithm far stronger than UDP checksums.
  • Page 317 Example host1(config-ipsec-transport-profile)#lifetime seconds 900 86400 kilobytes 100000 4294967295 Use the no version to restore the default values, 100000–4294967295 KB and 900–86400 seconds (0.25–24 hours). See lifetime. local ip address
  • Page 318 Assign a Diffie-Hellman prime modulus group using one of the following keywords: 1—768-bit group 2—1024-bit group 5—1536-bit group Example host1(config-ipsec-transport-profile)#pfs group 5 Use the no version to remove PFS from this profile, which is the default setting. See pfs group. pre-share
  • Page 319 CAUTION: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the weaker security does not pose a risk to the provider.
  • Page 320: Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels

    If the tunnel is protected by IPSec, the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface. The line is not shown for unsecured tunnels. The following is a partial display. See “Monitoring IP
  • Page 321 Possible states are: AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator AM_FINAL_I—Initiator has finished aggressive mode negotiation
  • Page 322 Use to display whether NAT-T is enabled or disabled on the current virtual router. The show ipsec option command also displays the status of dead peer detection (DPD) on the virtual router. For information about configuring and monitoring DPD, see “Configuring IPSec” on page 119. Example
  • Page 323 InUserPackets—Number of user packets received InUserOctets—Number of octets received from user packets InAccPackets—Number of encapsulated packets received InAccOctets—Number of octets received in encapsulated packets InAuthErrors—Number of authentication errors received InReplyErrors—Number of reply errors in received traffic
  • Page 324 Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port Inbound spi 0x15c30204 Inbound transform transport-esp-3des-sha1 Inbound lifetime 900 seconds 102400 kilobytes Outbound spi is 0x16a10205 Outbound transform transport-esp-3des-sha1 Outbound lifetime 900 seconds 102400 kilobytes
  • Page 325 Peer address—Remote endpoint address Application—Type(s) of application that this profile is protecting Lifetime range in seconds—Lifetime range in seconds configured for the profile Lifetime range in kilobytes—Lifetime range in kilobytes configured for the profile
  • Page 326 Destination profile maximum sessions—Maximum number of sessions allowed for the destination profile Destination profile current session count—Number of current sessions for the destination profile Host profile attributes: Remote host is—Name of the remote host Tunnel password is—Password for the tunnel
  • Page 327 Interface profile is tunneled-user Local host name is lns-1 Ipsec transport is enabled Disconnect-cause avp is enabled Tunnels are single-shot Statistics Current session count is 1 1 L2TP host profile found See show l2tp destination profile.
  • Page 329: Configuring the Mobile IP Home Agent

    IP address, which is referred to as the care-of address (CoA). The mobile node registers this CoA with the home agent. The home agent then establishes a tunnel to the CoA if the tunnel was not established earlier.
  • Page 330: Mobile IP Agent Discovery

    Home address allocation is done by one of the existing AAA back-end address mechanisms, such as: by RADIUS; from an address pool returned by RADIUS; from a local pool; by the DHCP server.
  • Page 331: Configuring the Mobile IP Home Agent

    AAA based on its configuration, depending on the SPI provided in the registration request. If the aaa keyword is absent, then the home agent uses authentication parameters configured locally on the router to authenticate the
  • Page 332: Subscriber Management

    Juniper Networks vendor-specific attributes (VSAs) to provide the appropriate authentication algorithm and secure key for the authentication request. For information about the specific Juniper Networks VSAs used for Mobile IP RADIUS-based authentication, see JunosE Broadband Access Configuration Guide and RADIUS IETF Attributes...
  • Page 333: Mobile IP Platform Considerations

    Before you can configure the Mobile IP home agent on a virtual router, perform the following tasks: Create a virtual router to enable the Mobile IP license. (Optional) Configure the access list for filtering foreign agents. Configure an IP interface, which is used as the care-of address.
  • Page 334: Configuring the Mobile IP Home Agent

    RADIUS accounting servers, see the JunosE Broadband Access Configuration Guide. Configuring the Mobile IP Home Agent To configure the Mobile IP home agent on a virtual router: Configure a license for the Mobile IP home agent. Configure the Mobile IP home agent settings.
  • Page 335 Example host1(config)#ip mobile home-agent care-of-access acl lifetime 2000 replay 255 reverse-tunnel-off Use the no version to disable the home agent service on the virtual router.
  • Page 336 @yahoo.com aaa care-of-access acl2 host1(config)#ip mobile host nai bob@msn.net aaa lifetime 400 Use the no version to delete the configuration of the mobile node on the virtual router. See ip mobile host. ip mobile profile
  • Page 337 See ip mobile secure foreign-agent. ip mobile secure host Use to configure the security associations for a mobile node. You must configure security associations only for mobile nodes on which local authentication is configured.
  • Page 338 See ip mobile secure host. license mobile-ip home-agent Use to configure the license key to enable a home agent. Specify a name for the license key; up to a maximum of 16 alphanumeric characters.
  • Page 339: Monitoring the Mobile IP Home Agent

    Home agent address—IP address of the home agent Care-of-address—IP address of the foreign agent care-of address or co-located care-of address Lifetime granted—Interval, in hh:mm:sec format, granted during registration before which the registration request exceeds the home agent configured time
  • Page 340 (in seconds) 36000 Replay protection time (in seconds) Reverse tunnel enabled See show ip mobile home-agent. show ip mobile host Use to display configuration of all or specified mobile nodes or domain users. Field descriptions
  • Page 341 Use to display the security associations configured for all foreign agents on the virtual router. Field descriptions IP address—IP address of foreign agent SPI—Security parameter index (SPI) key for authenticating registration requests
  • Page 342 Use to display protocol statistics for the Mobile IP home agent traffic, including advertisements, solicitations, registrations, registration errors, and security violations. To display baseline-relative statistics for the Mobile IP home agent traffic, use the optional delta keyword.
  • Page 343 Unavailable encapsulation—Number of registration requests rejected because of unsupported encapsulation No reverse tunnel—Number of registration requests rejected because reverse tunneling is disabled Example host1#show ip mobile traffic Home Agent Registrations: Registration requests: Register: 0
  • Page 344 Mobile IP license is—Mobile IP license key associated with the home agent and the maximum number of users allowed by this license Example host1#show license mobile-ip home-agent Mobile IP license is PcZJ93Mt17 which allows 48000 users See show license mobile-ip home-agent.
  • Page 345: Index

    PART 2 Index Index on page 321
  • Page 347: Index

    AS-path attribute..............22 clear ip commands authentication clear ip prefix-list............32 Mobile IP home agent..........303 clear ip prefix-tree............35 authentication commands clear ip routes..............47 authentication............219, 225 clearing L2C neighbors............192 communities, BGP..............37
  • Page 348 DVMRP (Distance Vector Multicast Routing tunnels................237 Protocol) gre destination profile command........258 reassembly of tunnel packets........270 GRE with IPSec tunnels................238 how it works..............288 dvmrp destination profile command......257 setting up secure connection.........288
  • Page 349 AH processing..............132 invalid cookies, IPSec............151 concepts................122 configuration managing the routing table........47 examples..............152 IP addresses tasks.................138 prefix lists................32 configuring prefix trees................35 IKE policy..............148 ip commands IPSec parameters..........139 ip as-path access-list...........22 tunnels..............141 ip bgp-community new-format.......38 digital certificates............205
  • Page 350 222 pfs group................289 ipsec lifetime..............139 transform-set...............289 ipsec local-endpoint............141 See also show ipsec transport commands ipsec option dpd............143 IPSec tunnel profile commands ipsec option nat-t............286 domain-suffix..............174 ipsec option tx-invalid-cookie........151 extended-authentication...........174
  • Page 351 L2TP (Layer 2 Tunneling Protocol) match extcommunity..........10, 41 reassembly of tunnel packets........270 match ip address........11, 32, 35, 36 l2tp commands match ip next-hop...........32, 35, 36 l2tp destination profile..........285 match level................12 l2tp ignore-receive-data-sequencing....271 match metric..............12 match metric-type............12 match policy-list..............12
  • Page 352 OSPF (Open Shortest Path First) creating................73 clearing IP routing table..........47 interfaces, specifying inside and outside.....69 reinstalling routes in IP routing table......47 license................68 monitoring................84 NAT-T ................280 overview................61
  • Page 353 254, 270
  • Page 354 238, 254 show ip nat commands monitoring parameters..........244 show ip nat inside rule..........85 redundancy............239, 255 show ip nat outside rule..........85 source, tunnel.................237 show ip nat statistics............85 static routes..............49, 244 show ip nat translations..........85 static tunnels................237
  • Page 355 254, 270 tunnels, IP DVMRP................251 DVMRP (IP in IP)............238 dynamic................251 endpoints................237