Manual Versus Signaled Interfaces; Figure 14: Ipsec Security Parameters In Relation To The Secure Ip Interface - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

Copyright © 2010, Juniper Networks, Inc.

Figure 14: IPSec Security Parameters in Relation to the Secure IP Interface

Manual Versus Signaled Interfaces

The router supports both manual and signaled interfaces:

Manual interfaces use a preconfigured set of SA parameters to secure traffic flowing
through a secure IP interface. If SA parameters do not use a preconfigured, manual
secure interface, the interface drops all traffic it receives. The router keeps statistics
for dropped traffic. Both peer security gateways must contain a manually provisioned
manual secure IP tunnel.

Signaled interfaces negotiate an SA on demand with the remote security gateway.
The remote security gateway must also support SA negotiation; otherwise the gateway
drops traffic. Again, the router keeps statistics for dropped traffic.

The router supports SA negotiation within an IKE SA by means of the ISAKMP and IKE
protocols. Only one IKE SA is maintained between a set of local and remote IKE
endpoints. That means that if an IKE SA already exists between the two endpoints, it
is reused.
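
A small Python model of the behavior described above, added here as an illustration and not taken from the Juniper manual or from JUNOSe. All class, field, and address names are hypothetical, SA negotiation is reduced to a flag, and the manual-interface rule is read as "no preconfigured SA parameters means the traffic is dropped".

```python
# Added illustration, not JUNOSe code: every name and address below is hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Gateway:
    """Toy security gateway holding one IKE SA per (local, remote) endpoint pair."""
    ike_sas: dict = field(default_factory=dict)

    def ike_sa_for(self, local: str, remote: str) -> str:
        # Reuse the IKE SA if one already exists between these two endpoints.
        key = (local, remote)
        if key not in self.ike_sas:
            self.ike_sas[key] = f"ike-sa-{len(self.ike_sas) + 1}"
        return self.ike_sas[key]


@dataclass
class SecureInterface:
    gateway: Gateway
    local: str
    remote: str
    mode: str                          # "manual" or "signaled"
    manual_sa: Optional[dict] = None   # preconfigured SA parameters (manual only)
    peer_negotiates: bool = True       # remote gateway supports SA negotiation
    ipsec_sa: Optional[dict] = None    # SA negotiated on demand (signaled only)
    dropped: int = 0                   # statistics for dropped traffic

    def handle(self, packet: bytes) -> Optional[dict]:
        """Return the SA that protects the packet, or None if it is dropped."""
        if self.mode == "manual":
            sa = self.manual_sa        # manual interfaces never negotiate
        else:
            sa = self.ipsec_sa or self._negotiate()
        if sa is None:
            self.dropped += 1
        return sa

    def _negotiate(self) -> Optional[dict]:
        if not self.peer_negotiates:
            return None                # peer cannot negotiate: traffic is dropped
        ike = self.gateway.ike_sa_for(self.local, self.remote)
        self.ipsec_sa = {"negotiated_under": ike}
        return self.ipsec_sa
```

Two signaled interfaces between the same pair of endpoints end up sharing one entry in `ike_sas`, while a manual interface never touches that table and only increments `dropped` when it has no SA parameters.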

Secure IP interface parameters can be required, optional, or not applicable, depending
on whether the interface is manual or signaled. Table 10 on page 126 shows how the
other security parameters fit with manual and signaled interfaces.
Chapter 5: Configuring IPSec
125


This manual is also suitable for:

Junose 11.2.x
