IKE Overview; Main Mode and Aggressive Mode - Juniper JunosE 11.2.x IP Services Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

JunosE 11.2.x IP Services Configuration Guide

IKE Overview

Main Mode and Aggressive Mode

Tunnel failover is a two-way process. If the router detects that the remote peer is unreachable, it switches to sending traffic to the backup destination. Likewise, if the router is sending traffic to the backup destination when the connection is terminated, the router switches to sending the traffic to the original remote peer.

NOTE: Even without tunnel failover configured, DPD still provides many benefits, such as indicating that the destination interface is down, ensuring that the router stops sending packets to the unreachable destination, and generating SNMP traps.
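The two-way failover process and the DPD behaviour described above, as an added example that is not JunosE code: a small Python model in which unanswered DPD probes to the active destination trigger the switch to the backup, a trap event, and (once the backup connection is terminated) the switch back to the original peer. The peer addresses, the `max_missed` probe threshold, and the choice to suspend traffic when no destination is reachable are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TunnelFailover:
    """Two-way tunnel failover driven by DPD (constructed model, not JunosE code).

    `primary`/`backup` addresses and `max_missed` (unanswered DPD probes before
    a peer is declared dead) are assumptions for the example.
    """
    primary: str
    backup: str
    max_missed: int = 3
    current: Optional[str] = field(init=False)
    missed: int = field(init=False, default=0)
    events: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self.current = self.primary  # traffic starts towards the original remote peer

    def dpd_reply(self, peer: str) -> None:
        """A DPD acknowledgement from the active destination resets the liveness count."""
        if peer == self.current:
            self.missed = 0

    def dpd_timeout(self) -> Optional[str]:
        """One unanswered DPD probe; returns where traffic goes next (None = stop)."""
        if self.current is None:
            return None
        self.missed += 1
        if self.missed < self.max_missed:
            return self.current
        dead, self.missed = self.current, 0
        self.events.append(f"snmp-trap: peer {dead} unreachable")  # DPD raises a trap
        if dead == self.primary:
            self.current = self.backup  # switch traffic to the backup destination
            self.events.append(f"failover {dead} -> {self.backup}")
        else:
            self.current = None  # backup dead too: stop sending (assumption)
            self.events.append("no reachable destination; traffic suspended")
        return self.current

    def connection_terminated(self, peer: str) -> Optional[str]:
        """Backup connection torn down while in use: traffic returns to the original peer."""
        if peer == self.backup and self.current == self.backup:
            self.current, self.missed = self.primary, 0
            self.events.append(f"failback {self.backup} -> {self.primary}")
        return self.current
```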
The IKE suite of protocols allows a pair of security gateways to:
- Dynamically establish a secure tunnel over which the security gateways can exchange tunnel and key information.
- Set up user-level tunnels or SAs, including tunnel attribute negotiations and key management. These tunnels can also be refreshed and terminated on top of the same secure channel.
IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP framework for key exchange and security association establishment. IKE provides:
- Automatic key refreshing on configurable timeout
- Support for public key infrastructure (PKI) authentication systems
- Antireplay defense
IKE is layered on UDP and uses UDP port 500 to exchange IKE information between the security gateways. Therefore, UDP port 500 packets must be permitted on any IP interface involved in connecting a security gateway peer.

The following sections expand on the IKE functionality available for the router.
IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are:

Main mode
- Protects the identities of the peers during negotiations and is therefore more secure.
- Enables greater proposal flexibility than aggressive mode.
- Is more time consuming than aggressive mode because more messages are exchanged between peers. (Six messages are exchanged in main mode.)

Aggressive mode
Copyright © 2010, Juniper Networks, Inc.