Table of Contents
Advertisement
Inherited Subscriber Functionality
Using IPSec Tunnel Profiles
Copyright © 2010, Juniper Networks, Inc.
One IPSec license
If either license is unavailable, the router denies access to the subscriber.
Dynamic IPSec subscribers inherit much of the built-in AAA subscriber management
functionality. This functionality includes the following:
AAAA subscriber management commands
DNS (primary and secondary)
WINS (primary and secondary)
Session timeout
Accounting features (interval, duplication, immediate update, broadcasting, Acct-stop)
Duplicate address checking
IP address pools
Per virtual-router subscriber limit
Policies
Packet mirroring
For additional information on AAA functionality, see JunosE Broadband Access
Configuration Guide.
IPSec tunnel profiles serve the following purposes in the configuration of dynamic IPSec
subscribers:
Controlling which connecting user, based on the IKE identification, belongs to a given
profile. Profile settings falling in this category include the following:
IKE identities from peers that can use this profile. These identities include IP
addresses, domain names, and E-mail addresses. In addition, distinguished names
that use X.509 certificates are permitted.
The router IKE identity.
Terminating extraneous security and IP profile settings that exist after a subscriber is
mapped to an IPSec tunnel. These settings include the following:
Maximum number of subscribers that this profile can terminate
AAA domain suffix intended for the username (helping to bridge users from a given
IPSec tunnel profile to an AAA domain map)
Phase 2 SA selectors for use in phase 2 SA exchanges
IP profiles intended for users logging in using this profile (helping to bridge users from
a given IPSec tunnel profile to an IP profile)
Chapter 6: Configuring Dynamic IPSec Subscribers
171
Advertisement
Table of Contents
