Relocating Tunnel Interfaces; User Authentication; Platform Considerations - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For e series broadband services routers - ip services configuration

JunosE 11.2.x IP Services Configuration Guide

Relocating Tunnel Interfaces

User Authentication

Platform Considerations

172
- Reachable networks on the VPN (allowing for split tunneling when supported by the client software)
- Security parameters intended to protect user traffic (including IPSec encapsulating protocol, encryption algorithms, authentication algorithms, lifetime parameters, perfect forward secrecy, and DH group for key derivation)
- Setting the IP address the router monitors for remote subscribers.
New subscribers are mapped to IPSec tunnel profiles only after the initial IKE SA is established. As with IPSec tunnels, IKE policy rules are required to control IKE SA acceptance and denial.

Unlike static IPSec tunnel interfaces, dynamic IPSec subscribers do not relocate if the IPSec server card becomes unavailable. If the IPSec server card becomes unavailable, all dynamic subscribers that are logged in and located on that server card are logged out and must log back in to connect.
For IPSec subscribers, user authentication occurs in two phases. The first phase is an IPSec-level authentication (phase 1 or IKE authentication). It is sometimes referred to as "machine" authentication, because the user PC is authenticated: the first authentication phase verifies private or preshared keys that reside on the PC. These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed.
Depending on the IKE phase 1 exchange, restrictions on the authentication type or the access network setup might exist. To avoid any usage problems, keep the following in mind:

- If you are configuring a VPN where users perform preshared key IPSec authentication and use the IKE main mode exchange for phase 1, you must set up the access network such that the VPN has an exclusive local IP address.
- If you want to share a single server address on the access network for more than one VPN, you must either set the clients to use IKE aggressive mode or use a public and private key pair for authentication (this authentication type includes X.509v3 certificates).
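The reason behind these two rules is easier to see in a small model of the responder's decision. In IKEv1 main mode the identity payload arrives encrypted in messages 5 and 6, and the keys that protect those messages are derived from the preshared key, so a router that hosts several preshared-key VPNs behind one address has nothing but the destination address to choose the key from. Aggressive mode sends the identity in the first message, and certificate authentication does not tie the phase 1 keys to a per-VPN secret, so both allow the choice to be deferred until the identity is known. The following Python is an added illustration written for this page, not JunosE code; the VPN names, addresses and identities are constructed sample data.

```python
"""Model of the IKEv1 phase 1 constraint on shared server addresses (constructed example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, List, Dict


@dataclass(frozen=True)
class Vpn:
    name: str
    local_addr: str                       # server address on the access network
    auth: str                             # "psk" or "rsa-sig" (X.509v3 certificates)
    identities: FrozenSet[str] = field(default_factory=frozenset)  # accepted IKE IDs


@dataclass(frozen=True)
class IkeExchange:
    dst_addr: str            # address the client sent its first IKE message to
    mode: str                # "main" or "aggressive"
    auth: str                # proposed authentication method: "psk" or "rsa-sig"
    identity: Optional[str]  # ID payload: in message 1 for aggressive mode, else messages 5/6


class AmbiguousVpn(Exception):
    """The responder cannot tell which VPN this phase 1 exchange belongs to."""


def select_vpn(vpns: List[Vpn], xchg: IkeExchange) -> Vpn:
    """Pick the VPN whose IKE policy handles this phase 1 exchange.

    Main mode with PSK: the ID is encrypted under keys derived from the PSK, so
    the responder must commit to a PSK, and therefore a VPN, from the address alone.
    Aggressive mode: the ID is in message 1 and can drive the choice.
    rsa-sig: phase 1 keys do not depend on a per-VPN secret, so the responder can
    wait for the decrypted ID and certificate before committing to a VPN.
    """
    on_addr = [v for v in vpns if v.local_addr == xchg.dst_addr and v.auth == xchg.auth]
    if not on_addr:
        raise LookupError(f"no VPN with {xchg.auth} authentication on {xchg.dst_addr}")
    if len(on_addr) == 1:
        return on_addr[0]                    # exclusive address: no ambiguity
    if xchg.auth == "psk" and xchg.mode == "main":
        raise AmbiguousVpn(
            f"{len(on_addr)} PSK VPNs share {xchg.dst_addr}; main mode offers only the address")
    if xchg.identity is None:
        raise AmbiguousVpn("no identity available to disambiguate")
    matches = [v for v in on_addr if xchg.identity in v.identities]
    if len(matches) != 1:
        raise AmbiguousVpn(f"identity {xchg.identity!r} matches {len(matches)} VPNs")
    return matches[0]


def shared_psk_addresses(vpns: List[Vpn]) -> Dict[str, List[str]]:
    """Return server addresses shared by more than one PSK VPN (main mode clients will fail)."""
    by_addr: Dict[str, List[str]] = {}
    for v in vpns:
        if v.auth == "psk":
            by_addr.setdefault(v.local_addr, []).append(v.name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


# Constructed sample: two PSK VPNs sharing one address, one certificate VPN on its own.
SAMPLE_VPNS = [
    Vpn("corp", "203.0.113.10", "psk", frozenset({"alice@corp.example"})),
    Vpn("partner", "203.0.113.10", "psk", frozenset({"bob@partner.example"})),
    Vpn("certvpn", "203.0.113.11", "rsa-sig", frozenset({"CN=carol"})),
]

if __name__ == "__main__":
    print("addresses shared by PSK VPNs:", shared_psk_addresses(SAMPLE_VPNS))
    for xchg in (IkeExchange("203.0.113.10", "main", "psk", None),
                 IkeExchange("203.0.113.10", "aggressive", "psk", "bob@partner.example"),
                 IkeExchange("203.0.113.11", "main", "rsa-sig", "CN=carol")):
        try:
            print(xchg.mode, xchg.auth, "->", select_vpn(SAMPLE_VPNS, xchg).name)
        except AmbiguousVpn as err:
            print(xchg.mode, xchg.auth, "-> rejected:", err)
```

Running it shows the main-mode PSK exchange on the shared address being rejected while the aggressive-mode and certificate exchanges are resolved to a single VPN; `shared_psk_addresses` is the check to run over a planned access network before deploying main-mode PSK clients.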
After the IPSec-level authentication takes place, a user authentication occurs. Often considered a legacy form of authentication, the user authentication (like RADIUS) typically requires the user to enter information in the form of a username and password.
For information about modules that support dynamic IPSec subscribers on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router, see "IPSec Service support" in the ERX Module Guide, Table 1, Module Combinations, for detailed module specifications.
Copyright © 2010, Juniper Networks, Inc.
