Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

JunosE™ Software
for E Series™ Broadband
Services Routers
IP Services Configuration Guide
Release
11.3.x
Published: 2010-10-01
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01

  • Page 1 JunosE™ Software for E Series™ Broadband Services Routers IP Services Configuration Guide Release 11.3.x Published: 2010-10-01 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Index ............321
  • Page 8 JunosE 11.3.x IP Services Configuration Guide viii
  • Page 9 Using a Prefix List ..........33
  • Page 10 Creating Static Inside Source Translations ......70 Creating Static Outside Source Translations ......71
  • Page 11 J-Flow show Commands ......... 101
  • Page 12 Lifetime ........... 137
  • Page 13 Specifying a Virtual Router for an IKE Policy Rule ..... 180 Defining Aggressive Mode for an IKE Policy Rule ..... 181
  • Page 14 Verifying CRLs ..........210
  • Page 15 Monitoring Dynamic IP Tunnels ........259
  • Page 16 Commands ..........294
  • Page 17 Index ............321
  • Page 18 JunosE 11.3.x IP Services Configuration Guide xviii
  • Page 19: List Of Figures

    Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation ....281 Figure 27: L2TP Data Frame with NAT-T UDP Encapsulation ....282
  • Page 20 Figure 29: GRE/IPSec Connection ........288
  • Page 21 Table 17: Configuration and Monitoring Tasks for NAT-T ....283 Table 18: Differences in Handling Timeout Periods for L2TP/IPSec Tunnels ..284
  • Page 22 JunosE 11.3.x IP Services Configuration Guide xxii
  • Page 23: About The Documentation

    Audience This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment. E Series and JunosE Text and Syntax Conventions Table 1 on page xxiv defines notice icons used in this documentation.
  • Page 24: Table 1: Notice Icons

    Indicates that you must press two or more keys simultaneously. Press Ctrl + b. Syntax Conventions in the Command Reference Guide: Plain text like this represents keywords (terminal length). Italic text like this represents variables (mask, accessListName).
  • Page 25: Obtaining Documentation

    CD-ROMs or DVD-ROMs, see the Portable Libraries page at http://www.juniper.net/techpubs/resources/index.html Copies of the Management Information Bases (MIBs) for a particular software release are available for download in the software image bundle from the Juniper Networks Web site at http://www.juniper.net/...
  • Page 26: Self-Help Online Tools And Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 27: Chapters

    Configuring IP Tunnels on page 237 Configuring Dynamic IP Tunnels on page 251 IP Reassembly for Tunnels on page 269 Securing L2TP and IP Tunnels with IPSec on page 275 Configuring the Mobile IP Home Agent on page 303
  • Page 28 JunosE 11.3.x IP Services Configuration Guide
  • Page 29: Configuring Routing Policy

    Routing policy determines how the system handles the routes it receives from and sends to neighboring routers. In many cases, routing policy consists of the following: filtering routes; accepting certain routes; accepting and modifying other routes.
  • Page 30: Platform Considerations

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the Juniper Networks ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
  • Page 31: Route Map Configuration Example

    Route Map Configuration Example Consider the network structure shown in Figure 1 on page 6. Suppose you do not want router Boston to receive any routes that originate in or pass through router Chicago.
  • Page 32: Multiple Values In A Match Entry
  • Page 33: Configuring Routing Policy

    10 Match clauses: match community corporate5 dade2 If you instead issue the following commands, the specified value is deleted: host1(config-route-map)#no match community dade2
  • Page 34: Matching A Community List Exactly

    1 permit 231:10 231:20 You can, however, remove the lists with the set comm-list delete command if you created them separately with the following commands: host1(config)#ip community-list 1 permit 231:10
  • Page 35: Matching A Policy List

    NOTE: Both the admission bandwidth and QoS bandwidth are a constant bit rate. For more information about multicast admission control or QoS adjustment, see Configuring IPv4 Multicast or chapter Configuring IPv6 Multicast in JunosE Multicast Routing Configuration Guide. match as-path
  • Page 36 ORed. Example host1(config-route-map)#match extcommunity topeka10 Use the no version to remove the match clause from a route map or a specified value from the match clause. See match extcommunity.
  • Page 37 Use the no version to delete all next-hop match clauses from a route map unless you specify a prefix list, in which case only that prefix list match is removed from the route map. See match ipv6 next-hop. match ipv6 route-source
  • Page 38 See match metric-type. match policy-list Use to reference a policy list that has the specified name. Example host1(config-route-map)#match policy-list list1 Use the no version to remove the match clause from a route map. See match policy-list.
  • Page 39 You can specify match and set clauses to modify attributes of redistributed routes. Use route maps when you want to have detailed control over how routes are redistributed between routing processes.
  • Page 40 1 permit 231:10 host1(config)#ip community-list 1 permit 231:20 host1(config)#router bgp 45 host1(config-router)#neighbor 10.6.2.5 remote-as 5 host1(config-router)#neighbor 10.6.2.5 route-map indelete in host1(config-router)#route-map indelete permit 10 host1(config-route-map)#set comm-list 1 delete
  • Page 41 Example host1(config-route-map)#set dampening 5 1000 1500 45 15 Use the no version to delete the set clause from a route map. See set dampening. set distance
  • Page 42 Use to set the next hop attribute of a route that matches a route map. You can specify an IPv6 address or an interface as the next hop. Example host1(config-route-map)#set ipv6 next-hop 1::1
  • Page 43 If the route map contains both a set metric-type and a set metric clause, the set metric clause takes precedence. If you specify the internal metric type in a BGP outbound route map, BGP sets the MED of the advertised
  • Page 44 (QoS). Example host1(config-route-map)#set route-class 50 Use the no version to delete the set clause from a route map. See set route-class.
  • Page 45: Match Policy Lists

    4. As in route maps, the match clauses in match policy lists contain permit and deny statements. When you reference a match policy list within a route map, the route map
  • Page 46: Access Lists

    If the first match is for a deny condition, the route is rejected or blocked. The order of conditions is critical because testing stops with the first match. If no conditions match, the router rejects or blocks the address; that is, the last action of any list is an implicit
  • Page 47: Configuration Example 1

    2 internal routes). host1#show isis database detail l2 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL 0000.0000.6666.00-00 0x000002B7 0x3E1F 1198 0/0/0 Area Address: 47.0005.80FF.F800.0000.0001.0001
  • Page 48: Configuration Example 3

    For a full discussion of regular expressions, with examples of how to use them, see “Using Regular Expressions” on page 42.
  • Page 49: Configuration Example 1

    10.2.8.2 remote-as 11 host1(config-router)#neighbor 10.2.8.2 filter-list 2 in host1(config-router)#neighbor 10.2.7.2 remote-as 435 host1(config-router)#neighbor 10.2.7.2 filter-list 3 out host1(config-router)#exit host1(config)#ip as-path access-list 1 deny ^11 host1(config)#ip as-path access-list 1 permit .* host1(config)#ip as-path access-list 2 deny ^621
  • Page 50: Using Access Lists In A Route Map

    74. When these routes are advertised through AS 837 and AS 32 to router Chicago, instance 1 of route map 2 matches such routes and sets their weight to 175, overriding the neighbor weight set for updates received from 10.5.5.2. The following example configures router Chicago:
  • Page 51 Use the log keyword to log an Info event in the ipAccessList log whenever an access list rule is matched. Example host1(config)#access-list bronze permit ip host any 228.0.0.0 0.0.0.255
  • Page 52 Use to define an IPv6 access list to permit or deny routes based on the prefix. Each access list is a set of permit or deny conditions for routes based on matching a route's prefix.
  • Page 53 AS-path access list. Access list values can be in the range 0–65535. Example host1:vr1(config-router)#neighbor group2 filter-list list2 out Use the no version to disassociate the access list from a neighbor. See neighbor filter-list. neighbor prefix-list
  • Page 54 Use to redistribute routes from one routing domain to another routing domain. Example host1(config)#router bgp 100 host1(config-router)#neighbor 192.56.10.2 remote-as 200 host1(config-router)#redistribute static host1(config-router)#exit host1(config)#ip route 155.30.0.0 0.0.255.255 Use the no version to end redistribution of information. See redistribute.
  • Page 55: Using Access Lists For PIM Join Filters

    This interface (and any other PIM interface to which you do not specifically assign an access list filter) uses the default (bronze) join filter. Enable PIM sparse mode on another subinterface and assign the silver join filter. host1(config-if)#interface atm 3/0.102
  • Page 56: Clearing Access List Counters

    Use these commands when triggering on the policy values listed in Table 3 on page 30. Table 3: Match and Set Policy Values Match ip address metric metric distance
  • Page 57 Use to filter static routes before adding them to the routing table. Example 1 host1(config)#ip static-route table-map map3 Example 2 host1(config)#ipv6 static-route table-map map4 Use the no version to delete the table map. See ip static-route table-map. See ipv6 static-route table-map.
  • Page 58: Using The Null Interface

    Unlike access lists, the prefix list specifies a base IP or IPv6 address and a length (the number of bits applied to the base to determine the network prefix). The tested address is matched against the prefix.
  • Page 59: Using A Prefix List

    Use the ge and le keywords to specify a range of network prefixes. These keywords have the following values: prefix length < ge <= 32 prefix length < le <= ge If you do not specify either the ge or le keyword, an exact match is expected.
  • Page 60 Example host1(config-route-map)#match ip next-hop prefix-list abc Use the no version to delete the match clause from a route map or a specified value from the match clause. See match ip next-hop. match ipv6 next-hop
  • Page 61: Prefix Trees

    Use to clear all hit counts in the prefix trees or the specified entry from the specified prefix tree. (The router increments the hit count by 1 each time an entry matches.) Example host1#clear ip prefix-tree xyz There is no no version. See clear ip prefix-tree.
  • Page 62 Example host1(config-route-map)#match-set summary prefix-tree dog3 Use the no version to disable use of the prefix tree by the route map. See match-set summary prefix-tree.
  • Page 63: Community Lists

    By default, the community attribute is not sent to BGP peers. To send the community attribute to a neighbor, use the neighbor send-community command.
  • Page 64: Figure 5: Community Lists

    10.2.2.4 route-map commtrc out host1(config-router)#exit host1(config)#route-map commtrc permit 1 host1(config-route-map)#match community 1 host1(config-route-map)#set metric 20 host1(config-route-map)#exit host1(config)#route-map commtrc permit 2 host1(config-route-map)#match community 2 host1(config-route-map)#set metric 75 host1(config-route-map)#exit host1(config)#route-map commtrc permit 3 host1(config-route-map)#match community 3 host1(config-route-map)#set metric 85
  • Page 65 Use to specify that a community attribute be sent to a BGP neighbor. If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group inherit the characteristic configured with this command. Example
  • Page 66: Extended Community Lists

    A BGP device can append the extended community attribute to a route that does not have the attribute before it advertises the route. For routes that do have the attribute, BGP can modify the attribute. ip extcommunity-list
  • Page 67 Use to set the extended community attributes in a route map for BGP updates. Use the rt keyword to specify a route target community, which consists of one or more routers that can receive a set of routes advertised by BGP that carry the extended community attribute.
  • Page 68: Using Regular Expressions

    The following commands apply access list 1 to routes inbound from BGP peer 10.5.5.2. Access list 1 uses a regular expression to deny routes that originate in autonomous system host1(config-router)#neighbor 10.5.5.2 remote-as 32 host1(config-router)#neighbor 10.5.5.2 filter-list 1 in host1(config-router)#exit host1(config)#ip as-path access-list 1 deny 32$
  • Page 69: Community Lists

    Matches zero or more sequences of the immediately previous character or pattern. Matches one or more sequences of the immediately previous character or pattern. Matches zero or one sequence of the immediately previous character or pattern.
  • Page 70: Using Metacharacters As Literal Tokens

    Table 6 on page 45 lists some representative regular expressions that you might use in an AS-path access list or community list, along with sample attribute values that match or do not match the regular expression.
  • Page 71: Table 6: Sample Regular Expressions

    Includes a sequence that has a numeral 1373737 29 44 37137 78 1 immediately followed by one or more 137 42 21 instances of the pattern 37 but not 4 372 2121 37 5 1 456 881
  • Page 72 3 41 19 41 19 532 101 102 | 103 105 Includes either sequence 101 102 or 43 101 102 5103 105 22 sequence 103 105 but not 19 102 101102 103
  • Page 73: Managing The Routing Table

    Global Configuration mode. You can specify different levels of severity for ipRoutePolicy. For more information about using log commands for troubleshooting, see Managing the System in JunosE System Basics Configuration Guide.
  • Page 74: Monitoring Routing Policy

    Use the detail keyword to display the automatically assigned element ID for each access list entry. Only rules that you explicitly create have element IDs. Example 1 host1#show access-list IP Access List 1: permit ip host 172.31.192.217 any permit ip 12.40.0.0 0.0.0.3 any
  • Page 75 Display varies based on whether you issued the ip bgp community new-format command. Example 1—If you did not issue the ip bgp community new-format command, the display appears as follows: host1#show ip community-list Community List 1: permit 81200109 permit 81200110 permit 81200108 Community List 2:
  • Page 76 Use the summary keyword to display abbreviated information about prefix lists. Example 1 host1#show ip prefix-list Prefix-list with the last deletion/insertion: def ip prefix-list name abc: 4 entries seq 5 permit 192.168.0.0/16 le 24
  • Page 77 1 See show ip prefix-tree. show ip protocols Use to display detailed information about the protocols currently configured on the router. Use the summary keyword to display only a list of the configured protocols.
  • Page 78 Use to display configured route redistribution policy. Field descriptions To—Protocol into which routes are distributed From—Protocol from which routes are distributed status—Redistribution status route map number—Number of the route map Example
  • Page 79 O- OSPF, E1- external type 1, E2- external type2, N1- NSSA external type1, N2- NSSA external type2 Prefix/Length Type Next Hop Dist/Met Intf ------------- ---- -------- -------- ------ 10.10.0.112/32 Static 192.168.1.1 fastEthernet0/0
  • Page 80 Field descriptions IP address—Address that is reachable through the interface
  • Page 81 Met—Number of hops Dist—Administrative distance or weight assigned to the route Tag—Tag value assigned to the route Intf—Interface type and interface specifier Example host1#show ip static Prefix/Length Next Hop: Met: Dist: Tag: Intf: 10.2.0.0/24 192.168.1.1 ethernet6/0
  • Page 82 IP Statistics Route:
  • Page 83 (ping) packets sent echo rpy—Number of echo replies sent
  • Page 84 TCP Global Statistics Sent:
  • Page 85 0 chksum err pkts, 0 authentication err pkts, 0 bad offset 0 short pkts, 0 duplicate pkts, 0 out of order pkts Sent: 82318 total pkts, 44381 data pkts, 656321 bytes 34 retransmitted pkts, 487 retransmitted bytes OSPF Statistics: IGMP Statistics:
  • Page 86 Example host1(config)#route-map 1 permit 10 host1(config-route-map)#match community 44 host1(config-route-map)#set local-pref 400 host1(config-route-map)#exit host1(config)#exit host1#show route-map 1 route-map 1, permit, sequence 10 Match clauses: match community 44 Set clauses: set local-pref 400 See show route-map.
  • Page 87: Configuring NAT

    Network Address Translation (NAT) helps address these challenges by allowing the conservation of registered IP addresses within private networks and simplifying IP addressing management tasks through a form of transparent routing.
  • Page 88: Platform Considerations

    For more information about NAT, consult the following resources: RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations (August 1999); RFC 2694, DNS extensions to Network Address Translators (DNS_ALG) (September 1999); RFC 2993, Architecture Implications of NAT (November 2000).
  • Page 89: NAT Configurations

    TCP or UDP port number, or the ICMP query identifier) and places the mapping into the translation table (this entry is called an extended translation). This method can translate the addresses and transport identifiers of many private hosts into a few external
  • Page 90: Bidirectional NAT

    The terms inside and outside refer to the host that the address is associated with. The terms local and global refer to the network on which the address appears.
  • Page 91: Configuring NAT

    (or address/port) into the inside local address (or address/port), or the packet is not routed into the inside network. NOTE: Dynamic inside source translations are established by outbound traffic. You use inside source translation in traditional and bidirectional NAT configurations.
  • Page 92: Outside Source Translation

    Order of Operations This section describes the order of operations for both inside-to-outside and outside-to-inside translation. Inside-to-Outside Translation Inside-to-outside translation occurs in the following order:
  • Page 93: Outside-To-Inside Translation

    GRE flows. When configured, the following types of translations are supported for GRE and PPTP tunnels: Inside source static simple translations (inbound and outbound) Outside source static simple translations (inbound and outbound)
  • Page 94: Packet Discard Rules

    Use to specify a NAT license. Purchase a NAT license to allow NAT configuration on the ERX router. NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative. Example host1(config)#license nat license-value...
  • Page 95: Limiting Translation Entries

    Use the keyword (inside or outside) to specify the side of the network on which the interface resides. Example host1(config-if)#ip nat inside Use the no version to unmark the interface (the default) so that it does not participate in NAT translation. See ip nat.
  • Page 96: Defining Static Address Translations

    (config)#ip nat inside source static tcp 10.1.2.3 15 171.69.68.10 30 Use the no version to remove the static translation and purge the associated translations from the translation table. See ip nat inside source static.
  • Page 97: Creating Static Outside Source Translations

    Define an address pool from which the NAT router obtains addresses. Define inside and outside source translation rules for the NAT router to create NAT translations. Mark interfaces as inside or outside. (Optional) Modify any translation timeout values.
  • Page 98: Creating Access List Rules

    However, when you create multiple, nonoverlapping ranges, you omit the optional starting and ending IP addresses in the root ip nat pool command; this launches the IP NAT Pool Configuration (config-ipnat-pool) mode.
  • Page 99: Defining Dynamic Translation Rules

    (config-ipnat-pool)#exit Use the no version to remove the address range. See ip nat pool. Defining Dynamic Translation Rules You can use the CLI to define dynamic translation rules for inside and outside sources.
  • Page 100: Creating Dynamic Inside Source Translation Rules

    (resulting from the rule evaluation) from the translation table. To remove active translations from the translation table, see “Clearing Dynamic Translations” on page 76. ip nat inside source list
  • Page 101: Creating Dynamic Outside Source Translation Rules

    DNS but not yet used; as soon as the translation is used, the router applies the timeout value mentioned above. udp-timeout—UDP protocol extended translations; default is 300 seconds (5 minutes).
  • Page 102: Clearing Dynamic Translations

    GRE, ICMP, TCP, or UDP translations for the specified global IP address and local IP address. Example 1—Clear all dynamic translations host1#clear ip nat translation *
  • Page 103: NAT Configuration Examples

    To configure this example: Enter the correct virtual router context. host1(config)#virtual-router blue Mark the inside interfaces. a. Mark the field office: host1:blue(config)#interface serial 2/1:1/1 host1:blue(config-interface)#ip nat inside host1:blue(config-interface)#exit b. Mark the two corporate T-3 links:
  • Page 104: Bidirectional NAT Example

    DNS server that resides on the inside network. The inside realm uses basic NAT. The inside network uses a mix of private subnetwork address space (192.168.22/24) and registered public addresses.
  • Page 105: Figure 7: Bidirectional NAT Example

    Configure a null route for the inside global addresses, to prevent routing loops when no matching translation exists. host1:blue(config)#ip route 192.32.6.0 255.255.255.192 null 0 NOTE: Null route applies to 192.32.6.0 and 192.32.6.1, which do not exist in the address pool.
  • Page 106: Twice NAT Example

    12.220.1.0 12.220.255.255 prefix-length NOTE: This pool is purposely smaller than the size of the company network because not all private hosts are likely to access the public network at the same time.
  • Page 107: Cross-VRF Example

    NAT implementation is both VR and VRF aware. Figure 9 on page 82 illustrates how the subscriber interface feature of the router is used in conjunction with NAT to connect the VPNs to the public network.
  • Page 108: Figure 9: Cross-VRF Example

    10.16.5.0 0.0.0.255 Create the dynamic translation rule. host1:vr1:vrf11(config)#ip nat inside source list entA pool entApool Create the subscriber interface off the uplink. host1:vr1:vrf11(config)#interface ip vrf11vr1 host1:vr1:vrf11(config-interface)#ip share-interface atm 12/0.101 host1:vr1:vrf11(config-interface)#ip unnumbered loopback 1
  • Page 109: Tunnel Configuration Through NAT Examples

    13.1.2.3 20.0.0.1 The PPTP client initiates its tunnels to the server at 11.11.11.1. The E Series router translates the SA from inside local 13.1.2.3 to inside global SA 20.0.0.1. Because GRE traffic can pass
  • Page 110: Clients On An Outside Network

    GRE tunnel, they are again sent through the tunnel server module where an outer header is prepended to the packet and the packet is then sent to the appropriate GRE tunnel.
  • Page 111: Monitoring NAT

    Current—Current number of dynamic translations of the associated translation type Peak—Peak number of dynamic translations of the associated translation type Accumulated—Accumulated number of dynamic translations of the associated type; this value reflects the accumulation of dynamic translations since the last router reboot operation
  • Page 112 Bytes received on inside interface and forwarded directly forwarded through translator 5141098074 Packets received on outside interface and forwarded directly forwarded through translator 1031624 discarded discarded by translator 578961 Bytes received on outside interface and forwarded directly
  • Page 113: Displaying Translation Entries

    Time since last use—Amount of time elapsed since the translation entry was used Example 1 host1#show ip nat translations Prot Inside local Inside global Outside global Outside local ---- ------------- -------------- -------------- --------------- 13.1.2.1:* 20.0.0.1:* ICMP 13.1.2.2:4 20.0.0.2:4 13.1.2.3:20 20.0.0.3:50
  • Page 114: Displaying Address Pool Information

    (mask and address ranges) of all address pools, unless you supply a specific pool name. show ip nat pool Use to display NAT address pool information. Field descriptions pool—Name of the address pool netmask—Network prefix associated with the NAT address pool
  • Page 115: Displaying Inside And Outside Rule Settings

    See show ip nat inside rule.
    show ip nat outside rule
  • Page 116

    Example
    host1#show ip nat outside rule
    access list name: list4
    pool name: poolD
    rule type: outside source
    See show ip nat outside rule.
  • Page 117: Chapter 3 Configuring J-Flow Statistics

    This means, for example, that if a packet uses the address of an output interface or next-hop value altered by a policy setting, the system records the altered value in the flow record.
  • Page 118: Aggregation Caches

    Main Flow Cache Contents
    The following 7-tuple distinguishes an entry in the flow cache for a VR:
    Source IP address (SA)
    Destination IP address (DA)
    Source port number (SP)
    Destination port number (DP)
    Layer 3 protocol type
  • Page 119: Configuring J-Flow Statistics

    The inactive timer removes flows if they do not contain any data traffic for a specified period of time.
    Operation with NAT
    When functioning with Network Address Translation (NAT), J-Flow sampling occurs before NAT applies any translation.
  • Page 120: Operation With High Availability

    (Optional) Define the sampling interval at which you want to collect statistics.
    (Optional) Customize the size of the main flow cache.
    (Optional) Define flow cache aging timers.
    (Optional) Specify to where you want to export J-Flow statistics.
  • Page 121: Enabling Flow-Based Statistics

    The sampling interval specifies the rate at which the virtual router samples J-Flow information. This rate is used for all interfaces that have J-Flow enabled. After you enable J-Flow on an interface, the virtual router samples one packet
  • Page 122

    IOA on E120 routers and E320 routers, see “Defining a Sampling Interval” on page 95.
    Example—Samples 1 out of 50 packets from the line module on which the interface resides
    host1(config)#ip flow-sampling-mode packet-interval 50
  • Page 123: Setting Cache Size

    Use the ip flow-cache timeout inactive command to specify a value for the inactivity timer. The inactivity timer measures the length of time expired since the virtual router recorded the last datagram for a given flow. When this timer expires, the virtual router
  • Page 124: Specifying Flow Export

    The commands to configure the minimum mask size for the source and destination address are issued in Flow Cache Configuration mode and are specific to each aggregation cache:
    host1(config-flow-cache)#mask source minimum value
    host1(config-flow-cache)#mask destination minimum value
  • Page 125

    Use to set the number of entries in the aggregation cache.
    Example
  • Page 126

    Use the no version to remove the destination.
    See export source.
    ip flow-aggregation cache
    Use to create an aggregation cache.
    Example
    host1(config)#ip flow-aggregation cache
    Use the no version to remove the aggregation cache and its configuration.
    See ip flow-aggregation cache.
  • Page 127: Monitoring J-Flow Statistics

    See clear ip flow stats.
    J-Flow show Commands
    You can monitor the following aspects of J-Flow statistics by using the following commands:
    To Display                              Command
    Main cache flow operational statistics  show ip cache flow
  • Page 128

    Dst. Addr—Destination address of sampled packets
    Dst. Intf—Destination interface of sampled packets
    Summary
    Total Flows Processed—Total number of flows processed
    Total Packets—Total number of packets sampled
    Total Bytes—Total number of bytes received
    Example 1—Brief output
  • Page 129

    NOTE: The output format for this command was modified slightly to fit within the confines of this document.
    host1# show ip cache flow active detail
    Main Cache
    Max Entries: 65536
    Activity Timeout: 60 mins.
    Inactivity Timeout: 600 secs.
    Cache Enabled
    32012 packets sampled.
  • Page 130

    35604 packets sampled.
    Distribution of IP packets by size.
    Size        Percent
    ----------  -------
    1 - 32      0.000
    0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
  • Page 131

    Flows/Sec—Number of flows per second
    Packets/Flow—Number of packets per flow
    Bytes/Packet—Number of bytes per packet
    Packets/Sec—Number of packets per second
    Src. Addr—Source address of sampled packets
    Src. Intf—Source interface of sampled packets
    Dst. Addr—Destination address of sampled packets
  • Page 132

    Use to display configuration values for IP flow cache sampling.
    Example
    host1#show ip flow sampling
    Flow sampling is enabled
    'Packet Interval' sampling mode is configured.
    1 out of every 1000 packets is being sampled.
    See show ip flow.
  • Page 133: Configuring Bfd

    BFD poll bit to detect path activity. You can also configure a BFD session with a BGP neighbor or peer group to determine relatively quickly whether the neighbor or peer group is reachable. For information about
  • Page 134: How Bfd Works

    BFD session to the remote peer. Each pair of peers negotiates acceptable transmit and receive intervals for BFD packets. These values can be different on each peer.
  • Page 135: Configuring Bfd

    A declares the BFD session to be down. Similarly, if Router B fails to receive a BFD packet from Router A within 900 milliseconds, Router B declares the BFD session to be down. In either case, all routes learned from the failed peer are purged immediately.
  • Page 136: Bfd Platform Considerations

    BFD timer range for each routing protocol is extended from a minimum of 100 ms to 10 ms.
    BFD References
    For information about BFD, see the following:
    BFD for IPv4 and IPv6 (Single Hop)—draft-ietf-bfd-v4v6-1hop-00.txt (January 2005 expiration)
    Bidirectional Forwarding Detection—draft-ietf-bfd-base-00.txt (January 2005 expiration)
  • Page 137: Configuring A Bfd License

    Use to specify a BFD license. Purchase a BFD license to allow BFD configuration on the E Series router.
    NOTE: Acquire the BFD license from Juniper Networks Customer Service or your Juniper Networks sales representative.
    Example
    host1(config)#license bfd license-value
    Use the no version to disable the license.
  • Page 138: Configuring Bfd

    Enabling BFD adaptive timers avoids BFD session flaps that might occur because of misconfiguration or other errors. When enabled, BFD attempts to adapt timer intervals on the router by making them less restrictive and increasing the survival chances for the session.
  • Page 139: Clearing Bfd Sessions

    Use the address keyword to indicate the IPv4 address of the destination to which the session has been established. Use the discriminator keyword to clear the BFD session associated with the unique system-wide identifier.
    Example 1
  • Page 140: Monitoring Bfd

    This section lists the system event logs associated with the BFD protocol and describes the show commands you can use to view BFD-related information.
    System Event Logs
    To troubleshoot and monitor BFD, use the following system event logs:
    bfdGeneral
    bfdSession
    bfdEvents
    bgpConnections
    isisBfdEvents
    ospfEvents
  • Page 141: Viewing Bfd Information

    Detect/Detection Time—Time (in seconds) taken to declare the remote interface down when no packets are received from that interface
    Local discriminator—Value used to identify the session at the local end
    Remote discriminator—Value used to identify the session at the remote end
  • Page 142

    Min async interval—Minimum interval (in seconds) between packets sent when in asynchronous mode
    min slow interval—Minimum interval (in seconds) between packets when the remote end is first being detected
  • Page 143

    Local: min tx interval 0.3, min rx interval 0.3, multiplier 3
    (Adapted) min tx interval 0, min rx interval 0, multiplier 4
    Remote: min tx interval 0.3, min rx interval 0.3, multiplier 3
    Local diagnostic: None, Remote diagnostic: None
  • Page 144

    JunosE 11.3.x IP Services Configuration Guide
    Remote heard, hears us
    Min async interval 0.3, min slow interval 0.3
    Echo mode disabled/inactive
    1 Client:
    Client OSPFv3, desired tx: 0.3, required rx: 0.3, multiplier 3
    See show bfd session.
  • Page 145: Configuring Ipsec

    Table 8 on page 119 describes terms and abbreviations that are used in this discussion of IPSec.
    Table 8: IPSec Terms and Abbreviations
    Term or Abbreviation  Description
    3DES                  Triple DES encryption/decryption algorithm
    AH                    Authentication header. Provides authentication of the sender and of data integrity.
  • Page 146

    In the context of a secure interface, the clear traffic forwarded to the interface (either by policy or by routing) that is typically secured according to the security parameters set for that interface.
    PFS                   Perfect forward secrecy
    RSA                   Rivest-Shamir-Adleman encryption algorithm
  • Page 147: Configuring Ipsec

    RFC 2404—The Use of HMAC-SHA-1-96 within ESP and AH (November 1998)
    RFC 2405—The ESP DES-CBC Cipher Algorithm With Explicit IV (November 1998)
    RFC 2406—IP Encapsulating Security Payload (ESP) (November 1998)
    RFC 2407—The Internet IP Security Domain of Interpretation for ISAKMP (November 1998)
  • Page 148: Ipsec Concepts

    IP interfaces. Secure tunnels carry only IP traffic. A secure IP interface is a layer 3 entity; that is, an IP interface mapped on top of a secure tunnel that inherits all security associated with it.
  • Page 149: Rfc 2401 Compliance

    The layers where the data can be encrypted are shown in gray.
    Figure 12: IPSec Tunneling Stack
    Figure 13 on page 124 shows the packet encapsulation for IPSec tunneling.
  • Page 150: Security Parameters

    Figure 14 on page 125 shows the relationships of the various security parameters to the IPSec security interface. The following sections discuss each parameter in detail.
  • Page 151: Manual Versus Signaled Interfaces

    Secure IP interface parameters can be required, optional, or not applicable, depending on whether the interface is manual or signaled. Table 10 on page 126 presents how the other security parameters fit with manual and signaled interfaces.
  • Page 152: Operational Virtual Router

    See “Transport VR Definitions with an FQDN” on page 127 in this section. The tunnel source IP address must be one of the local IP addresses configured on the router. The tunnel destination address must be a routable IP address within the transport VR routing tables.
  • Page 153

    With digital certificates, the two sides of the tunnel must use the same identity format, with or without the user@ specification; no stripping operation and no second search occurs.
    NOTE: The E Series router does not support FQDN-to-IP address resolution by DNS.
  • Page 154: Perfect Forward Secrecy

    SAs ignore this parameter. You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime. To set the tunnel lifetime, use the tunnel lifetime command.
  • Page 155: Inbound And Outbound Sas

    Transform sets are used during user SA negotiation to find common agreement between the local and the remote security gateway on how to protect that specific data flow.
  • Page 156: Table 11: Supported Transforms

    IPSec performs AH protocol encapsulation using the SHA-1 hash function with HMAC message authentication. SHA-1 is considered stronger than MD5.
    ESP-MD5
    IPSec performs ESP protocol encapsulation using the MD5 hash function with HMAC message authentication.
  • Page 157: Table 12: Supported Security Transform Combinations

    AH-HMAC-SHA
    ESP-HMAC-MD5
    ESP-HMAC-SHA
    Data confidentiality only
    ESP-DES
    ESP-3DES
    Data authentication and confidentiality
    ESP-DES-MD5
    ESP-DES-SHA
    ESP-3DES-MD5
    ESP-3DES-SHA
    The ISM does not support both the ESP and AH encapsulation modes concurrently on the same secure tunnel.
  • Page 158: Other Security Features

    ESP security options on a per-tunnel (per-SA) basis
    Tunnel mode
    AH Processing
    The router supports AH encapsulation as defined in RFC 2402. Specifically, the router supports:
    HMAC-SHA and HMAC-MD5 authentication algorithms
    AH authentication options on a per-tunnel (per-SA) basis
  • Page 159: Ipsec Maximums Supported

    DPD and with IKE SA negotiation. The tunnel failover feature provides an alternate tunnel destination when DPD detects that the current destination is unreachable or when IKE SA set up is unsuccessful. During failover, the IPSec tunnel switches to the
  • Page 160: Ike Overview

    The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are:
    Main mode
    Protects the identities of the peers during negotiations and is therefore more secure.
    Enables greater proposal flexibility than aggressive mode.
  • Page 161: Aggressive Mode Negotiations

    None  Main mode
    Main Mode  Main mode
    The router responds to phase 1 negotiations with the highest-priority policy rule that matches the initiator. A match means that all parameters, including the exchange type, match.
  • Page 162: Ike Policies

    A specific hash function can be applied to an IKE policy. The supported ones are:
    SHA-1
    IKE also uses an authentication algorithm during IKE exchanges. This authentication algorithm is automatically set to the HMAC version of the specified hash algorithm.
  • Page 163: Authentication Mode

    As the responder of an IKE negotiation, the router receives all IKE policies from a remote security gateway. The router then scans its own list of IKE policies to determine whether a match exists, starting from the highest priority. If it finds a match, that policy is
  • Page 164: Generating Private And Public Key Pairs

    ERX router. However, you can purchase licenses that support the following IPSec tunnel maximums:
    1000
    2000
    4000
    8000
    16,000
    32,000
    The number of additional tunnels is independent of the number of ISMs installed in the router. However, the router chassis enforces the following tunnel limits:
  • Page 165: Configuring Ipsec Parameters

    SRP 10G – 10,000
    SRP 40G – 20,000
    license ipsec-tunnels
    Use to specify an IPSec tunnel license.
    NOTE: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.
    Example
    host1(config)#license ipsec-tunnels license string
    Use the no version to disable the license.
  • Page 166

    Example 1
    host1(config)#ipsec lifetime kilobytes 42000000
    Example 2
    host1(config)#ipsec lifetime seconds 8600
    Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).
    See ipsec lifetime.
    ipsec local-endpoint
  • Page 167

    Example 1
    host1(config-manual-key)#key dj5fe23owi8er49fdsa
    Example 2
    host1(config-manual-key)#key "my key with spaces"
    There is no no version. To delete a key, use the no version of the ipsec key manual command.
    See key.
    masked-key
  • Page 168: Creating An Ipsec Tunnel

    10.3.0.0 255.255.0.0
    Specify an existing interface address that the tunnel uses as its source address.
    host1:vrA(config-if)#tunnel source 5.1.0.1
    Specify the address or identity of the tunnel destination endpoint.
    host1:vrA(config-if)#tunnel destination identity branch245.customer77.isp.net
  • Page 169

    For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the remote tunnel endpoint, which does not have a fixed IP address. The identity string can include an optional user@ specification preceding the FQDN.
    Example 1
    host1(config-if)#tunnel destination 10.10.11.12
    Example 2
  • Page 170

    Example 2
    host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0
    Use the no version to restore the default identity, which is subnet 0.0.0.0 0.0.0.0.
    See tunnel local-identity.
    tunnel mtu
    Use to set the MTU size for the tunnel.
    Example
  • Page 171

    Use the online Help to see a list of available algorithm sets. Each key is an arbitrary hexadecimal string. If the algorithm set includes:
    DES, create an 8-byte key using 16 hexadecimal characters
    3DES, create a 24-byte key using 48 hexadecimal characters
  • Page 172

    ISAKMP/IKE to negotiate SAs and to establish keys
    manual—Specifies that security parameters and keys are configured manually
    Example
    host1(config-if)#tunnel signaling manual
    Use the no version to restore the default value, isakmp.
    See tunnel signaling.
    tunnel source
  • Page 173: Configuring Dpd And Ipsec Tunnel Failover

    Create an IPSec tunnel, and specify the transport VR.
    host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
    host1:vrA(config-if)#
    Specify the address or identity of the tunnel destination backup endpoint.
    host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net
    ipsec option dpd
  • Page 174: Defining An Ike Policy

    Use the no version to restore the default in which the regular tunnel destination is also the backup tunnel destination.
    See tunnel destination backup.
    Defining an IKE Policy
    IKE policies define parameters that the router uses during IKE phase 1 negotiation. To create an IKE policy:
    host1(config)#ipsec ike-policy-rule 3
  • Page 175

    Use to specify the authentication method the router uses in the IKE policy: preshared keys or RSA signature.
    Example
    host1(config-ike-policy)#authentication pre-share
    Use the no version to restore the default, preshared keys.
    See authentication.
  • Page 176

    Use the no version to restore the default, sha.
    See hash.
    ipsec ike-policy-rule
    ipsec isakmp-policy-rule
    NOTE: The ipsec ike-policy-rule command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
  • Page 177: Refreshing Sas

    To reinitialize SAs on tunnels that are in a specific state, use the state keyword. To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword.
    Example
    host1(config)#ipsec clear sa all phase 2
    There is no no version.
    See ipsec clear sa.
  • Page 178: Enabling Notification Of Invalid Cookies

    Configuration Notes
    Both the local and remote identities shown in these examples serve two purposes: They identify multiple IPSec tunnels between the same endpoints.
  • Page 179: Figure 15: Customer A's Corporate Frame Relay Network

    To configure the connections as shown in Figure 16 on page 153:
    On each ERX router, create a protection suite that provides 3DES encryption with SHA-1 authentication on every packet.
    erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
    erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
  • Page 180

    Ottawa and another to carry the traffic between Boca and Boston:
    Tunnel 1:
    erx2(config)#interface tunnel ipsec:Aboca2ottawa
    erx2(config-if)#tunnel transform-set customerAprotection
    erx2(config-if)#tunnel local-identity subnet 200.2.0.0 255.255.0.0
    erx2(config-if)#tunnel peer-identity subnet 200.1.0.0 255.255.0.0
    erx2(config-if)#tunnel source 100.2.0.1
    erx2(config-if)#tunnel destination 100.1.0.1
  • Page 181

    1, except that a different VR domain is possible. Another solution, as described in this example, simply duplicates the endpoints for the transport VR. This example assumes that the transport VR is the default VR.
  • Page 182: Figure 17: Connecting Customers Who Use Similar Address Schemes

    5.3.0.1
    erx1(config-manual-key)#key customerASecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 5.2.0.2
    erx1(config-manual-key)#key customerBSecret
    erx1(config-manual-key)#exit
    erx1(config)#ipsec key manual pre-share 5.3.0.2
    erx1(config-manual-key)#key customerBSecret
    erx1(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.1.0.1
    erx2(config-manual-key)#key customerASecret
    erx2(config-manual-key)#exit
    erx2(config)#ipsec key manual pre-share 5.3.0.1
  • Page 183

    10.1.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx1:vrA(config-if)#tunnel source 5.1.0.1
    erx1:vrA(config-if)#tunnel destination 5.2.0.1
    erx1:vrA(config-if)#ip address 10.2.0.0 255.255.0.0
    erx1:vrA(config-if)#exit
    Virtual router B:
    erx1(config)#virtual-router vrB
    erx1:vrB(config)#
  • Page 184

    10.2.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#tunnel source 5.2.0.1
    erx2:vrA(config-if)#tunnel destination 5.3.0.1
    erx2:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
    erx2:vrA(config-if)#exit
    Virtual router B:
    erx2(config)#virtual-router vrB
    erx2:vrB(config)#
  • Page 185

    10.3.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel peer-identity subnet 10.2.0.0 255.255.0.0
    erx3:vrA(config-if)#tunnel source 5.3.0.1
    erx3:vrA(config-if)#tunnel destination 5.2.0.1
    erx3:vrA(config-if)#ip address 10.1.0.0 255.255.0.0
    erx3:vrA(config-if)#exit
    Virtual router B:
    erx3(config)#virtual-router vrB
    erx3:vrB(config)#
    Tunnel from Boston to Ottawa on virtual router B:
  • Page 186: Monitoring Ipsec

    To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.
    show ipsec ike-policy-rule
    show ike policy-rule
    NOTE: The show ipsec ike-policy-rule command replaces the show ipsec isakmp-policy-rule command, which may be removed completely in a future release.
  • Page 187

    NOTE: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.
    Use to display IKE phase 1 SAs running on the router.
    Field descriptions
  • Page 188

    195.0.1.100:500  195.0.1.200:500  1687  DONE  0xacf3acd1b3555b6a  0x0af9edbc95622869
    195.0.2.100:500  195.0.2.200:500  1688  DONE  0x3153379b32d8c936  0x17f5d77f9badc3cf
    195.0.2.100:500  195.0.2.200:500  1688  DONE  0x6573dcbc9bf31fae  0x7af8b4d13078b463
    195.0.3.100:500  195.0.3.200:500  1685  DONE  0xdc7df648fcac375a  0x0346752d2881d5c5
    195.0.3.100:500  195.0.3.200:500  1685  DONE  0xe776e9ffb6678635  0x8de857af1c681874
    195.0.4.100:500  195.0.4.200:500  1690  DONE  0x16410d890500e94e  0xbd47831b55e81c27
  • Page 189

    : enabled
    TX Invalid Cookie : disabled
    See show ipsec option.
    show ipsec transform-set
    Use to display transform sets configured on the router. To display a specific transform set, include the transform set name.
  • Page 190

    Tunnel outbound spi/SA—SPI and SA in use on traffic sent to the tunnel (manual tunnels only)
    Tunnel inbound spi/SA—SPI and SA in use on traffic received from the tunnel (manual tunnels only)
    Tunnel lifetime seconds—Configured time-based lifetime in seconds
    Tunnel lifetime kilobytes—Configured traffic-based lifetime in kilobytes
  • Page 191

    InPadErrors—Number of packets received that had invalid values after the packet was decrypted
    OutUserPackets—Number of user packets sent
    OutUserOctets—Number of octets sent in user packets
    OutAccPackets—Number of encapsulated packets sent
    OutAccOctets—Number of octets sent in encapsulated packets
  • Page 192

    1024000KB, remaining 1023997KB
    Tunnel Statistics:
    InUserPackets
    InUserOctets 1920
    InAccPackets
    InAccOctets 2760
    InAuthErrors
    InReplayErrors
    InPolicyErrors
    InOtherRxErrors
    InDecryptErrors
    InPadErrors
    OutUserPackets
    OutUserOctets 1920
    OutAccPackets
    OutAccOctets 2760
    OutPolicyErrors
    OutOtherTxErrors
    See show ipsec tunnel.
    show ipsec tunnel summary
  • Page 193

    Use to display the IPSec license key configured on the router and the number of tunnels allowed on the router.
    Example
    host1#show license ipsec-tunnels
    ipsec-tunnels license is 'g1k23b23eb2j' which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards.
  • Page 194

    See show license.
  • Page 195: Chapter 6 Configuring Dynamic Ipsec Subscribers

    Dynamic Connection Setup
    Dynamic secure remote access subscribers initiate connections to the E Series router by establishing an IPSec phase 1 security association (SA; also known as an IKE SA or P1) with the router.
  • Page 196: Dynamic Connection Teardown

    2 SAs. Conversely, phase 1 SAs that are not recognized as dynamic are used only to negotiate phase 2 SAs for static tunnels.
    Licensing Requirements
    Each dynamic IPSec subscriber requires the use of two licenses:
    One B-RAS license
  • Page 197: Configuring Dynamic Ipsec Subscribers

    Phase 2 SA selectors for use in phase 2 SA exchanges
    IP profiles intended for users logging in using this profile (helping to bridge users from a given IPSec tunnel profile to an IP profile)
  • Page 198: Relocating Tunnel Interfaces

    For information about modules that support dynamic IPSec subscribers on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See IPSec Service support in ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 199: References

    Use the optional virtual-router keyword to specify the name of the virtual router on which you want to create the profile (if you do not specify a virtual router name, the profile is created on the context virtual router).
    Example
    host1(config)#ipsec tunnel profile tunnel1
    host1(config-ipsec-tunnel-profile)#
  • Page 200: Configuring Ipsec Tunnel Profiles

    Use to set the IKE local identity used for IKE security association (SA) negotiations.
    Example
    host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1
    Use the no version to remove the specified IKE local identity.
    See ike local-identity.
  • Page 201: Setting The Ike Peer Identity

    Appending a Domain Suffix to a Username
    The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user. However, to assist in connecting users to the correct AAA domain
  • Page 202: Overriding Ipsec Local And Peer Identities For Sa Negotiations

    (respectively).
    Example
    host1(config-ipsec-tunnel-profile)#peer ip identity address 10.227.1.2
    Use the no version to restore the default value, the internal IP address allocated for the subscriber.
    See peer ip identity.
  • Page 203: Specifying An Ip Profile For Ip Interface Instantiations

    192.2.52.12
    Use the no version to stop the router from monitoring UDP port 500 for user requests and remove any preshared key associations with the local IP address.
    See local ip address.
  • Page 204: Specifying Local Networks

    The re-authenticate keyword enables the reauthentication option (a subsequent authentication procedure). When this option is enabled, rekeying of IKE SAs uses the initial authentication protocol to reauthenticate the user. When this option is disabled,
  • Page 205: Specifying Ipsec Security Association Transforms

    119.
    transform
    Use to specify the eligible transforms for this profile for IPSec security association negotiations.
    Example
    host1(config-ipsec-tunnel-profile)#transform ah-hmac-md5
    Use the no version to reset the transform to the default, esp-3des-sha1.
    See transform.
  • Page 206: Specifying Ipsec Security Association Pfs And Dh Group Parameters

    IP address on a specific virtual router. When enabled, this limitation ensures that this policy rule is evaluated for IKE security association evaluations for only the specified IP address and virtual router.
  • Page 207: Defining Aggressive Mode For An Ike Policy Rule

    Use the accepted keyword to accept aggressive mode when proposed by peers.
    Use the requested keyword to request aggressive mode when negotiating with peers.
    Use the required keyword to only request and accept aggressive mode when negotiating with peers.
    Example
    host1(config-ike-policy)#aggressive-mode accepted
  • Page 208: Monitoring Ipsec Tunnel Profiles

    Peer IKE identity:
      IP network: not allowed
      username: *
      domain-name: spg.juniper.net
      DN: not allowed
    Maximum subscribers: no limit
    Domain suffix: @spg
    IP profile: ip-spg
    Local IPsec identity: subnet 0.0.0.0 0.0.0.0, proto 0, port 0
  • Page 209

    Login Time—Date, in YY/MM/DD format, and time the subscriber logged in
    Circuit Id—User's circuit ID value specified by PPPoE
    Remote Id—User's remote ID value specified by PPPoE
    Example
    host1#show subscribers
    Subscriber List
    ----------------
    Virtual
  • Page 210

    User Name                Interface
    -----------------------  --------------------------------
    xcfgUser1@vpn1           FastEthernet 5/2.4
    User Name                Login Time           Circuit Id
    -----------------------  -------------------  -------------------
    xcfgUser1@vpn1           06/05/12 10:58:42    0.4.1.10.fe.25.3b.0
    User Name                Remote Id
    -----------------------  ----------------
    xcfgUser1@vpn1           (800) 555-1212
    See show subscribers.
  • Page 211: Configuring Ancp

    It also enables the switch to inform the controller of asynchronous events such as a link going down. Deploying value-added services across digital subscriber line (DSL) access networks requires special attention to quality of service (QoS) and service control. This control
  • Page 212: Access Topology Discovery

    This type of replication wastes access bandwidth when multiple subscribers access network services using the same access node. The amount of multicast replication is based on the number of subscribers, rather than the number of access nodes. Copyright © 2010, Juniper Networks, Inc.
  • Page 213: Configuring Ancp

    See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router. See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers. Copyright © 2010, Juniper Networks, Inc.
  • Page 214: References

    L2C Neighbor Configuration mode to configure an ANCP neighbor. Use to launch the L2C Configuration (config-l2c) mode for ANCP. Example host1(config)#l2c host1(config-l2c)# Use the no version to remove all ANCP configurations. See l2c. Copyright © 2010, Juniper Networks, Inc.
  • Page 215: Defining The Ancp Session Timeout

    ANCP uses several interface-level configuration commands. These commands provide the ability to define GSMP input and output labels associated with the interface and specify the number of branches the ANCP end user can support. l2c end-user-id Copyright © 2010, Juniper Networks, Inc.
  • Page 216: Configuring Ancp Neighbors

    Use to create an ANCP neighbor and access the L2C Neighbor Configuration (config-l2c-neighbor) mode. Example host1(config-l2c)#neighbor ACCESS-NODE-1 host1(config-l2c-neighbor)# Use the no version to remove a specific ANCP neighbor configuration or, by omitting the neighbor name, all ANCP neighbor configurations. See neighbor. Copyright © 2010, Juniper Networks, Inc.
  • Page 217: Defining An Ancp Neighbor

    Use to specify the maximum number of discovery table entries a neighbor can have in the range 1–64000 entries. Example host1(l2c-neighbor)#max-discovery-table-entries 4000 Use the no version to return the maximum number of discovery table entries to its default value, 10,000 entries. See max-discovery-table-entries. Copyright © 2010, Juniper Networks, Inc.
  • Page 218: Clearing Ancp Neighbors

    ANCP. Issuing the clear l2c neighbor command removes all QoS parameter instances associated with the neighbor, including those associated with the QoS downstream rate and QoS cell mode applications. Copyright © 2010, Juniper Networks, Inc.
  • Page 219: Triggering Ancp Line Configuration

    Use to trigger a GSMP port management message to the access node. This message enables the B-RAS to configure a service profile name on an access loop. Example Copyright © 2010, Juniper Networks, Inc.
  • Page 220: Adjusting The Data Rate Reported By Ancp For Dsl Lines

    ANCP works with a special IGMP session to collect OIF mapping events in a scalable manner. For additional information about configuring IGMP and about OIF mapping, see Configuring IGMP in JunosE Multicast Routing Configuration Guide. Copyright © 2010, Juniper Networks, Inc.
  • Page 221: Creating An Igmp Session For Ancp

    For detailed information about creating OIF maps, see “Configuring Transactional Multicast for IGMP” on page 194. Configure an OIF map for the access node that maps each multicast group to an outgoing interface. Define ANCP parameters. Copyright © 2010, Juniper Networks, Inc.
  • Page 222: Complete Configuration Example

    2/0.102 host1(config-interface)#ip igmp version passive host1(config-interface)#l2c peer-attachment-id “ in_multicast_port_5” !Configure ANCP output labels, neighbor information, and apply OIF map host1(config)#interface atm 2/0.11 host1(config-interface)#ip igmp apply-oif-map OIFMAP host1(config-interface)#l2c end-user-id “ out_subscriber_port_6” neighbor ACCESS_NODE_1 Copyright © 2010, Juniper Networks, Inc.
  • Page 223: Triggering Ancp Oam

    0x503 : DSL line status showtime. DEFAULT RESPONSE There is no no version. See l2c oam. Monitoring ANCP You can display ANCP information with the following commands. show adjustment-factor Copyright © 2010, Juniper Networks, Inc.
  • Page 224 Qos adaptive mode—Whether QoS adaptive mode is enabled (true) or disabled (false) Wait-for-gsmp-syn—Whether learning is enabled or disabled gsmp-syn-timeout—Configured TCP session timeout (in seconds) Example host1#show l2c L2C: Current session timeout: 25 seconds Qos adaptive mode: false Copyright © 2010, Juniper Networks, Inc.
  • Page 225 Example 2—Topology discovery table for a particular end-user-id host1# show l2c discovery-table end-user-id "Accessnode_10 atm 2/3:0.0"Access-Loop-Id: Dslam_10 atm 2/3:0.0 Neighbor: ACCESSNODE_10 Actual-Data-Rate-Upstream: 1152(kbps) Actual-Data-Rate-Downstream: 8064(kbps) Attainable-Data-Rate-Upstream: 1176(kbps) Attainable-Data-Rate-Downstream: 9376(kbps) Line-State: 1(SHOWTIME) Dsl-Type: 0(Invalid transmission type) Total Line Attributes: 6 Copyright © 2010, Juniper Networks, Inc.
  • Page 226 Max-Branches—Maximum number of branches to which the ANCP interface can subscribe Peer-Attach-Id—Input label associated with the interface Example 1 host1# show l2c label Interface: ATM2/0.300 End-User-Id: Accessnode_10 atm2/2:0.0 Neighbor: accessnode _1002 Max-Branches: 5 Interface: ATM2/0.301 Copyright © 2010, Juniper Networks, Inc.
  • Page 227 Use the summary keyword to display the number of active neighbors. Field descriptions Neighbor Name—Name associated with the neighbor Neighbor Id—ID associated with the neighbor Maximum Branches—Maximum number of branches this neighbor can have Copyright © 2010, Juniper Networks, Inc.
  • Page 228 OAM Loopback Requests Sent: 0 OAM Loopback Responses Received: 0 Protocol State: GSMP_ESTAB Example 2 host1#show l2c neighbor brief Name Mac Address Remote Address Protocol State -------------------- ---------------- ---------------- ---------------- accessnode1 0abc.0abc.0abc null EMPTY Copyright © 2010, Juniper Networks, Inc.
  • Page 229 Number of configured routers: 1 Number of neigbhors: 5 Number of active neighbors: 1 Number of end-user-ids: 25 Number of peer-attachment-ids: 39 Number of add-branches: 0 Number of delete-branches: 0 See show l2c statistics. Copyright © 2010, Juniper Networks, Inc.
  • Page 230 JunosE 11.3.x IP Services Configuration Guide Copyright © 2010, Juniper Networks, Inc.
  • Page 231: Configuring Digital Certificates

    Method used to encode certificate requests and certificates before they are sent to or from the CA
    Certificate authority; an organization that creates digital certificates
    Certificate; binds a person or entity to a public key using a digital signature
  • Page 232: Platform Considerations

    See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support IPSec. NOTE: The E120 and E320 Broadband Services Routers do not support configuration of IPSec and digital certificates. References For information about digital certificates, see the following references:
  • Page 233: Configuring Digital Certificates

    Before the router can place a digital signature on messages, it requires a private key to sign with, and a public key so that message receivers can verify the signature. Obtaining a root CA certificate
  • Page 234: Generating Public/Private Key Pairs

    The ERX router enables the use of either a manual or automatic method to download the root CA's self-signed certificate. The router accepts root CA certificates in X.509v3 format, encoded as base64 or in basic encoding rules (BER).
  • Page 235: Obtaining A Public Key Certificate

    The operator copies the certificate file onto the ERX router so that it can be used for IKE negotiations. Online Certificate Enrollment Online certificate enrollment works as follows: NOTE: The ERX router must have a root CA certificate for the specified CA before online certificate enrollment.
  • Page 236: Authenticating The Peer

    ERX Cert revoked—The CRL contains the E Series router's certificate. Table 15 on page 211 presents how the CRL setting affects the outcome of IKE phase 1 negotiations. It lists common problem conditions such as ERX Cert revoked.
  • Page 237: File Extensions

    CA and one or more sub-CAs (also called issuing CAs). In a CA hierarchy, the router obtains its public key certificates and the CA certificate from a sub-CA. The sub-CA's certificate is signed by the root CA.
  • Page 238: Ike Authentication Using Public Keys Without Digital Certificates

    Peer Public Keys Without Digital Certificates” on page 224. Public Key Format RSA encryption and authentication require the use of a public key on both the ERX router and on the remote peer with which the router seeks to establish IKE SAs.
  • Page 239: Configuring Digital Certificates Using The Offline Method

    NOTE: For more information about setting up IKE policies, see “Defining an IKE Policy” on page 148 in “Configuring IPSec” on page 119.
    Enter IPSec Identity Configuration mode.
    host1(config)#ipsec identity
    host1(config-ipsec-identity)#
    Specify the information that the router uses to generate a certificate request.
  • Page 240 Use the no version to restore the default, preshared keys. See authentication. common-name Use to specify a common name used to generate certificate requests.
    Example
    host1(config-ipsec-identity)#common-name Jim
    Use the no version to remove the common name. See common-name.
  • Page 241 Use the no version to return the CRL setting to the default, optional. NOTE: This command has been replaced by “ipsec crl” on page 216 and may be removed completely in a future release. See ike crl. ipsec certificate-database refresh
  • Page 242 CRL; neither the E Series router's certificate nor the peer's certificate may appear in the CRL; this is the strictest setting
    Example
    host1(config)#ipsec crl ignored
    Use the no version to return the CRL setting to the default, optional.
  • Page 243 When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
    Example
    host1(config)#ipsec isakmp-policy-rule 3
    host1(config-ike-policy)#
  • Page 244 There is no no version. See ipsec key zeroize. organization Use to specify the organization used in the Subject Name field of certificates.
    Example
    host1(config-ipsec-identity)#organization juniperNetworks
    Use the no version to remove the organization name. See organization.
  • Page 245: Configuring Digital Certificates Using The Online Method

    (Optional) Specify the URL of your network's HTTP proxy server.
    host1(config-ca-identity)#root proxy url http://192.168.5.45
    host1(config-ca-identity)#exit
    Retrieve the CA certificate.
    host1(config)#ipsec ca authenticate trustedca1
    Enroll with the CA and retrieve the router's certificate from the CA.
  • Page 246 Use to set the number of minutes that the router waits after receiving no response before resending a certificate request to the CA. You can specify a wait period in the range 0–60 minutes. Example
  • Page 247 Use the password option, if required by the CA, to access the CA and enable enrollment. The CA must be previously declared by the ipsec ca identity command.
    Example
    host1(config)#ipsec ca enroll trustedca1 My498pWd
    host1(config)#INFO 10/18/2003 03:49:33 ikeEnrollment (): Received erx certificate for ca:trustedca1
  • Page 248 When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority. Example
  • Page 249 URL specified by the enrollment url command are used together to create the CA authentication requests.
    Example
    host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
    Use the no version to remove the name from the configuration. See issuer-identifier.
  • Page 250: Configuring Peer Public Keys Without Digital Certificates

    12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0 23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301 0001
    For information about the format of an RSA public key, see “Public Key Format” on page 212.
  • Page 251 35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714 0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164 8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8 5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506 01020301 0001
  • Page 252 IP address, in 32-bit dotted decimal format. To specify the identity of the remote peer associated with the public key, use the name keyword followed by either: The fully qualified domain name (FQDN)
  • Page 253 Example 1—Configures the public key for a remote peer with IP address 192.168.50.10, using " (double quotation marks) as the key string delimiter character
    host1(config)#ipsec key pubkey-chain rsa address 192.168.50.10
    host1(config-peer-public-key)#key-string "
    Enter remainder of text message. End with the character '"'.
  • Page 254: Monitoring Digital Certificates And Public Keys

    See key-string. Monitoring Digital Certificates and Public Keys Use the following show commands to display information about IKE certificates, IKE configurations, CRLs, public keys, and peer public keys. show ipsec ca identity
  • Page 255 Use to display the IKE certificates and CRLs on the router. Specify the type of certificate you want to display: all—All certificates configured on the router crl—Certificate revocation lists peer—Peer certificates
  • Page 256 = 2004 Oct 21st, 16:24:42 GMT
    PublicKeyInfo =
    PublicKey =
    Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
    Modulus n (1024 bits) : 134091279653070615030540500538006424883565376680781606052426226613116251987660780668684682207035965864954637412854087621341685851428803058412405896520823533525098960335493944208019747261524241389345208872551265097585427735881258246124244228778707000289561722844010730391924576190024855366053321117704284702619
    Exponent e ( 17 bits) : 65537
    Extensions =
  • Page 257 Fingerprints = MD5 = c4:c9:22:b6:19:07:4e:4f:ee:81:7a:9f:cb:f9:1f:7e SHA-1 = 58:ba:fb:0d:68:61:42:2a:52:7e:19:82:77:a4:55:4c:25:8c:c5:60
    Example 2
    host1# show ipsec certificates root-cas
    ----------
    Root CAs:
    ----------
    Ca Identity:[trustedca1]Certificate =
    SubjectName = <C=CA, ST=ON, L=Kanata, O=Juniper Networks, OU=VTS Group, CN=VTS Root CA>
  • Page 258 No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected. SubjectKeyID = KeyId = 15:0a:17:4d:36:b6:49:96:fa:d5:be:df:51:3e:e4:90:51:a2:c0:95 Unknown 1.3.6.1.4.1.311.21.1 = 02:01:00 Fingerprints = MD5 = 8c:56:fb:a6:bd:ab:13:67:e6:13:09:c1:d0:de:1f:24 SHA-1 = 22:3d:84:6d:d4:5f:18:87:ae:2c:15:7d:2a:94:20:ff:c6:12:fb:6f See show ike certificates. See show ipsec certificates. show ipsec identity show ike identity
  • Page 259 Ike identity—Information from your IKE identity configuration that the router uses to generate certificate requests CRL Check—Setting of the CRL check: optional, required, ignored
    Example
    host1#show ipsec ike-configuration
    Ike configuration:
    Ike identity:
    Domain Name :treverxsys2.juniper.net
  • Page 260 FQDN mjones@sales.company_abc.com does not match a public key for FQDN sales.company_abc.com. For information about the format of an RSA public key, see “Public Key Format” on page 212. Field descriptions
  • Page 261 8694a505 0b92433e 4c27441e 3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51 f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74 cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b 29b475c6 ad7305ed 7c460779 351560c6 344ccd1a 35935ea3 da5de228 bd020301 0001 See show ipsec key pubkey-chain rsa.
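    The key-string hex on pages 250, 251 and 261, and the Public Key Format note on page 238, are the RSA public key a peer's identity is bound to when no certificate is used, so a typo or an undersized key pasted there silently weakens IKE authentication. The following is an added example, not JunosE code and not taken from this guide: a Python parser that takes the hex words exactly as the key-string command and the show ipsec key pubkey-chain rsa output present them, decodes the DER, and reports modulus size and exponent so an operator can check a key before binding it to a peer address. It assumes the key-string is the DER encoding of either a PKCS#1 RSAPublicKey or an X.509 SubjectPublicKeyInfo wrapping one (the 020301 0001 tail shown on the page is the DER INTEGER 65537 in both layouts); SAMPLE_N is a constructed integer, not a real modulus.

```python
"""Parse and sanity-check the DER blob behind an IKE RSA key-string.

Added example for this page, not JunosE code. Assumes the hex words are the DER
encoding of a PKCS#1 RSAPublicKey or of a SubjectPublicKeyInfo wrapping one.
SAMPLE_N below is a constructed integer, not a real key.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    # One extra byte whenever the top bit is set keeps the INTEGER positive (02 03 01 00 01 for 65537).
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the key-string")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes):
    """Return (modulus, exponent) from PKCS#1 RSAPublicKey or SubjectPublicKeyInfo DER."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key-string is not a single DER SEQUENCE")
    tag, first, pos = _read_tlv(seq, 0)
    if tag == 0x30:                         # SubjectPublicKeyInfo: AlgorithmIdentifier, then BIT STRING
        oid_tag, oid, _ = _read_tlv(first, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            raise ValueError("algorithm is not rsaEncryption")
        bits_tag, bits, _ = _read_tlv(seq, pos)
        if bits_tag != 0x03 or not bits or bits[0] != 0:
            raise ValueError("malformed subjectPublicKey BIT STRING")
        return parse_rsa_public_key(bits[1:])   # skip the unused-bits octet
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    exp_tag, exp, pos = _read_tlv(seq, pos)
    if exp_tag != 0x02 or pos != len(seq):
        raise ValueError("expected INTEGER exponent as the last element")
    return int.from_bytes(first, "big"), int.from_bytes(exp, "big")


def format_key_string(der: bytes) -> str:
    """Hex in 8-character words, the layout key-string and the show output use."""
    h = der.hex()
    return " ".join(h[i:i + 8] for i in range(0, len(h), 8))


def check_key_string(hex_words: str, min_bits: int = 2048):
    """Return (modulus_bits, exponent, findings) for a pasted key-string."""
    n, e = parse_rsa_public_key(bytes.fromhex("".join(hex_words.split())))
    findings = []
    if n.bit_length() < min_bits:
        findings.append(f"modulus is {n.bit_length()} bits, below {min_bits}")
    if n % 2 == 0:
        findings.append("modulus is even")
    if e < 3 or e % 2 == 0:
        findings.append(f"public exponent {e} is not a valid RSA exponent")
    elif e == 3:
        findings.append("public exponent 3: legal, but fragile against padding mistakes")
    return n.bit_length(), e, findings


# Constructed 1024-bit sample: an arbitrary odd integer, not a real RSA modulus.
SAMPLE_N = (1 << 1023) | 0x1234567
SAMPLE_PKCS1 = der_sequence(der_integer(SAMPLE_N), der_integer(65537))
SAMPLE_SPKI = der_sequence(
    der_sequence(b"\x06" + _der_len(len(RSA_ENCRYPTION_OID)) + RSA_ENCRYPTION_OID, b"\x05\x00"),
    b"\x03" + _der_len(len(SAMPLE_PKCS1) + 1) + b"\x00" + SAMPLE_PKCS1,
)

if __name__ == "__main__":
    print(format_key_string(SAMPLE_PKCS1))
    print(check_key_string(format_key_string(SAMPLE_SPKI)))
```

    Paste the words from the peer's show output into check_key_string; a 1024-bit key such as the ones displayed on pages 256 and 257 is flagged against the 2048-bit floor unless min_bits is lowered deliberately.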
  • Page 263: Configuring Ip Tunnels

    Distance Vector Multicast Routing Protocol (DVMRP) tunnels, also known as IP-in-IP tunnels
    GRE Tunnels
    GRE encapsulates IP packets to enable data transmission through an IP tunnel. The resulting encapsulated packet contains a GRE header and a delivery header. Consequently,
  • Page 264: Dvmrp Tunnels

    I/O modules. However, you must assign interfaces on other line modules or loopback interfaces to act as source endpoints for the tunnel.
  • Page 265: E120 Router And E320 Router

    RFC 1700—Assigned Numbers (October 1994)
    RFC 1701—Generic Routing Encapsulation (October 1994)
    RFC 1702—Generic Routing Encapsulation over IPv4 Networks (October 1994)
    RFC 2003—IP Encapsulation within IP (October 1996)
    RFC 2784—Generic Routing Encapsulation (GRE) (March 2000)
  • Page 266: Configuration Tasks

    For example, to delete interface tunnel dvmrp:boston-tunnel-1 transport-virtual-router No Router from the configuration, issue the command no interface tunnel dvmrp:boston-tunnel-1. See interface tunnel. tunnel checksum
  • Page 267 Use to configure the source of the tunnel. Specify either the primary IP address or the type and specifier of an interface. Do not specify an unnumbered interface. Example 1—Primary IP address
  • Page 268: Configuration Example

    Configure the source and destination points of the tunnel interface.
    host1:boston(config-if)#tunnel source 10.5.5.5
    host1:boston(config-if)#tunnel destination 10.6.6.6
    c. Set the MTU for the tunnel.
    host1:boston(config-if)#tunnel mtu 8000
    d. Configure the IP address of the tunnel interface.
    host1:boston(config-if)#ip address 10.7.7.7 255.255.255.0
  • Page 269: Configuring Ip Tunnels To Forward Ip Frames

    For example, you can configure static IP routes or enable routing protocols on the tunnel interface. The IP configurations you apply to the tunnels control how traffic travels through the network.
  • Page 270: Preventing Recursive Tunnels

    To view the number of tunnels in a specific state, specify the state keyword and the state of the tunnel (disabled, down, enabled, lower-down, not-present, up). To view the state of a specific tunnel, specify a tunnel name.
  • Page 271 Errors—Number of packets with errors received or transmitted by the tunnel Data rx—Received data Data tx—Transmitted data Number of tunnels found—Total number of DVMRP tunnels found Number of static tunnels—Number of tunnels created statically Example 1
  • Page 272 Tunnel transport virtual router is v1
    Tunnel up/down trap is enabled
    Tunnel-server location is 13/0/0
    Tunnel administrative state is Up
    Statistics    packets  octets  discards  errors
    Data rx
    Data tx
    See show dvmrp tunnel. show dvmrp tunnel summary
  • Page 273 Tunnel destination address—IP address of the destination of the tunnel Tunnel transport virtual router—Name of the virtual router associated with the tunnel Tunnel mdt—State of the tunnel MDT Tunnel checksum option—State of the checksum feature: enabled or disabled
  • Page 274 Tunnel server location is 4/0
    Tunnel administrative state is up
    Statistics    packets  octets  discards  errors
    Data rx
    Data tx
    Tunnel operational configuration
    Tunnel name is 'default'
    Tunnel mtu is '10240'
    Tunnel source address is '10.0.0.1'
  • Page 275 Tunnel transport virtual router is default
    Tunnel checksum option is disabled
    Tunnel sequence number option is disabled
    Tunnel up/down trap is enabled
    Tunnel-server location is 1/0/0
    Tunnel administrative state is Up
    Statistics    packets  octets  discards  errors
  • Page 276 (such as a line module) supporting the tunnel is inaccessible
    Example
    host1#show gre tunnel summary
    Administrative status  enabled  disabled
    Operational status     down     not-present
    See show gre tunnel.
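    Pages 263 through 276 describe GRE encapsulation (a delivery header plus a GRE header), the tunnel checksum and sequence-number options shown as enabled/disabled in the show output, and the prevention of recursive tunnels. The following added example, written for this page and not taken from JunosE, builds and parses that encapsulation in Python so the effect of each option can be seen on bytes: the checksum (RFC 2784) is a ones-complement sum over the GRE header and payload, the sequence number (RFC 2890) lets the receiver drop datagrams that arrive out of order, and a recursive tunnel is refused before encapsulation. The recursion check (an inner datagram that is already GRE addressed to this tunnel's own destination) is my own simplification, not the router's algorithm; the inner datagram and the 10.5.5.5/10.6.6.6 endpoints reuse the addresses from the configuration example on page 268 and are constructed, not captured.

```python
"""GRE encapsulation (RFC 2784) with the checksum and sequence-number options
and a simple recursion check.

Added example for this page, not JunosE code. The recursion check is my own
simplification, not the router's algorithm; INNER is a constructed datagram.
"""
import socket
import struct

GRE_C, GRE_S = 0x8000, 0x1000       # Checksum Present, Sequence Number Present
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def ones_complement_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def gre_encap(payload: bytes, proto: int = ETHERTYPE_IPV4, checksum: bool = False, seq=None) -> bytes:
    flags = (GRE_C if checksum else 0) | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += b"\x00\x00\x00\x00"                # Checksum + Reserved1, filled in below
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:                                  # covers the GRE header and the whole payload
        hdr = hdr[:4] + struct.pack("!H", ones_complement_checksum(hdr + payload)) + hdr[6:]
    return hdr + payload


def gre_decap(packet: bytes, expect_seq=None):
    """Return (proto, seq, payload); raise ValueError on checksum or ordering failure."""
    flags, proto = struct.unpack_from("!HH", packet)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    pos, seq = 4, None
    if flags & GRE_C:
        if ones_complement_checksum(packet) != 0:  # a valid packet sums to zero
            raise ValueError("GRE checksum mismatch")
        pos += 4
    if flags & GRE_S:
        seq = struct.unpack_from("!I", packet, pos)[0]
        pos += 4
        if expect_seq is not None and seq < expect_seq:
            raise ValueError(f"out-of-order GRE datagram: sequence {seq} < {expect_seq}")
    return proto, seq, packet[pos:]


def would_recurse(inner: bytes, tunnel_dst: str) -> bool:
    """True if the inner datagram is itself GRE addressed to this tunnel's destination."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return False
    return inner[9] == IPPROTO_GRE and socket.inet_ntoa(inner[16:20]) == tunnel_dst


def tunnel_encap(inner: bytes, src: str, dst: str, checksum: bool = True, seq=None) -> bytes:
    """Delivery IPv4 header (protocol 47) + GRE header + inner datagram."""
    if would_recurse(inner, dst):
        raise ValueError("recursive tunnel: inner datagram would re-enter this tunnel")
    gre = gre_encap(inner, checksum=checksum, seq=seq)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def tunnel_decap(outer: bytes, expect_seq=None):
    if outer[9] != IPPROTO_GRE:
        raise ValueError("delivery header is not GRE")
    return gre_decap(outer[(outer[0] & 0x0F) * 4:], expect_seq)


def check_tunnel_packet(outer: bytes, expect_seq=None) -> str:
    """'ok' or the reason the packet would be dropped."""
    try:
        tunnel_decap(outer, expect_seq)
        return "ok"
    except ValueError as err:
        return str(err)


# Constructed inner datagram: an IPv4 header for UDP (17) with 8 bytes of filler.
INNER = ipv4_header("192.168.1.10", "192.168.2.20", 17, 8) + b"\x00" * 8

if __name__ == "__main__":
    outer = tunnel_encap(INNER, "10.5.5.5", "10.6.6.6", seq=1)
    print(check_tunnel_packet(outer, expect_seq=1), would_recurse(outer, "10.6.6.6"))
```

    The checksum protects only against corruption, not tampering; confidentiality and integrity for a GRE tunnel come from running it over IPSec, which is the subject of page 314.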
  • Page 277: Configuring Dynamic Ip Tunnels

    IP tunnel. The application can automatically create an upper layer IPv4 interface over the GRE or DVMRP interface by using the IP characteristics defined in a profile referenced in the GRE or DVMRP destination profile.
  • Page 278: Data Mdt For Multicast Vpns And Dynamic Ip Tunnels

    IP header. The Mobile IP home agent uses the dynamic IP tunnel for routing loop detection. The home agent examines packets that are intercepted by the home agent and destined for
  • Page 279: Configuring Dynamic Ip Tunnels

    Platform Considerations For information about modules that support IP tunnels on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router: See ERX Module Guide, Table 1, Module Combinations for detailed module specifications.
  • Page 280: Module Requirements

    ES2 4G line module or an ES2 10G ADV line module (LM) with an ES2-S1 Service I/O adapter (IOA), or an IOA that supports the use of shared tunnel-server ports. For information about installing modules in these routers, see the E120 and E320 Hardware Guide.
  • Page 281: Redundancy And Tunnel Distribution

    By default, the data MDT application is disabled in the default destination profiles. The Mobile IP application can use the default destination profile. You can modify the configuration of the default destination profiles.
  • Page 282: Modifying The Configuration Of The Default Destination Profile

    (Optional) Enable IPSec transport mode.
    host1(config-dest-profile)#enable ipsec-transport
    (Optional) Create a multicast VPN tunnel.
    host1(config-dest-profile)#tunnel mdt profile kanata-mdt
    Creating a Destination Profile for DVMRP Tunnels To configure a destination profile for dynamic DVMRP tunnels:
  • Page 283 This command is supported in the destination profile only when you have installed an ISM on ERX routers.
    Example
    host1(config-dest-profile)#enable ipsec-transport
    Use the no version to disable IPSec transport mode. See enable ipsec-transport. gre destination profile
  • Page 284 Use the range keyword to configure the first IP address and the last IP address of the destination interface range.
    Example 1—Specifies an IP address and mask for the destination interface
    host1(config-dest-profile)#tunnel destination subnet 192.13.7.1 255.0.0.0
    Example 2—Specifies a range of IP addresses for the destination interface
  • Page 285: Monitoring Dynamic Ip Tunnels

    Use the no version to remove the source of a tunnel. See tunnel source. Monitoring Dynamic IP Tunnels You can monitor dynamic DVMRP and GRE tunnels by using the following commands. show dvmrp destination profile
  • Page 286 10.0.0.0 255.0.0.0
    tunnel source 1.1.1.1
    tunnel source 1.1.1.2
    tunnel source 1.1.1.3
    See show dvmrp destination profile. show dvmrp tunnel
  • Page 287 Tunnel administrative state—Configured state of the tunnel: Up or Down Statistics—Details of packets received or transmitted by the tunnel packets—Number of packets received or transmitted by the tunnel octets—Number of octets received or transmitted by the tunnel
  • Page 288 Application is Mobile-IP
    Tunnel operational configuration
    Tunnel mtu is '5000'
    Tunnel source address is '6.6.6.6'
    Tunnel destination address is '3.3.3.3'
    Tunnel transport virtual router is vr1
    Tunnel mdt is disabled
    Tunnel checksum option is disabled
  • Page 289 GRE destination profiles configured on the system tunnel checksum—Status of tunnel checksum configuration; enabled or disabled tunnel sequence-datagrams—Status of tunnel sequence datagrams configuration; enabled or disabled
  • Page 290 10240
    ipsec transport mode disabled
    tunnel mdt profile kanata-mdt
    profile kanata
    virtual router vr2
    tunnel destination subnet 224.0.0.0 255.0.0.0
    tunnel source 1.1.1.1
    tunnel source 1.1.1.2
    tunnel source 1.1.1.3
    See show gre destination profile.
  • Page 291 E320 routers). Tunnel is secured by ipsec transport interface—IPSec interface that secures the tunnel. Tunnel administrative state—Configured state of the tunnel: up or down Statistics—Details of packets received or transmitted by the tunnel
  • Page 292 Example 3—Displays the detail of a dynamically created GRE tunnel for the Mobile IP application
    host1:vr12#show gre tunnel detail mobileIp-dynamic-1
    GRE tunnel mobileIp-dynamic-1 is Up
    tunnel is dynamic
    Application is Mobile-IP
    Tunnel operational configuration
  • Page 293 (such as a line module) supporting the tunnel is inaccessible
    Example
    host1#show gre tunnel summary
    Administrative status  enabled  disabled
    Operational status     down     not-present
    See show gre tunnel.
  • Page 295: Ip Reassembly For Tunnels

    Router D must reassemble the packets before tunnel egress processing and de-encapsulation are performed. For more information about configuring tunnel-service interfaces, see Managing Tunnel Service and IPSec Service Interfaces in JunosE Physical Layer Configuration Guide.
  • Page 296: Platform Considerations

    Unlike other line modules, SMs and ISMs do not pair with corresponding I/O modules that contain ingress and egress ports. Instead, they receive data from and transmit data to other line modules with access to ingress and egress ports on their own associated I/O modules.
  • Page 297: E120 Router And E320 Router

    Example—Enables reassembly for virtual router vr12 and disables reassembly for virtual router vr8
    host1:vr12(config)#ip tunnel reassembly
    host1:vr12(config)#virtual-router vr8
    host1:vr8(config)#no ip tunnel reassembly
    Use the no version to return IP tunnel reassembly to the default, disabled. See ip tunnel reassembly.
  • Page 298: Monitoring Ip Reassembly

    You can display statistics for a single virtual router or for all virtual routers. You can also display statistics relative to a baseline.
  • Page 299 Example 2—Shows detailed reassembly statistics for the default virtual router
    host1#show ip tunnel reassembly statistics detail
    Tunnel IP Reassembly Statistics for Virtual Router: default
    Tunnel IP Reassembly enabled
    Total Fragments Received:
    Total Packets Reassembled:
    L2TP:
    GRE:
    IPSec:
    Control/Other:
  • Page 300 Tunnel IP Reassembly Statistics for Virtual Router: vr2
    Tunnel IP Reassembly enabled
    Total Fragments Received:
    Total Packets Reassembled:
    Reassembly Errors:
    Reassembly Discards:
    See show ip tunnel reassembly statistics.
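    Pages 295 through 300 say that a tunnel endpoint must reassemble fragmented tunnel packets before de-encapsulation and report fragments received, packets reassembled, errors and discards per virtual router. Reassembly is also where a tunnel endpoint is most exposed to crafted traffic: overlapping fragments can be used to smuggle a different payload past an earlier inspection point, and a flood of never-completed datagrams fills the reassembly table. The following added example, written for this page and not JunosE code, is a Python reassembler that accepts fragments in any order, discards the whole datagram on any overlap, caps the pending table, and keeps the same four counters the show output lists. The drop-on-overlap and table-cap policies are mine, not the router's; the fragmented GRE (protocol 47) datagram from 10.5.5.5 to 10.6.6.6 is constructed, not captured.

```python
"""IPv4 fragment reassembly with the counters a tunnel reassembly display shows
(fragments received, packets reassembled, errors, discards).

Added example for this page, not JunosE code; the policies (drop a datagram on
any overlap, cap the pending table) are mine, and the fragmented GRE datagram
below is constructed, not captured.
"""
import struct
from collections import Counter

MF_FLAG = 0x2000       # More Fragments bit in the flags/offset word
OFFSET_MASK = 0x1FFF   # fragment offset, in 8-octet units


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, frag, _ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", packet)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    return {"key": (src, dst, ident, proto), "more": bool(frag & MF_FLAG),
            "offset": (frag & OFFSET_MASK) * 8, "payload": packet[ihl:total_len]}


class Reassembler:
    """Reassembles (proto, payload) from non-overlapping fragments arriving in any order."""

    def __init__(self, max_datagram: int = 65535, max_pending: int = 64):
        self.max_datagram, self.max_pending = max_datagram, max_pending
        self.pending = {}          # key -> {"parts": {offset: bytes}, "total": int or None}
        self.stats = Counter()

    def feed(self, packet: bytes):
        """Return (proto, payload) once a datagram is complete, else None."""
        self.stats["fragments_received"] += 1
        try:
            f = parse_ipv4(packet)
        except (ValueError, struct.error):
            self.stats["errors"] += 1
            return None
        if not f["more"] and f["offset"] == 0:              # not fragmented at all
            return f["key"][3], f["payload"]
        entry = self.pending.get(f["key"])
        if entry is None:
            if len(self.pending) >= self.max_pending:        # table full: refuse rather than evict
                self.stats["discards"] += 1
                return None
            entry = self.pending[f["key"]] = {"parts": {}, "total": None}
        start, end = f["offset"], f["offset"] + len(f["payload"])
        overlaps = any(start < o + len(p) and o < end for o, p in entry["parts"].items())
        if overlaps or end > self.max_datagram or (entry["total"] is not None and end > entry["total"]):
            del self.pending[f["key"]]                      # overlap or oversize: drop the whole datagram
            self.stats["discards"] += 1
            return None
        entry["parts"][start] = f["payload"]
        if not f["more"]:
            entry["total"] = end
        return self._complete(f["key"], entry)

    def _complete(self, key, entry):
        covered = 0
        for off in sorted(entry["parts"]):
            if off != covered:
                return None                                  # a hole remains
            covered = off + len(entry["parts"][off])
        if entry["total"] is None or covered != entry["total"]:
            return None
        del self.pending[key]
        self.stats["packets_reassembled"] += 1
        return key[3], b"".join(entry["parts"][o] for o in sorted(entry["parts"]))


def fragment(header: bytes, payload: bytes, mtu: int):
    """Split one datagram into fragments of at most mtu bytes (constructed test input)."""
    chunk = (mtu - len(header)) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        hdr = bytearray(header)
        struct.pack_into("!H", hdr, 2, len(header) + len(part))
        struct.pack_into("!H", hdr, 6, (MF_FLAG if off + chunk < len(payload) else 0) | off // 8)
        frags.append(bytes(hdr) + part)
    return frags


def reoffset(frag: bytes, offset: int, more: bool) -> bytes:
    """Rewrite a fragment's MF/offset word (used to craft an overlapping fragment)."""
    hdr = bytearray(frag)
    struct.pack_into("!H", hdr, 6, (MF_FLAG if more else 0) | offset // 8)
    return bytes(hdr)


# Constructed: a 2048-byte GRE (protocol 47) datagram, 10.5.5.5 -> 10.6.6.6, header checksum left zero.
HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0, 64, 47, 0, bytes([10, 5, 5, 5]), bytes([10, 6, 6, 6]))
PAYLOAD = bytes(range(256)) * 8
FRAGMENTS = fragment(HEADER, PAYLOAD, 576)

if __name__ == "__main__":
    r = Reassembler()
    print([r.feed(f) is not None for f in reversed(FRAGMENTS)], dict(r.stats))
```

    A real endpoint also needs a per-datagram timer so that abandoned entries age out instead of holding the table until the cap is hit; that is omitted here to keep the policy visible.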
  • Page 301: Securing L2Tp And Ip Tunnels With Ipsec

    IPSec. However, unsecured L2TP tunnels are not allowed on the ISM. You use the following commands to create a secure tunnel:
    L2TP tunnels—Use the enable ipsec-transport command in the L2TP destination profile
    GRE and DVMRP tunnels—Use the ipsec-transport keyword in the interface tunnel command
  • Page 302: Ipsec Secured-Tunnel Maximums

    RFC 2401—Security Architecture for the Internet Protocol (November 1998)
    RFC 2661—Layer Two Tunneling Protocol “L2TP” (August 1999)
    RFC 3193—Securing L2TP using IPSec (November 2001)
    RFC 3715—IPsec-Network Address Translation (NAT) Compatibility Requirements (March 2004)
  • Page 303: Securing L2Tp And Ip Tunnels With Ipsec

    L2TP tunnel to the same L2TP/IPSec gateway, which provides the client with another IP interface to access the private network it is connecting to. The L2TP tunnel is completely protected by the IPSec connection established earlier.
  • Page 304: Setting Up The Secure L2Tp Connection

    L2TP and IPSec define control and data messages used for L2TP/IPSec. Figure 24 on page 279 shows an L2TP control frame encapsulated by IPSec. The shaded area shows the encrypted portion of the frame.
  • Page 305: Compatibility And Requirements

    PPP defines the Compression Control Protocol (CCP) and the Encryption Control Protocol (ECP) modes. These modes are currently not supported in the E Series router. There is no interaction related to encryption directives between IPSec and PPP.
  • Page 306: Lns Change Of Port

    NAT device resides between the router and the remote users. In addition, NAT passthrough mode does not provide secure access for groups of remote users at corporate locations where a NAT device resides between the company's intranet and the public IP network.
  • Page 307: How Nat-T Works

    Figure 26 on page 281 shows an L2TP control frame encapsulated with a NAT-T UDP header. The shaded area shows the portion of the frame that is encrypted by IPSec. Figure 26: L2TP Control Frame with NAT-T UDP Encapsulation
  • Page 308: Udp Statistics

    If the router receives NAT keepalive messages as part of the L2TP/IPSec traffic flow, it discards these messages at the ingress line module on which the messages were received.
  • Page 309: Configuring And Monitoring Nat-T

    Table 18 on page 284 describes the differences between how the router handles the idle timeout period (configured with the l2tp tunnel idle-timeout command) and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard Copyright © 2010, Juniper Networks, Inc.
  • Page 310: Configuration Tasks For Client Pc

    To set up preshared keys, see “Configuring IPSec Parameters” on page 139 in “Configuring IPSec” on page 119. Create IPSec policies. See “Defining an IKE Policy” on page 148 in “Configuring IPSec” on page 119. Configure RADIUS authentication and accounting. See JunosE Broadband Access Configuration Guide. Copyright © 2010, Juniper Networks, Inc.
  • Page 311: Enabling Ipsec Support For L2Tp

    Use to specify that the router accept only L2TP tunnels protected by an IPSec transport connection. Example host1(config-l2tp-dest-profile-host)#enable ipsec-transport Use the no version to disable IPSec transport mode. See enable ipsec-transport. l2tp destination profile Copyright © 2010, Juniper Networks, Inc.
  • Page 312: Configuring Nat-T

    Use the no version to disable NAT-T for the current virtual router. Use the default version to restore the default NAT-T setting on the virtual router, enabled. See ipsec option nat-t.
  • Page 313: Configuring Single-Shot Tunnels

    A single-shot tunnel does not persist beyond its last connected L2TP session. As a result, using single-shot L2TP/IPSec tunnels instead of the default (standard) tunnel
  • Page 314: Gre/Ipsec And Dvmrp/Ipsec Tunnels

    The GRE tunnel now runs over the SAs that IKE established.
    Figure 29: GRE/IPSec Connection
    Configuration Tasks
    The main configuration tasks for setting up GRE or DVMRP over IPSec on E Series routers are:
  • Page 315: Enabling Ipsec Support For Gre And Dvmrp Tunnels

    See interface tunnel.
    Configuring IPSec Transport Profiles
    To configure an IPSec transport profile that will be used to secure DVMRP, GRE, or L2TP tunnels: Create the profile.
    host1(config)#ipsec transport profile secureGre virtual-router default ip address 5.5.5.5
  • Page 316

    NAT devices that support IPSec passthrough. To allow these clients to connect, the router: Does not generate or verify UDP checksums. This does not compromise security, because IPSec protects UDP packets with an authentication algorithm far stronger than UDP checksums.
  • Page 317

    Example
    host1(config-ipsec-transport-profile)#lifetime seconds 900 86400 kilobytes 100000 4294967295
    Use the no version to restore the default values, 100000–4294967295 KB and 900–86400 seconds (0.25–24 hours).
    See lifetime.
    local ip address
  • Page 318

    Assign a Diffie-Hellman prime modulus group using one of the following keywords:
    1—768-bit group
    2—1024-bit group
    5—1536-bit group
    Example
    host1(config-ipsec-transport-profile)#pfs group 5
    Use the no version to remove PFS from this profile, which is the default setting.
    See pfs group.
    pre-share
  • Page 319

    CAUTION: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the reduced security does not pose a risk to the provider.
  • Page 320: Monitoring Dvmrp/Ipsec, Gre/Ipsec, And L2Tp/Ipsec Tunnels

    If the tunnel is protected by IPSec, the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface. The line is not shown for unsecured tunnels. The following is a partial display. See “Monitoring IP
  • Page 321

    Possible states are:
    AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder
    AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator
    AM_FINAL_I—Initiator has finished aggressive mode negotiation
  • Page 322

    Use to display whether NAT-T is enabled or disabled on the current virtual router. The show ipsec option command also displays the status of dead peer detection (DPD) on the virtual router. For information about configuring and monitoring DPD, see “Configuring IPSec” on page 119.
    Example
  • Page 323

    InUserPackets—Number of user packets received
    InUserOctets—Number of octets received from user packets
    InAccPackets—Number of encapsulated packets received
    InAccOctets—Number of octets received in encapsulated packets
    InAuthErrors—Number of authentication errors received
    InReplyErrors—Number of reply errors in received traffic
  • Page 324

    Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port
    Inbound spi 0x15c30204
    Inbound transform transport-esp-3des-sha1
    Inbound lifetime 900 seconds 102400 kilobytes
    Outbound spi is 0x16a10205
    Outbound transform transport-esp-3des-sha1
    Outbound lifetime 900 seconds 102400 kilobytes
  • Page 325

    Peer address—Remote endpoint address
    Application—Type(s) of application that this profile is protecting
    Lifetime range in seconds—Lifetime range in seconds configured for the profile
    Lifetime range in kilobytes—Lifetime range in kilobytes configured for the profile
  • Page 326

    Destination profile maximum sessions—Maximum number of sessions allowed for the destination profile
    Destination profile current session count—Number of current sessions for the destination profile
    Host profile attributes:
    Remote host is—Name of the remote host
    Tunnel password is—Password for the tunnel
  • Page 327

    Interface profile is tunneled-user
    Local host name is lns-1
    Ipsec transport is enabled
    Disconnect-cause avp is enabled
    Tunnels are single-shot
    Statistics
    Current session count is 1
    1 L2TP host profile found
    See show l2tp destination profile.
  • Page 329: Configuring The Mobile Ip Home Agent

    IP address, which is referred to as the care-of address (CoA). The mobile node registers this CoA with the home agent. The home agent then establishes a tunnel to the CoA if the tunnel was not established earlier.
  • Page 330: Mobile Ip Agent Discovery

    Home address allocation is done by one of the existing AAA back-end address mechanisms, such as:
    By RADIUS
    From an address pool returned by RADIUS
    From a local pool
    By the DHCP server
  • Page 331: Configuring The Mobile Ip Home Agent

    AAA. The authentication algorithm and security key are retrieved by AAA based on its configuration, depending on the SPI provided in the registration request. If the aaa keyword is absent, then the home agent
  • Page 332: Subscriber Management

    Juniper Networks vendor-specific attributes (VSAs) to provide the appropriate authentication algorithm and secure key for the authentication request. For information about the specific Juniper Networks VSAs used for Mobile IP RADIUS-based authentication, see JunosE Broadband Access Configuration Guide and RADIUS IETF Attributes...
  • Page 333: Mobile Ip Platform Considerations

    Before you can configure the Mobile IP home agent on a virtual router, perform the following tasks:
    Create a virtual router to enable the Mobile IP license.
    (Optional) Configure the access list for filtering foreign agents.
  • Page 334: Configuring The Mobile Ip Home Agent

    RADIUS accounting servers, see the JunosE Broadband Access Configuration Guide.
    Configuring the Mobile IP Home Agent
    To configure the Mobile IP home agent on a virtual router:
    Configure a license for the Mobile IP home agent.
    Configure the Mobile IP home agent settings.
  • Page 335

    Example
    host1(config)#ip mobile home-agent care-of-access acl lifetime 2000 replay 255 reverse-tunnel-off
    Use the no version to disable the home agent service on the virtual router.
  • Page 336

    @yahoo.com aaa care-of-access acl2
    host1(config)#ip mobile host nai bob@msn.net aaa lifetime 400
    Use the no version to delete the configuration of the mobile node on the virtual router.
    See ip mobile host.
    ip mobile profile
  • Page 337

    See ip mobile secure foreign-agent.
    ip mobile secure host
    Use to configure the security associations for a mobile node. You must configure security associations only for mobile nodes on which local authentication is configured.
  • Page 338

    @amazon.net spi 0x100 key ascii pD4En algorithm keyed-md5 replay timestamp within 100
    Use the no version to delete the security associations for the specified host on the virtual router.
    See ip mobile secure host.
    license mobile-ip home-agent
  • Page 339: Monitoring The Mobile Ip Home Agent

    AAA-NAI—Network access identifier returned from the AAA server in user@realm, @realm, or @ format
    Home IP address—IP address of the mobile node
    Home agent address—IP address of the home agent
    Care-of-address—IP address of the foreign agent care-of address or co-located care-of address
  • Page 340

    Reverse tunnel—Whether reverse tunneling is enabled or disabled
    Example
    host1#show ip mobile home-agent
    Home Agent Parameters
    Access list name
    Registration lifetime (in seconds) 36000
    Replay protection time (in seconds)
    Reverse tunnel enabled
    See show ip mobile home-agent.
    show ip mobile host
  • Page 341

    Mobile IP profile is: mobileIpProfile
    See show ip mobile profile.
    show ip mobile secure foreign-agent
    Use to display the security associations configured for all foreign agents on the virtual router.
    Field descriptions
  • Page 342

    Home IP MN-NAI address Algorithm Replay
    ----------- ------- -------------- --------- ------ ----
    @warner.com 288 ( 0x120 ) hmac-md5 time
    See show ip mobile secure host.
    show ip mobile traffic
  • Page 343

    Bad request form—Number of registration requests rejected because of a malformed request
    Unavailable encapsulation—Number of registration requests rejected because of unsupported encapsulation
    No reverse tunnel—Number of registration requests rejected because reverse tunneling is disabled
  • Page 344

    Mobile IP license is—Mobile IP license key associated with the home agent and the maximum number of users allowed by this license
    Example
    host1#show license mobile-ip home-agent
    Mobile IP license is PcZJ93Mt17 which allows 48000 users
    See show license mobile-ip home-agent.
  • Page 345: Index

    PART 2 Index
    Index on page 321
  • Page 347: Index

    AS-path attribute 22
    authentication
      Mobile IP home agent 303
    authentication commands
      authentication 219, 225
    communities, BGP 37
    clear ip commands
      clear ip prefix-list 32
      clear ip prefix-tree 35
      clear ip routes 47
    clearing L2C neighbors 192
  • Page 348

    DVMRP (Distance Vector Multicast Routing Protocol)
      reassembly of tunnel packets 270
      tunnels 238
    dvmrp destination profile command 257
    tunnels 237
    gre destination profile command 258
    GRE with IPSec
      how it works 288
      setting up secure connection 288
  • Page 349

    AH processing 132
    concepts 122
    configuration
      examples 152
      tasks 138
    configuring
      IKE policy 148
      IPSec parameters 139
      tunnels 141
    digital certificates 205
    invalid cookies, IPSec 151
    managing the routing table 47
    IP addresses
      prefix lists 32
      prefix trees 35
    ip commands
      ip as-path access-list 22
      ip bgp-community new-format 38
  • Page 350

    222
    ipsec lifetime 139
    ipsec local-endpoint 141
    ipsec option dpd 143
    ipsec option nat-t 286
    ipsec option tx-invalid-cookie 151
    pfs group 289
    transform-set 289
    See also show ipsec transport commands
    IPSec tunnel profile commands
      domain-suffix 174
      extended-authentication 174
  • Page 351

    L2TP (Layer 2 Tunneling Protocol)
      reassembly of tunnel packets 270
    l2tp commands
      l2tp destination profile 285
      l2tp ignore-receive-data-sequencing 271
    match extcommunity 10, 41
    match ip address 11, 32, 35, 36
    match ip next-hop 32, 35, 36
    match level 12
    match metric 12
    match metric-type 12
    match policy-list 12
  • Page 352

    OSPF (Open Shortest Path First)
      clearing IP routing table 47
      reinstalling routes in IP routing table 47
    creating 73
    interfaces, specifying inside and outside 69
    license 68
    monitoring 85
    NAT-T 280
    overview 61
  • Page 354

    238, 254
    monitoring parameters 244
    redundancy 239, 255
    source, tunnel 237
    static routes 49, 244
    static tunnels 237
    show ip nat commands
      show ip nat inside rule 85
      show ip nat outside rule 85
      show ip nat statistics 85
      show ip nat translations 85
  • Page 355

    254, 270
    tunnels, IP
      DVMRP 251
      DVMRP (IP in IP) 238
      dynamic 251
      endpoints 237
