Rfc 2401 Compliance; Ipsec Protocol Stack; Figure 12: Ipsec Tunneling Stack - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

Software for e series broadband services routers ip services configuration guide
Chapter 5: Configuring IPSec
Secure IP interfaces are a logical representation of a secure connection between two
security endpoints, one of which is the local system. The remote endpoint can be another
security gateway or a host.

RFC 2401 Compliance

RFC 2401 states that a security policy database (SPD) must exist for each physical
interface in the router, and that an administrator must configure these SPDs to determine
which traffic must be protected by IPSec, which traffic may pass without IPSec protection,
and which traffic must be denied. The ERX router does not support a systemwide SPD.
Instead, the router uses routing policies applied to physical interfaces to describe which
traffic to forward to a single IPSec tunnel, which traffic to discard, and so on. The router
also applies IPSec selectors to traffic entering or leaving a secure tunnel so that
unwanted traffic is not allowed inside the tunnel. Supported selectors include IP
addresses, subnets, and IP address ranges. An implementation that strictly follows
RFC 2401 requires a separate IPSec tunnel for each SPD entry.
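The following Python model, added here as an illustration and not part of the Juniper guide or the JunosE software, shows the three selector forms the text lists (address, subnet, range) driving the three SPD decisions RFC 2401 describes (protect, bypass, discard). It assumes first-match rule ordering, a default of discard when no entry matches, and a policy that is symmetric between directions; rule addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

# The three dispositions an RFC 2401 SPD entry can express.
PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


def parse_selector(text):
    """Return a predicate for one selector: a single address, a CIDR subnet,
    or an inclusive 'low-high' address range (the forms the guide supports)."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"range low end above high end: {text}")
        return lambda addr: lo <= addr <= hi
    net = ipaddress.ip_network(text, strict=False)  # a bare address becomes a /32
    return lambda addr: addr in net


@dataclass
class Rule:
    src: str
    dst: str
    action: str


def build_table(rules):
    """Compile rules into (src_pred, dst_pred, action) entries, keeping order."""
    return [(parse_selector(r.src), parse_selector(r.dst), r.action) for r in rules]


def classify(table, src, dst):
    """Outbound decision: first matching entry wins; unmatched traffic is discarded
    (assumed default, so a gap in the policy never leaks clear-text traffic)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_ok, dst_ok, action in table:
        if src_ok(s) and dst_ok(d):
            return action
    return DISCARD


def inbound_allowed(table, src, dst):
    """Inbound check on a packet that emerged from the tunnel: accept it only if
    the mirrored flow is one the policy says must be protected. Anything else
    (a bypass or discard flow appearing inside the tunnel) is unwanted traffic."""
    return classify(table, dst, src) == PROTECT


# Constructed sample policy: a branch subnet reaches HQ through the tunnel, one
# host may talk to a public network in the clear, and a guest range is blocked.
TABLE = build_table([
    Rule("192.0.2.0/24", "198.51.100.0/24", PROTECT),
    Rule("192.0.2.10", "203.0.113.0/24", BYPASS),
    Rule("192.0.2.100-192.0.2.150", "0.0.0.0/0", DISCARD),
])
```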

IPSec Protocol Stack

Figure 12 on page 123 shows the protocol stack on a client, an IPSec gateway, and a server.
In the figure, HTTP and TCP are examples of higher-level protocols involved in the
end-to-end communication; other end-to-end communication protocols are also
supported. The layers where the data can be encrypted are shown in gray.

Figure 12: IPSec Tunneling Stack

Figure 13 on page 124 shows the packet encapsulation for IPSec tunneling.
Copyright © 2010, Juniper Networks, Inc.
123
