Operational Virtual Router; Transport Virtual Router; Table 10: Security Parameters Per Ipsec Policy Type - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

JunosE 11.3.x IP Services Configuration Guide
126

Table 10: Security Parameters per IPSec Policy Type

| Security Parameter | Manual | Signaled |
|---|---|---|
| Operational VR | Required | Required |
| Transport VR | Required | Required |
| Perfect forward secrecy | Optional | Optional |
| Lifetime | Optional | Optional |
| Inbound and outbound SAs | Required | Not applicable |
| Transform set | Required | Required |

Operational Virtual Router

The operational VR for a secure IP tunnel is the VR in which a secure IP tunnel exists. The IP address and mask associated with a secure IP interface exist only within the operational VR under which the interface is declared. The VR defines the network prefix, which is reachable through the logical IP interface.

A secure IP tunnel is always a member of one and only one operational VR. Therefore, the operational VR attributes are mandatory for any secure tunnel. These attributes include:

- IP address and mask
- Virtual router on which the secure IP interface exists

Transport Virtual Router

The transport VR for a secure IP tunnel is the VR in which both of the secure tunnel endpoints, the source and destination, are routable addresses. Normally, the transport VR is the default ISP routing infrastructure on top of which VPNs are provisioned.

The IPSec Service module (ISM) is a security gateway and, as such, is one of the endpoints for secure tunnels. The tunnel endpoints are the tunnel source and the tunnel destination IP addresses. For IKE signaled IPSec tunnels, you can use the fully qualified domain name (FQDN) instead of the IP address to identify the tunnel endpoints. You typically use this feature to identify the tunnel destination endpoint in DSL and broadband environments. See "Transport VR Definitions with an FQDN" on page 127 in this section.

The tunnel source IP address must be one of the local IP addresses configured on the router.

The tunnel destination address must be a routable IP address within the transport VR routing tables.
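The requirements in Table 10 and the tunnel endpoint rules above can be checked mechanically before a tunnel is provisioned. The following Python audit is an added example, not code from the Juniper guide; the dictionary schema, parameter keys and sample addresses are assumptions, and it reads the FQDN sentence as limiting FQDN endpoints to IKE-signaled tunnels.

```python
import ipaddress

# Table 10 from the page: parameter -> (manual, signaled) requirement.
# The key names are hypothetical; they are not JunosE CLI keywords.
TABLE_10 = {
    "operational_vr": ("required", "required"),
    "transport_vr": ("required", "required"),
    "pfs": ("optional", "optional"),
    "lifetime": ("optional", "optional"),
    "inbound_outbound_sas": ("required", "n/a"),
    "transform_set": ("required", "required"),
}

def parse_ip(value):
    """Return an ip_address, or None when the endpoint is not an IP literal (treated as FQDN)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def audit_tunnel(tunnel, local_addrs, transport_routes):
    """Return findings for one tunnel definition (hypothetical dict schema)."""
    kind = tunnel["type"]  # "manual" or "signaled"
    col = 0 if kind == "manual" else 1
    findings = []
    for param, rule in TABLE_10.items():
        present = tunnel.get(param) is not None
        if rule[col] == "required" and not present:
            findings.append(f"missing required parameter: {param}")
        elif rule[col] == "n/a" and present:
            findings.append(f"not applicable to {kind} tunnels: {param}")
    src, dst = parse_ip(tunnel["source"]), parse_ip(tunnel["destination"])
    # Assumption: FQDN endpoints are accepted only on IKE-signaled tunnels.
    if kind == "manual" and (src is None or dst is None):
        findings.append("FQDN endpoint on a manual tunnel")
    # The source must be one of the router's local addresses.
    if src is not None and src not in {ipaddress.ip_address(a) for a in local_addrs}:
        findings.append("source is not a local address")
    # The destination must fall under a prefix in the transport VR routing table.
    if dst is not None and not any(dst in ipaddress.ip_network(p) for p in transport_routes):
        findings.append("destination not routable in transport VR")
    return findings

# Constructed sample data (documentation address ranges, hypothetical names).
LOCAL = ["192.0.2.1"]
ROUTES = ["198.51.100.0/24"]
SIGNALED = {"type": "signaled", "operational_vr": "vpn-a", "transport_vr": "default",
            "transform_set": "ts1", "source": "192.0.2.1", "destination": "gw.example.net"}
MANUAL = {"type": "manual", "operational_vr": "vpn-a", "transport_vr": "default",
          "transform_set": "ts1", "source": "192.0.2.9", "destination": "203.0.113.5"}
```

Calling `audit_tunnel(MANUAL, LOCAL, ROUTES)` reports the missing SAs, the non-local source and the unroutable destination, while the signaled tunnel with an FQDN destination passes cleanly.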
Copyright © 2010, Juniper Networks, Inc.
