Inbound And Outbound Sas; Transform Sets - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

Copyright © 2010, Juniper Networks, Inc.
To set the global (default) lifetime, use the ipsec lifetime command.

Inbound and Outbound SAs

SA parameters are the actual session parameters used to secure a specific data flow
associated with a specific secure IP interface. How SA parameters are set depends on
how the IP interfaces are secured:

For manual secure IP interfaces, the system administrator sets SA parameters. Manually
setting SA parameters allows provisioning of IP security to destinations that do not
support SA negotiation via IKE.

For signaled secure IP interfaces, the two security gateway peers negotiate SA
parameters; the system administrator is not allowed to set any of the parameters. In
fact, for some of these parameters, such as session keys, the system administrator is
not even granted read access.

Similarly to IPSec SAs, SA parameters are unidirectional. Therefore, for a two-way data
flow, two SAs need to be established—one for inbound traffic and another for outbound
traffic. For each direction, SA parameters must be set for each transform associated with
a secure IP interface. Therefore, two sets of SA parameters exist for each secure IP
interface, one being the inbound SA parameters and the other the outbound SA
parameters.

The following parameters form each set of SA parameters:

SPI—The SPI is a unique identifier that is applied to the SA when securing a flow. An
SPI is unique for a given destination IP address and protocol tuple. The destination IP
address is either the remote secure IP interface endpoint for the outbound direction
or the local secure IP interface endpoint for the inbound direction.

Encapsulation—The encapsulation options include both an encapsulating protocol
and an encapsulating mode. The protocol can be either ESP or AH. The mode is tunnel
mode.

Transforms—The allowed transforms for given SA parameters depend on the
encapsulation protocol. See "Transform Sets" on page 129 for more information.

Keys—The session key is used for the respective SA transform. The key length depends
on the SA transform to which it applies, and is as follows:
DES—8 bytes
3DES—24 bytes
MD5—16 bytes
SHA—20 bytes
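The parameter list above is what an administrator has to get right by hand on a manual secure IP interface, and a mistake (a key of the wrong length, a reused SPI, a missing inbound SA) silently weakens or breaks the tunnel. The checker below is an added example, not JunosE code and not part of this manual: it validates a set of manually provisioned SA parameters against the rules stated here (one SA per direction, tunnel mode only, ESP or AH, key lengths per transform, SPI unique per destination address and protocol). Two rules it applies are assumptions taken from general IPsec practice rather than from this page: AH carries only an authentication transform while ESP needs an encryption transform, and SPI values 0 through 255 are treated as reserved (per RFC 4303). The SA values in the test are constructed.

```python
# Added example: validator for manually provisioned IPsec SA parameter sets.
# Not JunosE code. Transform/encapsulation compatibility and the reserved SPI
# range are assumptions from general IPsec practice, not from this manual.
from dataclasses import dataclass
import ipaddress

# Session key length per transform, as listed in the manual.
KEY_LENGTH = {"des": 8, "3des": 24, "md5": 16, "sha": 20}
ENCRYPTION_TRANSFORMS = {"des", "3des"}
AUTH_TRANSFORMS = {"md5", "sha"}
SPI_RESERVED_MAX = 255  # assumption: RFC 4303 reserves SPIs 0-255


@dataclass
class SAParams:
    direction: str    # "inbound" or "outbound"
    spi: int
    protocol: str     # "esp" or "ah"
    mode: str         # only "tunnel" is supported on this platform
    destination: str  # remote endpoint for outbound, local endpoint for inbound
    keys: dict        # transform name -> session key bytes


def validate_sa(sa):
    """Return a list of problems with one SA parameter set (empty if valid)."""
    problems = []
    if sa.direction not in ("inbound", "outbound"):
        problems.append(f"unknown direction {sa.direction!r}")
    if sa.protocol not in ("esp", "ah"):
        problems.append(f"encapsulation protocol must be esp or ah, got {sa.protocol!r}")
    if sa.mode != "tunnel":
        problems.append(f"encapsulation mode must be tunnel, got {sa.mode!r}")
    if not (SPI_RESERVED_MAX < sa.spi <= 0xFFFFFFFF):
        problems.append(f"SPI {sa.spi:#x} is reserved or outside the 32-bit range")
    try:
        ipaddress.ip_address(sa.destination)
    except ValueError:
        problems.append(f"destination {sa.destination!r} is not an IP address")

    transforms = set(sa.keys)
    unknown = transforms - set(KEY_LENGTH)
    if unknown:
        problems.append(f"unknown transforms: {sorted(unknown)}")
        transforms -= unknown
    # Transform/encapsulation compatibility (assumed generic IPsec semantics).
    if sa.protocol == "ah" and transforms & ENCRYPTION_TRANSFORMS:
        problems.append("AH carries no encryption transform")
    if sa.protocol == "ah" and not transforms & AUTH_TRANSFORMS:
        problems.append("AH requires an authentication transform")
    if sa.protocol == "esp" and not transforms & ENCRYPTION_TRANSFORMS:
        problems.append("ESP requires an encryption transform")
    if len(transforms & ENCRYPTION_TRANSFORMS) > 1 or len(transforms & AUTH_TRANSFORMS) > 1:
        problems.append("at most one encryption and one authentication transform per SA")
    # The key length must match the transform it applies to.
    for name in transforms:
        expected = KEY_LENGTH[name]
        actual = len(sa.keys[name])
        if actual != expected:
            problems.append(f"{name} key must be {expected} bytes, got {actual}")
    return problems


def validate_interface(sas):
    """Check all SAs provisioned for one secure IP interface: exactly one SA per
    direction, each individually valid, and no SPI reused for the same
    (destination address, protocol) tuple."""
    problems = []
    by_direction = {}
    for sa in sas:
        problems.extend(f"{sa.direction}: {p}" for p in validate_sa(sa))
        by_direction.setdefault(sa.direction, []).append(sa)
    for direction in ("inbound", "outbound"):
        if len(by_direction.get(direction, [])) != 1:
            problems.append(f"exactly one {direction} SA is required")
    seen = set()
    for sa in sas:
        key = (sa.destination, sa.protocol, sa.spi)
        if key in seen:
            problems.append(f"SPI {sa.spi:#x} reused for {sa.destination}/{sa.protocol}")
        seen.add(key)
    return problems


if __name__ == "__main__":
    # Constructed sample: ESP tunnel with 3DES + SHA in both directions.
    outbound = SAParams("outbound", 0x1001, "esp", "tunnel", "192.0.2.1",
                        {"3des": b"k" * 24, "sha": b"a" * 20})
    inbound = SAParams("inbound", 0x1002, "esp", "tunnel", "198.51.100.1",
                       {"3des": b"k" * 24, "sha": b"a" * 20})
    print(validate_interface([inbound, outbound]) or "SA parameters OK")
```

Run it as a pre-commit step over whatever source of truth holds the manual SA definitions; every problem string names the direction and the offending parameter, so a failed check points straight at the line that needs fixing.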

Transform Sets

Transform sets are composed of security parameters that provide a required security
level to a particular data flow. Transform sets are used during user SA negotiation to find
common agreement between the local and the remote security gateway on how to
protect that specific data flow.
Chapter 5: Configuring IPSec
129
