Generating Private And Public Key Pairs; Configuration Tasks; Configuring An Ipsec License - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual


JunosE 11.3.x IP Services Configuration Guide

Generating Private and Public Key Pairs

Configuration Tasks

Configuring an IPSec License

successfully negotiated. Again, the lifetime is negotiated to the lesser of the two lifetimes,
and failures are logged.
When any of the public key methods for authenticating remote security gateways is used,
the system must have at least one valid public/private key pair. Therefore, the
system provides a facility by which it can generate public and private key pairs for itself.
The private key is used only by the system itself. It is never exchanged with any other
nodes. When generated, the private key is securely stored internally to the system in
nonvolatile memory. Access to the private key is never given, not even to a system
administrator or to a network management system.
The public key is used in either of the following scenarios:
- A network administration system or system administrator can retrieve it so that it can
  be entered into remote security gateways with which the system needs to establish
  an IKE SA.
- It can be given to CAs so that they can properly sign it. From there, the public key is
  distributed to remote security gateways that can handle a PKI.
The public/private key pair as provided by the system supports the RSA standard (512,
1024, or 2048 bits).
The public/private key pair is a global system attribute, regardless of how many ISMs
exist in the system. Only one set of keys is available at any given time.
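As an added example (not from the Juniper guide): a stdlib-only Python check an administrator could run on the system's public key before entering it into a remote security gateway, reporting the modulus size against the sizes listed above and a SHA-256 fingerprint for out-of-band comparison. It assumes the key has been converted to a DER-encoded PKCS#1 RSAPublicKey; the `MIN_BITS` threshold, the function names and the sample input are assumptions of this example.

```python
import hashlib

SUPPORTED_BITS = (512, 1024, 2048)  # sizes the guide lists for the system key pair
MIN_BITS = 2048                     # assumed local policy threshold, not from the guide

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def audit_rsa_public_key(der):
    """Parse RSAPublicKey ::= SEQUENCE { modulus, publicExponent } and grade it."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    bits = int.from_bytes(n_bytes, "big").bit_length()
    return {
        "bits": bits,
        "exponent": int.from_bytes(e_bytes, "big"),
        "supported_size": bits in SUPPORTED_BITS,
        "meets_policy": bits >= MIN_BITS,
        "sha256": hashlib.sha256(der).hexdigest(),  # fingerprint of the encoded key
    }

def _der(tag, value):
    """Encode one DER element; used only to build the constructed sample."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def sample_key(bits):
    """Constructed input: an odd number of the right size, not a real RSA modulus."""
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    return _der(0x30, _der(0x02, n_bytes) + _der(0x02, (65537).to_bytes(3, "big")))

if __name__ == "__main__":
    for size in SUPPORTED_BITS:
        print(size, audit_rsa_public_key(sample_key(size)))
```

Because the key pair is a single global attribute of the system, one failing result here applies to every IKE SA that authenticates with it.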
This section explains the steps to configure an IPSec license and IPSec parameters,
create an IPSec tunnel, and define an ISAKMP/IKE policy. The next section contains
configuration examples.
By default, and with no IPSec tunnel license, you can configure up to 10 IPSec tunnels
on an ERX router. However, you can purchase licenses that support the following IPSec
tunnel maximums:
- 1000
- 2000
- 4000
- 8000
- 16,000
- 32,000
The number of additional tunnels is independent of the number of ISMs installed in the
router. However, the router chassis enforces the following tunnel limits:
Copyright © 2010, Juniper Networks, Inc.
