Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual page 171

Software for E Series Broadband Services Routers: IP Services Configuration Guide

tunnel peer-identity
tunnel pfs group
tunnel session-key-inbound
Copyright © 2010, Juniper Networks, Inc.
host1(config-if)#tunnel mtu 2240
Use the no version to restore the default MTU (1440).
See tunnel mtu.
Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity
using one of the following keywords:
address—Specifies an IP address as the peer identity
subnet—Specifies a subnet as the peer identity
range—Specifies a range of IP addresses as the peer identity
Example 1
host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2
Example 2
host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0
Use the no version to remove the peer identity.
See tunnel peer-identity.
Use to configure perfect forward secrecy (PFS) on this tunnel.
Assign a Diffie-Hellman prime modulus group using one of the following keywords:
1—768-bit group
2—1024-bit group
5—1536-bit group
Example
host1(config-if)#tunnel pfs group 5
Use the no version to remove PFS from this tunnel.
See tunnel pfs group.
Use to manually configure the authentication or encryption algorithm sets and session
keys for inbound SAs on a tunnel. You can enter this command only on tunnels that
have tunnel signaling set to manual.
Use the online Help to see a list of available algorithm sets.
Each key is an arbitrary hexadecimal string. If the algorithm set includes:
DES, create an 8-byte key using 16 hexadecimal characters
3DES, create a 24-byte key using 48 hexadecimal characters
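An added example, not part of the Juniper guide: a Python helper that checks a candidate manual session key against the DES and 3DES lengths listed above, and also rejects DES weak keys and 3DES keys whose adjacent 8-byte parts are equal. The function names are hypothetical, and only the two algorithms shown on this page are covered.

```python
import secrets
import string

# Key sizes in bytes for the two algorithms listed on this page.
KEY_BYTES = {"des": 8, "3des": 24}

def _strip_parity(block):
    # DES ignores the low bit of every key byte, so compare without it.
    return bytes(b & 0xFE for b in block)

# The four DES weak keys, stored with parity bits cleared.
_WEAK = {_strip_parity(bytes.fromhex(k)) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}

def check_key(alg, hex_key):
    """Return a list of problems with a manual session key (empty = usable)."""
    alg = alg.lower()
    if alg not in KEY_BYTES:
        return ["unsupported algorithm: " + alg]
    want = KEY_BYTES[alg]
    if any(c not in string.hexdigits for c in hex_key):
        return ["key contains non-hexadecimal characters"]
    if len(hex_key) != 2 * want:
        return ["%s needs %d hex characters, got %d" % (alg, 2 * want, len(hex_key))]
    raw = bytes.fromhex(hex_key)
    parts = [_strip_parity(raw[i:i + 8]) for i in range(0, want, 8)]
    problems = []
    if any(p in _WEAK for p in parts):
        problems.append("contains a DES weak key")
    if alg == "3des" and (parts[0] == parts[1] or parts[1] == parts[2]):
        problems.append("adjacent 3DES key parts are equal (single-DES strength)")
    if len(set(raw)) == 1:
        problems.append("every byte is identical")
    return problems

def generate_key(alg):
    """Draw a key from the OS CSPRNG, retrying on the rare rejected value."""
    while True:
        candidate = secrets.token_hex(KEY_BYTES[alg.lower()])
        if not check_key(alg, candidate):
            return candidate

if __name__ == "__main__":
    for alg in KEY_BYTES:  # print one fresh key per algorithm
        print(alg, generate_key(alg))
```
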
Chapter 5: Configuring IPSec
