Copyright © 2010, Juniper Networks, Inc.

tunnel source

Use to specify an existing interface address that serves as the tunnel's source address.
For signaled IPSec tunnels in cable or DSL environments, you can optionally use an
FQDN to identify the tunnel endpoint.
Example
host1(config-if)#tunnel source 10.10.2.8
Use the no version to remove the tunnel source.
See tunnel source.

tunnel transform-set

Use to specify the transform set that ISAKMP uses during SA negotiations on this
tunnel. You create transform sets using "ipsec transform-set" on page 141.
Example
host1(config-if)#tunnel transform-set espSet
Use the no version to remove the transform set from a tunnel.
See tunnel transform-set.

Configuring DPD and IPSec Tunnel Failover

You can use the ipsec option dpd command to enable dead peer detection (DPD) on
the router. DPD is also known as IKE keepalive. If an IPSec tunnel destination backup is
configured, the router redirects traffic to the alternate destination when DPD detects a
disconnection between the E Series router and the regular tunnel destination. See "tunnel
destination backup" on page 148.

To enable DPD and create an alternate IPSec tunnel destination for failover:

1. Enable DPD on the router.
   host1(config)#ipsec option dpd
2. Enter virtual router mode. Specify the VR that contains the source and destination
   addresses assigned to the tunnel interface (that is, the transport virtual router context).
   host1(config)#virtual-router vrA
   host1:vrA(config)#
3. Create an IPSec tunnel, and specify the transport VR.
   host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
   host1:vrA(config-if)#
4. Specify the address or identity of the tunnel destination backup endpoint.
   host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net

ipsec option dpd
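Failover in the procedure above depends on two separate settings: the global ipsec option dpd line and a tunnel destination backup on each tunnel; a tunnel missing either one never fails over. The following added example (not from the Juniper guide) audits a JUNOSe-style configuration text for that gap. The configuration sample is constructed from the commands on this page and is not real device output; its indentation and the second tunnel name (Aottawa2nyc) are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modeled on the commands in this procedure; not a real
# JUNOSe configuration dump. The second tunnel (Aottawa2nyc) is an assumption
# added to show a tunnel that lacks a backup destination.
SAMPLE_CONFIG = """\
ipsec option dpd
virtual-router vrA
 interface tunnel ipsec:Aottawa2boston transport-virtual-router default
  tunnel source 10.10.2.8
  tunnel transform-set espSet
  tunnel destination backup identity branch500.customer77.isp.net
 interface tunnel ipsec:Aottawa2nyc transport-virtual-router default
  tunnel source 10.10.2.8
  tunnel transform-set espSet
"""

TUNNEL_RE = re.compile(r"^interface tunnel (ipsec:\S+)")


def audit_failover(config: str) -> Dict[str, List[str]]:
    """Flag IPSec tunnels that cannot fail over: 'dpd_disabled' is non-empty
    when the global 'ipsec option dpd' line is absent (no peer-down event can
    then trigger a redirect); 'no_backup' lists tunnels, as vr/name, that have
    no 'tunnel destination backup' line."""
    dpd_enabled = False
    current_vr = "default"          # transport VR context the tunnel lives in
    current_tunnel = None
    has_backup: Dict[str, bool] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ipsec option dpd":
            dpd_enabled = True
        elif line.startswith("virtual-router "):
            current_vr = line.split()[1]
            current_tunnel = None
        elif (m := TUNNEL_RE.match(line)):
            current_tunnel = f"{current_vr}/{m.group(1)}"
            has_backup.setdefault(current_tunnel, False)
        elif line.startswith("tunnel destination backup") and current_tunnel:
            has_backup[current_tunnel] = True
    findings: Dict[str, List[str]] = {"dpd_disabled": [], "no_backup": []}
    if not dpd_enabled:
        findings["dpd_disabled"].append("ipsec option dpd not configured; backup destinations are never used")
    findings["no_backup"] = sorted(t for t, ok in has_backup.items() if not ok)
    return findings
```

On the sample, the Aottawa2nyc tunnel is reported under no_backup because it has a source and transform set but no backup destination.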
Chapter 5: Configuring IPSec
147