Table of Contents
Advertisement
JunosE 11.3.x IP Services Configuration Guide
tunnel destination backup
Defining an IKE Policy
148
Use to enable dead peer detection (DPD) on the router. DPD is also known as IKE
keepalive.
You configure DPD on a per-virtual router basis.
Both peers must support DPD.
Example
host1(config)#ipsec option dpd
Use the no version to restore the default, which disables DPD.
See ipsec option dpd.
Use to specify the address or identity of the remote IPSec tunnel endpoint that is a
backup tunnel destination. When DPD detects a disconnection between the E Series
router and the regular IPSec tunnel destination, the router redirects traffic to the tunnel
destination backup, and vice versa.
You can use either the IP address or fully qualified domain name (FQDN) to identify
the backup IPSec tunnel, however you must use the same type of identity that is used
to specify the regular tunnel destination.
For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify
the tunnel destination backup, which does not have a fixed IP address.
The identity string can include an optional user@ specification preceding the FQDN
(this is also known as a user FQDN).
NOTE: If you use a FQDN to specify the IPSec tunnel destination backup,
the tunnel is not initiated by the ERX router. However, the router does
respond to negotiations for this backup tunnel.
Examples
host1(config-if)#tunnel destination backup 10.10.11.15
host1(config-if)#tunnel destination backup identity branch245.customer88.isp.net
host1(config-if)#tunnel destination backup identity
user4925@branch245.customer88.isp.net
Use the no version to restore the default in which the regular tunnel destination is also
the backup tunnel destination.
See tunnel destination backup.
IKE policies define parameters that the router uses during IKE phase 1 negotiation.
To create an IKE policy:
host1(config)#ipsec ike-policy-rule 3
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
