Figure 15: Customer A's Corporate Frame Relay Network; Figure 16: Isp-X Uses Erx Routers To Connect Corporate Offices Over The - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

Example 1
Copyright © 2010, Juniper Networks, Inc.
They filter traffic going into and coming out of the tunnels so that it is within the
specified range. If the configuration requires that only one IPSec tunnel exists between
two endpoints and no traffic filtering is required, you can omit the tunnel local-identity
and tunnel peer-identity commands.
In Figure 15 on page 153 customer A is using Frame Relay to connect its corporate offices
in three cities: Boston, Ottawa, and Boca.

Figure 15: Customer A's Corporate Frame Relay Network

Customer A hires ISP-X to provide a leased line replacement over an IP infrastructure
using IPSec. ISP-X can offer a replacement for long-haul Frame Relay links by creating
IPSec tunnels to carry customer A's traffic securely between the sites over the public or
ISP-provided IP network. This alternative costs only a fraction of the price of the Frame
Relay links. Figure 16 on page 153 shows the connectivity scheme.

Figure 16: ISP-X Uses ERX Routers to Connect Corporate Offices over the

Internet
To configure the connections as shown in Figure 16 on page 153:
On each ERX router, create a protection suite that provides 3DES encryption with
1.
SHA-1 authentication on every packet.
erx1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx2(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
erx3(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
Chapter 5: Configuring IPSec
153