CHAPTER 6
Configuring Dynamic IPSec Subscribers
Copyright © 2010, Juniper Networks, Inc.
This chapter describes how to securely terminate IPSec remote access subscribers. These
subscribers can reside on different VPNs, and the router can support many VPNs
simultaneously. It contains the following sections:
Overview
Platform Considerations
References
Creating an IPSec Tunnel Profile
Configuring IPSec Tunnel Profiles
Defining IKE Policy Rules for IPSec Tunnels
Monitoring IPSec Tunnel Profiles
Overview
You can use the E Series router to terminate users on multiple VPNs (that is, private
intranets where users can log in and access private servers). For the E Series router, VPNs
appear as VRs or VRFs. Users that connect to the VPN terminate on the associated VR
or VRF. The router contains a link between the VR or VRF and the private intranet
containing the resources. This link can be a direct connection or a tunnel (IPSec, IP-in-IP,
GRE, or MPLS). Once a connection is established, the router can pass traffic between the
VPN and connected users.
The E Series router already supports termination of secure remote access subscribers
using L2TP and IPSec. In this model, IPSec uses transport mode to "protect" PPP
subscribers that use L2TP tunnels as described in RFC 3193. However, because these
subscribers are handled by the PPP and L2TP application, IPSec has no direct information
about them. When the router terminates dynamic IPSec subscribers, the IPSec protocol
manages the subscribers completely.
Dynamic Connection Setup
Dynamic secure remote access subscribers initiate connections to the E Series router by
establishing an IPSec phase 1 security association (SA; also known as an IKE SA or P1)
with the router.