JunosE 11.3.x IP Services Configuration Guide (JunosE Software for E Series Broadband Services Routers), Juniper Networks, 2010-10-01

Sections on this page: Dynamic Connection Teardown; Dynamic IPSec Subscriber Recognition; Licensing Requirements

After a security association is established, the subscriber is instantiated in the IPSec software. Following this instantiation, the router initiates the extended authentication (Xauth) protocol exchange to prompt the user for a username and password. The router uses its existing authentication, authorization, and accounting (AAA) functionality to authenticate these credentials.

After granting access, the router instantiates an IP interface for the new subscriber, as well as an access route for the IP address assigned to the subscriber on the terminating virtual router. The subscriber also obtains its IP interface data (IP address, subnetwork mask, primary and secondary DNS address, primary and secondary WINS address, and so on) during a configuration exchange.

Once the subscriber is instantiated, the access route has been created, and the client has accepted the interface parameters, the router can terminate the Xauth exchange and enable the IPSec layer; negotiation of the phase 2 SAs (IPSec SAs, or P2s) can then begin. Following these exchanges, the full data path is ready and the subscriber can exchange packets with the VR on which it terminates.
Dynamic Connection Teardown

The following events can trigger the teardown of a dynamic IPSec subscriber connection:

All phase 1 and phase 2 SAs are deleted by the remote peer and no rekeying activity occurs for one minute
Administrative logout
The IPSec card terminating the user becomes unavailable (for example, the card is reloading, disabled, or disconnected)
Dead peer detection (DPD) reports that the phase 1 SA is unreachable
The AAA session timeout or idle timeout value expires
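The triggers listed above, modelled as a small event-driven state machine (an added example in Python, not JunosE code). The five triggers and the one-minute window are taken from the list; the class and method names, the SA identifiers, and the AAA timeout values used in the scenario are assumptions made for the demonstration. The point worth seeing in code is that a full delete by the peer does not tear the subscriber down by itself: a rekey inside the minute cancels the pending teardown, and only a full delete that stays quiet for 60 s removes the interface and access route.

```python
"""Teardown triggers for a dynamic IPSec subscriber, as a small event model.

Added example, not JunosE code. The five triggers and the one-minute window
come from the list above; class/method names, the SA identifiers and the
AAA timeout values used in the scenario are assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

GRACE_AFTER_ALL_SAS_DELETED = 60.0  # "no rekeying activity occurs for one minute"


@dataclass
class DynamicSubscriber:
    name: str
    started_at: float
    session_timeout: Optional[float] = None  # AAA session timeout in s, None = unlimited
    idle_timeout: Optional[float] = None     # AAA idle timeout in s, None = unlimited
    phase1_sas: Set[str] = field(default_factory=set)
    phase2_sas: Set[str] = field(default_factory=set)
    last_activity: float = field(init=False)
    all_sas_gone_since: Optional[float] = None  # start of the one-minute grace period
    torn_down: Optional[str] = None             # reason, once the connection is gone

    def __post_init__(self) -> None:
        self.last_activity = self.started_at

    # --- SA lifecycle driven by the remote peer ------------------------------
    def sa_established(self, phase: int, spi: str, now: float) -> None:
        """A new or rekeyed SA ends the grace period started by a full delete."""
        self._sas(phase).add(spi)
        self.all_sas_gone_since = None
        self.last_activity = now

    def sa_deleted_by_peer(self, phase: int, spi: str, now: float) -> None:
        """Only when the last phase 1 *and* phase 2 SA is gone does the clock start."""
        self._sas(phase).discard(spi)
        if not self.phase1_sas and not self.phase2_sas and self.all_sas_gone_since is None:
            self.all_sas_gone_since = now

    def data_seen(self, now: float) -> None:
        """Subscriber traffic on the data path resets the AAA idle timer."""
        self.last_activity = now

    # --- triggers that tear the connection down at once ----------------------
    def admin_logout(self) -> str:
        return self._teardown("administrative logout")

    def card_unavailable(self) -> str:
        return self._teardown("IPSec card reloading, disabled, or disconnected")

    def dpd_unreachable(self) -> str:
        return self._teardown("DPD reports phase 1 SA unreachable")

    # --- timer-driven triggers, checked from a periodic poll -----------------
    def poll(self, now: float) -> Optional[str]:
        """Return the teardown reason if one of the timed triggers has fired."""
        if self.torn_down is not None:
            return self.torn_down
        if (self.all_sas_gone_since is not None
                and now - self.all_sas_gone_since >= GRACE_AFTER_ALL_SAS_DELETED):
            return self._teardown("all SAs deleted by peer, no rekey within one minute")
        if self.session_timeout is not None and now - self.started_at >= self.session_timeout:
            return self._teardown("AAA session timeout")
        if self.idle_timeout is not None and now - self.last_activity >= self.idle_timeout:
            return self._teardown("AAA idle timeout")
        return None

    def _sas(self, phase: int) -> Set[str]:
        if phase not in (1, 2):
            raise ValueError("phase must be 1 or 2")
        return self.phase1_sas if phase == 1 else self.phase2_sas

    def _teardown(self, reason: str) -> str:
        # A real router would also remove the subscriber's IP interface and the
        # access route installed on the terminating VR at this point.
        self.torn_down = reason
        return reason


def rekey_scenario():
    """Peer deletes every SA, rekeys inside the minute, then deletes again and
    stays silent: the first delete must not tear down, the second must.
    Returns the poll results at the four checkpoints."""
    sub = DynamicSubscriber("sub1", started_at=0.0, session_timeout=3600.0, idle_timeout=600.0)
    sub.sa_established(1, "p1-a", 0.0)
    sub.sa_established(2, "p2-a", 1.0)
    sub.sa_deleted_by_peer(2, "p2-a", 100.0)
    sub.sa_deleted_by_peer(1, "p1-a", 100.0)   # grace period starts at t=100
    first = sub.poll(130.0)                     # 30 s in: still up
    sub.sa_established(1, "p1-b", 140.0)        # rekey cancels the grace period
    second = sub.poll(200.0)                    # would have fired at t=160 without the rekey
    sub.sa_deleted_by_peer(1, "p1-b", 300.0)    # grace period restarts at t=300
    third = sub.poll(359.0)
    fourth = sub.poll(360.0)
    return first, second, third, fourth


if __name__ == "__main__":
    print(rekey_scenario())
```

The immediate triggers (administrative logout, card loss, DPD failure) bypass the poll and mark the subscriber gone at once; only the peer-initiated delete and the AAA timers are evaluated on a clock, which is why `poll()` is the single place that decides whether a quiet subscriber is still alive.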
Dynamic IPSec Subscriber Recognition

The E Series router expects to receive the Xauth vendor ID from the remote peer before it instantiates a dynamic interface. The expected Xauth vendor ID is 0x09002689DFD6B712.

NOTE: The E Series router does not initiate connections to new subscribers.

Acceptable vendor IDs are global to the router and not user-configurable.
Phase 2 SAs for static tunnels and phase 2 SAs for dynamic subscribers never share a phase 1 SA: a phase 1 SA recognized as dynamic is used only to negotiate dynamic phase 2 SAs, and a phase 1 SA that is not recognized as dynamic is used only to negotiate phase 2 SAs for static tunnels.
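How the two rules above fit together, as an added example in Python (not JunosE code): the Xauth vendor ID from the peer's phase 1 message tags the phase 1 SA as dynamic at creation, and a later phase 2 request is accepted only if its kind (dynamic subscriber or static tunnel) matches that tag. The vendor ID value and the separation rule come from the text; the ISAKMP generic payload header layout is from RFC 2408 and the DPD vendor ID from RFC 3706; the function names, cookie values and sample payload chains are constructed for the demonstration.

```python
"""Recognising a dynamic IPSec subscriber from the Xauth vendor ID, and keeping
dynamic and static phase 1 SAs apart when a phase 2 request arrives.

Added example, not JunosE code. The vendor ID value and the separation rule
come from the text above; the payload encoding follows the ISAKMP generic
payload header (RFC 2408) and the DPD vendor ID is from RFC 3706. Function
names, the cookie values and the sample payload chains are constructed here.
"""
import hashlib
import struct
from typing import Iterator, List, Tuple

XAUTH_VID = bytes.fromhex("09002689DFD6B712")                # expected by the E Series router
DPD_VID = bytes.fromhex("AFCAD71368A1F1C96B8696FC77570100")  # RFC 3706, not an Xauth marker
PAYLOAD_NONE = 0
PAYLOAD_VENDOR_ID = 13


def build_payload_chain(payloads: List[Tuple[int, bytes]]) -> Tuple[int, bytes]:
    """Encode [(type, body), ...] as an ISAKMP payload chain. Each generic header
    is next-payload(1) | reserved(1) | length(2, header included); the type of
    the first payload travels in the ISAKMP header, so it is returned separately."""
    out = bytearray()
    for i, (ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += struct.pack("!BBH", next_type, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else PAYLOAD_NONE), bytes(out)


def parse_payload_chain(first_type: int, blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the chain, yielding (type, body). Every length is checked against the
    buffer so a truncated or lying length field raises instead of over-reading."""
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(blob):
            raise ValueError("truncated payload header at offset %d" % off)
        next_type, _reserved, length = struct.unpack_from("!BBH", blob, off)
        if length < 4 or off + length > len(blob):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        yield ptype, blob[off + 4:off + length]
        ptype, off = next_type, off + length
    if off != len(blob):
        raise ValueError("%d trailing bytes after last payload" % (len(blob) - off))


def peer_offers_xauth(first_type: int, blob: bytes) -> bool:
    """True if any Vendor ID payload in the peer's phase 1 message carries the
    Xauth vendor ID. Other vendor IDs (DPD, NAT-T, ...) do not count."""
    return any(ptype == PAYLOAD_VENDOR_ID and body == XAUTH_VID
               for ptype, body in parse_payload_chain(first_type, blob))


def is_well_formed(first_type: int, blob: bytes) -> bool:
    try:
        list(parse_payload_chain(first_type, blob))
        return True
    except ValueError:
        return False


def xauth_vid_from_draft_name() -> bytes:
    """The Xauth vendor ID is widely documented as the first 8 bytes of
    MD5("draft-ietf-ipsra-isakmp-xauth-06.txt"); recompute it so the constant
    above can be checked rather than trusted."""
    return hashlib.md5(b"draft-ietf-ipsra-isakmp-xauth-06.txt").digest()[:8]


class Phase1SA:
    """A phase 1 SA tagged at creation as dynamic (Xauth VID seen) or static."""
    def __init__(self, cookie: str, dynamic: bool) -> None:
        self.cookie, self.dynamic = cookie, dynamic


def classify_phase1(cookie: str, first_type: int, blob: bytes) -> Phase1SA:
    return Phase1SA(cookie, peer_offers_xauth(first_type, blob))


def phase2_allowed(p1: Phase1SA, for_dynamic_subscriber: bool) -> bool:
    """A dynamic phase 1 SA negotiates only dynamic phase 2 SAs; a phase 1 SA not
    recognised as dynamic negotiates only phase 2 SAs for static tunnels."""
    return p1.dynamic == for_dynamic_subscriber


# Constructed sample messages: a remote-access client that sends DPD and Xauth
# vendor IDs, and a site-to-site peer that sends only DPD.
CLIENT_MSG = build_payload_chain([(PAYLOAD_VENDOR_ID, DPD_VID), (PAYLOAD_VENDOR_ID, XAUTH_VID)])
SITE_MSG = build_payload_chain([(PAYLOAD_VENDOR_ID, DPD_VID)])

if __name__ == "__main__":
    client_p1 = classify_phase1("c0ffee01", *CLIENT_MSG)
    site_p1 = classify_phase1("c0ffee02", *SITE_MSG)
    print("client dynamic:", client_p1.dynamic, "site dynamic:", site_p1.dynamic)
    print("static tunnel over client P1 allowed:", phase2_allowed(client_p1, False))
```

Two practitioner points are built in: the vendor ID comparison is on the whole payload body, so a VID that merely starts with the expected bytes does not count, and the chain walker refuses oversized or undersized length fields, which is where a sloppy ISAKMP parser usually goes wrong before it ever gets to authentication.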
Licensing Requirements

Each dynamic IPSec subscriber requires the use of two licenses:

One B-RAS license
Copyright © 2010, Juniper Networks, Inc.