JunosE 11.3.x IP Services Configuration Guide
Specifying IPSec Security Association PFS and DH Group Parameters
pfs group
Defining the Tunnel MTU
tunnel mtu
Defining IKE Policy Rules for IPSec Tunnels
Specifying a Virtual Router for an IKE Policy Rule
The pfs group command specifies the IPSec SA perfect forward secrecy (PFS) option
and Diffie-Hellman prime modulus group that IPSec SA negotiations can use for this
profile.
NOTE: When the client initiates the IPSec negotiation, the router can accept
Diffie-Hellman prime modulus groups that are higher than those configured.
For additional information about PFS, see "Configuring IPSec" on page 119.
Use to configure perfect forward secrecy for connections created with this IPSec tunnel
configuration profile by assigning a Diffie-Hellman prime modulus group.
Example
host1(config-ipsec-tunnel-profile)#pfs group 5
Use the no version to remove PFS from the profile.
See pfs group.
The tunnel mtu command configures the maximum transmission unit size for the tunnel.
Use to configure the maximum transmission unit size for the tunnel.
Example
host1(config-ipsec-tunnel-profile)#tunnel mtu 3000
Use the no version to restore the default value, an MTU size of 1400 bytes.
See tunnel mtu.
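An added example, not taken from the Juniper guide: a Python check that reads saved tunnel-profile configuration and reports profiles that lack pfs group or that use a Diffie-Hellman group below a chosen modulus size. Assumptions: the `ipsec tunnel profile NAME` header line, the profile names and the sample configuration are constructed for illustration, and the min_bits threshold is the auditor's own policy; the modulus sizes are the standard MODP values from RFC 2409 and RFC 3526.

```python
import re

# MODP modulus sizes: groups 1 and 2 (RFC 2409), groups 5 and 14 (RFC 3526).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
DEFAULT_MTU = 1400  # default tunnel MTU stated in the guide
# Assumption: each profile starts with a line of this form in the saved config.
PROFILE_RE = re.compile(r"^ipsec tunnel profile (\S+)$")
PFS_RE = re.compile(r"^pfs group (\d+)$")
MTU_RE = re.compile(r"^tunnel mtu (\d+)$")

# Constructed sample config; profile names are hypothetical.
SAMPLE = """\
ipsec tunnel profile branch-a
 pfs group 5
 tunnel mtu 3000
ipsec tunnel profile branch-b
 pfs group 2
ipsec tunnel profile branch-c
 tunnel mtu 1300
"""

def parse_profiles(text):
    """Map profile name -> {'pfs_group': int or None, 'mtu': int}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROFILE_RE.match(line):
            current = profiles.setdefault(m.group(1), {"pfs_group": None, "mtu": DEFAULT_MTU})
        elif current is not None and (m := PFS_RE.match(line)):
            current["pfs_group"] = int(m.group(1))
        elif current is not None and (m := MTU_RE.match(line)):
            current["mtu"] = int(m.group(1))
    return profiles

def audit(profiles, min_bits):
    """Flag profiles with no PFS or a group below min_bits (auditor's policy)."""
    findings = []
    for name in sorted(profiles):
        group = profiles[name]["pfs_group"]
        bits = MODP_BITS.get(group, 0)  # a group not in the table counts as 0 bits
        if group is None:
            findings.append((name, "PFS not configured"))
        elif bits < min_bits:
            findings.append((name, f"group {group} is {bits}-bit"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_profiles(SAMPLE), min_bits=1536):
        print(f"{name}: {issue}")
```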
This section describes enhancements to some IKE policy rule commands to support
dynamic IPSec subscribers.
The ip address virtual-router command enables an IKE policy rule to limit its scope to
a specific local IP address on a specific virtual router. When enabled, this limitation
ensures that this policy rule is evaluated for IKE security association evaluations for only
the specified IP address and virtual router.
Copyright © 2010, Juniper Networks, Inc.