JunosE Software for E Series Broadband Services Routers, IP Services Configuration Guide (2010-10-01): LNS Change of Port; Group Preshared Key; NAT Passthrough Mode; NAT Traversal
JunosE 11.3.x IP Services Configuration Guide


280

LNS Change of Port

In the L2TP world, the LNS is allowed to change its port number; this functionality is
currently not supported in ERX routers. IPSec allows only port 1701 to be used for
L2TP/IPSec tunnels. However, the LAC is allowed to use any source port it desires.

Group Preshared Key

Group preshared keys allow the provisioning of secure remote access by means of
L2TP/IPSec to networks that do not use a certificate authority (CA) to issue certificates.
A group preshared key is associated with a local IP address in the E Series router and is
used to authenticate L2TP/IPSec clients that target this IP address as their VPN server
address.

CAUTION: Group preshared keys are not fully secure, and we recommend
that you use digital certificates in place of group preshared keys. Group
preshared keys are open to man-in-the-middle attacks. To reduce this risk,
the ERX routers accept only IPSec connections that specify L2TP traffic
selectors for security associations (SAs) that are negotiated over IKE
connections authenticated with group preshared keys.

NAT Traversal

NAT devices can change the IP address and port number of a traversing IP packet.
Encrypted frames, in which an ESP header follows the IP header, may or may not get
through the NAT device.

NAT Passthrough Mode

You can set up the router to run in NAT passthrough mode, which causes the router to
not check UDP checksums. The reason is that a NAT device may change the IP address
while the UDP header is encrypted. In this case, the UDP checksum cannot be recalculated.
Not checking UDP checksums does not compromise security, because IPSec protects
UDP with an authentication algorithm far stronger than UDP checksums. To set up the
router to run in NAT passthrough mode, use the application l2tp-nat-passthrough
command.
We recommend that you configure the router to use NAT passthrough mode when the
NAT device provides a feature commonly known as IPSec passthrough.
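Why the receiver cannot verify the UDP checksum once a NAT has rewritten the outer address, and what skipping that check means, as an added Python model that is not code from the JunosE guide: it computes the UDP checksum over the RFC 768 pseudo-header, shows that a NAT address rewrite invalidates it when the UDP header is encrypted inside ESP and so cannot be fixed up by the NAT, and models a receiver that accepts the packet only when the ESP integrity check passes. The IP addresses, the sample payload and the esp_integrity_ok flag are constructed assumptions.

```python
import socket
import struct

# Constructed sample topology: client behind a NAT, E Series router as VPN server.
CLIENT_IP = "10.0.0.5"         # private address the client computed its checksum with
NAT_PUBLIC_IP = "203.0.113.7"  # address the NAT writes into the outer IP header
ROUTER_IP = "192.0.2.1"
SAMPLE_PAYLOAD = b"L2TP control message (constructed sample)"


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words, returned complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    # UDP pseudo-header: src addr, dst addr, zero, protocol 17, UDP length.
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 17, udp_len))


def build_l2tp_udp(src_ip: str, dst_ip: str, sport: int, payload: bytes) -> bytes:
    """Build a UDP datagram to port 1701 with a valid checksum for src_ip."""
    length = 8 + len(payload)
    seg = struct.pack("!HHHH", sport, 1701, length, 0) + payload
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + seg)
    if csum == 0:          # RFC 768: a computed zero is transmitted as all ones
        csum = 0xFFFF
    return struct.pack("!HHHH", sport, 1701, length, csum) + payload


def udp_checksum_ok(src_ip: str, dst_ip: str, udp: bytes) -> bool:
    """Verify the checksum using the addresses seen in the outer IP header."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0


def accept_l2tp_ipsec_packet(outer_src_ip: str, dst_ip: str, udp: bytes,
                             esp_integrity_ok: bool, nat_passthrough: bool) -> bool:
    """Model of the receiver's decision after ESP decryption.

    In transport-mode ESP the UDP header is encrypted, so a NAT that rewrites
    the outer source address cannot recompute the checksum; the pseudo-header
    the sender used no longer matches. ESP integrity is always enforced, so
    skipping the UDP checksum in passthrough mode loses no protection.
    """
    if not esp_integrity_ok:
        return False
    if nat_passthrough:
        return True
    return udp_checksum_ok(outer_src_ip, dst_ip, udp)
```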
For information about configuring NAT passthrough mode as part of an IPSec transport
profile, see "Configuring IPSec Transport Profiles" on page 289.
Using NAT passthrough mode is an adequate solution when a single remote user located
behind a NAT device needs secure access to an E Series router. However, NAT passthrough
mode does not support secure access to the router by multiple remote users at locations
such as hotels or airports where a NAT device resides between the router and the remote
users. In addition, NAT passthrough mode does not provide secure access for groups of
remote users at corporate locations where a NAT device resides between the company's
intranet and the public IP network.
Copyright © 2010, Juniper Networks, Inc.