Configuring And Monitoring Nat-T; Single-Shot Tunnels; Table 17: Configuration And Monitoring Tasks For Nat-T - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

Software for E Series Broadband Services Routers IP Services Configuration Guide

Copyright © 2010, Juniper Networks, Inc.

Chapter 12: Securing L2TP and IP Tunnels with IPSec

Configuring and Monitoring NAT-T

For instructions on configuring and monitoring NAT-T, see the sections listed in Table 17 on page 283.

Table 17: Configuration and Monitoring Tasks for NAT-T

| Task | Command | See Section |
| --- | --- | --- |
| Enabling and disabling NAT-T on a virtual router | ipsec option nat-t | "Configuring NAT-T" on page 286 |
| Displaying information about the current NAT-T setting on a virtual router | show ipsec option | "Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels" on page 294 |
| Displaying information about the IKE SA negotiation when NAT-T is enabled | show ipsec ike-sa | "Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels" on page 294 |

Single-Shot Tunnels

You can use the single-shot-tunnel command in L2TP Destination Profile Host Configuration mode to configure a single-shot L2TP tunnel. Although single-shot tunnels are more typically configured for secure L2TP/IPSec tunnels, as described in this chapter, you can also configure single-shot tunnels for nonsecure L2TP tunnels that do not run over an IPSec connection.

A single-shot tunnel has the following characteristics:

- The L2TP tunnel can carry no more than a single L2TP session for the duration of its existence.
- The router ignores the idle timeout period for single-shot tunnels. This means that as soon as a single-shot tunnel's session is removed, the single-shot tunnel proceeds to disconnect.

The following characteristics apply only to secure L2TP/IPSec single-shot tunnels:

- The underlying IPSec connection for a single-shot tunnel can carry no more than a single L2TP tunnel for the duration of its existence.
- The router disconnects the underlying IPSec transport connection for a single-shot tunnel at the beginning of the destruct timeout period instead of waiting until the destruct timeout period expires.

For L2TP/IPSec single-shot tunnels, as soon as the tunnel or its single session fails negotiations or disconnects, the router prevents any further L2TP tunnels or L2TP sessions from connecting, and requires that a new IPSec connection be established for any subsequent connection attempts.

Table 18 on page 284 describes the differences between how the router handles the idle timeout period (configured with the l2tp tunnel idle-timeout command) and the destruct timeout period (configured with the l2tp destruct-timeout command) for standard
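The single-shot rules listed above for L2TP/IPSec tunnels can be checked against a sequence of tunnel events. The following is an added example, not code from the Juniper guide: the event tuple format, the event names and the function name are assumptions made for illustration and do not correspond to any JunosE log or command output.

```python
# Constructed event format (not a JunosE log format):
#   (ipsec_conn, l2tp_tunnel, event, session)
TERMINAL = {"session_down", "session_failed", "tunnel_down", "tunnel_failed"}

def audit_single_shot(events):
    """Return (index, reason) for each event that breaks a single-shot rule."""
    state = {}       # ipsec_conn -> {"tunnel": id, "session": id, "spent": bool}
    violations = []
    for i, (conn, tunnel, event, session) in enumerate(events):
        st = state.setdefault(conn, {"tunnel": None, "session": None, "spent": False})
        if event == "tunnel_up":
            if st["spent"]:
                violations.append((i, "tunnel on spent IPSec connection"))
            elif st["tunnel"] is not None:
                violations.append((i, "second tunnel on one IPSec connection"))
            else:
                st["tunnel"] = tunnel
        elif event == "session_up":
            if st["spent"]:
                violations.append((i, "session on spent IPSec connection"))
            elif tunnel != st["tunnel"]:
                violations.append((i, "session on unknown tunnel"))
            elif st["session"] is not None:
                violations.append((i, "second session on one tunnel"))
            else:
                st["session"] = session
        elif event in TERMINAL:
            # After any failure or disconnect, a new IPSec connection is required.
            st["spent"] = True
    return violations

# Constructed sample: connection A conforms; B and C reuse a spent connection.
SAMPLE = [
    ("A", "t1", "tunnel_up", None),
    ("A", "t1", "session_up", "s1"),
    ("A", "t1", "session_down", "s1"),
    ("A", "t1", "tunnel_down", None),
    ("B", "t2", "tunnel_up", None),
    ("B", "t2", "session_up", "s2"),
    ("B", "t2", "session_up", "s3"),      # second session while s2 is up
    ("B", "t2", "session_failed", "s3"),
    ("B", "t3", "tunnel_up", None),       # new tunnel after a failure
    ("C", "t4", "tunnel_failed", None),
    ("C", "t4", "session_up", "s4"),      # session after failed negotiation
]

if __name__ == "__main__":
    print(audit_single_shot(SAMPLE))
```

Events that the checker flags are connections a single-shot configuration should have refused, so any hit on real data points to a tunnel that is not actually running in single-shot mode or to an event source that is mislabelled.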
