Gre/Ipsec And Dvmrp/Ipsec Tunnels; Setting Up The Secure Gre Or Dvmrp Connection; Configuration Tasks - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

JunosE 11.3.x IP Services Configuration Guide

GRE/IPSec and DVMRP/IPSec Tunnels

Setting Up the Secure GRE or DVMRP Connection

Configuration Tasks

288
behavior provides better protection against a brute force attack that makes multiple,
simultaneous authentication attempts.
Example
host1(config-l2tp-dest-profile-host)#single-shot-tunnel
Use the no version to restore the default behavior for L2TP/IPSec tunnels, which
disables the single-shot attribute.
See single-shot-tunnel.
In GRE/IPSec or DVMRP/IPSec connections, E Series routers can act as source and
destination endpoints of the secure tunnel. Both sides of the connection run IPSec in
transport mode with Encapsulating Security Payload (ESP) encryption and authentication.
In a GRE/IPSec or DVMRP/IPSec connection, the E Series router initiates an IPSec
connection with a remote router. After establishing the IPSec connection, the E Series
router establishes a GRE or DVMRP tunnel to the remote router. The tunnel is completely
protected by the IPSec connection.
In Figure 29 on page 288, a secure GRE/IPSec connection is set up between two E Series
routers. To set up the secure connection:
Set up the IPSec connection between the two routers. IKE signals a security association
1.
(SA) between the two IPSec tunnel endpoints.
Two unidirectional SAs are established to secure data traffic.
Set up a GRE tunnel between the two routers.
2.
The GRE tunnel now runs over the SAs that IKE established.
Figure 29: GRE/IPSec Connection
The main configuration tasks for setting up GRE or DVMRP over IPSec on E Series routers
are:
Copyright © 2010, Juniper Networks, Inc.