User manual JUNIPER NETWORKS JUNOSE 11.2.X IP SERVICES CONFIGURATION

[. . . ] JunosETM Software for E SeriesTM Broadband Services Routers IP Services Configuration Guide Release 11. 2. x Published: 2010-06-29 Copyright © 2010, Juniper Networks, Inc. Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www. juniper. net Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. [. . . ] See ipsec lifetime. · ipsec local-endpoint 140 Copyright © 2010, Juniper Networks, Inc. Chapter 5: Configuring IPSec · Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPSec tunnels for a transport virtual router. You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined. Example host1(config)#ipsec local-endpoint 10. 10. 1. 1 transport-virtual-router VR#8 · · · Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint. See ipsec local-endpoint. · ipsec transform-set · Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality. Transform sets used for manually configured tunnels can have one transform. Transform sets used for signaled tunnels can have up to six transforms. Transforms are numbered in a priority sequence in the order in which you enter them. To display the names of the transforms that you can use in a transform set, issue the ipsec transform-set transformSetName ?Example host1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth · · · · · Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set. See ipsec transform-set. · key · · Use to enter a manual preshared key. Example 1 host1(config-manual-key)#key dj5fe23owi8er49fdsa · · Example 2 host1(config-manual-key)#key " my key with spaces" · There is no no version. See key. · masked-key Copyright © 2010, Juniper Networks, Inc. 141 JunosE 11. 2. x IP Services Configuration Guide · · Use to enter the preshared key in masked form. For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it. Example host1#show config ipsec key manual pre-share 10. 10. 1. 1 masked-key " AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO" host1#configure terminal host1(config)#ipsec key manual pre-share 10. 10. 1. 1 host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO · · · There is no no version. See masked-key. · Creating an IPSec Tunnel To create an IPSec tunnel: 1. Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface. host1(config)#virtual-router vrA host1:vrA(config)# 2. Create an IPSec tunnel, and specify the transport VR. host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default host1:vrA(config-if)# 3. Specify the IP address of this tunnel interface. host1:vrA(config-if)#ip address 10. 3. 0. 0 255. 255. 0. 0 4. Specify the transform set that ISAKMP uses for SA negotiations. host1:vrA(config-if)#tunnel transform-set customerAprotection 5. Configure the local endpoint of the tunnel. host1:vrA(config-if)#tunnel local-identity subnet 10. 1. 0. 0 255. 255. 0. 0 6. Configure the peer endpoint of the tunnel. host1:vrA(config-if)#tunnel peer-identity subnet 10. 3. 0. 0 255. 255. 0. 0 7. Specify an existing interface address that the tunnel uses as its source address. host1:vrA(config-if)#tunnel source 5. 1. 0. 1 8. Specify the address or identity of the tunnel destination endpoint. host1:vrA(config-if)#tunnel destination identity branch245. customer77. isp. net 142 Copyright © 2010, Juniper Networks, Inc. Chapter 5: Configuring IPSec host1:vrA(config-if)#exit NOTE: FQDNs are used when tunnel destination endpoints do not have a fixed address, as in cable and DSL environments. 9. For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs. host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678 host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b 10. (Optional) Configure PFS on this tunnel. host1:vrA(config-if)#tunnel pfs group 5 11. (Optional) Set the tunnel type to signaled or manual. The default is signaled. host1:vrA(config-if)#tunnel signaling isakmp 12. (Optional) Set the renegotiation time of the SAs in use by this tunnel. host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000 13. (Optional) Set the MTU size for the tunnel. host1(config-if)#tunnel mtu 2240 interface tunnel · · Use to create or configure an IPSec tunnel interface. Use the transport-virtual-router keyword to establish the tunnel on a virtual router other than the current virtual router context. [. . . ] See ip mobile secure host. · license mobile-ip home-agent · · Use to configure the license key to enable a home agent. Specify a name for the license key; up to a maximum of 16 alphanumeric characters. 312 Copyright © 2010, Juniper Networks, Inc. Chapter 13: Configuring the Mobile IP Home Agent · Example host1(config)#license mobile-ip home-agent demo · · Use the no version to delete the license key configuration. See license mobile-ip home-agent. Monitoring the Mobile IP Home Agent Use the commands described in this section to set a statistics baseline, remove the binding table, and verify the configuration of the Mobile IP home agent on a virtual router. baseline ip mobile home-agent · · Use to set a statistics baseline for a specified Mobile IP home agent. [. . . ]