The Internet Protocol security architecture (IPsec) provides a security suite for the IPv4 and IPv6 network layers. The suite provides functionality such as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. It also defines mechanisms for key generation and exchange, management of security associations, and support for digital certificates. IPsec defines a security association (SA) and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities.

To configure IPsec, your router must have an ES PIC. Secure traffic travels through tunnel interfaces between remote hosts. You configure each IPsec tunnel as a logical interface on the ES PIC. To specify the source and destination addresses, include the tunnel statement:

    [edit interfaces]
    es-fpc/pic/port {
        unit logical-unit-number {
            tunnel {
                source address;
                destination address;
            }
        }
    }

IPsec runs in two modes: transport and tunnel. The ES PIC supports tunnel mode only.

A security association is the set of properties that define the protocols for encrypting the Internet traffic. To configure encryption interfaces, specify the name of the security association (SA) associated with the interface by including the ipsec-sa statement:

    [edit interfaces es-fpc/pic/port unit logical-unit-number family inet]
    ipsec-sa sa-name;

You use firewall filters to direct traffic through an IPsec tunnel. To configure inbound and outbound traffic for an IPsec tunnel, include the filter statement:

    [edit firewall]
    filter inbound-decrypt-filter;
    filter outbound-encrypt-filter;

To ensure that outbound traffic is transmitted on the appropriate interface, include the filter and output statements:

    [edit interfaces interface-name unit logical-unit-number family inet]
    filter {
        output outbound-encrypt-filter;
    }
To ensure that inbound traffic is received on the appropriate interface, include the filter and input statements:

    [edit interfaces]
    interface-name {
        unit logical-unit-number {
            family inet {
                filter {
                    input inbound-decrypt-filter;
                }
            }
        }
    }

The protocol MTU value for encryption interfaces must always be less than the default interface MTU value of 3,900 bytes; the configuration fails to commit if you select a greater value. To set the MTU value, include the mtu statement:

    [edit interfaces interface-name unit logical-unit-number family inet]
    mtu bytes;
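The constraints above (tunnel endpoints, the ipsec-sa binding on the es- unit, filter references that resolve under [edit firewall], and an MTU below 3,900 bytes) can be checked offline before a commit. The following is an added example in Python, not Juniper code: it parses a small constructed configuration assembled from the statements on this page and reports violations; the interface names, SA name and addresses are made up.

```python
import re

MAX_MTU = 3900  # default interface MTU: the es- unit's family inet mtu must be strictly lower

def parse(text):  # braced Junos-style text -> nested dicts; leaf statements map to their value
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":  # open a block keyed by the words collected so far, e.g. "family inet"
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":  # leaf statement: first word is the key, the rest its value
            node[words[0]] = " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return root

# Constructed sample (not from the page): over-size MTU, and an output filter never defined under firewall.
SAMPLE_CONFIG = """\
interfaces { es-1/0/0 { unit 0 {
    tunnel { source 10.0.0.1; destination 10.0.0.2; }
    family inet { ipsec-sa sa-branch; mtu 4000; } } }
  ge-0/0/0 { unit 0 { family inet {
    filter { input inbound-decrypt-filter; output outbound-encrypt-filter; } } } } }
firewall { filter inbound-decrypt-filter { } }
"""

def check(cfg):
    """Apply the rules in the text; return a list of findings (empty means the config passes)."""
    findings, firewall = [], cfg.get("firewall", {})
    for ifname, iface in cfg.get("interfaces", {}).items():
        for uname, unit in iface.items():
            if not uname.startswith("unit "):
                continue  # skip per-interface leaves such as description
            inet = unit.get("family inet", {})
            if ifname.startswith("es-"):  # encryption interface: endpoints, SA binding, MTU bound
                for end in ("source", "destination"):
                    if end not in unit.get("tunnel", {}):
                        findings.append(f"{ifname} {uname}: tunnel {end} address missing")
                if "ipsec-sa" not in inet:
                    findings.append(f"{ifname} {uname}: no ipsec-sa under family inet")
                if int(inet.get("mtu", 0)) >= MAX_MTU:
                    findings.append(f"{ifname} {uname}: mtu {inet['mtu']} is not below {MAX_MTU}")
            for direction, name in inet.get("filter", {}).items():  # input/output references
                if f"filter {name}" not in firewall:
                    findings.append(f"{ifname} {uname}: {direction} filter {name} not defined under firewall")
    return findings
```

Running check(parse(SAMPLE_CONFIG)) reports the two planted problems; a configuration that satisfies every rule returns an empty list.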