Configuring Encryption Interfaces


IPSec is discussed in detail in Chapter 7, "IP Security (IPSec)," on page 287.

The Internet Protocol security architecture (IPSec) provides a security suite for the IPv4 and IPv6 network layers. The suite provides data origin authentication, data integrity, confidentiality, and replay protection. Note that AH and ESP authenticate packets with a symmetric key shared by both peers, so IPSec by itself does not provide nonrepudiation of source; that would require a digital signature made with a key only one party holds. IPSec also defines mechanisms for key generation and exchange, management of security associations, and support for digital certificates. It defines a security association (SA) and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities.

To configure IPSec, your router must have an ES PIC.

Secure traffic travels through tunnel interfaces between remote hosts. You configure each IPSec tunnel as a logical interface on the ES PIC. To specify the tunnel's source and destination addresses (the addresses placed in the outer IP header of each encapsulated packet), include the tunnel statement:

    [edit interfaces]
    es-fpc/pic/port {
        unit logical-unit-number {
            tunnel {
                source address;
                destination address;
            }
        }
    }

IPSec runs in two modes: transport and tunnel. The ES PIC supports tunnel mode only.

A security association (SA) is the set of properties (protocol, algorithms, keys, and SPI) that define how traffic between two peers is protected. To bind an SA to an encryption interface, include the ipsec-sa statement with the name of an SA you have already configured (see Chapter 7):

    [edit interfaces es-fpc/pic/port unit logical-unit-number family inet]
    ipsec-sa sa-name;

You use firewall filters to select the traffic that flows through an IPSec tunnel; only packets matched by a filter term are handed to the SA, and everything else is handled by the remaining terms of the filter. To define the filters for inbound (decrypt) and outbound (encrypt) traffic, include the filter statement:

    [edit firewall]
    filter inbound-decrypt-filter;
    filter outbound-encrypt-filter;

To ensure that outbound traffic is encrypted before it leaves the router, apply the encrypt filter in the output direction of the interface that carries the tunnel by including the filter and output statements:

    [edit interfaces interface-name unit logical-unit-number family inet]
    filter {
        output outbound-encrypt-filter;
    }

See Chapter 8, "Routing Policy and Firewall Filters," on page 301.

To ensure that decrypted inbound traffic is checked against policy as it arrives, apply the decrypt filter in the input direction of the encryption interface by including the filter and input statements:

    [edit interfaces]
    interface-name {
        unit logical-unit-number {
            family inet {
                filter {
                    input inbound-decrypt-filter;
                }
            }
        }
    }

The protocol MTU value for encryption interfaces must always be less than the default interface MTU value of 3,900 bytes; the configuration fails to commit if you specify a greater value. Tunnel mode adds an outer IP header plus the ESP header, trailer, and authentication data to every packet, so the value you choose must also leave room for that overhead on the physical link that carries the tunnel. To set the MTU value, include the mtu statement:

    [edit interfaces interface-name unit logical-unit-number family inet]
    mtu bytes;
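Putting the statements above together, the following is a complete configuration for one tunnel. It is an added example, not taken from the book or from Juniper's documentation, and every identifier in it is an assumption: the ES PIC is in slot es-0/1/0, the SONET interface so-0/0/0 carries the tunnel, the tunnel endpoints are 192.0.2.1 (local) and 198.51.100.1 (remote), the protected subnets are 10.1.1.0/24 (local) and 10.2.2.0/24 (remote), and the SA is a manually keyed ESP SA named manual-sa1 configured at the [edit security ipsec] hierarchy described in Chapter 7. The keys are placeholders of the correct length for the algorithms named and must be replaced.

```junos
/* Added example; all names, addresses and keys are assumed placeholders. */
security {
    ipsec {
        security-association manual-sa1 {
            mode tunnel;                      /* the ES PIC supports tunnel mode only */
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 2312;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "0123456789abcdefghij";      /* 20-byte placeholder */
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "0123456789abcdefghijklmn";  /* 24-byte placeholder */
                    }
                }
            }
        }
    }
}
firewall {
    /* Outbound: only traffic from the local to the remote subnet is handed to the SA;
       the final term keeps unrelated traffic flowing unencrypted instead of dropping it. */
    filter outbound-encrypt-filter {
        term to-remote-site {
            from {
                source-address {
                    10.1.1.0/24;
                }
                destination-address {
                    10.2.2.0/24;
                }
            }
            then ipsec-sa manual-sa1;
        }
        term everything-else {
            then accept;
        }
    }
    /* Inbound: after decryption the inner addresses must match the expected subnets;
       anything else that surfaces on the encryption interface is discarded. */
    filter inbound-decrypt-filter {
        term from-remote-site {
            from {
                source-address {
                    10.2.2.0/24;
                }
                destination-address {
                    10.1.1.0/24;
                }
            }
            then accept;
        }
        term drop-other {
            then discard;
        }
    }
}
interfaces {
    es-0/1/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;
                destination 198.51.100.1;
            }
            family inet {
                mtu 3800;                     /* must stay below the 3,900-byte default */
                ipsec-sa manual-sa1;
                filter {
                    input inbound-decrypt-filter;
                }
                address 10.5.5.1/32 {
                    destination 10.5.5.2;
                }
            }
        }
    }
    so-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output outbound-encrypt-filter;
                }
                address 192.0.2.1/30;         /* the tunnel source must be an address on this link */
            }
        }
    }
}
```

Routing is not shown: packets selected by outbound-encrypt-filter must already be routed out so-0/0/0 for the output filter to see them. The decrypt filter would discard unmatched traffic even without the explicit drop-other term, since a firewall filter's implicit final action is discard; the term is there so that a reader of the configuration sees the intent. Keep the MTU comfortably below the limit so that the outer header and ESP overhead do not push encrypted packets past the MTU of so-0/0/0.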


Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185
