Dynamic IPsec Subscribers Overview

You can use the E Series router to terminate users on multiple VPNs (that is, a private intranet where users can log in and access private servers). For the E Series router, VPNs appear as VRs or VRFs. Users that connect to the VPN terminate on the associated VR or VRF. The router contains a link between the VR or VRF and the private intranet containing the resources. This link can be a direct connection, or a tunnel (IPsec, IP-in-IP, GRE, or MPLS). Once a connection is established, the router can pass traffic between the VPN and connected users.

The E Series router already supports termination of secure remote access subscribers using L2TP and IPsec. In this model, IPsec uses transport mode to “protect” PPP subscribers that use L2TP tunnels as described in RFC 3193. However, because they are handled by the PPP and L2TP application, IPsec has no direct information about the subscribers. By terminating dynamic IPsec subscribers, the IPsec protocol manages the subscribers completely.

Dynamic Connection Setup

Dynamic secure remote access subscribers initiate connections to the E Series router by establishing an IPsec phase 1 security association (SA; also known as an IKE SA or P1) with the router.

After establishing a security association, the subscriber is instantiated in the IPsec software. Following this instantiation, the router initiates the extended authentication (Xauth) protocol exchange to prompt the user to enter a username and password. The router uses existing authentication, authorization, and accounting (AAA) functionality to authenticate the user data.

After granting access, the router instantiates an IP interface for the new subscriber as well as an access route for the IP address assigned to the subscriber on the terminating virtual router. The subscriber also obtains IP interface data (IP address, subnetwork mask, primary and secondary DNS address, primary and secondary WINS address, and so on) during a configuration exchange.

Once the interface is instantiated, the access route is created, and the client has been successfully set with interface data parameters, the router can terminate the Xauth exchange and enable the IPsec layer, and negotiation of phase 2 SAs (IPsec SAs or P2s) can begin. Following these exchanges, the full data path is ready and subscribers can exchange packets with the VR on which they terminate.
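The setup sequence above (phase 1 SA up, Xauth against AAA, interface data and access route assigned, then phase 2 SAs admitted) and the teardown that reverses it can be modelled as a small state machine. The following Python is an added illustration, not JunosE code: the AAA backend is a callable you supply, the address pool, DNS and WINS values are constructed, and the `DynamicIPsecVR`, `Subscriber` and `State` names are assumptions made for the example.

```python
"""Added model of the dynamic IPsec subscriber lifecycle (not JunosE code)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Callable, Optional


class State(Enum):
    XAUTH_PENDING = auto()     # P1 SA up, router has asked for username/password
    DATA_PATH_READY = auto()   # interface + access route exist, P2 SAs allowed
    TORN_DOWN = auto()


@dataclass
class InterfaceData:
    # Assumed field set; the page lists address, mask, DNS and WINS servers.
    address: str
    netmask: str
    dns: tuple
    wins: tuple


@dataclass
class Subscriber:
    peer: str                                  # remote peer identity (constructed)
    state: State = State.XAUTH_PENDING         # Xauth starts right after P1
    username: Optional[str] = None
    iface: Optional[InterfaceData] = None
    phase2_sas: list = field(default_factory=list)


class DynamicIPsecVR:
    """One terminating virtual router (VR) holding dynamic IPsec subscribers."""

    def __init__(self, aaa: Callable[[str, str], bool], address_pool: list,
                 dns=("10.0.0.53", "10.0.0.54"), wins=("10.0.0.44", "10.0.0.45")):
        self.aaa = aaa                        # AAA backend: (user, password) -> bool
        self.pool = list(address_pool)        # assumed local address pool
        self.dns, self.wins = dns, wins       # constructed server addresses
        self.subscribers: dict = {}
        self.access_routes: dict = {}         # host address -> peer

    def phase1_established(self, peer: str) -> Subscriber:
        """Peer completed the IKE SA; instantiate it and start Xauth."""
        sub = Subscriber(peer)
        self.subscribers[peer] = sub
        return sub

    def xauth_reply(self, peer: str, username: str, password: str) -> bool:
        """Xauth response from the peer; on success build the data path."""
        sub = self.subscribers[peer]
        if sub.state is not State.XAUTH_PENDING:
            raise RuntimeError(f"{peer}: Xauth reply in state {sub.state.name}")
        if not self.aaa(username, password) or not self.pool:
            self.teardown(peer)               # AAA reject or no address: deny
            return False
        addr = self.pool.pop(0)
        sub.username = username
        sub.iface = InterfaceData(addr, "255.255.255.255", self.dns, self.wins)
        self.access_routes[addr] = peer       # host route towards the subscriber
        sub.state = State.DATA_PATH_READY     # Xauth done, P2 may start
        return True

    def phase2_request(self, peer: str, spi: int) -> bool:
        """Accept a phase 2 SA only once the subscriber is fully set up."""
        sub = self.subscribers.get(peer)
        if sub is None or sub.state is not State.DATA_PATH_READY:
            return False
        sub.phase2_sas.append(spi)
        return True

    def teardown(self, peer: str) -> None:
        """Remove route, interface and SAs; return the address to the pool."""
        sub = self.subscribers.pop(peer)
        if sub.iface is not None:
            self.access_routes.pop(sub.iface.address, None)
            self.pool.append(sub.iface.address)
        sub.phase2_sas.clear()
        sub.state = State.TORN_DOWN

    def routes(self) -> dict:
        return dict(self.access_routes)


if __name__ == "__main__":
    users = {"alice": "pw"}                   # constructed AAA database
    vr = DynamicIPsecVR(lambda u, p: users.get(u) == p, ["192.0.2.10"])
    vr.phase1_established("peerA")
    print("P2 before Xauth:", vr.phase2_request("peerA", 0x100))
    print("Xauth:", vr.xauth_reply("peerA", "alice", "pw"), vr.routes())
    print("P2 after Xauth:", vr.phase2_request("peerA", 0x100))
```

The ordering is the point: a phase 2 request is refused until Xauth has completed and the access route exists, and a failed Xauth tears the subscriber down rather than leaving a half-built interface behind.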

Dynamic Connection Teardown

The following events can trigger the teardown of a dynamic IPsec subscriber connection:

Dynamic IPsec Subscriber Recognition

The E Series router expects to receive the Xauth vendor ID from the remote peer for dynamic interface instantiation. The expected Xauth vendor ID is 0x09002689DFD6B712.

Note: The E Series router does not initiate connections to new subscribers. Acceptable vendor IDs are global to the router and not user-configurable.

Phase 2 SAs intended for static tunnels and those intended for dynamic subscribers do not share the same phase 1 SA. This means that dynamic phase 1 SAs are only used to negotiate dynamic phase 2 SAs. Conversely, phase 1 SAs that are not recognized as dynamic are used only to negotiate phase 2 SA static tunnels.
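The recognition rule above is a byte comparison on the Vendor ID payload of the peer's phase 1 exchange, and the separation rule is a type check when phase 2 is negotiated. The following Python is an added example, not JunosE code: it walks the ISAKMP payload chain that follows the fixed message header (RFC 2408 generic payload header: next payload, reserved, length), classifies the phase 1 SA as dynamic when the Xauth vendor ID from the page is present, and gates phase 2 by matching kind. The sample messages, the placeholder SA body and the second vendor ID are constructed for the example.

```python
"""Added example (not JunosE code): recognising the Xauth vendor ID and
keeping dynamic and static phase 1 SAs apart."""
import struct

XAUTH_VENDOR_ID = bytes.fromhex("09002689DFD6B712")  # value given on the page
PAYLOAD_NONE = 0        # ISAKMP "no next payload"
PAYLOAD_SA = 1          # Security Association payload type
PAYLOAD_VENDOR_ID = 13  # Vendor ID payload type (RFC 2408)


def parse_payloads(first_payload: int, data: bytes) -> list:
    """Walk the chain of ISAKMP payloads that follows the 28-byte ISAKMP
    header. Each payload starts with a 4-byte generic header:
    next payload (1), reserved (1), payload length incl. header (2)."""
    payloads, ptype, offset = [], first_payload, 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack("!BBH", data[offset:offset + 4])
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[offset + 4:offset + length]))
        ptype, offset = next_type, offset + length
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return payloads


def is_well_formed(first_payload: int, data: bytes) -> bool:
    """True when the payload chain parses cleanly; malformed chains are
    rejected before any vendor ID comparison is attempted."""
    try:
        parse_payloads(first_payload, data)
        return True
    except ValueError:
        return False


def classify_phase1(first_payload: int, data: bytes) -> str:
    """'dynamic' if the peer sent the Xauth VID, otherwise 'static'."""
    for ptype, body in parse_payloads(first_payload, data):
        if ptype == PAYLOAD_VENDOR_ID and body == XAUTH_VENDOR_ID:
            return "dynamic"
    return "static"


def phase2_permitted(phase1_kind: str, phase2_kind: str) -> bool:
    """A dynamic P1 SA negotiates only dynamic-subscriber P2 SAs and a
    static P1 SA only static-tunnel P2 SAs; they never share a P1 SA."""
    return phase1_kind == phase2_kind


def build_payload(body: bytes, next_type: int) -> bytes:
    """Prefix a payload body with the generic header (used to build samples)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


# Constructed sample messages; the SA payload body is a placeholder.
SA_BODY = b"\x00\x00\x00\x01" + b"\x00" * 12
DYNAMIC_MSG = (PAYLOAD_SA, build_payload(SA_BODY, PAYLOAD_VENDOR_ID)
               + build_payload(XAUTH_VENDOR_ID, PAYLOAD_NONE))
OTHER_VID = bytes.fromhex("0011223344556677")   # constructed, not a real VID
STATIC_MSG = (PAYLOAD_SA, build_payload(SA_BODY, PAYLOAD_VENDOR_ID)
              + build_payload(OTHER_VID, PAYLOAD_NONE))

if __name__ == "__main__":
    print(classify_phase1(*DYNAMIC_MSG), classify_phase1(*STATIC_MSG))
    print(phase2_permitted("dynamic", "static"))
```

Length checks run on every payload header before the body is sliced, so a truncated or oversized length field is rejected rather than silently read past the buffer, and a peer that sends any vendor ID other than the expected Xauth value is simply treated as a static tunnel peer.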

Licensing Requirements

Each dynamic IPsec subscriber requires the use of two licenses:

If either license is unavailable, the router denies access to the subscriber.

Inherited Subscriber Functionality

Dynamic IPsec subscribers inherit much of the built-in AAA subscriber management functionality. This functionality includes the following:

For additional information on AAA functionality, see JunosE Broadband Access Configuration Guide.

Using IPsec Tunnel Profiles

IPsec tunnel profiles serve the following purposes in the configuration of dynamic IPsec subscribers:

New subscribers are mapped only to IPsec tunnel profiles after the initial IKE SA is established. Like IPsec tunnels, IKE policy rules are required to control IKE SA acceptance and denial.

Relocating Tunnel Interfaces

Unlike static IPsec tunnel interfaces, dynamic IPsec subscribers do not relocate if the IPsec server card becomes unavailable. If the IPsec server card becomes unavailable, all dynamic subscribers that are logged in and located on that server card are logged out and must log back in to connect.

User Authentication

For IPsec subscribers, user authentication occurs in two phases. The first phase is an IPsec-level authentication (phase 1 or IKE authentication). Sometimes referred to as “machine” authentication, because the user PC is authenticated, the first authentication phase verifies private or preshared keys that reside on the PC. These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed.

Depending on the IKE phase 1 exchange, restrictions on the authentication type or the access network setup might exist. To avoid any usage problems, keep the following in mind:

After the IPsec-level authentication takes place, a user authentication occurs. Often considered a legacy form of authentication, the user authentication (like RADIUS) typically requires the user to enter information in the form of a username and password.
