Securing L2TP and IP Tunnels with IPsec Overview
You can provide additional security to L2TP and IP tunnels by protecting them with an IPsec transport connection. Secure IP interfaces are virtual IP interfaces configured to provide confidentiality and authentication services for the traffic flowing through them; that traffic can be L2TP, GRE, or DVMRP tunnel traffic. For detailed information about IPsec, see Configuring IPsec.
GRE, DVMRP, and L2TP over IPsec protect traffic only between the two tunnel endpoints, that is, between the routers that terminate the IPsec transport connection; they do not provide end-to-end security. Traffic is in the clear before it enters the tunnel and after it leaves the far endpoint, so end-to-end protection requires additional security on the connection beyond the router.
This section describes the following topics:
- Tunnel Creation
- IPsec Secured-Tunnel Maximums
Tunnel Creation
The ERX routers can have both unsecured GRE, DVMRP, and L2TP tunnels and tunnels that are secured by IPsec. However, unsecured L2TP tunnels are not allowed on the IPsec Service module (ISM). You can use the following commands to create a secure tunnel:
- L2TP tunnels—Use the enable ipsec-transport command in the L2TP destination profile. For more information about enabling IPsec transport mode, see Enabling IPsec Transport Mode.
- GRE and DVMRP tunnels—Use the ipsec-transport keyword in the interface tunnel command. For more information about enabling IPsec support for GRE and DVMRP tunnels, see Enabling IPsec Support for GRE and DVMRP Tunnels.
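The following configuration fragment is an added illustration of the two methods above; it is not taken from the JunosE guide. Only the enable ipsec-transport command and the ipsec-transport keyword come from the text; the prompt format, the profile names (westcoast, secureGre1, ipsecProfile1), the virtual router name, the addresses, and the surrounding l2tp destination profile and interface tunnel syntax are assumptions made for the example and should be checked against the command reference for your release.

```text
! Added example, not from the JunosE guide. Names, addresses and the
! surrounding command syntax are assumed; only "enable ipsec-transport"
! and the "ipsec-transport" keyword are the commands named in the text.

! L2TP: enable IPsec transport mode inside the L2TP destination profile.
! The L2TP tunnel is then carried over the matching IPsec transport connection.
host1(config)#l2tp destination profile westcoast virtual-router default ip address 192.0.2.10
host1(config-l2tp-dest-profile)#enable ipsec-transport
host1(config-l2tp-dest-profile)#exit

! GRE (DVMRP is the same with dvmrp: in place of gre:): supply the
! ipsec-transport keyword when the tunnel interface is created, so the
! tunnel is bound to the secure IP interface rather than to plain IP.
host1(config)#interface tunnel gre:secureGre1 transport-virtual-router default ipsec-transport ipsecProfile1
host1(config-if)#tunnel source 192.0.2.10
host1(config-if)#tunnel destination 198.51.100.20
host1(config-if)#ip address 10.10.10.1 255.255.255.252
host1(config-if)#exit
```

Both tunnels are protected only on the hop between this router and the peer that terminates the IPsec transport connection; hosts behind either router still send and receive the inner traffic in the clear, which is the caveat stated above. On an ISM, omitting enable ipsec-transport from an L2TP destination profile is not a valid configuration, because unsecured L2TP tunnels are not allowed on that module.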
IPsec Secured-Tunnel Maximums
For information about the maximum number of GRE/IPsec, DVMRP/IPsec, and L2TP/IPsec connections supported on E Series routers, see the JunosE Release Notes, Appendix A, System Maximums corresponding to your software release.