Configuring Single-Shot Tunnels
To configure a single-shot L2TP/IPSec tunnel:
1. Create an L2TP destination profile, which defines the location of the LAC. The l2tp destination profile command accesses L2TP Destination Profile Configuration mode.
   host1(config)#l2tp destination profile boston4 ip address 0.0.0.0
   host1(config-l2tp-dest-profile)#
2. Create an L2TP host profile, which defines the attributes that the router, acting as the LNS, uses when communicating with the LAC. The remote host command accesses L2TP Destination Profile Host Configuration mode.
   host1(config-l2tp-dest-profile)#remote host default
   host1(config-l2tp-dest-profile-host)#
3. Specify that, for L2TP tunnels associated with this host profile, the router accept only tunnels protected by IPSec.
   host1(config-l2tp-dest-profile-host)#enable ipsec-transport
4. Specify that the L2TP tunnels associated with this host profile are single-shot tunnels.
   host1(config-l2tp-dest-profile-host)#single-shot-tunnel
5. (Optional) Configure other attributes for the L2TP host profile.
6. (Optional) Use the show l2tp destination profile command to verify configuration of the single-shot tunnel for a particular L2TP host profile. For information about how to use this command, see show l2tp destination profile.
For information about the other commands you can use to configure L2TP destination profiles and L2TP host profiles, see LNS Configuration Prerequisites.
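As an added example (not part of this documentation page and not Juniper code), the following Python audit walks a saved L2TP destination profile configuration and reports, for every remote host profile, which of the two statements from the procedure above (enable ipsec-transport and single-shot-tunnel) are missing. The configuration listing, profile names and LAC addresses are constructed for the example; the parser assumes the simplified indented layout shown in the sample.

```python
import re
from typing import Dict, List

# Constructed sample configuration listing (hypothetical names and addresses),
# laid out the way the procedure enters it: destination profile, then the
# remote host profiles beneath it with their host-mode statements.
SAMPLE_CONFIG = """\
l2tp destination profile boston4 ip address 0.0.0.0
 remote host default
  enable ipsec-transport
  single-shot-tunnel
 remote host lac-east
  enable ipsec-transport
l2tp destination profile chicago2 ip address 0.0.0.0
 remote host default
  single-shot-tunnel
"""

# Both statements are needed for a host profile to yield secure single-shot tunnels.
REQUIRED = ("enable ipsec-transport", "single-shot-tunnel")


def parse_l2tp_host_profiles(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {destination_profile: {remote_host: [statements]}} from the listing."""
    profiles: Dict[str, Dict[str, List[str]]] = {}
    dest = host = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"l2tp destination profile (\S+)", line)
        if m:                      # entering L2TP Destination Profile Configuration mode
            dest, host = m.group(1), None
            profiles[dest] = {}
            continue
        m = re.match(r"remote host (\S+)", line)
        if m and dest is not None:  # entering Destination Profile Host Configuration mode
            host = m.group(1)
            profiles[dest][host] = []
            continue
        if dest is not None and host is not None:
            profiles[dest][host].append(line)  # a host-mode statement
    return profiles


def audit_single_shot(config: str) -> Dict[str, List[str]]:
    """Map 'dest/host' to the REQUIRED statements it lacks; an empty list means
    the host profile is fully configured for secure single-shot tunnels."""
    findings: Dict[str, List[str]] = {}
    for dest, hosts in parse_l2tp_host_profiles(config).items():
        for host, stmts in hosts.items():
            findings[f"{dest}/{host}"] = [s for s in REQUIRED if s not in stmts]
    return findings
```

Run against the sample, boston4/default is complete, boston4/lac-east lacks single-shot-tunnel, and chicago2/default is single-shot but not restricted to IPSec-protected tunnels.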
single-shot-tunnel
- Use to configure the L2TP/IPSec tunnels associated with a particular L2TP host profile as single-shot tunnels.
- A single-shot tunnel can carry no more than a single L2TP session for the duration of its existence.
- The router ignores the idle timeout period for single-shot tunnels.
- The following characteristics apply only to secure L2TP/IPSec single-shot tunnels:
  - The underlying IPSec connection for a single-shot tunnel can carry no more than a single L2TP tunnel for the duration of its existence.
  - The router disconnects the underlying IPSec transport connection for a single-shot tunnel at the beginning of the destruct timeout period instead of waiting until the destruct timeout period expires.
  - A single-shot tunnel does not persist beyond its last connected L2TP session. As a result, using single-shot L2TP/IPSec tunnels instead of the default (standard) tunnel behavior provides better protection against a brute force attack that makes multiple, simultaneous authentication attempts.
- Example
  host1(config-l2tp-dest-profile-host)#single-shot-tunnel
- Use the no version to restore the default behavior for L2TP/IPSec tunnels, which disables the single-shot attribute.
- See single-shot-tunnel.