
Dynamic Connection Setup

Dynamic secure remote access subscribers initiate connections to the E-series router by establishing an IPSec phase 1 security association (SA; also known as an IKE SA or P1) with the router.

After establishing a security association, the subscriber is instantiated in the IPSec software. Following this instantiation, the router initiates the extended authentication (Xauth) protocol exchange to prompt the user to enter a username and password. The router uses existing authentication, authorization, and accounting (AAA) functionality to authenticate the user data.

After granting access, the router instantiates an IP interface for the new subscriber as well as an access route for the IP address assigned to the subscriber on the terminating virtual router. The subscriber also obtains IP interface data (IP address, subnetwork mask, primary and secondary DNS address, primary and secondary WINS address, and so on) during a configuration exchange.

Once the IP interface is instantiated, the access route is created, and the client is successfully set with interface data parameters, the router can terminate the Xauth exchange and enable the IPSec layer, and phase 2 SAs (IPSec SAs or P2s) can begin. Following these exchanges, the full data path is ready and subscribers can exchange packets with the VR on which they terminate.
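
The setup order described above can be expressed as a prerequisite check over a per-subscriber event sequence, which is useful when reviewing logs for a phase 2 SA that appears without a completed Xauth and AAA exchange. This is an added example, not code from the router or its documentation; the event names are hypothetical labels, and the model assumes the IP interface, access route, and configuration exchange all follow the AAA grant in no fixed mutual order.

```python
# Added example: event names below are hypothetical labels for the steps the
# page describes; they are not E-series log messages or CLI output.

# Each step maps to the steps that must already have completed.
PREREQS = {
    "p1_sa_established": set(),
    "subscriber_instantiated": {"p1_sa_established"},
    "xauth_started": {"subscriber_instantiated"},
    "aaa_access_granted": {"xauth_started"},
    # Assumption: all three follow the AAA grant, in no fixed mutual order.
    "ip_interface_created": {"aaa_access_granted"},
    "access_route_created": {"aaa_access_granted"},
    "client_config_set": {"aaa_access_granted"},
    "xauth_terminated": {"ip_interface_created", "access_route_created",
                         "client_config_set"},
    "p2_sa_established": {"xauth_terminated"},
}


def check_setup(events):
    """Return (index, event, missing_prerequisites) for each out-of-order step."""
    seen, violations = set(), []
    for i, event in enumerate(events):
        if event not in PREREQS:
            violations.append((i, event, ["unknown event"]))
            continue
        missing = sorted(PREREQS[event] - seen)
        if missing:
            violations.append((i, event, missing))
        seen.add(event)
    return violations


def data_path_ready(events):
    """True only if phase 2 was reached with every earlier step in order."""
    return "p2_sa_established" in events and not check_setup(events)


# Constructed sample sequences for one subscriber.
GOOD = ["p1_sa_established", "subscriber_instantiated", "xauth_started",
        "aaa_access_granted", "access_route_created", "ip_interface_created",
        "client_config_set", "xauth_terminated", "p2_sa_established"]
# Phase 2 appears without a completed Xauth/AAA exchange.
BAD = ["p1_sa_established", "subscriber_instantiated", "xauth_started",
       "p2_sa_established"]

if __name__ == "__main__":
    print(check_setup(GOOD), data_path_ready(GOOD))
    print(check_setup(BAD), data_path_ready(BAD))
```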

