For signaled IPSec tunnels, you can use an FQDN instead of the IP address to specify tunnel endpoints. You typically use this feature to identify the tunnel destination in broadband and DSL environments in which the destination does not have a fixed IP address. The remote device uses the FQDN to establish and authenticate the IPSec connection, and then uses the actual IP address for rekeying and filtering operations.
The ERX router FQDN feature supports both preshared keys and digital certificates. If it uses preshared keys, the router must use IKE aggressive mode to support FQDNs.
An identity string can include an optional user@ specification that precedes the FQDN. The entire string can be a maximum of 80 characters. For example, both of the following are supported:
- branch245.customer77.isp.net
- user4919@branch245.customer77.isp.net
With preshared key authentication and the user@fqdn identity format, the router first searches for the key using the entire identity string. If no entry matches that string, the router strips off the user@ part and performs a second search using only the FQDN part of the string.
With digital certificates, the two sides of the tunnel must use the same identity format, with or without the user@ specification; no stripping operation and no second search occurs.
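As an added illustration (not Juniper's code), the following Python models the identity-string rules and the two-stage preshared-key search described above, and contrasts it with the exact match required when certificates are used. The key table, its placeholder values, and the `parse_identity` helper are assumptions made for the example, not E-series internals.

```python
# Added example, not Juniper's code: models the FQDN / user@FQDN identity
# rules and the preshared-key lookup fallback described in the text.
from __future__ import annotations
import re

MAX_IDENTITY_LEN = 80  # whole identity string, including any user@ prefix

# Constructed sample preshared-key table keyed by IKE identity string
# (assumed layout; values are placeholders, not real keys).
PSK_TABLE = {
    "branch245.customer77.isp.net": "psk-for-branch245",
    "user1001@branch245.customer77.isp.net": "psk-for-user1001",
}

_FQDN_RE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")


def parse_identity(identity: str) -> tuple[str | None, str]:
    """Split an identity into (user, fqdn); user is None without a user@ part.
    Raises ValueError if the string is too long or the FQDN part is malformed."""
    if len(identity) > MAX_IDENTITY_LEN:
        raise ValueError("identity exceeds 80 characters")
    user, sep, fqdn = identity.rpartition("@")
    if not sep:
        user, fqdn = None, identity
    elif not user:
        raise ValueError("empty user part before '@'")
    if not _FQDN_RE.match(fqdn):
        raise ValueError(f"malformed FQDN: {fqdn!r}")
    return user, fqdn


def is_valid_identity(identity: str) -> bool:
    """True if the identity satisfies the length and format rules."""
    try:
        parse_identity(identity)
        return True
    except ValueError:
        return False


def lookup_preshared_key(identity: str, table=PSK_TABLE) -> tuple[str, str] | None:
    """Preshared keys: search the full string first, then fall back to the FQDN.
    Returns (matched_identity, key), or None if neither search hits."""
    user, fqdn = parse_identity(identity)
    if identity in table:
        return identity, table[identity]
    if user is not None and fqdn in table:  # second search, user@ stripped
        return fqdn, table[fqdn]
    return None


def certificate_identity_matches(local: str, peer: str) -> bool:
    """Certificates: both sides must use the same format; no stripping,
    no second search, so a user@ mismatch is simply a failed match."""
    parse_identity(local)
    parse_identity(peer)
    return local == peer
```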
Note: The E-series router does not support FQDN-to-IP address resolution by DNS.