Using IPSec Tunnel Profiles
IPSec tunnel profiles serve the following purposes
in the configuration of dynamic IPSec subscribers:
- Controlling, based on the IKE identity a peer presents, which connecting
subscribers belong to a given profile. Profile settings in this category
include the following:
- IKE identities of peers that are allowed to use this profile. These
identities can be IP addresses, domain names, or e-mail addresses; in
addition, distinguished names taken from X.509 certificates are permitted.
- The IKE identity that the router itself presents to peers.
- Specifying the security and IP profile settings that apply once a
subscriber has been mapped to an IPSec tunnel. These settings include the
following:
- Maximum number of subscribers that this profile can terminate
- AAA domain suffix intended for the username (helping to
bridge users from a given IPSec tunnel profile to an AAA domain map)
- Phase 2 SA selectors for use in phase 2 SA exchanges
- IP profiles intended for users logging in using this profile
(helping to bridge users from a given IPSec tunnel profile to an IP
profile)
- Reachable networks on the VPN (allowing for split tunneling
when supported by the client software)
- Security parameters intended to protect user traffic (including
IPSec encapsulating protocol, encryption algorithms, authentication
algorithms, lifetime parameters, perfect forward secrecy, and DH group
for key derivation)
- Setting the local IP address on which the router accepts IKE negotiations
from remote subscribers.
New subscribers are mapped to IPSec tunnel profiles only after the initial
IKE SA is established, so the identity used to select a profile has already
been authenticated during the IKE exchange. As with IPSec tunnels, IKE policy
rules are still required to control which IKE SAs are accepted and which are
denied; the tunnel profile does not replace them.
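The selection and enforcement flow described above, as an added illustration in Python (not vendor code and not the router's configuration syntax): a peer's already-authenticated IKE identity is matched against the identities each profile admits, the matching profile's subscriber limit and AAA domain suffix are applied, and its phase 2 security parameters are checked for weak settings. The profile names, the identity pattern syntax (CIDR prefix, `*.domain`, `*@domain`, RDN subset for distinguished names), the sample networks and the thresholds in `audit_security` are all assumptions made for this example.

```python
"""Hypothetical model of IPSec tunnel-profile selection (added example,
not vendor code).  It models the two jobs a tunnel profile does:
  1. decide, from the authenticated IKE identity, which profile a peer
     belongs to (IP address, FQDN, e-mail address or X.509 DN), and
  2. apply the profile's settings: subscriber limit, AAA domain suffix,
     and a sanity check of the phase 2 security parameters.
All profile contents, names, pattern syntax and thresholds are assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass
class SecurityParams:
    """Phase 2 parameters the profile applies to user traffic."""
    protocol: str          # "esp" or "ah"
    encryption: str        # e.g. "aes-256-cbc"
    authentication: str    # e.g. "hmac-sha256"
    lifetime_seconds: int  # phase 2 SA lifetime
    pfs: bool              # perfect forward secrecy on rekey
    dh_group: int          # DH group used for key derivation


@dataclass
class TunnelProfile:
    name: str
    peer_identities: List[str]     # patterns the profile admits (see match_identity)
    max_subscribers: int
    aaa_domain: str                # suffix appended to the username for AAA
    reachable_networks: List[str]  # pushed to clients that support split tunneling
    security: SecurityParams
    active: int = 0                # subscribers currently terminated on this profile


def identity_kind(identity: str) -> str:
    """Classify an IKE identity: 'dn', 'email', 'ip' or 'fqdn'."""
    if "=" in identity:
        return "dn"        # X.509 distinguished name, e.g. "CN=alice,O=Example"
    if "@" in identity:
        return "email"
    try:
        ipaddress.ip_address(identity)
        return "ip"
    except ValueError:
        return "fqdn"


def rdn_set(dn: str):
    """Normalise 'CN=bob, O=Example' into {('cn','bob'), ('o','example')}."""
    out = set()
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out.add((key.strip().lower(), value.strip().lower()))
    return out


def match_identity(pattern: str, identity: str) -> bool:
    """True if one profile pattern admits the peer identity (assumed syntax):
    ip: exact address or CIDR prefix; fqdn: exact or '*.example.net';
    email: exact or '*@example.net'; dn: every RDN in pattern is in the DN."""
    kind = identity_kind(identity)
    if kind == "ip":
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False   # pattern is not an address/prefix, cannot match
        return ipaddress.ip_address(identity) in net   # version mismatch -> False
    if kind in ("fqdn", "email"):
        wildcard = "*." if kind == "fqdn" else "*@"
        if pattern.startswith(wildcard):
            return identity.lower().endswith(pattern[1:].lower())
        return identity.lower() == pattern.lower()
    wanted = rdn_set(pattern)
    return bool(wanted) and wanted <= rdn_set(identity)


def select_profile(identity: str, profiles: List[TunnelProfile]) -> Optional[TunnelProfile]:
    """First profile whose identity list admits the peer; None means reject."""
    for profile in profiles:
        if any(match_identity(pat, identity) for pat in profile.peer_identities):
            return profile
    return None


def admit(profile: TunnelProfile, username: str) -> Optional[str]:
    """Enforce the per-profile subscriber limit; return the AAA username
    (user + domain suffix) or None when the profile is full."""
    if profile.active >= profile.max_subscribers:
        return None
    profile.active += 1
    return f"{username}@{profile.aaa_domain}"


WEAK_CIPHERS = {"des", "3des", "null"}   # assumed policy thresholds
WEAK_AUTH = {"hmac-md5", "none"}


def audit_security(params: SecurityParams) -> List[str]:
    """Flag phase 2 settings a reviewer would question (thresholds assumed)."""
    findings = []
    if params.protocol.lower() == "ah":
        findings.append("AH authenticates but does not encrypt user traffic")
    if params.encryption.lower() in WEAK_CIPHERS:
        findings.append(f"weak encryption {params.encryption}")
    if params.authentication.lower() in WEAK_AUTH:
        findings.append(f"weak authentication {params.authentication}")
    if not params.pfs:
        findings.append("PFS disabled: phase 2 keys derive from IKE SA keying material alone")
    if params.dh_group < 14:
        findings.append(f"DH group {params.dh_group} is below 2048-bit MODP strength")
    if params.lifetime_seconds > 8 * 3600:
        findings.append("phase 2 lifetime longer than 8 hours")
    return findings


def build_profiles() -> List[TunnelProfile]:
    """Constructed sample profiles: one strong parameter set, one weak."""
    strong = SecurityParams("esp", "aes-256-cbc", "hmac-sha256", 3600, True, 14)
    weak = SecurityParams("esp", "3des", "hmac-md5", 86400, False, 2)
    return [
        TunnelProfile("branch", ["192.0.2.0/24"], 50, "branch.example.net", ["10.10.0.0/16"], strong),
        TunnelProfile("remote-users", ["*@example.net", "*.vpn.example.net"], 2, "users.example.net", ["10.20.0.0/16"], strong),
        TunnelProfile("cert-users", ["O=Example Corp"], 100, "pki.example.net", ["10.30.0.0/16"], weak),
    ]


if __name__ == "__main__":
    profiles = build_profiles()
    for ident, user in [("192.0.2.7", "rtr1"), ("alice@example.net", "alice"),
                        ("CN=bob,O=Example Corp", "bob"), ("10.0.0.1", "stranger")]:
        profile = select_profile(ident, profiles)
        if profile is None:
            print(f"{ident}: no profile admits this identity, reject")
            continue
        print(f"{ident}: profile {profile.name}, AAA user {admit(profile, user)}, "
              f"findings {audit_security(profile.security)}")
```

Profiles are tried in order, so the first admitting pattern wins; a broad pattern such as `O=Example Corp` placed before a narrower one would capture every certificate from that organisation, which is the same ordering hazard that applies to the router's own profile list.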