Overview
You can use the E-series router to terminate users on multiple VPNs (that is, a private intranet where users can log in and access private servers). For the E-series router, VPNs appear as VRs or VRFs. Users that connect to the VPN terminate on the associated VR or VRF. The router contains a link between the VR or VRF and the private intranet containing the resources. This link can be a direct connection or a tunnel (IPSec, IP-in-IP, GRE, or MPLS). Once a connection is established, the router can pass traffic between the VPN and connected users.
The E-series router already supports termination of secure remote access subscribers using L2TP and IPSec. In this model, IPSec uses transport mode to "protect" PPP subscribers that use L2TP tunnels, as described in RFC 3193. However, because those subscribers are handled by the PPP and L2TP applications, IPSec has no direct information about them. When the router terminates dynamic IPSec subscribers instead, the IPSec layer manages the subscribers completely.
Dynamic Connection Setup
Dynamic secure remote access subscribers initiate connections to the E-series router by establishing an IPSec phase 1 security association (SA; also known as an IKE SA or P1) with the router.
After the security association is established, the subscriber is instantiated in the IPSec software. Following this instantiation, the router initiates the extended authentication (Xauth) protocol exchange to prompt the user for a username and password. The router uses existing authentication, authorization, and accounting (AAA) functionality to authenticate the user data.
After granting access, the router instantiates an IP interface for the new subscriber as well as an access route for the IP address assigned to the subscriber on the terminating virtual router. The subscriber also obtains IP interface data (IP address, subnetwork mask, primary and secondary DNS address, primary and secondary WINS address, and so on) during a configuration exchange.
Once the interface is instantiated, the access route is created, and the client has been successfully configured with the interface data parameters, the router can terminate the Xauth exchange and enable the IPSec layer, and negotiation of phase 2 SAs (IPSec SAs or P2s) can begin. Following these exchanges, the full data path is ready and subscribers can exchange packets with the VR on which they terminate.
Dynamic Connection Teardown
The following events can trigger the teardown of a dynamic IPSec subscriber connection:
- All phase 1 and phase 2 SAs are deleted by the remote peer and no rekeying activity occurs for one minute
- Administrative logout
- IPSec card terminating the user becoming unavailable (for example, the card is reloading, disabled, or disconnected)
- Dead peer detection (DPD) reporting the phase 1 SA is unreachable
- Authentication, authorization, and accounting session or idle timeout values expire
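The setup sequence and the teardown triggers above, modelled as a small state machine. This is an added illustration, not JUNOSe code: the state names, the event methods and the ordering of teardown checks are assumptions; the one-minute rekey grace period and the trigger list come from the text.

```python
from dataclasses import dataclass
# Lifecycle states of a dynamic IPSec subscriber, in the order the page describes them
NEW, P1_UP, XAUTH_OK, CONFIGURED, ACTIVE, TORN_DOWN = range(6)
REKEY_GRACE = 60.0  # seconds without rekeying, after the peer deleted all SAs, before teardown

@dataclass
class DynamicSubscriber:
    state: int = NEW
    p1_sas: int = 0               # live phase 1 (IKE) SAs
    p2_sas: int = 0               # live phase 2 (IPSec) SAs
    last_sa_event: float = 0.0    # time of the last SA setup, rekey or delete
    login_time: float = 0.0
    last_traffic: float = 0.0
    session_timeout: float = 0.0  # AAA Session-Timeout in seconds (0 = unlimited)
    idle_timeout: float = 0.0     # AAA Idle-Timeout in seconds (0 = unlimited)

    def phase1_established(self, now):
        # The subscriber initiates; the router never starts phase 1 toward a subscriber
        if self.state != NEW: raise RuntimeError("phase 1 already established")
        self.state, self.p1_sas, self.last_sa_event = P1_UP, 1, now

    def xauth_result(self, aaa_accepted, now):
        if self.state != P1_UP: raise RuntimeError("Xauth runs only after the IKE SA is up")
        if aaa_accepted:
            self.state, self.login_time, self.last_traffic = XAUTH_OK, now, now
        else:
            self.state = TORN_DOWN  # AAA rejected the username/password

    def configured(self):
        # Interface and access route exist and the client received IP, DNS and WINS data
        if self.state != XAUTH_OK: raise RuntimeError("configuration exchange follows Xauth")
        self.state = CONFIGURED

    def phase2_request(self, now):
        """Accept a phase 2 negotiation only once the subscriber is fully configured."""
        if self.state not in (CONFIGURED, ACTIVE): return False
        self.state, self.p2_sas, self.last_sa_event = ACTIVE, self.p2_sas + 1, now
        return True

def teardown_reason(sub, now, admin_logout=False, card_available=True, dpd_unreachable=False):
    """Return the first teardown trigger from the page that applies, or None to keep the session."""
    if admin_logout: return "administrative logout"
    if not card_available: return "IPSec card unavailable"
    if dpd_unreachable: return "DPD reports phase 1 SA unreachable"
    if sub.session_timeout and now - sub.login_time >= sub.session_timeout: return "AAA session timeout"
    if sub.idle_timeout and now - sub.last_traffic >= sub.idle_timeout: return "AAA idle timeout"
    if not (sub.p1_sas or sub.p2_sas) and now - sub.last_sa_event >= REKEY_GRACE:
        return "all SAs deleted and no rekeying for one minute"
    return None
```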
Dynamic IPSec Subscriber Recognition
The E-series router expects to receive the Xauth vendor ID from the remote peer for dynamic interface instantiation. The expected Xauth vendor ID is 0x09002689DFD6B712.
NOTE: The E-series router does not initiate connections to new subscribers. Acceptable vendor IDs are global to the router and not user-configurable.
Phase 2 SAs intended for static tunnels and those intended for dynamic subscribers do not share the same phase 1 SA. This means that dynamic phase 1 SAs are only used to negotiate dynamic phase 2 SAs. Conversely, phase 1 SAs that are not recognized as dynamic are used only to negotiate phase 2 SA static tunnels.
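An added example (not JUNOSe code) of the recognition step described above: it walks the ISAKMP payload chain of a peer's first phase 1 message, looks for a Vendor ID payload carrying the Xauth vendor ID quoted in the text, and classifies the phase 1 SA as dynamic or static accordingly. The header and generic payload layout follow RFC 2408; the sample messages are constructed here and the `build_message` helper is only for building them.

```python
import struct

VENDOR_ID_PAYLOAD = 13                                # ISAKMP payload type for Vendor ID (RFC 2408)
XAUTH_VENDOR_ID = bytes.fromhex("09002689DFD6B712")   # vendor ID the E-series expects from a dynamic peer
HDR = struct.Struct("!8s8sBBBBII")                     # ISAKMP header: cookies, next, ver, xchg, flags, msgid, len

def parse_payloads(message):
    """Walk the ISAKMP payload chain and return (payload type, body) pairs, validating all lengths."""
    if len(message) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, next_payload, _ver, _xchg, _flags, _mid, total_len = HDR.unpack_from(message)
    if total_len != len(message):
        raise ValueError("ISAKMP length field does not match the message size")
    offset, payloads = HDR.size, []
    while next_payload != 0:
        if offset + 4 > len(message):
            raise ValueError("truncated generic payload header")
        ptype = next_payload
        next_payload, _reserved, plen = struct.unpack_from("!BBH", message, offset)
        if plen < 4 or offset + plen > len(message):
            raise ValueError("bad payload length")
        payloads.append((ptype, message[offset + 4:offset + plen]))
        offset += plen
    return payloads

def is_dynamic_subscriber(message):
    """True when the peer sent the Xauth vendor ID: this phase 1 SA will only negotiate dynamic phase 2 SAs."""
    return any(ptype == VENDOR_ID_PAYLOAD and body == XAUTH_VENDOR_ID
               for ptype, body in parse_payloads(message))

def build_message(payloads, exchange_type=2):
    """Constructed-sample builder: assemble a first main-mode message (exchange type 2) from (type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0   # chain via the next-payload field
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return HDR.pack(b"\x11" * 8, bytes(8), first, 0x10, exchange_type, 0, 0, HDR.size + len(body)) + body

# Constructed samples: a minimal SA payload (type 1) followed by Vendor ID payloads
SA_BODY = bytes.fromhex("00000001")   # DOI = IPSEC; proposals omitted, the parser does not inspect them
OTHER_VID = bytes(16)                 # some vendor ID the router does not act on
DYNAMIC_MSG = build_message([(1, SA_BODY), (13, OTHER_VID), (13, XAUTH_VENDOR_ID)])
STATIC_MSG = build_message([(1, SA_BODY), (13, OTHER_VID)])
```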
Licensing Requirements
Each dynamic IPSec subscriber requires the use of two licenses:
If either license is unavailable, the router denies access to the subscriber.
Inherited Subscriber Functionality
Dynamic IPSec subscribers inherit much of the built-in AAA subscriber management functionality. This functionality includes the following:
- AAA subscriber management commands
- DNS (primary and secondary)
- WINS (primary and secondary)
- Session timeout
- Accounting features (interval, duplication, immediate update, broadcasting, Acct-stop)
- Duplicate address checking
- IP address pools
- Per virtual-router subscriber limit
- Policies
- Packet mirroring
For additional information on AAA functionality, see JUNOSe Broadband Access Configuration Guide, Chapter 1, Configuring Remote Access.
Using IPSec Tunnel Profiles
IPSec tunnel profiles serve the following purposes in the configuration of dynamic IPSec subscribers:
- Controlling which connecting user, based on the IKE identification, belongs to a given profile. Profile settings falling in this category include the following:
  - IKE identities from peers that can use this profile. These identities include IP addresses, domain names, and e-mail addresses. In addition, distinguished names that use X.509 certificates are permitted.
  - The router IKE identity.
- Determining the additional security and IP profile settings that apply after a subscriber is mapped to an IPSec tunnel profile. These settings include the following:
  - Maximum number of subscribers that this profile can terminate
  - AAA domain suffix intended for the username (helping to bridge users from a given IPSec tunnel profile to an AAA domain map)
  - Phase 2 SA selectors for use in phase 2 SA exchanges
  - IP profiles intended for users logging in using this profile (helping to bridge users from a given IPSec tunnel profile to an IP profile)
  - Reachable networks on the VPN (allowing for split tunneling when supported by the client software)
  - Security parameters intended to protect user traffic (including IPSec encapsulating protocol, encryption algorithms, authentication algorithms, lifetime parameters, perfect forward secrecy, and DH group for key derivation)
New subscribers are mapped to IPSec tunnel profiles only after the initial IKE SA is established. As with IPSec tunnels, IKE policy rules are required to control IKE SA acceptance and denial.
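An added example (not JUNOSe code) of the profile mapping the section describes: a peer's IKE identity selects a tunnel profile, the profile's subscriber limit is enforced, and its AAA domain suffix and IP profile are applied to the Xauth user. The matching rules (network match for addresses, suffix match for domain and e-mail identities, exact match for DNs), the deny-when-full behaviour and the sample profile values are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# IKE identification types a profile can match (type numbers from RFC 2407)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN = 1, 2, 3, 9

@dataclass
class TunnelProfile:
    name: str
    peer_ids: list          # (id_type, pattern) pairs: peers allowed to use this profile
    domain_suffix: str      # AAA domain suffix appended to the Xauth username
    ip_profile: str         # IP profile applied to users logging in through this profile
    max_subscribers: int    # maximum number of subscribers this profile can terminate
    active: int = 0

    def accepts(self, id_type, id_value):
        """Assumed matching rules: network match for addresses, suffix match for names, exact for DNs."""
        for ptype, pattern in self.peer_ids:
            if ptype != id_type:
                continue
            if id_type == ID_IPV4_ADDR and ipaddress.ip_address(id_value) in ipaddress.ip_network(pattern):
                return True
            if id_type in (ID_FQDN, ID_USER_FQDN) and id_value.lower().endswith(pattern.lower()):
                return True
            if id_type == ID_DER_ASN1_DN and id_value == pattern:
                return True
        return False

def map_subscriber(profiles, id_type, id_value, xauth_username):
    """Return (profile name, AAA username, IP profile) for a peer, or None when access is denied."""
    for profile in profiles:
        if not profile.accepts(id_type, id_value):
            continue
        if profile.active >= profile.max_subscribers:
            return None  # profile is full; assumed to deny rather than fall through to another profile
        profile.active += 1
        # Bridge to AAA: the suffix steers the user into the profile's AAA domain map
        return profile.name, f"{xauth_username}@{profile.domain_suffix}", profile.ip_profile
    return None  # no profile admits this IKE identity

# Constructed sample profiles (hypothetical names, domains and addresses)
PROFILES = [
    TunnelProfile("corp-laptops", [(ID_USER_FQDN, "@example.com"),
                                   (ID_DER_ASN1_DN, "CN=alice,O=Example")], "corp.example.com", "ip-corp", 2),
    TunnelProfile("partner-site", [(ID_IPV4_ADDR, "203.0.113.0/24"),
                                   (ID_FQDN, ".partner.example.net")], "partner.example.com", "ip-partner", 1),
]
```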
Relocating Tunnel Interfaces
Unlike static IPSec tunnel interfaces, dynamic IPSec subscribers do not relocate if the IPSec server card becomes unavailable. If the IPSec server card becomes unavailable, all dynamic subscribers that are logged in and located on that server card are logged out and must log back in to connect.
User Authentication
For IPSec subscribers, user authentication occurs in two phases. The first phase is an IPSec-level authentication (phase 1 or IKE authentication). Sometimes referred to as "machine" authentication, because the user PC is authenticated, the first authentication phase verifies private or preshared keys that reside on the PC. These keys are not easily moved from one PC to another and do not require user entry each time authentication is performed.
Depending on the IKE phase 1 exchange, restrictions on the authentication type or the access network setup might exist. To avoid any usage problems, keep the following in mind:
- If you are configuring a VPN where users perform preshared key IPSec authentication and use the IKE main mode exchange for phase 1, you must set up the access network such that the VPN has an exclusive local IP address.
- If you want to share a single server address on the access network for more than one VPN, you must either set the clients to use IKE aggressive mode or use a public and private key pair for authentication (this authentication type includes X.509v3 certificates).
After the IPSec-level authentication takes place, a user authentication occurs. Often considered a legacy form of authentication, the user authentication (like RADIUS) typically requires the user to enter information in the form of a username and password.