JUNOSe 9.1.x IP Services Configuration Guide > Configuring Dynamic IPSec Subscribers > Configuring IPSec Tunnel Profiles

Configuring IPSec Tunnel Profiles

This sections explains how to configure the parameters that exist in the IPSec tunnel profile configuration mode.

Limiting Interface Instantiations on Each Profile

To define the maximum number of interfaces that the IPSec tunnel profile can instantiate, use the max-interfaces command. Once the profile reaches the maximum number of interfaces, the profile rejects any new interface instantiations and generates a warning-level log. The default value (using the no version of the command) specifies unlimited interface instantiation on a given profile.

max-interfaces

• Use to define the maximum number of interfaces that the IPSec tunnel profile can instantiate.
• Example

host1(config-ipsec-tunnel-profile)#max-interfaces 500

• Use the no version to return the maximum value to unlimited, indicating no limit to the number of interfaces that can be instantiated on this profile.

Specifying IKE Settings

This section describes how to define the IKE local identity and IKE peer identity values.

Setting the IKE Local Identity

To set the IKE local identity (phase 1 identity) used for IKE security association negotiations, use the ike local-identity command.

NOTE: The authentication algorithm for an IKE SA is associated with its identity. You must ensure that the client and server are set accordingly to successfully establish IKE security associations.

ike local-identity

• Use to set the IKE local identity used for IKE security association (SA) negotiations.
• Example

host1(config-ipsec-tunnel-profile)#ike local-identity domain-name domain1

• Use the no version to remove the specified IKE local identity.

Setting the IKE Peer Identity

To set the IKE peer identity values, use the ike peer-identity command. You can set the profile to accept logins from users that present one of the following:

• An asn1DN as an IKE identity type (an ASN.1-encoded distinguished name) and the user-provided IKE identity contains the substring configured for the profile.
• A userFQDN or FQDN as an IKE identity type and the domain name portion of the IKE identity matches the domain name setting for this profile. An empty string (default) means that IKE identity types of userFQDN and FQDN are not allowed for logins on this profile.

The IKE identity type of userFQDN also carries a domain name. Users presenting this identity must also pass any restrictions set for the peer domain name for this profile before they are able to log in.

• An IP address as an IKE identity type and the IP address resides within the specified network. The default of 0.0.0.0/0 allows any peer IP address to this profile.
• A userFQDN as an IKE identity type and the username portion of the IKE identity matches the username setting for this profile. An empty string (default) means that an IKE identity type of userFQDN is not allowed for logins on this profile.
  

  NOTE: You can also use the wildcard (*) for the username and domain name or as the first or last character in the username or domain name string.

  
  

ike peer-identity distinguished-name

    ike peer-identity domain-name

    ike peer-identity ip address

    ike peer-identity username

• Use to set the IKE peer identity used for IKE security association (SA) negotiations.
• Example

host1(config-ipsec-tunnel-profile)#ike peer-identity domain-name domain2

• Use the no version to remove the specified IKE peer identity.

Appending a Domain Suffix to a Username

The VPN to which a user is to be terminated is sometimes known from the IKE identities attached to the user. However, to assist in connecting users to the correct AAA domain for authentication, you can use the domain-suffix command to append a domain suffix to the username. Using the default, no domain suffix, passes usernames transparently to AAA.

domain-suffix

• Use to specify a domain suffix that you want to append to any usernames received on this profile.
• Example

host1(config-ipsec-tunnel-profile)#domain-suffix domain2

• Use the no version to restore the default value, no domain suffix, and usernames are passed transparently to AAA.

Overriding IPSec Local and Peer Identities for SA Negotiations

You can use the local ip identity and peer ip identity commands to override the local and peer identities used for SA negotiations (respectively).

local ip identity

• Use to override the local identity (phase 2 identity) used for IPSec security association negotiations. For IPSec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).
• Example

host1(config-ipsec-tunnel-profile)#local ip identity range 10.30.11.1 10.30.11.50

• Use the no version to restore the default value, the internal IP address allocated for the subscriber.

peer ip identity

• Use to override the peer identity (phase 2 identity) used for IPSec security association negotiations. For IPSec negotiations to succeed, the local and peer identities at one end of the tunnel must match the peer and local identities at the other end (respectively).
• Example

host1(config-ipsec-tunnel-profile)#peer ip identity address 10.227.1.2

• Use the no version to restore the default value, the internal IP address allocated for the subscriber.

Specifying an IP Profile for IP Interface Instantiations

The ip profile command specifies the IP profile that is passed from the IPSec layer to the IP layer upon request for upper layer instantiation.

ip profile

• Use to specify the IP profile that the IPSec layer passes on to the IP layer upon request for upper-layer instantiation.
• Example

host1(config-ipsec-tunnel-profile)#ip profile ipProfile1

• Use the no version to remove the association with this profile.

Defining the Server IP Address

The local ip address command defines the specified local IP address as the server address. The router monitors UDP port 500 for incoming login requests (that is, IKE SA negotiations) from users.

NOTE: This address is typically made public to all users trying to connect to a VPN on this router.

This command enables you to optionally set a global preshared key for the specified server address. When using global preshared keys, keep the following in mind:

• Global preshared keys enable a group of users to share a single authentication key, simplifying the administrative job of setting up keys for multiple users.
• Specific keys for individual users have higher priority than global keys. If both individual and global keys are configured, the individual that also has a specific key must use that key or authentication fails.
• More than one profile can specify the same local endpoint and virtual router. Because the last value set overrides the other, we recommend that you avoid this type of configuration.

local ip address

• Use to specify the given local IP address as a server address.
• Example

host1(config-ipsec-tunnel-profile)#local ip address 192.2.52.12

• Use the no version to stop the router from monitoring UDP port 500 for user requests and remove any preshared key associations with the local IP address.

Specifying Local Networks

The local ip network command enables you to specify local, reachable networks through the IPSec tunnel. This type of "split tunneling" enables a remote station to separate VPN traffic from Internet traffic. For example a client connecting to a corporate Intranet could use split-tunneling to send all traffic destined to 10.0.0.0/8 through the secure tunnel and reach the VPN. Other traffic (for example, Web browsing) would travel directly to the Internet through the local service provider without passing through the tunnel.

NOTE: Split tunneling functions only when supported by the client software. It is up to the client to modify its routing table with the network information for split tunneling to occur

local ip network

• Use to specify networks that are reachable through the IPSec tunnel. You can configure up to 16 networks for this method of "split-tunneling."
• Example

host1(config-ipsec-tunnel-profile)#local ip network 10.0.0.0 255.255.255.252

• Use the no version to remove the specified network from the reachable list.

Defining IPSec Security Association Lifetime Parameters

The lifetime command defines the IPSec SA lifetime parameters the tunnel profile can use for IPSec SA negotiations. These parameters include the phase 2 lifetime as a range in seconds or traffic volume.

lifetime

• Use to specify the IPSec lifetime parameters used on IPSec SA lifetime negotiations.
• Example

host1(config-ipsec-tunnel-profile)#lifetime seconds 5000 25000

• Use the no version to return the lifetime to its default value, 28800 seconds (8 hours) and no traffic volume limit.

Defining User Reauthentication Protocol Values

The extended-authentication command specifies the extended user authentication protocol for use during the extended user authentication protocol exchange.

The re-authenticate keyword enables the reauthentication option (a subsequent authentication procedure). When this option is enabled, rekeying of IKE SAs uses the initial authentication protocol to reauthenticate the user. When this option is disabled, authentication is only performed at the first IKE SA establishment. Subsequent IKE SAs rekey operations inherit the initial authentication and do not reauthenticate users.

NOTE: For maximum security, enable reauthentication.

The skip-peer-config keyword disables the router from configuring peer IP characteristics.

extended-authentication

• Use to specify the extended user authentication protocol for use during the extended user authentication protocol exchange. This command can also enable or disable the reauthentication option (a subsequent authentication procedure).
• The re-authenticate keyword enables the reauthentication option (a subsequent authentication procedure).
• The skip-peer-config keyword disables the router from configuring peer IP characteristics.
• Example

host1(config-ipsec-tunnel-profile)#extended-authentication chap

• Use the no version to reset the extended authentication to the default protocol, pap.

Specifying IPSEC Security Association Transforms

The transform command specifies the IPSec transforms that IPSec SA negotiations can use for this profile. The router accepts the first transform proposed by a client that matches one of the transforms specified by this command. During an IPSec SA exchange with a client, the router proposes all transforms specified by this command and one is accepted by the client.

NOTE: You can specify up to six transform algorithms for this profile.

For additional information about transforms and transform sets, see Chapter 6, Configuring IPSec.

transform

• Use to specify the eligible transforms for this profile for IPSec security association negotiations.
• Example

host1(config-ipsec-tunnel-profile)#transform ah-hmac-md5

• Use the no version to reset the transform to the default, esp-3des-sha1.

Specifying IPSec Security Association PFS and DH Group Parameters

The pfs group command specifies the IPSec SA perfect forward secrecy (PFS) option and Diffie-Hellman prime modulus group that IPSec SA negotiations can use for this profile.

NOTE: When the client initiates the IPSec negotiation, the router can accept Diffie-Hellman prime modulus groups that are higher than those configured.

For additional information about PFS, see Chapter 6, Configuring IPSec.

pfs group

• Use to configure perfect forward secrecy for connections created with this IPSec tunnel configuration profile by assigning a Diffie-Hellman prime modulus group.
• Example

host1(config-ipsec-tunnel-profile)#pfs group 5

• Use the no version to remove PFS from the profile.

Defining the Tunnel MTU

The tunnel mtu command configures the maximum transmission unit size for the tunnel.

tunnel mtu

• Use to configure the maximum transmission unit size for the tunnel.
• Example

host1(config-ipsec-tunnel-profile)#tunnel mtu 3000

• Use the no version to restores the default value, an MTU size of 1400 bytes.