
Authentication Process

The remote (dynamic) peer initiates the negotiations with the local Juniper Networks router. The local router uses its default IKE and IPsec policies to match the proposals sent by the remote peer and negotiate the SA values. These implicit proposals list all the supported transforms that the local router expects from any dynamic peer.

If preshared key authentication is used, the preshared key is global for a service set. When seeking the preshared key for the peer, the local router matches the peer’s source address against any explicitly configured preshared keys in that service set. If a match is not found, the local router uses the global preshared key for authentication. This key is the one configured in the IKE access profile referenced by the service set.

Phase 2 of the authentication matches the proxy identities of the protected hosts and networks sent by the peer against a list of configured proxy identities. The accepted proxy identity is used to create the dynamic rules for encrypting the traffic. You can configure proxy identities by including the allowed-proxy-pair statement in the IKE access profile. If no entry matches, the negotiation is rejected.

If you do not configure the allowed-proxy-pair statement, the default value “ANY(0.0.0.0/0)-ANY” is applied, and the local router accepts any proxy identities sent by the peer. Both IPv4 and IPv6 addresses are accepted, but you must configure all IPv6 addresses manually.

Once the phase 2 negotiation completes successfully, the router builds the dynamic rules and inserts the reverse route into the routing table using the accepted proxy identity.
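The sequence above (preshared key selection, phase 2 proxy-identity matching with the ANY-ANY default, then the dynamic rule and reverse route) as an added illustrative model; this is not Juniper code. The `ServiceSet` class, the prefix-containment comparison, and the sample addresses and keys are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")  # default allowed-proxy-pair: ANY(0.0.0.0/0)-ANY

@dataclass
class ServiceSet:
    """Hypothetical model: a service set and the IKE access profile it references."""
    global_psk: bytes                                # key configured in the IKE access profile
    peer_psks: dict = field(default_factory=dict)    # explicit keys keyed by peer source address
    allowed_proxy_pairs: list = field(default_factory=list)  # (local_prefix, remote_prefix)

def select_preshared_key(ss, peer_addr):
    """An explicit key for the peer's source address wins; otherwise the global key."""
    return ss.peer_psks.get(ipaddress.ip_address(peer_addr), ss.global_psk)

def proxy_pair_allowed(ss, local_id, remote_id):
    """Phase 2 check: do the peer's proxy identities fall inside a configured pair?
    Prefix containment is an assumption; the page does not state the comparison rule.
    An empty list means the default ANY(0.0.0.0/0)-ANY, which is IPv4 only, so IPv6
    identities only match pairs that were configured explicitly."""
    pairs = ss.allowed_proxy_pairs or [(ANY, ANY)]
    for local, remote in pairs:
        try:
            if local_id.subnet_of(local) and remote_id.subnet_of(remote):
                return True
        except TypeError:      # IPv4 identity checked against an IPv6 pair, or vice versa
            continue
    return False

def negotiate(ss, peer_addr, local_id, remote_id):
    """Run the steps for one dynamic peer. local_id/remote_id are the proxy identities
    seen from the local router. Returns None when no entry matches (negotiation rejected)."""
    local_id = ipaddress.ip_network(local_id)
    remote_id = ipaddress.ip_network(remote_id)
    psk = select_preshared_key(ss, peer_addr)
    if not proxy_pair_allowed(ss, local_id, remote_id):
        return None
    # The accepted proxy identity drives both the dynamic rule and the reverse route.
    rule = {"src": str(local_id), "dst": str(remote_id), "action": "ipsec", "peer": peer_addr}
    reverse_route = {"prefix": str(remote_id), "next_hop": peer_addr}
    return {"psk": psk, "rule": rule, "reverse_route": reverse_route}

# Constructed sample configuration (documentation and private address ranges).
DEFAULT_SS = ServiceSet(global_psk=b"global-secret")
STRICT_SS = ServiceSet(
    global_psk=b"global-secret",
    peer_psks={ipaddress.ip_address("203.0.113.5"): b"branch5-secret"},
    allowed_proxy_pairs=[(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.0.0/16")),
                         (ipaddress.ip_network("2001:db8:1::/48"), ipaddress.ip_network("2001:db8:2::/48"))],
)
```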
