Dynamic Implicit Rules

After successful negotiation with the dynamic peer, the key management process (kmd) creates a dynamic rule for the accepted phase 2 proxy and applies it on the local AS or MultiServices PIC. The source and destination addresses are specified by the accepted proxy. This rule is used to encrypt traffic directed to one of the end hosts in the phase 2 proxy identity.

The dynamic rule includes an ipsec-inside-interface value, which is the interface name assigned to the dynamic tunnel. The source-address and destination-address values are accepted from the proxy ID. The match-direction value is input for next-hop-style service sets.

Note: You do not configure this rule; it is created by the key management process (kmd).

Rule lookup for static tunnels is unaffected by the presence of a dynamic rule; it is performed in the order configured. When a packet is received for a service set, static rules are always matched first.

Dynamic rules are matched only after every static rule has failed to match.
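To make the lookup order and the shape of the kmd-created rule concrete, here is a small Python model written for this page; it is not Junos code and not taken from the documentation. The rule and interface names, the prefixes, and the mapping of the local/remote proxy prefixes onto source-address/destination-address are all assumptions of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    source_address: str          # prefix in CIDR notation
    destination_address: str
    match_direction: str         # "input" or "output"
    ipsec_inside_interface: Optional[str] = None  # set only on kmd-created dynamic rules

    def matches(self, src: str, dst: str, direction: str) -> bool:
        return (direction == self.match_direction
                and ip_address(src) in ip_network(self.source_address)
                and ip_address(dst) in ip_network(self.destination_address))

@dataclass
class ServiceSet:
    static_rules: List[Rule]                    # kept in configured order
    dynamic_rules: List[Rule] = field(default_factory=list)

def dynamic_rule_from_proxy(local_prefix: str, remote_prefix: str,
                            inside_interface: str) -> Rule:
    """Rule derived from an accepted phase 2 proxy ID for a next-hop-style service
    set (match-direction input). local->source, remote->destination is assumed."""
    return Rule(name=f"dynamic-{inside_interface}", source_address=local_prefix,
                destination_address=remote_prefix, match_direction="input",
                ipsec_inside_interface=inside_interface)

def lookup(service_set: ServiceSet, src: str, dst: str, direction: str) -> Optional[Rule]:
    """Static rules first, in configured order; dynamic rules only if none matched."""
    for rule in service_set.static_rules + service_set.dynamic_rules:
        if rule.matches(src, dst, direction):
            return rule
    return None

# Constructed sample service set: names and addresses are made up for illustration.
SERVICE_SET = ServiceSet(static_rules=[
    Rule("static-a", "10.1.0.0/24", "192.168.1.0/24", "input"),
    Rule("static-b", "10.0.0.0/8", "172.16.0.0/16", "input"),
])
# Dynamic rule as kmd would add it after phase 2 with a dynamic peer (assumed proxy ID).
SERVICE_SET.dynamic_rules.append(
    dynamic_rule_from_proxy("10.1.1.0/24", "172.16.0.0/12", "sp-1/2/0.1"))

def matched_rule_name(src: str, dst: str, direction: str = "input") -> Optional[str]:
    rule = lookup(SERVICE_SET, src, dst, direction)
    return rule.name if rule else None
```

A packet 10.1.1.7 to 172.16.3.4 falls inside both static-b and the dynamic rule, and static-b wins because static rules are always tried first; 10.1.1.7 to 172.20.0.1 reaches the dynamic rule only because no static rule covers it.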

Response to dead peer detection (DPD) hello messages takes place the same way with dynamic peers as with static peers. Initiating DPD hello messages from dynamic peers is not supported. For more information on DPD, see Configuring the Remote Address and Backup Remote Address.