[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Tunnel Mode

You use tunnel mode when IKE authenticates the peers, either with preshared keys or with digital certificates. In tunnel mode, encryption services are performed on an ES PIC.

When you use preshared keys, you manually configure a preshared key on each router, and it must match the key configured on its peer. With digital certificates, each router is dynamically or manually enrolled with a certificate authority (CA). When a tunnel is established, the public keys used for IPsec are dynamically obtained through IKE and validated against the CA certificate. This avoids the manual configuration of keys on routers within the topology: with certificates, adding a new router to the topology does not require any security configuration changes to existing routers.

To configure IPsec in tunnel mode, include the mode statement with the tunnel option at the [edit security ipsec security-association sa-name] hierarchy level:

[edit security ipsec security-association sa-name]
mode tunnel;

Note: Tunnel mode requires the ES PIC.
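The following is an added example, not configuration from this page or from the JUNOS documentation set. It shows where the mode tunnel statement sits inside a complete dynamic (IKE-negotiated) security association that uses a preshared key, with the corresponding IKE proposal and policy and the ES PIC interface that references the SA. Everything other than the mode tunnel statement is the editor's reconstruction of the ES PIC configuration hierarchy; the names ike-proposal-1, ipsec-proposal-1, ipsec-policy-1, sa-tunnel-1, the peer address 192.0.2.2, the placeholder key, and the interface es-0/0/0 are assumptions, and the surrounding statements should be checked against the JUNOS Services Interfaces Configuration Guide for the release in use.

```junos
/* Added example: a dynamic tunnel-mode SA authenticated with a preshared key.
   Names, addresses and the key are placeholders chosen for this example. */
security {
    ike {
        proposal ike-proposal-1 {
            /* authentication-method rsa-signatures would select certificate-based
               authentication; with pre-shared-keys the key below must match the peer */
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy 192.0.2.2 {
            /* main mode protects the peer identities; aggressive mode sends the
               PSK-based authentication hash before the exchange is encrypted */
            mode main;
            proposals ike-proposal-1;
            pre-shared-key ascii-text "placeholder-replace-with-a-long-random-secret";
        }
    }
    ipsec {
        proposal ipsec-proposal-1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-policy-1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-proposal-1;
        }
        security-association sa-tunnel-1 {
            /* the statement this section describes */
            mode tunnel;
            dynamic {
                ipsec-policy ipsec-policy-1;
                replay-window-size 64;
            }
        }
    }
}
interfaces {
    es-0/0/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;
                destination 192.0.2.2;
            }
            family inet {
                ipsec-sa sa-tunnel-1;
            }
        }
    }
}
```

Two points a practitioner should keep in mind when using this shape. First, the preshared key is stored in the configuration; the obfuscated form that JUNOS writes into the file is not encryption, so the configuration file itself must be protected and the key should be long and random rather than a memorable passphrase. Second, a new peer with preshared keys requires touching the configuration of every router it will talk to, which is exactly the manual-key-distribution cost that certificate-based authentication avoids, as the text above notes.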

The JUNOS software supports both BGP and OSPFv3 in transport mode.

To enable tunnel mode, follow the steps in these sections:

For more information about the ES PIC, see the JUNOS Services Interfaces Configuration Guide.
