Overview

You can provide additional security to L2TP and IP tunnels by protecting them with an IPsec transport connection. Secure IP interfaces are virtual IP interfaces that are configured to provide confidentiality and authentication services for the traffic flowing through the interface; that traffic can be L2TP, GRE, and DVMRP tunnel traffic. See Configuring IPsec for detailed information about IPsec.

GRE, DVMRP, and L2TP over IPsec provide security only between tunnel endpoints; they do not provide end-to-end security. For end-to-end security, you need additional security for the connection beyond the router.

Tunnel Creation

ERX routers can have both unsecured GRE, DVMRP, and L2TP tunnels and tunnels that are secured by IPsec. However, unsecured L2TP tunnels are not allowed on the ISM. You use the following commands to create a secure tunnel:

• L2TP tunnels—Use the enable ipsec transport command in the L2TP destination profile
• GRE and DVMRP tunnels—Use the ipsec-transport keyword in the interface tunnel command

IPsec Secured-Tunnel Maximums

See JunosE Release Notes , Appendix A, System Maximums corresponding to your software release for information about the maximum number of GRE/IPsec, DVMRP/IPsec, and L2TP/IPsec connections supported on E Series routers.