Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
Juniper Networks, Inc.
1194 North Mathilda AvenueSunnyvale, CA 94089USA408-745-2000
www.juniper.net
Concepts & ExamplesScreenOS Reference Guide
Volume5:VirtualPrivateNetworks
 Release 6.2.0, Rev. 02
 
ii
Copyright Notice
Copyright © 2010 Juniper Networks, Inc. All rights reserved.Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc.in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, orregistered service marks are the property of their respective owners.All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for anyobligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publicationwithout notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class Adigital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when theequipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed andused in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residentialarea is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequencyenergy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception.This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCCrules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is noguarantee that interference will not occur in a particular installation.If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the useris encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution:
Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPEDWITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITEDWARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
 
Table of Contents
iii
Table of Contents
About This Volume
vii
Document Conventions.................................................................................viiiWeb User Interface Conventions ...........................................................viiiCommand Line Interface Conventions ...................................................viiiNaming Conventions and Character Types ..............................................ixIllustration Conventions ............................................................................xRequesting Technical Support..........................................................................xSelf-Help Online Tools and Resources.......................................................xiOpening a Case with JTAC........................................................................xiDocument Feedback.......................................................................................xi
Chapter1Internet Protocol Security
1
Introduction to Virtual Private Networks..........................................................2IPsec Concepts.................................................................................................3Modes........................................................................................................4Transport Mode..................................................................................4Tunnel Mode.......................................................................................4Protocols...................................................................................................5Authentication Header........................................................................6Encapsulating Security Payload...........................................................6Key Management......................................................................................7Manual Key.........................................................................................7AutoKey IKE........................................................................................7Key Protection....................................................................................8Security Associations.................................................................................8Tunnel Negotiation...........................................................................................9Phase1......................................................................................................9Main and Aggressive Modes..............................................................10Diffie-Hellman Exchange...................................................................11Phase2....................................................................................................11Perfect Forward Secrecy...................................................................12Replay Protection..............................................................................12IKE and IPsec Packets....................................................................................13IKE Packets.............................................................................................13IPsec Packets...........................................................................................16IKE Version 2...........................................................................................18Initial Exchanges...............................................................................18CREATE_CHILD_SA Exchange..........................................................20Informational Exchanges..................................................................20Enabling IKEv2 on a Security Device.......................................................20Example: Configuring an IKEv2 Gateway..........................................21Authentication Using Extensible Authentication Protocol..................25IKEv2 EAP Passthrough...........................................................................26
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.
    • Notes
    Load more