User manual JUNIPER NETWORKS IP SERVICES CONFIGURATION GUIDE V 11.1.X

[. . . ] JUNOSeTM Software for E SeriesTM Broadband Services Routers IP Services Configuration Guide Release 11. 1. x Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www. juniper. net Published: 2010-04-04 Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. [. . . ] To configure the lifetime in amount of traffic, use the kilobytes keyword to specify the lifetime in the range 102400­4294967295. If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line. Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation. Example host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000 Use the no version to restore the default lifetime (28800 seconds) and an unlimited volume. See tunnel lifetime. tunnel local-identity Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords: address--Specifies an IP address as the local identity subnet--Specifies a subnet as the local identity range--Specifies a range of IP addresses as the local identity Example 1 host1(config-if)#tunnel local-identity range 10. 10. 1. 1 10. 10. 2. 1 Example 2 host1(config-if)#tunnel local-identity subnet 10. 10. 1. 1 255. 255. 255. 0 Use the no version to restore the default identity, which is subnet 0. 0. 0. 0 0. 0. 0. 0 See tunnel local-identity. Configuration Tasks 151 JUNOSe 11. 1. x IP Services Configuration Guide tunnel mtu Use to set the MTU size for the tunnel. Example host1(config-if)#tunnel mtu 2240 Use the no version to restore the default MTU (1440). See tunnel mtu. tunnel peer-identity Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords: address--Specifies an IP address as the peer identity subnet--Specifies a subnet as the peer identity range--Specifies a range of IP addresses as the peer identity Example 1 host1(config-if)#tunnel peer-identity range 10. 10. 1. 1 10. 10. 2. 2 Example 2 host1(config-if)#tunnel peer-identity subnet 130. 10. 1. 1 255. 255. 255. 0 Use the no version to remove the peer identity. See tunnel peer-identity. tunnel pfs group Use to configure perfect forward secrecy (PFS) on this tunnel. Assign a Diffie-Hellman prime modulus group using one of the following keywords: 1--768-bit group 2--1024-bit group 5--1536-bit group Example host1(config-if)#tunnel pfs group 5 Use the no version to remove PFS from this tunnel. See tunnel pfs group. tunnel session-key-inbound 152 Configuration Tasks Chapter 5: Configuring IPSec Use to manually configure the authentication or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual. If the algorithm set includes: DES, create an 8-byte key using 16 hexadecimal characters 3DES, create a 24-byte key using 48 hexadecimal characters MD5, create a 16-byte key using 32 hexadecimal characters SHA, create a 20-byte key using 40 hexadecimal characters Example host1(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678 Use the no version to remove inbound session keys from a tunnel. See tunnel session-key-inbound. tunnel session-key-outbound Use to manually configure the authentication or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual. The SPI is a number in the range 256­4294967295 that identifies an SA. If the algorithm set includes: DES, create an 8-byte key using 16 hexadecimal characters 3DES, create a 24-byte key using 48 hexadecimal characters MD5, create a 16-byte key using 32 hexadecimal characters SHA, create a 20-byte key using 40 hexadecimal characters Example host1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b Use the no version to remove outbound session keys from a tunnel. See tunnel session-key-outbound. tunnel signaling Use to set the tunnel type to signaled (ISAKMP) or manual. Specify a keyword: isakmp--Specifies to use ISAKMP/IKE to negotiate SAs and to establish keys Configuration Tasks 153 JUNOSe 11. 1. x IP Services Configuration Guide manual--Specifies that security parameters and keys are configured manually Example host1(config-if)#tunnel signaling manual Use the no version to restore the default value, isakmp. See tunnel signaling. tunnel source Use to specify an existing interface address that serves as the tunnel's source address. For signaled IPSec tunnels in cable or DSL environments, you can optionally use an FQDN to identify the tunnel endpoint. [. . . ] Example host1(config)#license mobile-ip home-agent demo Use the no version to delete the license key configuration. See license mobile-ip home-agent. Monitoring the Mobile IP Home Agent Use the commands described in this section to set a statistics baseline, remove the binding table, and verify the configuration of the Mobile IP home agent on a virtual router. baseline ip mobile home-agent Use to set a statistics baseline for a specified Mobile IP home agent. Example host1#baseline ip mobile home-agent There is no no version. [. . . ]