Example: Dynamic Endpoint Tunneling Configuration

Figure 1 shows a local network N-1 located behind security gateway SG-1. SG-1 is a Juniper Networks router terminating dynamic peer endpoints. The tunnel termination address on SG-1 is 10.7.7.2 and the local network address is 172.16.1.0/24.
A remote peer router obtains addresses from an ISP pool and runs RFC-compliant IKE. Remote network N-2 has address 172.16.2.0/24 and is located behind security gateway SG-2 with tunnel termination address 10.7.7.1.
On Router SG-1, configure an IKE access profile that accepts proposals from SG-2. Apply the interface identifier defined in the access profile to the inside services interface, and apply the IKE access profile itself to the IPsec next-hop-style service set.
Router SG-1
```
[edit]
access {
    profile ike_access {
        client * {                    # Accepts proposals from specified peers that use the preshared key.
            ike {
                allowed-proxy-pair local 10.255.14.63/32 remote 10.255.14.64/32;
                pre-shared-key ascii-text "$ABC123"; # SECRET-DATA
                interface-id test_id; # Apply this ID to the inside services interfaces.
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        description "Connection to the local network";
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    so-1/0/0 {
        description "Connection to SG-2";
        no-keepalives;
        encapsulation cisco-hdlc;
        unit 0 {
            family inet {
                address 10.7.7.2/30;
            }
        }
    }
    sp-3/3/0 {
        unit 0 {
            family inet;
        }
        unit 3 {
            dial-options {
                ipsec-interface-id test_id; # Accepts dynamic endpoint tunnels.
                shared;
            }
            service-domain inside;
        }
        unit 4 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set dynamic_nh_ss {       # Create a next-hop service set
        next-hop-service {            # for the dynamic endpoint tunnels.
            inside-service-interface sp-3/3/0.3;
            outside-service-interface sp-3/3/0.4;
        }
        ipsec-vpn-options {
            local-gateway 10.7.7.2;
            ike-access-profile ike_access; # Apply the IKE access profile here.
        }
    }
}
```
Verifying Your Work
To verify proper operation of a dynamic endpoint tunnel configured on the AS PIC, use the following command:
show services ipsec-vpn ipsec security-associations (detail)
The following output is from this command run against the configuration example. The dynamically created rule _junos_ appears in the output, as do the dynamically established inbound and outbound security associations.
```
user@router> show services ipsec-vpn ipsec security-associations detail
Service set: dynamic_nh_ss

  Rule: _junos_ , Term: tunnel4, Tunnel index: 4
    Local gateway: 10.7.7.2, Remote gateway: 10.7.7.1
    Local identity: ipv4(any:0,[0..3]=10.255.14.63)
    Remote identity: ipv4(any:0,[0..3]=10.255.14.64)

    Direction: inbound , SPI: 428111023, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64

    Direction: outbound , SPI: 4035429231, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 27660 seconds
      Hard lifetime: Expires in 27750 seconds
      Anti-replay service: Enabled, Replay window size: 64
```
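As an added check that is not part of the Juniper example, the following Python parses output in the shape shown above and reports whether the dynamic tunnel is healthy: an inbound and an outbound SA both Installed, anti-replay enabled, and no retired cipher (the example's 3des-cbc is flagged). The fixture is re-typed from the page's output, and the field names are the ones that output uses.

```python
import re

# Constructed fixture: the page's output shape, re-typed (identity lines omitted).
SAMPLE_OUTPUT = """\
Service set: dynamic_nh_ss
  Rule: _junos_ , Term: tunnel4, Tunnel index: 4
    Local gateway: 10.7.7.2, Remote gateway: 10.7.7.1
    Direction: inbound , SPI: 428111023, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: Enabled, Replay window size: 64
    Direction: outbound , SPI: 4035429231, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Anti-replay service: Enabled, Replay window size: 64
"""

DEPRECATED_CIPHERS = {"des-cbc", "3des-cbc"}  # 3DES retired by NIST SP 800-131A
HEADER_KEYS = {"Service set", "Rule", "Local gateway", "Local identity", "Remote identity"}
_KV = re.compile(r"([A-Za-z -]+?)\s*:\s*([^,]+?)\s*(?:,|$)")  # "Key: value, Key: value"

def parse_sas(text):
    """One dict per 'Direction:' block; rule-level fields are copied into each SA."""
    header, sas = {}, []
    for line in text.splitlines():
        pairs = {k.strip(): v for k, v in _KV.findall(line)}
        first = next(iter(pairs), None)      # dicts keep insertion order
        if first == "Direction":
            sas.append({**header, **pairs})
        elif first in HEADER_KEYS:
            header.update(pairs)
        elif sas:
            sas[-1].update(pairs)
    return sas

def check_tunnel(sas):
    """Return findings; an empty list means both SAs are up and meet policy."""
    findings, by_dir = [], {sa["Direction"]: sa for sa in sas}
    for d in ("inbound", "outbound"):
        sa = by_dir.get(d)
        if sa is None:
            findings.append(f"no {d} SA present")
            continue
        if sa.get("State") != "Installed":
            findings.append(f"{d} SA state is {sa.get('State')}")
        if sa.get("Anti-replay service") != "Enabled":
            findings.append(f"{d} SA has anti-replay disabled")
        if sa.get("Encryption") in DEPRECATED_CIPHERS:
            findings.append(f"{d} SA uses deprecated cipher {sa['Encryption']}")
    return findings
```

Feed it the real command output (for example via `show services ipsec-vpn ipsec security-associations detail | no-more`) and treat any finding as a reason not to trust the tunnel yet.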