Configuration Tasks

This section explains the steps to configure an IPSec license and IPSec parameters, create an IPSec tunnel, and define an ISAKMP/IKE policy. The next section contains configuration examples.

Configuring an IPSec License

By default, and with no IPSec tunnel license, you can configure up to 10 IPSec tunnels on an ERX router. However, you can purchase licenses that support the following IPSec tunnel maximums:

• 1000
• 2000
• 4000
• 8000
• 16000
• 32000

The number of additional tunnels is independent of the number of ISMs installed in the router. However, the router chassis enforces the following tunnel limits:

• SRP 10G – 10,000
• SRP 40G – 20,000

license ipsec-tunnels

• Use to specify an IPSec tunnel license.

  Note: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.

• Example

  host1(config)#license ipsec-tunnels license string

• Use the no version to disable the license.
• See license ipsec-tunnels.

Configuring IPSec Parameters

To configure IPSec:

1. For each endpoint, create a transform set that provides the desired encryption and authentication.

   host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha

   host1(config)#ipsec transform-set customerBprotection ah-hmac-md5

2. Add a preshared key that the routers use to authenticate each other.

   host1(config)#ipsec key manual pre-share 5.2.0.1

   host1(config-manual-key)#key customerASecret

   After you enter a preshared key, the router encrypts the key and displays it in masked form to increase the security of the key. If you need to reenter the key, you can enter it in its masked form using this command.

   To see the masked form of the key:

   host1#show config

   ipsec key manual pre-share 10.10.1.1

   masked-key “ AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO”

   To enter the masked key:

   host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO

3. Define the local endpoint used for ISAKMP/IKE negotiations for all IPSec tunnels in the router.

   host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8

4. (Optional) Set the global (default) lifetime for all SAs on the router.

   host1(config)#ipsec lifetime kilobytes 42000000

ipsec key manual pre-share

• Use to specify that a peer use a preshared key for authentication during the tunnel establishment phase, and to display the prompt that lets you enter the preshared key. To enter a key, use the key command.
• Specify the peer by using its IP address or fully qualified domain name (FQDN).
  • FQDNs are supported only for signaled tunnels.
  • The router must be in aggressive mode to use FQDNs with preshared keys.
  • The identity string can include an optional user@ specification preceding the FQDN.
• You must enter this command in the virtual router context where the IP address of the peer is defined.
• Example 1—using an IP Address

  host1(config)#ipsec key manual pre-share ip address 10.10.1.1

  host1(config-manual-key)#

• Example 2—using an FQDN

  host1(config)#ipsec key manual pre-share identity branch245.customer77.isp.net

  host1(config-manual-key)#

• Example 3—using an FQDN with user@ specification

  host1(config)#ipsec key manual pre-share identity user4919@branch245.customer77.isp.net

  host1(config-manual-key)#

• Use the no version to delete a manually configured key from the router.
• See ipsec key manual pre-share.

ipsec lifetime

• Use to set the global (default) lifetime in seconds or volume of traffic in kilobytes. The IPSec lifetime applies to tunnels that do not have a tunnel lifetime defined. When either limit is reached, the SA is renegotiated.
• To set a lifetime for all SAs on a tunnel, use the tunnel lifetime command.
• To set a lifetime for a specific SA, use lifetime .
• Example 1

  host1(config)#ipsec lifetime kilobytes 42000000

• Example 2

  host1(config)#ipsec lifetime seconds 8600

• Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).
• See ipsec lifetime.

ipsec local-endpoint

• Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPSec tunnels for a transport virtual router.
• You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined.
• Example

  host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router VR#8

• Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint.
• See ipsec local-endpoint.

ipsec transform-set

• Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality.
• Transform sets used for manually configured tunnels can have one transform.
• Transform sets used for signaled tunnels can have up to six transforms. The actual transform used on the tunnel is negotiated with the peer. Transforms are numbered in a priority sequence in the order in which you enter them.
• To display the names of the transforms that you can use in a transform set, issue the ipsec transform-set transformSetName ? command.
• Example

  host1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth

• Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set.
• See ipsec transform-set.

key

• Use to enter a manual preshared key.
• Preshared keys can have up to 256 ASCII alphanumeric characters. To include spaces in the key, enclose the key in quotation marks.
• Example 1

  host1(config-manual-key)#key dj5fe23owi8er49fdsa

• Example 2

  host1(config-manual-key)#key “ my key with spaces”

• There is no no version. To delete a key, use the no version of the ipsec key manual command.
• See key.

masked-key

• Use to enter the preshared key in masked form.
• For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it.
• To see the masked key, use the show config command.
• Example

  host1#show config

  ipsec key manual pre-share 10.10.1.1

  masked-key “ AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO”

  host1#configure terminal

  host1(config)#ipsec key manual pre-share 10.10.1.1

  host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO

• There is no no version. To delete a key, use the no version of the ipsec key manual command.
• See masked-key.

Creating an IPSec Tunnel

To create an IPSec tunnel:

1. Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface.

   host1(config)#virtual-router vrA

   host1:vrA(config)#

2. Create an IPSec tunnel, and specify the transport VR.

   host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default

   host1:vrA(config-if)#

3. Specify the IP address of this tunnel interface.

   host1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0

4. Specify the transform set that ISAKMP uses for SA negotiations.

   host1:vrA(config-if)#tunnel transform-set customerAprotection

5. Configure the local endpoint of the tunnel.

   host1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0

6. Configure the peer endpoint of the tunnel.

   host1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0

7. Specify an existing interface address that the tunnel uses as its source address.

   host1:vrA(config-if)#tunnel source 5.1.0.1

8. Specify the address or identity of the tunnel destination endpoint.

   host1:vrA(config-if)#tunnel destination identity branch245.customer77.isp.net

   host1:vrA(config-if)#exit

   Note: FQDNs are used when tunnel destination endpoints do not have a fixed address, as in cable and DSL environments.

9. For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.

   host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678

   host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b

10. (Optional) Configure PFS on this tunnel.

    host1:vrA(config-if)#tunnel pfs group 5

11. (Optional) Set the tunnel type to signaled or manual. The default is signaled.

    host1:vrA(config-if)#tunnel signaling isakmp

12. (Optional) Set the renegotiation time of the SAs in use by this tunnel.

    host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000

13. (Optional) Set the MTU size for the tunnel.

    host1(config-if)#tunnel mtu 2240

interface tunnel

• Use to create or configure an IPSec tunnel interface.
• Use the transport-virtual-router keyword to establish the tunnel on a virtual router other than the current virtual router context.
• Example

  host1(config)#interface tunnel ipsec:jak transport-virtual-router tvr041

  host1(config-if)#

• Use the no version to remove the tunnel.
• See interface tunnel.

tunnel destination

• Use to set the address or identity of the remote tunnel endpoint.
  • For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the remote tunnel endpoint, which does not have a fixed IP address.
  • The identity string can include an optional user@ specification preceding the FQDN.
• Example 1

  host1(config-if)#tunnel destination 10.10.11.12

• Example 2

  host1(config-if)#tunnel destination identity branch245.customer77.isp.net

• Example 3

  host1(config-if)#tunnel destination identity user4919@branch245.customer77.isp.net

• Use the no version to remove the address.
• See tunnel destination.

tunnel lifetime

• Use to set the renegotiation time of the SAs in use by this tunnel.
• To configure the lifetime in number of seconds, use the seconds keyword to specify the lifetime in the range 1800–864000.The default value is 28800 seconds.
• To configure the lifetime in amount of traffic, use the kilobytes keyword to specify the lifetime in the range 102400–4294967295. The default is an unlimited volume.
• If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line.
• Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation.
• Example

  host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000

• Use the no version to restore the default lifetime (28800 seconds) and an unlimited volume.
• See tunnel lifetime.

tunnel local-identity

• Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords:
  • address—Specifies an IP address as the local identity
  • subnet—Specifies a subnet as the local identity
  • range—Specifies a range of IP addresses as the local identity
• Example 1

  host1(config-if)#tunnel local-identity range 10.10.1.1 10.10.2.1

• Example 2

  host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0

• Use the no version to restore the default identity, which is subnet 0.0.0.0
  0.0.0.0
• See tunnel local-identity.

tunnel mtu

• Use to set the MTU size for the tunnel.
• Example

  host1(config-if)#tunnel mtu 2240

• Use the no version to restore the default MTU (1440).
• See tunnel mtu.

tunnel peer-identity

• Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:
  • address—Specifies an IP address as the peer identity
  • subnet—Specifies a subnet as the peer identity
  • range—Specifies a range of IP addresses as the peer identity
• Example 1

  host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2

• Example 2

  host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0

• Use the no version to remove the peer identity.
• See tunnel peer-identity.

tunnel pfs group

• Use to configure perfect forward secrecy (PFS) on this tunnel.
• Assign a Diffie-Hellman prime modulus group using one of the following keywords:
  • 1—768-bit group
  • 2—1024-bit group
  • 5—1536-bit group
• Example

  host1(config-if)#tunnel pfs group 5

• Use the no version to remove PFS from this tunnel.
• See tunnel pfs group.

tunnel session-key-inbound

• Use to manually configure the authentication or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
• Use the online Help to see a list of available algorithm sets.
• Each key is an arbitrary hexadecimal string. If the algorithm set includes:
  • DES, create an 8-byte key using 16 hexadecimal characters
  • 3DES, create a 24-byte key using 48 hexadecimal characters
  • MD5, create a 16-byte key using 32 hexadecimal characters
  • SHA, create a 20-byte key using 40 hexadecimal characters
• Example

  host1(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678

• Use the no version to remove inbound session keys from a tunnel.
• See tunnel session-key-inbound.

tunnel session-key-outbound

• Use to manually configure the authentication or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
• Use the online Help to see a list of available algorithm sets.
• The SPI is a number in the range 256–4294967295 that identifies an SA.
• Each key is an arbitrary hexadecimal string. If the algorithm set includes:
  • DES, create an 8-byte key using 16 hexadecimal characters
  • 3DES, create a 24-byte key using 48 hexadecimal characters
  • MD5, create a 16-byte key using 32 hexadecimal characters
  • SHA, create a 20-byte key using 40 hexadecimal characters
• Example

  host1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b

• Use the no version to remove outbound session keys from a tunnel.
• See tunnel session-key-outbound.

tunnel signaling

• Use to set the tunnel type to signaled (ISAKMP) or manual. Specify a keyword:
  • isakmp—Specifies to use ISAKMP/IKE to negotiate SAs and to establish keys
  • manual—Specifies that security parameters and keys are configured manually
• Example

  host1(config-if)#tunnel signaling manual

• Use the no version to restore the default value, isakmp.
• See tunnel signaling.

tunnel source

• Use to specify an existing interface address that serves as the tunnel's source address.
• For signaled IPSec tunnels in cable or DSL environments, you can optionally use an FQDN to identify the tunnel endpoint.
• Example

  host1(config-if)#tunnel source 10.10.2.8

• Use the no version to remove the tunnel source.
• See tunnel source.

tunnel transform-set

• Use to specify the transform set that ISAKMP uses during SA negotiations on this tunnel. You create transform sets using ipsec transform-set .
• Example

  host1(config-if)#tunnel transform-set espSet

• Use the no version to remove the transform set from a tunnel.
• See tunnel transform-set.

Configuring DPD and IPSec Tunnel Failover

You can use the ipsec option dpd command to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive. If an IPSec tunnel destination backup is configured, the router redirects traffic to the alternate destination when DPD detects a disconnection between the E Series router and the regular tunnel destination. See tunnel destination backup .

To enable DPD and create an alternate IPSec tunnel destination for failover:

1. Enable DPD on the router.

   host1(config)#ipsec option dpd

2. Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface (that is, the transport virtual router context).

   host1(config)#virtual-router vrA

   host1:vrA(config)#

3. Create an IPSec tunnel, and specify the transport VR.

   host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default

   host1:vrA(config-if)#

4. Specify the address or identity of the tunnel destination backup endpoint.

   host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net

ipsec option dpd

• Use to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive.
• You configure DPD on a per-virtual router basis.
• Both peers must support DPD.
• Example

  host1(config)#ipsec option dpd

• Use the no version to restore the default, which disables DPD.
• See ipsec option dpd.

tunnel destination backup

• Use to specify the address or identity of the remote IPSec tunnel endpoint that is a backup tunnel destination. When DPD detects a disconnection between the E Series router and the regular IPSec tunnel destination, the router redirects traffic to the tunnel destination backup, and vice versa.
• You can use either the IP address or fully qualified domain name (FQDN) to identify the backup IPSec tunnel, however you must use the same type of identity that is used to specify the regular tunnel destination.
  • For signaled IPSec tunnels in cable or DSL environments, use the FQDN to identify the tunnel destination backup, which does not have a fixed IP address.
  • The identity string can include an optional user@ specification preceding the FQDN (this is also known as a user FQDN).

    Note: If you use a FQDN to specify the IPSec tunnel destination backup, the tunnel is not initiated by the ERX router. However, the router does respond to negotiations for this backup tunnel.

• Examples

  host1(config-if)#tunnel destination backup 10.10.11.15

  host1(config-if)#tunnel destination backup identity branch245.customer88.isp.net

  host1(config-if)#tunnel destination backup identity user4925@branch245.customer88.isp.net

• Use the no version to restore the default in which the regular tunnel destination is also the backup tunnel destination.
• See tunnel destination backup.

Defining an IKE Policy

IKE policies define parameters that the router uses during IKE phase 1 negotiation.

To create an IKE policy:

You can then set the following parameters, or use the default settings:

• Allow aggressive mode negotiation.

  host1(config-ike-policy)#aggressive-mode

• Specify the authentication method.

  host1(config-ike-policy)#authentication pre-share

• Specify the encryption algorithm.

  host1(config-ike-policy)#encryption 3des

• Assign a Diffie-Hellman group.

  host1(config-ike-policy)#group 5

• Set the hash algorithm.

  host1(config-ike-policy)#hash md5

• Specify the lifetime of IKE SAs created using this policy.

  host1(config-ike-policy)#lifetime 360

aggressive-mode

• Use to enable aggressive mode negotiation for the tunnel.
• If you specify aggressive mode negotiation, the tunnel proposes aggressive mode to the peer in connections that the policy initiates.
• If the peer initiates a negotiation, the tunnel accepts the negotiation if the mode matches this policy.
• Use the accepted keyword to accept aggressive mode when proposed by peers
• Use the requested keyword to request aggressive mode when negotiating with peers
• Use the required keyword to only request and accept aggressive mode when negotiating with peers.
• Example

  host1(config-ike-policy)#aggressive-mode accepted

• Use the no version to set the negotiation mode to main mode.
• See aggressive-mode.

authentication

• Use to specify the authentication method the router uses in the IKE policy: preshared keys or RSA signature.
• Example

  host1(config-ike-policy)#authentication pre-share

• Use the no version to restore the default, preshared keys.
• See authentication.

encryption

• Use to specify one of the following encryption algorithms to use in the IKE policy:
  • 3des—168-bit 3DES-CBC
  • des—56-bit DES-CBC
• Example

  host1(config-ike-policy)#encryption 3des

• Use the no version to restore the default encryption algorithm, 3DES.
• See encryption.

group

• Use to assign a Diffie-Hellman group to the IKE policy. Specify:
  • 1—768-bit group
  • 2—1024-bit group
  • 5—1536-bit group
• Example

  host1(config-ike-policy)#group 5

• Use the no version to restore the default.
• See group.

hash

• Use to set the hash algorithm for the IKE policy:
  • md5—MD5 (HMAC variant)
  • sha—SHA-1 (HMAC variant)
• Example

  host1(config-ike-policy)#hash md5

• Use the no version to restore the default, sha.
• See hash.

ipsec ike-policy-rule

ipsec isakmp-policy-rule

Note: The command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.

• Use to define an IKE policy.
• When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
• You can add up to 10 IKE policies per router.
• Example

  host1(config)#ipsec ike-policy-rule 3

  host1(config-ike-policy)#

• Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
• See ipsec ike-policy-rule.
• See ipsec isakmp-policy-rule.

lifetime

• Use to specify the lifetime of IKE SAs.
• The range is 60–86400 seconds.

  host1(config-ike-policy)#lifetime 360

• Use the no version to reset the SA lifetime to the default, 28800 seconds.
• See lifetime.

Refreshing SAs

To refresh ISAKMP/IKE or IPSec SAs:

ipsec clear sa

• Use to refresh ISAKMP/IKE or IPSec SAs.
• To reinitialize all SAs, use the all keyword.
• To reinitialize SAs on a specific tunnel, use the tunnel keyword.
• To reinitialize SAs on tunnels that are in a specific state, use the state keyword.
• To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword.
• Example

  host1(config)#ipsec clear sa all phase 2

• There is no no version.
• See ipsec clear sa.

Enabling Notification of Invalid Cookies

The IKE protocol enables peers to exchange informational messages. The payload of these messages can be a notify type or a delete type. These messages are expected to be protected (encrypted) by the keys negotiated by the peers when they establish a security association as a result of the IKE phase 1 exchange.

If a responder peer does not recognize the initiator-responder cookie pair, it can send an invalid cookie notification message to the initiator. The responder might fail to recognize the cookie pair because it has lost the cookie, or because it deleted the cookie and then the peer lost the delete notification. Upon receipt of the invalid cookie notification, the initiator peer can delete the phase 1 state.

The ability to send the invalid cookie message is disabled by default. You can issue the ipsec option tx-invalid-cookie command to enable the feature on a per-transport-VR basis.

Even when you configure this feature, the E Series router does not respond when it receives an invalid cookie notification. These notifications are unprotected by a phase 1 key exchange and therefore are subject to denial-of-service (DOS) attacks. Instead, the E Series router can determine when a phase 1 relationship has gone stale by timeouts or use of dead peer detection (DPD). For this reason, this feature is useful only when the E Series router is a responding peer for non–E Series devices that cannot detect when the phase 1 relationship goes stale.

ipsec option tx-invalid-cookie

• Use to enable the router to send an invalid cookie notification to an IKE peer when the router does not recognize the initiator-responder cookie pair.
• Example

  host1(config)#ipsec option tx-invalid-cookie

• Use the no version to restore the default, disabling the ability to send an invalid cookie notification.
• See ipsec option tx-invalid-cookie.