

Security Services Configuration Guidelines

To configure security services, include statements at the [edit security] hierarchy level:

[edit security]
certificates {
    cache-size bytes;
    cache-timeout-negative seconds;
    certification-authority ca-profile-name {
        ca-name ca-identity;
        encoding (binary | pem);
        crl file-name;
        file certificate-file-name;
        enrollment-url url-name;
        ldap-url url-name;
    }
    enrollment-retry number;
    local certificate-name;
    maximum-certificates number;
    path-length bytes;
}
ike {
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        dh-group (group1 | group2);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    policy ike-peer-address {
        description policy-description;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-file-name;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal [ ike-proposal-names ];
    }
}
ipsec {
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy ipsec-policy-name {
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposal [ ipsec-proposal-names ];
    }
    security-association name {
        mode (tunnel | transport);
        manual {
            direction (inbound | outbound | bi-directional) {
                auxiliary-spi auxiliary-spi;
                spi spi-value;
                protocol (ah | esp | bundle);
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                encryption {
                    algorithm (des-cbc | 3des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
            }
        }
        dynamic {
            replay-window-size (32 | 64);
            ipsec-policy policy-name;
        }
    }
}
traceoptions {
    file filename <files number> <size size>;
    flag all;
    flag database;
    flag general;
    flag ike;
    flag parse;
    flag policy-manager;
    flag routing-socket;
    flag timer;
}


Most of the configuration statements do not have default values. If you do not specify an identifier for a statement that does not have a default value, you cannot commit the configuration.
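As an added example that is not part of this guide, the following configuration uses the statements in the hierarchy above to build one dynamic, IKE-negotiated tunnel. The peer address 192.0.2.2, the proposal, policy and security-association names, and the pre-shared key text are placeholders. Wherever the hierarchy offers a choice, it takes the stronger option: main mode, dh-group group2, sha1 with 3des-cbc, ESP with perfect forward secrecy, and the larger replay window.

```junos
/* Added example; names, peer address and key are placeholders. */
security {
    ike {
        proposal ike-prop-strong {
            /* main mode + group2 + sha1/3des-cbc: strongest choices this hierarchy offers */
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy 192.0.2.2 {
            description "IKE peer for branch tunnel (placeholder address)";
            mode main;
            proposal ike-prop-strong;
            /* placeholder: use a long, random secret; avoid aggressive mode with PSKs */
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-SECRET";
        }
    }
    ipsec {
        proposal ipsec-prop-strong {
            /* esp rather than ah so that payload is encrypted as well as authenticated */
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec-pol-pfs {
            /* PFS forces a fresh DH exchange per IPsec SA rather than reusing IKE keying material */
            perfect-forward-secrecy {
                keys group2;
            }
            proposal ipsec-prop-strong;
        }
        security-association sa-to-branch {
            mode tunnel;
            dynamic {
                /* 64-packet window tolerates reordering while still rejecting replayed packets */
                replay-window-size 64;
                ipsec-policy ipsec-pol-pfs;
            }
        }
    }
}
```

A manual security-association (the manual { direction ... } branch above) would instead carry fixed SPIs and keys in the configuration itself; the dynamic form shown here leaves key generation and rekeying to IKE, so the lifetime-seconds values bound how long any one key is used.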

For information about IPSec monitoring and troubleshooting, see the JUNOS Internet Software Configuration Guide: Operational Mode Command Reference.

This chapter describes the following tasks for configuring Internet Protocol Security (IPSec) and the Internet Key Exchange (IKE):

