Security Services Configuration Guidelines

To configure security services, include the following statements at the [edit security] hierarchy level:

[edit security]
certificates {
    cache-size bytes;
    cache-timeout-negative seconds;
    certification-authority ca-profile-name {
        ca-name ca-identity;
        encoding (binary | pem);
        crl file-name;
        file certificate-file-name;
        enrollment-url url-name;
        ldap-url url-name;
    }
    enrollment-retry number;
    local certificate-name;
    maximum-certificates number;
    path-length bytes;
}
ike {
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1);
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
        dh-group (group1 | group2);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    policy ike-peer-address {
        description policy-description;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-file-name;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal [ ike-proposal-names ];
    }
}
ipsec {
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
        protocol (ah | esp | bundle);
    }
    policy ipsec-policy-name {
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposal [ ipsec-proposal-names ];
    }
    security-association name {
        mode (tunnel | transport);
        manual {
            direction (inbound | outbound | bi-directional) {
                auxiliary-spi auxiliary-spi;
                spi spi-value;
                protocol (ah | esp | bundle);
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                encryption {
                    algorithm (des-cbc | 3des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
            }
        }
        dynamic {
            replay-window-size (32 | 64);
            ipsec-policy policy-name;
        }
    }
}
traceoptions {
    file filename <files number> <size size>;
    flag all;
    flag database;
    flag general;
    flag ike;
    flag parse;
    flag policy-manager;
    flag routing-socket;
    flag timer;
}

NOTE: Most of the configuration statements do not have default values. If you do not specify an identifier for a statement that does not have a default value, you cannot commit the configuration.
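The following is an added, complete configuration built only from the statements in the hierarchy above; it is not taken from the JUNOS documentation itself. It shows how the pieces reference each other for a dynamically keyed tunnel: an IKE proposal is named by an IKE policy, an IPSec proposal is named by an IPSec policy, and the security association's dynamic block names that IPSec policy. The proposal and policy names, the peer address 192.0.2.1, the trace file name, the lifetimes and the pre-shared key are all constructed values for illustration; replace them with your own. Where the hierarchy offers a choice, the example picks the stronger option it lists (sha1 over md5, 3des-cbc over des-cbc, group2 over group1, esp with PFS enabled).

```junos
[edit security]
ike {
    /* Constructed proposal name; IKE phase 1 parameters offered to the peer. */
    proposal ike-prop-sha1-3des {
        authentication-method pre-shared-keys;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        dh-group group2;
        lifetime-seconds 28800;
    }
    /* The policy identifier is the IKE peer address (192.0.2.1 is a constructed example). */
    policy 192.0.2.1 {
        description "IKE policy for the branch peer";
        mode main;
        proposal ike-prop-sha1-3des;
        /* Placeholder secret: commit a long random value that both peers share. */
        pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET";
    }
}
ipsec {
    /* Constructed proposal name; IPSec phase 2 parameters. */
    proposal ipsec-prop-esp {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-pfs {
        /* PFS forces a fresh Diffie-Hellman exchange whenever the IPSec SA is rekeyed. */
        perfect-forward-secrecy {
            keys group2;
        }
        proposal ipsec-prop-esp;
    }
    /* Constructed SA name; the dynamic block ties the SA to the policy above. */
    security-association sa-to-branch {
        mode tunnel;
        dynamic {
            /* The larger window tolerates more packet reordering while keeping replay protection on. */
            replay-window-size 64;
            ipsec-policy ipsec-pol-pfs;
        }
    }
}
traceoptions {
    /* Constructed trace file name; three rotated files of 1 MB each. */
    file kmd-trace files 3 size 1m;
    flag ike;
    flag policy-manager;
}
```

Before committing, check that every name on the right-hand side of a reference (the proposal in the IKE policy, the proposal in the IPSec policy, the ipsec-policy in the dynamic block) exactly matches a defined identifier, and that the IKE policy name is the address the remote peer will actually negotiate from; as the note above states, a missing identifier prevents the commit, and a mismatched one produces a tunnel that never comes up. The ike and policy-manager trace flags are the ones to turn on first when a negotiation fails, since they show which proposal the peer rejected.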

For information about IPSec monitoring and troubleshooting, see the JUNOS Internet Software Protocols, Class of Service, Chassis, and Management Command Reference.

This chapter describes the following tasks for configuring Internet Protocol Security (IPSec) and the Internet Key Exchange (IKE):
