Security Services Configuration Guidelines

To configure security services, include the following statements at the [edit security] hierarchy level:

[edit security] 
certificates {
    cache-size bytes;
    cache-timeout-negative seconds; 
    certification-authority ca-profile-name {
        ca-name ca-identity;
        crl file-name;
        encoding (binary | pem);
        enrollment-url url-name;
        file certificate-filename;
        ldap-url url-name;
    }
    enrollment-retry attempts;
    local certificate-filename {
        certificate-key-string;
        load-key-file key-filename;
    }
    maximum-certificates number;
    path-length certificate-path-length; 
}
ike { 
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1); 
        authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures); 
        description description;
        dh-group (group1 | group2); 
        encryption-algorithm (3des-cbc | des-cbc); 
        lifetime-seconds seconds; 
    }
    policy ike-peer-address {
        description description;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-filename;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key); 
        proposals [ proposal-names ]; 
    } 
}
ipsec { 
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96); 
        description description;
        encryption-algorithm (3des-cbc | des-cbc); 
        lifetime-seconds seconds; 
        protocol (ah | esp | bundle); 
    } 
    policy ipsec-policy-name {
        description description;
        perfect-forward-secrecy {
            keys (group1 | group2); 
        }
        proposals [ proposal-names ]; 
    } 
    security-association sa-name {
        description description;
        dynamic {
            ipsec-policy policy-name; 
            replay-window-size (32 | 64);
        }
        manual {
            direction (inbound | outbound | bi-directional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96); 
                    key (ascii-text key | hexadecimal key); 
                }
                auxiliary-spi auxiliary-spi;
                encryption {
                    algorithm (des-cbc | 3des-cbc); 
                    key (ascii-text key | hexadecimal key); 
                }
                protocol (ah | esp | bundle); 
                spi spi-value; 
            }
        }
        mode (tunnel | transport); 
    } 
}
traceoptions {
    file filename <files number> <size size>;
    flag all;
    flag database;
    flag general;
    flag ike;
    flag parse;
    flag policy-manager;
    flag routing-socket;
    flag timer;
}

NOTE: Most of the configuration statements do not have default values. If you do not specify an identifier for a statement that does not have a default value, you cannot commit the configuration.
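
The hierarchy above offers several option pairs where one choice is materially weaker than the other (md5 vs sha1, des-cbc vs 3des-cbc, group1 vs group2, aggressive vs main mode, and the optional perfect-forward-secrecy block). The following Python script is an added example, not part of the JUNOS documentation or the JUNOS software: it parses a constructed [edit security] configuration written in that hierarchy into nested dictionaries, then reports the weaker choices and any IKE policy that references an undefined proposal. The parser, the sample configuration (documentation peer addresses, a placeholder pre-shared key) and the wording of the findings are all assumptions of the example.

```python
# Example audit of a JUNOS-style [edit security] IKE/IPsec configuration.
# Not JUNOS code; the parser and sample configuration below are constructed.

# Constructed sample: two IKE proposals, two IKE policies, one IPsec proposal,
# two IPsec policies.  Peer addresses are documentation ranges, the PSK is a
# placeholder.
SAMPLE_CONFIG = """
security {
    ike {
        proposal ike-prop-weak {
            authentication-algorithm md5;
            authentication-method pre-shared-keys;
            dh-group group1;
            encryption-algorithm des-cbc;
        }
        proposal ike-prop-strong {
            authentication-algorithm sha1;
            authentication-method rsa-signatures;
            dh-group group2;
            encryption-algorithm 3des-cbc;
        }
        policy 192.0.2.1 {
            mode aggressive;
            pre-shared-key ascii-text "PLACEHOLDER-KEY";
            proposals [ ike-prop-weak ];
        }
        policy 198.51.100.1 {
            mode main;
            local-certificate router.crt;
            proposals [ ike-prop-strong ];
        }
    }
    ipsec {
        proposal ipsec-prop {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            protocol esp;
        }
        policy no-pfs {
            proposals [ ipsec-prop ];
        }
        policy with-pfs {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals [ ipsec-prop ];
        }
    }
}
"""


def parse_junos(text):
    """Parse brace-structured config: '{' opens a block keyed by its header,
    ';' ends a leaf statement keyed by its first word; values stay as text."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith(";"):
            words = line[:-1].split()
            stack[-1][words[0]] = " ".join(words[1:])
        else:
            raise ValueError("unrecognized line: " + line)
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def as_list(value):
    """Turn 'a' or '[ a b ]' into a list of names."""
    return value.strip("[] ").split()


def blocks(node, kind):
    """Yield (name, subtree) for child blocks with header '<kind> <name>'."""
    for header, child in node.items():
        parts = header.split()
        if isinstance(child, dict) and len(parts) == 2 and parts[0] == kind:
            yield parts[1], child


def audit_security(config):
    """Return findings for weak IKE/IPsec choices and dangling references."""
    findings = []
    sec = config.get("security", {})
    ike, ipsec = sec.get("ike", {}), sec.get("ipsec", {})
    ike_proposals = {}
    for name, prop in blocks(ike, "proposal"):
        ike_proposals[name] = prop
        if prop.get("authentication-algorithm") == "md5":
            findings.append(f"ike proposal {name}: md5 is deprecated, use sha1")
        if prop.get("encryption-algorithm") == "des-cbc":
            findings.append(f"ike proposal {name}: single DES is too weak, use 3des-cbc")
        if prop.get("dh-group") == "group1":
            findings.append(f"ike proposal {name}: group1 (768-bit MODP) is too small, use group2")
    for peer, pol in blocks(ike, "policy"):
        # Aggressive mode sends the identity payload in the clear and, with
        # pre-shared keys, exposes the PSK-derived hash to offline guessing.
        if pol.get("mode") == "aggressive":
            findings.append(f"ike policy {peer}: aggressive mode leaks peer identity, prefer main")
        for ref in as_list(pol.get("proposals", "")):
            if ref not in ike_proposals:
                findings.append(f"ike policy {peer}: references undefined proposal {ref}")
    for name, prop in blocks(ipsec, "proposal"):
        if prop.get("authentication-algorithm") == "hmac-md5-96":
            findings.append(f"ipsec proposal {name}: hmac-md5-96 is deprecated, use hmac-sha1-96")
        if prop.get("encryption-algorithm") == "des-cbc":
            findings.append(f"ipsec proposal {name}: single DES is too weak, use 3des-cbc")
    for name, pol in blocks(ipsec, "policy"):
        # Without PFS, compromise of the IKE SA keys exposes every IPsec SA it negotiated.
        if "perfect-forward-secrecy" not in pol:
            findings.append(f"ipsec policy {name}: no perfect-forward-secrecy, add keys group2")
    return findings


if __name__ == "__main__":
    for finding in audit_security(parse_junos(SAMPLE_CONFIG)):
        print(finding)
```

On the sample above the script reports five findings: three against ike-prop-weak, one against the aggressive-mode policy for 192.0.2.1, and one against the ipsec policy no-pfs; the proposals and policies built from the stronger options produce none. The parser keeps values as text, so a leaf such as pre-shared-key is never interpreted, only its presence and the surrounding choices are judged.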

For information about IP Security (IPSec) monitoring and troubleshooting, see the JUNOS Protocols, Class of Service, and System Basics Command Reference.

This chapter describes the following tasks for configuring IPSec and Internet Key Exchange (IKE):
