Creating a Secure Logging Channel
This section describes how to place the device in an evaluated configuration to provide an encrypted communication channel over an IPsec VPN tunnel, between a device running Junos OS and a remote external storage server (syslog server).
The ssh-rsa authentication method is one of the allowed algorithms in FIPS mode.
Table 1 lists all the supported algorithms for the IPsec VPN tunnel.
Table 1: IPsec VPN Tunnel Supported Algorithms

IKE Phase 1 Proposal

Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm
---|---|---|---
pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384 | sha-256, sha-384 | group14, group19, group20, group24 | aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm, 3des-cbc

IPsec Phase 2 Proposal

Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm
---|---|---|---
hmac-sha1-96, hmac-sha-256-128 | group14, group19, group20, group24 | ESP | aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm, 3des-cbc
Configuring a Trusted Path or Channel Between a Device Running Junos OS and a Remote External Storage Server
This section describes the configuration details required to provide an encrypted communication channel between a device running Junos OS and the remote external storage server through an IPsec VPN tunnel.
The remote external storage server is a Linux-based syslog server on which the IPsec VPN tunnel is terminated at the outbound interface Eth1. Log data transferred from the device is delivered to the syslog termination interface Eth2; the StrongSwan application on the server provides the IPsec VPN capability.
Table 2 lists the IPsec VPN tunnel details used in this example.
Table 2: IPsec VPN Tunnel Information

Phase 1 Proposal (P1, IKE)

Authentication Method | Authentication Algorithm | DH Group | Encryption Algorithm
---|---|---|---
pre-shared-keys | sha-256 | group14 | aes-128-cbc

Phase 2 Proposal (P2, IPsec)

Authentication Algorithm | DH Group (PFS) | Encryption Method | Encryption Algorithm
---|---|---|---
hmac-sha1-96 | group14 | ESP | aes-128-cbc
Figure 1 illustrates the encrypted communication channel between a device running Junos OS and a remote external storage server. An IPsec tunnel is established between the device's egress interface (Intf-1) and the remote syslog server's outbound interface (Eth1). On the remote external storage server, data is then forwarded internally from the outbound interface Eth1 (the VPN endpoint) to Eth2.

Table 3 provides the interface and IP configuration details used in this example.
Table 3: Interface and IP Configuration Details for the Trusted Path

Device Running Junos OS | Remote Storage Server
---|---
"Intf-2" interface ge-0/0/1: 198.51.100.2; "Intf-1" interface ge-0/0/2: 198.51.100.1; syslog logging to the remote syslog server enabled | Eth1: 198.51.100.3; Eth2: 203.0.113.1; gateway for Eth1: 198.51.100.1; tools: SSH and StrongSwan (for IPsec VPN)
To configure the trusted path or channel between a device running Junos OS and a remote external storage server:

- Enable stream logging for traffic logs.

```
[edit security]
user@host# set log cache
user@host# set log mode event
user@host# set log source-address 198.51.100.2
user@host# set log stream STREAM category all
user@host# set log stream STREAM host 203.0.113.1
```

Note: 192.168.2.1 is the IP address of the syslog server outbound interface at which the IPsec VPN tunnel is terminated, and 20.20.20.2 is the IP address of the syslog server interface for which log data is destined.

- Enable syslog on the device.

```
[edit system]
user@host# set syslog user * any emergency
user@host# set syslog host 203.0.113.1 any any
user@host# set syslog file SYSLOG any any
user@host# set syslog file SYSLOG_COMMANDS interactive-commands error
user@host# set syslog file traffic-log any any
user@host# set syslog file traffic-log match RT_FLOW_SESSION
user@host# set syslog source-address 198.51.100.2
```

- Enable VPN on the device.

IKE setup:

```
[edit security]
user@host# set ike proposal IKE_Proposal authentication-method pre-shared-keys
user@host# set ike proposal IKE_Proposal dh-group group14
user@host# set ike proposal IKE_Proposal authentication-algorithm sha-256
user@host# set ike proposal IKE_Proposal encryption-algorithm aes-128-cbc
user@host# set ike policy IKE_Policy mode main
user@host# set ike policy IKE_Policy proposals IKE_Proposal
user@host# prompt ike policy IKE_Policy pre-shared-key ascii-text 12345
user@host# set ike gateway GW ike-policy IKE_Policy
user@host# set ike gateway GW address 198.51.100.3
user@host# set ike gateway GW local-identity inet 198.51.100.1
user@host# set ike gateway GW external-interface ge-0/0/2
user@host# set ike gateway GW version v2-only
```

IPsec setup:

```
[edit security ipsec]
user@host# set proposal IPsec_Proposal protocol esp
root@host# set proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
root@host# set proposal IPsec_Proposal encryption-algorithm aes-128-cbc
root@host# set policy IPsec_Policy perfect-forward-secrecy keys group14
root@host# set policy IPsec_Policy proposals IPsec_Proposal
root@host# set vpn VPN bind-interface st0.0
root@host# set vpn VPN ike gateway GW
root@host# set vpn VPN ike ipsec-policy IPsec_Policy
root@host# set vpn VPN establish-tunnels immediately
```

- Perform the following additional configurations on the device.

IKE trace log:

```
[edit security ike]
root@host# set traceoptions file IKE_Trace
root@host# set traceoptions file size 10000000
root@host# set traceoptions flag all
```

Flow trace:

```
[edit security flow]
root@host# set traceoptions file DEBUG
root@host# set traceoptions file size 1000000
root@host# set traceoptions flag all
```

Route options:

```
[edit]
root@host# set routing-options static route 203.0.113.2/24 qualified-next-hop st0.0 preference 1
```

Address book configuration:

```
[edit security address-book]
root@host# set global address trustLAN 198.51.100.0/24
root@host# set global address unTrustLAN 198.51.100.3/24
```

Zone configuration:

```
[edit security zones]
root@host# set security-zone trustZone host-inbound-traffic system-services all
root@host# set security-zone trustZone host-inbound-traffic protocols all
root@host# set security-zone trustZone interfaces ge-0/0/1.0
root@host# set security-zone unTrustZone host-inbound-traffic system-services all
root@host# set security-zone unTrustZone host-inbound-traffic protocols all
root@host# set security-zone unTrustZone interfaces st0.0
root@host# set security-zone unTrustZone interfaces ge-0/0/2.0
```

Policy configuration:

```
[edit security policies]
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match source-address trustLAN
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match destination-address unTrustLAN
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match application any
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then permit
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-init
root@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-close
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match source-address unTrustLAN
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match destination-address trustLAN
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match application any
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then permit
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-init
root@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-close
```
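The two properties that make this a trusted logging channel are that the IKE and IPsec proposals use only the algorithms in Table 1, and that the syslog host is reached through the st0.0 tunnel interface rather than a cleartext next hop. The following script, an added example that is not part of the Junos documentation or of Juniper's tooling, audits both properties against a configuration expressed as flat `set` statements (the form produced by `show configuration | display set`). The allowed-value sets are taken from Table 1; the sample configuration is constructed from the procedure above, with the static route written as a network prefix; the longest-prefix-match route lookup and the finding messages are this script's own.

```python
"""Audit a Junos 'set' configuration for the evaluated logging-channel settings.

Added example (not Juniper code). Checks that every IKE/IPsec proposal uses
only Table 1 algorithms and that each syslog host is routed via a VPN
bind interface, so log data cannot leave the device in cleartext.
"""
import ipaddress

# Allowed values from Table 1, IKE Phase 1 proposal.
IKE_ALLOWED = {
    "authentication-method": {"pre-shared-keys", "rsa-signatures-2048",
                              "ecdsa-signatures-256", "ecdsa-signatures-384"},
    "authentication-algorithm": {"sha-256", "sha-384"},
    "dh-group": {"group14", "group19", "group20", "group24"},
    "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                             "aes-256-cbc", "aes-256-gcm", "3des-cbc"},
}
# Allowed values from Table 1, IPsec Phase 2 proposal.
IPSEC_ALLOWED = {
    "protocol": {"esp"},
    "authentication-algorithm": {"hmac-sha1-96", "hmac-sha-256-128"},
    "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc", "aes-192-gcm",
                             "aes-256-cbc", "aes-256-gcm", "3des-cbc"},
}
PFS_ALLOWED = {"group14", "group19", "group20", "group24"}

# Constructed sample, mirroring the procedure in this section.
SAMPLE_CONFIG = """
set security log source-address 198.51.100.2
set security log stream STREAM host 203.0.113.1
set system syslog host 203.0.113.1 any any
set security ike proposal IKE_Proposal authentication-method pre-shared-keys
set security ike proposal IKE_Proposal dh-group group14
set security ike proposal IKE_Proposal authentication-algorithm sha-256
set security ike proposal IKE_Proposal encryption-algorithm aes-128-cbc
set security ipsec proposal IPsec_Proposal protocol esp
set security ipsec proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal IPsec_Proposal encryption-algorithm aes-128-cbc
set security ipsec policy IPsec_Policy perfect-forward-secrecy keys group14
set security ipsec vpn VPN bind-interface st0.0
set routing-options static route 203.0.113.0/24 qualified-next-hop st0.0 preference 1
"""


def parse_set_statements(text):
    """Return the token list (without the leading 'set') of every set statement."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def collect(stmts):
    """Extract proposals, PFS groups, tunnel interfaces, routes and syslog hosts."""
    facts = {"ike": {}, "ipsec": {}, "pfs": set(), "tunnel_ifs": set(),
             "routes": [], "syslog_hosts": set()}
    for t in stmts:
        if t[:3] == ["security", "ike", "proposal"] and len(t) >= 6:
            facts["ike"].setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["security", "ipsec", "proposal"] and len(t) >= 6:
            facts["ipsec"].setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["security", "ipsec", "policy"] and "perfect-forward-secrecy" in t:
            facts["pfs"].add(t[-1])
        elif t[:3] == ["security", "ipsec", "vpn"] and "bind-interface" in t:
            facts["tunnel_ifs"].add(t[t.index("bind-interface") + 1])
        elif t[:3] == ["routing-options", "static", "route"] and len(t) >= 6:
            for key in ("qualified-next-hop", "next-hop"):
                if key in t:
                    # strict=False tolerates host bits in the prefix, as in the doc's example
                    facts["routes"].append((ipaddress.ip_network(t[3], strict=False),
                                            t[t.index(key) + 1]))
                    break
        elif t[:3] == ["system", "syslog", "host"] and len(t) >= 4:
            facts["syslog_hosts"].add(t[3])
        elif t[:2] == ["security", "log"] and "host" in t:
            facts["syslog_hosts"].add(t[t.index("host") + 1])
    return facts


def check_proposals(proposals, allowed, kind):
    """Flag missing attributes and values outside the Table 1 sets."""
    findings = []
    for name, attrs in proposals.items():
        for key, ok in allowed.items():
            value = attrs.get(key)
            if value is None:
                findings.append(f"{kind} proposal {name}: {key} not set")
            elif value not in ok:
                findings.append(f"{kind} proposal {name}: {key} {value} is not in Table 1")
    return findings


def audit(config_text):
    """Return a list of findings; an empty list means the configuration passes."""
    facts = collect(parse_set_statements(config_text))
    findings = check_proposals(facts["ike"], IKE_ALLOWED, "IKE")
    findings += check_proposals(facts["ipsec"], IPSEC_ALLOWED, "IPsec")
    findings += [f"IPsec policy: PFS group {g} is not in Table 1"
                 for g in sorted(facts["pfs"]) if g not in PFS_ALLOWED]
    for host in sorted(facts["syslog_hosts"]):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"syslog host {host}: not an IP address, resolve it before auditing")
            continue
        matches = [(p, nh) for p, nh in facts["routes"] if addr in p]
        if not matches:
            findings.append(f"syslog host {host}: no static route, logs may leave in cleartext")
            continue
        _, next_hop = max(matches, key=lambda r: r[0].prefixlen)  # longest-prefix match
        if next_hop not in facts["tunnel_ifs"]:
            findings.append(f"syslog host {host}: next hop {next_hop} is not a VPN bind interface")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: Table 1 algorithms only, syslog routed via tunnel"]:
        print(line)
```

A passing run returns an empty list; weakening the IKE hash or pointing the route at a plain gateway instead of st0.0 produces a finding naming the proposal attribute or the syslog host, which is exactly the condition under which log data would leave the device unprotected.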