    Configuring VPN on a Device Running Junos OS

    This section describes sample configurations of an IPsec VPN on a Junos OS device using the following IKE authentication methods: preshared key, RSA signature, and ECDSA signature.

    Figure 1 illustrates the VPN topology used in all the examples described in this section. Here, H0 and H1 are the host PCs, R0 and R2 are the two endpoints of the IPsec VPN tunnel, and R1 is a router to route traffic between the two different networks.

    Note: The router R1 can be a Linux-based router, a Juniper Networks device, or any other vendor router.

    Figure 1: VPN Topology

    Table 1 provides a complete list of the supported IKE protocols, tunnel modes, Phase 1 negotiation modes, authentication methods and algorithms, encryption algorithms, and DH groups, both for IKE authentication and encryption (Phase 1, IKE proposal) and for IPsec authentication and encryption (Phase 2, IPsec proposal). The listed protocols, modes, and algorithms are supported and required for 12.1X46-D20 Common Criteria.

    Table 1: VPN Combination Matrix

    Each column lists the supported values for that parameter.

    Phase 1 Proposal (P1, IKE)
      IKE Protocol:             IKEv1, IKEv2
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Method:    pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384
      Authentication Algorithm: sha1, sha-256, sha-384
      DH Group:                 group14, group19, group20, group24
      Encryption Algorithm:     3des-cbc, aes-128-cbc, aes-256-cbc

    Phase 2 Proposal (P2, IPsec)
      IKE Protocol:             IKEv1, IKEv2
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Algorithm: hmac-sha1-96, hmac-sha256-128, hmac-sha256-96, No algorithm
      DH Group (PFS):           group14, group19, group20, group24
      Encryption Method:        ESP
      Encryption Algorithm:     3des-cbc, aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-192-gcm, aes-256-gcm

    Note: The following sections provide sample IKEv1 IPsec VPN configurations for selected algorithms. The authentication and encryption algorithms in these configurations can be replaced with any other supported algorithm from Table 1 to reach the desired configuration. For an IKEv2 IPsec VPN, add the set security ike gateway <gw-name> version v2-only command.

    Configuring an IPsec VPN with a Preshared Key for IKE Authentication

    In this section, you configure devices running Junos OS for IPsec VPN using a preshared key as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 2.

    Table 2: IKE or IPsec Authentication and Encryption

    Phase 1 Proposal (P1, IKE)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Method:    pre-shared-keys
      Authentication Algorithm: sha-256
      DH Group:                 group14
      Encryption Algorithm:     aes-256-cbc

    Phase 2 Proposal (P2, IPsec)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Algorithm: hmac-sha-256-128
      DH Group (PFS):           group14
      Encryption Method:        ESP
      Encryption Algorithm:     aes-256-cbc

    Note: A device running Junos OS uses preshared keys for IPsec only (no other protocols). The TOE accepts ASCII preshared or bit-based keys of up to 255 characters (and their binary equivalents) that contain uppercase and lowercase letters, numbers, and special characters such as !, @, #, $, %, ^, &, *, (, and ). The device accepts the preshared text key and converts the text string into an authentication value as specified in RFC 2409 for IKEv1 or RFC 4306 for IKEv2, using the PRF that is configured as the hash algorithm for the IKE exchanges.
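    The conversion the note describes, as an added example that is not part of the original document or of Junos OS: the preshared key entered as ascii-text or as hexadecimal becomes the same raw key bytes, and the PRF configured as the IKE hash algorithm (HMAC-SHA-256 here, matching Table 2) is applied to it as RFC 2409 specifies for IKEv1 (SKEYID) and RFC 4306 for IKEv2 (the inner AUTH key). The nonce values and the 255-byte limit check are constructed from the note; the sample key is the one the procedure below uses.

```python
"""Derive the IKE authentication value from a Junos preshared key (added
example; nonces are constructed sample values, not captured traffic)."""
import hmac

MAX_PSK_CHARS = 255  # limit stated in the note above


def psk_bytes(ascii_text=None, hexadecimal=None):
    """Return the raw key bytes for a preshared key given either as ASCII
    text (the ascii-text form) or as a hex string (the hexadecimal form).
    The two forms of the same key yield identical bytes."""
    if (ascii_text is None) == (hexadecimal is None):
        raise ValueError("supply exactly one of ascii_text or hexadecimal")
    if ascii_text is not None:
        key = ascii_text.encode("ascii")
    else:
        key = bytes.fromhex(hexadecimal)
    if not key or len(key) > MAX_PSK_CHARS:
        raise ValueError(f"preshared key must be 1..{MAX_PSK_CHARS} bytes")
    return key


def ikev1_skeyid(psk, ni_b, nr_b, prf="sha256"):
    """RFC 2409 section 5.4, preshared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). The PSK is the HMAC key and
    the initiator and responder nonce bodies, concatenated, are the data."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def ikev2_auth_key(psk, prf="sha256"):
    """RFC 4306 section 2.15, shared-key authentication:
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <signed octets>).
    This returns the inner value, the key that later signs the octets."""
    return hmac.new(psk, b"Key Pad for IKEv2", prf).digest()


if __name__ == "__main__":
    key = psk_bytes(ascii_text="CertSqa@jnpr2014")   # sample key from the page
    ni, nr = bytes(range(16)), bytes(range(16, 32))  # constructed nonces
    print("IKEv1 SKEYID   :", ikev1_skeyid(key, ni, nr).hex())
    print("IKEv2 AUTH key :", ikev2_auth_key(key).hex())
```

    Because both entry forms reduce to the same bytes, a key typed as ascii-text and the same key typed as its hexadecimal equivalent authenticate identically; what changes the result is the PRF, so both peers must be configured with the same IKE authentication algorithm.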

    Configuring IPsec VPN with Preshared Key as IKE Authentication on the Initiator

    To configure the IPsec VPN with preshared key IKE authentication on the initiator:

    1. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method pre-shared-keys
      user@host# set proposal ike-proposal1 dh-group group14
      user@host# set proposal ike-proposal1 authentication-algorithm sha-256
      user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

    2. Configure the IKE policy.
      [edit]
      user@host# set security ike policy ike-policy1 mode main
      user@host# set security ike policy ike-policy1 proposals ike-proposal1

      Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.

      user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
      New ascii-text (secret):
      Retype new ascii-text (secret):

      You must enter and reenter the preshared key when prompted. For example, the preshared key can be CertSqa@jnpr2014.

      The preshared key can alternatively be entered in hexadecimal format. For example:

      [edit]
      user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
      New hexadecimal (secret):
      Retype new hexadecimal (secret):

      Here, the hexadecimal preshared key can be cc2014bae9876543.

    3. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    4. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    5. Configure the IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 5.5.5.1
      user@host# set gateway gw1 local-identity inet 4.4.4.1
      user@host# set gateway gw1 external-interface ge-0/0/2

      Note: Here, gw1 is the IKE gateway name, 5.5.5.1 is the peer VPN endpoint IP, 4.4.4.1 is the local VPN endpoint IP, and ge-0/0/2 is the local outbound interface that serves as the VPN endpoint. The following additional configuration is also needed in the case of IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    6. Configure the VPN.
      [edit]
      user@host# set security ipsec vpn vpn1 ike gateway gw1
      user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set security ipsec vpn vpn1 bind-interface st0.0
      user@host# set routing-options static route 6.6.6.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    7. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    8. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    9. Commit your configuration.
      user@host# commit

    Configuring IPsec VPN with Preshared Key as IKE Authentication on the Responder

    To configure the IPsec VPN with preshared key IKE authentication on the responder:

    1. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method pre-shared-keys
      user@host# set proposal ike-proposal1 dh-group group14
      user@host# set proposal ike-proposal1 authentication-algorithm sha-256
      user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

    2. Configure the IKE policy.
      [edit]
      user@host# set security ike policy ike-policy1 mode main
      user@host# set security ike policy ike-policy1 proposals ike-proposal1

      Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.

      user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
      New ascii-text (secret):
      Retype new ascii-text (secret):

      You must enter and reenter the preshared key when prompted. For example, the preshared key can be CertSqa@jnpr2014.

      The preshared key can alternatively be entered in hexadecimal format. For example:

      [edit]
      user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
      New hexadecimal (secret):
      Retype new hexadecimal (secret):

      Here, the hexadecimal preshared key can be cc2014bae9876543.

    3. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    4. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    5. Configure the IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 4.4.4.1
      user@host# set gateway gw1 local-identity inet 5.5.5.1
      user@host# set gateway gw1 external-interface ge-0/0/2

      Note: Here, gw1 is an IKE gateway name, 4.4.4.1 is the peer VPN endpoint IP, 5.5.5.1 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following additional configuration is also needed in the case of IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    6. Configure the VPN.
      [edit]
      user@host# set security ipsec vpn vpn1 ike gateway gw1
      user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set security ipsec vpn vpn1 bind-interface st0.0
      user@host# set routing-options static route 3.3.3.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    7. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    8. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    9. Commit your configuration.
      user@host# commit
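    A way to check the proposals of the initiator and responder procedures above against the combination matrix of Table 1 and against each other, as an added example that is not part of the original document or of Junos OS. It reads proposal set-commands in their full-path form (set security ike proposal ... / set security ipsec proposal ...), flags any parameter value outside Table 1, and reports each phase in which the two peers have no proposal in common, which is the configuration mistake that leaves a tunnel that never comes up. The allowed values are Table 1's, written as the CLI keywords the page's own commands use (rsa-signatures for rsa-signatures-2048, hmac-sha-256-128 for hmac-sha256-128); the two sample configurations are constructed here.

```python
"""Check Junos IKE/IPsec proposals against the Common Criteria matrix
(Table 1) and verify that two peers share a proposal per phase.
Added example; sample configurations below are constructed."""
import re

# Allowed values per phase, from Table 1. Parameters not listed here
# (lifetime-seconds and the like) are not part of the matrix and are ignored.
ALLOWED = {
    "ike": {
        "authentication-method": {"pre-shared-keys", "rsa-signatures",
                                  "ecdsa-signatures-256", "ecdsa-signatures-384"},
        "authentication-algorithm": {"sha1", "sha-256", "sha-384"},
        "dh-group": {"group14", "group19", "group20", "group24"},
        "encryption-algorithm": {"3des-cbc", "aes-128-cbc", "aes-256-cbc"},
    },
    "ipsec": {
        "protocol": {"esp"},
        "authentication-algorithm": {"hmac-sha1-96", "hmac-sha-256-128",
                                     "hmac-sha-256-96"},
        "encryption-algorithm": {"3des-cbc", "aes-128-cbc", "aes-256-cbc",
                                 "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"},
    },
}

# Full-path proposal command, e.g. "set security ike proposal p1 dh-group group14".
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")


def parse_proposals(config_text):
    """Map (phase, proposal-name) to {parameter: value} for every proposal
    set-command found in the configuration text; other lines are skipped."""
    proposals = {}
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            phase, name, key, value = m.groups()
            proposals.setdefault((phase, name), {})[key] = value
    return proposals


def check_against_matrix(proposals):
    """Return one message per parameter whose value lies outside Table 1."""
    violations = []
    for (phase, name), params in proposals.items():
        for key, value in params.items():
            allowed = ALLOWED[phase].get(key)
            if allowed is not None and value not in allowed:
                violations.append(
                    f"{phase} proposal {name}: {key} {value} is not in the CC matrix")
    return violations


def _matrix_params(proposals, phase):
    """The matrix-relevant parameters of each proposal in one phase."""
    return [{k: v for k, v in p.items() if k in ALLOWED[phase]}
            for (ph, _), p in proposals.items() if ph == phase]


def compare_peers(local, peer):
    """Return the phases in which no local proposal equals a peer proposal
    parameter for parameter; IKE negotiation fails in such a phase."""
    mismatched = []
    for phase in ("ike", "ipsec"):
        mine, theirs = _matrix_params(local, phase), _matrix_params(peer, phase)
        if not any(m == t for m in mine for t in theirs):
            mismatched.append(phase)
    return mismatched


# Constructed sample: the initiator proposals of the procedure above.
INITIATOR = """
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group14
set security ike proposal ike-proposal1 authentication-algorithm sha-256
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
"""

# Constructed sample of a responder that drifted: 3des-cbc is in the matrix
# but does not match the initiator; hmac-md5-96 is outside the matrix entirely.
RESPONDER_DRIFTED = """
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group14
set security ike proposal ike-proposal1 authentication-algorithm sha-256
set security ike proposal ike-proposal1 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
"""

if __name__ == "__main__":
    init, resp = parse_proposals(INITIATOR), parse_proposals(RESPONDER_DRIFTED)
    for msg in check_against_matrix(init) + check_against_matrix(resp):
        print("VIOLATION:", msg)
    print("phases without a common proposal:", compare_peers(init, resp))
```

    Run it against the output of show configuration | display set from both devices; the commands in the procedures above are entered in the shorter relative form under [edit security ike] or [edit security ipsec], but display set prints the full-path form that the parser expects.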

    Configuring an IPsec VPN with an RSA Signature for IKE Authentication

    In this section, you configure devices running Junos OS for IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 3.

    Table 3: IKE/IPsec Authentication and Encryption

    Phase 1 Proposal (P1, IKE)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Method:    rsa-signatures-2048
      Authentication Algorithm: sha-256
      DH Group:                 group14
      Encryption Algorithm:     aes-128-cbc

    Phase 2 Proposal (P2, IPsec)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Algorithm: hmac-sha-256-128
      DH Group (PFS):           group19
      Encryption Method:        ESP
      Encryption Algorithm:     aes-128-cbc

    Configuring IPsec VPN with RSA Signature as IKE Authentication on the Initiator

    To configure the IPsec VPN with RSA signature IKE authentication on the initiator:

    1. Configure the PKI. See Example: Configuring PKI.
    2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.
    3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
    4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
    5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
    6. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method rsa-signatures
      user@host# set proposal ike-proposal1 dh-group group19
      user@host# set proposal ike-proposal1 authentication-algorithm sha-256
      user@host# set proposal ike-proposal1 encryption-algorithm aes-128-cbc

      Note: Here, ike-proposal1 is the name given by the authorized administrator.

    7. Configure the IKE policy.
      [edit security ike]
      user@host# set policy ike-policy1 mode main
      user@host# set policy ike-policy1 proposals ike-proposal1
      user@host# set policy ike-policy1 certificate local-certificate cert1

      Note: Here, ike-policy1 is the IKE policy name given by the authorized administrator, and cert1 is the local certificate loaded in step 5.

    8. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-128-cbc

      Note: Here, ipsec-proposal1 is the name given by the authorized administrator.

    9. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group19
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the name given by the authorized administrator.

    10. Configure the IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 5.5.5.1
      user@host# set gateway gw1 local-identity inet 4.4.4.1
      user@host# set gateway gw1 external-interface fe-0/0/1

      Note: Here, 5.5.5.1 is the peer VPN endpoint IP, 4.4.4.1 is the local VPN endpoint IP, and fe-0/0/1 is the local outbound interface as VPN endpoint. The following configuration is also needed for IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    11. Configure VPN.
      [edit security ipsec]
      user@host# set vpn vpn1 ike gateway gw1
      user@host# set vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set vpn vpn1 bind-interface st0.0
      [edit]
      user@host# set routing-options static route 6.6.6.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    12. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    13. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    14. Commit the configuration.
      [edit]
      user@host# commit

    Configuring IPsec VPN with RSA Signature as IKE Authentication on the Responder

    To configure the IPsec VPN with the RSA signature IKE authentication on the responder:

    1. Configure the PKI. See Example: Configuring PKI.
    2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.
    3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
    4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
    5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
    6. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method rsa-signatures
      user@host# set proposal ike-proposal1 dh-group group19
      user@host# set proposal ike-proposal1 authentication-algorithm sha-256
      user@host# set proposal ike-proposal1 encryption-algorithm aes-128-cbc

      Note: Here, ike-proposal1 is the name given by the authorized administrator.

    7. Configure the IKE policy.
      [edit security ike]
      user@host# set policy ike-policy1 mode main
      user@host# set policy ike-policy1 proposals ike-proposal1
      user@host# set policy ike-policy1 certificate local-certificate cert1

      Note: Here, ike-policy1 is the IKE policy name given by the authorized administrator, and cert1 is the local certificate loaded in step 5.

    8. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-128-cbc

      Note: Here, ipsec-proposal1 is the name given by the authorized administrator.

    9. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group19
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the name given by the authorized administrator.

    10. Configure IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 4.4.4.1
      user@host# set gateway gw1 local-identity inet 5.5.5.1
      user@host# set gateway gw1 external-interface ge-0/0/2

      Note: Here, 4.4.4.1 is the peer VPN endpoint IP, 5.5.5.1 is the local VPN endpoint IP, and ge-0/0/2 is the local outbound interface as VPN endpoint. The following configuration is also needed for IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    11. Configure VPN.
      [edit security ipsec]
      user@host# set vpn vpn1 ike gateway gw1
      user@host# set vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set vpn vpn1 bind-interface st0.0
      [edit]
      user@host# set routing-options static route 3.3.3.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    12. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    13. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    14. Commit the configuration.
      [edit]
      user@host# commit

    Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication

    In this section, you configure devices running Junos OS for IPsec VPN using an ECDSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 4.

    Table 4: IKE or IPsec Authentication and Encryption

    Phase 1 Proposal (P1, IKE)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Method:    ecdsa-signatures-256
      Authentication Algorithm: sha-384
      DH Group:                 group14
      Encryption Algorithm:     aes-256-cbc

    Phase 2 Proposal (P2, IPsec)
      IKE Protocol:             IKEv1
      Tunnel Mode:              Route
      Phase 1 Negotiation Mode: Main
      Authentication Algorithm: hmac-sha-256-128
      DH Group (PFS):           group14
      Encryption Method:        ESP
      Encryption Algorithm:     aes-256-gcm

    Configuring IPsec VPN with ECDSA Signature as IKE Authentication on the Initiator

    To configure the IPsec VPN with ECDSA signature IKE authentication on the initiator:

    1. Configure the PKI. See Example: Configuring PKI.
    2. Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair.
    3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
    4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
    5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
    6. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256
      user@host# set proposal ike-proposal1 dh-group group14
      user@host# set proposal ike-proposal1 authentication-algorithm sha-384
      user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

    7. Configure the IKE policy.
      [edit security ike]
      user@host# set policy ike-policy1 mode main
      user@host# set policy ike-policy1 proposals ike-proposal1
      user@host# set policy ike-policy1 certificate local-certificate cert1

      Note: Here, ike-policy1 is the IKE policy name given by the authorized administrator, and cert1 is the local certificate loaded in step 5.

    8. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

      Note: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    9. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    10. Configure IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 5.5.5.1
      user@host# set gateway gw1 local-identity inet 4.4.4.1
      user@host# set gateway gw1 external-interface ge-0/0/2

      Note: Here, gw1 is an IKE gateway name, 5.5.5.1 is the peer VPN endpoint IP, 4.4.4.1 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    11. Configure the VPN.
      [edit]
      user@host# set security ipsec vpn vpn1 ike gateway gw1
      user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set security ipsec vpn vpn1 bind-interface st0.0
      user@host# set routing-options static route 6.6.6.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    12. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    13. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    14. Commit your configuration.
      user@host# commit

    Configuring IPsec VPN with ECDSA Signature as IKE Authentication on the Responder

    To configure IPsec VPN with ECDSA signature IKE authentication on the responder:

    1. Configure the PKI. See Example: Configuring PKI.
    2. Generate the ECDSA key pair. See Example: Generating a Public-Private Key Pair.
    3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
    4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
    5. Configure the IKE proposal.
      [edit security ike]
      user@host# set proposal ike-proposal1 authentication-method ecdsa-signatures-256
      user@host# set proposal ike-proposal1 dh-group group14
      user@host# set proposal ike-proposal1 authentication-algorithm sha-384
      user@host# set proposal ike-proposal1 encryption-algorithm aes-256-cbc

      Note: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

    6. Configure the IKE policy.
      [edit security ike]
      user@host# set policy ike-policy1 mode main
      user@host# set policy ike-policy1 proposals ike-proposal1
      user@host# set policy ike-policy1 certificate local-certificate cert1

      Note: Here, ike-policy1 is the IKE policy name given by the authorized administrator, and cert1 is the local certificate loaded on the device.

    7. Configure the IPsec proposal.
      [edit security ipsec]
      user@host# set proposal ipsec-proposal1 protocol esp
      user@host# set proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
      user@host# set proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

      Note: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    8. Configure the IPsec policy.
      [edit security ipsec]
      user@host# set policy ipsec-policy1 perfect-forward-secrecy keys group14
      user@host# set policy ipsec-policy1 proposals ipsec-proposal1

      Note: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

    9. Configure the IKE.
      [edit security ike]
      user@host# set gateway gw1 ike-policy ike-policy1
      user@host# set gateway gw1 address 4.4.4.1
      user@host# set gateway gw1 local-identity inet 5.5.5.1
      user@host# set gateway gw1 external-interface ge-0/0/1

      Note: Here, gw1 is an IKE gateway name, 4.4.4.1 is the peer VPN endpoint IP, 5.5.5.1 is the local VPN endpoint IP, and ge-0/0/1 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv2.

      [edit security ike]
      user@host# set gateway gw1 version v2-only

    10. Configure the VPN.
      [edit]
      user@host# set security ipsec vpn vpn1 ike gateway gw1
      user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
      user@host# set security ipsec vpn vpn1 bind-interface st0.0
      user@host# set routing-options static route 3.3.3.0/24 qualified-next-hop st0.0 preference 1

      Note: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

    11. Configure the outbound flow policies.
      [edit security policies]
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
      user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    12. Configure the inbound flow policies.
      [edit security policies]
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application any
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then permit
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
      user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close

      Note: Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

    13. Commit your configuration.
      user@host# commit

    Modified: 2015-02-03