
    Creating a Secure Logging Channel

    This section describes how to place the device in an evaluated configuration that provides an encrypted communication channel, over an IPsec VPN tunnel, between a device running Junos OS and a remote external storage server (syslog server).

    Table 1 lists all the supported algorithms for the IPsec VPN tunnel. Each entry is an independent list of permitted values for that parameter.

    Table 1: IPsec VPN Tunnel Supported Algorithms

    IKE Phase 1 Proposal

      Authentication Method:    pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384
      Authentication Algorithm: sha1, sha-256, sha-384
      DH Group:                 group14, group19, group20, group24
      Encryption Algorithm:     3des-cbc, aes-128-cbc, aes-256-cbc

    IPsec Phase 2 Proposal

      Authentication Algorithm: hmac-sha1-96, hmac-sha256-128, hmac-sha256-96 (used with the CBC ciphers; aes-128-gcm and aes-256-gcm are AEAD ciphers and take no separate authentication algorithm)
      DH Group (PFS):           group14 (the PFS group used in this guide; see Table 2)
      Encryption Method:        ESP
      Encryption Algorithm:     3des-cbc, aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm

    Note: sha1 and 3des-cbc are listed for interoperability with older peers. Where the syslog server supports it, prefer AES with a SHA-2 authentication algorithm, as the Phase 1 proposal in the example below does.

    Configuring a Trusted Path or Channel Between a Device Running Junos OS and a Remote External Storage Server

    This section describes the configuration required to provide an encrypted communication channel between a device running Junos OS and the remote external storage server through an IPsec VPN tunnel.

    Note: The remote external storage server is a Linux-based syslog server running strongSwan, which provides the IPsec VPN capability. The IPsec VPN tunnel is terminated on the server's outbound interface Eth1; log data transferred from the device is delivered to the syslog listener on interface Eth2.

    Table 2 lists the IPsec VPN tunnel details used in this example.

    Table 2: IPsec VPN Tunnel Information

    Phase 1 Proposal (P1, IKE)

      Authentication Method:    pre-shared-keys
      Authentication Algorithm: sha-256
      DH Group:                 group14
      Encryption Algorithm:     aes-128-cbc

    Phase 2 Proposal (P2, IPsec)

      Authentication Algorithm: hmac-sha1-96
      DH Group (PFS):           group14
      Encryption Method:        ESP
      Encryption Algorithm:     aes-128-cbc

    Figure 1 illustrates the encrypted communication channel between a device running Junos OS and a remote external storage server. An IPsec tunnel is established between the device's egress interface (Intf-1) and the remote syslog server's outbound interface (Eth1). On the remote external storage server, data is then forwarded internally from Eth1, the VPN endpoint, to Eth2.

    Figure 1: IPsec VPN Tunnel


    Table 3 provides the interface and IP configuration details used in this example.

    Table 3: Interface and IP Configuration Details for the Trusted Path

    Device Running Junos OS

      "Intf-2" interface ge-0/0/1: 192.168.2.1 (source address for syslog and stream logging)
      "Intf-1" interface ge-0/0/2: 192.168.1.1 (external interface on which the IPsec tunnel is established)
      Enabled: syslog logging to the remote syslog server

    Remote Storage Server

      Eth1: 192.168.1.2 (IPsec VPN endpoint; gateway 192.168.1.1)
      Eth2: 20.20.20.2 (syslog listener)
      Tools: SSH and strongSwan (for the IPsec VPN)
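    The guide configures only the Junos side of the tunnel; the strongSwan side on the storage server must offer the same proposal or IKE negotiation fails. The following added example (not part of the Juniper guide and not strongSwan's own code) derives the strongSwan ipsec.conf connection for the syslog server from the Table 2 parameters, after checking each value against the supported set in Table 1, using the addresses from Table 3. The Junos-to-strongSwan keyword maps are the standard equivalents (group14 is MODP-2048, sha-256 is sha256, and so on). The connection name "junos-syslog", the ipsec.secrets layout and the subnets passed in are assumptions for the example.

```python
"""
Build the strongSwan (ipsec.conf) peer definition for the syslog server
from the Junos IKE/IPsec proposal parameters, after validating them against
the algorithms the evaluated configuration permits (Table 1).

Added example; not part of the Juniper guide or of strongSwan.
"""

# Table 1: values the evaluated configuration permits, per parameter.
# Only group14 is exercised as a PFS group in this guide (Table 2).
SUPPORTED = {
    "ike_auth_method": {"pre-shared-keys", "rsa-signatures-2048",
                        "ecdsa-signatures-256", "ecdsa-signatures-384"},
    "ike_auth_alg":    {"sha1", "sha-256", "sha-384"},
    "ike_dh_group":    {"group14", "group19", "group20", "group24"},
    "ike_enc_alg":     {"3des-cbc", "aes-128-cbc", "aes-256-cbc"},
    "esp_auth_alg":    {"hmac-sha1-96", "hmac-sha256-128", "hmac-sha256-96"},
    "esp_enc_alg":     {"3des-cbc", "aes-128-cbc", "aes-256-cbc",
                        "aes-128-gcm", "aes-256-gcm"},
    "pfs_group":       {"group14"},
}

# Junos keyword -> strongSwan proposal token (standard equivalents).
ENC = {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256",
       "aes-128-gcm": "aes128gcm16", "aes-256-gcm": "aes256gcm16"}
HASH = {"sha1": "sha1", "sha-256": "sha256", "sha-384": "sha384"}
INTEG = {"hmac-sha1-96": "sha1", "hmac-sha256-128": "sha256",
         "hmac-sha256-96": "sha256_96"}  # sha256_96: non-standard 96-bit truncation
DH = {"group14": "modp2048", "group19": "ecp256", "group20": "ecp384",
      "group24": "modp2048s256"}

# Table 2, expressed as the Junos keywords used in the configuration steps.
TABLE2 = {
    "ike_auth_method": "pre-shared-keys",
    "ike_auth_alg": "sha-256",
    "ike_dh_group": "group14",
    "ike_enc_alg": "aes-128-cbc",
    "esp_auth_alg": "hmac-sha1-96",
    "pfs_group": "group14",
    "esp_enc_alg": "aes-128-cbc",
}


def check_supported(p):
    """Refuse to generate config for any parameter outside Table 1."""
    bad = [f"{k}={v}" for k, v in p.items() if k in SUPPORTED and v not in SUPPORTED[k]]
    if bad:
        raise ValueError("outside evaluated configuration: " + ", ".join(bad))


def ike_proposal(p):
    """IKEv2 proposal: cipher-integrity-DH, e.g. aes128-sha256-modp2048.
    strongSwan derives the PRF from the integrity algorithm when none is given."""
    return "-".join([ENC[p["ike_enc_alg"]], HASH[p["ike_auth_alg"]], DH[p["ike_dh_group"]]])


def esp_proposal(p):
    """ESP proposal. AEAD (GCM) ciphers carry their own integrity, so no HMAC token;
    the trailing DH token requests PFS on CHILD_SA rekey."""
    parts = [ENC[p["esp_enc_alg"]]]
    if not p["esp_enc_alg"].endswith("-gcm"):
        parts.append(INTEG[p["esp_auth_alg"]])
    if p.get("pfs_group"):
        parts.append(DH[p["pfs_group"]])
    return "-".join(parts)


def strongswan_conn(name, p, local, local_subnet, remote, remote_subnet):
    """ipsec.conf stanza for the syslog server (left = the local strongSwan side)."""
    check_supported(p)
    if p["ike_auth_method"] != "pre-shared-keys":
        raise NotImplementedError("certificate methods need leftcert/rightid; "
                                  "only the PSK case of Table 2 is generated")
    return "\n".join([
        f"conn {name}",
        "    keyexchange=ikev2",        # matches 'set ike gateway GW version v2-only'
        f"    ike={ike_proposal(p)}!",  # '!' = strict: no fallback to strongSwan defaults
        f"    esp={esp_proposal(p)}!",
        "    authby=psk",
        f"    left={local}",
        f"    leftsubnet={local_subnet}",
        f"    right={remote}",
        f"    rightsubnet={remote_subnet}",
        "    auto=start",
    ])


def strongswan_secret(local, remote, psk):
    """ipsec.secrets line. Use a long random PSK, not the placeholder from the guide."""
    return f'{local} {remote} : PSK "{psk}"'


if __name__ == "__main__":
    # Eth1 / syslog network on the server side; Intf-1 / log source network on the device side.
    print(strongswan_conn("junos-syslog", TABLE2,
                          "192.168.1.2", "20.20.20.0/24",
                          "192.168.1.1", "192.168.2.0/24"))
    print(strongswan_secret("192.168.1.2", "192.168.1.1", "<long-random-psk>"))
```

    The Junos side of this guide configures no traffic-selector on the route-based VPN (all traffic routed to st0.0 is protected), so the leftsubnet and rightsubnet values above are an assumption; if the Junos release in use does not accept the narrowed selectors strongSwan proposes, set both subnets to 0.0.0.0/0. The strict "!" suffix matters for an evaluated configuration: without it strongSwan would also accept its own default proposals, which include algorithms outside Table 1.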

    To configure the trusted path or channel between a device running Junos OS and a remote external storage server:

    1. Enable stream logging for traffic logs.

       [edit security]
       user@host# set log cache
       user@host# set log mode event
       user@host# set log source-address 192.168.2.1
       user@host# set log stream STREAM category all
       user@host# set log stream STREAM host 20.20.20.2

       Note: 192.168.2.1 is the address of the device's ge-0/0/1 (Intf-2) interface and is the source address of all log traffic. 20.20.20.2 is the address of the syslog server's Eth2 interface, to which the log data is destined; it is reachable only through the tunnel (see the static route in step 4). The tunnel itself terminates on the server's Eth1 address, 192.168.1.2.

    2. Enable syslog on the device.

       [edit system]
       user@host# set syslog user * any emergency
       user@host# set syslog host 20.20.20.2 any any
       user@host# set syslog file SYSLOG any any
       user@host# set syslog file SYSLOG authorization info
       user@host# set syslog file SYSLOG_COMMANDS interactive-commands error
       user@host# set syslog file traffic-log any any
       user@host# set syslog file traffic-log match RT_FLOW_SESSION
       user@host# set syslog source-address 192.168.2.1

    3. Enable VPN on the device.

       IKE setup:

       [edit security]
       user@host# set ike proposal IKE_Proposal authentication-method pre-shared-keys
       user@host# set ike proposal IKE_Proposal dh-group group14
       user@host# set ike proposal IKE_Proposal authentication-algorithm sha-256
       user@host# set ike proposal IKE_Proposal encryption-algorithm aes-128-cbc

       user@host# set ike policy IKE_Policy mode main
       user@host# set ike policy IKE_Policy proposals IKE_Proposal
       user@host# set ike policy IKE_Policy pre-shared-key ascii-text 12345

       user@host# set ike gateway GW ike-policy IKE_Policy
       user@host# set ike gateway GW address 192.168.1.2
       user@host# set ike gateway GW local-identity inet 192.168.1.1
       user@host# set ike gateway GW external-interface ge-0/0/2
       user@host# set ike gateway GW version v2-only

       IPsec setup:

       [edit security ipsec]
       user@host# set proposal IPsec_Proposal protocol esp
       user@host# set proposal IPsec_Proposal authentication-algorithm hmac-sha1-96
       user@host# set proposal IPsec_Proposal encryption-algorithm aes-128-cbc
       user@host# set policy IPsec_Policy perfect-forward-secrecy keys group14
       user@host# set policy IPsec_Policy proposals IPsec_Proposal
       user@host# set vpn VPN bind-interface st0.0
       user@host# set vpn VPN ike gateway GW
       user@host# set vpn VPN ike ipsec-policy IPsec_Policy
       user@host# set vpn VPN establish-tunnels immediately

       Note: The pre-shared key 12345 is a placeholder for this example only. In a deployment, use a long, randomly generated key, or one of the certificate-based authentication methods from Table 1 (rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384). The same key must be configured on the strongSwan side for the 192.168.1.2 / 192.168.1.1 peer pair. The ike policy mode setting applies to IKEv1 only; with version v2-only it has no effect.

    4. Perform the following additional configurations on the device.

       IKE trace log:

       [edit security ike]
       user@host# set traceoptions file IKE_Trace
       user@host# set traceoptions file size 10000000
       user@host# set traceoptions flag all

       Flow trace:

       [edit security flow]
       user@host# set traceoptions file DEBUG
       user@host# set traceoptions file size 1000000
       user@host# set traceoptions flag all

       Route options:

       [edit]
       user@host# set routing-options static route 20.20.20.0/24 qualified-next-hop st0.0 preference 1

       Address book configuration:

       [edit security address-book]
       user@host# set global address trustLAN 192.168.2.0/24
       user@host# set global address unTrustLAN 192.168.1.0/24

       Zone configuration:

       [edit security zones]
       user@host# set security-zone trustZone host-inbound-traffic system-services all
       user@host# set security-zone trustZone host-inbound-traffic protocols all
       user@host# set security-zone trustZone interfaces ge-0/0/1.0

       user@host# set security-zone unTrustZone host-inbound-traffic system-services all
       user@host# set security-zone unTrustZone host-inbound-traffic protocols all
       user@host# set security-zone unTrustZone interfaces st0.0
       user@host# set security-zone unTrustZone interfaces ge-0/0/2.0

       Policy configuration:

       [edit security policies]
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match source-address trustLAN
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match destination-address unTrustLAN
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 match application any
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then permit
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-init
       user@host# set from-zone trustZone to-zone unTrustZone policy Policy1 then log session-close

       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match source-address unTrustLAN
       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match destination-address trustLAN
       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 match application any
       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then permit
       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-init
       user@host# set from-zone unTrustZone to-zone trustZone policy Policy1 then log session-close

       Note: The static route is what keeps the log data inside the trusted channel: 20.20.20.0/24 is reachable only through st0.0, so syslog traffic to 20.20.20.2 is always encrypted before it leaves ge-0/0/2. The st0.0 tunnel interface must already exist under [edit interfaces] (with family inet) before it can be bound to the VPN in step 3 and placed in unTrustZone here. host-inbound-traffic system-services all on unTrustZone is broader than the channel needs; on the external interface, ike is the service the tunnel requires. The trace options with flag all are for bringing the tunnel up and troubleshooting; they write large trace files and are not needed once the channel has been verified.
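    Once the tunnel is up, the check that matters for a trusted logging channel is that log traffic reaches the server only inside ESP and never as cleartext UDP/514 on the tunnel-facing link. The following added example (not part of the Juniper guide) audits a capture taken with tcpdump on the server's Eth1 interface for exactly that. The capture is a constructed sample in tcpdump's output format using the Table 3 addresses; the last line shows the failure mode the check catches, which is what appears when the static route for 20.20.20.0/24 via st0.0 from step 4 is missing and the device sends syslog out ge-0/0/2 in the clear.

```python
"""
Audit a `tcpdump -n -i eth1` capture from the syslog server's tunnel-facing
interface: count IKE and ESP packets between the two tunnel endpoints, flag
non-increasing ESP sequence numbers per SPI, and flag any syslog (UDP/514)
that arrived outside the tunnel.

Added example; not part of the Juniper guide. The capture text is constructed.
"""
import re

IKE_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (?:UDP|SYSLOG)")

# Constructed sample: IKE_SA_INIT exchange, two ESP packets carrying log data,
# then one syslog datagram that bypassed the tunnel.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.168.1.1.500 > 192.168.1.2.500: isakmp: parent_sa ikev2_init[I]
12:00:00.000002 IP 192.168.1.2.500 > 192.168.1.1.500: isakmp: parent_sa ikev2_init[R]
12:00:00.100000 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 148
12:00:00.200000 IP 192.168.1.1 > 192.168.1.2: ESP(spi=0x0a1b2c3d,seq=0x2), length 164
12:00:01.000000 IP 192.168.2.1.514 > 20.20.20.2.514: SYSLOG local0.info, length 96
"""


def audit_capture(lines, device, server, syslog_port=514):
    """Summarise a capture taken on the tunnel-facing interface.

    device/server are the tunnel endpoints (Intf-1 and Eth1 in Table 3).
    Returns counts per category plus the offending lines for anomalies."""
    report = {"ike_packets": 0, "esp_packets": {}, "seq_anomalies": [],
              "cleartext_syslog": []}
    last_seq = {}
    endpoints = {device, server}
    for line in lines:
        m = IKE_RE.search(line)
        if m and {m.group(1), m.group(2)} == endpoints:
            report["ike_packets"] += 1
            continue
        m = ESP_RE.search(line)
        if m and {m.group(1), m.group(2)} == endpoints:
            spi, seq = m.group(3), int(m.group(4), 16)
            report["esp_packets"][spi] = report["esp_packets"].get(spi, 0) + 1
            # ESP sequence numbers must strictly increase per SPI; a repeat or
            # rewind means replayed traffic or a broken capture, either way worth a look.
            if seq <= last_seq.get(spi, 0):
                report["seq_anomalies"].append(line.strip())
            last_seq[spi] = max(seq, last_seq.get(spi, 0))
            continue
        m = UDP_RE.search(line)
        if m and int(m.group(4)) == syslog_port:
            # Any syslog visible here is outside the tunnel, whatever its source.
            report["cleartext_syslog"].append(line.strip())
    return report


def channel_is_secure(report):
    """True only if log traffic was seen inside ESP, with sane sequence
    numbers, and never in the clear on the tunnel-facing link."""
    return (bool(report["esp_packets"])
            and not report["cleartext_syslog"]
            and not report["seq_anomalies"])


if __name__ == "__main__":
    r = audit_capture(SAMPLE_CAPTURE.splitlines(), "192.168.1.1", "192.168.1.2")
    print(r)
    print("secure" if channel_is_secure(r)
          else "LEAK: syslog seen in the clear on the tunnel-facing interface")
```

    On the real server the input is the output of tcpdump -n -i eth1 (ESP, UDP/500 and UDP/514 are all decoded without extra flags). A clean result is ESP packets between 192.168.1.1 and 192.168.1.2 and nothing on port 514; the decrypted syslog should appear only on Eth2, which can be confirmed with the same capture taken on that interface.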

    Modified: 2015-11-26