How to Enable and Configure Junos OS in FIPS Mode of Operation
You, as Cryptographic Officer, can enable and configure Junos OS in FIPS mode of operation on your device. Before you begin enabling and configuring FIPS mode of operation on the device:
Verify the secure delivery of your device. See How to Enable and Configure Junos OS in FIPS Mode of Operation.
Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Enable the FIPS mode on the device.
user@host# set system fips level 2
- Commit and reboot the device.
user@host# commit
- Run integrity and self-tests on powering on the device when the module is operating in FIPS mode.
- Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPsec.
Note Use of AES-GCM is only FIPS-approved when it is configured for use along with IKEv2.
root@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc     3DES-CBC encryption algorithm
  aes-128-cbc  AES-CBC 128-bit encryption algorithm
  aes-128-gcm  AES-GCM 128-bit encryption algorithm
  aes-192-cbc  AES-CBC 192-bit encryption algorithm
  aes-256-cbc  AES-CBC 256-bit encryption algorithm
  aes-256-gcm  AES-GCM 256-bit encryption algorithm
root@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc     3DES-CBC encryption algorithm
  aes-128-cbc  AES-CBC 128-bit encryption algorithm
  aes-128-gcm  AES-GCM 128-bit encryption algorithm
  aes-192-cbc  AES-CBC 192-bit encryption algorithm
  aes-192-gcm  AES-GCM 192-bit encryption algorithm
  aes-256-cbc  AES-CBC 256-bit encryption algorithm
  aes-256-gcm  AES-GCM 256-bit encryption algorithm
root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
root@host# set security ike gateway <gateway_name> version ?
Possible completions:
  v1-only  The connection must be initiated using IKE version 1
  v2-only  The connection must be initiated using IKE version 2
root@host# set security ike gateway <gateway_name> version v2-only
root@host# commit
commit complete
- Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for the device operating in FIPS-approved mode.
user@host-srx5400-04:fips> show version
Hostname: fipscc-srx5400-03
Model: srx5400
Junos: 15.1X49-D75.5
JUNOS Software Release [15.1X49-D75.5]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode for Junos Software Release 15.1X49-D75.
user@host-srx5400:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$RARcrKX7V4aUM8aUjH5TRhSrM8xNdsgo"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}
user@host-srx5400:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
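The rule above (AES-GCM is FIPS-approved only together with IKEv2) can be audited offline against the two show outputs. The following checker is an added example, not Juniper code: it parses the curly-brace output of show configuration security ike and ipsec into nested dicts and lists every gateway whose IKE or IPsec proposals use an AES-GCM algorithm without version v2-only. The sample configuration it runs on is constructed for the example (gw1 is compliant, gw2 is not); the parser and function names are the example's own.

```python
# Added checker, not Juniper code: parses "show configuration security ike|ipsec"
# output and reports gateways using an AES-GCM proposal without "version v2-only".
GCM_ALGS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
def parse_junos(text):
    """Nested dicts keyed by block header ("gateway gw1") or statement keyword."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()          # drop "## SECRET-DATA" notes
        if line.endswith("{"):                        # block start, e.g. "gateway gw1 {"
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):                      # leaf "keyword value;"
            key, _, val = line[:-1].partition(" ")
            # "proposals" may be a single name or a bracketed list "[ a b ]"
            stack[-1][key] = val.strip("[] ").split() if key == "proposals" else val.strip()
    return stack[0]

def uses_gcm(tree, policy_name):
    """True if any proposal referenced by the named policy uses AES-GCM."""
    return any(tree.get("proposal " + p, {}).get("encryption-algorithm") in GCM_ALGS
               for p in tree.get("policy " + policy_name, {}).get("proposals", []))

def gcm_without_ikev2(ike_text, ipsec_text):
    """Return [(gateway, ["ike"/"ipsec"])] for AES-GCM use on gateways not pinned to IKEv2."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    findings = []
    for key, gw in ike.items():
        if key.startswith("gateway "):
            name, where = key.split(" ", 1)[1], []
            if uses_gcm(ike, gw.get("ike-policy", "")):
                where.append("ike")
            for vkey, vpn in ipsec.items():           # IPsec VPNs bound to this gateway
                if vkey.startswith("vpn ") and vpn.get("ike", {}).get("gateway") == name:
                    if uses_gcm(ipsec, vpn["ike"].get("ipsec-policy", "")):
                        where.append("ipsec")
            if where and gw.get("version") != "v2-only":
                findings.append((name, where))
    return findings

# Constructed sample (not from the page): gw1 is pinned to IKEv2, gw2 is not.
IKE_SAMPLE = """proposal p1 {\n    encryption-algorithm aes-256-gcm;\n}
policy pol1 {\n    proposals p1;\n    pre-shared-key ascii-text "$9$x"; ## SECRET-DATA\n}
gateway gw1 {\n    ike-policy pol1;\n    version v2-only;\n}
gateway gw2 {\n    ike-policy pol1;\n}\n"""
IPSEC_SAMPLE = """proposal ips1 {\n    encryption-algorithm aes-128-gcm;\n}
policy ipol1 {\n    proposals ips1;\n}
vpn vpn2 {\n    ike {\n        gateway gw2;\n        ipsec-policy ipol1;\n    }\n}\n"""
```

Running gcm_without_ikev2(IKE_SAMPLE, IPSEC_SAMPLE) reports gw2 for both its IKE and IPsec proposals, while gw1 is silent; feed it the real show outputs to audit a device before commit.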