Configuring IPSec-NM

Overview of IP Security

IP Security (IPSec) provides a secure way to authenticate senders and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices, such as routers and hosts. IPSec offers network administrators and their users data confidentiality, data integrity, sender authentication, and anti-replay services, and it is a critical component of contemporary IP networks.

IPSec is a framework for secure private communication over IP networks and is based on standards developed by the Internet Engineering Task Force (IETF). IPSec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select the required security protocols, determine the algorithms to use for those services, and put in place any cryptographic keys the requested services need. You can use IPSec to protect one or more paths between a pair of hosts, between a pair of security gateways (such as routers), or between a security gateway and a host.

The native IPSec virtual private network (VPN) supported on Junos OS is used across Juniper products to provide secure VPN connectivity; it depends on several Junos OS components and interworks across them. With the emergence of software-defined networking (SDN), network functions virtualization (NFV), and cloud services, the Juniper IPSec VPN needed more flexible and efficient deployment options. To address such use cases, Juniper Networks introduced the containerized SRX (cSRX), which includes IPSec support, and IP Security Network Manager (IPSec-NM), a security management solution that uses IPSec in cSRX to protect management traffic flowing into the Juniper VM.

The following features are supported on IPSec:

  • Anti-replay services

  • Internet Key Exchange (IKE) gateway

  • Internet Key Exchange (IKE) v1 policy in aggressive and main mode with pre-shared key (PSK)

  • One IKE security association (SA) with multiple IPSec SAs, each selected by a traffic selector

  • Traffic-selector-based tunnel establishment (not route based; no routing protocol runs over the tunnel)

  • Xauth client with config mode for the internal IP attribute

  • key-id, hostname, distinguished-name, user-at-hostname, inet, and inet6 as local and remote identity types

  • Initiator to establish IPSec VPN tunnels immediately.

  • IPv4 and IPv6 addresses for IPSec VPN tunnel source and destination.

  • Encryption algorithms: DES, 3DES, AES-128, and AES-256 (DES and 3DES are retained only for interoperability with older peers; use AES-256 for new deployments)

  • Authentication algorithms: MD5, SHA1, and SHA-256 (MD5 and SHA1 are retained only for interoperability; use SHA-256)

  • Diffie-Hellman groups (dh-groups): 2, 5, 14, and 19 (groups 2 and 5 are too small for new deployments; use group 14 or 19, as the example at the end of this page does)

  • Dead peer detection (DPD)

  • Perfect Forward Secrecy (PFS)

  • NAT-T

  • Tunnel mode

The terminology and components of IPSec can be intimidating to first-time users. However, if you learn a few key concepts, you can quickly master and deploy IPSec in your network. The main concepts you need to understand are as follows:

Configuring IP Security Network Manager

IP Security Network Manager (IPSec-NM) is a cSRX-based VNF that protects management traffic with IPSec tunnels, providing confidentiality, integrity, and authentication of the data at the IP layer.

The following features are supported on IPSec-NM:

Configuring IPSec

IPSec is a suite of related protocols for cryptographically securing communications at the IP packet layer. IPSec also provides methods for the manual and automatic negotiation of security associations (SAs) and for key distribution; the attributes for these are gathered in a domain of interpretation (DOI). The IPSec DOI is a document containing definitions for all the security parameters and attributes required for SA and IKE negotiations. See RFC 2407 and RFC 2408 for more information.

Ensure that connectivity to the host is not lost during the configuration process.

The ipsec-nm mode enables or disables the ipsec-nm VNF. To secure management traffic with an IPSec tunnel, ipsec-nm mode must be enabled and the tunnel configured as described in the following sections. By default, this mode is enabled.

To enable ipsec-nm:

To disable ipsec-nm:

Note

CPU core 7 becomes available for other use after you delete the ipsec-nm configuration.

Note

Ensure that you reboot the system after enabling or disabling the ipsec-nm mode for the changes to take effect.

Configuring IPSec Proposals

An IPSec proposal lists protocols and algorithms or security services to be negotiated with the remote IPSec peer.

To configure IPSec proposals, complete the following steps:

  1. Define an IPSec proposal and the protocol for the proposal:
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name protocol esp
  2. Define an authentication algorithm for the IPSec proposal (hmac-sha1-96 is shown; hmac-sha-256-128 is the stronger choice and is the one used in the example at the end of this page):
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name authentication-algorithm hmac-sha1-96
  3. Define an encryption algorithm for the IPSec proposal:
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name encryption-algorithm aes-256-cbc
  4. Set a lifetime for the IPSec proposal, in seconds (180 through 86400):
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name lifetime-seconds seconds

Configuring IPSec Policies

An IPSec policy defines a combination of security parameters (IPSec proposals) used during IPSec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPSec negotiation, IPSec searches for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when both policies from both the peers have a proposal that contains the same configured attributes. If the lifetime is not identical, the shorter lifetime between the two policies (from the host and peer) is used.

You can create multiple, prioritized IPSec proposals at each peer to ensure that at least one proposal matches the proposal of the remote peer.

Initially, you must configure one or more IPSec proposals and then associate these proposals with an IPSec policy. You can prioritize a list of proposals used by IPSec in the policy statement by listing the proposals you want to use, from first to last.

To configure IPSec policies, complete the following steps:

  1. Define an IPSec policy and enable Perfect Forward Secrecy with the Diffie-Hellman group to use for it (group2 is shown; group14 is used in the example at the end of this page):
    root@ipsec-nm# set security ipsec policy ipsec-policy-name perfect-forward-secrecy keys group2
  2. Define the set of IPSec proposals for the policy:
    root@ipsec-nm# set security ipsec policy ipsec-policy-name proposals proposal-name

Configuring IPSec Virtual Private Network

A virtual private network (VPN) provides a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IP Security (IPsec) tunnel. For more information, see IPsec VPN Overview.

To configure IPSec VPN, complete the following steps:

  1. Define an IKE-keyed IPSec VPN:
    root@ipsec-nm# set security ipsec vpn vpn-name ike gateway remote-gateway-name
  2. Define an IPSec policy for the IPSec VPN:
    root@ipsec-nm# set security ipsec vpn vpn-name ike ipsec-policy ipsec-policy-name
  3. Define a local traffic selector for the IPSec VPN:
    root@ipsec-nm# set security ipsec vpn vpn-name traffic-selector traffic-selector-name local-ip local-traffic-selector-ip-address
  4. Define a remote traffic selector for the IPSec VPN:
    root@ipsec-nm# set security ipsec vpn vpn-name traffic-selector traffic-selector-name remote-ip remote-traffic-selector-ip-address
  5. Define a criteria to establish IPSec VPN tunnels:
    root@ipsec-nm# set security ipsec vpn vpn-name establish-tunnels immediately
  6. Configure the default security policy action. permit-all permits any traffic that no user-defined policy matches; this is what the example at the end of this page uses, but restrict it if the VNF carries anything other than the management traffic the tunnel is meant to protect:
    root@ipsec-nm# set security policies default-policy permit-all

Configuring IPSec-NM Interfaces

To enable IPSec-NM on a LAN or WAN, you must configure interfaces to provide network connectivity and data flow.

Note

Ensure that connectivity to the host is not lost during the configuration process.

To configure IPSec-NM interface, complete the following steps:

  1. Create a logical interface with a VLAN ID:
    root@ipsec-nm# set interfaces interface-name unit interface-logical-unit-number vlan-id vlan-id
  2. Assign an IPv4 address to the logical interface:
    root@ipsec-nm# set interfaces interface-name unit interface-logical-unit-number family inet address interface-address
  3. Assign an IPv6 address to the logical interface:
    root@ipsec-nm# set interfaces interface-name unit interface-logical-unit-number family inet6 address interface-address
  4. Enable VLAN tagging on the physical interface (required for the vlan-id configured on its logical units):
    root@ipsec-nm# set interfaces interface-name vlan-tagging

Configuring AutoKey Internet Key Exchange

IPSec-NM supports the automated generation and negotiation of keys and security associations (SAs) using the Internet Key Exchange (IKE) protocol. This automation is termed AutoKey IKE. Junos OS supports AutoKey IKE with pre-shared keys and with certificates; the procedures on this page use pre-shared keys.

Dynamic SAs require IKE configuration. With dynamic SAs, you can configure IKE and then the SA. IKE creates the dynamic SAs and negotiates them for IPSec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

Note
  • Ensure that connectivity to the host is not lost during the configuration process.

  • Ensure that the IPSec-NM interfaces are configured.

Configuring IKE Proposals

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure IKE proposal, complete the following steps:

  1. Define an IKE proposal and its authentication method:
    root@ipsec-nm# set security ike proposal ike-proposal-name authentication-method pre-shared-keys
  2. Define a Diffie-Hellman group (dh-group) for the IKE proposal (group2 is shown; group14 is used in the example at the end of this page):
    root@ipsec-nm# set security ike proposal ike-proposal-name dh-group group2
  3. Define an authentication algorithm for the IKE proposal (sha1 is shown; sha-256 is used in the example at the end of this page):
    root@ipsec-nm# set security ike proposal ike-proposal-name authentication-algorithm sha1
  4. Define an encryption algorithm for the IKE proposal:
    root@ipsec-nm# set security ike proposal ike-proposal-name encryption-algorithm aes-192-cbc
  5. Set a lifetime for the IKE proposal, in seconds (180 through 86400):
    root@ipsec-nm# set security ike proposal ike-proposal-name lifetime-seconds seconds

Configuring IKE Policies

An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared key for the given peer. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

A match is made when both policies from the two peers have a proposal that contains the same configured attributes. If the lifetimes are not identical, the shorter lifetime between the two policies (from the host and peer) is used. The configured preshared key must also match its peer.

The key management daemon (kmd) determines which version of IKE is used in a negotiation. As the IKE initiator, it uses IKEv1 by default and keeps the configured version for the negotiation; as the IKE responder, it accepts IKEv1 connections. On IPSec-NM the gateway is configured with version v1-only (see Configuring IKE Gateway).

You can create multiple, prioritized proposals at each peer to ensure that at least one proposal matches the proposal of a remote peer.

Initially, you must configure one or more IKE proposals and associate these proposals with an IKE policy. You can also prioritize a list of proposals used by IKE in the policy statement by listing the proposals you want to use, from first to last.

To configure IKE policy, complete the following steps:

  1. Define an IKE policy with its phase 1 mode. Aggressive mode is shown because the example at the end of this page uses it; be aware that in IKEv1 aggressive mode with pre-shared keys the initiator identity is sent in the clear and a hash derived from the PSK is exposed to an offline dictionary attack, so prefer main mode where the peer addresses are fixed and use a long random PSK in either case:
    root@ipsec-nm# set security ike policy ike-policy-name mode aggressive
  2. Define the set of IKE proposals for the policy:
    root@ipsec-nm# set security ike policy ike-policy-name proposals proposal-name
  3. Define the pre-shared key for IKE (Junos OS stores it in the configuration in reversibly obfuscated $9$ form, so treat saved configurations as sensitive):
    root@ipsec-nm# set security ike policy ike-policy-name pre-shared-key ascii-text text-format

Configuring IKE Gateway

An IKE gateway identifies the remote peer and the local interface, address, and identity used to initiate and terminate IKE negotiations with it.

To configure an IKE gateway, complete the following steps:

  1. Associate the gateway with an IKE policy:
    root@ipsec-nm# set security ike gateway gateway-name ike-policy ike-policy-name
  2. Specify the address or hostname of the peer:
    root@ipsec-nm# set security ike gateway gateway-name address address-or-hostname-of-peer
  3. Enable dead peer detection (DPD) so that DPD messages are sent periodically regardless of traffic:
    root@ipsec-nm# set security ike gateway gateway-name dead-peer-detection always-send
  4. Configure the username of the Xauth client:
    root@ipsec-nm# set security ike gateway gateway-name xauth client username xauth-client-username
  5. Configure the password of the Xauth client:
    root@ipsec-nm# set security ike gateway gateway-name xauth client password xauth-client-password
  6. Set the interval between DPD messages, in seconds (10 through 60):
    root@ipsec-nm# set security ike gateway gateway-name dead-peer-detection interval seconds
  7. Set the maximum number of unanswered DPD messages before the peer is declared dead (1 through 5):
    root@ipsec-nm# set security ike gateway gateway-name dead-peer-detection threshold count
  8. Configure the external interface on which IKE negotiations take place (ge-0/0/2 is shown as an example):
    root@ipsec-nm# set security ike gateway gateway-name external-interface ge-0/0/2
  9. Configure the local IKE address:
    root@ipsec-nm# set security ike gateway gateway-name local-address local-address
  10. Configure the local IKE identity:
    root@ipsec-nm# set security ike gateway gateway-name local-identity <inet | inet6 | key-id | hostname | user-at-hostname | distinguished-name>
  11. Set the version of the IKE protocol:
    root@ipsec-nm# set security ike gateway gateway-name version v1-only

Configuring IKE Trace Options

Trace options are used for debugging and managing IPSec IKE; the trace file is the first place to look when a tunnel does not come up.

To configure IPSec IKE trace options, complete the following steps:

  1. Provide the name of the file in which trace information has to be written:
    root@ipsec-nm# set security ike traceoptions file file-name
  2. Specify the maximum size of the trace file:
    root@ipsec-nm# set security ike traceoptions file size file-size
  3. Specify the parameters to trace information for IKE:
    root@ipsec-nm# set security ike traceoptions flag all

Example: Configuring IKE, IPSec, and Security Zones

This example shows how to configure the interfaces, IKE, IPSec SAs, and security zone parameters on an IPSec-NM device, using the command syntax described in the procedures above.

Requirements

Before you begin:

Overview

In this example you configure IKE, IPSec SAs, and security zones. This example configures the parameters that are described in Table 1.

Table 1: IKE, IPSec SAs, and Security Zones Configuration

Feature (Name): Configuration Parameters

IKE traceoptions (ike traceoptions)
  • file kmd
  • file size 10m
  • flag all
  • level 15

IKE proposal (IKE_PROP)
  • authentication-method pre-shared-keys
  • dh-group group14
  • authentication-algorithm sha-256
  • lifetime-seconds 3600

IKE policy (IKE_POL)
  • mode aggressive
  • proposals IKE_PROP
  • pre-shared-key ascii-text <enter psk>

IKE gateway (GW1)
  • ike-policy IKE_POL
  • address 2.2.2.2
  • local-identity user-at-hostname "r0r2_store1@juniper.net"
  • external-interface ge-0/0/0
  • local-address 3.3.3.2
  • version v1-only

IPSec traceoptions (ipsec traceoptions)
  • flag all

IPSec proposal (IPSEC_PROP)
  • protocol esp
  • authentication-algorithm hmac-sha-256-128
  • encryption-algorithm aes-256-cbc
  • lifetime-seconds 2600

IPSec policy (IPSEC_POL)
  • perfect-forward-secrecy keys group14
  • proposals IPSEC_PROP

IPSec VPN (VPN1)
  • ike gateway GW1
  • ike ipsec-policy IPSEC_POL
  • traffic-selector VPN1_TS1 local-ip 51.0.1.0/24
  • traffic-selector VPN1_TS1 remote-ip 41.0.1.0/24
  • establish-tunnels immediately

Security flow (flow)
  • tcp-mss all-tcp mss 1300

Security policies (policies)
  • default-policy permit-all

Security zones (zones)
  • security-zone trust
  • security-zone untrust

Interfaces (ge-0/0/0)
  • unit 0 vlan-id 100
  • unit 0 family inet address 3.3.3.2/24
  • unit 0 family inet6 address 3000::1/64
  • vlan-tagging

Interfaces (ge-0/0/1)
  • unit 0 vlan-id 4088
  • unit 0 family inet address 51.0.1.1/24
  • unit 0 family inet6 address 5000::1/64
  • vlan-tagging

Routing options (routing-options)
  • static route 2.2.2.0/24 next-hop 21.1.1.2

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
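The set commands the page intends here are not present in this copy. The listing below was assembled by the editor from Table 1, using the command syntax given in the procedures above; it is an added example, not the page's own listing. Two items in it are assumptions rather than Table 1 values, and each is marked with a comment: the IKE proposal's encryption algorithm (Table 1 lists none, so aes-256-cbc is assumed to match IPSEC_PROP), and the final two zone statements that bind ge-0/0/0.0 to untrust with IKE as a permitted host-inbound service and ge-0/0/1.0 to trust, which a standard SRX requires before it accepts IKE on the external interface and passes traffic between the two interfaces but which Table 1 does not list. The pre-shared key is left as the table's placeholder. Remove the # comment lines before pasting into the CLI.

```junos
# IKE phase 1: trace options, proposal, policy, gateway (values from Table 1)
set security ike traceoptions file kmd
set security ike traceoptions file size 10m
set security ike traceoptions flag all
set security ike traceoptions level 15
set security ike proposal IKE_PROP authentication-method pre-shared-keys
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
# ASSUMPTION: Table 1 lists no IKE encryption algorithm; aes-256-cbc chosen to match IPSEC_PROP
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ike policy IKE_POL mode aggressive
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL pre-shared-key ascii-text "<enter psk>"
set security ike gateway GW1 ike-policy IKE_POL
set security ike gateway GW1 address 2.2.2.2
set security ike gateway GW1 local-identity user-at-hostname "r0r2_store1@juniper.net"
set security ike gateway GW1 external-interface ge-0/0/0
set security ike gateway GW1 local-address 3.3.3.2
set security ike gateway GW1 version v1-only
# IPSec phase 2: trace options, proposal, policy with PFS, VPN with one traffic selector
set security ipsec traceoptions flag all
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 2600
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC_POL
set security ipsec vpn VPN1 traffic-selector VPN1_TS1 local-ip 51.0.1.0/24
set security ipsec vpn VPN1 traffic-selector VPN1_TS1 remote-ip 41.0.1.0/24
set security ipsec vpn VPN1 establish-tunnels immediately
# Flow, default policy, and zones as listed in Table 1
set security flow tcp-mss all-tcp mss 1300
set security policies default-policy permit-all
set security zones security-zone trust
set security zones security-zone untrust
# Interfaces: VLAN-tagged, dual stack
set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 unit 0 vlan-id 100
set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.2/24
set interfaces ge-0/0/0 unit 0 family inet6 address 3000::1/64
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 0 vlan-id 4088
set interfaces ge-0/0/1 unit 0 family inet address 51.0.1.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 5000::1/64
# Route toward the IKE peer
set routing-options static route 2.2.2.0/24 next-hop 21.1.1.2
# ASSUMPTION: zone-to-interface bindings are not in Table 1; a standard SRX needs them
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
```

Table 1 points the static route for 2.2.2.0/24 at next-hop 21.1.1.2, which is not on either configured subnet; replace it with the real next-hop toward the peer before committing. After commit, show security ike security-associations should list 2.2.2.2 with state UP, and show security ipsec security-associations should list the SA for VPN1; if neither appears, show log kmd contains the negotiation trace written by the traceoptions above.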

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IKE, IPSec SAs, and security zones:

  1. Log in to an IPSec-NM device and enter configuration mode.
  2. Configure IKE traceoptions:
  3. Configure an IKE proposal:
  4. Configure an IKE policy:
  5. Configure an IKE gateway.
  6. Configure IPSec traceoptions:
  7. Configure an IPSec proposal.
  8. Configure an IPSec policy.
  9. Configure the IPSec VPN.
  10. Configure security flow:
  11. Configure security policies:
  12. Configure security zones:
  13. Configure interfaces for IPSec-NM:
  14. Configure routing options:

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Configuration

Purpose

Verify that the IKE, IPSec SA, and security zones configuration is correct.

Action

From operational mode, enter the show security ike security-associations command and confirm that the SA to 2.2.2.2 is in the UP state, then enter show security ipsec security-associations and confirm that an SA for VPN1 with traffic selector VPN1_TS1 (51.0.1.0/24 to 41.0.1.0/24) is listed; show security ipsec statistics should show the encrypted and decrypted packet counters increasing once management traffic flows. If no SA appears, show log kmd contains the IKE negotiation messages written by the traceoptions configured in this example. Also enter the show security flow session, show security policies, show security zones, show interfaces, and show route commands to check the remaining parameters (show routing-options is a configuration-mode command; its operational-mode counterpart is show route).
