
    Configuring Security Associations

    To use Internet Protocol Security (IPsec) services, you create a Security Association (SA) between hosts.


    Note: Both OSPFv2 and OSPFv3 support IPsec authentication. However, dynamic or tunnel mode IPsec SAs are not supported for OSPFv3. If you add SAs into OSPFv3 by including the ipsec-sa statement at the [edit protocols ospf3 area area-number interface interface-name] hierarchy level, your configuration fails to commit. For more information about OSPF authentication and other OSPF properties, see the Junos OS Routing Protocols Library.

    Security Associations Overview

    A security association (SA) is a set of security parameters that dictates how IPsec processes a packet. The SA defines the authentication and encryption algorithms, the key exchange mechanism, and the other rules that govern secure communication between two parties. An SA is a simplex (one-way) connection, so a single secure tunnel uses at least two SAs, one for each direction. You can configure two types of SAs:

    • Manual—Requires no negotiation; all values, including the keys, are static and specified in the configuration. Manual SAs statically define the Security Parameter Index (SPI) values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. As a result, each peer must have the same configured options for communication to take place. Because the keys change only when you reconfigure them, a manual SA offers no rekeying: anyone who obtains the configured key can decrypt or forge traffic for as long as that key stays in use.

      In IPsec, the SPI is a numeric identifier that, together with the destination address and the security protocol, identifies an SA. When IKE establishes an SA, the SPI is chosen randomly; when you configure an SA manually, you must enter the SPI as a parameter.

      For information about how to configure a manual SA, see Configuring Manual Security Associations.

    • Dynamic—Specifies proposals to be negotiated with the tunnel peer. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. Dynamic SAs require additional configuration. The dynamic SA includes one or more proposal statements, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer. With dynamic SAs, you configure Internet Key Exchange (IKE) first and then the SA. IKE is the part of IPsec that provides a way to exchange keys for encryption and authentication securely over an unsecured medium such as the Internet.

      IKE employs Diffie-Hellman methods and is optional in IPsec (the shared keys can be entered manually at the endpoints). IKE creates dynamic security associations; it negotiates SAs for IPsec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. This connection is then used to dynamically agree upon keys and other data used by the dynamic IPsec SA. The IKE SA is negotiated first and then used to protect the negotiations that determine the dynamic IPsec SAs. IKE enables a pair of security gateways to:

      • Dynamically establish a secure tunnel over which security gateways can exchange tunnel and key information.
      • Set up user-level tunnels or SAs, including tunnel attribute negotiations and key management. These tunnels can also be refreshed and terminated on top of the same secure channel.

      For information about how to configure a dynamic SA, see Configuring Dynamic Security Associations.

    Note: In an environment in which Juniper Networks MX Series routers interoperate with Cisco ASA devices, IKE security associations (SAs) and IPsec SAs are deleted immediately on the Cisco ASA devices but are retained on the MX Series routers. As a result, 100 percent traffic loss occurs on the MX Series routers when traffic is initiated from either side. This happens when a service PIC or a line card is restarted on the MX Series routers, or when a shutdown/no shutdown command sequence or a change in speed setting is performed on the Cisco ASA devices. Because the stale SAs on the MX Series routers are not cleared on their own, you must delete the IPsec and IKE SAs manually by entering the clear ipsec security-associations and clear ike security-associations commands, respectively. For the PIC-restart case, you can also have the router clear the SAs automatically, as described in Clearing Security Associations.


    Configuring Manual Security Associations

    Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place.

    To configure a manual IPsec security association, include statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        auxiliary-spi auxiliary-spi-value;
        encryption {
            algorithm algorithm;
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }

    To configure manual SA statements, do the following:

    Configuring the Direction for IPsec Processing

    The direction statement specifies inbound or outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option.

    To configure the direction of IPsec processing, include the direction statement at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction (inbound | outbound | bidirectional) {
    ...
    }

    Example: Using Different Configuration for the Inbound and Outbound Directions

    Define different keys and security parameter index values for each direction (the algorithm may differ as well). The keys shown are 24-character placeholders that satisfy the 3des-cbc length requirement; use randomly generated keys in production, and keep each SPI within the 256 through 16,639 range that the spi statement accepts:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction inbound {
        protocol esp;
        spi 16384;
        encryption {
            algorithm 3des-cbc;
            key ascii-text 123456789012345678901234;
        }
    }
    direction outbound {
        protocol esp;
        spi 8192;
        encryption {
            algorithm 3des-cbc;
            key ascii-text 12345678901234567890abcd;
        }
    }

    Example: Using the Same Configuration for the Inbound and Outbound Directions

    Define one set of algorithms, keys, and security parameter index values that is valid in both directions:

    [edit services ipsec-vpn rule rule-name term term-name then manual]
    direction bidirectional {
        protocol ah;
        spi 10001;
        authentication {
            algorithm hmac-md5-96;
            key ascii-text 123456789012abcd;
        }
    }

    Configuring the Protocol for a Manual IPsec SA

    IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). The AH protocol is used for strong authentication. A third option, bundle, uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.

    To configure the IPsec protocol, include the protocol statement and specify the ah, esp, or bundle option at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    protocol (ah | bundle | esp);

    Configuring the Security Parameter Index

    An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.

    Note: Each manual SA must have a unique SPI and protocol combination. Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

    To configure the SPI, include the spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    spi spi-value;

    Configuring the Auxiliary Security Parameter Index

    Use the auxiliary SPI when you configure the protocol statement to use the bundle option.

    Note: Each manual SA must have a unique SPI and protocol combination.

    To configure the auxiliary SPI, include the auxiliary-spi statement and specify a value (from 256 through 16,639) at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    auxiliary-spi auxiliary-spi-value;

    Configuring Authentication for a Manual IPsec SA

    To configure an authentication algorithm, include the authentication statement and specify an authentication algorithm and a key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }

    The algorithm can be one of the following:

    • hmac-md5-96—HMAC based on MD5 that authenticates the packet data. It produces a 128-bit digest, of which the first 96 bits are carried in the packet as the authenticator (the integrity check value, ICV).
    • hmac-sha1-96—HMAC based on SHA-1 that authenticates the packet data. It produces a 160-bit digest, of which the first 96 bits are carried as the authenticator. Of the two options, prefer hmac-sha1-96; treat hmac-md5-96 as a legacy choice kept for interoperability.

    The key can be one of the following:

    • ascii-text—ASCII text key. With the hmac-md5-96 option, the key contains 16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.
    • hexadecimal—Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.
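To make the truncation concrete, here is an added Python example (not Junos code and not taken from this page) that computes and verifies the 96-bit ICV for both algorithms using only the standard library. It feeds the inputs of RFC 2202 test case 1 so the untruncated digest can be compared with a published vector; the "tampered" packet is constructed for the demonstration, and the key lengths enforced are the ones this section states.

```python
"""HMAC-MD5-96 and HMAC-SHA1-96 as used for the IPsec ICV (added example, not
Junos code). A full HMAC digest (128 bits for MD5, 160 bits for SHA-1) is
computed over the authenticated data and truncated to its first 96 bits, which
is the Integrity Check Value carried in the packet (RFC 2403 / RFC 2404)."""
import hashlib
import hmac

ICV_BYTES = 12  # 96 bits

ALGORITHMS = {
    # name on the page -> (hash constructor, required key length in bytes)
    "hmac-md5-96": (hashlib.md5, 16),
    "hmac-sha1-96": (hashlib.sha1, 20),
}


def icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Return the 96-bit ICV of `data` under `algorithm`, enforcing the key length."""
    digestmod, key_len = ALGORITHMS[algorithm]
    if len(key) != key_len:
        raise ValueError(f"{algorithm} needs a {key_len}-byte key, got {len(key)}")
    return hmac.new(key, data, digestmod).digest()[:ICV_BYTES]


def verify_icv(algorithm: str, key: bytes, data: bytes, received: bytes) -> bool:
    """Recompute the ICV and compare in constant time, never with ==, so a
    remote attacker cannot learn how many leading bytes already matched."""
    return hmac.compare_digest(icv(algorithm, key, data), received)


# Inputs of RFC 2202 test case 1; the untruncated digests are published there.
RFC2202_KEY_MD5 = bytes([0x0B] * 16)
RFC2202_KEY_SHA1 = bytes([0x0B] * 20)
RFC2202_DATA = b"Hi There"


def demo() -> dict:
    """Authenticate the sample data, then check an intact and a tampered copy."""
    tag = icv("hmac-sha1-96", RFC2202_KEY_SHA1, RFC2202_DATA)
    tampered = RFC2202_DATA.replace(b"Hi", b"Ho")  # constructed: one byte altered
    return {
        "icv_hex": tag.hex(),
        "accepts_original": verify_icv("hmac-sha1-96", RFC2202_KEY_SHA1, RFC2202_DATA, tag),
        "accepts_tampered": verify_icv("hmac-sha1-96", RFC2202_KEY_SHA1, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver side is the part worth copying: recompute the ICV from the received packet and the SA's key, then compare with hmac.compare_digest; a plain byte comparison leaks timing information about the correct tag.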

    Configuring Encryption for a Manual IPsec SA

    To configure IPsec encryption, include the encryption statement and specify an algorithm and key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

    [edit services ipsec-vpn rule rule-name term term-name then manual direction direction]
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }

    The algorithm can be one of the following:

    • des-cbc—Data Encryption Standard (DES) in CBC mode. It has a block size of 8 bytes (64 bits) and a 64-bit key, of which 56 bits are effective and 8 are parity bits.
    • 3des-cbc—Triple DES (encrypt-decrypt-encrypt) in CBC mode. It has the same 8-byte block size as DES and a 192-bit key made up of three 64-bit DES keys (168 effective bits).
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

    Note: For a list of Data Encryption Standard (DES) weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE); never configure one of them. On the service PICs this guide describes, the AES encryption algorithms use a software implementation that has much lower throughput than DES. Even so, single DES has only a 56-bit effective key and can be brute-forced, so prefer an AES option (aes-128-cbc or stronger) whenever the peer supports it, and treat des-cbc as a legacy choice kept for interoperability. For reference information on AES encryption, see RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec.

    For 3des-cbc, the three 8-byte subkeys should all differ. In particular, if the second 8 bytes equal the third 8 bytes, the encrypt-decrypt-encrypt construction cancels out and the result is single DES under the first 8 bytes; if all three subkeys are equal, the result is likewise single DES.

    If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the Junos OS uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

    The key can be one of the following:

    • ascii-text—ASCII text key, one character per key byte. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters. The aes-128-cbc, aes-192-cbc, and aes-256-cbc options take 16, 24, and 32 ASCII characters, respectively.
    • hexadecimal—Hexadecimal key, two characters per key byte. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters. The aes-128-cbc, aes-192-cbc, and aes-256-cbc options take 32, 48, and 64 hexadecimal characters, respectively.

      Note: You cannot configure encryption when you use the AH protocol.
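As an added example, not Juniper code or configuration, the following Python script checks a manual SA before it is pasted into the router. It encodes the constraints this section states (the SPI range, the key length for each algorithm, no encryption with AH, an auxiliary SPI for bundle, a unique SPI and protocol pair per SA) together with the two pitfalls noted above: repeated 3DES subkeys and the DES weak and semiweak keys of RFC 2409. The AES key lengths follow from the key sizes (16, 24 and 32 bytes); the dictionary layout and the sample rule are constructed for this example.

```python
"""Pre-commit checks for Junos-style manual IPsec SA parameters (added example,
not Juniper code). Encoded constraints: SPI range 256-16639, key length per
algorithm (ascii-text is one byte per character, hexadecimal two characters per
byte), no encryption with AH, auxiliary-spi with bundle, a unique (SPI, protocol)
pair per SA, distinct 3DES subkeys, and the DES weak/semiweak keys of RFC 2409."""
import string

SPI_MIN, SPI_MAX = 256, 16639
AUTH_KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24,
                 "aes-128-cbc": 16, "aes-192-cbc": 24, "aes-256-cbc": 32}
# The 4 weak and 12 semiweak DES keys; compared with every byte's parity bit
# cleared so a key written with either parity is still caught.
_DES_WEAK_HEX = (
    "0101010101010101 FEFEFEFEFEFEFEFE 1F1F1F1F0E0E0E0E E0E0E0E0F1F1F1F1 "
    "011F011F010E010E 1F011F010E010E01 01E001E001F101F1 E001E001F101F101 "
    "01FE01FE01FE01FE FE01FE01FE01FE01 1FE01FE00EF10EF1 E01FE01FF10EF10E "
    "1FFE1FFE0EFE0EFE FE1FFE1FFE0EFE0E E0FEE0FEF1FEF1FE FEE0FEE0FEF1FEF1").split()

def _strip_parity(k: bytes) -> bytes:
    return bytes(b & 0xFE for b in k)

DES_WEAK_KEYS = {_strip_parity(bytes.fromhex(h)) for h in _DES_WEAK_HEX}

def key_bytes(key: dict) -> bytes:
    """Convert {"ascii-text": s} or {"hexadecimal": h} to the raw key bytes."""
    if "ascii-text" in key:
        return key["ascii-text"].encode("ascii")
    h = key["hexadecimal"]
    if len(h) % 2 or any(c not in string.hexdigits for c in h):
        raise ValueError(f"malformed hexadecimal key {h!r}")
    return bytes.fromhex(h)

def check_direction(d: dict) -> list:
    """Check one direction block; returns problem strings (empty list = ok)."""
    problems, proto = [], d.get("protocol")
    if proto not in ("ah", "esp", "bundle"):
        problems.append(f"protocol must be ah, esp or bundle, got {proto!r}")
    if "spi" not in d:
        problems.append("spi is required")
    for name in ("spi", "auxiliary-spi"):
        if name in d and not SPI_MIN <= d[name] <= SPI_MAX:
            problems.append(f"{name} {d[name]} is outside {SPI_MIN}-{SPI_MAX}")
    if proto == "bundle" and "auxiliary-spi" not in d:
        problems.append("bundle needs auxiliary-spi for its second SA")
    if proto == "ah" and "encryption" in d:
        problems.append("encryption cannot be configured with AH")
    for block, table in (("authentication", AUTH_KEY_BYTES), ("encryption", ENC_KEY_BYTES)):
        if block not in d:
            continue
        alg = d[block].get("algorithm")
        if alg not in table:
            problems.append(f"unknown {block} algorithm {alg!r}")
            continue
        try:
            k = key_bytes(d[block]["key"])
        except ValueError as err:
            problems.append(str(err))
            continue
        if len(k) != table[alg]:
            problems.append(f"{alg} key is {len(k)} bytes, needs {table[alg]}")
        elif alg in ("des-cbc", "3des-cbc"):
            subkeys = [k[i:i + 8] for i in range(0, len(k), 8)]
            if len(set(subkeys)) != len(subkeys):
                problems.append("3des-cbc subkeys repeat; EDE degenerates to single DES")
            if any(_strip_parity(s) in DES_WEAK_KEYS for s in subkeys):
                problems.append(f"{alg} uses a DES weak or semiweak subkey")
    return problems

def check_rule(terms: dict) -> list:
    """Check every term's `then manual` block of one rule and keep each
    (SPI, protocol) pair unique across the rule. terms maps term name -> directions."""
    problems, owner_of = [], {}
    for term, dirs in terms.items():
        if set(dirs) not in ({"bidirectional"}, {"inbound", "outbound"}):
            problems.append(f"{term}: use bidirectional, or both inbound and outbound")
        for dname, d in dirs.items():
            problems += [f"{term} {dname}: {p}" for p in check_direction(d)]
            for spi_name in ("spi", "auxiliary-spi"):
                if spi_name in d:
                    ident = (d[spi_name], d.get("protocol"))
                    owner = owner_of.setdefault(ident, term)
                    if owner != term:
                        problems.append(f"{term} {dname}: SPI {ident[0]}/{ident[1]} already used by {owner}")
    return problems

# Constructed sample: the page's two examples (keys and SPIs within the stated
# limits) plus a term that breaks three rules on purpose.
SAMPLE_RULE = {
    "esp-term": {
        "inbound": {"protocol": "esp", "spi": 16384, "encryption": {"algorithm": "3des-cbc",
                    "key": {"ascii-text": "123456789012345678901234"}}},
        "outbound": {"protocol": "esp", "spi": 8192, "encryption": {"algorithm": "3des-cbc",
                     "key": {"ascii-text": "12345678901234567890abcd"}}}},
    "ah-term": {
        "bidirectional": {"protocol": "ah", "spi": 10001, "authentication": {
            "algorithm": "hmac-md5-96", "key": {"ascii-text": "123456789012abcd"}}}},
    "bad-term": {  # colliding SPI, short HMAC key, DES weak key
        "bidirectional": {"protocol": "esp", "spi": 16384,
            "authentication": {"algorithm": "hmac-sha1-96", "key": {"ascii-text": "tooshort"}},
            "encryption": {"algorithm": "des-cbc", "key": {"hexadecimal": "0101010101010101"}}}},
}
```

Running check_rule(SAMPLE_RULE) reports three problems, all in bad-term; the two terms taken from the page's examples pass. The weak-key test clears the parity bit of each byte before comparing, because a key typed with the opposite parity is the same DES key.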

    Configuring Dynamic Security Associations

    You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and therefore do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.

    To enable a dynamic SA, follow these steps:

    1. Configure Internet Key Exchange (IKE) proposals and IKE policies associated with these proposals.
    2. Configure IPsec proposals and an IPsec policy associated with these proposals.
    3. Associate an SA with an IPsec policy by configuring the dynamic statement.

    To configure a dynamic SA, include the dynamic statement and specify an IPsec policy name at the [edit services ipsec-vpn rule rule-name term term-name then] hierarchy level. The ike-policy statement is optional unless you use the preshared key authentication method.

    [edit services ipsec-vpn rule rule-name term term-name then]
    dynamic {
        ike-policy policy-name;
        ipsec-policy policy-name;
    }

    Note: If you want to establish a dynamic SA, the attributes in at least one configured IPsec and IKE proposal must match those of its peer.

    Clearing Security Associations

    You can set up the router software to clear IKE or IPsec SAs automatically when the corresponding services PIC restarts or is taken offline. To configure this property, include the clear-ike-sas-on-pic-restart or clear-ipsec-sas-on-pic-restart statement at the [edit services ipsec-vpn] hierarchy level:

    [edit services ipsec-vpn]
    clear-ike-sas-on-pic-restart;
    clear-ipsec-sas-on-pic-restart;

    After you add this statement to the configuration, all the IKE or IPsec SAs corresponding to the tunnels in the PIC will be cleared when the PIC restarts or goes offline.

    Modified: 2017-10-05