JUNOSe 9.1.x IP Services Configuration Guide > Securing L2TP and IP Tunnels with IPSec > Configuring IPSec Transport Profiles

Configuring IPSec Transport Profiles

To configure an IPSec transport profile that will be used to secure DVMRP, GRE, or L2TP tunnels:

1. Create the profile.

host1(config)#ipsec transport profile secureGre virtual-router default ip address 
5.5.5.5 

host1(config-ipsec-transport-profile)# 

2. Specify one or more types of application that the profile secures.

host1(config-ipsec-transport-profile)#application gre dvmrp l2tp

You can then set any of the following parameters for the profile:

• Set a lifetime range for the IPSec connection in volume of traffic or seconds.

host1(config-ipsec-transport-profile)#lifetime seconds 3600 28800 kilobytes 
102400 4294967295

• Configure Perfect Forward Secrecy (PFS) for connections created with this IPSec transport profile.

host1(config-ipsec-transport-profile)#pfs group 5

• Specify one or more transform sets that an IPSec transport connection uses to negotiate a transform algorithm.

host1(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha 
esp-3des-hmac-md5

To display the available transform sets, issue the transform-set ? command.

• Specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection, and enter Local IPSec Transport Profile mode.

host1(config-ipsec-transport-profile)#local ip address 10.10.1.1

host1(config-ipsec-transport-profile-local)#

• (Optional) Configure a key for IKE negotiations. For example:

Enter the unencrypted key. The router encrypts the key and stores it in encrypted form. You can no longer retrieve the unencrypted key.

host1(config-ipsec-transport-profile-local)#pre-share secretforGre

application

• Use to specify the types of application secured by connections created with this IPSec transport profile. You can specify multiple applications on the same command line:

• dvmrp—Secures DVMRP tunnel traffic
• gre—Secures GRE tunnel traffic
• l2tp—Secures L2TP traffic
• l2tp-nat-passthrough—Secures L2TP traffic and also allows clients to connect from behind NAT devices that support IPSec passthrough. To allow these clients to connect, the router:

• Does not generate or verify UDP checksums. This does not compromise security, because IPSec protects UDP packets with an authentication algorithm far stronger than UDP checksums.
• Provides IPSec filtering based on the received IP address (the NAT public IP address), rather than filtering based on the negotiated IKE identities.

• Example

host1(config-ipsec-transport-profile)#application gre dvmrp l2tp

• Use the no version to return to the default application type, L2TP.

ipsec transport profile

• Use to create an IPSec transport profile and to enter IPSec Transport Profile Configuration mode. To create a new profile, you must include the following keywords:

• virtual-router—Name of the virtual router on which you want to create the profile
• ip address—Remote endpoint for the IPSec transport connection.

For L2TP/IPSec connections, you can enter a fixed IP address or the wildcard address, 0.0.0.0. If you use the wildcard address, the profile accepts any remote client connection, which is a typical scenario for secure remote access.

For GRE/IPSec and DVMRP/IPSec connections, you must enter a fixed address; the 0.0.0.0 wildcard address is not accepted and will return an error.

• Example

host1(config)#ipsec transport profile secureL2tp virtual-router default ip address 
5.5.5.5 

host1(config-ipsec-transport-profile)# 

• Use the no version to delete the profile.

lifetime

• Use to set a lifetime range for the IPSec connection in volume of traffic or in seconds or both.
• If the PC client offers a lifetime within this range, the router accepts the offer. If the PC client offers a lifetime outside this range, the router rejects the connection.
• Example

host1(config-ipsec-transport-profile)#lifetime seconds 900 86400 kilobytes 
100000 4294967295

• Use the no version to restore the default values, 100000–4294967295 KB and 900–86400 seconds (0.25–24 hours).

local ip address

• Use to specify the local endpoint (for L2TP, the LNS address) of the IPSec transport connection and to enter Local IPSec Transport Profile Configuration mode.
• You can enter this command multiple times in an IPSec transport profile.
• You can enter a fixed IP address or the wildcard address, 0.0.0.0. The wildcard address has a lower precedence than a fixed IP address.
  

  CAUTION: We recommend that you do not use address 0.0.0.0, because it allows any address to accept IKE calls, and it creates a group preshared key, which is not fully secure.

  
  
• Example

host1(config-ipsec-transport-profile)#local ip address 192.168.1.2 

host1(config-ipsec-transport-profile-local)#

• Use the no version to delete the IP address.

pfs group

• Use to configure perfect forward secrecy for connections created with this IPSec transport profile.
• Assign a Diffie-Hellman prime modulus group using one of the following keywords:

• 1—768-bit group
• 2—1024-bit group
• 5—1536-bit group

• Example

host1(config-ipsec-transport-profile)#pfs group 5

• Use the no version to remove PFS from this profile, which is the default setting.

pre-share

• Use to configure an unencrypted (red) preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for the local IP address. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
  

  CAUTION: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes where the missed security does not pose a risk to the provider.

  
  
• To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode.
• Example

host1(config-ipsec-transport-profile-local)#pre-share secretforL2tp

• Use the no version to remove the key.
  

  NOTE: After you enter a preshared key, the original (unencrypted) key cannot be retrieved. If you need to reenter the original key (for example, the system goes to factory default and you have only the show config output) you can: Use the show config command to see the encrypted (masked) form of the key. Use the pre-shared-masked command to enter the masked key. The system will behave the same as when you entered the first pre-share key command.

  
  

pre-share-masked

• Use to specify an encrypted preshared key. To obtain this key, you enter an unencrypted key using the pre-share command. You then run the show config command, and the router displays the preshared key in encrypted form. You enter the encrypted key using the pre-share-masked command.
• The router uses the preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for any local IP address specified for this transport profile. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.
  

  CAUTION: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the missed security does not pose a risk to the provider.

  
  
• To have preshared key authentication take place, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode.
• Example

host1(config-ipsec-transport-profile-local)#pre-share-masked 
AAAAGAAAAAcAAAACZquq4ABieTUBuNBELSY8b/L3CX/RcPX7

• There is no no version. To remove a key, use the no pre-share command.

transform-set

• Use to specify the transform set(s) that an IPSec transport connection can use to negotiate a transform algorithm. Each transform in the set provides a different combination of data authentication and confidentiality.
• To display the available transform sets, issue the transform-set ? command.
• Example

host1(config-ipsec-transport-profile)#transform-set esp-3des-hmac-sha

• Use the no version to reset the transform to the default, esp-3des-hmac-sha.