[Contents] [Prev] [Next] [Index] [Report an Error]

Security Services Configuration Guidelines

To configure security services, include the following statements at the [edit security] hierarchy level:

[edit security]
authentication-key-chains {
key-chain key-chain-name {
key key {
secret secret-data;
start-time yyyy-mm-dd.hh:mm:ss;
}
}
}
certificates {
cache-size bytes;
cache-timeout-negative seconds;
certification-authority ca-profile-name {
ca-name ca-identity;
crl file-name;
encoding (binary | pem);
enrollment-url url-name;
file certificate-filename;
ldap-url url-name;
}
enrollment-retry attempts ;
local certificate-filename {
certificate-key-string;
load-key-file key-file-name;
}
maximum-certificates number;
path-length certificate-path-length;
}
ike {
proposal ike-proposal-name {
authentication-algorithm (md5 | sha1);
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2);
encryption-algorithm (3des-cbc | des-cbc | ase-128-cbc | ase-192-cbc | ase-256-cbc);
lifetime-seconds seconds;
}
policy ike-peer-address {
description description;
encoding (binary | pem);
identity identity-name;
local-certificate certificate-filename;
local-key-pair private-public-key-file;
mode (aggressive | main);
pre-shared-key (ascii-text key | hexadecimal key);
proposals [ proposal-names ];
}
}
ipsec {
security-association {
manual {
direction (bidirectional | inbound | outbound) {
protocol esp;
spi spi-value;
encryption {
algorithm 3des-cbc;
key ascii-text ascii-text-string;
}
}
}
}
proposal ipsec-proposal-name {
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
description description;
encryption-algorithm (3des-cbc | des-cbc);
lifetime-seconds seconds;
protocol (ah | esp | bundle);
}
policy ipsec-policy-name {
description description;
perfect-forward-secrecy {
keys (group1 | group2);
}
proposals [ proposal-names ];
}
security-association sa-name {
description description;
dynamic {
ipsec-policy policy-name;
replay-window-size (32 | 64);
}
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi auxiliary-spi;
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key );
}
protocol (ah | esp | bundle);
spi spi-value ;
}
}
mode (tunnel | transport);
}
}
pki {
ca-profile ca-profile-name {
ca-identity ca-identity;
enrollment {
url url-name;
retry number-of-attempts;
retry-interval seconds;
}
revocation-check {
disable;
crl {
disable on-download-failure;
refresh-interval number-of-hours;
url {
url-name;
password;
}
}
}
}
}
ssh-known-hosts {
host {
dsa-key key ;
rsa-key key ;
rsa1-key key ;
}
}
traceoptions {
file filename <files number> < size size>;
flag all;
flag database;
flag general;
flag ike;
flag parse;
flag policy-manager;
flag routing-socket;
flag timer;
}

Note: Most of the configuration statements do not have default values. If you do not specify an identifier for a statement that does not have a default value, you cannot commit the configuration.

For information about IP Security (IPSec) monitoring and troubleshooting, see the JUNOS System Basics and Services Command Reference.

This chapter describes how to configure IPSec for the ES PIC, IPSec digital certificates for adaptive services interfaces, and internal IPSec for JUNOS-FIPS. It also describes how to configure miscellaneous security services, including authentication key updates for Border Gateway Protocol (BGP) and Label Distribution Protocol (LDP), SSH host keys for secure copy, and Secure Sockets Layer (SSL) for JUNOScript client applications:

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.