
Defining the IPsec Protocols

The Security Policy area appears on the right, and the Authentication (Phase 1) icon and Key Exchange (Phase 2) icon appear in the Network Security Policy list, as shown in Figure 128.

Figure 128: Security Policy

Image enable_sec_policy.gif

Figure 129 shows the Algorithms area.

Figure 129: Algorithms Area

Image proposal1.gif

Figure 130: IPsec Protocols Area

Image phase2.gif

To define the Internet Protocol Security (IPsec) protocols for securing the VPN tunnel:

  1. Double-click Security Policy in the Network Security Policy list.
  2. Select Aggressive Mode in the Security Policy area.

    Note: In Aggressive Mode the peer identities and the responder's preshared-key authentication hash are sent before the exchange is encrypted, so anyone who captures the negotiation can test preshared-key guesses offline. Use a long, random preshared key.

  3. Select Enable Perfect Forward Secrecy (PFS). With PFS, each Phase 2 negotiation performs a fresh Diffie-Hellman exchange, so the IPsec keys are independent of the Phase 1 keys and of any preceding Phase 2 keys; compromising one key does not reveal the others.
  4. In the PFS Key Group drop-down list, select Diffie-Hellman Group 2.
  5. In the Security Policy List (left panel), select Authentication (Phase 1). Proposal 1 appears below the Authentication (Phase 1) icon.
  6. Select Proposal 1 to display the Authentication Method and Algorithms area, as shown in Figure 129.
  7. From the Authentication Method drop-down list, select Pre-Shared Key; Extended Authentication. This allows you to use XAuth.

    Note: XAuth must also be enabled on the J-series router running JUNOS software. XAuth allows password-prompt authentication in addition to a preshared key. If enabled, you are prompted for a password when initiating a VPN. See Configuring an Access Profile for XAuth and Configuring an IKE Gateway for more information on configuring XAuth.

  8. In the Authentication and Algorithms area, define the Encryption Algorithm AES-128 and the Hash Algorithm SHA-1. See Table 75 for brief descriptions of these algorithms.
  9. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  10. In the left panel, double-click the Key Exchange (Phase 2) icon. Proposal 1 appears below the icon.
  11. Select Proposal 1 to display the IPsec Protocols area as shown in Figure 130.
  12. In the IPsec Protocols area, define the SA Life (the lifetime of the security association) in either seconds or bytes, or leave it as Unspecified.

    Note: Unspecified lifetimes (Phase I and II) cause the NetScreen-Remote client to accept the values proposed by the router.

  13. Select Encapsulating Security Payload (ESP). ESP provides encryption, authentication, and an integrity check for IP datagrams.
  14. Select AES-128 as the encryption algorithm, SHA-1 as the hash algorithm, and Tunnel as the encapsulation method.

    Note: If you select the Connect using Secure Gateway Tunnel check box when defining Remote Party Identity and Addressing, the encapsulation method must be Tunnel—no other option is available.

  15. Click Save in the toolbar, or choose Save Changes from the File menu.

    The configuration for the NetScreen-Remote end of an eventual VPN tunnel using a preshared key is complete.
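The proposal configured in the steps above (Phase 1 in Aggressive Mode with a preshared key, SHA-1, Diffie-Hellman group 2; Phase 2 with PFS group 2 and ESP) maps directly onto the IKEv1 key derivation of RFC 2409. The following is an added worked example, not code from NetScreen-Remote or JUNOS, that derives the Phase 1 and Phase 2 keys with HMAC-SHA1 as the prf and the 1024-bit MODP group, and shows two points a practitioner should understand: why the Aggressive Mode preshared key must be strong (the responder's HASH_R is computed from values that are all visible on the wire except the key), and what PFS buys (an observer holding SKEYID_d can recompute the ESP KEYMAT only when PFS is off). Cookies, nonces, the SA payload body, the ID payload and the guessed-password list are constructed sample values.

```python
"""IKEv1 (RFC 2409) key derivation for the proposal configured above:
Phase 1 in Aggressive Mode with a pre-shared key, SHA-1 (HMAC-SHA1 as the
prf) and Diffie-Hellman group 2; Phase 2 (Quick Mode) with and without PFS.
Added illustration only; not code from NetScreen-Remote or JUNOS."""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2: 1024-bit MODP group (Diffie-Hellman group 2), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
GROUP2_LEN = 128  # bytes of a group 2 public value or shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """The IKEv1 prf when the hash algorithm is SHA-1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and the public value g^x encoded as on the wire."""
    x = 2 + secrets.randbelow(GROUP2_P - 3)
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def dh_shared(x: int, peer_pub: bytes) -> bytes:
    """Shared secret g^xy from our exponent and the peer's public value."""
    return pow(int.from_bytes(peer_pub, "big"), x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID for pre-shared-key authentication, then SKEYID_d, _a and _e."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def hash_r(skeyid, gxr, gxi, cky_i, cky_r, sai_b, idir_b):
    """HASH_R; in Aggressive Mode the responder sends it before encryption starts."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, gqm_xy=None):
    """Quick Mode KEYMAT. Without PFS it depends only on SKEYID_d and values
    visible on the wire; with PFS the fresh Quick Mode DH secret is mixed in."""
    if gqm_xy is None:
        return prf(skeyid_d, protocol + spi + ni2 + nr2)
    return prf(skeyid_d, gqm_xy + protocol + spi + ni2 + nr2)


def demo(psk=b"correct horse battery staple"):
    """Run one constructed exchange and report what an observer can recover."""
    # Constructed values standing in for the cookies, nonces and payload bodies.
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sai_b = bytes.fromhex("00000001000000010000002c")      # constructed SA body
    idir_b = b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1])   # ID_IPV4_ADDR 192.0.2.1

    # Phase 1: both peers reach the same g^xy and therefore the same SKEYID_d.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    skeyid, skeyid_d, _, _ = phase1_keys(psk, ni, nr, gxy, cky_i, cky_r)
    wire_hash_r = hash_r(skeyid, gxr, gxi, cky_i, cky_r, sai_b, idir_b)

    # Aggressive Mode caveat: every input to HASH_R except the PSK is on the wire,
    # so a captured exchange lets an observer test PSK guesses offline. A recovered
    # PSK allows impersonation of either peer (it does not by itself give g^xy).
    def psk_matches(candidate: bytes) -> bool:
        return hash_r(prf(candidate, ni + nr), gxr, gxi, cky_i, cky_r, sai_b, idir_b) == wire_hash_r

    guesses = [b"password", b"netscreen", b"correct horse battery staple"]  # constructed
    recovered = next((g for g in guesses if psk_matches(g)), None)

    # Phase 2: ESP (protocol 3) with a fresh SPI and nonces.
    proto, spi = b"\x03", secrets.token_bytes(4)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    keymat_no_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2)
    qi, gqi = dh_keypair()
    qr, gqr = dh_keypair()
    keymat_pfs_i = phase2_keymat(skeyid_d, proto, spi, ni2, nr2, dh_shared(qi, gqr))
    keymat_pfs_r = phase2_keymat(skeyid_d, proto, spi, ni2, nr2, dh_shared(qr, gqi))

    # An observer holding SKEYID_d (e.g. Phase 1 state leaked from an endpoint)
    # recomputes KEYMAT from wire-visible values only when PFS is off; with PFS it
    # would also need g(qm)^xy, which the public values gqi and gqr do not reveal.
    observer_no_pfs = phase2_keymat(skeyid_d, proto, spi, ni2, nr2)
    return {
        "psk_recovered": recovered,
        "peers_agree_with_pfs": keymat_pfs_i == keymat_pfs_r,
        "observer_recovers_without_pfs": observer_no_pfs == keymat_no_pfs,
        "pfs_changes_keymat": keymat_pfs_i != keymat_no_pfs,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints that the sample preshared key is found from the captured HASH_R, that both peers derive the same PFS KEYMAT, and that only the non-PFS KEYMAT can be recomputed from SKEYID_d and wire-visible values. The SA Life set in step 12 bounds how long any one KEYMAT is used; with PFS, each rekey repeats the Quick Mode Diffie-Hellman exchange.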

    Table 75: Encryption and Hash Algorithms

    DES

    Data Encryption Standard. A block cipher with a 56-bit key. The key is short enough to be found by exhaustive search, so DES is no longer considered secure.

    Triple DES

    DES applied three times with three independent keys (168 bits of key material, roughly 112 bits of effective strength). Stronger than DES, but slower than AES.

    AES

    Advanced Encryption Standard. A block cipher with a 128-bit block and a key of 128, 192, or 256 bits (AES-128, AES-192, AES-256). A longer key gives a larger margin against exhaustive search; all three sizes are considered secure.

    MD5

    Message Digest 5. Produces a 128-bit digest from a message of arbitrary length. IPsec uses it in HMAC form to verify the authenticity and integrity of each packet. MD5's collision resistance is broken; prefer SHA-1 or stronger where both peers support it.

    SHA-1

    Secure Hash Algorithm 1. Produces a 160-bit digest from a message of arbitrary length. Its longer digest made it the preferred choice over MD5. SHA-1 collisions have since been demonstrated, although HMAC-SHA1 as used in IPsec does not depend on collision resistance.

