Configuring Encryption

To configure IPSec encryption, include the encryption statement and specify an algorithm and key at the [edit services ipsec-vpn rule rule-name term term-name then manual direction direction] hierarchy level:

The algorithm can be one of the following:

• des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.
• 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
• aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption algorithm.
• aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption algorithm.
• aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption algorithm.

Note: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409, The Internet Key Exchange (IKE). The AES encryption algorithms use a software implementation that has much lower throughput, so DES remains the recommended option. For reference information on AES encryption, see RFC 3602, The AES-CBC Cipher Algorithm and Its Use with IPsec. For 3des-cbc, the first 8 bytes should differ from the second 8 bytes, and the second 8 bytes should be the same as the third 8 bytes. If you configure an authentication proposal but do not include the encryption statement, the result is NULL encryption. Certain applications expect this result. If you configure no specific authentication or encryption values, the JUNOS software uses the default values of sha1 for the authentication and 3des-cbc for the encryption.

The key can be one of the following:

• ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
• hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

  Note: You cannot configure encryption when you use the AH protocol.