Configuration Tasks
This section explains the steps to configure an IPsec license and IPsec parameters, create an IPsec tunnel, and define an ISAKMP/IKE policy. The next section contains configuration examples.
Configuring an IPsec License
By default, and with no IPsec tunnel license, you can configure up to 10 IPsec tunnels on an ERX router. However, you can purchase licenses that support the following IPsec tunnel maximums:
- 1000
- 2000
- 4000
- 8000
- 16,000
- 32,000
The number of additional tunnels is independent of the number of ISMs installed in the router. However, the router chassis enforces the following tunnel limits:
- SRP 10G – 10,000
- SRP 40G – 20,000
license ipsec-tunnels
- Use to specify an IPsec tunnel license.

Note: Acquire the license from Juniper Networks Customer Services and Support or from your Juniper Networks sales representative.
- Example: host1(config)#license ipsec-tunnels license string
- Use the no version to disable the license.
- See license ipsec-tunnels.
Configuring IPsec Parameters
To configure IPsec:
- For each endpoint, create a transform set that provides the desired encryption and authentication.
host1(config)#ipsec transform-set customerAprotection esp-3des-hmac-sha
host1(config)#ipsec transform-set customerBprotection ah-hmac-md5
- Add a preshared key that the routers use to authenticate each other.
host1(config)#ipsec key manual pre-share 5.2.0.1
host1(config-manual-key)#key customerASecret
After you enter a preshared key, the router encrypts the key and displays it only in masked form, so that the cleartext key is not exposed in the configuration. If you need to reenter the key, you can enter it in its masked form with the masked-key command.
To see the masked form of the key:
host1#show config
ipsec key manual pre-share 10.10.1.1 masked-key "AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO"
To enter the masked key:
host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
- Define the local endpoint used for ISAKMP/IKE negotiations for all IPsec tunnels in the router.
host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router vr#8
- (Optional) Set the global (default) lifetime for all SAs on the router.
host1(config)#ipsec lifetime kilobytes 42000000
ipsec key manual pre-share
- Use to specify that a peer use a preshared key for authentication during the tunnel establishment phase, and to display the prompt that lets you enter the preshared key. To enter a key, use the key command.
- Specify the peer by using its IP address or fully qualified domain name (FQDN).
- FQDNs are supported only for signaled tunnels.
- The router must be in aggressive mode to use FQDNs with preshared keys.
- The identity string can include an optional user@ specification preceding the FQDN.
- You must enter this command in the virtual router context where the IP address of the peer is defined.
- Example 1, using an IP address:
host1(config)#ipsec key manual pre-share ip address 10.10.1.1
host1(config-manual-key)#
- Example 2, using an FQDN:
host1(config)#ipsec key manual pre-share identity branch245.customer77.isp.net
host1(config-manual-key)#
- Example 3, using an FQDN with a user@ specification:
host1(config)#ipsec key manual pre-share identity user4919@branch245.customer77.isp.net
host1(config-manual-key)#
- Use the no version to delete a manually configured key from the router.
- See ipsec key manual pre-share.
ipsec lifetime
- Use to set the global (default) lifetime in seconds or volume of traffic in kilobytes. The IPsec lifetime applies to tunnels that do not have a tunnel lifetime defined. When either limit is reached, the SA is renegotiated.
- To set a lifetime for all SAs on a tunnel, use the tunnel lifetime command.
- To set a lifetime for a specific SA, use lifetime.
- Example 1: host1(config)#ipsec lifetime kilobytes 42000000
- Example 2: host1(config)#ipsec lifetime seconds 8600
- Use the no version to restore the default values of 4294967295 kilobytes and 28800 seconds (8 hours).
- See ipsec lifetime.
ipsec local-endpoint
- Use to define a default local endpoint for ISAKMP/IKE negotiations and all IPsec tunnels for a transport virtual router.
- You must specify the IP address used as the local endpoint and the transport virtual router on which the IP address is defined.
- Example: host1(config)#ipsec local-endpoint 10.10.1.1 transport-virtual-router VR#8
- Use the no version to delete a local endpoint. You cannot remove an endpoint if a tunnel is referencing the endpoint.
- See ipsec local-endpoint.
ipsec transform-set
- Use to create a transform set. Each transform in a set provides a different combination of data authentication and confidentiality.
- Transform sets used for manually configured tunnels can have one transform.
- Transform sets used for signaled tunnels can have up to six transforms. The actual transform used on the tunnel is negotiated with the peer. Transforms are numbered in a priority sequence in the order in which you enter them.
- To display the names of the transforms that you can use in a transform set, issue the ipsec transform-set transformSetName ? command.
- Example: host1(config)#ipsec transform-set espSet esp-3des-hmac-md5 esp-3des-null-auth
- Use the no version to delete a transform set. You cannot remove a transform set if a tunnel is referencing the transform set.
- See ipsec transform-set.
key
- Use to enter a manual preshared key.
- Preshared keys can have up to 256 ASCII alphanumeric characters. To include spaces in the key, enclose the key in quotation marks.
- Example 1: host1(config-manual-key)#key dj5fe23owi8er49fdsa
- Example 2: host1(config-manual-key)#key "my key with spaces"
- There is no no version. To delete a key, use the no version of the ipsec key manual command.
- See key.
masked-key
- Use to enter the preshared key in masked form.
- For security purposes, the router displays the key only in masked form. If you delete the key or reboot the router to factory defaults, you can use this command to reenter the key in its masked form so that the key is not visible while you enter it.
- To see the masked key, use the show config command.
- Example:
host1#show config
ipsec key manual pre-share 10.10.1.1 masked-key "AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO"
host1#configure terminal
host1(config)#ipsec key manual pre-share 10.10.1.1
host1(config-manual-key)#masked-key AAAAGAAAAAcAAAACfd+SAsaVQ6Qeopt2rJOP6LDg+0hX5cMO
- There is no no version. To delete a key, use the no version of the ipsec key manual command.
- See masked-key.
Creating an IPsec Tunnel
To create an IPsec tunnel:
- Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface.
host1(config)#virtual-router vrA
host1:vrA(config)#
- Create an IPsec tunnel, and specify the transport VR.
host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
host1:vrA(config-if)#
- Specify the IP address of this tunnel interface.
host1:vrA(config-if)#ip address 10.3.0.0 255.255.0.0
- Specify the transform set that ISAKMP uses for SA negotiations.
host1:vrA(config-if)#tunnel transform-set customerAprotection
- Configure the local endpoint of the tunnel.
host1:vrA(config-if)#tunnel local-identity subnet 10.1.0.0 255.255.0.0
- Configure the peer endpoint of the tunnel.
host1:vrA(config-if)#tunnel peer-identity subnet 10.3.0.0 255.255.0.0
- Specify an existing interface address that the tunnel uses as its source address.
host1:vrA(config-if)#tunnel source 5.1.0.1
- Specify the address or identity of the tunnel destination endpoint.
host1:vrA(config-if)#tunnel destination identity branch245.customer77.isp.net
host1:vrA(config-if)#exit

Note: FQDNs are used when tunnel destination endpoints do not have a fixed address, as in cable and DSL environments.
- For manual tunnels, specify the algorithm sets and the session key used for inbound SAs and for outbound SAs.
host1:vrA(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678
host1:vrA(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
- (Optional) Configure PFS on this tunnel.
host1:vrA(config-if)#tunnel pfs group 5
- (Optional) Set the tunnel type to signaled or manual. The default is signaled.
host1:vrA(config-if)#tunnel signaling isakmp
- (Optional) Set the renegotiation time of the SAs in use by this tunnel.
host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
- (Optional) Set the MTU size for the tunnel.
host1(config-if)#tunnel mtu 2240
interface tunnel
- Use to create or configure an IPsec tunnel interface.
- Use the transport-virtual-router keyword to establish the tunnel on a virtual router other than the current virtual router context.
- Example:
host1(config)#interface tunnel ipsec:jak transport-virtual-router tvr041
host1(config-if)#
- Use the no version to remove the tunnel.
- See interface tunnel.
tunnel destination
- Use to set the address or identity of the remote tunnel endpoint.
- For signaled IPsec tunnels in cable or DSL environments, use the FQDN to identify the remote tunnel endpoint, which does not have a fixed IP address.
- The identity string can include an optional user@ specification preceding the FQDN.
- Example 1: host1(config-if)#tunnel destination 10.10.11.12
- Example 2: host1(config-if)#tunnel destination identity branch245.customer77.isp.net
- Example 3: host1(config-if)#tunnel destination identity user4919@branch245.customer77.isp.net
- Use the no version to remove the address.
- See tunnel destination.
tunnel lifetime
- Use to set the renegotiation time of the SAs in use by this tunnel.
- To configure the lifetime in number of seconds, use the seconds keyword to specify the lifetime in the range 1800–864000. The default value is 28800 seconds.
- To configure the lifetime in amount of traffic, use the kilobytes keyword to specify the lifetime in the range 102400–4294967295. The default is an unlimited volume.
- If you include the seconds keyword as the first keyword on the command line, you can also include the kilobytes keyword on the same line.
- Before either the volume of traffic or number of seconds limit is reached, the SA is renegotiated, which ensures that the tunnel does not go down during renegotiation.
- Example: host1(config-if)#tunnel lifetime seconds 48000 kilobytes 249000
- Use the no version to restore the default lifetime (28800 seconds) and an unlimited volume.
- See tunnel lifetime.
tunnel local-identity
- Use to configure the local identity (selector) of the tunnel. Specify the identity using one of the following keywords:
- address—Specifies an IP address as the local identity
- subnet—Specifies a subnet as the local identity
- range—Specifies a range of IP addresses as the local identity
- Example 1: host1(config-if)#tunnel local-identity range 10.10.1.1 10.10.2.1
- Example 2: host1(config-if)#tunnel local-identity subnet 10.10.1.1 255.255.255.0
- Use the no version to restore the default identity, which is subnet 0.0.0.0 0.0.0.0.
- See tunnel local-identity.
tunnel mtu
- Use to set the MTU size for the tunnel.
- Example: host1(config-if)#tunnel mtu 2240
- Use the no version to restore the default MTU (1440).
- See tunnel mtu.
tunnel peer-identity
- Use to configure the peer identity (selector) that ISAKMP uses. Specify the identity using one of the following keywords:
- address—Specifies an IP address as the peer identity
- subnet—Specifies a subnet as the peer identity
- range—Specifies a range of IP addresses as the peer identity
- Example 1: host1(config-if)#tunnel peer-identity range 10.10.1.1 10.10.2.2
- Example 2: host1(config-if)#tunnel peer-identity subnet 130.10.1.1 255.255.255.0
- Use the no version to remove the peer identity.
- See tunnel peer-identity.
tunnel pfs group
- Use to configure perfect forward secrecy (PFS) on this tunnel.
- Assign a Diffie-Hellman prime modulus group using one of the following keywords:
- 1—768-bit group
- 2—1024-bit group
- 5—1536-bit group
- Example: host1(config-if)#tunnel pfs group 5
- Use the no version to remove PFS from this tunnel.
- See tunnel pfs group.
tunnel session-key-inbound
- Use to manually configure the authentication or encryption algorithm sets and session keys for inbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
- Use the online Help to see a list of available algorithm sets.
- Each key is an arbitrary hexadecimal string. If the algorithm set includes:
- DES, create an 8-byte key using 16 hexadecimal characters
- 3DES, create a 24-byte key using 48 hexadecimal characters
- MD5, create a 16-byte key using 32 hexadecimal characters
- SHA, create a 20-byte key using 40 hexadecimal characters
- Example: host1(config-if)#tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678
- Use the no version to remove inbound session keys from a tunnel.
- See tunnel session-key-inbound.
tunnel session-key-outbound
- Use to manually configure the authentication or encryption algorithm sets, SPI, and session keys for outbound SAs on a tunnel. You can enter this command only on tunnels that have tunnel signaling set to manual.
- Use the online Help to see a list of available algorithm sets.
- The SPI is a number in the range 256–4294967295 that identifies an SA.
- Each key is an arbitrary hexadecimal string. If the algorithm set includes:
- DES, create an 8-byte key using 16 hexadecimal characters
- 3DES, create a 24-byte key using 48 hexadecimal characters
- MD5, create a 16-byte key using 32 hexadecimal characters
- SHA, create a 20-byte key using 40 hexadecimal characters
- Example: host1(config-if)#tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b
- Use the no version to remove outbound session keys from a tunnel.
- See tunnel session-key-outbound.
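The key-length and SPI rules for manually keyed tunnels are easy to get wrong by hand, so they are worth checking before a configuration is pushed. The following Python script is an added example, not ERX software or Juniper code: it validates tunnel session-key-inbound and tunnel session-key-outbound lines against the lengths stated above (DES 16, 3DES 48, MD5 32, SHA 40 hexadecimal characters) and the SPI range 256–4294967295, using the page's own example lines plus one constructed faulty line. The way it splits an algorithm set name such as esp-3des-hmac-md5 into a cipher and a hash part is an assumption of the example, not documented router behaviour.

```python
"""Checker for manually keyed tunnel session keys (added example; not ERX code).

Encodes the rules the page gives for tunnel session-key-inbound and
tunnel session-key-outbound: each key is a hex string whose length is fixed
by the algorithm (DES 16, 3DES 48, MD5 32, SHA 40 hex characters), and the
outbound command also carries an SPI in the range 256-4294967295.  Splitting
a set name such as esp-3des-hmac-md5 into cipher and hash components is an
assumption of this example, not documented router behaviour.
"""
import re

# Required key length in hexadecimal characters, as stated on the page.
HEX_LEN = {"des": 16, "3des": 48, "md5": 32, "sha": 40}
SPI_RANGE = (256, 4294967295)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def algorithms_in(algorithm_set):
    """Return (cipher, hash) named by an algorithm set; None for an absent part.

    Assumed naming: 'esp-<cipher>-...' names the cipher ('null' meaning none)
    and 'hmac-<hash>' names the integrity algorithm, so 'ah-hmac-md5' has no
    cipher and 'esp-3des-null-auth' has no hash.
    """
    tokens = algorithm_set.lower().split("-")
    cipher = None
    if tokens[0] == "esp" and len(tokens) > 1 and tokens[1] in HEX_LEN:
        cipher = tokens[1]
    hash_alg = None
    if "hmac" in tokens and tokens.index("hmac") + 1 < len(tokens):
        candidate = tokens[tokens.index("hmac") + 1]
        hash_alg = candidate if candidate in HEX_LEN else None
    return cipher, hash_alg


def validate_session_keys(algorithm_set, keys, spi=None):
    """Return a list of problems (empty when the keys fit the algorithm set).

    keys: hex strings in command-line order, cipher key first, then hash key;
    a component the set lacks has no key.  spi: outbound direction only.
    """
    problems = []
    cipher, hash_alg = algorithms_in(algorithm_set)
    expected = [(name, HEX_LEN[name]) for name in (cipher, hash_alg) if name]
    if len(keys) != len(expected):
        problems.append(f"{algorithm_set}: expected {len(expected)} key(s), got {len(keys)}")
        return problems
    for (name, need), key in zip(expected, keys):
        if not HEX_RE.fullmatch(key):
            problems.append(f"{name}: key is not a hexadecimal string")
        elif len(key) != need:
            problems.append(f"{name}: {len(key)} hex characters, needs {need} ({need // 2} bytes)")
    lo, hi = SPI_RANGE
    if spi is not None and not lo <= spi <= hi:
        problems.append(f"SPI {spi} outside {lo}-{hi}")
    return problems


def check_command(line):
    """Validate one 'tunnel session-key-inbound|outbound ...' CLI line."""
    parts = line.split()
    if len(parts) >= 3 and parts[:2] == ["tunnel", "session-key-inbound"]:
        return validate_session_keys(parts[2], parts[3:])
    if len(parts) >= 4 and parts[:2] == ["tunnel", "session-key-outbound"]:
        if not parts[3].isdigit():
            return [f"SPI {parts[3]!r} is not a number"]
        return validate_session_keys(parts[2], parts[4:], spi=int(parts[3]))
    return ["not a tunnel session-key command"]


if __name__ == "__main__":
    lines = [
        # The page's own examples.
        "tunnel session-key-inbound esp-des-hmac-md5 a7bd567917bd5679 bd5678a7bd567917bd567917bd567678",
        "tunnel session-key-outbound esp-3des-hmac-md5 421 567917bd567917bd567917bd545a17bd567917bd56784a7b fda183bef567917bd567917bd567917b",
        # Constructed mistakes: a 15-character DES key and an SPI below 256.
        "tunnel session-key-outbound esp-des-hmac-md5 100 a7bd567917bd567 bd5678a7bd567917bd567917bd567678",
    ]
    for line in lines:
        print(line.split()[1], check_command(line) or "ok")
```

Run the script and both documented lines pass, while the constructed line reports two problems (the short DES key and the out-of-range SPI); a key that is the right length but contains non-hexadecimal characters is reported separately.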
tunnel signaling
- Use to set the tunnel type to signaled (ISAKMP) or manual. Specify a keyword:
- isakmp—Specifies to use ISAKMP/IKE to negotiate SAs and to establish keys
- manual—Specifies that security parameters and keys are configured manually
- Example: host1(config-if)#tunnel signaling manual
- Use the no version to restore the default value, isakmp.
- See tunnel signaling.
tunnel source
- Use to specify an existing interface address that serves as the tunnel's source address.
- For signaled IPsec tunnels in cable or DSL environments, you can optionally use an FQDN to identify the tunnel endpoint.
- Example: host1(config-if)#tunnel source 10.10.2.8
- Use the no version to remove the tunnel source.
- See tunnel source.
tunnel transform-set
- Use to specify the transform set that ISAKMP uses during SA negotiations on this tunnel. You create transform sets using ipsec transform-set.
- Example: host1(config-if)#tunnel transform-set espSet
- Use the no version to remove the transform set from a tunnel.
- See tunnel transform-set.
Configuring DPD and IPsec Tunnel Failover
You can use the ipsec option dpd command to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive. If an IPsec tunnel destination backup is configured, the router redirects traffic to the alternate destination when DPD detects a disconnection between the E Series router and the regular tunnel destination. See tunnel destination backup.
To enable DPD and create an alternate IPsec tunnel destination for failover:
- Enable DPD on the router.
host1(config)#ipsec option dpd
- Enter virtual router mode. Specify the VR that contains the source and destination addresses assigned to the tunnel interface (that is, the transport virtual router context).
host1(config)#virtual-router vrA
host1:vrA(config)#
- Create an IPsec tunnel, and specify the transport VR.
host1:vrA(config)#interface tunnel ipsec:Aottawa2boston transport-virtual-router default
host1:vrA(config-if)#
- Specify the address or identity of the tunnel destination backup endpoint.
host1:vrA(config-if)#tunnel destination backup identity branch500.customer77.isp.net
ipsec option dpd
- Use to enable dead peer detection (DPD) on the router. DPD is also known as IKE keepalive.
- You configure DPD on a per-virtual router basis.
- Both peers must support DPD.
- Example: host1(config)#ipsec option dpd
- Use the no version to restore the default, which disables DPD.
- See ipsec option dpd.
tunnel destination backup
- Use to specify the address or identity of the remote IPsec tunnel endpoint that is a backup tunnel destination. When DPD detects a disconnection between the E Series router and the regular IPsec tunnel destination, the router redirects traffic to the tunnel destination backup, and vice versa.
- You can use either the IP address or fully qualified domain name (FQDN) to identify the backup IPsec tunnel; however, you must use the same type of identity that is used to specify the regular tunnel destination.
- For signaled IPsec tunnels in cable or DSL environments, use the FQDN to identify the tunnel destination backup, which does not have a fixed IP address.
- The identity string can include an optional user@ specification preceding the FQDN (this is also known as a user FQDN).

Note: If you use an FQDN to specify the IPsec tunnel destination backup, the tunnel is not initiated by the ERX router. However, the router does respond to negotiations for this backup tunnel.
- Examples:
host1(config-if)#tunnel destination backup 10.10.11.15
host1(config-if)#tunnel destination backup identity branch245.customer88.isp.net
host1(config-if)#tunnel destination backup identity user4925@branch245.customer88.isp.net
- Use the no version to restore the default in which the regular tunnel destination is also the backup tunnel destination.
- See tunnel destination backup.
Defining an IKE Policy
IKE policies define parameters that the router uses during IKE phase 1 negotiation.
To create an IKE policy, enter the ipsec ike-policy-rule command with a priority number:
host1(config)#ipsec ike-policy-rule 3
host1(config-ike-policy)#
You can then set the following parameters, or use the default settings:
- Allow aggressive mode negotiation.
host1(config-ike-policy)#aggressive-mode
- Specify the authentication method.
host1(config-ike-policy)#authentication pre-share
- Specify the encryption algorithm.
host1(config-ike-policy)#encryption 3des
- Assign a Diffie-Hellman group.
host1(config-ike-policy)#group 5
- Set the hash algorithm.
host1(config-ike-policy)#hash md5
- Specify the lifetime of IKE SAs created using this policy.
host1(config-ike-policy)#lifetime 360
aggressive-mode
- Use to enable aggressive mode negotiation for the tunnel.
- If you specify aggressive mode negotiation, the tunnel proposes aggressive mode to the peer in connections that the policy initiates.
- If the peer initiates a negotiation, the tunnel accepts the negotiation if the mode matches this policy.
- Use the accepted keyword to accept aggressive mode when proposed by peers.
- Use the requested keyword to request aggressive mode when negotiating with peers.
- Use the required keyword to only request and accept aggressive mode when negotiating with peers.
- Example: host1(config-ike-policy)#aggressive-mode accepted
- Use the no version to set the negotiation mode to main mode.
- See aggressive-mode.
authentication
- Use to specify the authentication method the router uses in the IKE policy: preshared keys or RSA signature.
- Example: host1(config-ike-policy)#authentication pre-share
- Use the no version to restore the default, preshared keys.
- See authentication.
encryption
- Use to specify one of the following encryption algorithms to use in the IKE policy:
- 3des—168-bit 3DES-CBC
- des—56-bit DES-CBC
- Example: host1(config-ike-policy)#encryption 3des
- Use the no version to restore the default encryption algorithm, 3DES.
- See encryption.
group
- Use to assign a Diffie-Hellman group to the IKE policy. Specify:
- 1—768-bit group
- 2—1024-bit group
- 5—1536-bit group
- Example: host1(config-ike-policy)#group 5
- Use the no version to restore the default.
- See group.
hash
- Use to set the hash algorithm for the IKE policy:
- md5—MD5 (HMAC variant)
- sha—SHA-1 (HMAC variant)
- Example: host1(config-ike-policy)#hash md5
- Use the no version to restore the default, sha.
- See hash.
ipsec ike-policy-rule
ipsec isakmp-policy-rule
Note: The ipsec ike-policy-rule command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
- Use to define an IKE policy.
- When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
- You can add up to 10 IKE policies per router.
- Example:
host1(config)#ipsec ike-policy-rule 3
host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
- See ipsec ike-policy-rule.
- See ipsec isakmp-policy-rule.
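As an added example (not ERX software or Juniper code), the Python model below shows how a policy table with the ipsec ike-policy-rule properties behaves: numbering in 1–10000 with 1 the highest priority, a cap of 10 policies per router, the per-parameter defaults documented in this section (3DES, SHA-1 HMAC, preshared keys, 28800 seconds, main mode), and the no form without a number removing every policy. The page does not state how a peer's phase 1 proposal is matched against the policies, nor the default Diffie-Hellman group; the example assumes exact equality on encryption, hash, group and authentication method, requires the group to be given explicitly, and treats the accepted and requested aggressive-mode settings as accepting a peer in either mode. The policies and proposals in it are constructed.

```python
"""Priority-ordered IKE policy table (added example; not ERX router code).

Models what the page states for ipsec ike-policy-rule: policies are numbered
1-10000 with 1 the highest priority, at most 10 policies exist per router,
'no ipsec ike-policy-rule' without a number removes every policy, and each
policy starts from the documented defaults (3DES, SHA-1 HMAC, preshared keys,
28800 s lifetime, main mode).  The matching rule in select() is an
assumption of this example, not documented router behaviour.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_POLICIES = 10
PRIORITY_RANGE = (1, 10000)


@dataclass
class IkePolicy:
    priority: int
    group: int                          # page states no default group, so it is required here
    encryption: str = "3des"            # default of the encryption command
    hash_alg: str = "sha"               # default of the hash command (SHA-1 HMAC)
    authentication: str = "pre-share"   # default of the authentication command
    lifetime: int = 28800               # default IKE SA lifetime, seconds
    aggressive_mode: Optional[str] = None  # None = main mode; else accepted/requested/required

    def accepts_mode(self, peer_mode):
        """Whether a peer-initiated exchange in peer_mode ('main' or
        'aggressive') matches this policy.  'required' means aggressive only
        and no keyword means main only (both from the page); treating
        'accepted' and 'requested' as taking either mode is an assumption."""
        if self.aggressive_mode is None:
            return peer_mode == "main"
        if self.aggressive_mode == "required":
            return peer_mode == "aggressive"
        return peer_mode in ("main", "aggressive")


class IkePolicyTable:
    def __init__(self):
        self._rules: Dict[int, IkePolicy] = {}

    def has_room(self):
        return len(self._rules) < MAX_POLICIES

    def add(self, priority, **settings):
        """'ipsec ike-policy-rule N' plus the settings entered under it."""
        lo, hi = PRIORITY_RANGE
        if not lo <= priority <= hi:
            raise ValueError(f"policy number {priority} outside {lo}-{hi}")
        if priority not in self._rules and not self.has_room():
            raise ValueError(f"at most {MAX_POLICIES} IKE policies per router")
        self._rules[priority] = IkePolicy(priority, **settings)
        return self._rules[priority]

    def remove(self, priority=None):
        """'no ipsec ike-policy-rule [N]': omitting N removes all policies."""
        if priority is None:
            self._rules.clear()
        else:
            self._rules.pop(priority, None)

    def ordered(self):
        """Policies from highest priority (lowest number) to lowest."""
        return [self._rules[p] for p in sorted(self._rules)]

    def select(self, proposal, peer_mode="main"):
        """First policy, in priority order, whose encryption, hash, group and
        authentication equal the peer's proposal and whose mode setting admits
        peer_mode (assumed matching rule)."""
        for pol in self.ordered():
            same_suite = (pol.encryption, pol.hash_alg, pol.group, pol.authentication) == (
                proposal["encryption"], proposal["hash"], proposal["group"],
                proposal["authentication"])
            if same_suite and pol.accepts_mode(peer_mode):
                return pol
        return None


if __name__ == "__main__":
    # Constructed configuration: three policies, entered out of numeric order.
    table = IkePolicyTable()
    table.add(3, group=5, hash_alg="md5", aggressive_mode="accepted")
    table.add(1, group=2)
    table.add(7, group=5, encryption="des", hash_alg="md5")
    # Constructed peer proposal: 3DES / MD5 / group 5 / preshared keys, aggressive mode.
    chosen = table.select({"encryption": "3des", "hash": "md5", "group": 5,
                           "authentication": "pre-share"}, peer_mode="aggressive")
    print("selected policy:", chosen.priority if chosen else None)
```

Because a policy that is never entered keeps every default, the only way to reach policy 7 in the constructed table is with a DES proposal; this is the practical reason to keep the highest-numbered (lowest-priority) policies the weakest, so that a strong proposal is always answered by a strong policy.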
lifetime
- Use to specify the lifetime of IKE SAs.
- The range is 60–86400 seconds.
- Example: host1(config-ike-policy)#lifetime 360
- Use the no version to reset the SA lifetime to the default, 28800 seconds.
- See lifetime.
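To make the ranges and fallback rules in the tunnel lifetime, ipsec lifetime and IKE-policy lifetime sections concrete, here is an added Python example (not ERX software or Juniper code). It parses a tunnel lifetime line and enforces the rule that kilobytes may only follow seconds, resolves which limits an IPsec SA actually runs under when the tunnel has or lacks its own lifetime (tunnel lifetime if defined, else the global ipsec lifetime, else the documented defaults), checks an IKE-policy lifetime against its range, and shows which of the two limits triggers renegotiation first at a given traffic rate. Treating a keyword that is missing from the command in force as taking the documented default is an assumption of the example, and the traffic rate used is constructed.

```python
"""SA lifetime rules from the tunnel lifetime, ipsec lifetime and IKE-policy
lifetime commands (added example; not ERX router code).

Ranges and defaults are the page's.  The fallback order in
effective_lifetime() follows the page; treating a keyword absent from the
command in force as the documented default is an assumption of this example.
"""

TUNNEL_SECONDS = (1800, 864000)
TUNNEL_KILOBYTES = (102400, 4294967295)
IKE_SECONDS = (60, 86400)
DEFAULT_SECONDS = 28800         # 8 hours
DEFAULT_KILOBYTES = 4294967295  # the page's "unlimited volume"


def parse_tunnel_lifetime(line):
    """Parse 'tunnel lifetime seconds N [kilobytes M]' or
    'tunnel lifetime kilobytes M'; raise ValueError on bad input."""
    parts = line.split()
    if parts[:2] != ["tunnel", "lifetime"]:
        raise ValueError("not a tunnel lifetime command")
    args = parts[2:]
    keywords = args[0::2]
    # kilobytes may share a line with seconds only when seconds comes first.
    if keywords not in (["seconds"], ["kilobytes"], ["seconds", "kilobytes"]) \
            or len(args) != 2 * len(keywords):
        raise ValueError("usage: tunnel lifetime seconds N [kilobytes M] | "
                         "tunnel lifetime kilobytes M")
    result = {}
    for keyword, value in zip(keywords, args[1::2]):
        n = int(value)
        lo, hi = TUNNEL_SECONDS if keyword == "seconds" else TUNNEL_KILOBYTES
        if not lo <= n <= hi:
            raise ValueError(f"{keyword} {n} outside {lo}-{hi}")
        result[keyword] = n
    return result


def lifetime_error(line):
    """None if the line is a valid tunnel lifetime command, else the error text."""
    try:
        parse_tunnel_lifetime(line)
        return None
    except ValueError as exc:
        return str(exc)


def ike_lifetime(seconds):
    """Validate an IKE-policy 'lifetime' value (IKE SA lifetime in seconds)."""
    lo, hi = IKE_SECONDS
    if not lo <= seconds <= hi:
        raise ValueError(f"IKE lifetime {seconds} outside {lo}-{hi}")
    return seconds


def effective_lifetime(tunnel=None, global_=None):
    """(seconds, kilobytes) an IPsec SA on a tunnel runs under.

    tunnel: dict from parse_tunnel_lifetime, or None when the tunnel has no
    lifetime of its own.  global_: dict with 'seconds' and/or 'kilobytes'
    from the router-wide ipsec lifetime command, or None.
    """
    chosen = tunnel if tunnel else (global_ or {})
    return (chosen.get("seconds", DEFAULT_SECONDS),
            chosen.get("kilobytes", DEFAULT_KILOBYTES))


def seconds_until_rekey(limits, kilobytes_per_second):
    """Which limit is reached first at a steady traffic rate, and when.
    Returns (seconds, 'seconds' | 'kilobytes')."""
    seconds, kilobytes = limits
    by_volume = kilobytes / kilobytes_per_second
    if by_volume < seconds:
        return by_volume, "kilobytes"
    return float(seconds), "seconds"


if __name__ == "__main__":
    tunnel = parse_tunnel_lifetime("tunnel lifetime seconds 48000 kilobytes 249000")
    global_ = {"kilobytes": 42000000}   # the page's ipsec lifetime example
    print("tunnel with own lifetime:", effective_lifetime(tunnel, global_))
    print("tunnel without own lifetime:", effective_lifetime(None, global_))
    print("no lifetimes configured:", effective_lifetime())
    # Constructed rate: 12500 kilobytes per second, roughly 100 Mbit/s.
    print("first limit hit:", seconds_until_rekey(effective_lifetime(tunnel), 12500))
    print("reordered keywords:", lifetime_error("tunnel lifetime kilobytes 249000 seconds 48000"))
```

At 12,500 kilobytes per second the page's example of 48000 seconds with 249000 kilobytes renegotiates after about 20 seconds, so on a busy tunnel the volume limit, not the time limit, sets the rekey interval; this is worth checking before copying a kilobytes value from an example into production.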
Refreshing SAs
To refresh ISAKMP/IKE or IPsec SAs:
ipsec clear sa
- Use to refresh ISAKMP/IKE or IPsec SAs.
- To reinitialize all SAs, use the all keyword.
- To reinitialize SAs on a specific tunnel, use the tunnel keyword.
- To reinitialize SAs on tunnels that are in a specific state, use the state keyword.
- To specify the type of SA to be reinitialized, ISAKMP/IKE or IPSEC, use the phase keyword.
- Example: host1(config)#ipsec clear sa all phase 2
- There is no no version.
- See ipsec clear sa.
Enabling Notification of Invalid Cookies
The IKE protocol enables peers to exchange informational messages. The payload of these messages can be a notify type or a delete type. These messages are expected to be protected (encrypted) by the keys negotiated by the peers when they establish a security association as a result of the IKE phase 1 exchange.
If a responder peer does not recognize the initiator-responder cookie pair, it can send an invalid cookie notification message to the initiator. The responder might fail to recognize the cookie pair because it has lost the cookie, or because it deleted the cookie and then the peer lost the delete notification. Upon receipt of the invalid cookie notification, the initiator peer can delete the phase 1 state.
The ability to send the invalid cookie message is disabled by default. You can issue the ipsec option tx-invalid-cookie command to enable the feature on a per-transport-VR basis.
Even when you configure this feature, the E Series router does not act on an invalid cookie notification that it receives. These notifications are not protected by a phase 1 key exchange and are therefore subject to denial-of-service (DoS) attacks. Instead, the E Series router determines that a phase 1 relationship has gone stale by timeouts or by dead peer detection (DPD). For this reason, this feature is useful only when the E Series router is a responding peer for non–E Series devices that cannot detect when the phase 1 relationship goes stale.
ipsec option tx-invalid-cookie
- Use to enable the router to send an invalid cookie notification to an IKE peer when the router does not recognize the initiator-responder cookie pair.
- Example: host1(config)#ipsec option tx-invalid-cookie
- Use the no version to restore the default, disabling the ability to send an invalid cookie notification.
- See ipsec option tx-invalid-cookie.