Example: Configuring the Device as a Junos OS Enforcer Using IPsec (CLI)
To configure an SRX Series or J Series device to act as a Junos OS Enforcer using IPsec:
- Set system and syslog information using the following configuration statements. The ftp, telnet and HTTP web-management services are kept here as in the lab example; all three are cleartext management services and should be left out of a production enforcer, leaving ssh:

    system {
        host-name test_host;
        domain-name test.juniper.net;
        root-authentication {
            encrypted-password "$1$uhqXoD0T$6h26f0xXExOqkPHQLvaTF0";
        }
        services {
            ftp;
            ssh;
            telnet;
            web-management {
                http {
                    interface ge-0/0/0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            boot-server 1.2.3.4;
            server 1.2.3.4;
        }
    }
- Configure the interfaces using the following configuration statements. ge-0/0/0 is the interface that faces both the endpoints (the IKE external-interface) and the Infranet Controller:

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 10.64.75.135/16;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.100.54.1/16;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 10.101.54.1/16;
                }
            }
        }
    }
- Configure routing options using the following configuration statements:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.64.0.1;
            route 10.11.0.0/16 next-hop 10.64.0.1;
            route 172.0.0.0/8 next-hop 10.64.0.1;
            route 10.64.0.0/16 next-hop 10.64.0.1;
        }
    }
- Configure IKE under the security hierarchy using the following configuration statements. Both gateways are dynamic: ike-user-type group-ike-id lets every endpoint whose IKE identity falls under gateway1.juniper.net (or gateway2.juniper.net) share that gateway and its pre-shared key, and xauth access-profile infranet hands the per-user authentication to the RADIUS access profile configured below. IKEv1 main mode cannot select a pre-shared key by identity for peers whose addresses are not known in advance, which is why the example uses aggressive mode; aggressive mode sends the identity in the clear and exposes the pre-shared key to offline guessing, so use a long random key rather than a memorable one:

    security {
        ike {
            traceoptions {
                file ike;
                flag all;
            }
            proposal prop1 {
                authentication-method pre-shared-keys;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm 3des-cbc;
            }
            policy pol1 {
                mode aggressive;
                proposals prop1;
                pre-shared-key ascii-text "$9$YS4ZjmPQ6CuTz6Au0cSvWLxNbiHm";
            }
            gateway gateway1 {
                ike-policy pol1;
                dynamic {
                    hostname gateway1.juniper.net;
                    connections-limit 1000;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0;
                xauth access-profile infranet;
            }
            gateway gateway2 {
                ike-policy pol1;
                dynamic {
                    hostname gateway2.juniper.net;
                    connections-limit 1000;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0;
                xauth access-profile infranet;
            }
        }
    }
- Configure the IPsec proposal, policy and the two VPNs that bind to the gateways above (security hierarchy) using the following configuration statements. The 3des-cbc and hmac-sha1-96 algorithms are retained from the lab example; prefer an AES-based proposal where the endpoint client supports one:

    security {
        ipsec {
            proposal prop1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
                lifetime-seconds 86400;
            }
            policy pol1 {
                proposals prop1;
            }
            vpn vpn1 {
                ike {
                    gateway gateway1;
                    ipsec-policy pol1;
                }
                establish-tunnels immediately;
            }
            vpn vpn2 {
                ike {
                    gateway gateway2;
                    ipsec-policy pol1;
                }
                establish-tunnels immediately;
            }
        }
    }
- Configure screen options (security hierarchy) using the following configuration statements. An ids-option takes effect only when a zone references it (screen untrust-screen; under the zone); the zones configured in the next step do not, so add that statement to the untrust zone if the screen is meant to be enforced:

    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000;
                        timeout 20;
                    }
                    land;
                }
            }
        }
    }
- Configure zones (security hierarchy) using the following configuration statements. ge-0/0/0.0, which carries the IKE external-interface and the connection to the Infranet Controller, belongs to trust. Allowing all system services and protocols inbound on every zone is acceptable for a lab; on a production enforcer narrow it to what the device needs, notably ike on the zone holding the external-interface plus the management services in use:

    security {
        zones {
            security-zone trust {
                tcp-rst;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone zone101 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
        }
    }
- Configure the UAC policies (security hierarchy) using the following configuration statements. The two pol1 policies from trust to untrust and from trust to zone101 are the enforcement points: permit with tunnel ipsec-vpn sends matching traffic through vpn1 or vpn2, and application-services uac-policy subjects it to the access decisions the Infranet Controller pushes to this device. The default-permit and default-deny policies are inactive and kept only for reference. Policies are evaluated in order within each zone pair, so in from-zone trust to-zone zone101 the trailing policy test is never matched because pol1 already matches any source, destination and application. Note also that session-init and session-close events are emitted at info severity, so the syslog stanza in the first step (any critical) will not write them to the messages file unless a file accepting info-level messages is added:

    security {
        policies {
            inactive: from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                inactive: policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                inactive: policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
                policy pol1 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn vpn1;
                            }
                            application-services {
                                uac-policy;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy pol1 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
            from-zone trust to-zone zone101 {
                policy pol1 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn vpn2;
                            }
                            application-services {
                                uac-policy;
                            }
                        }
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
                policy test {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
    }
- Configure RADIUS server authentication access using the following configuration statements. The profile infranet is the one referenced by xauth access-profile in both IKE gateways; its RADIUS server is 10.64.160.120, the same host as the active Infranet Controller configured in the next step, which answers the XAuth requests for the enforcer's endpoints:

    access {
        profile infranet {
            authentication-order radius;
            radius-server {
                10.64.160.120 secret "$9$KBoWX-YgJHqfVwqfTzCAvWL";
            }
        }
    }
- Configure the Infranet Controller connection for UAC using the following configuration statements. IC27 is inactive, so prabaIC at 10.64.160.120, reached through ge-0/0/0.0, is the only active controller; the password must match the one the controller holds for this enforcer:

    services {
        unified-access-control {
            inactive: infranet-controller IC27 {
                address 3.23.1.2;
                interface ge-0/0/0.0;
                password "$9$Wjl8X-Vb2GDkev4aGUHkuOB";
            }
            infranet-controller prabaIC {
                address 10.64.160.120;
                interface ge-0/0/0.0;
                password "$9$jdkmT69pRhrz3hrev7Nik.";
            }
            traceoptions {
                flag all;
            }
        }
    }
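The following walk-through is an added verification example and is not part of the original Juniper page. It assumes the configuration above has been loaded on the device named test_host from the first step, that the operator logs in as a generic user, and that at least one endpoint has connected through gateway1. Every command is a standard Junos configuration-mode or operational-mode command; the comment lines state what each should show for this particular example.

```junos
# Added verification walk-through (not from the original page). Assumes the
# configuration above is loaded on test_host and at least one UAC endpoint
# has connected through gateway1.

# 1. Validate the candidate configuration and commit from configuration mode.
user@test_host# commit check
user@test_host# commit and-quit

# 2. Phase 1: one IKE SA per connected endpoint. With the dynamic gateways the
#    remote address column is the endpoint's address, the mode is Aggressive
#    and the state should be UP. An empty list means the endpoints are not
#    reaching ge-0/0/0, or the pre-shared key / group IKE ID does not match.
user@test_host> show security ike security-associations
user@test_host> show security ike security-associations detail

# 3. Phase 2: an inbound/outbound ESP SA pair for vpn1 (gateway1) and for vpn2
#    (gateway2), negotiated with the 3des-cbc / hmac-sha1-96 proposal prop1.
user@test_host> show security ipsec security-associations
user@test_host> show security ipsec statistics

# 4. Enforcer side: the connection to the Infranet Controller at 10.64.160.120
#    must be established, and endpoints that authenticated via XAuth must show
#    up in the authentication table the controller pushes to this device.
user@test_host> show services unified-access-control status
user@test_host> show services unified-access-control authentication-table

# 5. Policy side: pol1 must be the active trust-to-untrust policy (the
#    default-permit/default-deny entries are inactive) and its detail output
#    should list the ipsec-vpn tunnel together with the uac-policy application
#    service. Endpoint sessions then appear in the flow table against pol1.
user@test_host> show security policies from-zone trust to-zone untrust detail
user@test_host> show security flow session

# 6. Screen: untrust-screen only counts events once a zone references it
#    (screen untrust-screen; under the zone). As configured above it is not
#    bound, so these counters stay at zero until that statement is added.
user@test_host> show security screen statistics zone untrust
```

If step 2 shows IKE SAs but step 4 shows no authentication-table entries, the usual cause is the RADIUS exchange with the access profile infranet: the controller at 10.64.160.120 must be reachable from ge-0/0/0.0 and must hold the same shared secret.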
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding Junos OS Enforcer Implementations Using IPsec