Configuring VPN on a Device Running Junos OS

This section describes sample configurations of an IPsec VPN on a Junos OS device using the following IKE authentication methods:

Configuring VPN on a Device Running Junos OS Overview

Figure 1 illustrates the VPN topology used in all the examples described in this section. Here, H0 and H1 are the host PCs, R0 and R2 are the two endpoints of the IPsec VPN tunnel, and R1 is a router to route traffic between the two different networks.

Note:

The router R1 can be a Linux-based router, a Juniper Networks device, or any other vendor router.

Figure 1: VPN Topology

Table 1 provides a complete list of the supported IKE protocols, tunnel modes, Phase 1 negotiation modes, authentication methods and algorithms, encryption algorithms, and DH groups for IKE authentication and encryption (Phase 1, IKE proposal) and for IPsec authentication and encryption (Phase 2, IPsec proposal). The listed protocols, modes, and algorithms are the ones supported and required for 23.4R1 Common Criteria.

Table 1: VPN Combination Matrix

Phase 1 Proposal (P1, IKE)

  • IKE Protocol: IKEv1, IKEv2

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Method: rsa-signatures (with RSA key sizes 2048 or 4096), ecdsa-signatures-256, ecdsa-signatures-384

  • Authentication Algorithm: sha-256, sha-384

  • DH Group: group14, group19, group20

  • Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm

Phase 2 Proposal (P2, IPsec)

  • IKE Protocol: IKEv1, IKEv2

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Algorithm: hmac-sha1-96, hmac-sha-256-128

  • DH Group (PFS): group14, group19, group20

  • Encryption Method: ESP

  • Encryption Algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm

Note:

Network Address Translation-Traversal (NAT-T) is not supported in IPsec VPN.

Note:

Juniper Networks devices always operate in tunnel mode for IPsec tunnels. No additional configuration is required for the TOE to operate in tunnel mode.

Note:

The following sections provide sample IKEv1 IPsec VPN configurations for selected algorithms. The authentication and encryption algorithms can be replaced in the configurations to obtain the user's desired configuration. Use the set security ike gateway <gw-name> version v1-only command for an IKEv1 IPsec VPN and the set security ike gateway <gw-name> version v2-only command for an IKEv2 IPsec VPN.

The TOE supports the use of an IP address, Fully Qualified Domain Name (FQDN), or user FQDN in the SAN field of the certificate as reference identifiers, along with the Distinguished Name (DN). CN reference identifiers are not supported, and the contents of the CN field are disregarded unless the DN reference identifier is being used. The TOE validates reference identifiers by comparing the configured identifier against the SAN or DN field of the presented peer certificate, depending on the configured identifier type. The connection is accepted only on an exact match between the two.

Configuring the Lifetime for an IPsec SA

In the evaluated configuration, the TOE permits configuration of the:

  • IKEv1 Phase 1 and IKEv2 SA lifetimes in terms of length of time (180 to 86,400 seconds, that is, 0.05 to 24 hours),

  • IKEv1 Phase 2 SA lifetime in terms of length of time (180 to 28,800 seconds, that is, 0.05 to 8 hours),

  • IKEv2 Child SA lifetimes in terms of kilobytes (64 to 4,294,967,294) and length of time (180 to 28,800 seconds, that is, 0.05 to 8 hours).

The TOE implements the following CLI commands to configure the Phase 1 lifetime in seconds:

set security ike proposal <name> lifetime-seconds <seconds>

Note:

A Phase 1 lifetime of 23 hours 40 minutes or less must be configured to ensure that the rekey happens before the 24 hour mark.

Phase 2/Child SA lifetime is configured in seconds using the following command:

set security ipsec proposal <name> lifetime-seconds <seconds>

Note:

When configured with a Phase 2 lifetime of 8 hours (28800 seconds), the device initiates a rekey before reaching the lifetime to ensure continuous VPN connectivity. Instead of rekeying exactly at the lifetime expiration, the device triggers a rekey at around 98% of the configured value.

For example, when configured with a lifetime value of 8 hours (28800 seconds), the actual rekey happens at around the 7 hour 50 minute mark (28200 seconds).

To ensure rekeying happens on time, administrators should configure the Phase 2 lifetime values accordingly, knowing that the device will initiate rekeying before the full duration is reached.

Child SA lifetime is configured in kilobytes using the following command:

set security ipsec proposal <name> lifetime-kilobytes <kb>

Configuring an IPsec VPN with an RSA Signature for IKE Authentication

In this section, the administrator configures devices running Junos OS for IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 2.

Table 2: IKE/IPsec Authentication and Encryption

Phase 1 Proposal (P1, IKE)

  • IKE Protocol: IKEv1

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Method: rsa-signatures (with RSA key size 2048)

  • Authentication Algorithm: sha-256

  • DH Group: group19

  • Encryption Algorithm: aes-128-cbc

Phase 2 Proposal (P2, IPsec)

  • IKE Protocol: IKEv1

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Algorithm: hmac-sha-256-128

  • DH Group (PFS): group19

  • Encryption Method: ESP

  • Encryption Algorithm: aes-128-cbc

Generating or Deleting key-pair for IKE Endpoint Authentication

To generate a key-pair for IKE endpoint authentication, enter the following command:

For RSA:

For ECDSA:

Location of PKI Keys and Certificates:

  • Private Keys – Stored securely in the device's internal key storage. Administrators do not access the private key file directly; instead, they reference it by label or certificate name.

  • Public Keys / Certificates – Typically stored in the /var/db/certs/ directory or managed via the Junos configuration hierarchy under /etc/ssl/certs/ and /var/db/config/.

  • CA Certificates – Loaded from external files and associated with a CA profile. These are referenced in the configuration, not manually browsed.

Format Details:

  • Key Format – RSA keys are the most common and are generated in PEM format.

  • Certificate Format – X.509 standard, also in PEM format.

  • CSR Format – PKCS#10, used when requesting certificates from a CA.

To delete a key-pair for IKE endpoint authentication, enter the following command:

Configuring IPsec VPN with RSA Signature as IKE Authentication on the Initiator or Responder

To configure the IPsec VPN with RSA signature IKE authentication on the initiator:

  1. Configure the PKI, generate and load the CA certificate, local certificate and Certificate Revocation List (CRL). See Managing the Trust Store (Certificates and Authorities).

  2. Generate the RSA key pair. See Generating or Deleting key-pair for IKE Endpoint Authentication.

  3. Configure the local identity and remote identity parameters.

    Syntax
    Hierarchy Level
    Options
    • distinguished-name—Specify identity as the distinguished name (DN) from the certificate. If there is more than one certificate on the device, use the security ike gateway gateway-name policy policy-name certificate local-certificate certificate-id.

      Optional container and wildcard strings can be specified:

      • container container-string—Specify a string for the container.

      • wildcard wildcard-string—Specify a string for the wildcard.

    • hostname hostname—Specify identity as a fully qualified domain name (FQDN).

    • inet ip-address—Specify identity as an IPv4 address.

    • user-at-hostname e-mail-address—Specify identity as an e-mail address.

    local-identity configuration options:

    IP-Address:

    remote-identity configuration options:

    IP-Address:

    FQDN:

    User FQDN:

    DN:

  4. Configure the IKE proposal.

    Note:

    Here, ike-proposal1 is the name given by the authorized administrator.

  5. Configure the IKE policy.

    Note:

    The mode can be configured as Aggressive. However, for Common Criteria compliance, main mode must be used.

  6. Configure the IPsec proposal.

    Note:

    Here, ipsec-proposal1 is the name given by the authorized administrator.

  7. Configure the IPsec policy.

    Note:

    Here, ipsec-policy1 is the name given by the authorized administrator.

  8. Configure the IKE.

    Note:

    Here, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and fe-0/0/1 is the local outbound interface as VPN endpoint. The following configuration is also needed for IKEv1.

  9. Configure VPN.

    Note:

    Here, vpn1 is the VPN tunnel name given by the authorized administrator.

  10. Configure the outbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  11. Configure the inbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  12. Commit the configuration.

Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication

In this section, the administrator configures devices running Junos OS for IPsec VPN using an ECDSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 3.

Table 3: IKE or IPsec Authentication and Encryption

Phase 1 Proposal (P1, IKE)

  • IKE Protocol: IKEv1

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Method: ecdsa-signatures-256

  • Authentication Algorithm: sha-384

  • DH Group: group14

  • Encryption Algorithm: aes-256-cbc

Phase 2 Proposal (P2, IPsec)

  • IKE Protocol: IKEv1

  • Tunnel Mode: Route

  • Phase 1 Negotiation Mode: Main

  • Authentication Algorithm: No Algorithm

  • DH Group (PFS): group14

  • Encryption Method: ESP

  • Encryption Algorithm: aes-256-gcm

Configuring IPsec VPN with ECDSA signature IKE authentication on the Initiator

To configure the IPsec VPN with ECDSA signature IKE authentication on the initiator:

  1. Configure the PKI, generate and load the CA certificate, local certificate and Certificate Revocation List (CRL). See Managing the Trust Store (Certificates and Authorities).

  2. Generate the RSA key pair. See Generating or Deleting key-pair for IKE Endpoint Authentication.

  3. Configure the local identity and remote identity parameters.

    Syntax
    Hierarchy Level
    Options
    • distinguished-name—Specify identity as the distinguished name (DN) from the certificate. If there is more than one certificate on the device, use the security ike gateway gateway-name policy policy-name certificate local-certificate certificate-id.

      Optional container and wildcard strings can be specified:

      • container container-string—Specify a string for the container.

      • wildcard wildcard-string—Specify a string for the wildcard.

    • hostname hostname—Specify identity as a fully qualified domain name (FQDN).

    • inet ip-address—Specify identity as an IPv4 address.

    • user-at-hostname e-mail-address—Specify identity as an e-mail address.

    local-identity configuration options:

    IP-Address:

    remote-identity configuration options:

    IP-Address:

    FQDN:

    User FQDN:

    DN:

  4. Configure the IKE proposal.

    Note:

    Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

  5. Configure the IKE policy.

    The mode can be configured as Aggressive. However, for Common Criteria compliance main mode must be used.

  6. Configure the IPsec proposal.

    Note:

    Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

  7. Configure the IPsec policy.

    Note:

    Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

  8. Configure IKE.

    Note:

    Here, gw1 is an IKE gateway name, 192.0.2.8 is the peer VPN endpoint IP, 192.0.2.5 is the local VPN endpoint IP, and ge-0/0/2 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv1.

  9. Configure the VPN.

    Note:

    Here, vpn1 is the VPN tunnel name given by the authorized administrator.

  10. Configure the outbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  11. Configure the inbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  12. Commit the configuration.

Configuring IPsec VPN with ECDSA signature IKE authentication on the Responder

To configure IPsec VPN with ECDSA signature IKE authentication on the responder:

  1. Configure the PKI, generate and load the CA certificate, local certificate and Certificate Revocation List (CRL). See Managing the Trust Store (Certificates and Authorities).

  2. Generate the RSA key pair. See Generating or Deleting key-pair for IKE Endpoint Authentication.

  3. Configure the local identity and remote identity parameters.

    Syntax
    Hierarchy Level
    Options
    • distinguished-name—Specify identity as the distinguished name (DN) from the certificate. If there is more than one certificate on the device, use the security ike gateway gateway-name policy policy-name certificate local-certificate certificate-id.

      Optional container and wildcard strings can be specified:

      • container container-string—Specify a string for the container.

      • wildcard wildcard-string—Specify a string for the wildcard.

    • hostname hostname—Specify identity as a fully qualified domain name (FQDN).

    • inet ip-address—Specify identity as an IPv4 address.

    • user-at-hostname e-mail-address—Specify identity as an e-mail address.

    local-identity configuration options:

    IP-Address:

    remote-identity configuration options:

    IP-Address:

    FQDN:

    User FQDN:

    DN:

  4. Configure the IKE proposal.

    Note:

    Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

  5. Configure the IKE policy.

  6. Configure the IPsec proposal.

    Note:

    Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

  7. Configure the IPsec policy.

    Note:

    Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

  8. Configure the IKE.

    Note:

    Here, gw1 is an IKE gateway name, 192.0.2.5 is the peer VPN endpoint IP, 192.0.2.8 is the local VPN endpoint IP, and ge-0/0/1 is a local outbound interface as the VPN endpoint. The following configuration is also needed for IKEv1.

  9. Configure the VPN.

    Note:

    Here, vpn1 is the VPN tunnel name given by the authorized administrator.

  10. Configure the outbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  11. Configure the inbound flow policies.

    Note:

    Here, trustZone and untrustZone are preconfigured security zones and trustLan and untrustLan are preconfigured network addresses.

  12. Commit the configuration.
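The responder side (R2) of the ECDSA example as an added configuration, not the page's or Juniper's own listing, showing only what differs from an RSA initiator: the ECDSA key pair, the Table 3 algorithms, the mirrored gateway addresses from the step 8 note, and a Phase 2 proposal using an AEAD cipher. The flow policies, st0 interface and zone binding are configured exactly as in steps 9 to 11 above and are omitted; ike-policy1, cert-r2, st0.0 and the lifetime values are assumptions, and the comment lines are annotations rather than configuration.

```junos
# Generate the ECDSA P-256 key pair matching ecdsa-signatures-256 (operational mode);
# cert-r2 is an assumed certificate-id
request security pki generate-key-pair certificate-id cert-r2 type ecdsa size 256

# Phase 1 (Table 3): ECDSA-256 signatures, SHA-384, group14, AES-256-CBC
set security ike proposal ike-proposal1 authentication-method ecdsa-signatures-256
set security ike proposal ike-proposal1 dh-group group14
set security ike proposal ike-proposal1 authentication-algorithm sha-384
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal1 lifetime-seconds 85200
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposals ike-proposal1
set security ike policy ike-policy1 certificate local-certificate cert-r2

# Responder gateway: peer, local endpoint and interface are the mirror image of the initiator
set security ike gateway gw1 ike-policy ike-policy1
set security ike gateway gw1 address 192.0.2.5
set security ike gateway gw1 local-identity inet 192.0.2.8
set security ike gateway gw1 remote-identity inet 192.0.2.5
set security ike gateway gw1 external-interface ge-0/0/1
set security ike gateway gw1 version v1-only

# Phase 2 (Table 3): aes-256-gcm is an AEAD cipher, so no authentication-algorithm
# statement is configured; this is what "No Algorithm" in the table means
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-gcm
set security ipsec proposal ipsec-proposal1 lifetime-seconds 28800
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy1 proposals ipsec-proposal1

# The responder does not initiate; the tunnel comes up when the initiator connects
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
set security ipsec vpn vpn1 establish-tunnels on-traffic

# Removing a key pair again (operational mode; the delete step of the key-pair section)
clear security pki key-pair certificate-id cert-r2
```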

For more information about troubleshooting IPsec VPN, see the following: