Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

What's Changed

Learn about what changed in this release for vSRX.

VPNs

  • Enhancements to fix the digest option functionality for key pair generated with DSA and ECDSA (SRX Series and vSRX 3.0)–In earlier releases, when you generated local self-signed certificates using sha-256 digest and DSA or ECDSA encryption using request security pki generate-key-pair certificate-id certificate-id-name size size type (dsa | ecdsa) and request security pki local-certificate generate-self-signed certificate-id certificate-id-name digest sha-256 domain-name domain-name subject subject-distinguished-name commands, the generated signature always used sha1 digest. Starting this release, the specified digest, sha-256, is used for the signature digest. You can verify using show security pki local-certificate certificate-id certificate-id-name detail

  • Enhancement to the output of clear and regenerate key pair commands (vSRX 3.0)–We've modified the output of the following commands when you clear and regenerate the same key pair to manage the secure data using hardware security module (HSM).

    Starting in Junos OS 23.4R1 release, the command:

    • clear security pki key-pair certificate-id certificate-id-name displays the message Key pair deleted successfully from the device. Key pair will be purged from the keyvault based on it's own preferences, as opposed to the message Key pair deleted successfully displayed in previous releases.
    • request security pki generate-key-pair certificate-id certificate-id-name displays the message error:Failed to generate key pair. If the keypair was created and deleted before, please ensure that the keypair has been purged from the keyvault as opposed to the message error: Failed to generate key pair displayed in previous releases.

    We made these changes to align with the cloud provider's restriction on key pair deletion, if any.

  • Enhancements to the help string description for the threshold and interval options for VPN monitoring options (SRX Series and vSRX 3.0)–We've enhanced the help string description of the threshold and interval options available in the configuration statement [set security ipsec vpn-monitor-options] to include the default values. You'll see the following description with the default values:

    [See ipsec (Security).]

  • Enhancements to the output of show security ipsec security-associations detail command (SRX Series and vSRX 3.0)–We've enhanced the output of show security ipsec security-associations detail when you enable vpn-monitor at the [edit security ipsec vpn vpn-name] hierarchy level, when your firewall runs IPsec VPN services with the new iked process. The output displays threshold and interval values in the command output. Starting in Junos OS Release 23.4R1, you'll notice these changes.

    [See show security ipsec security-associations.]

  • Reauthentication frequency recommendation for IPsec VPN with PPK (SRX Series and vSRX 3.0)—For IPsec VPN, including the Auto Discovery VPN (ADVPN), with post-quantum pre-shared key (PPK) encryption, when the IKE security association is negotiated with the quantum keys, the iked process performs rekeying after 4 seconds to secure the channel. If you set the reauthentication frequency to 1, rekeying doesn't happen after 4 seconds. So we recommend you to set the reauthentication frequency to more than 1 as the first reauthentication count is used by the PPK default rekey.

    [See Quantum Safe IPsec VPN.]