Configuring IPsec Security Associations
Configuring Manual IPsec Security Associations for an ES PIC
To use IPsec security services, you create security associations (SAs) between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. There are two types of SAs: manual and dynamic.
Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, peers can communicate only when they all share the same configured options.
To configure the manual IPsec SA for an ES PIC, include the manual statement at the edit security ipsec security-association sa-name] hierarchy level:
[edit security ipsec security-association sa-name]
manual {
direction (inbound | outbound | bi-directional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spiauxiliary-spi-value;
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key);
}
protocol (ah | esp | bundle);
spi spi-value;
}
}
Tasks to configure a manual SA are:
- Configuring the Processing Direction
- Configuring the Protocol for a Manual SA
- Configuring the Security Parameter Index
- Configuring the Auxiliary Security Parameter Index
- Configuring the Authentication Algorithm and Key
- Configuring the Encryption Algorithm and Key
Configuring the Processing Direction
The direction statement sets inbound and outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option.
To configure the direction of IPsec processing, include the direction statement and specify the direction at the [edit security ipsec security-association sa-name manual] hierarchy level:
[edit security ipsec security-association sa-name manual] direction (inbound | outbound | bidirectional);
The following example shows how to define different algorithms, keys, and security parameter index values for inbound and outbound processing directions:
[edit security ipsec security-association sa-name]
manual {
direction inbound {
encryption {
algorithm 3des-cbc;
key ascii-text 23456789012345678901234;
}
protocol esp;
spi 16384;
}
direction outbound {
encryption {
algorithm 3des-cbc;
key ascii-text 12345678901234567890abcd;
}
protocol esp;
spi 24576;
}
}
The following example shows how to define the same algorithms, keys, and security parameter index values for bidirectional processing:
[edit security ipsec security-association sa-name manual]
direction bidirectional {
authentication {
algorithm hmac-md5-96;
key ascii-text 123456789012abcd;
}
protocol ah;
spi 20001;
}
Configuring the Protocol for a Manual SA
IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). For transport mode SAs, both ESP and AH are supported. The AH protocol is used for strong authentication. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.
The AH protocol is supported only on M Series routers.
To configure the IPsec protocol on an ES PIC, include the protocol statement at the edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level and specify the ah, bundle, or esp option:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional)] protocol (ah | bundle | esp);
Configuring the Security Parameter Index
An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.
Each manual SA must have a unique SPI and protocol combination.
Use the auxiliary SPI when you configure the protocol statement to use the bundle option.
To configure the SPI on an ES PIC, include the spi statement and specify a value (256 through 16,639) at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] spi spi-value;
Configuring the Auxiliary Security Parameter Index
When you configure the protocol statement to use the bundle option, the Junos OS uses the auxiliary SPI for the ESP and the SPI for the AH.
Each manual SA must have a unique SPI and protocol combination.
To configure the auxiliary SPI, include the auxiliary-spi statement at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional)] hierarchy level and set the value to an integer between 256 and 16,639:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] auxiliary-spi auxiliary-spi-value;
Configuring the Authentication Algorithm and Key
To configure an authentication algorithm and key, include the authentication statement at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional)] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
The algorithm can be one of the following:
hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and 96-bit digest.
hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit authenticator value and a 96-bit digest.
The key can be one of the following:
ascii-text key—ASCII text key. With the hmac-md5-96 option, the key contains
16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.
hexadecimal key—Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.
Configuring the Encryption Algorithm and Key
To configure IPsec encryption, include the encryption statement and specify an algorithm and key at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional)] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bi-directional)]
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key);
}
The algorithm can be one of the following:
des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.
3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
Note:For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409. For 3des-cbc, we recommend that the first 8 bytes not be the same as the second 8 bytes, and that the second 8 bytes be the same as the third 8 bytes.
The key can be one of the following:
ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.
Note:You cannot configure encryption when you use the AH protocol.
See Also
Configuring Dynamic IPsec Security Associations
You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.
To configure a dynamic SA, include the dynamic statement at the [edit security ipsec security-association sa-name] hierarchy level. Specify an IPsec policy name, and optionally, a 32-packet or 64-packet replay window size.
[edit security ipsec security-association sa-name]
dynamic {
ipsec-policy policy-name;
replay-window-size (32 | 64);
}