Configuring Security Associations
Configuring Security Associations
The first IPsec configuration step is to select a type of security association (SA) for your IPsec connection. You must statically configure all specifications for manual SAs, but you can rely on some defaults when you configure an IKE dynamic SA. To configure a security association, see the following sections.
Configuring Manual SAs
On the ES PIC, you configure a manual security
association at the [edit security ipsec security-association name] hierarchy level. Include your choices for
authentication, encryption, direction, mode, protocol, and SPI. Be
sure that these choices are configured exactly the same way on the
remote IPsec gateway.
[edit security]
ipsec {
security-association sa-name {
description description;
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi auxiliary-spi;
encryption {
algorithm (des-cbc | 3des-cbc);
key (ascii-text key | hexadecimal key);
}
protocol (ah | esp | bundle);
spi spi-value;
}
}
mode (tunnel | transport);
}
}
On the AS and MultiServices PICs, you configure
a manual security association at the [edit services ipsec-vpn
rule rule-name] hierarchy level. Include
your choices for authentication, encryption, direction, protocol,
and SPI. Be sure that these choices are configured exactly the same
way on the remote IPsec gateway.
[edit services ipsec-vpn]
rule rule-name {
match-direction (input | output);
term term-name {
from {
destination-address address;
source-address address;
}
then {
backup-remote-gateway address;
clear-dont-fragment-bit;
manual {
direction (inbound | outbound | bidirectional) {
authentication {
algorithm (hmac-md5-96 | hmac-sha1-96);
key (ascii-text key | hexadecimal key);
}
auxiliary-spi spi-value;
encryption {
algorithm algorithm; # This can be aes-128-cbc, aes-192-cbc,
# aes-256-cbc, des-cbc, or 3des-cbc.
key (ascii-text key | hexadecimal key);
}
protocol (ah | bundle | esp);
spi spi-value;
}
}
no-anti-replay;
remote-gateway address;
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}
Configuring IKE Dynamic SAs
On the ES PIC, you configure an IKE dynamic SA
at the [edit security ike] and [edit security ipsec] hierarchy levels. Include your choices for IKE policies and proposals,
which include options for authentication algorithms, authentication
methods, Diffie-Hellman groups, encryption, IKE modes, and preshared
keys. The IKE policy must use the IP address of the remote end of
the IPsec tunnel as the policy name. Also, include your choices for
IPsec policies and proposals, which include options for authentication,
encryption, protocols, Perfect Forward Secrecy (PFS), and IPsec modes.
Be sure that these choices are configured exactly the same way on
the remote IPsec gateway.
[edit security]
ike {
proposal ike-proposal-name {
authentication-algorithm (md5 | sha1 |sha-256 |sha-384);
authentication-method (dsa-signatures | pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2);
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
lifetime-seconds seconds;
}
policy ike-peer-address {
description description;
encoding (binary | pem);
identity identity-name;
local-certificate certificate-filename;
local-key-pair private-public-key-file;
mode (aggressive | main);
pre-shared-key (ascii-text key | hexadecimal key);
proposals [ proposal-names ];
}
}
ipsec {
proposal ipsec-proposal-name {
authentication-algorithm (hmac-md5-96 | hmac-sha1-96 | hmac-sha-256-128);
description description;
encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
lifetime-seconds seconds;
protocol (ah | esp | bundle);
}
policy ipsec-policy-name {
description description;
perfect-forward-secrecy {
keys (group1 | group2);
}
proposals [ proposal-names ];
}
security-association sa-name {
description description;
dynamic {
ipsec-policy policy-name;
replay-window-size (32 | 64);
}
mode (tunnel | transport);
}
}
On the AS and MultiServices PICs, you configure
an IKE dynamic security association at the [edit services ipsec-vpn
ike], [edit services ipsec-vpn ipsec], and [edit
services ipsec-vpn rule rule-name] hierarchy
levels. Include your choices for IKE policies and proposals, which
include options for authentication algorithms, authentication methods,
Diffie-Hellman groups, encryption, IKE modes, and preshared keys.
Also, include your choices for IPsec policies and proposals, which
include options for authentication, encryption, protocols, PFS, and
IPsec modes. Be sure that these choices are configured exactly the
same way on the remote IPsec gateway.
If you choose not to explicitly configure IKE and IPsec policies and proposals on the AS and MultiServices PICs, your configuration can default to some preset values. These default values are shown in Table 1.
IKE Policy Statement |
Default Value |
|---|---|
mode |
main |
proposals |
default |
| IKE Proposal Statement | Default Value |
authentication-algorithm |
sha1 |
authentication-method |
pre-shared-keys |
dh-group |
group2 |
encryption-algorithm |
3des-cbc |
lifetime-seconds |
3600 (seconds) |
| IPsec Policy Statement | Default Value |
perfect-forward-secrecy keys |
group2 |
proposals |
default |
| IPsec Proposal Statement | Default Value |
authentication-algorithm |
hmac-sha1-96 |
encryption-algorithm |
3des-cbc |
lifetime-seconds |
28800 (seconds) |
protocol |
esp |
If you use the default IKE and IPsec policy and proposal values preset within the AS and MultiServices PICs, you must explicitly configure an IKE policy and include a preshared key. This is because the pre-shared-keys authentication method is one of the preset values in the default IKE proposal.
Starting in Junos OS release
14.2, in an environment in which Juniper Networks MX Series routers
interoperate with Cisco ASA devices, IKE security associations (SAs)
and IPsec SAs are deleted immediately on the Cisco ASA devices, but
they are retained on the MX Series routers.As a result, 100 percent traffic loss occurs on the MX routers when
traffic is initiated from either the MX Series routers or Cisco ASA
devices. This problem of excessive traffic loss occurs when a service
PIC is restarted on MX Series routers, a line card is restarted on
MX series routers, or when a shutdown/no shutdown command sequence
or a change in speed setting is performed on the Cisco ASA devices.
To prevent this problem of the preservation of IKE and IPsec SAs
in such a deployment, you must manually delete the IPsec and IKE SAs
by entering the clear ipsec security-associations and clear ike security-associations commands respectively.
If you decide to configure values manually, the following information shows the complete statement hierarchy and options for dynamic IKE SAs on the AS and MultiServices PICs:
[edit services ipsec-vpn]
ike {
proposal proposal-name {
authentication-algorithm (md5 | sha1 | sha256);
authentication-method (pre-shared-keys | rsa-signatures);
description description;
dh-group (group1 | group2);
encryption-algorithm algorithm; # This can be aes-128-cbc, aes-192-cbc,
# aes-256-cbc, des-cbc, or 3des-cbc.
lifetime-seconds seconds;
}
policy policy-name {
description description;
local-id {
ipv4_addr [ values ];
key_id [ values ];
}
local-certificate certificate-id-name;
mode (aggressive | main);
pre-shared-key (ascii-text key | hexadecimal key);
proposals [ proposal-names ];
remote-id {
ipv4_addr [ values ];
key_id [ values ];
}
}
}
ipsec {
proposal proposal-name {
authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
description description;
encryption-algorithm algorithm; # This can be aes-128-cbc, aes-192-cbc,
# aes-256-cbc, des-cbc, or 3des-cbc.
lifetime-seconds seconds;
protocol (ah | esp | bundle);
}
policy policy-name {
description description;
perfect-forward-secrecy {
keys (group1 | group2);
}
proposals [ proposal-names ];
}
}
rule rule-name {
match-direction (input | output);
term term-name {
from {
destination-address address;
source-address address;
}
then {
backup-remote-gateway address;
clear-dont-fragment-bit;
dynamic {
ike-policy policy-name;
ipsec-policy policy-name;
}
no-anti-replay;
remote-gateway address;
syslog;
}
}
}
rule-set rule-set-name {
[ rule rule-names ];
}