Quantum Safe IPsec VPN
SUMMARY Learn how to use and configure the out-of-band key retrieval mechanisms in the IKED process to negotiate with quantum secured IKE and IPsec SAs.
Quantum Safe IPsec VPN Overview
- Quantum Security
- Junos Key Manager Overview
- Use Key Profile for Quantum Safe IPsec VPN
- Quantum Key Distribution
Quantum Security
The IPsec communication channel relies on the Internet Key Exchange (IKE) protocol. The IKE maintains security parameters to protect the data traffic. The security parameters include encryption and authentication algorithms, and associated keys.
The security protocols rely on asymmetric cryptographic algorithms such as Diffie Hellman (DH) or Elliptic Curve Diffie Hellman (ECDH) to establish keys are vulnerable to attacks.
To avoid security attacks, the RFC8784 introduces a method out-of-band method. The out-of-band method adds a secret key at the initiator and the responder. The secret key is Post-quantum Pre-shared Key (PPK).
-
You can use the PPK in addition to the authentication method in IKEv2.
-
PPK provides quantum resistance to any child SAs in initial negotiated IPsec SAs and any subsequent reeked IPsec SAs.
-
With PPK and peer authentication key, initiator and responder can detect key mismatch.
Junos Key Manager Overview
You can use Junos Key Manager (JKM) to configure the static keys or dynamics keys to protect the data plane and control plane.
The JKM process acts as a key store and a proxy between the client or crypto application. The client or crypto application requires a key to establish an encrypted and authenticated quantum safe session with peer or application. The quantum safe uses the out-of-band key retrieval mechanism that lets two peers have the key. Different out-of-band mechanisms will have different protocols or methods to communicate. The JKM provides a common uniform interface for client or crypto applications to communicate.
Key Retrieval Mechanism
Two out-of-band key retrieval mechanisms in the IKED process to negotiate with quantum secured IKE and IPsec SAs.
-
Static Key—With static key profiles, you can configure a static key ID and a corresponding key. The same static key ID and key gets generated every time a request to JKM over a static key profile.
-
Quantum Key Manager—With quantum key manager key profiles, you can access the Quantum Key Distribution (QKD) devices and Quantum Network. The Quantum Network generates and exchange quantum keys between peers. Generates a different key ID and key every time on request to JKM over a quantum key manager key profile.
Use Key Profile for Quantum Safe IPsec VPN
With static key profiles, you can configure a static key ID and a corresponding key. To establish the quantum safe IPsec SAs, use the static key profile as Post-Quantum Pre-Shared Key (PPK) profile in the IPsec-VPN configuration. Uses the same key and key ID to re-authenticate existing IKE SA.
With quantum key manager key profile profiles, to access the Quantum Networks you need access to the QKD devices. The Quantum Network generates and exchanges quantum keys between peers. You can configure all the necessary parameters such as local SAE ID, URL to the QKD device, and so on. To establish IPsec SAs, use the quantum key manager key profile as Post-Quantum Pre-Shared Key (PPK) profile in the IPsec VPN configuration. Uses a different key and key ID to re-authenticate existing IKE SA.
Quantum Key Distribution
Quantum key distribution (QKD) is a secure key distribution method that uses quantum. Networks use quantum channels for generating the same key at both ends and monitor the quantum channel between the peers. These keys are dynamic, protects the data plane, and control plane.
Key Management Entity (KME) is the term we use to refer to the QKD devices on the management or control layer. QKD devices connect to each other through their quantum or QKD network. The KMEs connects over the public network through the secure channels for exchanging any control messages. The applications, Secure Application Entity (SAEs), and devices interact with KMEs through the secure channels as per ETSI specification. HTTPS combines with mutual TLS authentication and enables secure operations over the QKD network.
In the Figure 1, describes how the two devices interacting with their corresponding QKD devices to establish a quantum secured session
-
SAE A role is primary. SAE A acts as the initiator to establish a quantum secured session with SAE B.
-
The SAE B role is secondary. SAE B acts as the responder.
-
The SAE A request the KME A through the Get key API to generate and share a new quantum key with SAE B with target SAE ID.
-
The KME A performs the operation and responds to SAE A with the generated key ID and key material.
-
KME B receives the key material and the generated ID key over the QKD network.
-
The SAE A initiates secured session with SAE B directly using the same key and key ID.
-
An exchange of messages establishes a secure session with SAE B.
-
SAE A sends the key ID in plaintext or encrypted for the corresponding quantum key that is used to secure the session with SAE B.
-
Once SAE B receives the key ID, the SAE B contacts KME B through the Get key with IDs API to get the corresponding quantum-key for the given key ID and target SAE ID or SAE A.
-
After SAE B gets the key, a fully quantum secured session establishes between SAE A and SAE B.
Example: Configure Quantum-Secured IPsec AutoVPN Topology Using Quantum Key Manager Key Profile
SUMMARY Learn how to configure IPsec AutoVPN topology using quantum key manager key profile.
Use this example to configure quantum-secured IPsec AutoVPN using quantum key manager key profile. The quantum key manager key profile includes parameters that are required to communicate with a Key Management Entity (KME) or Quantum Key Distribution (QKD) device. These parameters are as per ETSI GS QKD 014 specification.
In this example, we use the following devices:
-
Hub as an IPsec VPN aggregator.
-
Spoke 1 and Spoke 2 as remote sites.
The Hub, Spoke 1, and Spoke 2 use quantum key manager key profiles to communicate with KME Hub, KME Spoke 1, and KME Spoke 2 to fetch the QKD keys and establish then IPsec VPN tunnels.
|
Reading Time |
Less than an hour. |
|
Configuration Time |
Less than an hour. |
- Example Prerequisites
- Before You Begin
- Functional Overview
- Topology Overview
- Topology Illustration
- Step-By-Step Configuration on Device-Under-Test (DUT)
- Verification
- Appendix 1: Set Commands on all Devices
Example Prerequisites
|
Hardware requirements |
Juniper Networks® SRX1500 Firewall or higher-numbered device models or Juniper Networks® vSRX Virtual Firewall (vSRX3.0). |
|
Software requirements |
Junos OS Release 22.4R1 or later with JUNOS ike and JUNOS Key Manager packages. |
Before You Begin
|
Benefits |
With quantum-secured IPsec AutoVPN , you can:
|
|
Know more |
|
|
Learn more |
Functional Overview
This section provides summary of the configuration components in this example.
|
Technologies used |
To establish the quantum-safe IPsec tunnel, you must configure the following:
|
|
Primary verification tasks |
Verify the IKE and IPsec SAs. Verify the established IKE and IPsec SAs are Quantum safe. Verify IPsec encryption and decryption statistics. Verify key profile statistics. Send data traffic from the host devices. |
| Feature | Name | Configuration Parameters |
|---|---|---|
| Interfaces | ge-0/0/2.0 | 172.18.10.1/24 |
| Interfaces | ge-0/0/1.0 | 192.168.80.1/24 |
| Interfaces | st0.1 (tunnel interface) | family inet |
| Security zones | trust |
The ge-0/0/1.0 interface is bound to this zone. |
| Security zones | untrust |
The ge-0/0/2.0 interface is bound to this zone. |
| Security zones | vpn |
The st0.1 interface is bound to this zone. |
| Security policy | from-zone trust to-zone vpn |
Match criteria:
Action: permit |
| Security policy | from-zone vpn to-zone trust |
Match criteria:
Action: permit |
| CA profile | Root-CA |
CA-identity: Root-CA URL: https://ca-server.juniper.net/certsrv/mscep/mscep.dll Revocation-check: disable |
| Key profile | SPOKE_1_KM_PROFILE_1 |
Key profile type: Quantum key manager URL: https://www.kme_spoke_1-qkd-server.net Local-sae-id: SAE_SPOKE_1 Local-certificate-id: SAE_SPOKE_1_CERT Trusted-cas: Root-CA |
| IKE Proposal | SPOKE_1_IKE_PROP |
Authentication method: rsa-signatures DH group: group14 Authentication algorithm: sha-256 Encryption algorithm: aes-256-cbc Lifetime: 3600 seconds |
| IKE Policy | SPOKE_1_IKE_POL |
Proposal reference: SPOKE_1_IKE_PROP Certificate reference: local-certificate SPOKE_1_CRT |
| IKE Gateway | SPOKE_1_IKE_GW |
IKE policy reference: SPOKE_1_IKE_POL External interface: ge-0/0/2.0 Remote gateway address: 172.18.10.1 Local gateway address: 172.18.10.2 Version: v2-only ppk-profile: SPOKE_1_KM_PROFILE_1 Local-identity: distinguished-name Remote-identity: distinguished-name |
| IPsec Proposal | SPOKE_1_IPSEC_PROP |
Protocol:esp Authentication-algorithm: hmac-sha-256-128 Encryption-algorithm: aes-256-cbc |
| IPsec Policy | IPSEC-POL | Proposal reference: SPOKE_1_IPSEC_PROP |
| IPsec VPN | VPN-to-HOST-2 |
IKE gateway reference: SPOKE_1_IKE_GW IPsec policy reference: SPOKE_1_IPSEC_POL Bind to interface: st0.1 Traffic-selector: ts1 and local-ip 192.168.80.0/24 remote-ip 192.168.90.0/24 |
| Feature | Name | Configuration Parameters |
|---|---|---|
| Interfaces | ge-0/0/2.0 | 172.18.10.3/24 |
| Interfaces | ge-0/0/1.0 | 192.168.70.1/24 |
| Interfaces | st0.1 (tunnel interface) | family inet |
| Security zones | trust |
The ge-0/0/1.0 interface is bound to this zone. |
| Security zones | untrust |
The ge-0/0/2.0 interface is bound to this zone. |
| Security zones | vpn |
The st0.2 interface is bound to this zone. |
| Security policy | from-zone trust to-zone vpn |
Match criteria:
Action: permit |
| Security policy | from-zone vpn to-zone trust |
Match criteria:
Action: permit |
| CA profile | Root-CA |
CA-identity: Root-CA URL: https://ca-server.juniper.net/certsrv/mscep/mscep.dll Revocation-check: disable |
| Key profile | SPOKE_2_KM_PROFILE_1 |
Key profile type: Quantum key manager URL: https://www.kme_spoke_1-qkd-server.net Local-sae-id: SAE_SPOKE_2 Local-certificate-id: SAE_SPOKE_2_CERT Trusted-cas: Root-CA |
| IKE Proposal | SPOKE_2_IKE_PROP |
Authentication method: rsa-signatures DH group: group14 Authentication algorithm: sha-256 Encryption algorithm: aes-256-cbc Lifetime: 3600 seconds |
| IKE Policy | SPOKE_2_IKE_POL |
Proposal reference: SPOKE_2_IKE_PROP Certificate reference: local-certificate SPOKE_2_CRT |
| IKE Gateway | SPOKE_2_IKE_GW |
IKE policy reference: SPOKE_2_IKE_POL External interface: ge-0/0/2.0 Remote gateway address: 172.18.10.1 Local gateway address: 172.18.10.3 Version: v2-only ppk-profile: SPOKE_2_KM_PROFILE_1 Local-identity: distinguished-name Remote-identity: distinguished-name |
| IPsec Proposal | SPOKE_2_IPSEC_PROP |
Protocol:esp Authentication-algorithm: hmac-sha-256-128 Encryption-algorithm: aes-256-cbc |
| IPsec Policy | SPOKE_2_IPSEC_POL | Proposal reference: SPOKE_2_IPSEC_PROP |
| IPsec VPN | SPOKE_2_IPSEC_VPN |
IKE gateway reference: SPOKE_2_IKE_GW IPsec policy reference: SPOKE_2_IPSEC_POL Bind to interface: st0.2 Traffic-selector: ts1 and local-ip 192.168.70.0/24 remote-ip 192.168.90.0/24 |
| Feature | Name | Configuration Parameters |
|---|---|---|
| Interfaces | ge-0/0/2.0 | 172.18.10.1/24 |
| Interfaces | ge-0/0/1.0 | 192.168.90.1/24 |
| Interfaces | st0.1 (tunnel interface) | family inet |
| Security zones | trust |
The ge-0/0/1.0 interface is bound to this zone. |
| Security zones | untrust |
The ge-0/0/2.0 interface is bound to this zone. |
| Security zones | vpn |
The st0.1 interface is bound to this zone. |
| Security policy | from-zone trust to-zone vpn |
Match criteria:
Action: permit |
| Security policy | From-zone vpn to-zone trust |
Match criteria:
Action: permit |
| CA profile | Root-CA |
CA-identity: Root-CA URL: https://ca-server.juniper.net/certsrv/mscep/mscep.dll Revocation-check: disable |
| Key profile | HUB_KM_PROFILE_1 |
Key profile type: Quantum key manager URL: https://www.kme_spoke_1-qkd-server.net Local-sae-id: SAE_HUB Local-certificate-id: SAE_HUB_CERT Trusted-cas: Root-CA |
| IKE Proposal | HUB_IKE_PROP |
Authentication method: rsa-signatures DH group: group14 Authentication algorithm: sha-256 Encryption algorithm: aes-256-cbc Lifetime: 3600 seconds |
| IKE Policy | HUB_IKE_POL |
Proposal reference: HUB_IKE_PROP Certificate reference: local-certificate HUB_CRT |
| IKE Gateway | HUB_IKE_GW |
IKE policy reference: HUB_IKE_POL External interface: ge-0/0/2.0 Local gateway address: 172.18.10.1 Version: v2-only ppk-profile: HUB_KM_PROFILE_1 Local-identity: distinguished-name Dynamic gateway:
|
| IPsec Proposal | HUB_IPSEC__PROP |
Protocol:esp Authentication-algorithm: hmac-sha-256-128 Encryption-algorithm: aes-256-cbc |
| IPsec Policy | HUB_IPSEC_POL | Proposal reference: HUB_IPSEC_PROP |
| IPsec VPN | HUB_IPSEC_VPN |
IKE gateway reference: HUB_IKE_GW IPsec policy reference: HUB_IPSEC_POL Bind to interface: st0.1 Traffic-selector: ts1 and local-ip 192.168.90.0/24 remote-ip 0.0.0.0/0 |
| Purpose | Name | Configuration Parameters |
|---|---|---|
| The security policy permits traffic from the trust zone to the VPN zone. | VPN-OUT | Match criteria:
Action: permit |
| The security policy permits traffic from the VPN zone to the trust zone. | VPN-IN | Match criteria:
Action: permit |
Topology Overview
In this example, Spoke 1 and Spoke 2 initiate the negotiation of Quantum-safe IPsec tunnels with the Hub using QKD keys from KME Spoke 1 and KME Spoke 2. The Hub responds to the requests by verifying Spoke 1 and Spoke 2 identities and keys from KME Hub to establish Quantum-safe IPsec VPN tunnels. After IPsec tunnels are established, the data traffic between Host 1 and Host 3, and that between Host 2 and Host 3 is Quantum secured.
|
Hostname |
Role |
Function |
|---|---|---|
HUB |
SRX Series Firewall capable of establishing IPsec tunnels | Responds to IKE or IPsec SA negotiation and establishes
Quantum-safe IPsec tunnels using QKD key from KME-HUB QKD device on
SPOKE-1 and SPOKE-2. |
SPOKE-1 |
SRX Series Firewall capable of establishing IPsec tunnels | Initiates IKE or IPsec SA negotiation and establishes
Quantum-safe IPsec tunnels with hub using QKD key from
KME-SPOKE-1 QKD device |
SPOKE-2 |
SRX Series Firewall capable of establishing IPsec tunnels | Initiates IKE or IPsec SA negotiation and establishes
Quantum-safe IPsec tunnels with hub using QKD key from
KME-SPOKE-2 QKD device |
HOST-1 |
Host inside the trusted zone or LAN side of SPOKE
1 |
Initiates client-side traffic towards
HOST-3 |
HOST-2 |
Host inside the trusted zone or LAN side of SPOKE
2 |
Initiates client-side traffic towards
HOST-3 |
HOST- 3 |
Host inside the trusted zone or LAN side of hub | Responds to client-side traffic from HOST-1 and
HOST-2 |
KME-HUB |
Third-party QKD device | Provides QKD keys in response to key requests from
HUB |
KME-SPOKE-1 |
Third-party QKD device | Provides QKD keys in response to key requests from
SPOKE-1 |
KME-SPOKE-2 |
Third-party QKD device | Provides QKD keys in response to key requests from
SPOKE-2 |
Topology Illustration
Step-By-Step Configuration on Device-Under-Test (DUT)
Configure Hub
-
Configure interfaces.
set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.90.1/24 set interfaces st0 unit 1 family inet
-
Configure security zones.
set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.1 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
-
Configure security policies.
set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit
-
Configure the CA profile and the CA certificate.
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable
-
Bind the CA certificate to the CA profile.
request security pki ca-certificate enroll ca-profile Root-CA
-
Configure local certificates.
request security pki generate-key-pair certificate-id HUB_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id HUB_CRT challenge-password <password> domain-name hub.juniper.net email hub@juniper.net subject DC=juniper,CN=hub.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_HUB filename SAE_HUB.cert key SAE_HUB.key
-
Configure the quantum key manager key profile.
set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager url https://www.kme_hub-qkd-server.net set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_HUB set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_HUB_CERT set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA
-
Configure the IKE proposal.
set security ike proposal HUB_IKE_PROP authentication-method rsa-signatures set security ike proposal HUB_IKE_PROP dh-group group14 set security ike proposal HUB_IKE_PROP authentication-algorithm sha-256 set security ike proposal HUB_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal HUB_IKE_PROP lifetime-seconds 3600
-
Configure the IKE policy.
set security ike policy HUB_IKE_POL proposals HUB_IKE_PROP set security ike policy HUB_IKE_POL certificate local-certificate HUB_CRT
-
Configure the IKE gateway.
set security ike gateway HUB_IKE_GW local-address 172.18.10.1 set security ike gateway HUB_IKE_GW ike-policy HUB_IKE_POL set security ike gateway HUB_IKE_GW external-interface ge-0/0/2.0 set security ike gateway HUB_IKE_GW local-identity distinguished-name set security ike gateway HUB_IKE_GW dynamic ike-user-type group-ike-id set security ike gateway HUB_IKE_GW dynamic distinguished-name wildcard C=us,DC=juniper set security ike gateway HUB_IKE_GW version v2-only
-
Bind the quantum key manager key profile as the IKE gateway ppk-profile.
set security ike gateway HUB_IKE_GW ppk-profile HUB_KM_PROFILE_1
-
Configure the IPsec proposal.
set security ipsec proposal HUB_IPSEC_PROP protocol esp set security ipsec proposal HUB_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal HUB_IPSEC_PROP encryption-algorithm aes-256-cbc
-
Configure the IPsec policy.
set security ipsec policy HUB_IPSEC_POL proposals HUB_IPSEC_PROP
-
Configure the IPsec VPN.
set security ipsec vpn HUB_IPSEC_VPN bind-interface st0.1 set security ipsec vpn HUB_IPSEC_VPN ike gateway HUB_IKE_GW set security ipsec vpn HUB_IPSEC_VPN ike ipsec-policy HUB_IPSEC_POL set security ipsec vpn HUB_IPSEC_VPN traffic-selector ts1 local-ip 192.168.90.0/24 set security ipsec vpn HUB_IPSEC_VPN traffic-selector ts1 remote-ip 0.0.0.0/0
If you are done configuring the device, enter commit from
configuration mode.
Configure Spoke 1
-
Configure interfaces.
set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.2/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.80.1/24 set interfaces st0 unit 1 family inet
-
Configure security zones.
set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.1 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
-
Configure security policies.
set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit
-
Configure the CA profile and the CA certificate.
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable
-
Bind the CA certificate to the CA profile.
request security pki ca-certificate enroll ca-profile Root-CA
-
Configure local certificates.
request security pki generate-key-pair certificate-id SPOKE_1_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id SPOKE_1_CRT challenge-password <password> domain-name spoke_1.juniper.net email spoke_1@juniper.net subject DC=juniper,CN=spoke_1.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_SPOKE_1 filename SAE_SPOKE_1.cert key SAE_SPOKE_1.key
-
Configure the quantum key manager key profile.
set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager url https://www.kme_spoke_1-qkd-server.net set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_SPOKE_1 set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_SPOKE_1_CERT set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA
-
Configure the IKE proposal.
set security ike proposal SPOKE_1_IKE_PROP authentication-method rsa-signatures set security ike proposal SPOKE_1_IKE_PROP dh-group group14 set security ike proposal SPOKE_1_IKE_PROP authentication-algorithm sha-256 set security ike proposal SPOKE_1_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal SPOKE_1_IKE_PROP lifetime-seconds 3600
-
Configure the IKE policy.
set security ike policy SPOKE_1_IKE_POL proposals SPOKE_1_IKE_PROP set security ike policy SPOKE_1_IKE_POL certificate local-certificate SPOKE_1_CRT
-
Configure the IKE gateway.
set security ike gateway SPOKE_1_IKE_GW address 172.18.10.1 set security ike gateway SPOKE_1_IKE_GW local-address 172.18.10.2 set security ike gateway SPOKE_1_IKE_GW ike-policy SPOKE_1_IKE_POL set security ike gateway SPOKE_1_IKE_GW external-interface ge-0/0/2.0 set security ike gateway SPOKE_1_IKE_GW local-identity distinguished-name set security ike gateway SPOKE_1_IKE_GW remote-identity distinguished-name set security ike gateway SPOKE_1_IKE_GW version v2-only
-
Bind the quantum key manager key profile as the IKE gateway ppk-profile.
set security ike gateway SPOKE_1_IKE_GW ppk-profile SPOKE_1_KM_PROFILE_1
-
Configure the IPsec proposal.
set security ipsec proposal SPOKE_1_IPSEC_PROP protocol esp set security ipsec proposal SPOKE_1_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal SPOKE_1_IPSEC_PROP encryption-algorithm aes-256-cbc
-
Configure the IPsec policy.
set security ipsec policy SPOKE_1_IPSEC_POL proposals SPOKE_1_IPSEC_PROP
-
Configure the IPsec VPN.
set security ipsec vpn SPOKE_1_IPSEC_VPN bind-interface st0.1 set security ipsec vpn SPOKE_1_IPSEC_VPN ike gateway SPOKE_1_IKE_GW set security ipsec vpn SPOKE_1_IPSEC_VPN ike ipsec-policy SPOKE_1_IPSEC_POL set security ipsec vpn SPOKE_1_IPSEC_VPN traffic-selector ts1 local-ip 192.168.80.0/24 set security ipsec vpn SPOKE_1_IPSEC_VPN traffic-selector ts1 remote-ip 192.168.90.0/24
If you are done configuring the device, enter commit from
configuration mode.
Configure Spoke 2
-
Configure interfaces.
set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.3/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.70.1/24 set interfaces st0 unit 2 family inet
-
Configure security zones.
set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.2 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0
-
Configure security policies.
set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit
-
Configure the CA profile and the CA certificate.
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable
-
Bind the CA certificate to the CA profile.
request security pki ca-certificate enroll ca-profile Root-CA
-
Configure the local certificates.
request security pki generate-key-pair certificate-id SPOKE_2_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id SPOKE_2_CRT challenge-password <password> domain-name spoke_2.juniper.net email spoke_2@juniper.net subject DC=juniper,CN=spoke_2.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_SPOKE_2 filename SAE_SPOKE_2.cert key SAE_SPOKE_2.key
-
Configure the quantum key manager key profile.
set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager url https://www.kme_spoke_2-qkd-server.net set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_SPOKE_2 set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_SPOKE_2_CERT set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA
-
Configure the IKE proposal.
set security ike proposal SPOKE_2_IKE_PROP authentication-method rsa-signatures set security ike proposal SPOKE_2_IKE_PROP dh-group group14 set security ike proposal SPOKE_2_IKE_PROP authentication-algorithm sha-256 set security ike proposal SPOKE_2_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal SPOKE_2_IKE_PROP lifetime-seconds 3600
-
Configure the IKE policy.
set security ike policy SPOKE_2_IKE_POL proposals SPOKE_2_IKE_PROP set security ike policy SPOKE_2_IKE_POL certificate local-certificate SPOKE_2_CRT
-
Configure the IKE gateway.
set security ike gateway SPOKE_2_IKE_GW address 172.18.10.1 set security ike gateway SPOKE_2_IKE_GW local-address 172.18.10.3 set security ike gateway SPOKE_2_IKE_GW ike-policy SPOKE_2_IKE_POL set security ike gateway SPOKE_2_IKE_GW external-interface ge-0/0/2.0 set security ike gateway SPOKE_2_IKE_GW local-identity distinguished-name set security ike gateway SPOKE_2_IKE_GW remote-identity distinguished-name set security ike gateway SPOKE_2_IKE_GW version v2-only
-
Bind the quantum key manager key profile as the IKE gateway ppk-profile.
set security ike gateway SPOKE_2_IKE_GW ppk-profile SPOKE_2_KM_PROFILE_1
-
Configure the IPsec proposal.
set security ipsec proposal SPOKE_2_IPSEC_PROP protocol esp set security ipsec proposal SPOKE_2_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal SPOKE_2_IPSEC_PROP encryption-algorithm aes-256-cbc
-
Configure the IPsec policy.
set security ipsec policy SPOKE_2_IPSEC_POL proposals SPOKE_2_IPSEC_PROP
-
Configure the IPsec VPN.
set security ipsec vpn SPOKE_2_IPSEC_VPN bind-interface st0.2 set security ipsec vpn SPOKE_2_IPSEC_VPN ike gateway SPOKE_2_IKE_GW set security ipsec vpn SPOKE_2_IPSEC_VPN ike ipsec-policy SPOKE_2_IPSEC_POL set security ipsec vpn SPOKE_2_IPSEC_VPN traffic-selector ts1 local-ip 192.168.70.0/24 set security ipsec vpn SPOKE_2_IPSEC_VPN traffic-selector ts1 remote-ip 192.168.90.0/24
If you are done configuring the device, enter commit from
configuration mode.
Verification
This section provides a list of show commands that you can use to verify the feature in this example.
| Command | Verification Task |
|---|---|
ping 192.168.90.20 source 192.168.80.20 count
4 |
Ping from Host-1 to Host 3. |
ping 192.168.90.20 source 192.168.70.20 count
4 |
Ping from Host 2 to Host 3. |
show security ike security-associations
detail |
Verify the IKE SAs. |
show security ipsec security-associations
detail |
Verify the IPsec SAs. |
show security ipsec statistics |
Verify IPsec encryption and decryption statistics. |
show security key-manager profiles detail
|
Verify key profile statistics. |
- Ping from Host 1 to Host 3
- Ping from Host 2 to Host 3
- Verify IKE SAs
- Verify IPsec SAs
- Verify IPsec Statistics
- Verify Key Manager Profile
Ping from Host 1 to Host 3
Purpose
Verify the connectivity from Host 1 to Host 3.
Action
From operational mode, enter the ping 192.168.90.20 source
192.168.80.20 count 5 to view the connectivity from Host 1 to
Host 3.
user@host1# ping 192.168.90.20 source 192.168.80.20 count 5 PING 192.168.90.20 (192.168.90.20): 56 data bytes 64 bytes from 192.168.90.20: icmp_seq=0 ttl=64 time=2.151 ms 64 bytes from 192.168.90.20: icmp_seq=1 ttl=64 time=1.710 ms 64 bytes from 192.168.90.20: icmp_seq=2 ttl=64 time=1.349 ms 64 bytes from 192.168.90.20: icmp_seq=3 ttl=64 time=1.597 ms 64 bytes from 192.168.90.20: icmp_seq=4 ttl=64 time=1.515 ms --- 192.168.90.20 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.349/1.702/2.151/0.290 ms Data traffic is successfully flowing between the HOSTs
Meaning
The sample output confirms the connectivity from Host 1 to Host 3.
Ping from Host 2 to Host 3
Purpose
Verify the connectivity from Host 2 to Host 3.
Action
From operational mode, enter the ping 192.168.90.20 source
192.168.80.20 count 5 command to view the connectivity from
Host 2 to Host 3.
user@host2# ping 192.168.90.20 source 192.168.70.20 count 5 PING 192.168.90.20 (192.168.90.20): 56 data bytes 64 bytes from 192.168.90.20: icmp_seq=0 ttl=64 time=2.151 ms 64 bytes from 192.168.90.20: icmp_seq=1 ttl=64 time=1.710 ms 64 bytes from 192.168.90.20: icmp_seq=2 ttl=64 time=1.349 ms 64 bytes from 192.168.90.20: icmp_seq=3 ttl=64 time=1.597 ms 64 bytes from 192.168.90.20: icmp_seq=4 ttl=64 time=1.759 ms --- 192.168.90.20 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.349/1.702/2.151/0.290 ms Data traffic is successfully flowing between the HOSTs
Meaning
The sample output confirms the connectivity from Host 2 to Host 3.
Verify IKE SAs
Purpose
Verify the IKE SAs.
Action
From operational mode, enter the show security ike
security-associations detail command to view the IKE SAs.
user@hub> show security ike security-associations detail
IKE peer 172.18.10.3, Index 2161, Gateway Name: HUB_IKE_GW
Role: Responder, State: UP
Initiator cookie: bccc74c70f0b81b9, Responder cookie: 872d364f15b29c28
Exchange type: IKEv2, Authentication method: RSA-signatures
Local gateway interface: ge-0/0/2.0
Routing instance: default
Local: 172.18.10.1:500, Remote: 172.18.10.3:500
Lifetime: Expires in 3464 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=spoke_2.juniper.net
AAA assigned IP: 0.0.0.0
PPK-profile: HUB_KM_PROFILE_1
Optional: No
State : Used
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-14
Traffic statistics:
Input bytes : 2661
Output bytes : 2586
Input packets: 5
Output packets: 5
Input fragmented packets: 4
Output fragmented packets: 4
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
IPSec Tunnel IDs: 500446
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 172.18.10.1:500, Remote: 172.18.10.3:500
Local identity: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=hub.juniper.net
Remote identity: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=spoke_2.juniper.net
Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
Initiator stats: Responder stats:
Request Out : 0 Request In : 0
Response In : 0 Response Out : 0
No Proposal Chosen In : 0 No Proposal Chosen Out : 0
Invalid KE In : 0 Invalid KE Out : 0
TS Unacceptable In : 0 TS Unacceptable Out : 0
Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0
Res Verify SA Fail : 0
Res Verify DH Group Fail: 0
Res Verify TS Fail : 0
IKE peer 172.18.10.2, Index 2162, Gateway Name: HUB_IKE_GW
Role: Responder, State: UP
Initiator cookie: 5e17d5924c619788, Responder cookie: 15f1e3c4252ba6f8
Exchange type: IKEv2, Authentication method: RSA-signatures
Local gateway interface: ge-0/0/2.0
Routing instance: default
Local: 172.18.10.1:500, Remote: 172.18.10.2:500
Lifetime: Expires in 3464 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=spoke.juniper.net
AAA assigned IP: 0.0.0.0
PPK-profile: HUB_KM_PROFILE_1
Optional: No
State : Used
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-14
Traffic statistics:
Input bytes : 2645
Output bytes : 2586
Input packets: 5
Output packets: 5
Input fragmented packets: 4
Output fragmented packets: 4
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
IPSec Tunnel IDs: 500447
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 172.18.10.1:500, Remote: 172.18.10.2:500
Local identity: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=hub.juniper.net
Remote identity: C=us, DC=juniper, ST=california, L=sunnyvale, O=juniper, OU=security, CN=spoke.juniper.net
Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
Initiator stats: Responder stats:
Request Out : 0 Request In : 0
Response In : 0 Response Out : 0
No Proposal Chosen In : 0 No Proposal Chosen Out : 0
Invalid KE In : 0 Invalid KE Out : 0
TS Unacceptable In : 0 TS Unacceptable Out : 0
Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0
Res Verify SA Fail : 0
Res Verify DH Group Fail: 0
Res Verify TS Fail : 0 Meaning
The sample output confirms the IKE SAs.
Verify IPsec SAs
Purpose
Verify the IPsec SAs.
Action
From operational mode, enter the show security ipsec
security-associations detail command to view the IPsec SAs.
user@hub> show security ipsec security-associations detail
ID: 500446 Virtual-system: root, VPN Name: HUB_IPSEC_VPN
Local Gateway: 172.18.10.1, Remote Gateway: 172.18.10.3
Traffic Selector Name: ts1
Local Identity: ipv4(192.168.90.0-192.168.90.255)
Remote Identity: ipv4(192.168.70.0-192.168.70.255)
TS Type: traffic-selector
Version: IKEv2
Quantum Secured: Yes
PFS group: N/A
Passive mode tunneling: Disabled
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: HUB_IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Tunnel events:
Fri Jul 21 2023 00:31:08: IPsec SA negotiation succeeds (1 times)
Location: FPC 0, PIC 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: 0xcf48c0c9, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3464 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2778 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 2161
Direction: outbound, SPI: 0x86c9ba76, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3464 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2778 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 2161
ID: 500447 Virtual-system: root, VPN Name: HUB_IPSEC_VPN
Local Gateway: 172.18.10.1, Remote Gateway: 172.18.10.2
Traffic Selector Name: ts1
Local Identity: ipv4(192.168.90.0-192.168.90.255)
Remote Identity: ipv4(192.168.80.0-192.168.80.255)
TS Type: traffic-selector
Version: IKEv2
Quantum Secured: Yes
PFS group: N/A
Passive mode tunneling: Disabled
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: HUB_IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Tunnel events:
Fri Jul 21 2023 00:31:08: IPsec SA negotiation succeeds (1 times)
Location: FPC 0, PIC 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x4275d756, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3464 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2772 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 2162
Direction: outbound, SPI: 0xe37b5568, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3464 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2772 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 2162Meaning
The sample output confirms the IPsec SAs.
Verify IPsec Statistics
Purpose
Verify the IPsec statistics.
Action
From operational mode, enter the show security ipsec
statistics command to view the IPsec statistics.
user@hub> show security ipsec statistics ESP Statistics: Encrypted bytes: 1560 Decrypted bytes: 1560 Encrypted packets: 10 Decrypted packets: 10 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Invalid SPI: 0, TS check fail: 0 Exceeds tunnel MTU: 0 Discarded: 0
Meaning
The sample output confirms the IPsec statistics.
Verify Key Manager Profile
Purpose
Verify the key manager profile.
Action
From operational mode, enter the show security key-manager profiles
detail command to view the quantum key manager profile.
user@hub> show security key-manager profiles detail
Name: HUB_KM_PROFILE_1, Index: 6, Type: Quantum-key-manager
Configured-at: 21.07.23 (00:14:00)
Time-elapsed: 0 hrs 19 mins 24 secs
Url: https://kme.juniper.net:8080
Local-sae-id: SAE_HUB
Local-certificate-id: SAE_HUB_CERT
Trusted-cas: [ ROOT_CA_CERT ]
Peer-sae-ids: N/A
Default-key-size: N/A
Request stats:
Received: 2
In-progress: 0
Success: 2
Failed: 0
Meaning
The sample output confirms the quantum key manager profile.
Appendix 1: Set Commands on all Devices
Set command output on all devices.
Set Commands on Hub
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable request security pki ca-certificate enroll ca-profile Root-CA request security pki generate-key-pair certificate-id HUB_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id HUB_CRT challenge-password <password> domain-name hub.juniper.net email hub@juniper.net subject DC=juniper,CN=hub.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_HUB filename SAE_HUB.cert key SAE_HUB.key set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager url https://www.kme_hub-qkd-server.net set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_HUB set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_HUB_CERT set security key-manager profiles HUB_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA set security ike proposal HUB_IKE_PROP authentication-method rsa-signatures set security ike proposal HUB_IKE_PROP dh-group group14 set security ike proposal HUB_IKE_PROP authentication-algorithm sha-256 set security ike proposal HUB_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal HUB_IKE_PROP lifetime-seconds 3600 set security ike policy HUB_IKE_POL proposals HUB_IKE_PROP set security ike policy HUB_IKE_POL certificate local-certificate HUB_CRT set security ike gateway HUB_IKE_GW local-address 172.18.10.1 set security ike gateway HUB_IKE_GW ike-policy HUB_IKE_POL set security ike gateway HUB_IKE_GW external-interface ge-0/0/2.0 set security ike gateway HUB_IKE_GW local-identity distinguished-name set security ike gateway HUB_IKE_GW dynamic ike-user-type group-ike-id set security ike gateway HUB_IKE_GW dynamic distinguished-name wildcard C=us,DC=juniper set security ike gateway HUB_IKE_GW ppk-profile HUB_KM_PROFILE_1 set security ike gateway HUB_IKE_GW version v2-only set security ipsec proposal HUB_IPSEC_PROP protocol esp set security ipsec proposal HUB_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal HUB_IPSEC_PROP encryption-algorithm aes-256-cbc set security ipsec policy HUB_IPSEC_POL proposals HUB_IPSEC_PROP set security ipsec vpn HUB_IPSEC_VPN bind-interface st0.1 set security ipsec vpn HUB_IPSEC_VPN ike gateway HUB_IKE_GW set security ipsec vpn HUB_IPSEC_VPN ike ipsec-policy HUB_IPSEC_POL set security ipsec vpn HUB_IPSEC_VPN traffic-selector ts1 local-ip 192.168.90.0/24 set security ipsec vpn HUB_IPSEC_VPN traffic-selector ts1 remote-ip 0.0.0.0/0 set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.90.1/24 set interfaces st0 unit 1 family inet set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.1 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0 set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit
Set Commands on Spoke 1
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable request security pki ca-certificate enroll ca-profile Root-CA request security pki generate-key-pair certificate-id SPOKE_1_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id SPOKE_1_CRT challenge-password <password> domain-name spoke_1.juniper.net email spoke_1@juniper.net subject DC=juniper,CN=spoke_1.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_SPOKE_1 filename SAE_SPOKE_1.cert key SAE_SPOKE_1.key set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager url https://www.kme_spoke_1-qkd-server.net set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_SPOKE_1 set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_SPOKE_1_CERT set security key-manager profiles SPOKE_1_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA set security ike proposal SPOKE_1_IKE_PROP authentication-method rsa-signatures set security ike proposal SPOKE_1_IKE_PROP dh-group group14 set security ike proposal SPOKE_1_IKE_PROP authentication-algorithm sha-256 set security ike proposal SPOKE_1_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal SPOKE_1_IKE_PROP lifetime-seconds 3600 set security ike policy SPOKE_1_IKE_POL proposals SPOKE_1_IKE_PROP set security ike policy SPOKE_1_IKE_POL certificate local-certificate SPOKE_1_CRT set security ike gateway SPOKE_1_IKE_GW address 172.18.10.1 set security ike gateway SPOKE_1_IKE_GW local-address 172.18.10.2 set security ike gateway SPOKE_1_IKE_GW ike-policy SPOKE_1_IKE_POL set security ike gateway SPOKE_1_IKE_GW external-interface ge-0/0/2.0 set security ike gateway SPOKE_1_IKE_GW local-identity distinguished-name set security ike gateway SPOKE_1_IKE_GW remote-identity distinguished-name set security ike gateway SPOKE_1_IKE_GW ppk-profile SPOKE_1_KM_PROFILE_1 set security ike gateway SPOKE_1_IKE_GW version v2-only set security ipsec proposal SPOKE_1_IPSEC_PROP protocol esp set security ipsec proposal SPOKE_1_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal SPOKE_1_IPSEC_PROP encryption-algorithm aes-256-cbc set security ipsec policy SPOKE_1_IPSEC_POL proposals SPOKE_1_IPSEC_PROP set security ipsec vpn SPOKE_1_IPSEC_VPN bind-interface st0.1 set security ipsec vpn SPOKE_1_IPSEC_VPN ike gateway SPOKE_1_IKE_GW set security ipsec vpn SPOKE_1_IPSEC_VPN ike ipsec-policy SPOKE_1_IPSEC_POL set security ipsec vpn SPOKE_1_IPSEC_VPN traffic-selector ts1 local-ip 192.168.80.0/24 set security ipsec vpn SPOKE_1_IPSEC_VPN traffic-selector ts1 remote-ip 192.168.90.0/24 set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.2/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.80.1/24 set interfaces st0 unit 1 family inet set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.1 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0 set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit
Set Commands on Spoke 2
set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url https://ca-server.juniper.net/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable request security pki ca-certificate enroll ca-profile Root-CA request security pki generate-key-pair certificate-id SPOKE_2_CRT size 2048 type rsa request security pki local-certificate enroll certificate-id SPOKE_2_CRT challenge-password <password> domain-name spoke_2.juniper.net email spoke_2@juniper.net subject DC=juniper,CN=spoke_2.juniper.net,OU=security,O=juniper,L=sunnyvale,ST=california,C=us ca-profile Root-CA request security pki local-certificate load certificate-id SAE_SPOKE_2 filename SAE_SPOKE_2.cert key SAE_SPOKE_2.key set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager url https://www.kme_spoke_2-qkd-server.net set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager local-sae-id SAE_SPOKE_2 set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager local-certificate-id SAE_SPOKE_2_CERT set security key-manager profiles SPOKE_2_KM_PROFILE_1 quantum-key-manager trusted-cas Root-CA set security ike proposal SPOKE_2_IKE_PROP authentication-method rsa-signatures set security ike proposal SPOKE_2_IKE_PROP dh-group group14 set security ike proposal SPOKE_2_IKE_PROP authentication-algorithm sha-256 set security ike proposal SPOKE_2_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal SPOKE_2_IKE_PROP lifetime-seconds 3600 set security ike policy SPOKE_2_IKE_POL proposals SPOKE_IKE_PROP set security ike policy SPOKE_2_IKE_POL certificate local-certificate SPOKE_2_CRT set security ike gateway SPOKE_2_IKE_GW address 172.18.10.1 set security ike gateway SPOKE_2_IKE_GW local-address 172.18.10.3 set security ike gateway SPOKE_2_IKE_GW ike-policy SPOKE_2_IKE_POL set security ike gateway SPOKE_2_IKE_GW external-interface ge-0/0/2.0 set security ike gateway SPOKE_2_IKE_GW local-identity distinguished-name set security ike gateway SPOKE_2_IKE_GW remote-identity distinguished-name set security ike gateway SPOKE_2_IKE_GW ppk-profile SPOKE_2_KM_PROFILE_1 set security ike gateway SPOKE_2_IKE_GW version v2-only set security ipsec proposal SPOKE_2_IPSEC_PROP protocol esp set security ipsec proposal SPOKE_2_IPSEC_PROP authentication-algorithm hmac-sha-256-128 set security ipsec proposal SPOKE_2_IPSEC_PROP encryption-algorithm aes-256-cbc set security ipsec policy SPOKE_2_IPSEC_POL proposals SPOKE_2_IPSEC_PROP set security ipsec vpn SPOKE_2_IPSEC_VPN bind-interface st0.2 set security ipsec vpn SPOKE_2_IPSEC_VPN ike gateway SPOKE_2_IKE_GW set security ipsec vpn SPOKE_2_IPSEC_VPN ike ipsec-policy SPOKE_2_IPSEC_POL set security ipsec vpn SPOKE_2_IPSEC_VPN traffic-selector ts1 local-ip 192.168.70.0/24 set security ipsec vpn SPOKE_2_IPSEC_VPN traffic-selector ts1 remote-ip 192.168.90.0/24 set interfaces ge-0/0/2 unit 0 family inet address 172.18.10.3/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.70.1/24 set interfaces st0 unit 2 family inet set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust interfaces ge-0/0/2.0 set security zones security-zone vpn interfaces st0.2 set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust interfaces ge-0/0/1.0 set security policies from-zone trust to-zone vpn policy vpn_out match source-address any set security policies from-zone trust to-zone vpn policy vpn_out match destination-address any set security policies from-zone trust to-zone vpn policy vpn_out match application any set security policies from-zone trust to-zone vpn policy vpn_out then permit set security policies from-zone vpn to-zone trust policy vpn_in match source-address any set security policies from-zone vpn to-zone trust policy vpn_in match destination-address any set security policies from-zone vpn to-zone trust policy vpn_in match application any set security policies from-zone vpn to-zone trust policy vpn_in then permit