Chapter 7. IP Security (IPSec)


Configuring IPSec Global and Proposal Properties

Configuring Security Associations

Configuring Dynamic Security Associations

Configuring IKE

Configuring an IPSec Proposal

Configuring an IPSec Policy

The Internet Protocol Security (IPSec) architecture provides a security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPSec, the JUNOS software also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs). IPSec also defines a security association and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities. IPSec provides secure tunnels between two peers.

To use IPSec security services, you create SAs between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPSec. There are two types of SAs:

  • Manual SAs: Require no negotiation; all values, including the keys, are static and specified in the configuration. Manual SAs statically define the security parameter index values, algorithms, and keys to be used and require matching configurations on both end points of the tunnel. As a result, each peer must have the same configured options for communication to take place.

  • Dynamic SAs: Require configuration. With dynamic SAs, you configure IKE first and then the SA. IKE creates dynamic security associations; it negotiates SAs for IPSec. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway. This secure connection is then used to dynamically agree on keys and other data used by the dynamic IPSec SA. The IKE SA is negotiated first and then used to protect the negotiations that determine the dynamic IPSec SAs.

The JUNOS implementation of IPSec supports two types of security: host to host and gateway to gateway. Host-to-host security protects BGP sessions with other routers. Any SA to be used with BGP must be configured manually and use transport mode. Static values must be configured on both ends of the security association. To apply host protection, you configure manual SAs in transport mode and then reference the SA by name at the [edit protocols bgp] hierarchy level to protect a session with a given peer.

Gateway-to-gateway security protects traffic traveling between two security gateways. It is most often used to encrypt virtual private network (VPN) traffic. Because of the high speeds of the transit interfaces, this functionality requires an ES PIC. To enable gateway-to-gateway protection, you must configure IKE (for dynamic SAs only), an SA, an ES PIC, and traffic parameters.

IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPSec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway. IKE negotiates and manages IKE and IPSec parameters, authenticates secure key exchange, provides mutual peer authentication by means of shared secrets (not passwords) and public keys, and provides identity protection (in main mode). IKE occurs over two phases. In the first phase, it negotiates security attributes and establishes shared secrets to form the bidirectional IKE SA. In the second phase, inbound and outbound IPSec SAs are established. The IKE SA secures the exchanges in the second phase. IKE also generates keying material, provides Perfect Forward Secrecy (PFS), and exchanges identities.

To configure security services, include the following statements:

[edit security]
ike {
    numerous global IKE statements
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1);
        authentication-method pre-shared-keys;
        dh-group (group1 | group2);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    policy ike-peer-address {
        mode (aggressive | main);
        proposal [ ike-proposal-names ];
        pre-shared-key (ascii-text key | hexadecimal key);
    }
}
ipsec {
    numerous global ipsec statements
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        encryption-algorithm (3des-cbc | des-cbc);
        lifetime-seconds seconds;
        protocol esp;
    }
    policy ipsec-policy-name {
        perfect-forward-secrecy {
            keys (group1 | group2);
        }
        proposal [ ipsec-proposal-names ];
    }
    security-association name {
        mode (tunnel | transport);
        replay-window-size (32 | 64);
        manual {
            direction (inbound | outbound | bi-directional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                encryption {
                    algorithm (des-cbc | 3des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
                protocol (esp | ah);
                spi spi-value;
            }
        }
        dynamic ipsec-policy policy-name;
    }
}

The following is the minimum configuration for manual SAs:

[edit security ipsec]
security-association name {
    manual {
        direction (inbound | outbound | bi-directional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (des-cbc | 3des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            protocol (esp | ah);
            spi spi-value;
        }
    }
}
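Because a manual SA is never negotiated, nothing tells you at commit time that the two ends disagree; a key typo or a transposed SPI simply produces a session that never comes up. The following added example (not from the book and not Juniper code) checks the rule stated for manual SAs above before the configuration is committed: it parses both peers' stanzas in JUNOS-style syntax as they appear under [edit security ipsec], pairs each local direction with the peer's opposite direction (an SA is simplex, so one side's inbound is the other side's outbound), and reports every protocol, SPI, algorithm or key that differs. It also applies the chapter's rule that an SA protecting a BGP session must be manual and in transport mode. The parser, the SA name sa-to-r2, the SPIs and the keys are all constructed for the example; insisting on an explicit `mode transport` is this check's own conservative choice, since the chapter does not state the default mode.

```python
"""Cross-check the manual SA stanzas of two IPSec peers.

Added example for this chapter, not Juniper code. It parses JUNOS-style text as
found under [edit security ipsec]; the SA name, SPIs and keys are constructed.
"""

PEER_DIRECTION = {"inbound": "outbound", "outbound": "inbound",
                  "bi-directional": "bi-directional"}


def parse_config(text):
    """Parse curly-brace config into nested dicts: 'direction inbound {' becomes the
    key 'direction inbound'; 'spi 256;' maps 'spi' -> '256' (quotes are dropped)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.replace('"', "").strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def direction_params(cfg, sa_name):
    """Return {direction: {protocol, spi, auth, enc}} from the SA's manual block."""
    sa = cfg.get(f"security-association {sa_name}", {})
    result = {}
    for header, body in sa.get("manual", {}).items():
        kind, _, direction = header.partition(" ")
        if kind == "direction":
            auth, enc = body.get("authentication", {}), body.get("encryption", {})
            result[direction] = {
                "protocol": body.get("protocol"), "spi": body.get("spi"),
                "auth": (auth.get("algorithm"), auth.get("key")),
                "enc": (enc.get("algorithm"), enc.get("key")),
            }
    return result


def check_manual_sa(local, remote, sa_name, for_bgp=False):
    """Return a list of problems; an empty list means the two ends agree."""
    sa = local.get(f"security-association {sa_name}")
    if sa is None:
        return [f"{sa_name}: not defined locally"]
    problems = []
    if for_bgp:
        # The chapter requires a manual SA in transport mode for BGP; this check
        # insists on an explicit 'mode transport' rather than trusting a default.
        if "manual" not in sa:
            problems.append(f"{sa_name}: BGP protection requires a manual SA")
        if sa.get("mode") != "transport":
            problems.append(f"{sa_name}: BGP protection requires mode transport")
    here, there = direction_params(local, sa_name), direction_params(remote, sa_name)
    for direction, p in here.items():
        if p["protocol"] not in ("esp", "ah") or p["spi"] is None:
            problems.append(f"{sa_name}/{direction}: protocol (esp|ah) and spi are required")
        for label in ("auth", "enc"):  # whichever is configured needs algorithm and key
            if (p[label][0] is None) != (p[label][1] is None):
                problems.append(f"{sa_name}/{direction}: {label} needs both algorithm and key")
        peer_dir = PEER_DIRECTION.get(direction)
        q = there.get(peer_dir)
        if q is None:
            problems.append(f"{sa_name}/{direction}: peer has no matching {peer_dir} direction")
            continue
        for field in ("protocol", "spi", "auth", "enc"):
            if p[field] != q[field]:
                problems.append(f"{sa_name}/{direction}: {field} differs from peer {peer_dir}")
    return problems


def sa_stanza(name, directions):
    """Render a manual SA stanza; directions is [(direction, spi, auth_key, enc_key)]."""
    blocks = "".join(f"""
        direction {d} {{
            protocol esp;
            spi {spi};
            authentication {{
                algorithm hmac-sha1-96;
                key ascii-text "{ak}";
            }}
            encryption {{
                algorithm 3des-cbc;
                key ascii-text "{ek}";
            }}
        }}""" for d, spi, ak, ek in directions)
    return f"security-association {name} {{\n    mode transport;\n    manual {{{blocks}\n    }}\n}}\n"


# Constructed sample: router R1's SA and R2's mirror image (R1 inbound == R2 outbound).
LOCAL = parse_config(sa_stanza("sa-to-r2", [("inbound", 256, "auth-a", "enc-a"),
                                            ("outbound", 257, "auth-b", "enc-b")]))
REMOTE = parse_config(sa_stanza("sa-to-r2", [("inbound", 257, "auth-b", "enc-b"),
                                             ("outbound", 256, "auth-a", "enc-a")]))
REMOTE_BAD = parse_config(sa_stanza("sa-to-r2", [("inbound", 257, "auth-b", "enc-b"),
                                                 ("outbound", 256, "auth-a", "enc-A")]))  # key typo
```

Running `check_manual_sa(LOCAL, REMOTE, "sa-to-r2", for_bgp=True)` returns an empty list, while the same call against `REMOTE_BAD` reports that the encryption key of the local inbound direction differs from the peer's outbound direction. The parser is deliberately small and accepts only the one-statement-per-line layout the book uses; it is meant for configuration review, not as a general JUNOS parser.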

The following is the minimum configuration for dynamic SAs:

[edit security]
ike {
    proposal ike-proposal-name {
        authentication-algorithm (md5 | sha1);
        authentication-method pre-shared-keys;
        dh-group (group1 | group2);
        encryption-algorithm (3des-cbc | des-cbc);
    }
    policy ike-peer-address {
        proposal [ ike-proposal-names ];
        pre-shared-key (ascii-text key | hexadecimal key);
    }
}
ipsec {
    policy ipsec-policy-name {
        proposal [ ipsec-proposal-names ];
    }
    proposal ipsec-proposal-name {
        authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
        encryption-algorithm (3des-cbc | des-cbc);
        protocol esp;
    }
    security-association name {
        dynamic ipsec-policy policy-name;
    }
}


Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185