The Internet Protocol Security (IPSec) architecture provides a security suite for the IPv4 and IPv6 network layers. The suite provides such functionality as authentication of origin, data integrity, confidentiality, replay protection, and nonrepudiation of source. In addition to IPSec, the JUNOS software also supports the Internet Key Exchange (IKE), which defines mechanisms for key generation and exchange, and manages security associations (SAs). IPSec also defines a security association and key management framework that can be used with any network layer protocol. The SA specifies what protection policy to apply to traffic between two IP-layer entities. IPSec provides secure tunnels between two peers. To use IPSec security services, you create SAs between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPSec. There are two types of SAs:
The JUNOS implementation of IPSec supports two types of security: host to host and gateway to gateway.

Host-to-host security protects BGP sessions with other routers. Any SA to be used with BGP must be configured manually and use transport mode. Static values must be configured on both ends of the security association. To apply host protection, you configure manual SAs in transport mode and then reference the SA by name at the [edit protocols bgp] hierarchy level to protect a session with a given peer.

Gateway-to-gateway security protects traffic traveling between two security gateways. It is most often used to encrypt virtual private network (VPN) traffic. Because of the high speeds of the transit interfaces, this functionality requires an ES PIC. To enable gateway-to-gateway protection, you must configure IKE (for dynamic SAs only), an SA, an ES PIC, and traffic parameters.

IKE is a key management protocol that creates dynamic SAs; it negotiates SAs for IPSec. An IKE configuration defines the algorithms and keys used to establish a secure connection with a peer security gateway. IKE negotiates and manages IKE and IPSec parameters, authenticates secure key exchange, provides mutual peer authentication by means of shared secrets (not passwords) and public keys, and provides identity protection (in main mode). IKE occurs over two phases. In the first phase, it negotiates security attributes and establishes shared secrets to form the bidirectional IKE SA. In the second phase, inbound and outbound IPSec SAs are established. The IKE SA secures the exchanges in the second phase. IKE also generates keying material, provides Perfect Forward Secrecy (PFS), and exchanges identities.
To configure security services, include the following statements:

    [edit security]
    ike {
        numerous global IKE statements
        proposal ike-proposal-name {
            authentication-algorithm (md5 | sha1);
            authentication-method pre-shared-keys;
            dh-group (group1 | group2);
            encryption-algorithm (3des-cbc | des-cbc);
            lifetime-seconds seconds;
        }
        policy ike-peer-address {
            mode (aggressive | main);
            proposal [ ike-proposal-names ];
            pre-shared-key (ascii-text key | hexadecimal key);
        }
    }
    ipsec {
        numerous global ipsec statements
        proposal ipsec-proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm (3des-cbc | des-cbc);
            lifetime-seconds seconds;
            protocol esp;
        }
        policy ipsec-policy-name {
            perfect-forward-secrecy {
                keys (group1 | group2);
            }
            proposal [ ipsec-proposal-names ];
        }
        security-association name {
            mode (tunnel | transport);
            replay-window-size (32 | 64);
            manual {
                direction (inbound | outbound | bi-directional) {
                    authentication {
                        algorithm (hmac-md5-96 | hmac-sha1-96);
                        key (ascii-text key | hexadecimal key);
                    }
                    encryption {
                        algorithm (des-cbc | 3des-cbc);
                        key (ascii-text key | hexadecimal key);
                    }
                    protocol (esp | ah);
                    spi spi-value;
                }
            }
            dynamic ipsec-policy policy-name;
        }
    }

The following is the minimum configuration for manual SAs:

    [edit security ipsec]
    security-association name {
        manual {
            direction (inbound | outbound | bi-directional) {
                authentication {
                    algorithm (hmac-md5-96 | hmac-sha1-96);
                    key (ascii-text key | hexadecimal key);
                }
                encryption {
                    algorithm (des-cbc | 3des-cbc);
                    key (ascii-text key | hexadecimal key);
                }
                protocol (esp | ah);
                spi spi-value;
            }
        }
    }

The following is the minimum configuration for dynamic SAs:

    [edit security]
    ike {
        proposal ike-proposal-name {
            authentication-algorithm (md5 | sha1);
            authentication-method pre-shared-keys;
            dh-group (group1 | group2);
            encryption-algorithm (3des-cbc | des-cbc);
        }
        policy ike-peer-address {
            proposal [ ike-proposal-names ];
            pre-shared-key (ascii-text key | hexadecimal key);
        }
    }
    ipsec {
        policy ipsec-policy-name {
            proposal [ ipsec-proposal-names ];
        }
        proposal ipsec-proposal-name {
            authentication-algorithm (hmac-md5-96 | hmac-sha1-96);
            encryption-algorithm (3des-cbc | des-cbc);
            protocol esp;
        }
        security-association name {
            dynamic ipsec-policy policy-name;
        }
    }
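The hierarchy above lists several legacy choices (des-cbc, md5, group1, aggressive mode) and makes perfect-forward-secrecy optional. The following added example, which is not JUNOS or Juniper code, parses a brace-style [edit security] block into nested dicts and flags those settings; the SAMPLE configuration, the WEAK set and the peer address 192.0.2.1 are constructed for illustration.

```python
# Constructed [edit security] fragment in the statement syntax shown above (not a real device).
SAMPLE = """\
ike {
    proposal ike-prop {
        authentication-algorithm md5;
        encryption-algorithm des-cbc;
        dh-group group1;
    }
    policy 192.0.2.1 {
        mode aggressive;
        proposal [ ike-prop ];
    }
}
ipsec {
    policy vpn-pol {
        proposal [ ipsec-prop ];
    }
}
"""

WEAK = {"des-cbc", "md5", "group1"}  # legacy values offered by the hierarchy; assumed audit policy

def parse(text):
    # Brace-delimited statements become nested dicts; leaf statements map keyword -> remainder.
    root = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        else:
            kw, _, val = line.rstrip(";").partition(" ")
            stack[-1][kw] = val
    return root

def audit(cfg):
    # Walk the ike and ipsec containers and report weak or missing settings as text findings.
    out = []
    for name, body in cfg.get("ike", {}).items():
        if name.startswith("proposal "):
            for stmt in ("authentication-algorithm", "encryption-algorithm", "dh-group"):
                if body.get(stmt) in WEAK:
                    out.append(f"ike {name}: weak {stmt} {body[stmt]}")
        elif name.startswith("policy ") and body.get("mode") == "aggressive":
            out.append(f"ike {name}: aggressive mode offers no identity protection")
    for name, body in cfg.get("ipsec", {}).items():
        if name.startswith("policy ") and "perfect-forward-secrecy" not in body:
            out.append(f"ipsec {name}: perfect-forward-secrecy not configured")
    return out
```

Running audit(parse(SAMPLE)) yields five findings: three weak IKE proposal algorithms, the aggressive-mode policy, and the IPSec policy without PFS.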