Configuring Security Associations


To configure an SA for IPSec, include the security-association statement, specifying a security association name:

    [edit security ipsec]
    security-association name;

IPSec runs in two modes: transport and tunnel. By default, tunnel mode is enabled. Tunnel mode protects connections between security gateways. Tunnel mode requires the ES PIC. To configure transport mode, include the mode statement, specifying the transport option. In transport mode, the JUNOS software does not support AH and encapsulating security payload (ESP) header bundles.

    [edit security ipsec security-association name]
    mode transport;

To set the replay window size to protect the receiver against replay attacks by rejecting old or duplicate packets, include the replay-window-size statement:

    [edit security ipsec security-association name]
    replay-window-size (32 | 64);

Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. To configure the manual IPSec security association, include the manual statement:

    [edit security ipsec security-association name]
    manual {
        direction (inbound | outbound | bi-directional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (des-cbc | 3des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            spi spi-value;
            protocol (esp | ah);
        }
    }

The direction statement sets inbound and outbound IPSec processing. To define different algorithms, keys, or security parameter index (SPI) values for each direction, configure the inbound and outbound options. To have the same attributes in both directions, use the bidirectional option.

IPSec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and Authentication Header (AH). For transport mode SAs, both ESP and AH are supported. To configure the IPSec protocol, include the protocol statement.

An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets. Each manual SA must have a unique SPI and protocol combination. To configure the SPI, include the spi statement.

To configure an authentication algorithm, include the authentication statement. The algorithm can be one of the following:

  • hmac-md5-96: Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and a 96-bit digest.

  • hmac-sha1-96: Hash algorithm that authenticates packet data. It produces a 160-bit authenticator value and a 96-bit digest.

The key can be one of the following:

  • ascii-text: ASCII text key. With the hmac-md5-96 option, the key contains 16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.

  • hexadecimal: Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.

To configure IPSec encryption, include the encryption statement. The algorithm can be one of the following:

  • des-cbc: Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.

  • 3des-cbc: Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long. For 3des-cbc, the first 8 bytes must not be the same as the second 8 bytes, and the second 8 bytes must not be the same as the third 8 bytes.

For a list of DES weak and semi-weak keys, see RFC 2409, Internet Key Exchange.

The key can be one of the following:

  • ascii-text: ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.

  • hexadecimal: Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.

You cannot configure encryption when you use the AH protocol.
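Because a manual SA is never negotiated, a mismatch or a weak key is only discovered when traffic fails or when someone audits the configuration. The following added example (not from the book or from JUNOS) checks a manual SA description against the rules above: the key lengths for each authentication and encryption algorithm and key form, the 3des-cbc rule that adjacent 8-byte parts must differ, the four DES weak keys (the page refers to RFC 2409 for the full weak and semi-weak list; the semi-weak keys are not checked here), the rule that AH cannot carry encryption, and the requirement that each SA's SPI and protocol pair be unique. The dictionary layout is an assumption made for the example.

```python
import re

# Key lengths the text requires, as (ascii-text characters, hexadecimal characters).
AUTH_KEY_LEN = {"hmac-md5-96": (16, 32), "hmac-sha1-96": (20, 40)}
ENC_KEY_LEN = {"des-cbc": (8, 16), "3des-cbc": (24, 48)}
# The four DES weak keys; the DES semi-weak keys from RFC 2409 are not checked here.
DES_WEAK_KEYS = {bytes.fromhex(k) for k in ("0101010101010101", "fefefefefefefefe",
                                            "1f1f1f1f0e0e0e0e", "e0e0e0e0f1f1f1f1")}


def check_key(table, algorithm, kind, key):
    """Check one key statement's length and form; return (problems, raw key bytes)."""
    want = table[algorithm][0 if kind == "ascii-text" else 1]
    if len(key) != want:
        return [f"{algorithm} {kind} key must be {want} characters, got {len(key)}"], None
    if kind == "hexadecimal":
        if not re.fullmatch(r"[0-9a-fA-F]+", key):
            return [f"{algorithm} hexadecimal key contains non-hex characters"], None
        return [], bytes.fromhex(key)
    return [], key.encode("ascii")


def check_manual_sa(sa):
    """Return configuration problems for one manual SA (an empty list means OK)."""
    problems = []
    if "authentication" in sa:
        a = sa["authentication"]
        problems += check_key(AUTH_KEY_LEN, a["algorithm"], a["key-type"], a["key"])[0]
    if "encryption" in sa:
        e = sa["encryption"]
        if sa["protocol"] == "ah":
            problems.append("encryption cannot be configured with protocol ah")
        errs, raw = check_key(ENC_KEY_LEN, e["algorithm"], e["key-type"], e["key"])
        problems += errs
        if raw is not None:
            parts = [raw[i:i + 8] for i in range(0, len(raw), 8)]  # 8-byte DES key parts
            if any(p in DES_WEAK_KEYS for p in parts):
                problems.append(f"{e['algorithm']} key contains a DES weak key")
            if e["algorithm"] == "3des-cbc" and (parts[0] == parts[1] or parts[1] == parts[2]):
                problems.append("3des-cbc key: adjacent 8-byte parts must differ")
    return problems


def duplicate_spis(sas):
    """Each manual SA needs a unique (spi, protocol) pair; return the repeated pairs."""
    seen, dups = set(), []
    for sa in sas:
        pair = (sa["spi"], sa["protocol"])
        if pair in seen:
            dups.append(pair)
        seen.add(pair)
    return dups
```

Run it over the SAs on both peers before committing: a non-empty result on either side, or any repeated pair from duplicate_spis, means the SA will not pass traffic or is weaker than intended.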



Juniper Networks Field Guide and Reference
ISBN: 0321122445
Year: 2002
Pages: 185