To configure an SA for IPSec, include the security-association statement, specifying a security association name:

    [edit security ipsec]
    security-association name;

IPSec runs in two modes: transport and tunnel. By default, tunnel mode is enabled. Tunnel mode protects connections between security gateways. Tunnel mode requires the ES PIC. To configure transport mode, include the mode statement, specifying the transport option. In transport mode, the JUNOS software does not support AH and encapsulating security payload (ESP) header bundles.

    [edit security ipsec security-association name]
    mode transport;

To set the replay window size to protect the receiver against replay attacks by rejecting old or duplicate packets, include the replay-window-size statement:

    [edit security ipsec security-association name]
    replay-window-size (32 | 64);

Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place. To configure the manual IPSec security association, include the manual statement:

    [edit security ipsec security-association name]
    manual {
        direction (inbound | outbound | bidirectional) {
            authentication {
                algorithm (hmac-md5-96 | hmac-sha1-96);
                key (ascii-text key | hexadecimal key);
            }
            encryption {
                algorithm (des-cbc | 3des-cbc);
                key (ascii-text key | hexadecimal key);
            }
            spi spi-value;
            protocol (esp | ah);
        }
    }

The direction statement sets inbound and outbound IPSec processing. To define different algorithms, keys, or security parameter index (SPI) values for each direction, configure the inbound and outbound options. To have the same attributes in both directions, use the bidirectional option. IPSec uses two protocols to protect IP traffic: encapsulating security payload (ESP) and authentication header (AH). For transport mode SAs, both ESP and AH are supported. To configure the IPSec protocol, include the protocol statement.
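The replay window configured above is, on the receiving side, a sliding bitmap over the sequence numbers carried in ESP and AH headers: a packet is accepted once, packets that fall behind the window are dropped, and duplicates inside the window are dropped. The following Python model is an added illustration and is not part of the JUNOS documentation or software; it implements the standard anti-replay window of RFC 4303 section 3.4.3, restricted to the two sizes the replay-window-size statement accepts, and runs a constructed sequence of packets through it so the three outcomes can be seen.

```python
class ReplayWindow:
    """Receiver-side anti-replay window (RFC 4303 section 3.4.3 bitmap scheme)."""

    def __init__(self, size=64):
        # JUNOS accepts only 32 or 64 for replay-window-size; mirror that restriction.
        if size not in (32, 64):
            raise ValueError("replay-window-size must be 32 or 64")
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq <= 0 or seq >= 2**32:
            return False                    # sequence 0 and out-of-range values are invalid
        if seq > self.top:                  # right of the window: slide it forward
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1             # jumped so far that the old window is gone
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                    # too old: left of the window, rejected
        if (self.bitmap >> offset) & 1:
            return False                    # duplicate: already received, rejected
        self.bitmap |= 1 << offset          # late but in-window packet: mark and accept
        return True


def replay_check(size, seqs):
    """Run a sequence of ESP/AH sequence numbers through one window of the given size."""
    window = ReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed sample traffic: in-order (1), reordered (3 then 2), replayed (2, 3),
# a large jump (100), a packet that fell behind the window (36) and one just inside it (37).
SAMPLE = [1, 3, 2, 2, 3, 100, 36, 37]

if __name__ == "__main__":
    for size in (32, 64):
        print(f"window {size}: {replay_check(size, SAMPLE)}")
```

With a 64-packet window, sequence number 37 is 63 behind the newest packet (100) and is still accepted; with a 32-packet window it is rejected as stale. The replayed 2 and 3 are refused in both cases, which is the protection the statement buys the receiver.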
An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets. Each manual SA must have a unique SPI and protocol combination. To configure the SPI, include the spi statement. To configure an authentication algorithm, include the authentication statement. The algorithm can be one of the following:
The key can be one of the following:
To configure IPSec encryption, include the encryption statement. The algorithm can be one of the following:
The key can be one of the following:
You cannot configure encryption when you use the AH protocol.
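Because manual SAs are never negotiated, every constraint stated above is enforced only by what is typed into the configuration: each SA the device receives on needs a unique SPI and protocol combination, both peers must carry identical static values in opposite directions, encryption cannot be combined with AH, and the replay window must be 32 or 64. The following Python checker is an added example, not Juniper code; it models the manual stanza as a plain dict and reports these mistakes before the configuration is committed. The key lengths it enforces (16 bytes for hmac-md5-96, 20 for hmac-sha1-96, 8 for des-cbc, 24 for 3des-cbc) are the sizes fixed by the IPSec algorithm RFCs, and the SPI floor of 256 is the RFC 4303 reserved range; both are assumptions not taken from this page. The sample SAs and their keys are constructed placeholders.

```python
# Added checker for JUNOS-style manual IPSec SA definitions (not Juniper's code).
# Each SA is a dict mirroring the [edit security ipsec security-association name manual] stanza.

# Key sizes in bytes fixed by RFC 2403 / 2404 / 2405 / 2451 (assumption, not from the page).
KEY_BYTES = {"hmac-md5-96": 16, "hmac-sha1-96": 20, "des-cbc": 8, "3des-cbc": 24}
AUTH_ALGS = {"hmac-md5-96", "hmac-sha1-96"}
ENC_ALGS = {"des-cbc", "3des-cbc"}
RESERVED_SPI_MAX = 255   # RFC 4303 reserves SPI 1-255 and 0 for local use (assumption)
DIRECTIONS = ("inbound", "outbound", "bidirectional")


def key_to_bytes(key):
    """key is (form, value) with form 'ascii-text' or 'hexadecimal', as in the stanza."""
    form, value = key
    if form == "ascii-text":
        return value.encode("ascii")
    if form == "hexadecimal":
        return bytes.fromhex(value)          # ValueError on non-hex text
    raise ValueError("key form must be ascii-text or hexadecimal")


def check_direction(sa_name, direction, cfg):
    """Return the problems found in one direction block."""
    where = f"{sa_name}/{direction}"
    problems = []
    if direction not in DIRECTIONS:
        problems.append(f"{where}: direction must be inbound, outbound or bidirectional")
    proto = cfg.get("protocol")
    if proto not in ("esp", "ah"):
        problems.append(f"{where}: protocol must be esp or ah")
    spi = cfg.get("spi")
    if not isinstance(spi, int) or not (RESERVED_SPI_MAX < spi < 2**32):
        problems.append(f"{where}: spi {spi!r} is reserved or not a 32-bit value")
    for block, allowed in (("authentication", AUTH_ALGS), ("encryption", ENC_ALGS)):
        stmt = cfg.get(block)
        if stmt is None:
            continue
        alg = stmt.get("algorithm")
        if alg not in allowed:
            problems.append(f"{where}: {block} algorithm {alg!r} not supported")
            continue
        try:
            raw = key_to_bytes(stmt["key"])
        except (KeyError, ValueError, UnicodeEncodeError):
            problems.append(f"{where}: {block} key is malformed")
            continue
        if len(raw) != KEY_BYTES[alg]:
            problems.append(f"{where}: {alg} key must be {KEY_BYTES[alg]} bytes, got {len(raw)}")
    if proto == "ah" and cfg.get("encryption") is not None:
        problems.append(f"{where}: encryption cannot be configured with the AH protocol")
    return problems


def validate_device(sas):
    """Check every manual SA configured on one device; returns a list of problems."""
    problems, receive_table = [], {}
    for sa in sas:
        name = sa["name"]
        if sa.get("replay-window-size", 64) not in (32, 64):
            problems.append(f"{name}: replay-window-size must be 32 or 64")
        for direction, cfg in sa["direction"].items():
            problems += check_direction(name, direction, cfg)
            # The SPI selects the SA at the receiving host, so the SAs this device
            # receives on must not share a (spi, protocol) pair.
            if direction in ("inbound", "bidirectional"):
                combo = (cfg.get("spi"), cfg.get("protocol"))
                if combo in receive_table:
                    problems.append(f"{name}/{direction}: {combo} already used by {receive_table[combo]}")
                receive_table[combo] = f"{name}/{direction}"
    return problems


def peers_mirror(local, remote):
    """True when both peers carry the same static values in opposite directions."""
    ld, rd = local["direction"], remote["direction"]
    if "bidirectional" in ld or "bidirectional" in rd:
        return ld.get("bidirectional") == rd.get("bidirectional")
    return ld.get("outbound") == rd.get("inbound") and ld.get("inbound") == rd.get("outbound")


# Constructed sample configurations (placeholder keys, not real key material).
ESP_IN = {"protocol": "esp", "spi": 256,
          "authentication": {"algorithm": "hmac-sha1-96", "key": ("ascii-text", "20-char-sample-key!!")},
          "encryption": {"algorithm": "3des-cbc", "key": ("hexadecimal", "0123456789abcdef" * 3)}}
ESP_OUT = {"protocol": "esp", "spi": 257,
           "authentication": {"algorithm": "hmac-md5-96", "key": ("ascii-text", "sixteen-byte-key")},
           "encryption": {"algorithm": "des-cbc", "key": ("ascii-text", "8bytekey")}}
PEER_A = {"name": "sa-to-b", "direction": {"inbound": ESP_IN, "outbound": ESP_OUT}}
PEER_B = {"name": "sa-to-a", "direction": {"inbound": ESP_OUT, "outbound": ESP_IN}}
BAD_AH = {"name": "bad-ah", "direction": {"bidirectional": {
    "protocol": "ah", "spi": 300,
    "authentication": {"algorithm": "hmac-md5-96", "key": ("ascii-text", "short")},
    "encryption": {"algorithm": "des-cbc", "key": ("ascii-text", "8bytekey")}}}}
BAD_DUP = {"name": "bad-dup", "replay-window-size": 48, "direction": {"bidirectional": {
    "protocol": "esp", "spi": 256,
    "authentication": {"algorithm": "hmac-sha1-96", "key": ("ascii-text", "20-char-sample-key!!")}}}}

if __name__ == "__main__":
    print("peers mirror:", peers_mirror(PEER_A, PEER_B))
    for p in validate_device([PEER_A, BAD_AH, BAD_DUP]):
        print("problem:", p)
```

Run against the two good peers the checker is silent and peers_mirror confirms that PEER_A's outbound block is PEER_B's inbound block and vice versa. Adding the two bad SAs to PEER_A's device produces four findings: a five-byte hmac-md5-96 key, encryption under AH, a replay window of 48, and a bidirectional SA reusing the (256, esp) pair that sa-to-b already receives on.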