Configuring Internal IPsec for Junos-FIPS
In a Junos-FIPS environment, routers with two Routing Engines must use IPsec for internal communication between the Routing Engines. You configure internal IPsec after you install Junos-FIPS. You must be a Crypto Officer to configure internal IPsec.
To configure internal IPsec, include the security-association statement at the [edit security] hierarchy level:
Tasks for configuring internal IPsec for Junos-FIPS are:
Configuring the SA Direction
To configure the IPsec SA direction, include the direction statement at the [edit security ipsec internal security-association manual] hierarchy level:
The value can be one of the following:
- bidirectional—Apply the same SA values in both directions between Routing Engines.
- inbound—Apply these SA properties only to the inbound IPsec tunnel.
- outbound—Apply these SA properties only to the outbound IPsec tunnel.
If you do not configure the SA to be bidirectional, you must configure SA parameters for IPsec tunnels in both directions. The following example uses an inbound and outbound IPsec tunnel:
Configuring the IPsec SPI
A security parameter index (SPI) is a 32-bit index identifying a security context between a pair of Routing Engines. To configure the IPsec Security Parameter Index (SPI) value, include the spi statement at the [edit security ipsec internal security-association manual direction] hierarchy level:
The value must be from 256 through 16639.
Configuring the IPsec Key
To configure the ASCII text key, include the key statement at the [edit security ipsec internal security-association manual direction encryption] hierarchy level:
The value must be from 256 through 16639. You must enter the ASCII key value twice, and the two strings must match, or the key is not set. The ASCII text key is never displayed in plain text.
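The three tasks above combined into one configuration for the inbound/outbound case the text describes, written as an added example and not taken from the Juniper documentation page. Only the direction, spi and key statements come from the text; the protocol esp and encryption algorithm 3des-cbc statements, the SPI values 512 and 513, and the placeholder keys are assumptions for this example.

```junos
/* Added example, not from the original page: separate inbound and outbound
   SAs under [edit security ipsec internal security-association manual].
   protocol esp and algorithm 3des-cbc are assumed statements; the SPI
   values are chosen from the 256-16639 range the text gives; the key
   strings are placeholders typed twice at the CLI prompt and are stored
   and shown only in obfuscated form. */
security {
    ipsec {
        internal {
            security-association {
                manual {
                    direction inbound {
                        protocol esp;                 /* assumed statement */
                        spi 512;                      /* 256 through 16639 */
                        encryption {
                            algorithm 3des-cbc;       /* assumed statement */
                            key ascii-text "<INBOUND-KEY-PLACEHOLDER>";
                        }
                    }
                    direction outbound {
                        protocol esp;                 /* assumed statement */
                        spi 513;                      /* distinct SPI per direction */
                        encryption {
                            algorithm 3des-cbc;       /* assumed statement */
                            key ascii-text "<OUTBOUND-KEY-PLACEHOLDER>";
                        }
                    }
                }
            }
        }
    }
}
```

Because neither direction is bidirectional, both direction stanzas are required; omitting one leaves that tunnel without an SA.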