How to Enable and Configure Junos OS in FIPS Mode of Operation
As Cryptographic Officer, you can enable and configure Junos OS in FIPS mode of operation on your device. Before you begin enabling and configuring FIPS mode of operation on the device:
Verify the secure delivery of your device. See Identifying Secure Delivery.
Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable Junos OS in FIPS mode of operation, perform the following steps:
Zeroize the device before enabling FIPS mode of operation:
user@host> request system zeroize
Enable FIPS mode on the device:
user@host# set system fips level 2
Commit the configuration. If the commit check reports critical security parameters (CSPs) that are not permitted in FIPS mode, remove them and commit again, then reboot the device.
user@host# commit
When the device powers on with the module operating in FIPS mode, it runs its integrity and power-on self-tests. Verify that they pass before continuing.
Configure IKEv2 whenever AES-GCM is used as the encryption algorithm for IKE, for IPsec, or for both:
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc             3DES-CBC encryption algorithm
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc             3DES-CBC encryption algorithm
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-192-gcm          AES-GCM 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
user@host# set security ike gateway <gateway_name> version ?
Possible completions:
  v1-only              The connection must be initiated using IKE version 1
  v2-only              The connection must be initiated using IKE version 2
user@host# set security ike gateway <gateway_name> version v2-only
user@host# commit
commit complete
Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the following command:
user@host> request system snapshot
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for a device operating in FIPS-approved mode.
user@host:fips> show version
Hostname: host-srx380
Model: srx380-poe-ac
Junos: 20.2R1
JUNOS Software Release [20.2R1]
The fips keyword next to the hostname in the CLI prompt indicates that the module is operating in FIPS mode for Junos OS Release 20.2R1.
user@host:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}

user@host:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
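The IKEv2 requirement in the procedure above (an AES-GCM encryption algorithm in either the IKE or the IPsec proposal is only valid when the gateway is set to version v2-only) can be checked offline against the text that the two show commands return. The following is an added example, not Juniper's code and not part of this page: a small Python lint that parses the curly-brace configuration output and reports every VPN whose gateway is not pinned to IKEv2 while an AES-GCM proposal is in use. The embedded sample configuration is constructed from the page's vpn1/gw1 output plus a hypothetical vpn2/gw2 in which the version statement was omitted.

```python
"""Added example (not Juniper's code): lint 'show configuration security ike' and
'show configuration security ipsec' output for the rule that AES-GCM needs IKEv2."""

def parse_junos(text):
    """Parse Junos curly-brace config into nested dicts: leaf statements map
    keyword -> rest of line (or True); blocks map their header ('gateway gw1') -> dict."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop '## SECRET-DATA' annotations
        if not line:
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            keyword, _, rest = line.rstrip(";").partition(" ")
            stack[-1][keyword] = rest.strip() or True
    return root

def named_blocks(tree, keyword):
    """{name: body} for every 'keyword name { ... }' block directly under tree."""
    return {h.split()[1]: b for h, b in tree.items()
            if isinstance(b, dict) and len(h.split()) == 2 and h.split()[0] == keyword}

def gcm_proposals(value, proposals):
    """value is a 'proposals' statement ('p1' or '[ p1 p2 ]'); return the named
    proposals whose encryption-algorithm is an AES-GCM mode."""
    names = value.strip("[] ").split() if isinstance(value, str) else []
    return [n for n in names
            if str(proposals.get(n, {}).get("encryption-algorithm", "")).endswith("-gcm")]

def check_gcm_requires_ikev2(ike_text, ipsec_text):
    """One finding per VPN that uses an AES-GCM proposal (IKE or IPsec) while its
    IKE gateway is not 'version v2-only'. An empty list means compliant."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    ike_policies, gateways = named_blocks(ike, "policy"), named_blocks(ike, "gateway")
    ipsec_policies = named_blocks(ipsec, "policy")
    findings = []
    for vpn_name, vpn in named_blocks(ipsec, "vpn").items():
        binding = vpn.get("ike", {})          # the 'ike { gateway ...; ipsec-policy ...; }' block
        gw_name = binding.get("gateway")
        gw = gateways.get(gw_name, {})
        gcm = gcm_proposals(ike_policies.get(gw.get("ike-policy"), {}).get("proposals"),
                            named_blocks(ike, "proposal"))
        gcm += gcm_proposals(ipsec_policies.get(binding.get("ipsec-policy"), {}).get("proposals"),
                             named_blocks(ipsec, "proposal"))
        if gcm and gw.get("version") != "v2-only":
            findings.append(f"vpn {vpn_name}: gateway {gw_name} has version "
                            f"{gw.get('version', 'unset')} but proposals {gcm} use AES-GCM; "
                            f"set security ike gateway {gw_name} version v2-only")
    return findings

# Constructed sample: vpn1/gw1 follow the page's output; vpn2/gw2 are hypothetical and
# reuse the AES-GCM proposals without pinning the gateway to IKEv2.
IKE_CONFIG = """\
proposal ike-proposal1 {
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$placeholder"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    version v2-only;
}
gateway gw2 {
    ike-policy ike-policy1;
}
"""
IPSEC_CONFIG = """\
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    proposals ipsec-proposal1;
}
vpn vpn1 {
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
vpn vpn2 {
    ike {
        gateway gw2;
        ipsec-policy ipsec-policy1;
    }
}
"""

if __name__ == "__main__":
    print("\n".join(check_gcm_requires_ikev2(IKE_CONFIG, IPSEC_CONFIG)) or "compliant")
```

Feed it the raw text captured from the two show commands; each finding names the gateway and the set command that pins it to IKEv2. The parser deliberately strips the ## SECRET-DATA annotation so that pre-shared keys never influence the check.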