Configure IPsec VPN in FIPS mode

07-Dec-21

SUMMARY: This section provides the commands for configuring an IPsec VPN in FIPS mode.

An IPsec tunnel provides device authentication, confidentiality, and integrity for traffic traversing a public or untrusted network. Figure 1 shows the IPsec VPN tunnel topology.

Figure 1: IPsec VPN Tunnel Topology

Configure IPsec VPN Service on Router 1

In this section, you configure Router 1 running Junos OS for IPsec VPN.

  1. Configure service set and VPN rules on Router 1.
    [edit]
    crypto-officer@hostname:fips# set services service-set ss1 next-hop-service inside-service-interface ms-4/0/0.1
    crypto-officer@hostname:fips# set services service-set ss1 next-hop-service outside-service-interface ms-4/0/0.2
    crypto-officer@hostname:fips# set services service-set ss1 ipsec-vpn-options local-gateway 10.0.1.1
    crypto-officer@hostname:fips# set services service-set ss1 ipsec-vpn-rules rule1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from source-address 172.16.0.0/16
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from destination-address 192.168.0.0/16
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then remote-gateway 10.0.1.2
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then dynamic ike-policy ike_policy1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then dynamic ipsec-policy ipsec_policy1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then anti-replay-window-size 4096
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 match-direction input
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 protocol esp
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 authentication-algorithm hmac-sha-256-128
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 encryption-algorithm aes-256-cbc
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec policy ipsec_policy1 perfect-forward-secrecy keys group20
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec policy ipsec_policy1 proposals ipsec_proposal1
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-method pre-shared-keys
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 dh-group group20
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-algorithm sha-256
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 encryption-algorithm aes-256-cbc
    crypto-officer@hostname:fips# set services ipsec-vpn ike policy ike_policy1 version 2
    crypto-officer@hostname:fips# set services ipsec-vpn ike policy ike_policy1 proposals ike_proposal1
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions file ipsec_1
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions level all
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions flag all
    crypto-officer@hostname:fips# set services ipsec-vpn establish-tunnels immediately
    crypto-officer@hostname:fips# prompt services ipsec-vpn ike policy ike_policy1 pre-shared-key ascii-text
         New ascii-text (secret):
         Retype new ascii-text (secret):

    Note:

    In FIPS mode, use the prompt command to set the pre-shared key. Type the pre-shared key in ASCII format when prompted for the secret, as shown below.

    prompt services ipsec-vpn ike policy ike_policy1 pre-shared-key ascii-text

    New ascii-text (secret): xxxxxxxxxxxx
    Retype new ascii-text (secret): xxxxxxxxxxxx
  2. Configure interfaces on Router 1.
    [edit]
    crypto-officer@hostname:fips# set interfaces ms-4/0/0 unit 0 family inet
    crypto-officer@hostname:fips# set interfaces ms-4/0/0 unit 1 family inet
    crypto-officer@hostname:fips# set interfaces ms-4/0/0 unit 1 service-domain inside
    crypto-officer@hostname:fips# set interfaces ms-4/0/0 unit 2 family inet
    crypto-officer@hostname:fips# set interfaces ms-4/0/0 unit 2 service-domain outside
    crypto-officer@hostname:fips# set interfaces xe-0/2/0 unit 0 family inet address 10.0.1.1/30
    crypto-officer@hostname:fips# set interfaces lo0 unit 0 family inet address 172.16.0.1/16
  3. Configure routing options on Router 1.
    [edit]
    crypto-officer@hostname:fips# set routing-options static route 192.168.0.0/16 next-hop ms-4/0/0.1

Configure IPsec VPN Service on Router 2

In this section, you configure Router 2 running Junos OS for IPsec VPN.

  1. Configure service set and VPN rules on Router 2.
    [edit]
    crypto-officer@hostname:fips# set services service-set ss1 next-hop-service inside-service-interface ms-1/0/0.1
    crypto-officer@hostname:fips# set services service-set ss1 next-hop-service outside-service-interface ms-1/0/0.2
    crypto-officer@hostname:fips# set services service-set ss1 ipsec-vpn-options local-gateway 10.0.1.2
    crypto-officer@hostname:fips# set services service-set ss1 ipsec-vpn-rules rule1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from source-address 192.168.0.0/16
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from destination-address 172.16.0.0/16
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then remote-gateway 10.0.1.1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then dynamic ike-policy ike_policy1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then dynamic ipsec-policy ipsec_policy1
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then anti-replay-window-size 4096
    crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 match-direction input
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 protocol esp
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 authentication-algorithm hmac-sha-256-128
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 encryption-algorithm aes-256-cbc
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec policy ipsec_policy1 perfect-forward-secrecy keys group20
    crypto-officer@hostname:fips# set services ipsec-vpn ipsec policy ipsec_policy1 proposals ipsec_proposal1
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-method pre-shared-keys
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 dh-group group20
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-algorithm sha-256
    crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 encryption-algorithm aes-256-cbc
    crypto-officer@hostname:fips# set services ipsec-vpn ike policy ike_policy1 version 2
    crypto-officer@hostname:fips# set services ipsec-vpn ike policy ike_policy1 proposals ike_proposal1
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions file ipsec_1
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions level all
    crypto-officer@hostname:fips# set services ipsec-vpn traceoptions flag all
    crypto-officer@hostname:fips# set services ipsec-vpn establish-tunnels immediately
    crypto-officer@hostname:fips# prompt services ipsec-vpn ike policy ike_policy1 pre-shared-key ascii-text
         New ascii-text (secret):
         Retype new ascii-text (secret):
  2. Configure interfaces on Router 2.
    [edit]
    crypto-officer@hostname:fips# set interfaces ms-1/0/0 unit 0 family inet
    crypto-officer@hostname:fips# set interfaces ms-1/0/0 unit 1 family inet
    crypto-officer@hostname:fips# set interfaces ms-1/0/0 unit 1 service-domain inside
    crypto-officer@hostname:fips# set interfaces ms-1/0/0 unit 2 family inet
    crypto-officer@hostname:fips# set interfaces ms-1/0/0 unit 2 service-domain outside
    crypto-officer@hostname:fips# set interfaces ge-2/0/0 unit 0 family inet address 10.0.1.2/30
    crypto-officer@hostname:fips# set interfaces lo0 unit 0 family inet address 192.168.0.1/16
  3. Configure routing options on Router 2.
    [edit]
    crypto-officer@hostname:fips# set routing-options static route 172.16.0.0/16 next-hop ms-1/0/0.1
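The two router configurations must mirror each other before the tunnel can negotiate: each side's remote-gateway is the other side's local-gateway, the protected source and destination subnets are swapped, and the IKE and IPsec proposals are identical on both ends. The following Python script is an added example, not Juniper code and not part of this page's procedure. It parses the set statements from steps 1 above (Router 1 copied verbatim, Router 2 derived by swapping the addresses exactly as this page does), confirms the two ends mirror each other, compares every proposal value against the values this page configures (the page's own values, not an authoritative FIPS algorithm list), and flags a pre-shared key that was typed inline with set rather than entered through the prompt command, which keeps the secret out of the typed statement.

```python
import re
from typing import Dict, List, Optional

# Prefix of a pasted CLI session, e.g. "crypto-officer@hostname:fips# ".
PROMPT = re.compile(r"^\S+@\S+[#>]\s*")

# (regex over the statement path, value this page configures). These are the
# page's own proposal values, not an authoritative FIPS algorithm list.
EXPECTED = [
    (r"ike proposal \S+ authentication-method$", "pre-shared-keys"),
    (r"ike proposal \S+ dh-group$", "group20"),
    (r"ike proposal \S+ authentication-algorithm$", "sha-256"),
    (r"ike proposal \S+ encryption-algorithm$", "aes-256-cbc"),
    (r"ike policy \S+ version$", "2"),
    (r"ipsec proposal \S+ protocol$", "esp"),
    (r"ipsec proposal \S+ authentication-algorithm$", "hmac-sha-256-128"),
    (r"ipsec proposal \S+ encryption-algorithm$", "aes-256-cbc"),
    (r"ipsec policy \S+ perfect-forward-secrecy keys$", "group20"),
    (r"term \S+ then anti-replay-window-size$", "4096"),
]

# Router 1 statements copied from step 1 above (interfaces and traceoptions omitted).
ROUTER1 = """
crypto-officer@hostname:fips# set services service-set ss1 ipsec-vpn-options local-gateway 10.0.1.1
crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from source-address 172.16.0.0/16
crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 from destination-address 192.168.0.0/16
crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then remote-gateway 10.0.1.2
crypto-officer@hostname:fips# set services ipsec-vpn rule rule1 term term1 then anti-replay-window-size 4096
crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 protocol esp
crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 authentication-algorithm hmac-sha-256-128
crypto-officer@hostname:fips# set services ipsec-vpn ipsec proposal ipsec_proposal1 encryption-algorithm aes-256-cbc
crypto-officer@hostname:fips# set services ipsec-vpn ipsec policy ipsec_policy1 perfect-forward-secrecy keys group20
crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-method pre-shared-keys
crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 dh-group group20
crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 authentication-algorithm sha-256
crypto-officer@hostname:fips# set services ipsec-vpn ike proposal ike_proposal1 encryption-algorithm aes-256-cbc
crypto-officer@hostname:fips# set services ipsec-vpn ike policy ike_policy1 version 2
crypto-officer@hostname:fips# prompt services ipsec-vpn ike policy ike_policy1 pre-shared-key ascii-text
"""

# Router 2 on this page is the mirror image: the two gateway addresses and the
# two protected subnets are swapped (a placeholder makes each swap in two steps).
ROUTER2 = (ROUTER1.replace("10.0.1.1", "GW_TMP").replace("10.0.1.2", "10.0.1.1").replace("GW_TMP", "10.0.1.2")
           .replace("172.16.0.0/16", "NET_TMP").replace("192.168.0.0/16", "172.16.0.0/16")
           .replace("NET_TMP", "192.168.0.0/16"))

def parse_set_statements(session: str) -> Dict[str, str]:
    """Map each 'set <path> <value>' statement to path -> value. Lines that are not
    set statements (such as the 'prompt' used to enter the pre-shared key) are
    ignored, so the secret never enters this dictionary."""
    cfg: Dict[str, str] = {}
    for raw in session.splitlines():
        tokens = PROMPT.sub("", raw.strip()).split()
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[" ".join(tokens[1:-1])] = tokens[-1]
    return cfg

def lookup(cfg: Dict[str, str], suffix: str) -> Optional[str]:
    """Value of the first statement whose path ends with suffix, or None."""
    return next((v for k, v in cfg.items() if k.endswith(suffix)), None)

def check_baseline(cfg: Dict[str, str]) -> List[str]:
    """Report statements that deviate from the page's proposal set, are missing,
    or place the pre-shared key on the command line instead of using 'prompt'."""
    findings = []
    for pattern, want in EXPECTED:
        hits = [(k, v) for k, v in cfg.items() if re.search(pattern, k)]
        if not hits:
            findings.append(f"missing: {pattern}")
        findings += [f"{k}: {v} (expected {want})" for k, v in hits if v != want]
    if any(k.endswith("pre-shared-key ascii-text") for k in cfg):
        findings.append("pre-shared key given inline with set; use the prompt command")
    return findings

def check_peer_symmetry(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """The two ends must name each other as gateways, mirror the protected
    subnets, and agree on every negotiated algorithm."""
    findings = []
    pairs = [("ipsec-vpn-options local-gateway", "then remote-gateway"),
             ("then remote-gateway", "ipsec-vpn-options local-gateway"),
             ("from source-address", "from destination-address"),
             ("from destination-address", "from source-address")]
    for left, right in pairs:
        if lookup(a, left) != lookup(b, right):
            findings.append(f"{left} on A ({lookup(a, left)}) != {right} on B ({lookup(b, right)})")
    for pattern, _ in EXPECTED:
        va = {v for k, v in a.items() if re.search(pattern, k)}
        vb = {v for k, v in b.items() if re.search(pattern, k)}
        if va != vb:
            findings.append(f"{pattern}: A has {sorted(va)}, B has {sorted(vb)}")
    return findings

if __name__ == "__main__":
    r1, r2 = parse_set_statements(ROUTER1), parse_set_statements(ROUTER2)
    for name, result in [("router1", check_baseline(r1)), ("router2", check_baseline(r2)),
                         ("peer symmetry", check_peer_symmetry(r1, r2))]:
        print(name, "OK" if not result else result)
```

Run it against the configuration of a real pair by pasting each router's candidate configuration in set format into ROUTER1 and ROUTER2; a non-empty list from check_peer_symmetry is the usual reason the IKE SA never reaches the Matured state shown in the verification below.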

Verification

Confirm that the configuration is working properly.

Purpose

Verify that the IPsec VPN tunnel is created.

Action

crypto-officer@hostname:fips> show services ipsec-vpn ike security-associations detail

IKE peer 10.0.1.2
  Role: Initiator, State: Matured
  Initiator cookie: 5d73349e49090ae8, Responder cookie: 40f88e192c6538e1
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 10.0.1.1, Remote: 10.0.1.2
  Lifetime: Expires in 3578 seconds
   Algorithms:
   Authentication : hmac-sha256-128
   Encryption : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group : 20
  Traffic statistics:
   Input bytes : 496
   Output bytes : 496
   Input packets: 2
   Output packets: 2
 Flags: IKE SA created
 IPSec security associations: 2 created, 0 deleted

crypto-officer@hostname:fips> show services ipsec-vpn ipsec security-associations detail

Service set: ss1, IKE Routing-instance: default
  Rule: rule1, Term: term1, Tunnel index: 1
  Local gateway: 10.0.1.1, Remote gateway: 10.0.1.2
  IPSec inside interface: ms-4/0/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
  Local identity: ipv4_subnet(any:0,[0..7]=172.16.0.0/16)
  Remote identity: ipv4_subnet(any:0,[0..7]=192.168.0.0/16)
  NATT Detection: Not Detected, NATT keepalive interval: 0
  
   Direction: inbound, SPI: 3546616983, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
   Soft lifetime: Expires in 27960 seconds
   Hard lifetime: Expires in 28766 seconds
   Anti-replay service: Enabled, Replay window size: 4096
   Copy ToS: Enabled
   Copy TTL: Disabled, TTL value: 64
   
   Direction: outbound, SPI: 4136721180, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
   
   Soft lifetime: Expires in 27960 seconds
   Hard lifetime: Expires in 28766 seconds
   Anti-replay service: Enabled, Replay window size: 4096
   Copy ToS: Enabled
   Copy TTL: Disabled, TTL value: 64
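The following Python script is an added example, not Juniper code: it parses the two command outputs above (copied here as constructed sample input and trimmed to the fields it checks) and performs the checks an operator otherwise does by eye. It confirms that the IKE SA is Matured over IKEv2 with pre-shared-key authentication and Diffie-Hellman group 20, that exactly one inbound and one outbound ESP SA are Installed between the configured gateways, that both use hmac-sha-256-128 with 256-bit AES-CBC, that anti-replay is enabled with the configured window of 4096, and that each SA's soft lifetime expires before its hard lifetime so rekeying starts before the SA is torn down. The expected values are taken from this page's configuration.

```python
import re
from typing import Any, Dict, List

# Excerpts of the two 'show services ipsec-vpn ... security-associations detail'
# outputs above (constructed sample: copied from this page, trimmed to the lines used).
IKE_SA_OUTPUT = """\
IKE peer 10.0.1.2
  Role: Initiator, State: Matured
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 10.0.1.1, Remote: 10.0.1.2
   Diffie-Hellman group : 20
"""

IPSEC_SA_OUTPUT = """\
Service set: ss1, IKE Routing-instance: default
  Local gateway: 10.0.1.1, Remote gateway: 10.0.1.2
   Direction: inbound, SPI: 3546616983, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
   Soft lifetime: Expires in 27960 seconds
   Hard lifetime: Expires in 28766 seconds
   Anti-replay service: Enabled, Replay window size: 4096
   Direction: outbound, SPI: 4136721180, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
   Soft lifetime: Expires in 27960 seconds
   Hard lifetime: Expires in 28766 seconds
   Anti-replay service: Enabled, Replay window size: 4096
"""

# What the configuration on this page should negotiate.
EXPECTED = {
    "peer": "10.0.1.2", "ike_state": "Matured", "exchange": "IKEv2",
    "ike_auth_method": "Pre-shared-keys", "dh_group": "20",
    "local_gateway": "10.0.1.1", "remote_gateway": "10.0.1.2",
    "protocol": "ESP", "auth": "hmac-sha-256-128",
    "enc": "aes-cbc (256 bits)", "replay_window": "4096",
}

def first(pattern: str, text: str) -> str:
    """First capture group of pattern in text, or '' when absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else ""

def parse_ike_sa(text: str) -> Dict[str, str]:
    return {
        "peer": first(r"IKE peer (\S+)", text),
        "state": first(r"State: (\w+)", text),
        "exchange": first(r"Exchange type: ([^,]+),", text),
        "auth_method": first(r"Authentication method: (\S+)", text),
        "dh_group": first(r"Diffie-Hellman group\s*:\s*(\d+)", text),
    }

def parse_ipsec_sas(text: str) -> Dict[str, Any]:
    """Split the output into the tunnel header and one record per SA direction."""
    header, *blocks = re.split(r"(?=Direction:)", text)
    sas = [{
        "direction": first(r"Direction: (\w+)", b),
        "state": first(r"State: (\w+)", b),
        "protocol": first(r"Protocol: (\w+)", b),
        "auth": first(r"Authentication: (\S+),", b),
        "enc": first(r"Encryption: (.+)", b).strip(),
        "soft": int(first(r"Soft lifetime: Expires in (\d+)", b) or 0),
        "hard": int(first(r"Hard lifetime: Expires in (\d+)", b) or 0),
        "replay": first(r"Anti-replay service: (\w+)", b),
        "window": first(r"Replay window size: (\d+)", b),
    } for b in blocks]
    return {"local_gateway": first(r"Local gateway: (\S+),", header),
            "remote_gateway": first(r"Remote gateway: (\S+)", header),
            "sas": sas}

def verify(ike: Dict[str, str], ipsec: Dict[str, Any], want: Dict[str, str]) -> List[str]:
    """Compare the negotiated state with what the page's configuration should yield."""
    findings = []
    for field, key in [("peer", "peer"), ("state", "ike_state"), ("exchange", "exchange"),
                       ("auth_method", "ike_auth_method"), ("dh_group", "dh_group")]:
        if ike[field] != want[key]:
            findings.append(f"IKE {field}: {ike[field]!r}, expected {want[key]!r}")
    for key in ("local_gateway", "remote_gateway"):
        if ipsec[key] != want[key]:
            findings.append(f"{key}: {ipsec[key]!r}, expected {want[key]!r}")
    directions = sorted(sa["direction"] for sa in ipsec["sas"])
    if directions != ["inbound", "outbound"]:
        findings.append(f"expected one inbound and one outbound SA, got {directions}")
    for sa in ipsec["sas"]:
        d = sa["direction"]
        if sa["state"] != "Installed":
            findings.append(f"{d}: state {sa['state']}")
        if (sa["protocol"], sa["auth"], sa["enc"]) != (want["protocol"], want["auth"], want["enc"]):
            findings.append(f"{d}: algorithms {sa['protocol']}/{sa['auth']}/{sa['enc']}")
        if sa["replay"] != "Enabled" or sa["window"] != want["replay_window"]:
            findings.append(f"{d}: anti-replay {sa['replay']}, window {sa['window']}")
        if not 0 < sa["soft"] < sa["hard"]:
            findings.append(f"{d}: lifetimes soft={sa['soft']} hard={sa['hard']}")
    return findings

if __name__ == "__main__":
    problems = verify(parse_ike_sa(IKE_SA_OUTPUT), parse_ipsec_sas(IPSEC_SA_OUTPUT), EXPECTED)
    print("tunnel OK" if not problems else "\n".join(problems))
```

Feed it the live output of the two show commands instead of the embedded samples to get a pass/fail answer rather than a screen of text; a single SA direction, a Replay window size that differs from the configured anti-replay-window-size, or a state other than Installed each produce a finding.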