Configure IPsec VPN in FIPS mode
SUMMARY This section provides the configuration commands for setting up IPsec in FIPS mode.
An IPsec tunnel provides device authentication, confidentiality, and integrity for information traversing a public or untrusted network. Figure 1 shows the IPsec VPN tunnel topology.
Configure IPsec VPN Service on Router 1
In this section, you configure Router 1 running Junos OS for IPsec VPN.
Configure IPsec VPN Service on Router 2
In this section, you configure Router 2 running Junos OS for IPsec VPN.
Verification
Confirm that the configuration is working properly.
Purpose
Verify that the IPsec VPN tunnel is created.
Action
crypto-officer@hostname:fips> show services ipsec-vpn ike security-associations detail
IKE peer 10.0.1.2 Role: Initiator, State: Matured
  Initiator cookie: 5d73349e49090ae8, Responder cookie: 40f88e192c6538e1
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 10.0.1.1, Remote: 10.0.1.2
  Lifetime: Expires in 3578 seconds
  Algorithms:
    Authentication        : hmac-sha256-128
    Encryption            : aes256-cbc
    Pseudo random function: hmac-sha256
    Diffie-Hellman group  : 20
  Traffic statistics:
    Input bytes   : 496
    Output bytes  : 496
    Input packets : 2
    Output packets: 2
  Flags: IKE SA created
  IPSec security associations: 2 created, 0 deleted

crypto-officer@hostname:fips> show services ipsec-vpn ipsec security-associations detail
Service set: ss1, IKE Routing-instance: default
  Rule: rule1, Term: term1, Tunnel index: 1
  Local gateway: 10.0.1.1, Remote gateway: 10.0.1.2
  IPSec inside interface: ms-4/0/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
  Local identity: ipv4_subnet(any:0,[0..7]=172.16.0.0/16)
  Remote identity: ipv4_subnet(any:0,[0..7]=192.168.0.0/16)
  NATT Detection: Not Detected, NATT keepalive interval: 0
    Direction: inbound, SPI: 3546616983, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
      Soft lifetime: Expires in 27960 seconds
      Hard lifetime: Expires in 28766 seconds
      Anti-replay service: Enabled, Replay window size: 4096
      Copy ToS: Enabled
      Copy TTL: Disabled, TTL value: 64
    Direction: outbound, SPI: 4136721180, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha-256-128, Encryption: aes-cbc (256 bits)
      Soft lifetime: Expires in 27960 seconds
      Hard lifetime: Expires in 28766 seconds
      Anti-replay service: Enabled, Replay window size: 4096
      Copy ToS: Enabled
      Copy TTL: Disabled, TTL value: 64
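Reading the IKE SA output by eye does not scale across many tunnels. As an added example (not part of the Junos documentation), the following Python parses the negotiated IKE parameters from output shaped like the one above and flags any value outside an allow-list; the allow-list, field names and regular expressions are assumptions for this check, not Junos settings, and the sample text is constructed from the values shown on this page.

```python
import re

# Constructed sample: the IKE SA fields as they appear in the
# "show services ipsec-vpn ike security-associations detail" output above.
IKE_SA_OUTPUT = """\
IKE peer 10.0.1.2 Role: Initiator, State: Matured
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 10.0.1.1, Remote: 10.0.1.2
  Algorithms:
    Authentication        : hmac-sha256-128
    Encryption            : aes256-cbc
    Pseudo random function: hmac-sha256
    Diffie-Hellman group  : 20
"""

# Example allow-list (an assumption for this check, not a Junos setting):
# IKEv2 with AES, SHA-2 HMACs and DH groups 14/19/20/21 only.
APPROVED = {
    "exchange": {"IKEv2"},
    "authentication": {"hmac-sha256-128", "hmac-sha384-192", "hmac-sha512-256"},
    "encryption": {"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-gcm", "aes256-gcm"},
    "prf": {"hmac-sha256", "hmac-sha384", "hmac-sha512"},
    "dh_group": {"14", "19", "20", "21"},
}

# Field name -> regex. "Authentication\s*:" deliberately skips the
# "Authentication method:" line and matches only the algorithm line.
FIELD_PATTERNS = {
    "exchange": r"Exchange type:\s*([^,\s]+)",
    "authentication": r"Authentication\s*:\s*(\S+)",
    "encryption": r"Encryption\s*:\s*(\S+)",
    "prf": r"Pseudo random function\s*:\s*(\S+)",
    "dh_group": r"Diffie-Hellman group\s*:\s*(\S+)",
}

def parse_ike_sa(text):
    """Extract the negotiated IKE parameters; fail loudly on a missing field."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"IKE SA output lacks field {name!r}")
        fields[name] = match.group(1)
    return fields

def fips_violations(fields, approved=APPROVED):
    """Return (field, value) pairs whose value is outside the allow-list."""
    return [(k, v) for k, v in fields.items() if v not in approved[k]]
```

An empty list from `fips_violations(parse_ike_sa(output))` means every negotiated parameter is on the allow-list; a missing field raises rather than silently passing, so truncated output is not mistaken for a compliant SA.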