
IP Security on NFX Devices

Overview

IPsec provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium or a mixture of application protocols running on a complex combination of media. IPsec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select the required security protocols, determine the algorithms to use for the security services, and put in place any cryptographic keys required to provide the requested services. IPsec is standardized by the Internet Engineering Task Force (IETF).

IPsec protects one or more paths between a pair of hosts or security gateways, or between a security gateway and a host. It achieves this by providing a secure way to authenticate senders/receivers and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices.

The key concepts of IPsec include:

  • Security associations (SAs)—An SA is a set of IPsec specifications negotiated between devices that are establishing an IPsec relationship. These specifications include preferences for the type of authentication and encryption, and the IPsec protocol that is used to establish the IPsec connection. A security association is uniquely identified by a security parameter index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP). IPsec security associations are established either manually through configuration statements, or dynamically by IKE negotiation. For more information about SAs, see Security Associations.

  • IPsec key management—VPN tunnels are built using IPsec technology. Virtual private network (VPN) tunnels operate with three kinds of key creation mechanisms: Manual Key, AutoKey Internet Key Exchange (IKE), and Diffie-Hellman (DH) Exchange. NFX150 devices support IKEv1 and IKEv2. For more information about IPsec key management, see IPsec Key Management.

  • IPsec security protocols—IPsec uses two protocols to secure communications at the IP layer:

    • Authentication Header (AH)—A security protocol for authenticating the source of an IP packet and verifying the integrity of its content.

    • Encapsulating Security Payload (ESP)—A security protocol for encrypting the entire IP packet and authenticating its content.

    For more information about IPsec security protocols, see IPsec Security Protocols.

  • IPsec tunnel negotiation—To establish an IKE IPsec tunnel, two phases of negotiation are required:

    • In Phase 1, the participants establish a secure connection to negotiate the IPsec SAs.

    • In Phase 2, the participants negotiate the IPsec SAs for encrypting and authenticating the ensuing exchanges of user data.

    For more information about IPsec tunnel negotiation, see IPsec Tunnel Negotiation.

    Starting with Junos OS Release 19.4R1, NFX350 devices support IKED by default.

    Starting with Junos OS Release 24.2R1, NFX150 and NFX250 devices support IKED.

    Note:

    NFX350 devices have IKED as the default daemon. Starting in Junos OS Release 24.2R1, IKED is also the default daemon on NFX150 and NFX250 devices.

Table 1 lists the IPsec features supported on NFX Series devices.

Table 1: IPsec Features Supported on NFX Series Devices

Features                               | Reference
AutoVPN Spoke                          | Understanding Spoke Authentication in AutoVPN Deployments
Auto Discovery VPN (ADVPN) Partner     | Understanding Auto Discovery VPN
    Note: On NFX150 devices, you cannot configure ADVPN Suggester.
Site-to-Site VPN and Dynamic Endpoints | Understanding IPsec VPNs with Dynamic Endpoints
Route-based VPN                        | Understanding Route-Based IPsec VPNs
    Note: NFX150 devices do not support policy-based VPNs.
NAT-T                                  | Understanding NAT-T
Dead Peer Detection                    | Understanding VPN Monitoring

Configuring Security

On NFX150 devices, security is implemented by using IP security (IPsec). The configuration process of IP security (IPsec) includes the following tasks:

Configuring Interfaces

To enable IPsec on a LAN or WAN, you must configure interfaces to provide network connectivity and data flow.

Note:

To configure IPsec, use the FPC1 interface.

To configure interfaces, complete the following steps:

  1. Log in to the JCP CLI and enter configuration mode:
  2. Enable VLAN tagging support on the logical interface:
  3. Assign a VLAN ID to the logical interface:
  4. Assign an IPv4 address to the logical interface:
  5. Assign an IPv6 address to the logical interface:

Configuring Routing Options

Routing capabilities and features that are not specific to any particular routing protocol are collectively called protocol-independent routing properties. These features often interact with routing protocols. In many cases, you combine protocol-independent properties and routing policy to achieve a goal. For example, you define a static route using protocol-independent properties, and then you use a routing policy to redistribute the static route into a routing protocol, such as BGP, OSPF, or IS-IS.

Protocol-independent routing properties include:

  • Static, aggregate, and generated routes

  • Global preference

  • Martian routes

  • Routing tables and routing information base (RIB) groups

To configure the routing table groups into which the interface routes are imported, complete the following steps:

  1. Configure RIB and static route:
  2. Configure static route:

Configuring Security IKE

IPsec uses the Internet Key Exchange (IKE) protocol to authenticate the IPsec peers, to negotiate the security association (SA) settings, and to exchange IPsec keys. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

You can configure IKE traceoptions for debugging and managing the IPsec IKE.

To configure IKE traceoptions, complete the following steps:

  1. Specify the maximum size of the trace file:
  2. Specify the parameters to trace information for IKE:
  3. Specify the level of trace information for IKE:

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure IKE proposal, complete the following steps:

  1. Configure pre-shared-keys as an authentication method for the IPsec IKE proposal:

    Note:

    When you configure IPsec for secure communications in the network, the peer devices in the network must have at least one common authentication method. Only one authentication method can be used between a pair of devices, regardless of the number of authentication methods configured.

  2. Define a Diffie-Hellman group (dh-group) for the IKE proposal:

  3. Configure an authentication algorithm for the IKE proposal:

  4. Define an encryption algorithm for the IKE proposal:

  5. Set a lifetime for the IKE proposal in seconds:

After configuring one or more IKE proposals, you must associate these proposals with an IKE policy. An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the pre-shared key for the given peer. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

To configure IKE policy, complete the following steps:

  1. Define an IKE policy with first phase mode:

  2. Define a set of IKE proposals:

  3. Define a pre-shared key for IKE:

Configure an IKE gateway to initiate and terminate network connections between a firewall and a security device.

To configure IKE gateway, complete the following steps:

  1. Configure an IKE gateway with an IKE policy:

  2. Configure an IKE gateway with an address or hostname of the peer:

    Note:

    Multiple IKE gateway address redundancy is not supported on NFX350 devices when IKED is the IKE daemon. Only the KMD daemon supports this functionality.

  3. Enable the dead peer detection (DPD) feature to send DPD messages periodically:

  4. Configure the local IKE identity:

  5. Configure the remote IKE identity:

  6. Configure an external interface for IKE negotiations:

  7. Configure the username of the client:

  8. Configure the password of the client:
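The interface, routing-options, and IKE steps above (traceoptions, proposal, policy, gateway), carried through as one added Junos `set`-command example; this is not the page's own configuration. The interface names (ge-1/0/0 and ge-1/0/1 on FPC1, st0.0), the documentation address ranges, the proposal, policy and gateway names, the hostnames, and the placeholder pre-shared key are all assumptions.

```junos
# Entered in configuration mode of the JCP CLI (constructed example, not the page's config)
# WAN-facing FPC1 interface: VLAN-tagged logical unit with IPv4 and IPv6 addresses
set interfaces ge-1/0/1 vlan-tagging
set interfaces ge-1/0/1 unit 100 vlan-id 100
set interfaces ge-1/0/1 unit 100 family inet address 198.51.100.1/24
set interfaces ge-1/0/1 unit 100 family inet6 address 2001:db8:1::1/64
# LAN-facing interface and the secure tunnel interface a route-based VPN binds to
set interfaces ge-1/0/0 unit 0 family inet address 10.10.0.1/24
set interfaces st0 unit 0 family inet
set interfaces st0 unit 0 family inet6
# Routing options: static routes for the remote site point into the tunnel (inet.0 and inet6.0 RIBs)
set routing-options static route 10.20.0.0/16 next-hop st0.0
set routing-options rib inet6.0 static route 2001:db8:20::/48 next-hop st0.0
# IKE traceoptions: bounded trace file, error level only (raise the level while debugging)
set security ike traceoptions file size 10m
set security ike traceoptions flag all
set security ike traceoptions level error
# IKE proposal: pre-shared-key authentication, DH group 14, SHA-256, AES-256-CBC, 8-hour lifetime
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
# IKE policy: first-phase mode (main mode applies to IKEv1), proposal list, pre-shared key
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-PSK"
# IKE gateway: peer address, DPD every 10 s with 3 missed replies, identities, external interface
set security ike gateway gw-hub ike-policy ike-pol
set security ike gateway gw-hub address 203.0.113.10
set security ike gateway gw-hub dead-peer-detection always-send
set security ike gateway gw-hub dead-peer-detection interval 10
set security ike gateway gw-hub dead-peer-detection threshold 3
set security ike gateway gw-hub local-identity hostname nfx150.example.net
set security ike gateway gw-hub remote-identity hostname hub.example.net
set security ike gateway gw-hub external-interface ge-1/0/1.100
```

The same proposal, policy and pre-shared key must be configured on the peer, since only an exactly matching IKE policy is accepted during negotiation.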

Configuring Security IPsec

IPsec is a suite of related protocols that provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium or a mixture of application protocols running on a complex combination of media.

Configure an IPsec proposal, which lists protocols and algorithms or security services to be negotiated with the remote IPsec peer.

To configure an IPsec proposal, complete the following steps:

  1. Define an IPsec proposal and protocol for the proposal:
  2. Define an authentication algorithm for the IPsec proposal:
  3. Define an encryption algorithm for the IPsec proposal:
  4. Set a lifetime for the IPsec proposal in seconds:

After configuring one or more IPsec proposals, you must associate these proposals with an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec searches for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

To configure IPsec policies, complete the following steps:

  1. Define an IPsec policy, perfect forward secrecy, and a Diffie-Hellman group for the policy:

  2. Define a set of IPsec proposals for the policy:

Configure an IPsec virtual private network (VPN) to provide a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IPsec tunnel. For more information, see IPsec VPN Overview.

To configure IPsec VPN, complete the following steps:

  1. Define an IKE gateway for the IPsec VPN:

  2. Define an IPsec policy for the IPsec VPN:

  3. Define a local traffic selector for the IPsec VPN:

  4. Define a remote traffic selector for the IPsec VPN:

  5. Define the criteria for establishing IPsec VPN tunnels:

Configuring Security Policies

A security policy controls the traffic flow from one zone to another zone by defining the kind of traffic permitted from specified IP sources to specified IP destinations at scheduled times. Policies allow you to deny, permit, reject, encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You can decide which users and what data can enter and exit, and when and where they can go.

To configure security policies, complete the following steps:

  1. Configure security policy match criteria for the source address:
  2. Configure security policy match criteria for the destination address:
  3. Configure security policy application:
  4. Set security policy match criteria:

Configuring Security Zones

Security zones are the building blocks for policies. They are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them. For information, see Understanding Security Zones.

To configure security zones, complete the following steps:

  1. Configure security zones with system services:
  2. Define protocols for security zones:
  3. Configure interfaces for security zones:
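The IPsec proposal, IPsec policy, IPsec VPN, security policy, and security zone steps above, carried through as one added Junos `set`-command example; this is not the page's own configuration. It assumes an IKE gateway named gw-hub, a tunnel interface st0.0, a LAN interface ge-1/0/0.0 (10.10.0.0/24) and a WAN interface ge-1/0/1.100 are already configured, and that 10.20.0.0/16 is the remote site; all names and addresses are constructed.

```junos
# IPsec proposal: ESP with HMAC-SHA-256 integrity and AES-256-CBC encryption, 1-hour lifetime
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop lifetime-seconds 3600
# IPsec policy: PFS with DH group 14 so Phase 2 keys are not derived from the Phase 1 secret
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
# Route-based VPN (NFX150 has no policy-based VPN): gateway, policy, traffic selectors, tunnel criteria
set security ipsec vpn vpn-hub bind-interface st0.0
set security ipsec vpn vpn-hub ike gateway gw-hub
set security ipsec vpn vpn-hub ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-hub traffic-selector ts-lan local-ip 10.10.0.0/24
set security ipsec vpn vpn-hub traffic-selector ts-lan remote-ip 10.20.0.0/16
set security ipsec vpn vpn-hub establish-tunnels immediately
# Zones: LAN in trust, WAN in untrust (only IKE accepted inbound on the WAN), tunnel in vpn
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-1/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-1/0/1.100
set security zones security-zone vpn interfaces st0.0
# Security policies: permit only LAN-to-remote-site flows through the tunnel; all else hits the default deny
set security address-book global address lan-net 10.10.0.0/24
set security address-book global address hub-net 10.20.0.0/16
set security policies from-zone trust to-zone vpn policy lan-to-hub match source-address lan-net
set security policies from-zone trust to-zone vpn policy lan-to-hub match destination-address hub-net
set security policies from-zone trust to-zone vpn policy lan-to-hub match application any
set security policies from-zone trust to-zone vpn policy lan-to-hub then permit
set security policies from-zone vpn to-zone trust policy hub-to-lan match source-address hub-net
set security policies from-zone vpn to-zone trust policy hub-to-lan match destination-address lan-net
set security policies from-zone vpn to-zone trust policy hub-to-lan match application any
set security policies from-zone vpn to-zone trust policy hub-to-lan then permit
```

After `commit`, `show security ike security-associations` and `show security ipsec security-associations` confirm that Phase 1 and Phase 2 SAs were established with the peer.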