IP Security on NFX Devices
Overview
IPsec provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium, or a mixture of application protocols running over a complex combination of media. IPsec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select the required security protocols, determine the algorithms to use for those services, and put in place the cryptographic keys required to provide them. IPsec is standardized by the Internet Engineering Task Force (IETF).
IPsec protects one or more paths between a pair of hosts or security gateways, or between a security gateway and a host. It achieves this by providing a secure way to authenticate senders/receivers and encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices.
The key concepts of IPsec include:
- Security associations (SAs)—An SA is a set of IPsec specifications negotiated between devices that are establishing an IPsec relationship. These specifications include the type of authentication and encryption, and the IPsec protocol used for the connection. An SA is unidirectional, so a tunnel that carries traffic in both directions uses a pair of SAs. A security association is uniquely identified by a security parameter index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP). IPsec security associations are established either manually through configuration statements or dynamically by IKE negotiation. For more information about SAs, see Security Associations.
- IPsec key management—VPN tunnels are built using IPsec. Virtual private network (VPN) tunnels use one of three key creation mechanisms: manual key, AutoKey Internet Key Exchange (IKE), and Diffie-Hellman (DH) exchange. Manual keys never change unless they are reconfigured, so they provide no forward secrecy and do not scale; AutoKey IKE is the usual choice. NFX150 devices support IKEv1 and IKEv2. For more information about IPsec key management, see IPsec Key Management.
- IPsec security protocols—IPsec uses two protocols to secure communications at the IP layer:
  - Authentication Header (AH)—A security protocol for authenticating the source of an IP packet and verifying the integrity of its content, including the immutable fields of the IP header. AH provides no confidentiality, and it does not pass through NAT because address translation invalidates its integrity check.
  - Encapsulating Security Payload (ESP)—A security protocol for encrypting the IP packet (in tunnel mode the entire original packet, in transport mode its payload) and authenticating the encrypted content. ESP is the protocol VPN tunnels normally use.
  For more information about IPsec security protocols, see IPsec Security Protocols.
- IPsec tunnel negotiation—To establish an IKE IPsec tunnel, two phases of negotiation are required:
  - In Phase 1, the participants authenticate each other and establish a secure channel (the IKE SA) in which to negotiate the IPsec SAs.
  - In Phase 2, the participants negotiate the IPsec SAs that encrypt and authenticate the ensuing exchanges of user data.
  These are IKEv1 terms. IKEv2 does the same work with the IKE_SA_INIT and IKE_AUTH exchanges, which also set up the first child (IPsec) SA, and CREATE_CHILD_SA for additional IPsec SAs and rekeys. For more information about IPsec tunnel negotiation, see IPsec Tunnel Negotiation.
Starting with Junos OS Release 19.4R1, NFX350 devices run IKED as the default IKE daemon. Starting with Junos OS Release 24.2R1, NFX150 and NFX250 devices also support IKED.
Note: IKED is the default daemon on NFX350 devices. Starting in Junos OS Release 24.2R1, IKED is also the default daemon on NFX150 and NFX250 devices.
Table 1 lists the IPsec features supported on NFX Series devices.
Table 1: IPsec Features Supported on NFX Series Devices
Feature | Note
---|---
AutoVPN spoke |
Auto Discovery VPN (ADVPN) partner | On NFX150 devices, you cannot configure the ADVPN suggester role.
Site-to-site VPN and dynamic endpoints |
Route-based VPN | NFX150 devices do not support policy-based VPNs.
NAT-T (NAT traversal) |
Dead peer detection (DPD) |
Configuring Security
On NFX150 devices, security is implemented by using IP security (IPsec). The configuration process of IP security (IPsec) includes the following tasks:
- Configuring Interfaces
- Configuring Routing Options
- Configuring Security IKE
- Configuring Security IPsec
- Configuring Security Policies
- Configuring Security Zones
Configuring Interfaces
To enable IPsec on a LAN or WAN, you must configure the interfaces that provide network connectivity and carry the data flow.
On NFX150 devices, the interfaces used for IPsec are on FPC 1 (the ge-1/0/x ports, for example ge-1/0/1).
To configure interfaces, complete the following steps:
Configuring Routing Options
Routing capabilities and features that are not specific to any particular routing protocol are collectively called protocol-independent routing properties. These features often interact with routing protocols. In many cases, you combine protocol-independent properties and routing policy to achieve a goal. For example, you define a static route using protocol-independent properties, and then use a routing policy to redistribute the static route into a routing protocol such as BGP, OSPF, or IS-IS. For a route-based VPN, a static route whose next hop is the secure tunnel (st0) interface is what steers traffic into the tunnel.
Protocol-independent routing properties include:
- Static, aggregate, and generated routes
- Global preference
- Martian routes
- Routing tables and routing information base (RIB) groups
To configure the routing table groups into which the interface routes are imported, complete the following steps:
Configuring Security IKE
IPsec uses the Internet Key Exchange (IKE) protocol to authenticate the IPsec peers, to negotiate the security association (SA) settings, and to exchange IPsec keys. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.
You can configure IKE traceoptions to debug IKE negotiations. Trace files record negotiation details, including peer identities, so enable them only while troubleshooting and deactivate them afterwards.
To configure IKE traceoptions, complete the following steps:
You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.
To configure IKE proposal, complete the following steps:
Configure pre-shared keys as the authentication method for the IKE proposal:
Note: When you configure IPsec for secure communications in the network, the peer devices must have at least one authentication method in common. Only one authentication method is used between a pair of devices, regardless of how many are configured.
root@host# set security ike proposal ike-proposal-name authentication-method pre-shared-keys
Define a Diffie-Hellman group (dh-group) for the IKE proposal. Use group14 (2048-bit MODP) or stronger; groups 1, 2, and 5 are too weak for new deployments:
root@host# set security ike proposal ike-proposal-name dh-group group14
Configure an authentication algorithm for the IKE proposal (prefer SHA-2 over MD5 or SHA-1):
root@host# set security ike proposal ike-proposal-name authentication-algorithm sha-256
Define an encryption algorithm for the IKE proposal (prefer AES; avoid DES and 3DES):
root@host# set security ike proposal ike-proposal-name encryption-algorithm aes-256-cbc
Set a lifetime for the IKE proposal, in seconds. The permitted range is 180 through 86400:
root@host# set security ike proposal ike-proposal-name lifetime-seconds seconds
After configuring one or more IKE proposals, you must associate them with an IKE policy. An IKE policy defines the combination of security parameters (IKE proposals) to be used during IKE negotiation, the IKEv1 Phase 1 mode, and, when pre-shared-key authentication is used, the preshared key for the peer. The peer address itself is configured on the IKE gateway that references the policy. During the IKE negotiation, the peer that initiates the negotiation sends all the proposals in its policy to the remote peer, and the remote peer tries to find one that matches its own.
To configure an IKE policy, complete the following steps:
Define the IKEv1 Phase 1 mode for the policy. Use main mode unless the peer requires aggressive mode (typically an IKEv1 peer with a dynamic address that authenticates with a preshared key): aggressive mode sends the identities unencrypted and exposes the preshared-key-based authentication hash to offline guessing. The mode setting is ignored for IKEv2:
root@host# set security ike policy ike-policy-name mode <main | aggressive>
Define the set of IKE proposals:
root@host# set security ike policy ike-policy-name proposals proposal-name
Define the preshared key for IKE. Use a long, randomly generated secret. Junos OS stores the key in obfuscated ($9$) form in the configuration, which is reversible, so protect configuration backups accordingly:
root@host# set security ike policy ike-policy-name pre-shared-key ascii-text text-format
Configure an IKE gateway, which identifies the remote peer, the local interface used for IKE negotiations, and the IKE policy applied when initiating and terminating IKE connections with that peer.
To configure IKE gateway, complete the following steps:
Configure an IKE gateway with an IKE policy:
root@host# set security ike gateway gateway-name ike-policy ike-policy-name
Configure the IKE gateway with the address or hostname of the peer:
Note: Multiple IKE gateway address redundancy is not supported on NFX350 devices when the IKE daemon is IKED. Only the KMD daemon supports this functionality.
root@host# set security ike gateway gateway-name address address-or-hostname-of-peer
Enable the dead peer detection (DPD) feature. With always-send, DPD probes are sent at the configured interval regardless of traffic, so an unresponsive peer is detected and its SAs torn down even on idle tunnels:
root@host# set security ike gateway gateway-name dead-peer-detection always-send
Configure the local IKE identity:
root@host# set security ike gateway gateway-name local-identity <inet | inet6 | key-id | hostname | user-at-hostname | distinguished-name>
Configure the remote IKE identity:
root@host# set security ike gateway gateway-name remote-identity <inet | inet6 | key-id | hostname | user-at-hostname | distinguished-name>
Configure an external interface for IKE negotiations:
root@host# set security ike gateway gateway-name external-interface ge-1/0/1.0
Configure the username of the client:
root@host# set security ike gateway gateway-name client username client-username
Configure the password of the client:
root@host# set security ike gateway gateway-name client password client-password
Configuring Security IPsec
IPsec is a suite of related protocols that provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium or a mixture of application protocols running on a complex combination of media.
Configure an IPsec proposal, which lists protocols and algorithms or security services to be negotiated with the remote IPsec peer.
To configure an IPsec proposal, complete the following steps:
After configuring one or more IPsec proposals, you must associate them with an IPsec policy. An IPsec policy defines the combination of security parameters (IPsec proposals) used during IPsec negotiation and whether Perfect Forward Secrecy (PFS) is used. During the IPsec negotiation, the peers look for a proposal that matches on both sides: the initiating peer sends all the proposals in its policy to the remote peer, and the remote peer tries to find a match.
To configure IPsec policies, complete the following steps:
Define an IPsec policy with perfect forward secrecy and the Diffie-Hellman group to use for it. With PFS, each Phase 2 (IPsec) SA is derived from a fresh DH exchange rather than from the IKE SA keys alone, so compromise of one SA's keys does not expose earlier or later ones. Use a group at least as strong as the one in the IKE proposal:
root@host# set security ipsec policy ipsec-policy-name perfect-forward-secrecy keys group14
Define a set of IPsec proposals for the policy:
root@host# set security ipsec policy ipsec-policy-name proposals proposal-name
Configure an IPsec virtual private network (VPN) to communicate securely among remote sites across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote user and a LAN. The traffic that flows between the two endpoints passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure that traffic, the two participants create an IPsec tunnel. Because NFX150 devices support only route-based VPNs, the VPN is bound to a secure tunnel (st0) interface, and traffic is steered into the tunnel by routes whose next hop is that interface. For more information, see IPsec VPN Overview.
To configure an IPsec VPN, complete the following steps:
Define an IKE gateway for the IPsec VPN:
root@host# set security ipsec vpn vpn-name ike gateway remote-gateway-name
Define an IPsec policy for the IPsec VPN:
root@host# set security ipsec vpn vpn-name ike ipsec-policy ipsec-policy-name
Define a local traffic selector for the IPsec VPN:
root@host# set security ipsec vpn vpn-name traffic-selector traffic-selector-name local-ip local-traffic-selector-ip-address
Define a remote traffic selector for the IPsec VPN:
root@host# set security ipsec vpn vpn-name traffic-selector traffic-selector-name remote-ip remote-traffic-selector-ip-address
Define when the IPsec VPN tunnel is established. With on-traffic, the tunnel is negotiated when matching traffic arrives; with immediately, it is brought up at commit and kept up, which is preferable when the remote site must be able to reach this site first:
root@host# set security ipsec vpn vpn-name establish-tunnels <on-traffic | immediately>
Configuring Security Policies
A security policy controls the traffic flow from one zone to another by defining the kind of traffic permitted from specified IP sources to specified IP destinations at scheduled times. Policies allow you to deny, permit, reject, encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. Inter-zone traffic that matches no policy is dropped by the default deny policy, so a route-based VPN needs an explicit policy in each direction between the LAN zone and the zone that holds the st0 interface. You can decide which users and what data can enter and exit, and when and where they can go.
To configure security policies, complete the following steps:
Configuring Security Zones
Security zones are the building blocks for policies. They are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them. For information, see Understanding Security Zones.
To configure security zones, complete the following steps: