How to Configure the NFX350
IP Security on NFX Devices

12-Mar-24

Overview

IPsec provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium, or a mixture of application protocols running on a complex combination of media. IPsec provides security services at the network layer of the Open Systems Interconnection (OSI) model by enabling a system to select the required security protocols, determine the algorithms to use for the security services, and put in place any cryptographic keys required to provide the requested services. IPsec is standardized by the Internet Engineering Task Force (IETF).

IPsec protects one or more paths between a pair of hosts or security gateways, or between a security gateway and a host. It achieves this by providing a secure way to authenticate senders and receivers and to encrypt IP version 4 (IPv4) and IP version 6 (IPv6) traffic between network devices.

The key concepts of IPsec include:

  • Security associations (SAs)—An SA is a set of IPsec specifications negotiated between devices that are establishing an IPsec relationship. These specifications include preferences for the type of authentication and encryption, and the IPsec protocol that is used to establish the IPsec connection. A security association is uniquely identified by a security parameter index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP). IPsec security associations are established either manually through configuration statements, or dynamically by IKE negotiation. For more information about SAs, see Security Associations.

  • IPsec key management—VPN tunnels are built using IPsec technology. Virtual private network (VPN) tunnels operate with three kinds of key creation mechanisms: Manual Key, AutoKey Internet Key Exchange (IKE), and Diffie-Hellman (DH) Exchange. NFX150 devices support IKEv1 and IKEv2. For more information about IPsec key management, see IPsec Key Management.

  • IPsec security protocols—IPsec uses two protocols to secure communications at the IP layer:

    • Authentication Header (AH)—A security protocol for authenticating the source of an IP packet and verifying the integrity of its content.

    • Encapsulating Security Payload (ESP)—A security protocol for encrypting the entire IP packet and authenticating its content.

    For more information about IPsec security protocols, see IPsec Security Protocols.

  • IPsec tunnel negotiation—To establish an IKE IPsec tunnel, two phases of negotiation are required:

    • In Phase 1, the participants establish a secure connection to negotiate the IPsec SAs.

    • In Phase 2, the participants negotiate the IPsec SAs for encrypting and authenticating the ensuing exchanges of user data.

    For more information about IPsec tunnel negotiation, see IPsec Tunnel Negotiation.

    Starting with Junos OS Release 19.4R1, NFX350 devices support IKED by default.

    Starting with Junos OS Release 24.2R1, NFX150 and NFX250 devices support IKED.

    Note:

    NFX350 devices use IKED as the default daemon. Starting in Junos OS Release 24.2R1, IKED is also the default daemon on NFX150 and NFX250 devices.

Table 1 lists the IPsec features supported on NFX Series devices.

Table 1: IPsec Features Supported on NFX Series Devices

  Feature                                  Reference
  AutoVPN Spoke                            Understanding Spoke Authentication in AutoVPN Deployments
  Auto Discovery VPN (ADVPN) Partner       Understanding Auto Discovery VPN
    Note: On NFX150 devices, you cannot configure ADVPN Suggester.
  Site-to-Site VPN and Dynamic Endpoints   Understanding IPsec VPNs with Dynamic Endpoints
  Route-based VPN                          Understanding Route-Based IPsec VPNs
    Note: NFX150 devices do not support policy-based VPNs.
  NAT-T                                    Understanding NAT-T
  Dead Peer Detection                      Understanding VPN Monitoring

Configuring Security

On NFX150 devices, security is implemented by using IP security (IPsec). The IPsec configuration process includes the following tasks:

Configuring Interfaces

To enable IPsec on a LAN or WAN, you must configure interfaces to provide network connectivity and data flow.

Note:

To configure IPsec, use the FPC1 interface.

To configure interfaces, complete the following steps:

  1. Log in to the JCP CLI and enter configuration mode:
    root@host% cli
    root@host> configure
  2. Enable VLAN tagging support on the interface:
    root@host# set interfaces interface-name vlan-tagging
  3. Assign a VLAN ID to the logical interface:
    root@host# set interfaces interface-name unit logical-interface-unit-number vlan-id vlan-id
  4. Assign an IPv4 address to the logical interface:
    root@host# set interfaces interface-name unit logical-interface-unit-number family inet address interface-address
  5. Assign an IPv6 address to the logical interface:
    root@host# set interfaces interface-name unit logical-interface-unit-number family inet6 address interface-address

Configuring Routing Options

Routing capabilities and features that are not specific to any particular routing protocol are collectively called protocol-independent routing properties. These features often interact with routing protocols. In many cases, you combine protocol-independent properties and routing policy to achieve a goal. For example, you define a static route using protocol-independent properties, and then use a routing policy to redistribute the static route into a routing protocol, such as BGP, OSPF, or IS-IS.

Protocol-independent routing properties include:

  • Static, aggregate, and generated routes

  • Global preference

  • Martian routes

  • Routing tables and routing information base (RIB) groups

To configure the routing table groups into which the interface routes are imported, complete the following steps:

  1. Configure a static route in a named routing table (RIB):
    root@host# set routing-options rib rib-name static route ip-address/prefix-length next-hop ip-address
  2. Configure a static route in the default routing table:
    root@host# set routing-options static route ip-address/prefix-length next-hop ip-address

Configuring Security IKE

IPsec uses the Internet Key Exchange (IKE) protocol to authenticate the IPsec peers, to negotiate the security association (SA) settings, and to exchange IPsec keys. The IKE configuration defines the algorithms and keys used to establish the secure IKE connection with the peer security gateway.

You can configure IKE traceoptions for debugging and managing the IPsec IKE.

To configure IKE traceoptions, complete the following steps:

  1. Specify the maximum size of the trace file:
    root@host# set security ike traceoptions file size file-size
  2. Specify the parameters to trace for IKE:
    root@host# set security ike traceoptions flag all
  3. Specify the level of trace information for IKE (a value from 7 through 15):
    root@host# set security ike traceoptions level level

You can configure one or more IKE proposals. Each proposal is a list of IKE attributes to protect the IKE connection between the IKE host and its peer.

To configure IKE proposal, complete the following steps:

  1. Configure pre-shared keys as the authentication method for the IKE proposal:

    Note:

    When you configure IPsec for secure communications in the network, the peer devices in the network must have at least one common authentication method. Only one authentication method can be used between a pair of devices, regardless of the number of authentication methods configured.

    root@host# set security ike proposal ike-proposal-name authentication-method pre-shared-keys
  2. Define a Diffie-Hellman group (dh-group) for the IKE proposal:
    root@host# set security ike proposal ike-proposal-name dh-group group14
  3. Configure an authentication algorithm for the IKE proposal:
    root@host# set security ike proposal ike-proposal-name authentication-algorithm sha-256
  4. Define an encryption algorithm for the IKE proposal:
    root@host# set security ike proposal ike-proposal-name encryption-algorithm aes-256-cbc
  5. Set a lifetime for the IKE proposal, in seconds (180 through 86400):
    root@host# set security ike proposal ike-proposal-name lifetime-seconds seconds

After configuring one or more IKE proposals, you must associate these proposals with an IKE policy. An IKE policy defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. Depending on which authentication method is used, it defines the preshared key for the given peer. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

To configure IKE policy, complete the following steps:

  1. Define an IKE policy and its Phase 1 mode:
    root@host# set security ike policy ike-policy-name mode aggressive
  2. Define a set of IKE proposals for the policy:
    root@host# set security ike policy ike-policy-name proposals proposal-name
  3. Define a pre-shared key for IKE:
    root@host# set security ike policy ike-policy-name pre-shared-key ascii-text text-format

Configure an IKE gateway to initiate and terminate network connections between a firewall and a security device.

To configure IKE gateway, complete the following steps:

  1. Configure an IKE gateway with an IKE policy:
    root@host# set security ike gateway gateway-name ike-policy ike-policy-name
  2. Configure the IKE gateway with the address or hostname of the peer:

    Note:

    Multiple IKE gateway address redundancy is not supported on NFX350 devices when the daemon is IKED. Only the KMD daemon supports this functionality.

    root@host# set security ike gateway gateway-name address address-or-hostname-of-peer
  3. Enable the dead peer detection (DPD) feature to send DPD messages periodically:
    root@host# set security ike gateway gateway-name dead-peer-detection always-send
  4. Configure the local IKE identity:
    root@host# set security ike gateway gateway-name local-identity <inet | inet6 | key-id | hostname | user-at-hostname | distinguished-name>
  5. Configure the remote IKE identity:
    root@host# set security ike gateway gateway-name remote-identity <inet | inet6 | key-id | hostname | user-at-hostname | distinguished-name>
  6. Configure an external interface for IKE negotiations:
    root@host# set security ike gateway gateway-name external-interface ge-1/0/1.0
  7. Configure the username of the client:
    root@host# set security ike gateway gateway-name client username client-username
  8. Configure the password of the client:
    root@host# set security ike gateway gateway-name client password client-password

Configuring Security IPsec

IPsec is a suite of related protocols that provides network-level data integrity, data confidentiality, data origin authentication, and protection from replay. IPsec can protect any protocol running over IP on any medium or a mixture of application protocols running on a complex combination of media.

Configure an IPsec proposal, which lists protocols and algorithms or security services to be negotiated with the remote IPsec peer.

To configure an IPsec proposal, complete the following steps:

  1. Define an IPsec proposal and the protocol for the proposal:
    root@host# set security ipsec proposal ipsec-proposal-name protocol esp
  2. Define an authentication algorithm for the IPsec proposal:
    root@host# set security ipsec proposal ipsec-proposal-name authentication-algorithm hmac-sha-256-128
  3. Define an encryption algorithm for the IPsec proposal:
    root@host# set security ipsec proposal ipsec-proposal-name encryption-algorithm aes-256-cbc
  4. Set a lifetime for the IPsec proposal, in seconds (180 through 86400):
    root@host# set security ipsec proposal ipsec-proposal-name lifetime-seconds seconds

After configuring one or more IPsec proposals, you must associate these proposals with an IPsec policy. An IPsec policy defines a combination of security parameters (IPsec proposals) used during IPsec negotiation. It defines Perfect Forward Secrecy (PFS) and the proposals needed for the connection. During the IPsec negotiation, IPsec searches for a proposal that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.

To configure IPsec policies, complete the following steps:

  1. Define an IPsec policy with perfect forward secrecy and a Diffie-Hellman group for the policy:
    root@host# set security ipsec policy ipsec-policy-name perfect-forward-secrecy keys group14
  2. Define a set of IPsec proposals for the policy:
    root@host# set security ipsec policy ipsec-policy-name proposals proposal-name

Configure an IPsec virtual private network (VPN) to provide a means for securely communicating among remote computers across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IPsec tunnel. For more information, see IPsec VPN Overview.

To configure IPsec VPN, complete the following steps:

  1. Define an IKE gateway for the IPsec VPN:
    root@host# set security ipsec vpn vpn-name ike gateway remote-gateway-name
  2. Define an IPsec policy for the IPsec VPN:
    root@host# set security ipsec vpn vpn-name ike ipsec-policy ipsec-policy-name
  3. Define a local traffic selector for the IPsec VPN:
    root@host# set security ipsec vpn vpn-name traffic-selector traffic-selector-name local-ip local-traffic-selector-ip-address
  4. Define a remote traffic selector for the IPsec VPN:
    root@host# set security ipsec vpn vpn-name traffic-selector traffic-selector-name remote-ip remote-traffic-selector-ip-address
  5. Define the criterion for establishing IPsec VPN tunnels:
    root@host# set security ipsec vpn vpn-name establish-tunnels on-traffic

Configuring Security Policies

A security policy controls the traffic flow from one zone to another zone by defining the kind of traffic permitted from specified IP sources to specified IP destinations at scheduled times. Policies allow you to deny, permit, reject, encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You can decide which users and what data can enter and exit, and when and where they can go.

To configure security policies, complete the following steps:

  1. Configure the security policy match criteria for the source address:
    root@host# set security policies from-zone from-zone-name to-zone to-zone-name policy policy-name match source-address any
  2. Configure the security policy match criteria for the destination address:
    root@host# set security policies from-zone from-zone-name to-zone to-zone-name policy policy-name match destination-address any
  3. Configure the security policy match criteria for the application:
    root@host# set security policies from-zone from-zone-name to-zone to-zone-name policy policy-name match application any
  4. Set the security policy action for matched traffic:
    root@host# set security policies from-zone from-zone-name to-zone to-zone-name policy policy-name then permit

Configuring Security Zones

Security zones are the building blocks for policies. They are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them. For more information, see Understanding Security Zones.

To configure security zones, complete the following steps:

  1. Configure the system services allowed to reach the device through the security zone:
    root@host# set security zones security-zone zone-name host-inbound-traffic system-services all
  2. Define the protocols allowed to reach the device through the security zone:
    root@host# set security zones security-zone zone-name host-inbound-traffic protocols all
  3. Assign interfaces to the security zone:
    root@host# set security zones security-zone zone-name interfaces interface-name