VPNs
- Multiple certificate types support on IKEv2 (MX240, MX480, and MX960 in USF mode, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0 running the IKED process)—Starting in Junos OS Release 22.4R1, you can establish IKEv2 and IPsec SA tunnels irrespective of the type of certificate used on the initiator and the responder.
  To support multiple certificate types, configure the authentication method as certificates using the certificates option at the [security ike proposal proposal-name authentication-method] hierarchy. See proposal (Security IKE).
- ACME protocol (SRX Series and vSRX)—Starting in Junos OS Release 22.4R1, we support the Automated Certificate Management Environment (ACME) protocol. ACME allows the enrollment of certificates from a Let's Encrypt server or from PKI servers.
  SRX Series devices can use certificates issued by a Let's Encrypt server or a PKI server through ACME.
  See Understanding Certificate Enrollment with CMPv2, Enroll a CA Certificate, Certificate-Based Validation Using EAP-TLS Authentication, and ACME Protocol.
- Post-quantum Pre-shared Key (SRX1500, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Starting in Junos OS Release 22.4R1, we support Post-quantum Pre-shared Key (PPK), as defined in RFC 8784.
  RFC 8784 defines Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for post-quantum security. Support is implemented in the IKED process through the junos-ike package, which negotiates quantum-secured IKE and IPsec SAs.
  The Junos Key Manager (JKM) is introduced to manage the different types of quantum keys, or PPKs, that client applications use to make their infrastructure quantum secured. The IKED process uses the JKM to provide quantum-secured SAs.
  Two out-of-band key retrieval mechanisms are supported to obtain PPKs:
  - Pre-shared key: You configure static keys on the gateways concerned; the keys do not need to be shared over the Internet.
  - Quantum Key Distribution: A secure key distribution method based on Quantum Key Distribution (QKD) that generates and distributes quantum-safe keys. These keys are dynamic.
  See IPsec VPN Overview.
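The PPK mechanism the release note refers to works by mixing the out-of-band key into the IKEv2 key schedule rather than replacing it. The following Python example, added here and not part of the Junos documentation or the junos-ike package, walks through that mixing as RFC 8784 specifies it: SK_d, SK_pi and SK_pr are each replaced by prf+(PPK, SK_x), while the SK_a/SK_e keys that protect IKE_AUTH stay as derived from the classical exchange. It assumes HMAC-SHA-256 as the negotiated prf, uses constructed nonces, SPIs and SKEYSEED in place of a real IKE_SA_INIT, and replaces the AUTH payload with a plain prf tag so the effect of a PPK mismatch between the two gateways can be shown without implementing the full IKE_AUTH computation.

```python
"""Worked example of RFC 8784 PPK mixing into IKEv2 keys (added example, not Junos code).

Assumptions (not from the release note): HMAC-SHA-256 stands in for the negotiated IKE prf;
nonces, SPIs and SKEYSEED are constructed constants; the AUTH payload is replaced by a
plain prf tag so the effect of a PPK mismatch can be shown without a full IKE_AUTH.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PRF_LEN = HASH().digest_size          # 32 bytes: key/output size of HMAC-SHA-256


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf (RFC 7296, Section 2.13), instantiated here as HMAC-SHA-256."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296, Section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); output is T1 | T2 | ... truncated."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


IKE_KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def derive_ike_keys(skeyseed: bytes, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """Classical IKEv2 key derivation (RFC 7296, Section 2.14):
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
    Every key is PRF_LEN bytes here for simplicity (real SK_a/SK_e sizes depend on the
    negotiated integrity and encryption algorithms)."""
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN * len(IKE_KEY_NAMES))
    return {name: material[i * PRF_LEN:(i + 1) * PRF_LEN] for i, name in enumerate(IKE_KEY_NAMES)}


def mix_ppk(keys: dict, ppk: bytes) -> dict:
    """RFC 8784, Section 3: once a PPK is in use, both peers replace
    SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi), SK_pr' = prf+(PPK, SK_pr).
    SK_ai/SK_ar/SK_ei/SK_er protecting the IKE_AUTH exchange are deliberately unchanged;
    Child SA keys are later derived from SK_d', so they inherit the PPK's strength."""
    mixed = dict(keys)
    for name in ("SK_d", "SK_pi", "SK_pr"):
        mixed[name] = prf_plus(ppk, keys[name], len(keys[name]))
    return mixed


def auth_tag(sk_p: bytes, transcript: bytes) -> bytes:
    """Simplified stand-in for the IKE_AUTH AUTH payload (the real computation in
    RFC 7296, Section 2.15, is more involved): a prf over the handshake transcript keyed
    with SK_p'. Because SK_p' depends on the PPK, a peer holding a different PPK cannot
    produce or verify a matching tag."""
    return prf(sk_p, transcript)


def ppk_handshake(ppk_initiator: bytes, ppk_responder: bytes) -> bool:
    """Run the key schedule for both peers and report whether the responder can verify the
    initiator's (simplified) AUTH tag. Only the PPKs differ between the two sides; the
    classical IKE_SA_INIT material is identical, as it would be after a real DH exchange."""
    # Constructed stand-ins for IKE_SA_INIT values; a real exchange produces fresh ones.
    ni = hashlib.sha256(b"constructed initiator nonce").digest()
    nr = hashlib.sha256(b"constructed responder nonce").digest()
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes.fromhex("1112131415161718")
    skeyseed = hashlib.sha256(b"constructed SKEYSEED from a classical DH exchange").digest()
    base_keys = derive_ike_keys(skeyseed, ni, nr, spi_i, spi_r)

    init_keys = mix_ppk(base_keys, ppk_initiator)
    resp_keys = mix_ppk(base_keys, ppk_responder)

    transcript = b"constructed IKE_SA_INIT transcript"
    tag = auth_tag(init_keys["SK_pi"], transcript)            # initiator computes with its SK_pi'
    expected = auth_tag(resp_keys["SK_pi"], transcript)       # responder recomputes with its SK_pi'
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("matching PPK   ->", ppk_handshake(b"constructed-ppk-A", b"constructed-ppk-A"))
    print("mismatched PPK ->", ppk_handshake(b"constructed-ppk-A", b"constructed-ppk-B"))
```

The design point worth noticing is which keys change: because SK_ai/SK_ar/SK_ei/SK_er are untouched, the IKE_AUTH messages remain decryptable by a peer whose PPK differs, and the mismatch surfaces only as an authentication failure; because SK_d is mixed, every Child SA keyed from it is protected by the PPK even if the classical Diffie-Hellman exchange is later broken. For a QKD-sourced PPK the same schedule applies, with the key material coming from the JKM instead of static configuration.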
-