Configuring IPsec Security Associations
Configuring Manual IPsec Security Associations for an ES PIC
To use IPsec security services, you create security associations (SAs) between hosts. An SA is a simplex connection that allows two hosts to communicate with each other securely by means of IPsec. There are two types of SAs: manual and dynamic.
Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, peers can communicate only when they all share the same configured options.
To configure the manual IPsec SA for an ES PIC, include the manual statement at the [edit security ipsec security-association sa-name] hierarchy level:
[edit security ipsec security-association sa-name]
manual {
    direction (inbound | outbound | bidirectional) {
        authentication {
            algorithm (hmac-md5-96 | hmac-sha1-96);
            key (ascii-text key | hexadecimal key);
        }
        auxiliary-spi auxiliary-spi-value;
        encryption {
            algorithm (des-cbc | 3des-cbc);
            key (ascii-text key | hexadecimal key);
        }
        protocol (ah | esp | bundle);
        spi spi-value;
    }
}
Tasks to configure a manual SA are:
- Configuring the Processing Direction
- Configuring the Protocol for a Manual SA
- Configuring the Security Parameter Index
- Configuring the Auxiliary Security Parameter Index
- Configuring the Authentication Algorithm and Key
- Configuring the Encryption Algorithm and Key
Configuring the Processing Direction
The direction statement sets inbound and outbound IPsec processing. If you want to define different algorithms, keys, or security parameter index (SPI) values for each direction, you configure the inbound and outbound options. If you want the same attributes in both directions, use the bidirectional option.
To configure the direction of IPsec processing, include the direction statement and specify the direction at the [edit security ipsec security-association sa-name manual] hierarchy level:
[edit security ipsec security-association sa-name manual]
direction (inbound | outbound | bidirectional);
The following example shows how to define different algorithms, keys, and security parameter index values for inbound and outbound processing directions:
[edit security ipsec security-association sa-name]
manual {
    direction inbound {
        encryption {
            algorithm 3des-cbc;
            key ascii-text 23456789012345678901234;
        }
        protocol esp;
        spi 16384;
    }
    direction outbound {
        encryption {
            algorithm 3des-cbc;
            key ascii-text 12345678901234567890abcd;
        }
        protocol esp;
        spi 24576;
    }
}
The following example shows how to define the same algorithms, keys, and security parameter index values for bidirectional processing:
[edit security ipsec security-association sa-name manual]
direction bidirectional {
    authentication {
        algorithm hmac-md5-96;
        key ascii-text 123456789012abcd;
    }
    protocol ah;
    spi 20001;
}
Configuring the Protocol for a Manual SA
IPsec uses two protocols to protect IP traffic: Encapsulating Security Payload (ESP) and authentication header (AH). For transport mode SAs, both ESP and AH are supported. The AH protocol is used for strong authentication. The bundle option uses AH authentication and ESP encryption; it does not use ESP authentication because AH provides stronger authentication of IP packets.
The AH protocol is supported only on M Series routers.
To configure the IPsec protocol on an ES PIC, include the protocol statement at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level and specify the ah, bundle, or esp option:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
protocol (ah | bundle | esp);
Configuring the Security Parameter Index
An SPI is an arbitrary value that uniquely identifies which SA to use at the receiving host. The sending host uses the SPI to identify and select which SA to use to secure every packet. The receiving host uses the SPI to identify and select the encryption algorithm and key used to decrypt packets.
Each manual SA must have a unique SPI and protocol combination.
Use the auxiliary SPI when you configure the protocol statement to use the bundle option.
To configure the SPI on an ES PIC, include the spi statement and specify a value (256 through 16,639) at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
spi spi-value;
Configuring the Auxiliary Security Parameter Index
When you configure the protocol statement to use the bundle option, the Junos OS uses the auxiliary SPI for the ESP and the SPI for the AH.
Each manual SA must have a unique SPI and protocol combination.
To configure the auxiliary SPI, include the auxiliary-spi statement at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level and set the value to an integer between 256 and 16,639:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
auxiliary-spi auxiliary-spi-value;
Configuring the Authentication Algorithm and Key
To configure an authentication algorithm and key, include the authentication statement at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
authentication {
    algorithm (hmac-md5-96 | hmac-sha1-96);
    key (ascii-text key | hexadecimal key);
}
The algorithm can be one of the following:
- hmac-md5-96—Hash algorithm that authenticates packet data. It produces a 128-bit authenticator value and a 96-bit digest.
- hmac-sha1-96—Hash algorithm that authenticates packet data. It produces a 160-bit authenticator value and a 96-bit digest.
The key can be one of the following:
- ascii-text key—ASCII text key. With the hmac-md5-96 option, the key contains 16 ASCII characters. With the hmac-sha1-96 option, the key contains 20 ASCII characters.
- hexadecimal key—Hexadecimal key. With the hmac-md5-96 option, the key contains 32 hexadecimal characters. With the hmac-sha1-96 option, the key contains 40 hexadecimal characters.
Configuring the Encryption Algorithm and Key
To configure IPsec encryption, include the encryption statement and specify an algorithm and key at the [edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)] hierarchy level:
[edit security ipsec security-association sa-name manual direction (inbound | outbound | bidirectional)]
encryption {
    algorithm (des-cbc | 3des-cbc);
    key (ascii-text key | hexadecimal key);
}
The algorithm can be one of the following:
- des-cbc—Encryption algorithm that has a block size of 8 bytes; its key size is 64 bits long.
- 3des-cbc—Encryption algorithm that has a block size of 24 bytes; its key size is 192 bits long.
Note: For a list of Data Encryption Standard (DES) encryption algorithm weak and semiweak keys, see RFC 2409. For 3des-cbc, we recommend that the first 8 bytes not be the same as the second 8 bytes, and that the second 8 bytes be the same as the third 8 bytes.
The key can be one of the following:
- ascii-text—ASCII text key. With the des-cbc option, the key contains 8 ASCII characters. With the 3des-cbc option, the key contains 24 ASCII characters.
- hexadecimal—Hexadecimal key. With the des-cbc option, the key contains 16 hexadecimal characters. With the 3des-cbc option, the key contains 48 hexadecimal characters.
Note: You cannot configure encryption when you use the AH protocol.
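The manual-SA tasks above impose several constraints that a commit on the router will catch only one at a time (SPI range, unique SPI and protocol pair, auxiliary SPI for bundle, no encryption with AH, key lengths per algorithm, the 3des-cbc key-group recommendation). The following is an added pre-commit checker, not Junos code or Juniper's own tooling; the dict layout used to describe a direction block is an assumption made for this example.

```python
# Added example: static checks for one manual-SA "direction" block, mirroring the
# constraints stated above. The dict layout is an assumption for this example,
# not a Junos data model.
SPI_RANGE = range(256, 16_640)   # 256 through 16,639 inclusive

# algorithm -> required key length (characters) per key type, as documented above
KEY_LENGTHS = {
    "hmac-md5-96":  {"ascii-text": 16, "hexadecimal": 32},
    "hmac-sha1-96": {"ascii-text": 20, "hexadecimal": 40},
    "des-cbc":      {"ascii-text": 8,  "hexadecimal": 16},
    "3des-cbc":     {"ascii-text": 24, "hexadecimal": 48},
}

def _check_key(section, errors):
    alg, key_type, key = section["algorithm"], section["key-type"], section["key"]
    want = KEY_LENGTHS[alg][key_type]
    if len(key) != want:
        errors.append(f"{alg} {key_type} key must be {want} characters, got {len(key)}")
        return
    raw = bytes.fromhex(key) if key_type == "hexadecimal" else key.encode()
    # The note above recommends that the first and second 8-byte groups differ.
    if alg == "3des-cbc" and raw[:8] == raw[8:16]:
        errors.append("3des-cbc: first 8 key bytes equal the second 8 bytes")

def validate_direction(d):
    """Return a list of problems found in one direction block (empty if none)."""
    errors = []
    proto = d["protocol"]
    if d["spi"] not in SPI_RANGE:
        errors.append(f"spi {d['spi']} outside 256-16639")
    if proto == "bundle":  # AH authentication plus ESP encryption keyed by auxiliary-spi
        if d.get("auxiliary-spi") not in SPI_RANGE:
            errors.append("bundle needs auxiliary-spi in 256-16639")
        for section in ("authentication", "encryption"):
            if section not in d:
                errors.append(f"bundle requires an {section} block")
    if proto == "ah" and "encryption" in d:
        errors.append("encryption cannot be configured with protocol ah")
    for section in ("authentication", "encryption"):
        if section in d:
            _check_key(d[section], errors)
    return errors

def duplicate_spi_protocol(directions):
    """Each manual SA must have a unique (spi, protocol) pair; return the repeats."""
    seen, dupes = set(), []
    for d in directions:
        pair = (d["spi"], d["protocol"])
        if pair in seen:
            dupes.append(pair)
        seen.add(pair)
    return dupes
```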
Configuring Dynamic IPsec Security Associations
You configure dynamic SAs with a set of proposals that are negotiated by the security gateways. The keys are generated as part of the negotiation and do not need to be specified in the configuration. The dynamic SA includes one or more proposals, which allow you to prioritize a list of protocols and algorithms to be negotiated with the peer.
To configure a dynamic SA, include the dynamic statement at the [edit security ipsec security-association sa-name] hierarchy level. Specify an IPsec policy name, and optionally, a 32-packet or 64-packet replay window size.
[edit security ipsec security-association sa-name]
dynamic {
    ipsec-policy policy-name;
    replay-window-size (32 | 64);
}