Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Similar documents
Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web

Virtual Private Networks

Example: Configuring a Policy-Based Site-to-Site VPN using J-Web

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Virtual Private Network

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

IPSec. Overview. Overview. Levente Buttyán

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

CSCE 715: Network Systems Security

Table of Contents 1 IKE 1-1

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Junos Security. Chapter 3: Zones Juniper Networks, Inc. All rights reserved. Worldwide Education Services

The EN-4000 in Virtual Private Networks

Presenter John Baker

The IPsec protocols. Overview

Network Configuration Example

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Firewalls, Tunnels, and Network Intrusion Detection

Configuration of an IPSec VPN Server on RV130 and RV130W

CSC 6575: Internet Security Fall 2017

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

IKE and Load Balancing

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

VPN Ports and LAN-to-LAN Tunnels

VPN Overview. VPN Types

J Series / SRX Series Multipoint VPN Configuration with Next-Hop Tunnel Binding

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Configuring IPsec and ISAKMP

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

IPSec Transform Set Configuration Mode Commands

Configuring Security for VPNs with IPsec

IP Security. Have a range of application specific security mechanisms

VPNs and VPN Technologies

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Sample excerpt. Virtual Private Networks. Contents

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Firepower Threat Defense Site-to-site VPNs

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

IP Security IK2218/EP2120

Virtual Tunnel Interface

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Network Configuration Example

Virtual Tunnel Interface

IPSec Transform Set Configuration Mode Commands

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Junos Security. Chapter 4: Security Policies Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Network Configuration Example

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Service Managed Gateway TM. Configuring IPSec VPN

CSC 4900 Computer Networks: Security Protocols (2)

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Index. Numerics 3DES (triple data encryption standard), 21

IP Security II. Overview

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Configuring Dynamic VPN

Site-to-Site VPN. VPN Basics

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Network Security: IPsec. Tuomas Aura

Cryptography and Network Security. Sixth Edition by William Stallings

Internet security and privacy

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

The IPSec Security Architecture for the Internet Protocol

Lecture 12 Page 1. Lecture 12 Page 3

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Chapter 6/8. IP Security

Chapter 5: Network Layer Security

Lecture 13 Page 1. Lecture 13 Page 3

VPN Option Guide for Site-to-Site VPNs

A. Verify that the IKE gateway proposals on the initiator and responder are the same.

Configuring LAN-to-LAN IPsec VPNs

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configuring a Hub & Spoke VPN in AOS

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

BCRAN. Section 9. Cable and DSL Technologies

Defining IPsec Networks and Customers

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Abstract. Avaya Solution & Interoperability Test Lab

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configuring IPSec tunnels on Vocality units

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

PPTP Server: This guide will show how an IT administrator can configure the VPN-PPTP server settings.

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Virtual Private Network. Network User Guide. Issue 05 Date

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

Windows 2000 Pre-shared IKE Dialup VPN Setup Procedures

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

Virtual Private Networks (VPN)

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Transcription:

Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services

Chapter Objectives After successfully completing this chapter, you will be able to: Identify various types of VPNs Define three major security concerns Describe IPsec VPNs and their functionality Configure IPsec VPNs using policy-based and route-based methods Monitor IPsec VPNs www.juniper.net 8-2

Agenda: IPsec VPNs VPN Types Secure VPN Requirements IPsec Details Configuration of IPsec VPNs IPsec VPN Monitoring www.juniper.net 8-3

Defining VPNs Historically, VPN is a broad term Generally defined as a means for transporting a subset of network traffic over a separate network Performed through tunneling, separating, or securing different types of traffic Types of VPNs today: Clear-text VPNs Layer 3 VPNs, Layer 2 VPNs, or VPLS Secure VPNs IPsec Combination of clear-text and secure VPNs www.juniper.net 8-4

Focus of this Chapter: Secure VPNs Provide secure tunnels across the Internet Encryption Payload verification Authentication Public 1.1.1.1 Public 2.2.2.1 Private 10.1.20.1 10.1.20.3 10.1.20.4 IP Packet Encrypted Packet Private 10.0.0.254 10.0.0.5 10.0.0.6 IP Packet www.juniper.net 8-5

Agenda: IPsec VPNs VPN Types Secure VPN Requirements IPsec Details Configuration of IPsec VPNs IPsec VPN Monitoring www.juniper.net 8-6

Security Concerns Three major concerns: Confidentiality Keep data secure and hidden Integrity Ensure that data remains unchanged Authentication Confirm that the data came from the advertised source www.juniper.net 8-7

Confidentiality Data Encryption Data encryption details: Provides data confidentiality Encrypted and decrypted using keys Symmetric (secret) key Asymmetric (public and private) key A reversible process www.juniper.net 8-8

Confidentiality Symmetric Key Encryption Basic form of encryption: Symmetric keys are faster at bulk data encryption Typical key sizes range from 40 1024 bits Examples: DES, 3DES, AES Sender Receiver 1 Original data Key Encrypted data + + Key 2 Encrypted data 3 Original data www.juniper.net 8-9

Confidentiality Public Key Encryption Widely used form of strong encryption Slow when used for bulk data encryption Typical sizes range from 512 2048 bits Examples: RSA and DH Sender Receiver 1 Public Public Original data + Public Encrypted data + Private 2 4 Encrypted data 3 Original data www.juniper.net 8-10

Integrity Hash functions provide integrity services One-way hashing algorithm cannot determine original data from hash value Fixed-length output (depending on algorithm) Examples: MD5 and SHA MD5 provides 128-bit output SHA1 provides 160-bit output SHA2 provides variable outputs www.juniper.net 8-11

Integrity One-Way Hash Algorithms Example of a modulus operation: 7 r3 80mod11 = 11 80 = 3 77 3 Given the value 3, what was the original data? 80mod11 = 3 13mod5 = 3 203mod10 = 3 11mod8 = 3 100mod97 = 3 Hash functions can use the modulus operation in the hash creation process www.juniper.net 8-12

Integrity The Hash Process Sender Data Receiver Data 3 HASH 1 2 Data HASH 4 Data HASH HASH 5 HASH If If the hash values match, the data is good www.juniper.net 8-13

Source Authentication Validates datagrams by verifying that they came from the proper source Authentication process uses HMAC Adds a secret preshared key to the hashing process www.juniper.net 8-14

Authentication with HMAC Sender Receiver Data + Hash key Data 3 HASH 1 2 Data + Hash key HASH 4 Data HASH HASH 5 HASH If the hash If values the hash match, values the data is good match, and the the source data is valid good www.juniper.net 8-15

How Are Keys Exchanged? Encryption and hashing both rely on keys Manual configuration: Prone to configuration errors Rarely changed Automatic exchange: Uses public connections how do you secure the key exchange? The solution: Diffie-Hellman key exchange algorithm First published standard for public key cryptography Solves the key distribution problem through the use of public and private key pairs Only the public key travels across the network www.juniper.net 8-16

Diffie-Hellman Groups Five sets of very large prime numbers (and a generator) serve as the modulus for the Diffie-Hellman algorithm Juniper Networks supports Groups 1, 2, and 5 Group 1 uses a 768-bit prime Group 2 uses a 1024-bit prime Group 5 uses a 1536-bit prime www.juniper.net 8-17

The DH Key Exchange Process Internet Each device generates a public and private key pair PubA PrivA PubB PrivB Public keys exchange PubB PrivA PubA PrivB Local private and remote public keys are used in DH to form a common session key SESSION KEY Same session key, two different places SESSION KEY www.juniper.net 8-18

Agenda: IPsec VPNs VPN Types Secure VPN Requirements IPsec Details Configuration of IPsec VPNs IPsec VPN Monitoring www.juniper.net 8-19

IPsec Overview IPsec is an industry standard for providing IP data security and integrity services Works at the IP Layer Supports unicast and multicast traffic According to RFC 2401, IPsec provides security services at the IP Layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required to provide the requested services. www.juniper.net 8-20

IPsec: A Two-Step Process IPsec VPNs consist of two major steps: 1. Tunnel establishment: Establishes a secure tunnel and parameters that define secure traffic Manual: Set all parameters manually Dynamic: Uses IKE 2. IPsec traffic processing: Protects traffic between the two tunnel endpoints by using security parameters defined in the tunnel establishment step www.juniper.net 8-21

Step 1: Tunnel Establishment Using IKE IKE provides increased functionality in secure environments Uses UDP, Port 500 Establishes: Security parameters (security associations) for creating IPsec VPN tunnels Negotiates proposals containing encryption and authentication algorithms Creates encryption and authentication keys automatically, which provides the ability to rekey frequently Provides gateway identity function www.juniper.net 8-22

Security Associations SAs are a set of policies and keys used to protect information between two peers An SA is uniquely identified by: The SPI, which is an internal index number A destination IP address A security protocol IKE SAs are: Established during IKE Phase 1 negotiations Bidirectional IPsec SAs are: Established during IKE Phase 2 negotiations Unidirectional www.juniper.net 8-23

SA Database 10.0.0.5 Remote Office Untrust 1.1.8.1 Internet Trust 10.10.0.1 10.10.0.5 10.0.0.6 Trust 10.0.0.1 Untrust 2.2.8.1 Corporate Office 10.10.0.6 Security Database Name: VPNtoCorporate Gateway IP address: 2.2.8.1 SPI: Local: 3001, Remote: 3002 Security protocol: ESP Encryption algorithm: 3DES Encryption key: xxxxyyyyzzzz Authentication algorithm: SHA Authentication key: aaabbbccc Security Database Name: VPNtoRemote Gateway IP address: 1.1.8.1 SPI: Local: 3002, Remote: 3001 Security Protocol: ESP Encryption algorithm: 3DES Encryption key: xxxxyyyyzzzz Authentication algorithm: SHA Authentication key: aaabbbccc www.juniper.net 8-24

IKE Phases IKE tunnel establishment: Phase 1: Two peers establish a secure, authenticated channel with which to communicate DH key exchange algorithm is used to generate a symmetric key common to the communicating gateways Main mode: Used when both tunnel peers have static IP addresses Aggressive mode: Used when one tunnel peer has a dynamically assigned IP address Phase 2: IPsec SAs are negotiated using a Phase 1 secure channel Proxy ID is used to identify which SA is referenced for VPN Diffie-Hellman key exchange algorithm can be used (again) to create PFS Phase 2 mode is called quick mode www.juniper.net 8-25

IKE Phase 1: Main Mode Remote Corporate Internet 10.1.10.5 ge-0/0/0: ge-0/0/1: 10.1.10.1 1.1.8.1 ge-0/0/1: ge-0/0/0: 2.2.8.1 10.1.210.1 10.1.210.5 Message 1: Cookie I, SA Proposal List Message 3: DH Public Value A, Nonce I Message 2: Cookie I, Cookie R, SA Proposal Accept Message 4: DH Public Value B, Nonce R Message 5: Identification I, Hash [ID-I + key] Encrypted and authenticated Message 6: Identification R, Hash [ID-R + key] www.juniper.net 8-26

IKE Phase 1: Aggressive Mode Remote Corporate Internet 10.1.10.5 ge-0/0/1: ge-0/0/0: ge-0/0/0: ge-0/0/1: 10.1.210.5 10.1.10.1 (dynamic) 2.2.8.1 10.1.210.1 Message 1: Cookie I, SA proposal list, DH public value A, nonce I Message 2: Cookie I, cookie R, SA proposal accept, DH public value B, nonce R, identification hash R Message 3: Hash [ID-I +key] Encrypted and authenticated www.juniper.net 8-28

IKE Phase 2: Quick Mode Remote Corporate Internet 10.1.10.5 ge-0/0/0: ge-0/0/1: ge-0/0/1: ge-0/0/0: 10.1.10.1 1.1.8.1 2.2.8.1 10.1.210.1 10.1.210.5 Message 1: Hash using phase 1 information, message ID, SA proposal list, Nonce I, [DH Public Key I ], proxy ID Message 2: Hash using phase 1 information, message ID, SA proposal list accept, Nonce R, [DH Public Key I ], proxy ID Message 3: Hash using phase 1 information, message ID, Nonce I, Nonce R www.juniper.net 8-29

IPsec: a Two-Step Process Step 2 IPsec VPNs consist of two major steps: 1. Tunnel establishment: Establishes a secure tunnel and parameters that define the secure traffic Manual: Set all parameters manually Dynamic: Uses IKE 2. IPsec traffic processing: Protects traffic between the two tunnel endpoints by using security parameters defined in the tunnel establishment step www.juniper.net 8-31

Step 2: IPsec Traffic Processing Goal: Traffic protection IPsec modes: Transport Tunnel IPsec protocols: AH ESP IPsec Tunnel Transport AH ESP X www.juniper.net 8-32

IPsec Modes Transport Mode Tunnel Mode B IPsec VPN A C LAN E LAN IP Header TCP Payload IP Header TCP Payload IP Header IPsec Header TCP Payload New IP Header IPsec Header IP Header TCP Payload IPsec Trailer www.juniper.net 8-33

IPsec Protocols IPsec uses two protocols in transport or tunnel modes: AH: ESP: RFC 2402 Uses protocol number 51 RFC 2406 Uses protocol number 50 Most often used protocol in IPsec AH IPsec protocols 1. Integrity 2. Authentication 3. NO ENCRYPTION ESP 1. Integrity 2. Authentication 3. Confidentiality www.juniper.net 8-34

Example: Tunnel Mode AH Packets Original packet IP Header TCP Data Next Header Payload Length SPI Sequence Number ICV New IP Header Protocol 51 AH IP Header TCP Data Authenticated www.juniper.net 8-35

Example: Tunnel Mode ESP Packets Original packet IP Header TCP Data SPI Sequence Number New IP Header Protocol 50 ESP IP Header TCP Data ESP Trailer Next Header ICV Encrypted Authenticated www.juniper.net 8-36

Traffic Processing (1 of 2) Host A Remote Corporate Host B 10.1.10.5 Internet ge-0/0/1 ge-0/0/0 ge-0/0/0 ge-0/0/1 10.1.10.1 1.1.8.1 10.1.210.5 2.2.8.1 10.1.210.1 1 10.1.10.5 10.1.210.5 2 Prefix Interface Gateway 10.1.210.5 ge-0/0/0 1.1.0.254 3 From zone Private to zone Public : if SA =10.1.10.5 & DA =10.1.210.5 & Application= any, then use tunnel 4 10.1.10.5 10.1.210.5 5 10.1.10.5 10.1.210.5 HASH 6 1.1.8.1 2.2.8.1 50 SPI 10.1.10.5 10.1.210.5 HASH www.juniper.net 8-37

Traffic Processing (2 of 2) Host A Remote Corporate Host B 10.1.10.5 Internet ge-0/0/1: ge-0/0/0: ge-0/0/0: ge-0/0/1: 10.1.210.5 10.1.10.1 1.1.8.1 2.2.8.1 10.1.210.1 7 1.1.8.1 2.2.8.1 50 SPI 10.1.10.5 10.1.210.5 HASH 8 SPI Encap Encryp Auth 3001 ESP AES SHA 9 HASH = HASH 10 10.1.10.5 10.1.210.5 10.1.10.5 10.1.210.5 11 Prefix Interface Gateway 10.1.210.5 ge -0/0/1 0.0.0.0 12 From zone Public to zone Private: if SA =10.1.10.5 & DA =10.1.210.5 & Application=all, then use tunnel www.juniper.net 8-38

IPsec Summary Remote Corporate 10.1.10.5 Internet ge-0/0/1: ge-0/0/0: ge-0/0/0: ge-0/0/1: 10.1.10.1 1.1.8.1 2.2.8.1 10.1.210.1 10.1.210.5 Header, SA, DH Phase 1 Header, SA, DH SA, Proxy ID Data Phase 2 IPsec Tunnel IPsec VPN SA, Proxy ID Data www.juniper.net 8-39

Agenda: IPsec VPNs VPN Types Secure VPN Requirements IPsec Details Configuration of IPsec VPNs IPsec VPN Monitoring www.juniper.net 8-40

Junos OS IPsec Implementation IPsec implementation methods: Policy based: Upon a match, the security policy sets up the IPsec tunnel New tunnel generates for each flow of traffic that matches a policy Always has permit as policy action Route based: Upon a match, the security policy permits traffic with the destination address pointing to the secure tunnel interface st0.x A route to the destination is through the st0.x interface, which is bound to a specific IPsec tunnel Typically only one VPN generated between two sites www.juniper.net 8-41

Elements of IPsec VPN Configuration Elements of IPsec VPN configuration include: 1. Configuration of IKE Phase 1 2. Configuration of IKE Phase 2 3. Applying IPsec implementation method: Configuration of policy-based IPsec VPNs Configuration of route-based IPsec VPNs www.juniper.net 8-42

Configuring IKE Phase 1 Parameters (1 of 3) Step A: Configuring IKE Phase 1 proposals: [edit security ike] user@srx# show proposal proposal-name { authentication-method [pre-shared-keys rsa-signatures]; dh-group [group1 group2 group5]; authentication-algorithm [md5 sha-256 sha1]; encryption-algorithm [3des-cbc aes-128-cbc aes-192-cbc aes-256-cbc des-cbc]; lifetime-seconds seconds; Optionally, use the Junos predefined Phase 1 proposal from these choices: basic compatible standard www.juniper.net 8-43

Configuring IKE Phase 1 Parameters (2 of 3) Step B: Configure IKE Phase 1 policies and reference the IKE proposals [edit security ike] user@srx# show policy policy-name { mode [main aggressive]; (proposals proposal-name) (proposal-set [basic compatible standard]); pre-shared-key [ascii-text hexadecimal]; www.juniper.net 8-45

Configuring IKE Phase 1 Parameters (3 of 3) Step C: Configure the IKE Phase 1 gateway and reference the IKE policy configured in Step B [edit security ike] user@srx# show gateway gateway-name { ike-policy policy-name; address address; external-interface interface-name; dead-peer-detection { interval seconds; threshold number; www.juniper.net 8-46

Configuring IKE Phase 2 Parameters (1 of 3) Step A: Configure IKE Phase 2 proposals: [edit security ipsec] user@srx# show proposal proposal-name { protocol [ah esp]; authentication-algorithm [hmac-md5-96 hmac-sha1-96]; encryption-algorithm [3des-cbc aes-128-cbc aes-192-cbc aes-256-cbc des-cbc]; lifetime-kilobytes kilobytes; lifetime-seconds seconds; Optionally, use the Junos predefined Phase 2 proposal from these choices: basic compatible standard www.juniper.net 8-47

Configuring IKE Phase 2 Parameters (2 of 3) Step B: Configure the IKE Phase 2 policies and reference the IKE proposals [edit security ipsec] user@srx# show policy policy-name { perfect-forward-secrecy { keys [group1 group2 group5]; (proposals proposal-name) (proposal-set [basic compatible standard]); www.juniper.net 8-49

Configuring IKE Phase 2 Parameters (3 of 3) Step C: Configure the IKE Phase 2 VPN tunnel and reference the IKE Phase 2 policy configured in Step B [edit security ipsec] user@srx# show vpn vpn-name { bind-interface st0.x; ike { gateway gateway-name; ipsec-policy policy-name; manual { establish-tunnels [immediately on-traffic]; Is necessary only for route-based VPNs Is necessary if using the dynamic key Is necessary if using the manual key www.juniper.net 8-50

Applying IPsec Policy-Based IPsec VPNs Apply the IPsec VPN from the security policy [edit security policies] user@srx# show from-zone source-zone-name to-zone destination-zone-name { policy policy-name { match { then { permit { tunnel { ipsec-vpn ipsec-tunnel-name; Reference to the IPsec VPN tunnel www.juniper.net 8-51

Applying IPsec Route-Based IPsec VPNs Steps: [edit interface] user@srx# show st0 { unit number { family inet { address address; mtu mtu-size; [edit routing-options] user@srx# show static { route 10.8.14.0/24 next-hop st0.x; [edit security zones] user@srx# show security-zone zone-name interfaces { ge-1/0/1.0; st0.x; [edit security ipsec] user@srx# show vpn vpn-name { bind-interface st0.x; www.juniper.net 8-52

Agenda: IPsec VPNs VPN Types Secure VPN Requirements IPsec Details Configuration of IPsec VPNs IPsec VPN Monitoring www.juniper.net 8-53

Example: Creating Policy-Based IPsec VPNs Using IKE HR Zone Edge Public Zone Remote A ge-1/0/1 Internet 1.1.70.1 B C PrivatePC 10.1.10.5 2.2.2.1 [edit security policies] user@edge# show from-zone HR to-zone Public { policy vpna { match { source-address allpcs; destination-address Public-hosts; application any; then { permit { tunnel { ipsec-vpn TunnelA; [edit security policies] user@remote# show from-zone Public to-zone Public { policy allow { match { source-address any; destination-address any; application any; then { permit { tunnel { ipsec-vpn TunnelA; www.juniper.net 8-54

Example: Configuring IKE Phase 1 Parameters [edit security ike] user@edge# show proposal ike-phase1-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm md5; encryption-algorithm 3des-cbc; lifetime-seconds 600; policy ike-policy1 { mode main; proposals ike-phase1-proposal; pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA gateway ike-phase1-gateway { ike-policy ike-policy1; address 1.1.70.1; dead-peer-detection { interval 20; threshold 5; external-interface ge-1/0/1.0; www.juniper.net 8-55

Example: Configuring IKE Phase 2 Parameters for Policy-Based IPsec VPNs [edit security ipsec] user@edge# show proposal ike-phase2-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; policy ipsec-pol1 { perfect-forward-secrecy { keys group2; proposals ike-phase2-proposal; vpn TunnelA { ike { gateway ike-phase1-gateway; ipsec-policy ipsec-pol1; establish-tunnels immediately; www.juniper.net 8-56

Monitoring Policy-Based IPsec VPNs user@edge> show security ike security-associations Index Remote Address State Initiator cookie Responder cookie Mode 19 1.1.70.1 UP 1927f01c38bc08db ca631d7f107c871d Main user@edge> show security ipsec security-associations total configured sa: 2 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <2 1.1.70.1 500 ESP:3des/md5 3de5f00d 3178/ unlim - 0 >2 1.1.70.1 500 ESP:3des/md5 b4c44e62 3178/ unlim - 0 user@edge> show security ipsec statistics ESP Statistics: Encrypted bytes: 7616 Decrypted bytes: 4704 Encrypted packets: 56 Decrypted packets: 56 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 IKE Phase 1 results IKE Phase 2 results www.juniper.net 8-57

Example: Creating Route-Based IPsec VPNs Using IKE 1.1.80.0/28 HR Zone Edge Public Zone Remote A Private PC 10.1.10.5 ge-1/0/1 Internet 1.1.70.1 ge-1/0/0 B C 2.2.2.1 [edit routing-options] user@edge# show static { route 0.0.0.0/0 next-hop 1.1.80.1; [edit interfaces] user@edge# show st0 unit 0 { family inet { address 1.1.80.2/28; [edit routing-options] user@remote# show static { route 0.0.0.0/0 next-hop 1.1.80.2; [edit interfaces] user@remote# show st0 unit 0 { family inet { address 1.1.80.1/28; www.juniper.net 8-58

Example: Configuring a Security Zone for a Route-Based IPsec VPN [edit security zones] user@edge# show security-zone Public address-book { address host1 2.2.2.1/32; address host2 1.1.70.251/32; address-set Public-hosts { address host1; address host2; screen protect; host-inbound-traffic { system-services { any-service; interfaces { ge-1/0/1.0; st0.0; st0.0 interface added to the Public security zone at both ends of the tunnel www.juniper.net 8-59

Example: Configuring IKE Phase 1 Parameters [edit security ike] user@edge# show proposal ike-phase1-proposal { authentication-method pre-shared-keys; dh-group group2; authentication-algorithm md5; encryption-algorithm 3des-cbc; lifetime-seconds 600; policy ike-policy1 { mode main; proposals ike-phase1-proposal; pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA gateway ike-phase1-gateway { ike-policy ike-policy1; address 1.1.70.1; dead-peer-detection { interval 20; threshold 5; external-interface ge-1/0/1.0; Identical to the configuration for a policy-based IPsec VPN www.juniper.net 8-60

Example: Configuring IKE Phase 2 Parameters for a Route-Based IPsec VPN [edit security ipsec] user@edge# show proposal ike-phase2-proposal { protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; policy ipsec-pol1 { perfect-forward-secrecy { keys group2; proposals ike-phase2-proposal; vpn TunnelA { bind-interface st0.0; ike { gateway ike-phase1-gateway; ipsec-policy ipsec-pol1; establish-tunnels immediately; Binding the IPsec VPN to the st0 interface makes that VPN route-based www.juniper.net 8-61

Monitoring a Route-Based IPsec VPN (1 of 4) user@edge> show security ike security-associations Index Remote Address State Initiator cookie Responder cookie Mode 2 1.1.70.1 UP 04c17bc8fee7056d 5cfd8286f6415e9b Main 1 1.1.70.1 UP 044f6f7455e6abbb 97428c95adef94aa Main user@edge> show security ipsec security-associations total configured sa: 4 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <16384 1.1.70.1 500 ESP:3des/md5 2236e53c 3080/ unlim - 0 >16384 1.1.70.1 500 ESP:3des/md5 f5965f43 3080/ unlim - 0 <16384 1.1.70.1 500 ESP:3des/md5 ecf3c3ae 3082/ unlim - 0 >16384 1.1.70.1 500 ESP:3des/md5 452bc489 3082/ unlim - 0 user@edge> show security ipsec statistics ESP Statistics: Encrypted bytes: 19176 Decrypted bytes: 11844 Encrypted packets: 141 Decrypted packets: 141 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 IKE Phase 1 Results IKE Phase 2 Results www.juniper.net 8-62

Monitoring a Route-Based IPsec VPN (2 of 4) user@edge> show interfaces st0 terse Interface Admin Link Proto Local Remote st0 up up st0.0 up up inet 1.1.80.2/28 user@edge> show interfaces st0 detail Physical interface: st0, Enabled, Physical link is Up Interface index: 129, SNMP ifindex: 118, Generation: 132 Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified Hold-times : Up 0 ms, Down 0 ms Device flags : Present Running Interface flags: Point-To-Point Statistics last cleared: Never Traffic statistics: Input bytes : 0 0 bps Output bytes : 12389 0 bps Input packets: 0 0 pps Output packets: 145 0 pps The st0 interface is up Statistics for the st0 interface Logical interface st0.0 (Index 66) (SNMP ifindex 546) (Generation 187) Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel Traffic statistics: Input bytes : 5416 Output bytes : 7914 Input packets: 99 Output packets: 63 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: The output is continued Input bytes : 5416 0 bps Output bytes : 7914 0 bps on the next page Input packets: 99 0 pps 2012 Juniper Output Networks, packets: Inc. All rights reserved. 63 Worldwide 0 Education pps Services www.juniper.net 8-63

Monitoring a Route-Based IPsec VPN (3 of 4) Security: Zone: untrust Flow Statistics : Flow Input statistics : Self packets : 0 ICMP packets : 2 VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 5248 Connections established : 1 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 7914 Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 2 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet, MTU: 9192, Generation: 205, Route table: 0 Flags: None Addresses, Flags: Is-Primary Destination: Unspecified, Local: 192.168.100.2, Broadcast: Unspecified, Generation: 222 Statistics for the st0 interface www.juniper.net 8-64

Monitoring a Route-Based IPsec VPN (4 of 4) user@edge> show route inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:25:32 > to 1.1.80.1 via st0.0 1.1.70.0/28 *[Direct/0] 00:25:15 > via ge-1/0/1.0 1.1.70.2/32 *[Local/0] 00:25:16 Local via ge-1/0/1.0 1.1.80.0/28 *[Direct/0] 00:25:32 > via st0.0 1.1.80.2/32 *[Local/0] 00:25:32 Local via st0.0 Default route pointing to the st0 interface Direct and local routes associated with the st0 interface www.juniper.net 8-65

Other IPsec VPN Monitoring Commands Other useful monitoring commands include: traceoptions clear security ike security-associations clear security ipsec security-associations www.juniper.net 8-66

Common IPsec Configuration Problems Watch for the following problems: Proposal mismatch Preshared key mismatch No available route information Misconfiguration of the peer gateway and outgoing interface www.juniper.net 8-67

Summary In this chapter, we: Identified various types of VPNs Defined three major security concerns Described IPsec VPNs and their functionality Configured IPsec VPNs using policy-based and route-based methods Discussed the monitoring of IPsec VPNs www.juniper.net 8-68

Review Questions 1. Name three major security concerns. 2. What is the main difference between ESP and AH? 3. How does the Junos OS ensure data integrity? 4. What are the different modes in IKE Phase 1? www.juniper.net 8-69

Lab 6: Implementing IPsec VPNs Perform configuration and verification steps associated with IPsec VPNs. www.juniper.net 8-70

Worldwide Education Services

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback