09 - SRX - IPsec VPN

IPSEC VPN

2011-07
DEFINING VPNS

Historically, VPN is a broad term:
- Generally defined as a means for transporting a subset of network traffic over a separate network
- Performed through tunneling, separating, or securing different types of traffic
Types of VPNs today:
- Clear-text VPNs: Layer 3 VPNs, Layer 2 VPNs, or VPLS
- Secure VPNs: IPsec
- Combination of clear-text and secure VPNs

Copyright © 2009 Juniper Networks, Inc. www.juniper.net


SECURE VPNS

Provide secure tunnels across the Internet:
- Encryption
- Payload verification
- Authentication

[Figure: two private networks (hosts 10.1.20.1, 10.1.20.3 and 10.1.20.4 on one side; 10.0.0.5, 10.0.0.6 and gateway 10.0.0.254 on the other) joined by an IPsec VPN between the public addresses 1.1.1.1 and 2.2.2.1. A private IP packet enters one gateway, crosses the public network as an encrypted packet, and leaves the far gateway as the original IP packet.]


SECURITY CONCERNS

Three major concerns:
- Confidentiality: keep data secure and hidden
- Integrity: ensure that data has not been changed
- Authentication: confirm the data came from the advertised source


CONFIDENTIALITY—DATA ENCRYPTION

Data encryption details:
- Provides data confidentiality
- Encrypted and decrypted by using keys
  - Symmetric (secret) key
  - Asymmetric (public and private) key
- A reversible process


CONFIDENTIALITY—SYMMETRIC KEY ENCRYPTION

Basic form of encryption:
- The same secret key encrypts and decrypts, so symmetric ciphers are fast at bulk data encryption
- Key sizes are small compared with public-key sizes: 56 bits (DES), 168 bits (3DES, about 112 bits of effective strength), 128 to 256 bits (AES)
- Examples: DES, 3DES, AES (DES is no longer considered secure, and 3DES is being retired in favour of AES)

[Figure: the sender combines the original data with the key to produce encrypted data (step 1) and transmits it (step 2); the receiver combines the encrypted data with the same key to recover the original data (step 3).]


CONFIDENTIALITY—PUBLIC KEY ENCRYPTION

Widely used form of strong encryption:
- Slow when used for bulk data encryption, so it is normally used to exchange or protect symmetric keys rather than to encrypt traffic
- Typical sizes range from 512–2048 bits (512- and 1024-bit keys are no longer considered adequate; 2048 bits is the usual minimum today)
- Examples: RSA and DH (DH is a key-agreement algorithm rather than an encryption algorithm; it produces a shared secret, as described later in this module)

[Figure: sender and receiver each hold a public/private key pair and exchange public keys (step 1). The sender encrypts the original data with the receiver's public key (step 2) and transmits the encrypted data (step 3); the receiver decrypts it with its private key (step 4).]
INTEGRITY

Hash functions provide integrity services:
- One-way hashing algorithm: the original data cannot be determined from the hash value
- Fixed-length output (depending on algorithm)
- Examples: MD5 and SHA
  - MD5 provides 128-bit output
  - SHA-1 provides 160-bit output (SHA-256 provides 256-bit output)
- Collision attacks are practical against MD5 and SHA-1; used inside HMAC they are not broken, but new deployments should prefer SHA-256


INTEGRITY—ONE-WAY HASH ALGORITHMS

Example of a modulus operation:

  80 mod 11 = 3    (80 = 7 × 11 + 3; the remainder is 3)

- Given the value 3, what was the original data? Many inputs produce the same result:

  80 mod 11 = 3
  13 mod 5 = 3
  203 mod 10 = 3
  11 mod 8 = 3
  100 mod 97 = 3

- Hash functions can use the modulus operation in the hash creation process


INTEGRITY—THE HASH PROCESS

1. The sender computes a hash over the data.
2. The sender transmits the data together with the hash.
3. The receiver computes its own hash over the received data.
4. The receiver compares the computed hash with the received hash.
5. If the hash values match, the data is good.
SOURCE AUTHENTICATION

Validates datagrams by verifying that they came from the proper source:
- The authentication process uses HMAC
- Adds a secret key shared by the two peers to the hashing process (with IKE this key is derived automatically during negotiation rather than typed in)


AUTHENTICATION WITH HMAC

1. The sender combines the data with the shared hash key and computes a hash (the HMAC).
2. The sender transmits the data together with the HMAC.
3. The receiver combines the received data with its own copy of the hash key and computes an HMAC.
4. The receiver compares the two values.
5. If the hash values match, the data is good and the source is valid, because only a holder of the key could have produced the matching value.
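The difference between the plain hash process and HMAC, as an added Python example that is not part of the original course material: an on-path attacker who changes the data can recompute a plain hash, but cannot produce a matching HMAC without the key. The key and datagrams are constructed for the example; the known-answer check uses RFC 4231 test case 2.

```python
"""Plain hash versus HMAC: integrity only versus integrity plus source authentication.

Added example, not Junos code. The key and datagrams are constructed; the
known-answer check uses RFC 4231 test case 2 for HMAC-SHA-256.
"""
import hashlib
import hmac


def hmac_by_hand(key: bytes, msg: bytes, hashfunc=hashlib.sha256) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg)), written out so the
    'secret key added to the hashing process' from the slide is visible."""
    block_size = hashfunc().block_size           # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block_size:                    # keys longer than a block are hashed first
        key = hashfunc(key).digest()
    key = key.ljust(block_size, b"\x00")         # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return hashfunc(opad + hashfunc(ipad + msg).digest()).digest()


def known_answer_ok() -> bool:
    """RFC 4231 test case 2: key 'Jefe', data 'what do ya want for nothing?'."""
    expected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
    return hmac_by_hand(b"Jefe", b"what do ya want for nothing?").hex() == expected


def plain_hash_check(data: bytes, tag: bytes) -> bool:
    """Integrity only: anyone who can change the data can recompute the tag."""
    return hashlib.sha256(data).digest() == tag


def hmac_check(key: bytes, data: bytes, tag: bytes) -> bool:
    """Integrity plus source authentication: a matching tag needs the key.
    compare_digest runs in constant time so the comparison leaks nothing."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def demo() -> dict:
    key = b"constructed-shared-secret"                       # constructed key
    original = b"10.1.10.5 -> 10.1.210.5: constructed datagram"
    tampered = b"10.1.10.5 -> 10.1.210.5: constructed datagram, altered in transit"
    sent_hash = hashlib.sha256(original).digest()
    sent_hmac = hmac.new(key, original, hashlib.sha256).digest()
    # An on-path attacker rewrites the datagram and recomputes the plain hash;
    # without the key, the best it can do for HMAC is reuse the original tag.
    forged_hash = hashlib.sha256(tampered).digest()
    return {
        "hand_rolled_matches_stdlib": hmac_by_hand(key, original) == sent_hmac,
        "plain_hash_accepts_forgery": plain_hash_check(tampered, forged_hash),
        "hmac_accepts_genuine": hmac_check(key, original, sent_hmac),
        "hmac_rejects_forgery": not hmac_check(key, tampered, sent_hmac),
    }


if __name__ == "__main__":
    print("known answer:", known_answer_ok())
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same construction, with the hash function negotiated in IKE and a key derived from the IKE exchange, is what hmac-md5-96 and hmac-sha1-96 compute over every AH or ESP packet.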
HOW ARE KEYS EXCHANGED?

Encryption and hashing both rely on keys:
- Manual configuration:
  - Prone to configuration errors
  - Rarely changed
- Automatic exchange:
  - Uses public connections; how do you secure the key exchange?
The solution: the Diffie-Hellman key exchange algorithm
- The first published public-key algorithm (Diffie and Hellman, 1976)
- Solves the key distribution problem through the use of public and private key pairs
- Only the public key is sent across the network


DIFFIE-HELLMAN GROUPS

Each Diffie-Hellman group defines a very large prime number (the modulus) and a generator for the Diffie-Hellman algorithm:
- Juniper Networks supports Groups 1, 2, and 5 in this release
  - Group 1 uses a 768-bit prime
  - Group 2 uses a 1024-bit prime
  - Group 5 uses a 1536-bit prime
- Both peers must agree on the group; the strength of the resulting session key is bounded by the group size, and the 768- and 1024-bit groups are no longer considered strong enough for new deployments (later releases add Group 14, a 2048-bit prime, and elliptic-curve groups)


THE DH KEY EXCHANGE PROCESS

1. Each device generates a public and private key pair (PrivA/PubA on one gateway, PrivB/PubB on the other).
2. The public keys are exchanged across the Internet.
3. Each device combines its local private key with the remote public key to form a common session key: the same session key in two different places, while only the public values ever crossed the network.
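The exchange described above, carried through to the IKE phase 1 keys, as an added Python example that is not part of the original course material. It simulates both gateways in one process using IKE group 2 (the 1024-bit MODP prime from RFC 2409 section 6.2, generator 2), checks the group and the peer's public value before using them, and derives the SKEYID values with pre-shared-key authentication exactly as RFC 2409 section 5 specifies. The nonces, cookies and pre-shared key are constructed; HMAC-SHA-1 stands in for the negotiated prf.

```python
"""Diffie-Hellman key agreement and IKEv1 phase 1 key derivation.

Added example, not Junos or Juniper code. Group: IKE group 2 (RFC 2409
section 6.2). Nonces, cookies and the PSK are constructed for the example.
"""
import hashlib
import hmac
import secrets

GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used to sanity-check a group before trusting it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime_group(p: int = GROUP2_P, g: int = GROUP2_G) -> bool:
    """MODP groups use safe primes (p = 2q + 1) with g generating the order-q subgroup."""
    q = (p - 1) // 2
    return is_probable_prime(p) and is_probable_prime(q) and pow(g, q, p) == 1


def generate_keypair(p: int = GROUP2_P, g: int = GROUP2_G):
    priv = secrets.randbelow(p - 2) + 1          # private value x in [1, p-2]
    return priv, pow(g, priv, p)                 # public value g^x mod p


def validate_public(pub: int, p: int = GROUP2_P) -> bool:
    """Reject 0, 1, p-1 and values outside the order-q subgroup; a peer sending
    one of those could force a predictable shared secret (RFC 2785 check)."""
    return 1 < pub < p - 1 and pow(pub, (p - 1) // 2, p) == 1


def shared_secret(priv: int, peer_pub: int, p: int = GROUP2_P) -> bytes:
    if not validate_public(peer_pub, p):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def ikev1_psk_keys(psk: bytes, nonce_i: bytes, nonce_r: bytes, g_xy: bytes,
                   cky_i: bytes, cky_r: bytes, prf_hash=hashlib.sha1):
    """RFC 2409 section 5, pre-shared-key authentication. g^xy from DH is mixed
    into every key, so the PSK alone never keys anything:
      SKEYID   = prf(psk, Ni | Nr)
      SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)             seeds phase 2 keys
      SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  authenticates IKE messages
      SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)  encrypts messages 5 and 6"""
    prf = lambda key, data: hmac.new(key, data, prf_hash).digest()
    skeyid = prf(psk, nonce_i + nonce_r)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def run_exchange() -> dict:
    """Both gateways in one process; only public values, nonces and cookies cross the wire."""
    priv_a, pub_a = generate_keypair()          # Remote gateway
    priv_b, pub_b = generate_keypair()          # Corporate gateway
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    psk = b"constructed-pre-shared-key"
    secret_a = shared_secret(priv_a, pub_b)     # local private + remote public
    secret_b = shared_secret(priv_b, pub_a)
    keys_a = ikev1_psk_keys(psk, nonce_i, nonce_r, secret_a, cky_i, cky_r)
    keys_b = ikev1_psk_keys(psk, nonce_i, nonce_r, secret_b, cky_i, cky_r)
    return {"secret_a": secret_a, "secret_b": secret_b, "keys_a": keys_a, "keys_b": keys_b}


if __name__ == "__main__":
    r = run_exchange()
    print("same session key at both ends:", r["secret_a"] == r["secret_b"])
    print("SKEYID_e:", r["keys_a"][2].hex())
```

DH on its own does not say who the peer is; an active attacker can run one exchange with each side. That is why IKE binds the DH result to the pre-shared key or certificate in messages 5 and 6, and why a gateway should refuse the degenerate public values validate_public rejects.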
IPSEC OVERVIEW

IPsec is an industry standard for providing IP data security and integrity services:
- Works at the IP layer
- Supports unicast and multicast traffic

According to RFC 2401 (since replaced by RFC 4301, which keeps the same model), IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required to provide the requested services.


IPSEC: A TWO-STEP PROCESS

IPsec VPNs consist of two major steps:
1. Tunnel establishment: establishes a secure tunnel and the parameters that define secure traffic
   - Manual: all parameters are set manually
   - Dynamic: uses IKE
2. IPsec traffic processing: protects traffic between the two tunnel endpoints by using the security parameters defined in the tunnel establishment step


STEP 1: TUNNEL ESTABLISHMENT USING IKE

IKE provides increased functionality in secure environments:
- Uses UDP port 500 (UDP port 4500 once NAT traversal is detected)
- Establishes security parameters (security associations) for creating IPsec VPN tunnels
- Negotiates proposals containing encryption and authentication algorithms
- Creates encryption and authentication keys automatically, which provides the ability to rekey frequently
- Provides a gateway identity (peer authentication) function


SECURITY ASSOCIATIONS

SAs are a set of policies and keys used to protect information between two peers:
- An SA is uniquely identified by:
  - The SPI, a 32-bit value carried in the AH or ESP header that the receiver uses to look up the SA
  - A destination IP address
  - A security protocol (AH or ESP)
- IKE SAs are:
  - Established during IKE phase 1 negotiations
  - Bidirectional
- IPsec SAs are:
  - Established during IKE phase 2 negotiations
  - Unidirectional, so each tunnel needs a pair (one inbound, one outbound), each with its own SPI and keys


SA DATABASE

[Figure: Remote Office (untrust 1.1.8.1, trust 10.10.0.1, hosts 10.10.0.5 and 10.10.0.6) and Corporate Office (untrust 2.2.8.1, trust 10.0.0.1, hosts 10.0.0.5 and 10.0.0.6), each holding one entry in its security database for the tunnel between them.]

Remote Office security database:
  Name: VPNtoCorporate
  Gateway IP address: 2.2.8.1
  SPI: Local 3001, Remote 3002
  Security protocol: ESP
  Encryption algorithm: 3DES
  Encryption key: xxxxyyyyzzzz
  Authentication algorithm: SHA
  Authentication key: aaabbbccc

Corporate Office security database:
  Name: VPNtoRemote
  Gateway IP address: 1.1.8.1
  SPI: Local 3002, Remote 3001
  Security protocol: ESP
  Encryption algorithm: 3DES
  Encryption key: xxxxyyyyzzzz
  Authentication algorithm: SHA
  Authentication key: aaabbbccc

The local SPI on one side is the remote SPI on the other: each gateway chooses the SPI for the SA on which it receives.
IKE PHASES

IKE tunnel establishment:
- Phase 1:
  - Two peers establish a secure, authenticated channel with which to communicate
  - The DH key exchange algorithm is used to generate a symmetric key common to the communicating gateways
  - Main mode: used when both tunnel peers have static IP addresses
  - Aggressive mode: used when one tunnel peer has a dynamically assigned IP address; it sends the identities and the responder's authentication hash before the channel is encrypted, so with pre-shared keys a passive observer can mount an offline guessing attack against a weak key
- Phase 2:
  - IPsec SAs are negotiated using the phase 1 secure channel
  - Proxy IDs (traffic selectors) identify which traffic each IPsec SA protects and must match at both ends
  - The Diffie-Hellman key exchange algorithm can be used again to provide perfect forward secrecy (PFS)
  - Phase 2 mode is called quick mode


IKE PHASE 1: MAIN MODE

[Figure: Remote gateway (ge-0/0/0: 10.1.10.1 towards host 10.1.10.5, ge-0/0/1: 1.1.8.1) and Corporate gateway (ge-0/0/1: 2.2.8.1, ge-0/0/0: 10.1.210.1 towards host 10.1.210.5) exchange six messages.]

Message 1 (initiator): Cookie I, SA proposal list
Message 2 (responder): Cookie I, Cookie R, SA proposal accept
Message 3 (initiator): DH public value A, Nonce I (random number)
Message 4 (responder): DH public value B, Nonce R (random number)
Message 5 (initiator): Identification I, Hash [ID-I + key]   (encrypted and authenticated)
Message 6 (responder): Identification R, Hash [ID-R + key]   (encrypted and authenticated)

Messages 5 and 6 are protected with keys derived from the DH exchange, so the identities and authentication hashes are not exposed on the wire.
IKE PHASE 1: AGGRESSIVE MODE

[Figure: Remote gateway (ge-0/0/1: 10.1.10.1 towards host 10.1.10.5, ge-0/0/0: dynamic address) and Corporate gateway (ge-0/0/0: 2.2.8.1, ge-0/0/1: 10.1.210.1 towards host 10.1.210.5) exchange three messages.]

Message 1 (initiator): Cookie I, SA proposal list, DH public value A, Nonce I, identification I
Message 2 (responder): Cookie I, Cookie R, SA proposal accept, DH public value B, Nonce R, identification R, Hash [ID-R + key]
Message 3 (initiator): Hash [ID-I + key]   (encrypted and authenticated)

Only message 3 is protected; messages 1 and 2 carry the identities and the responder's hash in the clear.
IKE PHASE 2: QUICK MODE

[Figure: Remote gateway (ge-0/0/0: 10.1.10.1 towards host 10.1.10.5, ge-0/0/1: 1.1.8.1) and Corporate gateway (ge-0/0/1: 2.2.8.1, ge-0/0/0: 10.1.210.1 towards host 10.1.210.5) exchange three messages inside the phase 1 channel.]

Message 1 (initiator): hash using phase 1 information, message ID, SA proposal list, Nonce I, [DH public key I], proxy ID
Message 2 (responder): hash using phase 1 information, message ID, SA proposal accept, Nonce R, [DH public key R], proxy ID
Message 3 (initiator): hash using phase 1 information, message ID, Nonce I, Nonce R

The DH public keys in brackets are present only when PFS is configured; without PFS, the IPsec keys are derived from the phase 1 secret and the new nonces.
IPSEC DYNAMIC TUNNEL ESTABLISHMENT—SUMMARY

[Figure: Remote gateway (ge-0/0/1: 10.1.10.1 towards host 10.1.10.5, ge-0/0/0: 1.1.8.1) and Corporate gateway (ge-0/0/0: 2.2.8.1, ge-0/0/1: 10.1.210.1 towards host 10.1.210.5).]

Phase 1: Header, SA, DH exchanged in both directions
Phase 2: SA, Proxy ID exchanged in both directions
Result: an IPsec tunnel; data from each site enters the IPsec VPN and is delivered as data at the other site
IPSEC: A TWO-STEP PROCESS—STEP 2

Recap: step 1, tunnel establishment (manual, or dynamic using IKE), is complete. Step 2, IPsec traffic processing, protects traffic between the two tunnel endpoints by using the security parameters defined in the tunnel establishment step.


STEP 2: IPSEC TRAFFIC PROCESSING

Goal: traffic protection
IPsec modes:
- Transport
- Tunnel
IPsec protocols:
- AH
- ESP


IPSEC MODES

Transport mode (host to host; the original IP header is kept):
  Before: [IP header][TCP][Payload]
  After:  [IP header][IPsec header][TCP][Payload]

Tunnel mode (gateway to gateway; the whole original packet is encapsulated):
  Before: [IP header][TCP][Payload]
  After:  [New IP header][IPsec header][IP header][TCP][Payload][IPsec trailer]

[Figure: hosts A and B on one LAN and C and E on another, with the IPsec VPN between the two LAN gateways.] A site-to-site SRX VPN uses tunnel mode, so the inner (private) addresses never appear in the outer header.


IPSEC PROTOCOLS

IPsec uses two protocols, in transport or tunnel mode:
- AH:
  - RFC 2402 (updated by RFC 4302)
  - Uses IP protocol number 51
  - Provides 1. integrity and 2. authentication, but no confidentiality
  - Its integrity check also covers the outer IP header, so it cannot pass through NAT
- ESP:
  - RFC 2406 (updated by RFC 4303)
  - Uses IP protocol number 50
  - Provides 1. integrity, 2. authentication and 3. confidentiality
  - Most often used protocol in IPsec


EXAMPLE: TUNNEL MODE AH PACKETS

Original packet:       [IP header][TCP][Data]

Tunnel mode AH packet: [New IP header, protocol 51][AH][IP header][TCP][Data]

AH fields: next header, payload length, SPI, sequence number, authentication data (ICV)

Authenticated: the entire packet, including the new IP header (except its mutable fields), the AH and the original packet


EXAMPLE: TUNNEL MODE ESP PACKETS

Original packet:        [IP header][TCP][Data]

Tunnel mode ESP packet: [New IP header, protocol 50][ESP header][IP header][TCP][Data][ESP trailer][ESP auth]

ESP header fields: SPI, sequence number
ESP trailer fields: padding, pad length, next header

Encrypted: from the original IP header through the ESP trailer
Authenticated: from the ESP header through the ESP trailer (the new IP header is not covered, which is why ESP can pass through NAT)
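The tunnel-mode ESP layout above, built and verified in Python, as an added example that is not part of the original course material. It uses ESP with NULL encryption (RFC 2410) and hmac-sha1-96 so the header, trailer and ICV are visible without a cipher, and it performs the inbound checks in the order a gateway does: SA lookup by SPI, anti-replay window (RFC 2401 Appendix C), ICV verification, then trailer parsing. SPI 3001, the key, the peer address 2.2.8.1 and the inner packet are constructed for the example.

```python
"""Tunnel-mode ESP packets with hmac-sha1-96 and an anti-replay window.

Added example, not Junos code. ESP-NULL (RFC 2410) is used so the layout and
receive-side checks are visible without a cipher; SPI 3001, the key, the
inner packet and the peer address 2.2.8.1 are constructed.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50
ICV_LEN = 12           # hmac-sha1-96: 20-byte SHA-1 HMAC truncated to 96 bits
IPIP_NEXT_HEADER = 4   # tunnel mode: the ESP payload is a complete IPv4 packet


class ReplayWindow:
    """Sliding window from RFC 2401 Appendix C: 'last' is the highest sequence
    number accepted, bit i of 'bitmap' marks sequence number last-i as seen."""
    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        if seq == 0:                       # never transmitted by a valid sender
            return False
        if seq > self.last:                # to the right of the window: new
            return True
        diff = self.last - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq: int) -> None:    # only after the ICV has verified
        if seq > self.last:
            self.bitmap = ((self.bitmap << (seq - self.last)) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def build_esp(spi: int, seq: int, inner_packet: bytes, auth_key: bytes) -> bytes:
    """[SPI][seq][payload][padding][pad len][next header][ICV]."""
    pad_len = (-(len(inner_packet) + 2)) % 4      # align pad len + next header to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # RFC 2406 default padding 1, 2, 3, ...
    esp_header = struct.pack("!II", spi, seq)
    body = inner_packet + padding + bytes([pad_len, IPIP_NEXT_HEADER])
    icv = hmac.new(auth_key, esp_header + body, hashlib.sha1).digest()[:ICV_LEN]
    return esp_header + body + icv


def receive_esp(sadb: dict, dst: str, packet: bytes):
    """Inbound processing in the order a gateway does it. Returns (status, inner)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return "bad header", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb.get((spi, dst, ESP_PROTO))          # an SA is identified by SPI, dst, protocol
    if sa is None:
        return "no SA for incoming SPI", None
    if not sa["window"].check(seq):
        return "replay", None                     # cheap rejection before the HMAC
    expected = hmac.new(sa["auth_key"], packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(packet[-ICV_LEN:], expected):
        return "ESP authentication failure", None
    sa["window"].update(seq)                      # a forged packet never moves the window
    body = packet[8:-ICV_LEN]
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPIP_NEXT_HEADER or pad_len + 2 > len(body):
        return "bad trailer", None
    return "ok", body[:len(body) - 2 - pad_len]


def demo() -> dict:
    key = b"constructed-auth-key-for-spi-3001"
    # Constructed inner packet: a 20-byte IPv4 header 10.1.10.5 -> 10.1.210.5
    # (checksum left at zero) followed by a stand-in payload.
    inner = (b"\x45\x00\x00\x27\x00\x00\x40\x00\x40\x06\x00\x00"
             + bytes([10, 1, 10, 5]) + bytes([10, 1, 210, 5]) + b"constructed payload")
    dst = "2.2.8.1"
    sadb = {(3001, dst, ESP_PROTO): {"auth_key": key, "window": ReplayWindow()}}
    p1, p2, p3 = (build_esp(3001, n, inner, key) for n in (1, 2, 3))
    out = {}
    out["first"] = receive_esp(sadb, dst, p2)[0]             # arrives out of order: ok
    out["older_but_new"] = receive_esp(sadb, dst, p1)[0]     # inside the window, unseen: ok
    out["replayed"] = receive_esp(sadb, dst, p1)[0]          # same packet again: replay
    tampered = p3[:20] + bytes([p3[20] ^ 0x01]) + p3[21:]    # flip one bit of the inner source address
    out["tampered"] = receive_esp(sadb, dst, tampered)[0]    # ESP authentication failure
    status, recovered = receive_esp(sadb, dst, p3)
    out["genuine_after_forgery"] = status                    # ok: the forgery did not consume seq 3
    out["inner_recovered"] = recovered == inner
    out["unknown_spi"] = receive_esp(sadb, dst, build_esp(4242, 4, inner, key))[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The status strings mirror the counters in show security ipsec statistics and the st0 flow error statistics later in this module ("ESP authentication failures", "Replay errors", "No SA for incoming SPI"), so an operator reading those outputs can map each counter to the check that produced it.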


TRAFFIC PROCESSING (1 OF 2)

[Figure: Host A 10.1.10.5 behind the Remote gateway (ge-0/0/1: 10.1.10.1, ge-0/0/0: 1.1.8.1); Host B 10.1.210.5 behind the Corporate gateway (ge-0/0/0: 2.2.8.1, ge-0/0/1: 10.1.210.1).]

In the policy text below, SA means source address and DA destination address, not security association.

1. Host A sends a packet from 10.1.10.5 to 10.1.210.5.
2. Remote performs a route lookup: prefix 10.1.210.5, interface ge-0/0/0, gateway 1.1.0.254.
3. Remote evaluates the security policy from zone Private to zone Public: if SA = 10.1.10.5 and DA = 10.1.210.5 and application = any, then use tunnel.
4. The original packet 10.1.10.5 -> 10.1.210.5 is handed to IPsec processing.
5. The packet is protected and an authentication HASH is computed over it.
6. The packet is encapsulated: outer header 1.1.8.1 -> 2.2.8.1, protocol 50, SPI, then the protected inner packet and the HASH.

TRAFFIC PROCESSING (2 OF 2)

7. Corporate receives the ESP packet: 1.1.8.1 -> 2.2.8.1, protocol 50, SPI, inner packet, HASH.
8. The SPI selects the inbound SA: SPI 3001, encapsulation ESP, encryption AES, authentication SHA.
9. Corporate recomputes the HASH and compares it with the received value; the two must match (and the sequence number must pass the anti-replay check) before the packet is decrypted.
10. The inner packet 10.1.10.5 -> 10.1.210.5 is recovered.
11. Corporate performs a route lookup: prefix 10.1.210.5, interface ge-0/0/1, gateway 0.0.0.0 (directly connected).
12. Corporate evaluates the security policy from zone Public to zone Private: if SA = 10.1.10.5 and DA = 10.1.210.5 and application = all, then use tunnel; the packet is accepted because it arrived through the tunnel that the policy references.


IPSEC SUMMARY—TRAFFIC FLOW
Remote Corporate

ge-0/0/1: ge-0/0/0: ge-0/0/0: ge-0/0/1:


10.1.10.5 10.1.10.1 1.1.8.1 2.2.8.1 10.1.210.1 10.1.210.5

Phase
Header, SA, DH 1 Header, SA, DH

Phase
SA, Proxy ID 2 SA, Proxy ID
IPsec tunnel

Data IPsec VPN Data


34 Copyright © 2009 Juniper Networks, Inc. www.juniper.net
JUNOS SOFTWARE IPSEC IMPLEMENTATION

IPsec implementation methods:
- Policy based:
  - Upon a match, the security policy sets up the IPsec tunnel
  - A new tunnel (IPsec SA pair) is generated for each security policy that references the VPN
  - Always has permit as the policy action
- Route based:
  - Upon a match, the security policy permits traffic whose destination is reached through the secure tunnel interface, st0.x
  - A route to the destination points through the st0.x interface, which is bound to a specific IPsec tunnel
  - Only one tunnel is generated between two sites, and routing (static or dynamic) decides what enters it


ELEMENTS OF IPSEC VPN CONFIGURATION

Elements of IPsec VPN configuration include:
1. Configuration of IKE phase 1
2. Configuration of IKE phase 2
3. Applying the IPsec implementation method:
   - Configuration of policy-based IPsec VPNs
   - Configuration of route-based IPsec VPNs


CONFIGURING IKE PHASE 1 PARAMETERS (1 OF 3)

Step A: configure IKE phase 1 proposals

[edit security ike]
user@host# show
proposal proposal-name {
    authentication-method [pre-shared-keys | rsa-signatures];
    dh-group [group1 | group2 | group5];
    authentication-algorithm [md5 | sha-256 | sha1];
    encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
    lifetime-seconds seconds;
}

Optionally, use one of the JUNOS software predefined phase 1 proposal sets instead of your own proposal:
- basic
- compatible
- standard


CONFIGURING IKE PHASE 1 PARAMETERS (2 OF 3)

Step B: configure IKE phase 1 policies and reference the IKE proposals

[edit security ike]
user@host# show
policy policy-name {
    mode [main | aggressive];
    (proposals proposal-name) | (proposal-set [basic | compatible | standard]);
    pre-shared-key [ascii-text | hexadecimal];
}


CONFIGURING IKE PHASE 1 PARAMETERS (3 OF 3)

Step C: configure the IKE phase 1 gateway and reference the IKE policy configured in Step B

[edit security ike]
user@host# show
gateway gateway-name {
    ike-policy policy-name;
    address address;
    external-interface interface-name;
    dead-peer-detection {
        interval seconds;
        threshold number;
    }
}


CONFIGURING IKE PHASE 2 PARAMETERS (1 OF 3)

Step A: configure IKE phase 2 proposals

[edit security ipsec]
user@host# show
proposal proposal-name {
    protocol [ah | esp];
    authentication-algorithm [hmac-md5-96 | hmac-sha1-96];
    encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
    lifetime-kilobytes kilobytes;
    lifetime-seconds seconds;
}

Optionally, use one of the JUNOS software predefined phase 2 proposal sets instead of your own proposal:
- basic
- compatible
- standard


CONFIGURING IKE PHASE 2 PARAMETERS (2 OF 3)

Step B: configure the IKE phase 2 policies and reference the IPsec proposals

[edit security ipsec]
user@host# show
policy policy-name {
    perfect-forward-secrecy {
        keys [group1 | group2 | group5];
    }
    (proposals proposal-name) | (proposal-set [basic | compatible | standard]);
}


CONFIGURING IKE PHASE 2 PARAMETERS (3 OF 3)

Step C: configure the IKE phase 2 VPN tunnel and reference the IKE phase 2 policy configured in Step B

[edit security ipsec]
user@host# show
vpn vpn-name {
    bind-interface st0.y;                  ## necessary only for route-based VPNs
    ike {                                  ## necessary if dynamic keying (IKE) is used
        gateway gateway-name;
        ipsec-policy policy-name;
        …
    }
    manual {                               ## necessary if manual keying is used
        …
    }
    establish-tunnels [immediately | on-traffic];
}


APPLYING IPSEC—POLICY-BASED IPSEC VPNS

Apply the IPsec VPN from the security policy:

[edit security policies]
user@host# show
from-zone source-zone-name to-zone destination-zone-name {
    policy policy-name {
        match {
            …
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ipsec-tunnel-name;   ## reference to the IPsec VPN tunnel
                }
            }
        }
    }
}


APPLYING IPSEC—ROUTE-BASED IPSEC VPNS

Steps: create the secure tunnel interface, place it in a security zone, bind the VPN to it, and add a route (static or dynamic) for the remote networks through the st0 interface.

[edit interfaces]
user@host# show
st0 {
    unit number {
        family inet {
            address address;
            mtu mtu-size;
        }
    }
}

[edit security zones]
user@host# show security-zone zone-name
…
interfaces {
    ge-1/0/1.0;
    st0.0;
}

[edit security ipsec]
user@host# show
vpn vpn-name {
    bind-interface st0.y;
    …
}
EXAMPLE: CREATING POLICY-BASED IPSEC VPNS USING IKE

[Figure: PrivatePC 10.1.10.5 (A) in the HR zone behind the Edge gateway (ge-1/0/1, B) in the Public zone; across the Internet, the Remote gateway (C) at 1.1.70.1 with host 2.2.2.1 behind it.]

[edit security policies]
user@Edge# show
from-zone HR to-zone Public {
    policy vpnToLo {
        match {
            source-address allPCs;
            destination-address Public-hosts;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ToLo;
                }
            }
        }
    }
}

[edit security policies]
user@Remote# show
from-zone Public to-zone Public {
    policy allow {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn ToLo;
                }
            }
        }
    }
}

The name given to ipsec-vpn must match a vpn configured under [edit security ipsec] on the same device.
EXAMPLE: CONFIGURING IKE PHASE 1 PARAMETERS

[edit security ike]
user@Edge# show
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 600;
}
policy ike-policy1 {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA
}
gateway ike-phase1-gateway {
    ike-policy ike-policy1;
    address 1.1.70.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-1/0/1.0;
}

The proposal above reflects the course lab; md5, 3des-cbc and group2 are dated choices, and a current deployment would use sha-256, aes-256-cbc and group14 or stronger. The "$9$" string is the Junos obfuscated form of the pre-shared key, not an encrypted one, so configuration files containing it must be protected like the key itself.


EXAMPLE: CONFIGURING IKE PHASE 2 PARAMETERS FOR POLICY-BASED IPSEC VPNS

[edit security ipsec]
user@Edge# show
proposal ike-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec-pol1 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike-phase2-proposal;
}
vpn TunnelA {
    ike {
        gateway ike-phase1-gateway;
        ipsec-policy ipsec-pol1;
    }
    establish-tunnels immediately;
}


MONITORING POLICY-BASED IPSEC VPNS—EDGE

IKE phase 1 results:

user@Edge> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
19      1.1.70.1        UP     1927f01c38bc08db  ca631d7f107c871d  Main

IKE phase 2 results:

user@Edge> show security ipsec security-associations
  total configured sa: 2
  ID  Gateway   Port  Algorithm     SPI       Life:sec/kb  Mon  vsys
  <2  1.1.70.1  500   ESP:3des/md5  3de5f00d  3178/ unlim  -    0
  >2  1.1.70.1  500   ESP:3des/md5  b4c44e62  3178/ unlim  -    0

user@Edge> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:             7616
  Decrypted bytes:             4704
  Encrypted packets:             56
  Decrypted packets:             56
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

The inbound (<) SA on Edge uses SPI 3de5f00d and the outbound (>) SA uses b4c44e62; on the peer the same two SPIs appear with the directions reversed.
MONITORING POLICY-BASED IPSEC VPNS—REMOTE

IKE phase 1 results:

user@Remote> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
3       1.1.70.2        UP     1927f01c38bc08db  ca631d7f107c871d  Main

IKE phase 2 results:

user@Remote> show security ipsec security-associations
  total configured sa: 2
  ID  Gateway   Port  Algorithm     SPI       Life:sec/kb  Mon  vsys
  <2  1.1.70.2  500   ESP:3des/md5  b4c44e62  3135/ unlim  -    0
  >2  1.1.70.2  500   ESP:3des/md5  3de5f00d  3135/ unlim  -    0

user@Remote> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            10472
  Decrypted bytes:             6468
  Encrypted packets:             77
  Decrypted packets:             77
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
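The cross-check an operator performs by eye on the two outputs above (each gateway's inbound SPI must be the peer's outbound SPI), as an added Python example that is not Junos or Juniper code. It parses the SA table lines in the format shown on these slides, pairs the SAs across the two peers, and additionally flags the negotiated algorithms that would not be chosen today. The sample output is copied from the Edge and Remote slides; the line format the parser assumes is only what those slides show.

```python
"""Cross-check 'show security ipsec security-associations' from two peers.

Added example, not Junos or Juniper code. Parses the SA table lines in the
format shown on the slides; the sample text below is copied from them.
"""
import re
from collections import namedtuple

SA = namedtuple("SA", "direction id gateway port algorithm spi life")

# "<2 1.1.70.1 500 ESP:3des/md5 3de5f00d 3178/ unlim - 0"
SA_LINE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\S+)"
)

WEAK = {"des", "3des", "md5", "sha1"}   # no longer recommended for new SAs


def parse_sa_table(text: str) -> list:
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas.append(SA(m["dir"], int(m["id"]), m["gw"], int(m["port"]),
                          m["alg"], m["spi"], m["life"]))
    return sas


def pair_spis(local: list, remote: list) -> list:
    """Every inbound (<) SA here must be an outbound (>) SA on the peer with the
    same SPI, and vice versa; anything unpaired will show up as
    'No SA for incoming SPI' on whichever side receives the traffic."""
    remote_out = {sa.spi for sa in remote if sa.direction == ">"}
    remote_in = {sa.spi for sa in remote if sa.direction == "<"}
    problems = []
    for sa in local:
        if sa.direction == "<" and sa.spi not in remote_out:
            problems.append(f"inbound SPI {sa.spi} has no matching outbound SA on peer")
        if sa.direction == ">" and sa.spi not in remote_in:
            problems.append(f"outbound SPI {sa.spi} has no matching inbound SA on peer")
    return problems


def weak_algorithms(sas: list) -> list:
    """'ESP:3des/md5' -> cipher '3des', integrity 'md5'; returns the weak ones."""
    flagged = set()
    for sa in sas:
        _, _, algs = sa.algorithm.partition(":")
        flagged.update(a.lower() for a in algs.split("/") if a.lower() in WEAK)
    return sorted(flagged)


# Copied from the Edge and Remote monitoring slides.
EDGE = """\
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<2 1.1.70.1 500 ESP:3des/md5 3de5f00d 3178/ unlim - 0
>2 1.1.70.1 500 ESP:3des/md5 b4c44e62 3178/ unlim - 0
"""
REMOTE = """\
total configured sa: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<2 1.1.70.2 500 ESP:3des/md5 b4c44e62 3135/ unlim - 0
>2 1.1.70.2 500 ESP:3des/md5 3de5f00d 3135/ unlim - 0
"""


def demo() -> dict:
    edge, remote = parse_sa_table(EDGE), parse_sa_table(REMOTE)
    return {"edge": edge, "pairing": pair_spis(edge, remote), "weak": weak_algorithms(edge)}


if __name__ == "__main__":
    r = demo()
    print("SPI pairing problems:", r["pairing"] or "none")
    print("weak algorithms in use:", r["weak"])
```

Running the same check against a single gateway's output twice (as if the peer had the SPIs the wrong way round) reports both SPIs as unpaired, which is the symptom of a stale SA on one side after an asymmetric rekey or clear.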
EXAMPLE: CREATING ROUTE-BASED IPSEC VPNS USING IKE

[Figure: Private PC 10.1.10.5 (A) in the HR zone behind the Edge gateway (ge-1/0/1, B) in the Public zone; across the Internet, the Remote gateway (C, ge-1/0/0) at 1.1.70.1 with host 2.2.2.1 behind it. The st0 tunnel interfaces at both ends share the subnet 1.1.80.0/28.]

[edit routing-options]
user@Edge# show
static {
    route 0.0.0.0/0 next-hop 1.1.80.1;
}

[edit interfaces]
lab@Edge# show st0
unit 0 {
    family inet {
        address 1.1.80.2/28;
    }
}

[edit routing-options]
user@Remote# show
static {
    route 0.0.0.0/0 next-hop 1.1.80.2;
}

[edit interfaces]
lab@Remote# show st0
unit 0 {
    family inet {
        address 1.1.80.1/28;
    }
}

In this lab the default route on each side points through st0.0, so all non-local traffic enters the tunnel; in production, route only the remote private prefixes through the tunnel interface.
EXAMPLE: CONFIGURING A SECURITY ZONE FOR A ROUTE-BASED IPSEC VPN

[edit security zones]
user@Edge# show security-zone Public
address-book {
    address host1 2.2.2.1/32;
    address host2 1.1.70.251/32;
    address-set Public-hosts {
        address host1;
        address host2;
    }
}
screen protect;
host-inbound-traffic {
    system-services {
        any-service;
    }
}
interfaces {
    ge-1/0/1.0;
    st0.0;
}

The st0.0 interface is added to the Public security zone at both ends of the tunnel. The zone that holds the external interface must accept the ike system service inbound for phase 1 to complete; any-service is lab convenience, and an Internet-facing zone should normally permit only ike and whatever management services the device must answer.


EXAMPLE: CONFIGURING IKE PHASE 1 PARAMETERS

The IKE phase 1 configuration for the route-based VPN is identical to the one shown for the policy-based IPsec VPN: proposal ike-phase1-proposal (pre-shared-keys, group2, md5, 3des-cbc, lifetime-seconds 600), policy ike-policy1 (main mode, proposals ike-phase1-proposal, pre-shared key) and gateway ike-phase1-gateway (ike-policy ike-policy1, address 1.1.70.1, dead-peer-detection interval 20 threshold 5, external-interface ge-1/0/1.0).


EXAMPLE: CONFIGURING IKE PHASE 2 PARAMETERS FOR A ROUTE-BASED IPSEC VPN

[edit security ipsec]
user@Edge# show
proposal ike-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3200;
}
policy ipsec-pol1 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ike-phase2-proposal;
}
vpn TunnelA {
    bind-interface st0.0;      ## binding the VPN to the st0 interface makes it route-based
    ike {
        gateway ike-phase1-gateway;
        ipsec-policy ipsec-pol1;
    }
    establish-tunnels immediately;
}


MONITORING A ROUTE-BASED IPSEC VPN—EDGE (1 OF 4)

IKE phase 1 results:

user@Edge> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
2       1.1.70.1        UP     04c17bc8fee7056d  5cfd8286f6415e9b  Main
1       1.1.70.1        UP     044f6f7455e6abbb  97428c95adef94aa  Main

IKE phase 2 results:

user@Edge> show security ipsec security-associations
  total configured sa: 4
  ID      Gateway   Port  Algorithm     SPI       Life:sec/kb  Mon  vsys
  <16384  1.1.70.1  500   ESP:3des/md5  2236e53c  3080/ unlim  -    0
  >16384  1.1.70.1  500   ESP:3des/md5  f5965f43  3080/ unlim  -    0
  <16384  1.1.70.1  500   ESP:3des/md5  ecf3c3ae  3082/ unlim  -    0
  >16384  1.1.70.1  500   ESP:3des/md5  452bc489  3082/ unlim  -    0

Two phase 1 SAs and two pairs of phase 2 SAs exist with the same peer; this typically happens when both gateways initiate at the same time (establish-tunnels immediately on both sides), and both sets remain valid until they expire.

user@Edge> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            19176
  Decrypted bytes:            11844
  Encrypted packets:            141
  Decrypted packets:            141
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
MONITORING A ROUTE-BASED IPSEC VPN—EDGE (2 OF 4)

The st0 interface is up:

user@Edge> show interfaces st0 terse
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet     1.1.80.2/28

Statistics for the st0 interface:

user@Edge> show interfaces st0 detail
Physical interface: st0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 42, Generation: 130
  Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
  Hold-times     : Up 0 ms, Down 0 ms
  Device flags   : Present Running
  Interface flags: Point-To-Point
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                12389                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                  145                    0 pps

  Logical interface st0.0 (Index 67) (SNMP ifIndex 45) (Generation 134)
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Security: Zone: Public
    Allowed host-inbound traffic : any-service
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     144
      VPN packets :                      0
      Bytes permitted by policy :        14112
      Connections established :          0
MONITORING A ROUTE-BASED IPSEC VPN—EDGE (3 OF 4)

Statistics for the st0 interface (continued):

    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        15386
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 9192, Generation: 140, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 1.1.80.0/28, Local: 1.1.80.2, Broadcast: Unspecified, Generation: 140

When traffic reaches st0 but is dropped, "No SA for incoming SPI", "Security association not active" and "Policy denied" are the counters to check first.


MONITORING A ROUTE-BASED IPSEC VPN—EDGE (4 OF 4)

user@Edge> show route

inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:25:32
                    > to 1.1.80.1 via st0.0
1.1.70.0/28        *[Direct/0] 00:25:15
                    > via ge-1/0/1.0
1.1.70.2/32        *[Local/0] 00:25:16
                      Local via ge-1/0/1.0
1.1.80.0/28        *[Direct/0] 00:25:32
                    > via st0.0
1.1.80.2/32        *[Local/0] 00:25:32
                      Local via st0.0

The default route (0.0.0.0/0) points to the st0 interface; 1.1.80.0/28 and 1.1.80.2/32 are the direct and local routes associated with the st0 interface.


MONITORING A ROUTE-BASED IPSEC VPN—REMOTE (1 OF 4)

IKE phase 1 results:

user@Remote> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       1.1.70.2        UP     04c17bc8fee7056d  5cfd8286f6415e9b  Main
2       1.1.70.2        UP     044f6f7455e6abbb  97428c95adef94aa  Main

IKE phase 2 results:

user@Remote> show security ipsec security-associations
  total configured sa: 4
  ID      Gateway   Port  Algorithm     SPI       Life:sec/kb  Mon  vsys
  <16384  1.1.70.2  500   ESP:3des/md5  f5965f43  3068/ unlim  -    0
  >16384  1.1.70.2  500   ESP:3des/md5  2236e53c  3068/ unlim  -    0
  <16384  1.1.70.2  500   ESP:3des/md5  452bc489  3070/ unlim  -    0
  >16384  1.1.70.2  500   ESP:3des/md5  ecf3c3ae  3070/ unlim  -    0

user@Remote> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            18224
  Decrypted bytes:            11256
  Encrypted packets:            134
  Decrypted packets:            134
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
MONITORING A ROUTE-BASED IPSEC VPN—REMOTE (2 OF 4)

The st0 interface is up:

user@Remote> show interfaces st0 terse
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet     1.1.80.1/28

Statistics for the st0 interface:

user@Remote> show interfaces st0 detail
Physical interface: st0, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 39, Generation: 130
  Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192, Speed: Unspecified
  Hold-times     : Up 0 ms, Down 0 ms
  Device flags   : Present Running
  Interface flags: Point-To-Point
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :                    0                    0 bps
   Output bytes  :                12682                    0 bps
   Input  packets:                    0                    0 pps
   Output packets:                  146                    0 pps

  Logical interface st0.0 (Index 67) (SNMP ifIndex 48) (Generation 134)
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Security: Zone: Public
    Allowed host-inbound traffic : ftp ping telnet
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     144
      VPN packets :                      0
      Bytes permitted by policy :        14112
      Connections established :          144
MONITORING A ROUTE-BASED IPSEC VPN—REMOTE (3 OF 4)

Statistics for the st0 interface (continued):

    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        14382
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 9192, Generation: 140, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 1.1.80.0/28, Local: 1.1.80.1, Broadcast: Unspecified, Generation: 144


MONITORING A ROUTE-BASED IPSEC VPN—REMOTE (4 OF 4)

user@Remote> show route

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:34:48
                    > to 1.1.80.2 via st0.0
1.1.70.0/28        *[Direct/0] 00:34:10
                    > via ge-1/0/0.0
1.1.70.1/32        *[Local/0] 00:34:31
                      Local via ge-1/0/0.0
1.1.70.251/32      *[Direct/0] 00:35:03
                    > via lo0.0
1.1.80.0/28        *[Direct/0] 00:34:48
                    > via st0.0
1.1.80.1/32        *[Local/0] 00:34:48
                      Local via st0.0

The default route (0.0.0.0/0) points to the st0 interface; 1.1.80.0/28 and 1.1.80.1/32 are the direct and local routes associated with the st0 interface.


OTHER IPSEC VPN MONITORING COMMANDS

Other useful monitoring commands include:
- traceoptions (set security ike traceoptions and set security ipsec traceoptions, which log the negotiation in detail, including which proposal a peer rejected)
- clear security ike security-associations
- clear security ipsec security-associations


COMMON IPSEC CONFIGURATION PROBLEMS

Watch for the following problems:
- Proposal mismatch: phase 1 or phase 2 algorithms, DH group or PFS settings differ between the peers; the responder answers with a NO-PROPOSAL-CHOSEN notification and the corresponding SA never appears in the show output
- Preshared key mismatch: the proposals match, but main mode fails at messages 5 and 6 because the peers derive different keys
- No available route information: the gateway needs a route to the peer address out of the external interface, and a route-based VPN needs a route for the protected traffic through st0.x
- Misconfiguration of the peer gateway and outgoing interface: the gateway address and external-interface must match what the peer expects, and the zone of the external interface must accept the ike service inbound