IPsecVPNs Juniper

IPsec VPNs
4-1
Copyright 2005 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
Defining VPNs
Historically, VPN is a broad term
Generally defined as a means for transporting a subset of
network traffic over a separate network
Performed through tunneling, separating, or securing
different types of traffic
Types of VPNs today:

Clear-text VPNsLayer 3 VPNs, Layer 2 VPNs, or VPLS
Secure VPNsIPsec
Combination of clear-text and secure VPNs
2009 Juniper Networks, Inc. All rights reserved.
Secure VPNs
10.1.20.3
Provide secure tunnels across the

Internet
Private
10.1.20.1
Encryption
Payload verification
Authentication
Public
1.1.1.1
10.1.20.4
IP Packet
IPsec VPN
Public
2.2.2.1
Encrypted Packet
Private
10.0.0.254
10.0.0.5
10.0.0.6
IP Packet
Security Concerns
Three major concerns:
Confidentiality
Keep data secure and hidden
Integrity
Ensure that data has not been changed
Authentication
Confirm the data came from the advertised source
ConfidentialityData Encryption
Data encryption details:
Provides data confidentiality
Encrypted and decrypted by using keys
Symmetric (secret) key
Asymmetric (public and private) key
A reversible process
ConfidentialitySymmetric Key Encryption

Basic form of encryption:
Symmetric keys are faster at bulk data encryption
Typical key sizes range from 401024 bits
Examples: DES, 3DES, AES
Sender
1
Original data
Receiver
Encrypted data
Key
Key
Encrypted data
Original data
ConfidentialityPublic Key Encryption

Widely used form of strong encryption
Slow when used for bulk data encryption
Typical sizes range from 5122048 bits
Examples: RSA and DH
Sender
Receiver
Pub
Pub
Original data
Encrypted data
+ Pub
Priv
2
Encrypted data
Original data
Integrity
Hash functions provide integrity services
One-way hashing algorithmcannot determine original data
from hash value
Fixed-length output (depending on algorithm)
Examples: MD5 and SHA
MD5 provides 128-bit output
SHA provides 160-bit output
IntegrityOne-Way Hash Algorithms

Example of a modulus operation:
80mod11 =
7 r3
=3
11 80
77
3
Given the value 3, what was the original data?

80mod11
13mod5
203mod10
11mod8
100mod97
=3
=3
=3
=3
=3
Hash functions can use the modulus operation in the hash

creation process
IntegrityThe Hash Process

Receiver
Sender
HASH
Data
Data
HASH
Data
4
Data
HASH
HASH
HASH
If the hash values

match, the data is good
10
Source Authentication
Validates datagrams by verifying that they came from
the proper source
Authentication process uses HMAC
Adds a secret preshared key to the hashing process
11
Authentication with HMAC

Receiver
Sender
Data
HASH
Data
Hash key
Data
Hash key
HASH
4
Data
HASH
HASH
HASH
If the hash If
values
the hash
match,
values
the data is good
match,
and the
the
source
data is
is good
valid
12
How Are Keys Exchanged?

Encryption and hashing both rely on keys
Manual configuration:
Prone to configuration errors
Rarely changed
Automatic exchange:
Uses public connectionshow do you secure the key exchange?
The solution: Diffie-Hellman key exchange algorithm

First published standard for public key cryptography
Solves the key distribution problem through the use of
public and private key pairs
Only the public key is sent across the network
13
Diffie-Hellman Groups
Five sets of very large prime numbers (and a
generator) serve as the modulus for the Diffie-Hellman
algorithm
Juniper Networks supports Groups 1, 2, and 5
Group 1 uses a 768-bit prime
14
The DH Key Exchange Process

Internet
Each device generates

a public and private
key pair
PrivA
PrivB
PubA
PubB
Public keys are

exchanged
Local private and remote public

keys are used in DH to form a
common session key
SESSION
KEY
Same session key,

two different places
SESSION
KEY
15
IPsec Overview
IPsec is an industry standard for providing IP data
security and integrity services
Works at the IP layer
Supports unicast and multicast traffic
According to RFC 2401, IPsec provides security services at the IP layer by

enabling a system to select required security protocols, determine the
algorithms to use for the services, and put in place any cryptographic keys
required to provide the requested services.
16
IPsec: A Two-Step Process

IPsec VPNs consist of two major steps:
1. Tunnel establishment: Establishes a secure tunnel and
parameters that define secure traffic
Manual: All parameters are set manually
Dynamic: Uses IKE
2. IPsec traffic processing: Protects traffic between the two

tunnel endpoints by using security parameters defined in
the tunnel establishment step
17
Step 1: Tunnel Establishment Using IKE

IKE provides increased functionality in secure
environments
Uses UDP, Port 500
Establishes:
Security parameters (security associations) for creating IPsec VPN
tunnels
Negotiates proposals containing encryption and authentication
algorithms
Creates encryption and authentication keys automatically, which
provides the ability to rekey frequently
Provides gateway identity function
18
Security Associations
SAs are a set of policies and keys used to protect
information between two peers
An SA is uniquely identified by:
The SPI, which is an internal index number
A destination IP address
A security protocol
IKE SAs are:

Established during IKE phase 1 negotiations
Bidirectional
IPsec SAs are:

Established during IKE phase 2 negotiations
Unidirectional
19
SA Database
Remote Office
10.0.0.5
10.0.0.6
Trust
10.10.0.1
Untrust
1.1.8.1
Trust
10.0.0.1
Security Database
Name: VPNtoCorporate
Gateway IP address: 2.2.8.1
SPI: Local: 3001, Remote: 3002
Security protocol: ESP
Encryption algorithm: 3DES
Encryption key: xxxxyyyyzzzz
Authentication algorithm: SHA
Authentication key: aaabbbccc
Untrust
2.2.8.1
10.10.0.5
10.10.0.6
Corporate Office
Security Database
Name: VPNtoRemote
Gateway IP address: 1.1.8.1
SPI: Local: 3002, Remote: 3001
Security Protocol: ESP
Encryption algorithm: 3DES
Encryption key: xxxxyyyyzzzz
Authentication algorithm: SHA
Authentication key: aaabbbccc
20
IKE Phases
IKE tunnel establishment:
Phase 1:
Two peers establish a secure, authenticated channel with which to
communicate
DH key exchange algorithm is used to generate a symmetric key
common to the communicating gateways
Main mode: Used when both tunnel peers have static IP addresses
Aggressive mode: Used when one tunnel peer has a
dynamically assigned IP address
Phase 2:
IPsec SAs are negotiated using a phase 1 secure channel
Proxy ID is used to identify which SA is referenced for VPN
Diffie-Hellman key exchange algorithm can be used (again) to
create PFS
Phase 2 mode is called quick mode
21
IKE Phase 1: Main Mode

Remote
10.1.10.5
ge-0/0/0: ge-0/0/1:
10.1.10.1 1.1.8.1
Message 1:
Cookie I, SA Proposal List
Corporate
ge-0/0/1:
2.2.8.1
ge-0/0/0:
10.1.210.1
10.1.210.5
Message 2:
Cookie I, Cookie R, SA Proposal Accept
Message 3:
DH Public Value A, Nonce I (Random #)
Message 4:
DH Public Value B, Nonce R (Random #)
Message 5:
Identification I, Hash [ID-I + key]
Encrypted and Authenticated
Message 6:
Identification R, Hash [ID-R + key]
22
IKE Phase 1: Aggressive Mode

Corporate
Remote
10.1.10.5
ge-0/0/1: ge-0/0/0:
10.1.10.1 (dynamic)
ge-0/0/0:
2.2.8.1
ge-0/0/1:
10.1.210.1
10.1.210.5
Message 1:
Cookie I, SA proposal list, DH public value A, nonce I
Message 2:
Cookie I, cookie R, SA proposal accept, DH public
value B, nonce R, identification hash R
Message 3:
Hash [ID-I +key]
Encrypted and authenticated
23
IKE Phase 2: Quick Mode

Remote
10.1.10.5
ge-0/0/0: ge-0/0/1:
10.1.10.1
1.1.8.1
Corporate
ge-0/0/1:
2.2.8.1
ge-0/0/0:
10.1.210.1
10.1.210.5
Message 1:
Hash using phase 1 information,
message ID, SA proposal list, Nonce I,
[DH Public Key I ], proxy ID
Message 2:
Message 3:

message ID, SA proposal list accept,
Nonce R, [DH Public Key I ], proxy ID

message ID, Nonce I, Nonce R
24
IPsec Dynamic Tunnel Establishment

Summary
Remote
10.1.10.5
ge-0/0/1:
10.1.10.1
Header, SA, DH
SA, Proxy ID
Corporate Juniper Networks
ge-0/0/0:
2.2.8.1
ge-0/0/0:
1.1.8.1
Phase 1
Phase 2
ge-0/0/1:
10.1.210.1
10.1.210.5
Header, SA, DH
SA, Proxy ID
IPsec tunnel
Data
IPsec VPN
Data
25
IPsec: A Two-Step ProcessStep 2

IPsec VPNs consist of two major steps:
1. Tunnel establishment: Establishes a secure tunnel and
parameters that define the secure traffic
Manual: All parameters are set manually
Dynamic: Uses IKE
2. IPsec traffic processing: Protects traffic between the two

tunnel endpoints by using security parameters defined in
the tunnel establishment step
26
Step 2: IPsec Traffic Processing

Goal: Traffic protection
IPsec modes:
Transport
Tunnel
IPsec protocols:
AH
ESP
27
IPsec Modes
Transport mode
Tunnel mode
IPsec VPN
E
A
LAN
LAN
IP header
IP header
TCP
IPsec
header
Payload
TCP
Payload
IP header
New IP
header
IPsec
header
IP header
TCP
TCP
Payload
Payload
IPsec
trailer
28
IPsec Protocols
IPsec uses two protocols
in transport or tunnel modes:
IPsec Protocols
AH:
RFC 2402
Uses protocol number 51
AH
ESP
ESP:
RFC 2406
Uses protocol number 50
Most often used protocol
in IPsec
1. Integrity
2. Authentication
1. Integrity
2. Authentication
3. Confidentiality
29
Example: Tunnel Mode AH Packets

Original Packet
IP header
Next
header
Payload
length
SPI
TCP
Data
Sequence
number
New IP header ProtocolDataAH

51
IP header
TCP
Data
Authenticated
30
Example: Tunnel Mode ESP Packets

Original packet
IP header
SPI
TCP
Data
Sequence
number
New IP header ProtocolData

ESP
50
IP header
TCP
Data
ESP trailer
ESP Auth
Encrypted
Authenticated
31
Traffic Processing (1 of 2)
Remote
Host A
10.1.10.5
ge-0/0/1
10.1.10.1
10.1. 10.5
10.1.210.5
Prefix
10.1. 210. 5
Interface
ge - 0/0/0
Corporate
ge-0/0/0
1.1.8.1
ge-0/0/0
2.2.8.1
10.1.210.5
Gateway
1 . 1.0.254
From zone Private to zone Public : if SA = 10 . 1 . 10 . 5 & DA = 10 . 1 . 210 . 5 & Application
10.1. 10.5
10.1.210.5
10. 1. 10.5
10.1.210 . 5
1.1. 8.1
2.2. 8.1
ge-0/0/1
10.1.210.1
Host B
= any, then use tunnel
HASH
50
SPI
10.1. 10.5
10.1.210.5
HASH
32
Traffic Processing (2 of 2)
Remote
Host A
10.1.10.5
ge-0/0/1:
10.1.10.1
1.1. 8.1
SPI
3001
HASH
ge-0/0/0:
1.1.8.1
2.2. 8.1
Encap
ESP
50
Encryp
AES
SPI
ge-0/0/0: ge-0/0/1:
2.2.8.1
10.1.210.1
10.1. 10.5
10.1.210.5
Host B
10.1.210.5
HASH
Auth
SHA
HASH
10
10.1. 10.5
10.1.210.5
11
Prefix
10. 1. 210.5
Interface
ge - 0/0/1
12
Corporate
10.1. 10.5
10.1.210.5
Gateway
0 .0. 0.0
From zone Public to zone Private : if SA =10.1.10.5 & DA =10.1.210. 5 & Application = all , then use tunnel
33
IPsec SummaryTraffic Flow

Remote
10.1.10.5
ge-0/0/1:
10.1.10.1
Header, SA, DH
SA, Proxy ID
Corporate
ge-0/0/0:
2.2.8.1
ge-0/0/0:
1.1.8.1
Phase 1
Phase 2
ge-0/0/1:
10.1.210.1
10.1.210.5
Header, SA, DH
SA, Proxy ID
IPsec tunnel
Data
IPsec VPN
Data
34
JUNOS Software IPsec Implementation

IPsec implementation methods:
Policy based:
Upon a match, the security policy sets up the IPsec tunnel
New tunnel is generated for each flow of traffic that matches the
policy
Always has permit as policy action
Route based:
Upon a match, the security policy permits traffic with the
destination address pointing to the secure tunnel interfacest.x
A route to the destination is through the st.x interface, which is
bound to a specific IPsec tunnel
Only one tunnel is generated between two sites
35
Elements of IPsec VPN Configuration

Elements of IPsec VPN configuration include:
1. Configuration of IKE phase 1
2. Configuration of IKE phase 2
3. Applying IPsec implementation method:
Configuration of policy-based IPsec VPNs
Configuration of route-based IPsec VPNs
36
Configuring IKE Phase 1 Parameters (1 of 3)

Step A:
Configuring IKE phase 1 proposals:
[edit security ike]
user@host# show
proposal proposal-name {
authentication-method [pre-shared-keys | rsa-signatures];
dh-group [group1 | group2 | group5];
authentication-algorithm [md5 | sha-256 | sha1];
encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
lifetime-seconds seconds;
Optionally, use JUNOS softwares predefined phase 1

proposal from these choices:
basic
compatible
standard
37

Step B:
Configure IKE phase 1 policies and reference the IKE
proposals
[edit security ike]
user@host# show
policy policy-name {
mode [main | aggressive];
(proposals proposal-name) | (proposal-set [basic | compatible | standard]);
pre-shared-key [ascii-text | hexadecimal];
38

Step C:
Configure the IKE phase 1 gateway and reference the IKE
policy configured in Step B
[edit security ike]
user@host# show
gateway gateway-name {
ike-policy policy-name;
address address;
external-interface interface-name;
dead-peer-detection {
interval seconds;
threshold number;
}
39

Step A:
Configure IKE phase 2 proposals:
[edit security ipsec]
user@host# show
proposal proposal-name {
protocol [ah | esp];
authentication-algorithm [hmac-md5-96 | hmac-sha1-96];
encryption-algorithm [3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc];
lifetime-kilobytes kilobytes;
lifetime-seconds seconds;
Optionally, use JUNOS softwares predefined phase 1

proposal from these choices:
basic
compatible
standard
40

Step B:
Configure the IKE phase 2 policies and reference the IKE
proposals
user@host# show
perfect-forward-secrecy {
keys [group1 | group2 | group5];
}
(proposals proposal-name) | (proposal-set [basic | compatible | standard]);
41

Step C:
Configure the IKE phase 2 VPN tunnel and reference the IKE
phase 2 policy configured in Step B
user@host# show
vpn vpn-name {
bind-interface stx.y;
ike {
gateway gateway-name;
ipsec-policy policy-name;
}
manual {
}
establish-tunnels [immediately | on-traffic];
Is necessary only for

route-based VPNs
Is necessary if the
dynamic key is used
Is necessary if the
manual key is used
42
Applying IPsecPolicy-Based IPsec VPNs

Apply the IPsec VPN from the security policy
[edit security policies]
user@host# show
from-zone source-zone-name to-zone destination-zone-name {
match {
}
then {
permit {
tunnel {
ipsec-vpn ipsec-tunnel-name;
}
}
}
}
}
Reference to the
IPsec VPN tunnel
43
Applying IPsecRoute-Based IPsec VPNs

Steps:
[edit interface]
user@host# show
st0 {
unit number {
family inet {
address address;
mtu mtu-size;
}
}
}
[edit security zones]

user@host# show security-zone zone-name
interfaces {
ge-1/0/1.0;
st0.0;
}

user@host# show
vpn vpn-name {
bind-interface stx.y;
44
Example: Creating Policy-Based IPsec VPNs

Using IKE
HR
Zone
Public
Zone
Remote
Edge
Internet
1.1.70.1
ge-1/0/1
PrivatePC
10.1.10.5

user@Edge# show
from-zone HR to-zone Public {
policy vpnToLo {
match {
source-address allPCs;
destination-address Public-hosts;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ToLo;
}
}
}
}
}
C
2.2.2.1

user@Remote# show
from-zone Public to-zone Public {
policy allow {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn ToLo;
}
}
}
}
}
45
Example:
Configuring IKE Phase 1 Parameters
[edit security ike]
user@Edge# show
proposal ike-phase1-proposal {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 600;
}
policy ike-policy1 {
mode main;
proposals ike-phase1-proposal;
pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA
}
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 1.1.70.1;
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
46
Example: Configuring IKE Phase 2

Parameters for Policy-Based IPsec VPNs
user@Edge# show
protocol esp;
authentication-algorithm hmac-md5-96;
}
policy ipsec-pol1 {
keys group2;
}
}
vpn TunnelA {
ike {
gateway ike-phase1-gateway;
ipsec-policy ipsec-pol1;
}
establish-tunnels immediately;
}
47
Monitoring Policy-Based IPsec VPNsEdge

user@Edge> show security ike security-associations
Index
Remote Address State Initiator cookie Responder cookie
19
1.1.70.1
UP
1927f01c38bc08db ca631d7f107c871d
user@Edge> show security
total configured sa: 2
ID
Gateway
<2
1.1.70.1
>2
1.1.70.1
ipsec security-associations
Port
500
500
Algorithm
ESP:3des/md5
ESP:3des/md5
SPI
Life:sec/kb
3de5f00d 3178/ unlim
b4c44e62 3178/ unlim
user@Edge> show security ipsec statistics

ESP Statistics:
Encrypted bytes:
7616
Decrypted bytes:
4704
Encrypted packets:
56
Decrypted packets:
56
AH Statistics:
Input bytes:
0
Output bytes:
0
Input packets:
0
Output packets:
0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Mode
Main
IKE
phase 1
results
Mon vsys
0
0
IKE
phase 2
results
48
Monitoring Policy-Based IPsec VPNs

Remote
user@Remote> show security ike security-associations
Index
3
1.1.70.2
UP
1927f01c38bc08db ca631d7f107c871d
user@Remote> show security ipsec security-associations
ID
Gateway
Port Algorithm
SPI
Life:sec/kb
<2
1.1.70.2
500
ESP:3des/md5
b4c44e62 3135/ unlim
>2
1.1.70.2
500
ESP:3des/md5
3de5f00d 3135/ unlim
user@Remote> show security ipsec statistics
ESP Statistics:
Encrypted bytes:
10472
Decrypted bytes:
6468
Encrypted packets:
77
Decrypted packets:
77
AH Statistics:
Input bytes:
0
Output bytes:
0
Input packets:
0
Output packets:
0
Errors:
Mode
Main
IKE
phase 1
results
Mon vsys
0
0
IKE
phase 2
results
49
Example:
Creating Route-Based IPsec VPNs Using IKE
1.1.80.0/28
HR
Zone
Public
Zone
Edge
Remote
Internet
ge-1/0/1
1.1.70.1
ge-1/0/0
B
Private PC
10.1.10.5
[edit routing-options]
user@Edge# show
static {
route 0.0.0.0/0 next-hop 1.1.80.1;
}
[edit interfaces]
lab@Edge# show st0
unit 0 {
family inet {
address 1.1.80.2/28;
}
}
C
2.2.2.1
[edit routing-options]
user@Remote# show
static {
route 0.0.0.0/0 next-hop 1.1.80.2;
}
[edit interfaces]
lab@Remote# show st0
unit 0 {
family inet {
address 1.1.80.1/28;
}
}
50
Example: Configuring a Security Zone for a

Route-Based IPsec VPN
[edit security zones]
user@Edge# show security-zone Public
address-book {
address host1 2.2.2.1/32;
address host2 1.1.70.251/32;
address-set Public-hosts {
address host1;
address host2;
}
}
screen protect;
host-inbound-traffic {
system-services {
any-service;
}
}
interfaces {
ge-1/0/1.0;
st0.0;
}
st0.0 interfaces are

added to the Public
security zone at both
ends of the tunnel
51
Example:
Configuring IKE Phase 1 Parameters
[edit security ike]
user@Edge# show
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
}
policy ike-policy1 {
mode main;
pre-shared-key ascii-text "$9$lMaeLNsYoGjq4a"; ## SECRET-DATA
}
gateway ike-phase1-gateway {
ike-policy ike-policy1;
address 1.1.70.1;
interval 20;
threshold 5;
}
external-interface ge-1/0/1.0;
}
Identical to the
configuration for
a policy-based
IPsec VPN
52
Example: Configuring IKE Phase 2

Parameters for a Route-Based IPsec VPN
user@Edge# show
protocol esp;
authentication-algorithm hmac-md5-96;
}
policy ipsec-pol1 {
keys group2;
}
}
vpn TunnelA {
bind-interface st0.0;
ike {
gateway ike-phase1-gateway;
ipsec-policy ipsec-pol1;
}
establish-tunnels immediately;
}
Binding the IPsec VPN to

the st0 interface makes
that VPN route-based
53
Monitoring a Route-Based IPsec VPNEdge

(1 of 4)
user@Edge> show security ike security-associations
Index
2
1.1.70.1
UP
04c17bc8fee7056d 5cfd8286f6415e9b
1
1.1.70.1
UP
044f6f7455e6abbb 97428c95adef94aa
user@Edge> show security
ID
Gateway
<16384 1.1.70.1
>16384 1.1.70.1
<16384 1.1.70.1
>16384 1.1.70.1
IKE
phase 1
results
ipsec security-associations
Port
500
500
500
500
Algorithm
ESP:3des/md5
ESP:3des/md5
ESP:3des/md5
ESP:3des/md5
SPI
2236e53c
f5965f43
ecf3c3ae
452bc489
Life:sec/kb
3080/ unlim
3080/ unlim
3082/ unlim
3082/ unlim
user@Edge> show security ipsec statistics

ESP Statistics:
Encrypted bytes:
19176
Decrypted bytes:
11844
Encrypted packets:
141
Decrypted packets:
141
AH Statistics:
Input bytes:
0
Output bytes:
0
Input packets:
0
Output packets:
0
Errors:
Mode
Main
Main
Mon vsys
0
0
0
0
IKE
phase 2
results
54

(2 of 4)
user@Edge> show interfaces st0 terse
Interface
Admin Link Proto
st0
up
up
st0.0
up
up
inet
Local
Remote
1.1.80.2/28
user@Edge> show interfaces st0 detail

Physical interface: st0, Enabled, Physical link is Up
Interface index: 129, SNMP ifIndex: 42, Generation: 130
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192,
Speed: Unspecified
Hold-times
: Up 0 ms, Down 0 ms
Device flags
: Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes :
0
0 bps
Output bytes :
12389
0 bps
Input packets:
0
0 pps
Output packets:
145
0 pps
The st0
interface is up
Statistics for
the st0
interface
Logical interface st0.0 (Index 67) (SNMP ifIndex 45) (Generation 134)
Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Security: Zone: Public
Allowed host-inbound traffic : any-service
Flow Statistics :
Flow Input statistics :
Self packets :
0
ICMP packets :
144
VPN packets :
0
Bytes permitted by policy :
14112
Connections established :
0
The output is continued on the next page

55

(3 of 4)
Flow Output statistics:

Multicast packets :
0
15386
Flow error statistics (Packets dropped due to):
Address spoofing:
0
Authentication failed:
0
Incoming NAT errors:
0
Invalid zone received packet:
0
Multiple user authentications:
0
Multiple incoming NAT:
0
No parent for a gate:
0
No one interested in self packets: 0
No minor session:
0
No more sessions:
0
No NAT gate:
0
No route present:
0
No SA for incoming SPI:
0
No tunnel found:
0
No session for a gate:
0
No zone or NULL zone binding
0
Policy denied:
0
Security association not active:
0
TCP sequence number out of window: 0
Syn-attack protection:
0
User authentication errors:
0
Protocol inet, MTU: 9192, Generation: 140, Route table: 0
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 1.1.80.0/28, Local: 1.1.80.2, Broadcast: Unspecified,
Generation: 140
Statistics
for the st0
interface
56

(4 of 4)
user@Edge> show route
inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
1.1.70.0/28
1.1.70.2/32
1.1.80.0/28
1.1.80.2/32
*[Static/5] 00:25:32
> to 1.1.80.1 via st0.0
*[Direct/0] 00:25:15
> via ge-1/0/1.0
*[Local/0] 00:25:16
Local via ge-1/0/1.0
*[Direct/0] 00:25:32
> via st0.0
*[Local/0] 00:25:32
Local via st0.0
Default route
pointing to the
st0 interface
Direct and local

routes associated
with the st0
interface
57
Monitoring a Route-Based IPsec VPN

Remote (1 of 4)
user@Remote> show security ike
Index
Remote Address State
1
1.1.70.2
UP
2
1.1.70.2
UP
security-associations
Initiator cookie Responder cookie
04c17bc8fee7056d 5cfd8286f6415e9b
044f6f7455e6abbb 97428c95adef94aa
user@Remote> show security ipsec security-associations

ID
Gateway
Port Algorithm
SPI
<16384 1.1.70.2
500
ESP:3des/md5
f5965f43
>16384 1.1.70.2
500
ESP:3des/md5
2236e53c
<16384 1.1.70.2
500
ESP:3des/md5
452bc489
>16384 1.1.70.2
500
ESP:3des/md5
ecf3c3ae
Life:sec/kb
3068/ unlim
3068/ unlim
3070/ unlim
3070/ unlim
user@Remote> show security ipsec statistics

ESP Statistics:
Encrypted bytes:
18224
Decrypted bytes:
11256
Encrypted packets:
134
Decrypted packets:
134
AH Statistics:
Input bytes:
0
Output bytes:
0
Input packets:
0
Output packets:
0
Errors:
Mode
Main
Main
IKE
phase 1
results
Mon vsys
0
0
0
0
IKE
phase 2
results
58

Remote (2 of 4)
user@Remote> show interfaces st0 terse
Interface
Admin Link Proto
st0
up
up
st0.0
up
up
inet
Local
Remote
1.1.80.1/28
user@Remote> show interfaces st0 detail

Physical interface: st0, Enabled, Physical link is Up
Interface index: 129, SNMP ifIndex: 39, Generation: 130
Type: Secure-Tunnel, Link-level type: Secure-Tunnel, MTU: 9192,
Speed: Unspecified
Hold-times
: Up 0 ms, Down 0 ms
Device flags
: Present Running
Interface flags: Point-To-Point
Statistics last cleared: Never
Traffic statistics:
Input bytes :
0
0 bps
Output bytes :
12682
0 bps
Input packets:
0
0 pps
Output packets:
146
0 pps
The st0
interface Is up
Statistics for
the st0
interface
Logical interface st0.0 (Index 67) (SNMP ifIndex 48) (Generation 134)
Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Security: Zone: Public
Allowed host-inbound traffic : ftp ping telnet
Flow Statistics :
Flow Input statistics :
Self packets :
0
ICMP packets :
144
VPN packets :
0
14112
Connections established :
144
The output is continued on the next page

59

Remote (3 of 4)
Flow Output statistics:

Multicast packets :
0
14382
Flow error statistics (Packets dropped due to):
Address spoofing:
0
Authentication failed:
0
Incoming NAT errors:
0
Invalid zone received packet:
0
Multiple user authentications:
0
Multiple incoming NAT:
0
No parent for a gate:
0
No one interested in self packets: 0
No minor session:
0
No more sessions:
0
No NAT gate:
0
No route present:
0
No SA for incoming SPI:
0
No tunnel found:
0
No session for a gate:
0
No zone or NULL zone binding
0
Policy denied:
0
Security association not active:
0
TCP sequence number out of window: 0
Syn-attack protection:
0
User authentication errors:
0
Protocol inet, MTU: 9192, Generation: 140, Route table: 0
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 1.1.80.0/28, Local: 1.1.80.1, Broadcast: Unspecified,
Generation: 144
Statistics
for the st0
interface
60

Remote (4 of 4)
user@Remote> show route
inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
1.1.70.0/28
1.1.70.1/32
1.1.70.251/32
1.1.80.0/28
1.1.80.1/32
*[Static/5] 00:34:48
> to 1.1.80.2 via st0.0
*[Direct/0] 00:34:10
> via ge-1/0/0.0
*[Local/0] 00:34:31
Local via ge-1/0/0.0
*[Direct/0] 00:35:03
> via lo0.0
*[Direct/0] 00:34:48
> via st0.0
*[Local/0] 00:34:48
Local via st0.0
Default route
pointing to the
st0 interface
Direct and local routes

associated with the st0
interface
61
Other IPsec VPN Monitoring Commands

Other useful monitoring commands include:
traceoptions
clear security ike
clear security ipsec
62
Common IPsec Configuration Problems

Watch for the following problems:
Proposal mismatch
Preshared key mismatch
No available route information
Misconfiguration of the peer gateway and outgoing interface
63

IPsecVPNs Juniper

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

IPsecVPNs Juniper

Hochgeladen von

Copyright:

Verfügbare Formate

IPsec VPNs

Proprietary and Confidential

Types of VPNs today:

2009 Juniper Networks, Inc. All rights reserved.

Provide secure tunnels across the

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

ConfidentialitySymmetric Key Encryption

2009 Juniper Networks, Inc. All rights reserved.

ConfidentialityPublic Key Encryption

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

IntegrityOne-Way Hash Algorithms

Given the value 3, what was the original data?

Hash functions can use the modulus operation in the hash

IntegrityThe Hash Process

If the hash values

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

Authentication with HMAC

2009 Juniper Networks, Inc. All rights reserved.

How Are Keys Exchanged?

The solution: Diffie-Hellman key exchange algorithm

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

The DH Key Exchange Process

Each device generates

Public keys are

Local private and remote public

Same session key,

According to RFC 2401, IPsec provides security services at the IP layer by

2009 Juniper Networks, Inc. All rights reserved.

IPsec: A Two-Step Process

2. IPsec traffic processing: Protects traffic between the two

2009 Juniper Networks, Inc. All rights reserved.

Step 1: Tunnel Establishment Using IKE

2009 Juniper Networks, Inc. All rights reserved.

IKE SAs are:

IPsec SAs are:

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

IKE Phase 1: Main Mode

IKE Phase 1: Aggressive Mode

2009 Juniper Networks, Inc. All rights reserved.

IKE Phase 2: Quick Mode

Hash using phase 1 information,

Hash using phase 1 information,

IPsec Dynamic Tunnel Establishment

Corporate Juniper Networks

IPsec: A Two-Step ProcessStep 2

2. IPsec traffic processing: Protects traffic between the two

2009 Juniper Networks, Inc. All rights reserved.

Step 2: IPsec Traffic Processing

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

Example: Tunnel Mode AH Packets

New IP header ProtocolDataAH

2009 Juniper Networks, Inc. All rights reserved.

Example: Tunnel Mode ESP Packets

New IP header ProtocolData

2009 Juniper Networks, Inc. All rights reserved.

From zone Private to zone Public : if SA = 10 . 1 . 10 . 5 & DA = 10 . 1 . 210 . 5 & Application