SRX Services Gateway

Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

IPSEC standard proposal

Hi Experts

The standard proposal for the IPSEC phase is esp-g2-3des-sha1 and esp-g2-aes128-sha1. My question is: when we use the standard proposal, do we then need to explicitly enable PFS in the IPSEC POLICY, or does just using the standard proposal make sure that PFS group2 would be enabled?

Thanks

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: IPSEC standard proposal

Hi,

As the name suggests (g2), it should use PFS when we configure the "standard" proposal set. No need to explicitly enable PFS.

We can see from http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/soft...

 

Juniper Networks devices support up to four proposals for Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you will accept. Junos OS provides the following predefined Phase 2 proposals:

  • Standard—g2-esp-3des-sha and g2-esp-aes128-sha
  • Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
  • Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

The Compatible and Basic proposal sets say "nopfs" and Standard says DH Group 2.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

Re: IPSEC standard proposal

Hi Pradeep

Thanks for your reply. The point is that when we define the proposal for PHASE-2 we do not have the option to define PFS. Defining PFS is part of the IPSEC POLICY, so that's why I am wondering how it is possible that using the standard proposal also enables PFS.

Please comment on this.

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: IPSEC standard proposal

Hi,

The main reason for me to believe that the standard proposal set does support PFS is that, before Junos 10.3, the Dynamic VPN feature did not support standard proposal sets; we needed to define custom IKE/IPSEC security proposals, and there PFS was mandatory.

If it is predefined, I don't think the configuration hierarchy matters (whether we define it under proposals or policy). Anyway, IKE traceoptions should help us clarify this without any doubt. (I do not have access to a device currently; maybe you can verify that if you have access to a device.)

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Contributor
aeroplane
Posts: 724
Registered: 06-30-2009

Re: IPSEC standard proposal

I will check this and let you know

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: IPSEC standard proposal

Hi,

"If the proposal list starts with nopfs, perfect forward secrecy is not enabled. Otherwise, it is enabled and a Diffie-Hellman (DH) group number is required."

So it seems that we need to explicitly configure the DH group number at the [edit security ipsec policy policyname] hierarchy even if we use the standard proposal set.

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
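The conclusion of the thread is that a Phase 2 policy using `proposal-set standard` still needs `perfect-forward-secrecy keys group2` configured at `[edit security ipsec policy <name>]`, while the compatible and basic sets expand to `nopfs-*` proposals and take no DH group. The following audit script is an added example, not code from the thread or from Juniper: it parses a constructed `set`-style SRX configuration (the policy names and the custom proposal `custom-prop` are made up) and reports, per IPsec policy, whether PFS is explicitly configured, whether the chosen proposal set is a nopfs set by design, or whether PFS is missing and should be reviewed.

```python
"""Audit Junos 'set'-style IPsec policy configuration for missing PFS.

Added example; the configuration below is constructed and not taken
from any real device.
"""
import re
from typing import Dict, Tuple

# Constructed sample configuration in 'show configuration | display set' form.
SAMPLE_CONFIG = """\
set security ipsec policy vpn-pol-a proposal-set standard
set security ipsec policy vpn-pol-b perfect-forward-secrecy keys group2
set security ipsec policy vpn-pol-b proposal-set standard
set security ipsec policy vpn-pol-c proposal-set compatible
set security ipsec policy vpn-pol-d proposals custom-prop
set security ipsec proposal custom-prop protocol esp
set security ipsec proposal custom-prop encryption-algorithm aes-128-cbc
set security ipsec proposal custom-prop authentication-algorithm hmac-sha1-96
"""

# Predefined Phase 2 proposal sets whose members all start with "nopfs-".
# The "standard" set (g2-esp-*) is deliberately not listed here.
NOPFS_SETS = {"compatible", "basic"}

POLICY_RE = re.compile(r"^set security ipsec policy (\S+) (.+)$")


def parse_policies(config_text: str) -> Dict[str, dict]:
    """Collect proposal-set, custom proposals and PFS group per IPsec policy."""
    policies: Dict[str, dict] = {}
    for raw in config_text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue  # not an ipsec policy statement (e.g. a proposal definition)
        name, rest = m.groups()
        pol = policies.setdefault(
            name, {"proposal_set": None, "proposals": [], "pfs_group": None}
        )
        tokens = rest.split()
        if tokens[0] == "proposal-set" and len(tokens) == 2:
            pol["proposal_set"] = tokens[1]
        elif tokens[0] == "proposals":
            pol["proposals"].extend(tokens[1:])
        elif tokens[:2] == ["perfect-forward-secrecy", "keys"] and len(tokens) == 3:
            pol["pfs_group"] = tokens[2]
    return policies


def audit_pfs(policies: Dict[str, dict]) -> Dict[str, Tuple[str, str]]:
    """Return (status, detail) per policy.

    status is one of:
      "ok"          - perfect-forward-secrecy keys <group> is configured
      "nopfs-set"   - compatible/basic set chosen; PFS is off by design
      "missing-pfs" - standard set or custom proposals without a PFS group
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for name, pol in policies.items():
        if pol["pfs_group"]:
            findings[name] = ("ok", f"PFS group {pol['pfs_group']}")
        elif pol["proposal_set"] in NOPFS_SETS:
            findings[name] = (
                "nopfs-set",
                f"proposal-set {pol['proposal_set']} expands to nopfs-* proposals",
            )
        else:
            what = (
                f"proposal-set {pol['proposal_set']}"
                if pol["proposal_set"]
                else f"proposals {' '.join(pol['proposals']) or '(none)'}"
            )
            findings[name] = (
                "missing-pfs",
                f"{what} but no perfect-forward-secrecy keys <group> in the policy",
            )
    return findings


if __name__ == "__main__":
    for policy, (status, detail) in audit_pfs(parse_policies(SAMPLE_CONFIG)).items():
        print(f"{policy:12} {status:12} {detail}")
```

Running the script over the sample flags `vpn-pol-a` (standard set, no PFS group) and `vpn-pol-d` (custom proposals, no PFS group) as `missing-pfs`, reports `vpn-pol-b` as `ok` with group2, and marks `vpn-pol-c` as `nopfs-set`. Feed it the output of `show configuration security ipsec | display set` from a real device to get the same breakdown for every Phase 2 policy.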
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.