06-20-2012 12:57 PM
The standard proposal set for IPsec Phase 2 is esp-g2-3des-sha1 and esp-g2-aes128-sha1. My question is: when we use the standard proposal set, do we need to explicitly enable PFS in the IPsec policy, or does just using the standard proposal set make sure that PFS group 2 is enabled?
06-20-2012 06:58 PM
As the name suggests (g2), it should use PFS when we configure the "standard" proposal set. No need to explicitly enable PFS.
Juniper Networks devices support up to four proposals for Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you will accept. Junos OS provides the following predefined Phase 2 proposals:
- Standard—g2-esp-3des-sha and g2-esp-aes128-sha
- Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
- Basic—nopfs-esp-des-sha and nopfs-esp-des-md5
The Compatible and Basic proposal sets say "nopfs", and Standard says DH Group 2.
06-21-2012 08:17 AM
Thanks for your reply. The point is that when we define the proposal for Phase 2 we do not have the option to define PFS. Defining PFS is part of the IPsec policy, so that's why I am wondering how it is possible that using the standard proposal set also enables PFS.
Please comment on this.
06-21-2012 10:06 AM
The main reason for me to believe that the standard proposal set does support PFS is that, before Junos 10.3, the Dynamic VPN feature did not support the standard proposal sets; we needed to define custom IKE/IPsec security proposals, and there PFS was mandatory.
If it is predefined, I don't think the configuration hierarchy matters (whether we define it under proposals or under the policy). Anyway, IKE traceoptions should help us clarify this without any doubt. (I do not have access to a device currently; maybe you can verify that if you have access to a device.)
06-25-2012 04:30 AM
"If the proposal list starts with nopfs, perfect forward secrecy is not enabled. Otherwise, it is enabled and a Diffie-Hellman (DH) group number is required."
So it seems that we need to explicitly configure the DH group number at the [edit security ipsec policy policyname] hierarchy even if we use the standard proposal set.
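To make the conclusion of the thread concrete, here is an added configuration example (not posted by anyone in the thread, and not copied from Juniper documentation) of a Junos SRX Phase 2 policy that uses the predefined "standard" proposal set and still enables PFS explicitly with the perfect-forward-secrecy knob, plus the IKE traceoptions the second poster suggested for verifying what is actually negotiated. The policy, VPN and gateway names (ipsec-pol-standard, vpn-to-branch, ike-gw-branch) are placeholders; the IKE gateway itself is assumed to be configured already.

```junos
# Added example: Phase 2 policy with the "standard" proposal set AND explicit PFS.
# Names are placeholders; the IKE gateway ike-gw-branch is assumed to exist.

# proposal-set selects the predefined g2-esp-3des-sha / g2-esp-aes128-sha proposals.
# perfect-forward-secrecy is the separate statement that enables PFS and fixes the
# DH group used for the Phase 2 exchange; it is not implied by the set's name.
set security ipsec policy ipsec-pol-standard perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-standard proposal-set standard

# Bind the Phase 2 policy to the VPN.
set security ipsec vpn vpn-to-branch ike gateway ike-gw-branch
set security ipsec vpn vpn-to-branch ike ipsec-policy ipsec-pol-standard

# Verification: IKE traceoptions record the Phase 2 proposals sent and accepted,
# including whether a PFS group was negotiated. Remove once done; "flag all" is noisy.
set security ike traceoptions file ike-trace
set security ike traceoptions file size 1m
set security ike traceoptions flag all
```

After a commit and a tunnel establishment, read the trace with `show log ike-trace` and look at the Phase 2 (Quick Mode) proposal exchange: that settles for your release whether leaving out the perfect-forward-secrecy line is rejected at commit or simply negotiated without PFS, which is the question the thread could not answer without a device. Two caveats in my own voice: group2 is 1024-bit MODP and the standard set pairs it with 3DES and SHA-1, all of which are legacy choices today, so for new tunnels prefer custom proposals with AES and at least `perfect-forward-secrecy keys group14`; and the `#` lines are comments for the reader, which the Junos CLI ignores when the block is pasted in configuration mode.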