SRX Services Gateway

Does SRX support IPSec VPN Transport mode?

‎03-19-2013 07:37 AM

Hi,

 

Does SRX support IPSec VPN Transport mode?

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"

Re: Does SRX support IPSec VPN Transport mode?

‎03-19-2013 08:25 AM

Do you mean is terminating an IPSec VPN supported while running in transparent mode?  Then the answer is no, Layer 2 only!

 

http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-int...

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Does SRX support IPSec VPN Transport mode?

‎03-19-2013 12:15 PM

@michael.saw wrote:

 

Does SRX support IPSec VPN Transport mode?


No... the SRX only supports IPsec in tunnel mode.

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: Does SRX support IPSec VPN Transport mode?

‎03-20-2013 04:02 AM

DOH! I deserve Kudos for that one surely!!

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: Does SRX support IPSec VPN Transport mode?

‎03-22-2013 06:06 AM
Any Juniper products supporting Transport mode to recommend?
Thanks!

Michael

Re: Does SRX support IPSec VPN Transport mode?

‎03-22-2013 11:59 AM

@michael.saw wrote:
Any Juniper products supporting Transport mode to recommend?

I believe the only Juniper products that support transport mode are M/MX/T boxes...

 

 

-kr

Re: Does SRX support IPSec VPN Transport mode?

‎03-24-2013 08:40 PM
Just to clarify, does Transport mode relate to Site-to-Site VPN?
Thanks!

Michael

Re: Does SRX support IPSec VPN Transport mode?

‎03-24-2013 10:17 PM

Not usually.

 

Tunnel mode is the typical use case for site-to-site VPNs.

-kr

Re: Does SRX support IPSec VPN Transport mode?

‎03-25-2013 12:30 AM


JNCIS-SEC Study Guide—Part 1
Chapter 7–14 • IPsec VPNs © 2012 Juniper Networks, Inc. All rights reserved.

 

IPsec Modes
IPsec handles the payload using one of two modes—transport or tunnel.
You can implement IPsec in the following two modes:
• Tunnel mode: This mode is the most commonly implemented method. Tunnel mode is implemented between IPsec gateways or an IPsec gateway and a remote client providing secure access to the networks behind the gateway. In this method, end systems need not be aware of the IPsec protocol suite. All encryption and decryption takes place on the IPsec gateways on behalf of the hosts behind the gateway.
• Transport mode: This mode is implemented between IPsec end systems. End systems should be aware of the IPsec protocol suite. They do all the encryption and decryption of data.
IKE phase determines transport or tunnel mode.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: Does SRX support IPSec VPN Transport mode?

‎03-25-2013 07:07 PM
Hi lyndidon,

That's the dilemma...
Some say Transport mode is not supported, but the Juniper Guide says Transport mode is supported...
Thanks!

Michael

Re: Does SRX support IPSec VPN Transport mode?

‎03-25-2013 08:21 PM

So you should lay out for us exactly what you want to achieve, and we can better determine how to accomplish it. Sometimes you will see something is said to be supported, but looking closer it is supported only on some platforms and in specific configurations with a specific version. What is the environment, what equipment do you have, and exactly what do you want to see happen/implemented?


Re: Does SRX support IPSec VPN Transport mode?

‎03-27-2013 01:09 PM

@lyndidon wrote:


JNCIS-SEC Study Guide—Part 1
Chapter 7–14 • IPsec VPNs © 2012 Juniper Networks, Inc. All rights reserved.

 

IPsec Modes
IPsec handles the payload using one of two modes—transport or tunnel.
You can implement IPsec in the following two modes:
• Tunnel mode: This mode is the most commonly implemented method. Tunnel mode is implemented between IPsec gateways or an IPsec gateway and a remote client providing secure access to the networks behind the gateway. In this method, end systems need not be aware of the IPsec protocol suite. All encryption and decryption takes place on the IPsec gateways on behalf of the hosts behind the gateway.
• Transport mode: This mode is implemented between IPsec end systems. End systems should be aware of the IPsec protocol suite. They do all the encryption and decryption of data.
IKE phase determines transport or tunnel mode.


 

This is just a description of the two modes -- it is important to know that they exist and what the difference is, therefore it's in the study guide for a security certification.  Makes sense.

 

It doesn't actually say that the SRX devices support transport mode.  Simply that it exists and what it is.

 

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: Does SRX support IPSec VPN Transport mode?

‎03-27-2013 09:44 PM

The JSEC course is based on the SRX and more specifically the SRX240(branch series).


Here is a bit more information I researched. Hopefully it answers your questions. The Juniper document has examples. You can test it in your environment or use Junosphere. Let us know the results.

In transport mode, the data portion of the IP packet is encrypted, but the IP header is not. Transport mode can be used only when the communication endpoint and cryptographic endpoint are the same. Virtual private network (VPN) gateways that provide encryption and decryption services for protected hosts cannot use transport mode for protected VPN communications. You configure manual SAs, and you must configure static values on both ends of the SA.

Note: When you use transport mode, the JUNOS software supports both BGP and OSPFv3 for manual SAs.

To configure IPSec security for transport mode, include the mode statement with the transport option at the [edit security ipsec security-association sa-name] hierarchy level:

[edit security ipsec security-association sa-name]
mode transport;

In transport mode, the JUNOS Software does not support authentication header (AH) and ESP header bundles.
In transport mode, the JUNOS Software supports only Border Gateway Protocol (BGP).
http://www.juniper.net/techpubs/en_US/junos10.4/information-products/topic-collections/feature-guide...

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html

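The two modes quoted from the study guide earlier in the thread, and the constraint in the post above that transport mode only works when the communication endpoint and the cryptographic endpoint are the same host, can both be seen in a small packet model. The following is an added example written for this thread, not code from Juniper or from any poster. It uses constructed addresses and payload, a SHA-256-derived XOR keystream as a stand-in for the SA's real cipher, and omits the ESP integrity check value, so it illustrates header layout and on-path visibility only, not a usable IPsec implementation.

```python
"""Added example: ESP transport mode vs tunnel mode, showing which bytes each mode
leaves readable on the wire. Placeholder keystream, no ICV; demo only."""
import hashlib
import ipaddress
import struct

ESP_PROTO = 50    # IANA protocol number for ESP
IPIP_PROTO = 4    # ESP "next header" value meaning an inner IPv4 packet follows
TCP_PROTO = 6


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """The outer header fields that every router on the path can read."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "total_len": total_len}


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Deterministic SHA-256 based stand-in for the SA's cipher (demo only, not secure)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]


def esp_encapsulate(plaintext: bytes, next_header: int, key: bytes, spi: int, seq: int) -> bytes:
    """ESP header (SPI, sequence) + protected payload + trailer (pad, pad_len, next_header).
    Padding aligns the trailer to 4 bytes; the ICV is omitted in this model."""
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ks = keystream(key, spi, seq, len(body))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(body, ks))


def esp_decapsulate(pkt: bytes, key: bytes):
    """Reverse of esp_encapsulate on a full packet; returns (next_header, plaintext)."""
    spi, seq = struct.unpack("!II", pkt[20:28])
    ks = keystream(key, spi, seq, len(pkt) - 28)
    body = bytes(a ^ b for a, b in zip(pkt[28:], ks))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def esp_transport(inner: bytes, crypto_endpoint: str, key: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: the host's own IP header stays in the clear (protocol rewritten to
    ESP) and only the layer-4 payload is protected. Refuses to act on behalf of another
    host, which is the constraint quoted in the thread (communication endpoint == crypto endpoint)."""
    fields = parse_ipv4(inner)
    if fields["src"] != crypto_endpoint:
        raise ValueError("transport mode: the IPsec endpoint must be the communicating host")
    esp = esp_encapsulate(inner[20:], fields["proto"], key, spi, seq)
    return ipv4_header(fields["src"], fields["dst"], ESP_PROTO, len(esp)) + esp


def esp_tunnel(inner: bytes, gw_src: str, gw_dst: str, key: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: the whole original packet, header included, becomes the ESP payload,
    and a new outer header addressed between the two gateways is prepended."""
    esp = esp_encapsulate(inner, IPIP_PROTO, key, spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def address_visible(pkt: bytes, addr: str) -> bool:
    """True if the packed address appears anywhere in the packet as sent."""
    return ipaddress.IPv4Address(addr).packed in pkt


# Constructed sample: host 10.1.1.10 talks to 10.2.2.20; the gateways are 203.0.113.1 and 198.51.100.1.
KEY = b"demo-key-not-for-real-use"
PAYLOAD = b"TCP segment (constructed)"
INNER = ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTO, len(PAYLOAD)) + PAYLOAD


def compare_modes() -> dict:
    """What an on-path observer sees in each mode, and what the receiving peer recovers."""
    t = esp_transport(INNER, "10.1.1.10", KEY, spi=0x1001, seq=1)
    u = esp_tunnel(INNER, "203.0.113.1", "198.51.100.1", KEY, spi=0x2002, seq=1)
    return {
        "transport_outer": parse_ipv4(t),                  # real hosts visible, proto 50
        "tunnel_outer": parse_ipv4(u),                     # only gateways visible, proto 50
        "transport_exposes_hosts": address_visible(t, "10.1.1.10"),
        "tunnel_exposes_hosts": address_visible(u, "10.1.1.10"),
        "transport_recovered": esp_decapsulate(t, KEY),    # (6, PAYLOAD)
        "tunnel_recovered": esp_decapsulate(u, KEY),       # (4, INNER)
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(name, value)
```

Running it shows the practical difference behind the thread's answers: in transport mode the outer header still carries the real endpoint addresses (so the two hosts themselves must be the IPsec peers, and only the layer-4 data is hidden), while in tunnel mode the outer header names only the gateways and the original header travels inside the protected payload, which is why a gateway such as an SRX protecting hosts behind it is a tunnel-mode device.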