SRX Services Gateway

IPSEC standard proposal

06-20-2012 12:57 PM

Hi Experts

The standard proposal for the IPSEC phase is esp-g2-3des-sha1 and esp-g2-aes128-sha1. My question is: when we use the standard proposal, do we need to explicitly enable PFS in the IPSEC POLICY, or does just using the standard proposal make sure that PFS group2 is enabled?

Thanks


Re: IPSEC standard proposal

06-20-2012 06:58 PM

Hi,

As the name suggests (g2), it should use PFS when we configure the "standard" proposal set. No need to explicitly enable PFS.

We can see from http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/soft...

 

Juniper Networks devices support up to four proposals for Phase 2 negotiations, allowing you to define how restrictive a range of tunnel parameters you will accept. Junos OS provides the following predefined Phase 2 proposals:

  • Standard—g2-esp-3des-sha and g2-esp-aes128-sha
  • Compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
  • Basic—nopfs-esp-des-sha and nopfs-esp-des-md5

The Compatible and Basic proposal sets say "nopfs" and Standard says DH Group 2.

Regards,
Pradeep JNCIE-SEC

Re: IPSEC standard proposal

06-21-2012 08:17 AM

Hi Pradeep

Thanks for your reply. The point is, when we define the proposal for PHASE-2, we do not have the option to define the PFS. Defining PFS is part of the IPSEC POLICY, so that's why I am wondering how it is possible that using the standard proposal also enables PFS.

Please comment on this.


Re: IPSEC standard proposal

06-21-2012 10:06 AM

Hi,

The main reason for me to believe that the standard proposal set does support PFS is that, before Junos 10.3, the Dynamic VPN feature did not support standard proposal sets; we needed to define custom IKE/IPSEC security proposals, and there PFS was mandatory.

If it is predefined, I don't think the configuration hierarchy matters (whether we define it under proposals or policy). Anyway, IKE traceoptions should help us clarify this without any doubt. (I do not have access to a device currently; maybe you can verify that if you have access to a device.)

Regards,
Pradeep JNCIE-SEC

Re: IPSEC standard proposal

06-23-2012 11:55 PM

I will check this and let you know


Re: IPSEC standard proposal

06-25-2012 04:30 AM

Hi,

"If the proposal list starts with nopfs, perfect forward secrecy is not enabled. Otherwise, it is enabled and a Diffie-Hellman (DH) group number is required."


So it seems that , we need to explicitly configure the DH Group number at the [edit security ipsec policy policyname] hierarchy even if we use the standard proposal set.

Regards,
Pradeep JNCIE-SEC
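As an added example (not from the thread or from Juniper's documentation) of what the last reply concludes: a Phase 2 policy that uses the predefined standard proposal set and still names the DH group explicitly under [edit security ipsec policy], together with the IKE traceoptions an earlier reply suggests for verifying it. The policy, VPN, gateway and trace file names are hypothetical, and Phase 1 (IKE proposal, policy and gateway "branch-gw") is assumed to be configured already.

```junos
security {
    ike {
        /* Trace Phase 1/Phase 2 negotiation so the PFS group offered and
           accepted can be read back with "show log ike-debug". */
        traceoptions {
            file ike-debug size 1m files 3;   /* hypothetical file name */
            flag all;
        }
    }
    ipsec {
        /* The "standard" set is g2-esp-3des-sha and g2-esp-aes128-sha.
           The "g2" in the name does not configure PFS on its own; the DH
           group is still set here, on the policy, as the thread concludes.
           Omitting this stanza is the weak setting: the tunnel comes up
           without perfect forward secrecy for Phase 2 rekeys. */
        policy vpn-policy {                   /* hypothetical policy name */
            perfect-forward-secrecy {
                keys group2;                  /* matches the g2 of the standard set */
            }
            proposal-set standard;
        }
        /* Note: group2 (1024-bit MODP) and 3des are dated choices; the
           standard set is shown because it is what the question asks about. */
        vpn to-branch {                       /* hypothetical VPN name */
            bind-interface st0.0;
            ike {
                gateway branch-gw;            /* assumed to exist under security ike */
                ipsec-policy vpn-policy;
            }
            establish-tunnels immediately;
        }
    }
}
```

After commit, "show security ipsec security-associations detail" and "show log ike-debug" show the negotiated Phase 2 parameters, including the DH group used for PFS.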