Thursday, December 11, 2014

Juniper Proposal sets IKE/IPSEC

When building VPNs on SRX platforms, you need to be aware of the built-in proposal sets. Juniper has three canned proposal sets, known simply as:

basic
standard
compatible

basic offers DES with DH group 1 and SHA1 or MD5 authentication.

NOTE: I never recommend the above for a VPN.

standard offers slightly stronger and more proposals, such as 3DES with DH group 2 and SHA1, or AES128 with DH group 2 and SHA1.

NOTE: This is the minimum acceptable set of proposals that should be used, IMHO.

compatible offers a few more options:
                       3DES with DH-group2 SHA1
                       3DES with DH-group2 MD5
                       DES with DH-group2 SHA1
                       DES with DH-group2 MD5


You need to be aware of the differences between these proposal sets, and of which algorithms are available within each, when you reference a proposal-set from an ipsec-vpn rather than a hand-built proposal.


Ideally, you should craft your own proposals and define them for both IKE and IPsec. (Junos does not accept sha-128 or sha-192 as IKE authentication-algorithm keywords; sha-256 and sha-384 are the valid values in that range, so those are used below.)

set security ike proposal AES128-SHA128-DH5 authentication-method pre-shared-keys
set security ike proposal AES128-SHA128-DH5 dh-group group5
set security ike proposal AES128-SHA128-DH5 authentication-algorithm sha-256
set security ike proposal AES128-SHA128-DH5 encryption-algorithm aes-128-cbc
set security ike proposal AES128-SHA128-DH5 lifetime-seconds 28800

set security ike proposal AES192-SHA192-DH5 authentication-method pre-shared-keys
set security ike proposal AES192-SHA192-DH5 dh-group group5
set security ike proposal AES192-SHA192-DH5 authentication-algorithm sha-384
set security ike proposal AES192-SHA192-DH5 encryption-algorithm aes-192-cbc
set security ike proposal AES192-SHA192-DH5 lifetime-seconds 28800



and, for the IPsec (Phase 2) proposals (Junos ESP authentication-algorithm keywords are lowercase; hmac-sha-256-128 and hmac-sha-384-192 are the valid forms of the values the original used):

set security ipsec proposal ESP-AES128-SHA256 protocol esp
set security ipsec proposal ESP-AES128-SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-AES128-SHA256 encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-AES128-SHA256 lifetime-seconds 3600

set security ipsec proposal ESP-AES256-SHA192 protocol esp
set security ipsec proposal ESP-AES256-SHA192 authentication-algorithm hmac-sha-384-192
set security ipsec proposal ESP-AES256-SHA192 encryption-algorithm aes-192-cbc
set security ipsec proposal ESP-AES256-SHA192 lifetime-seconds 3600



For DH groups, you should aim for DH group 14 or higher, if the far-end peer supports it.

Try to avoid DH groups 1 and 2. Even DH group 5 should not be used, but it is the minimum acceptable group for interoperability: almost all VPN security devices support DH group 5. Enable PFS when you can, and whenever you need the strongest security. PFS ensures that new key generation is done from a fresh Diffie-Hellman exchange rather than from the previous phase's keys.
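As an added illustration (not from the original post), the following Python audit applies the post's rules to a block of Junos set commands: it flags the "basic" set's DES/MD5, rejects authentication-algorithm keywords Junos does not know, and grades the IKE DH group against the group5-minimum / group14-preferred advice. The keyword sets and the sample config are my own assumptions and constructed input.

```python
import re
# Keyword sets are my assumption of SRX Junos values; sha-128 / sha-192 as written on the page are not valid.
VALID_IKE_AUTH = {"md5", "sha1", "sha-256", "sha-384"}
VALID_ESP_AUTH = {"hmac-md5-96", "hmac-sha1-96", "hmac-sha-256-128", "hmac-sha-384-192"}
WEAK_ENC = {"des-cbc"}  # the cipher of the "basic" proposal set
WEAK_AUTH = {"md5", "hmac-md5-96"}
LINE_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")

def parse_proposals(config):
    """Group 'set security {ike|ipsec} proposal NAME KEY VALUE' lines by proposal."""
    proposals = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            kind, name, key, value = m.groups()
            proposals.setdefault((kind, name), {})[key] = value
    return proposals

def audit_proposal(kind, settings):
    """Return findings for one proposal; an empty list means it passes the post's rules."""
    findings = []
    enc = settings.get("encryption-algorithm", "")
    auth = settings.get("authentication-algorithm", "")
    if enc in WEAK_ENC:
        findings.append(f"weak encryption {enc}")
    if auth not in (VALID_IKE_AUTH if kind == "ike" else VALID_ESP_AUTH):
        findings.append(f"unknown authentication-algorithm {auth!r}")
    elif auth in WEAK_AUTH:
        findings.append(f"weak authentication {auth}")
    if kind == "ike":  # dh-group lives on the IKE proposal (PFS group on the ipsec policy is not checked here)
        group = settings.get("dh-group", "")
        num = int(group[5:]) if group.startswith("group") and group[5:].isdigit() else 0
        if num < 5:
            findings.append(f"dh-group {group or 'missing'}: avoid group1/group2")
        elif num < 14:
            findings.append(f"dh-group {group}: interop minimum, prefer group14 or higher")
    return findings

def audit_config(config):
    """Map 'kind name' -> findings for every proposal in a block of set commands."""
    return {f"{k} {n}": audit_proposal(k, s) for (k, n), s in parse_proposals(config).items()}

# Constructed sample: the page's first IKE proposal as originally typed, a stronger one, and a "basic"-style ESP one.
SAMPLE_CONFIG = """set security ike proposal AES128-SHA128-DH5 dh-group group5
set security ike proposal AES128-SHA128-DH5 authentication-algorithm sha-128
set security ike proposal AES256-SHA256-DH14 dh-group group14
set security ike proposal AES256-SHA256-DH14 authentication-algorithm sha-256
set security ipsec proposal ESP-DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-DES-MD5 encryption-algorithm des-cbc"""
```

Run audit_config(SAMPLE_CONFIG) to see the findings per proposal; a proposal with an empty list is clean under these rules.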

Even if someone knew your PSK, for example, they could not break your encryption without brute force, and that would take millions of years.
Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      @
      /   \

2 comments:

  1. So, going all the way Juniper, what are the cons and pros, besides cost, of using Juniper gear vs. Cisco gear? Obviously using comparable gear where applicable.
    Any words of wisdom on this?

  2. Buhofromepn,

    1st thanks for the reply.

    Now does that question pertain to routers/switches/firewalls?

    There are differences between Cisco and Juniper in these areas; minor, but differences do exist. Cost wise, the differences are minor and it boils down to what you need/want.

    A few differences that should be noted in an SRX vs. ASA:

    SRX & ASA

    The cost per 1 Gbps of session bandwidth is about the same, maybe slightly better on an SRX, since these platforms typically are better on paper in numbers.

    The SRXs have WAN-module interface options on most branch models up to the bigger chassis. Cisco has never competed in this area. You can get T1/E1, ISDN, 3G, ADSL within a model, and in some cases an add-on slot is available.

    Cisco support contracts are always slightly higher, so if you have, let's say, 100+ devices this could eat a big hole in your yearly IT budget.

    Juniper JTAC has over the last 10 years been less faithful, so expect more hardware failure and more outages.

    Cisco RMA is outstanding, effective, quick and easy to resolve, but Cisco technical support has been lacking and falling off since my interactions with TAC as late as the mid-to-late 90s.

    ASA OS and Junos: the folks at Juniper actually fix stuff in a new release. I personally think more QC is used at Juniper than on Cisco ASA, and the releases are longer between being made available. You almost never see a Junos release pulled because of an oops.....

    Feature wise, the UTM structure is much better in an SRX than an ASA, but if you're looking at IPS, the ASA has a slight neck farther across the finish line IMHO, but it is a hardware module & limited. If you need IPS, get a dedicated IPS appliance.

    Wireless LAN controller integration: Juniper SRX = YES; the Cisco ASA ....not on the map at this time. I don't see that (Cisco) happening in the future, and if you need a full wireless LAN, you probably need a dedicated wireless controller IMHO.

    But with regards to SSL VPN, it's a plus for the Cisco ASA and the Juniper SRX is not even on the map. You need yet another Juniper appliance for SSL VPNs.

    Integral dial backup: the SRXs also stand ahead of Cisco with a supported 3G/4G add-on on some of the smaller branch models.

    For routing features, hands down Juniper has been quite a few steps ahead of not only Cisco, but everybody else as far as that goes. Heck, the Cisco ASA has just barely gotten dynamic routing within a multi-context.

    Bottom line: Cisco is multiple boxes and numerous licenses, while the SRXs are not as many but still heavily licensed.

    I will try to put together an SRX vs. ASA blog thread before the year end, since I get asked this exact same question just about every other month.
