
Junos® OS

IKE and ESP ALG Feature Guide for Security Devices

Release 12.1X46-D10

Modified: 2016-01-27

Copyright © 2016, Juniper Networks, Inc.

Juniper Networks, Inc.

1133 Innovation Way

Sunnyvale, California 94089

USA

408-745-2000 www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United

States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS IKE and ESP ALG Feature Guide for Security Devices 12.1X46-D10

Copyright © 2016, Juniper Networks, Inc.

All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . vii
    Documentation and Release Notes . . . . . vii
    Supported Platforms . . . . . vii
    Using the Examples in This Manual . . . . . vii
        Merging a Full Example . . . . . viii
        Merging a Snippet . . . . . viii
    Documentation Conventions . . . . . ix
    Documentation Feedback . . . . . xi
    Requesting Technical Support . . . . . xi
        Self-Help Online Tools and Resources . . . . . xi
        Opening a Case with JTAC . . . . . xii

Part 1    Overview

Chapter 1    Basics . . . . . 3
    Understanding ALG for IKE and ESP . . . . . 3
    Understanding IKE and ESP ALG Operation . . . . . 4

Part 2    Configuration

Chapter 2    IKE and ESP ALG and Timeouts . . . . . 9
    Example: Configuring the IKE and ESP ALG . . . . . 9
    Example: Enabling IKE and ESP ALG and Setting Timeouts . . . . . 14

Chapter 3    Configuration Statements . . . . . 17
    Applications Configuration Statement Hierarchy . . . . . 17
    [edit security alg] Hierarchy Level . . . . . 18
    [edit security policies] Hierarchy Level . . . . . 22
    alg . . . . . 27
    alg (Applications) . . . . . 32
    ike-esp-nat . . . . . 33
    alg-manager . . . . . 34
    support-lib . . . . . 34
    application-protocol (Applications) . . . . . 35
    ftp (Security ALG) . . . . . 36
    ike (Security) . . . . . 37
    nat-pat-address . . . . . 39
    policy (Security Policies) . . . . . 40
    rtsp . . . . . 42
    source-nat . . . . . 43
    sql . . . . . 44
    talk . . . . . 45
    tftp (Security ALG) . . . . . 46
    traceoptions (Security ALG) . . . . . 47

Part 3    Administration

Chapter 4    Operational Commands . . . . . 51
    clear security alg ike-esp-nat . . . . . 52
    show security alg ike-esp-nat summary . . . . . 53
    show security zones . . . . . 54
    show security zones type . . . . . 57

Part 4    Index

Index . . . . . 63


List of Tables

About the Documentation . . . . . vii
    Table 1: Notice Icons . . . . . ix
    Table 2: Text and Syntax Conventions . . . . . ix

Part 3    Administration

Chapter 4    Operational Commands . . . . . 51
    Table 3: show security zones Output Fields . . . . . 54
    Table 4: show security zones type Output Fields . . . . . 57


About the Documentation

Documentation and Release Notes on page vii

Supported Platforms on page vii

Using the Examples in This Manual on page vii

Documentation Conventions on page ix

Documentation Feedback on page xi

Requesting Technical Support on page xi

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• J Series

• SRX Series

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.


If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }

2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete

Merging a Snippet

To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

   For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

   commit {
       file ex-script-snippet.xsl;
   }

2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

   [edit]
   user@host# edit system scripts
   [edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete

For more information about the load command, see the CLI User Guide.

Documentation Conventions

Table 1 on page ix defines notice icons used in this guide.

Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page ix defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (indention, braces, and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1

Overview

Basics on page 3


CHAPTER 1

Basics

Understanding ALG for IKE and ESP on page 3

Understanding IKE and ESP ALG Operation on page 4

Understanding ALG for IKE and ESP

Supported Platforms: J Series, SRX Series

An SRX Series device can be used solely as a Network Address Translation (NAT) device when placed between VPN clients on the private side of the NAT gateway and the virtual private network (VPN) gateways on the public side.

Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and if the device assigns the same NAT-generated IP address to two or more clients, the device will be unable to distinguish and route return traffic properly.

NOTE: If the user wants to support both NAT-T-capable and non-NAT-T-capable clients, then some additional configurations are required. If there are NAT-T capable clients, the user must enable the source NAT address persistence.

ALG for IKE and ESP monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange between any given client/server pair, not just one exchange between any client and any server.

ALG for IKE and ESP traffic has been created and NAT has been enhanced to implement the following:

• To enable the SRX Series to pass IKE and ESP traffic with a source NAT pool

• To allow the device to be configured to return the same NAT-generated IP address for the same IP address without NAT ("address-persistent NAT"). As a result, the device is able to associate a client's outgoing IKE traffic with its return traffic from the server, especially when the IKE session times out and needs to be reestablished.


The resulting ESP traffic between the client and the server is also allowed, especially in the direction from the server to the client.

• The return ESP traffic matches the following:

  • The server IP address as source IP

  • The client IP address as destination IP

NOTE: In SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that will change the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500.
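The two failure modes this section describes (a re-established IKE session landing on a different NAT-generated address, and two non-NAT-T clients sharing one translated address so that the server's replies to UDP 500 cannot be told apart) can be worked through in a small model. The following Python is an added illustration written for this guide's text; it is not Junos OS code or Juniper's implementation. The round-robin pool allocation, the addresses, and the session-table layout are constructed assumptions of the model.

```python
"""Toy model of source NAT with and without address persistence.

Added illustration, not Junos OS code. Pool allocation order (round robin),
the addresses and the session table are assumptions made for the example.
"""
import itertools

IKE_PORT = 500  # IKE without NAT-T uses UDP 500 on both ends


class SourceNatPool:
    """Source NAT pool. With address_persistent=True a private address keeps
    the translated address it was first given for every later translation."""

    def __init__(self, addresses, address_persistent=False):
        self.addresses = list(addresses)
        self.address_persistent = address_persistent
        self._cycle = itertools.cycle(self.addresses)  # round-robin (assumption)
        self._bindings = {}   # private ip -> translated ip (persistent mode only)
        self.sessions = []    # (private_ip, translated_ip, port)

    def translate(self, private_ip, port=IKE_PORT):
        """Translate a client source address and record the session."""
        if self.address_persistent and private_ip in self._bindings:
            translated = self._bindings[private_ip]
        else:
            translated = next(self._cycle)
            if self.address_persistent:
                self._bindings[private_ip] = translated
        self.sessions.append((private_ip, translated, port))
        return translated

    def expire(self, private_ip):
        """Session timeout: the session is forgotten, persistent bindings stay."""
        self.sessions = [s for s in self.sessions if s[0] != private_ip]

    def return_candidates(self, translated_ip, port=IKE_PORT):
        """Private addresses a reply to translated_ip:port could belong to.
        More than one candidate means return traffic cannot be routed properly."""
        return sorted({s[0] for s in self.sessions
                       if s[1] == translated_ip and s[2] == port})


def reestablish_keeps_address(persistent):
    """A client builds an IKE session, it times out, the client rebuilds it.
    Returns True when both attempts were translated to the same address."""
    pool = SourceNatPool(["10.10.10.1", "10.10.10.2"], address_persistent=persistent)
    first = pool.translate("1.1.1.5")
    pool.expire("1.1.1.5")
    second = pool.translate("1.1.1.5")
    return first == second


def shared_address_is_ambiguous():
    """Two non-NAT-T clients land on the same translated address: the server's
    reply to that address on UDP 500 matches both of them."""
    pool = SourceNatPool(["10.10.10.1"])  # one-address pool forces sharing
    pool.translate("1.1.1.5")
    pool.translate("1.1.1.6")
    return pool.return_candidates("10.10.10.1")


if __name__ == "__main__":
    print("address-persistent keeps address:", reestablish_keeps_address(True))
    print("non-persistent keeps address:", reestablish_keeps_address(False))
    print("clients behind the shared address:", shared_address_is_ambiguous())
```

With address persistence the re-established session is translated to the address the server already knows, which is what lets the device associate the client's outgoing IKE traffic with the server's return traffic; without it the second attempt may draw a different pool address. The shared-address case is independent of persistence and is why non-NAT-T clients need the ALG described in the rest of this chapter.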

Related Documentation

Understanding IKE and ESP ALG Operation

Supported Platforms: J Series, SRX Series

Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic has the following behavior:

• An IKE and ESP ALG monitors IKE traffic between the client and the server, and it permits only one IKE Phase 2 message exchange between the client and the server at any given time.

• For a Phase 2 message:

  • If a Phase 2 message exchange between the client and server has not yet happened, the IKE ALG gates are opened for the relevant ESP traffic from the client to the server and from the server to the client.

  • If both IKE ALG gates are not opened successfully, or if the Phase 2 message exchange already took place, then the Phase 2 message is dropped.

• When ESP traffic hits the IKE ALG gates, sessions are created to capture subsequent ESP traffic and to perform the proper NATing (that is, source IP address translation for client-to-server traffic and destination IP address translation for server-to-client traffic).

• When the ESP traffic does not hit either one or both of the gates, the gates naturally time out.

• Once the IKE ALG gates are collapsed or timed out, another IKE Phase 2 message exchange is permitted.

• IKE NAT-T traffic on floating port 4500 is processed in an IKE ALG. To support a mixture of NAT-T-capable and non-capable clients, you need to enable persistent source NAT translation (address-persistent).
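The gate and session behavior described above, modelled as a small state machine so the ordering rules can be checked: a Phase 2 exchange opens one gate per direction, a second Phase 2 message while the gates are open is dropped, ESP hitting a gate turns it into a NATed session, unhit gates time out, and once no gate remains open a new Phase 2 exchange is permitted. This is an added example written for this guide's text, not Junos OS code; the explicit `now` clock, the timeout value, and the client, server, and translated addresses are assumptions of the model.

```python
"""Toy state machine for the IKE and ESP ALG gates described above.

Added illustration, not Junos OS code. The explicit clock, the timeout and
the addresses are assumptions of the model.
"""


class IkeEspAlg:
    """Per client/server pair: one Phase 2 exchange opens an ESP gate in each
    direction; ESP hitting a gate collapses it into a session; gates that are
    not hit time out. Sessions carry the NAT translation to apply."""

    def __init__(self, gate_timeout, nat_map):
        self.gate_timeout = gate_timeout
        self.nat_map = dict(nat_map)   # client private ip -> translated ip
        self.gates = {}                # (src, dst) -> (expiry, translated (src, dst))
        self.sessions = {}             # (src, dst) -> translated (src, dst)

    def _expire(self, now):
        """Drop gates whose timeout has passed."""
        self.gates = {k: v for k, v in self.gates.items() if v[0] > now}

    def phase2(self, client, server, now):
        """Handle an IKE Phase 2 message. Returns 'permit' or 'drop'."""
        self._expire(now)
        nat_ip = self.nat_map[client]
        fwd, rev = (client, server), (server, nat_ip)
        if fwd in self.gates or rev in self.gates:
            return "drop"  # an exchange for this pair already took place
        expiry = now + self.gate_timeout
        self.gates[fwd] = (expiry, (nat_ip, server))  # source NAT, client -> server
        self.gates[rev] = (expiry, (server, client))  # destination NAT, server -> client
        return "permit"

    def esp(self, src, dst, now):
        """Handle an ESP packet. Returns the translated (src, dst) when the
        packet matches a session or opens one from a gate, else None."""
        self._expire(now)
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        if key in self.gates:
            self.sessions[key] = self.gates.pop(key)[1]  # gate collapses into a session
            return self.sessions[key]
        return None


# Constructed addresses for the scenarios below.
CLIENT, SERVER, NAT_IP = "1.1.1.5", "2.2.2.10", "10.10.10.1"
NAT_MAP = {CLIENT: NAT_IP}


def scenario_normal():
    """Phase 2, a duplicate Phase 2, ESP in both directions, then a new Phase 2."""
    alg = IkeEspAlg(gate_timeout=30, nat_map=NAT_MAP)
    return [
        alg.phase2(CLIENT, SERVER, now=0),   # permit: both gates open
        alg.phase2(CLIENT, SERVER, now=1),   # drop: exchange already pending
        alg.esp(CLIENT, SERVER, now=2),      # source NAT applied
        alg.esp(SERVER, NAT_IP, now=3),      # destination NAT applied
        alg.phase2(CLIENT, SERVER, now=4),   # permit: gates have collapsed
    ]


def scenario_timeout():
    """No ESP arrives; after the timeout the gates are gone and a stray ESP
    packet is not matched, but a fresh Phase 2 exchange is permitted."""
    alg = IkeEspAlg(gate_timeout=30, nat_map=NAT_MAP)
    first = alg.phase2(CLIENT, SERVER, now=0)
    stray = alg.esp(SERVER, NAT_IP, now=31)
    second = alg.phase2(CLIENT, SERVER, now=31)
    return first, stray, second


if __name__ == "__main__":
    print(scenario_normal())
    print(scenario_timeout())
```

The model keys the server-to-client gate on the translated address, since that is the destination the server actually sends to; the session stored for it rewrites the destination back to the client's private address, which is the destination IP translation the text describes.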

Related Documentation

ALG Overview

NAT Overview

Understanding ALG for IKE and ESP on page 3

Example: Configuring the IKE and ESP ALG on page 9

Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14


PART 2

Configuration

IKE and ESP ALG and Timeouts on page 9

Configuration Statements on page 17


CHAPTER 2

IKE and ESP ALG and Timeouts

Example: Configuring the IKE and ESP ALG on page 9

Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14

Example: Configuring the IKE and ESP ALG

Supported Platforms: J Series, SRX Series

This example shows how to configure the IKE and ESP ALG to pass through IKE and ESP traffic with a source NAT pool on Juniper Networks devices.

Requirements on page 9

Overview on page 9

Configuration on page 10

Verification on page 14

Requirements

Before you begin:

• Configure proxy ARP for all IP addresses in the source NAT pool.

• Understand the concepts behind IKE and ESP ALG. See “Understanding IKE and ESP ALG Operation” on page 4.

Overview

In this example, the ALG for IKE and ESP is configured to monitor and allow IKE and ESP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.

This example shows how to configure a source NAT pool and rule set, configure a custom application to support the IKE and ESP ALG, and associate this ALG to a policy.

If you want to support a mixture of NAT-traversal (NAT-T) capable clients and noncapable clients, you must enable persistent source NAT translation (so that once a particular source NAT is associated with a given IP address, subsequent source NAT translations use the same IP address). You also must configure a custom IKE NAT traversal application to support the encapsulation of IKE and ESP in UDP port 4500. This configuration enables IKE and ESP to pass through the NAT-enabled device.

Configuration

Configuring a NAT Source Pool and Rule Set on page 10

Configuring a Custom Application and Associating it to a Policy on page 11

Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients on page 13

Configuring a NAT Source Pool and Rule Set

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
set security zones security-zone green address-book address sa1 1.1.1.0/24
set security zones security-zone red address-book address da1 2.2.2.0/24
set security nat source rule-set rs1 from zone green
set security nat source rule-set rs1 to zone red
set security nat source rule-set rs1 rule r1 match source-address 1.1.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 2.2.2.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool pool1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a source NAT pool:

1. Create a NAT source pool.

   [edit]
   user@host# set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32

2. Configure security zone address book entries.

   [edit]
   user@host# set security zones security-zone green address-book address sa1 1.1.1.0/24
   user@host# set security zones security-zone red address-book address da1 2.2.2.0/24

3. Create a NAT source rule set.

   [edit security nat source rule-set rs1]
   user@host# set from zone green
   user@host# set to zone red
   user@host# set rule r1 match source-address 1.1.1.0/24
   user@host# set rule r1 match destination-address 2.2.2.0/24
   user@host# set rule r1 then source-nat pool pool1


Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security nat
source {
    pool pool1 {
        address {
            10.10.10.1/32 to 10.10.10.10/32;
        }
    }
    rule-set rs1 {
        from zone green;
        to zone red;
        rule r1 {
            match {
                source-address 1.1.1.0/24;
                destination-address 2.2.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool1;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring a Custom Application and Associating it to a Policy

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-alg
set security policies from-zone green to-zone red policy pol1 then permit

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a custom application and associate it to a policy:

1. Configure a custom application.

   [edit]
   user@host# set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat

2. Associate the custom application to a policy.

   [edit security policies from-zone green to-zone red policy pol1]
   user@host# set match source-address sa1
   user@host# set match destination-address da1
   user@host# set match application custom-ike-alg
   user@host# set then permit

Results

From configuration mode, confirm your configuration by entering the show applications and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show applications
application custom-ike-alg {
    application-protocol ike-esp-nat;
    protocol udp;
    source-port 500;
    destination-port 500;
}

[edit]
user@host# show security zones
security-zone Trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone green {
    address-book {
        address sa1 1.1.1.0/24;
    }
}
security-zone red {
    address-book {
        address da1 2.2.2.0/24;
    }
}

If you are done configuring the device, enter commit from configuration mode.


Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security nat source address-persistent
set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt
set security policies from-zone green to-zone red policy pol1 then permit

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure IKE and ESP ALG support for both NAT-T capable and noncapable clients:

1. Globally enable persistent source NAT translation.

   [edit]
   user@host# set security nat source address-persistent

2. Configure the IKE NAT-T application.

   [edit]
   user@host# set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500

3. Associate the NAT-T application using a policy.

   [edit security policies from-zone green to-zone red policy pol1]
   user@host# set match source-address sa1
   user@host# set match destination-address da1
   user@host# set match application custom-ike-natt
   user@host# set then permit

Results

From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    address-persistent;
}

[edit]
user@host# show security policies
from-zone green to-zone red {
    policy pol1 {
        match {
            source-address sa1;
            destination-address da1;
            application [ custom-ike-alg custom-ike-natt ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}

If you are done configuring the device, enter commit from configuration mode.
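The three steps above amount to three configuration facts that must all be present before NAT-T clients can traverse the ALG: persistent source NAT, a custom application for UDP port 4500, and a policy that references that application and permits it. The following Python audit is an added example and not part of the Juniper guide; it parses the flat set commands from the CLI Quick Configuration block (embedded below as the constructed sample input) and reports which of the three facts are missing. The function names, the regular expressions and the model it builds are assumptions of this example, not a Junos API.

```python
"""Audit a Junos 'set' snippet for the IKE and ESP ALG NAT-T prerequisites.

Added example, not Juniper code. It checks that persistent source NAT is on,
that a custom UDP/4500 application exists, and that a policy both references
that application and permits it. The zone, address and application names come
from the guide's example; the parser and its data model are this example's own.
"""
import re
from typing import List

# Constructed input: the quick-configuration commands from this section, one per line.
SAMPLE_CONFIG = """
set security nat source address-persistent
set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt
set security policies from-zone green to-zone red policy pol1 then permit
"""

APP_RE = re.compile(
    r"^set applications application (\S+) protocol (\S+) source-port (\d+) destination-port (\d+)$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)


def parse_set_commands(text: str) -> dict:
    """Build a small model (persistent-NAT flag, applications, policies) from 'set' lines."""
    model = {"address_persistent": False, "applications": {}, "policies": {}}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "set security nat source address-persistent":
            model["address_persistent"] = True
            continue
        m = APP_RE.match(line)
        if m:
            name, proto, sport, dport = m.groups()
            model["applications"][name] = {
                "protocol": proto, "source_port": int(sport), "destination_port": int(dport)}
            continue
        m = POLICY_RE.match(line)
        if m:
            fz, tz, name, clause, rest = m.groups()
            pol = model["policies"].setdefault((fz, tz, name), {"match": {}, "then": set()})
            if clause == "match":
                key, value = rest.split(None, 1)
                pol["match"].setdefault(key, []).append(value)
            else:
                pol["then"].add(rest)
    return model


def audit_natt(model: dict) -> List[str]:
    """Return findings; an empty list means all three NAT-T prerequisites are present."""
    findings = []
    if not model["address_persistent"]:
        findings.append("persistent source NAT is not enabled (set security nat source address-persistent)")
    natt_apps = [n for n, a in model["applications"].items()
                 if a["protocol"] == "udp" and a["destination_port"] == 4500]
    if not natt_apps:
        findings.append("no custom application for UDP destination port 4500 (IKE NAT-T)")
    referenced = False
    for (fz, tz, name), pol in model["policies"].items():
        if any(a in natt_apps for a in pol["match"].get("application", [])):
            referenced = True
            if "permit" not in pol["then"]:
                findings.append(f"policy {name} ({fz}->{tz}) references the NAT-T application but does not permit it")
    if natt_apps and not referenced:
        findings.append("no policy references the NAT-T application")
    return findings


if __name__ == "__main__":
    print(audit_natt(parse_set_commands(SAMPLE_CONFIG)) or "NAT-T prerequisites present")
```

Run against the guide's commands the audit returns no findings; drop the address-persistent line or change the policy action and it names the missing piece, which is the check worth running before commit on a device that fronts many NAT-T clients.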

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying IKE and ESP ALG Custom Applications on page 14

Verifying the NAT Source Pool and Rule Set on page 14

Verifying IKE and ESP ALG Custom Applications

Purpose Verify whether the custom applications that support the IKE and ESP ALG are enabled.

Action From operational mode, enter the show applications command.

Verifying the NAT Source Pool and Rule Set

Purpose Verify that the NAT source pool and rule set used to support the IKE and ESP ALG are working properly.

Action From operational mode, enter the show security nat command.

Related Documentation

IKE and ESP ALG Feature Guide for Security Devices

ALG Overview

Understanding ALG for IKE and ESP on page 3

Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14

Example: Enabling IKE and ESP ALG and Setting Timeouts

Supported Platforms J Series, SRX Series

14 Copyright © 2016, Juniper Networks, Inc.

Chapter 2: IKE and ESP ALG and Timeouts

This example shows how to enable the IKE and ESP ALG and set the timeout values to allow time for the ALG to process ALG state information, ESP gates, and ESP sessions.

Requirements on page 15

Overview on page 15

Configuration on page 15

Verification on page 16

Requirements

Understand the concepts behind ALG for IKE and ESP. See “Understanding IKE and ESP ALG Operation” on page 4.

Overview

The IKE and ESP ALG processes all traffic specified in any policy to which the ALG is attached. In this example, you configure the set security alg ike-esp-nat enable statement so that the current default IPsec pass-through behavior is disabled for all IPsec pass-through traffic, regardless of policy.

You then set the timeout values to allow time for the IKE and ESP ALG to process ALG state information, ESP gates, and ESP sessions. In this example, you set the timeout of ALG state information. The timeout range is 180 through 86400 seconds. The default timeout is 14400 seconds. You then set the timeout of the ESP gates created after an IKE Phase 2 exchange has completed. The timeout range is 2 through 30 seconds. The default timeout is 5 seconds. Finally, you set the idle timeout of the ESP sessions created from the IPsec gates. If no traffic hits the session, it is aged out after this period of time. The timeout range is 60 through 2400 seconds. The default timeout is 1800 seconds.
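The overview gives three timers with different jobs, and the consequences of each are easiest to see on a timeline. The following Python model is an added example, not Juniper code: it applies the ranges and defaults stated above and simulates the lifecycle the overview describes (ALG state for the IKE negotiation, an ESP gate opened when Phase 2 completes, an ESP session created from that gate). The lifecycle rules in the model, that the first ESP packet consumes the gate and that a session ages out once idle longer than esp-session-timeout, are a simplification assumed for illustration, and the packet timings are constructed.

```python
"""Model of the three IKE and ESP ALG timeouts described in the overview.

Added example (not Juniper code). It applies the documented ranges and defaults
for [edit security alg ike-esp-nat] and simulates a simplified gate-to-session
lifecycle so the effect of each timeout is visible. The lifecycle rules are an
assumption of this model; the timings are constructed.
"""
from typing import Dict, List, Optional

# (minimum, maximum, default) in seconds, as documented for ike-esp-nat
TIMEOUT_LIMITS = {
    "state-timeout": (180, 86400, 14400),
    "esp-gate-timeout": (2, 30, 5),
    "esp-session-timeout": (60, 2400, 1800),
}


def effective_timeouts(configured: Dict[str, int]) -> Dict[str, int]:
    """Fill in defaults for unset timeouts and reject values outside the documented range."""
    unknown = set(configured) - set(TIMEOUT_LIMITS)
    if unknown:
        raise ValueError(f"unknown ike-esp-nat timeouts: {sorted(unknown)}")
    result = {}
    for name, (low, high, default) in TIMEOUT_LIMITS.items():
        value = configured.get(name, default)
        if not low <= value <= high:
            raise ValueError(f"{name} {value} is outside {low}..{high} seconds")
        result[name] = value
    return result


def is_valid(configured: Dict[str, int]) -> bool:
    """True when every configured timeout is within its documented range."""
    try:
        effective_timeouts(configured)
        return True
    except ValueError:
        return False


class EspAlgModel:
    """Minimal state machine: IKE state -> ESP gate -> ESP session, each with its own timer."""

    def __init__(self, configured: Optional[Dict[str, int]] = None) -> None:
        t = effective_timeouts(configured or {})
        self.state_timeout = t["state-timeout"]
        self.gate_timeout = t["esp-gate-timeout"]
        self.session_timeout = t["esp-session-timeout"]
        self.state_expires: Optional[float] = None      # ALG state for the IKE negotiation
        self.gate_expires: Optional[float] = None       # gate opened after IKE Phase 2
        self.session_last_seen: Optional[float] = None  # ESP session, refreshed by traffic

    def ike_message(self, now: float) -> None:
        """An IKE message creates or refreshes the ALG state (assumed behaviour)."""
        self.state_expires = now + self.state_timeout

    def phase2_complete(self, now: float) -> str:
        """Phase 2 completion opens an ESP gate, provided the ALG state has not timed out."""
        if self.state_expires is None or now > self.state_expires:
            return "no-state"
        self.ike_message(now)
        self.gate_expires = now + self.gate_timeout
        return "gate-open"

    def esp_packet(self, now: float) -> str:
        """Classify an ESP packet: forwarded by a session, promoted from a gate, or dropped."""
        if self.session_last_seen is not None:
            if now - self.session_last_seen <= self.session_timeout:
                self.session_last_seen = now
                return "forwarded"
            self.session_last_seen = None       # idle longer than esp-session-timeout: aged out
        if self.gate_expires is not None and now <= self.gate_expires:
            self.gate_expires = None            # first ESP packet turns the gate into a session
            self.session_last_seen = now
            return "session-created"
        return "dropped"


def run_scenario(gate_timeout: int, first_esp_delay: float) -> List[str]:
    """Constructed timeline: Phase 2 at t=0, first ESP packet after a delay, then widening idle gaps."""
    alg = EspAlgModel({"esp-gate-timeout": gate_timeout})
    alg.ike_message(0.0)
    alg.phase2_complete(0.0)
    t0 = first_esp_delay
    return [
        alg.esp_packet(t0),          # inside or outside the gate window
        alg.esp_packet(t0 + 100),    # idle 100 s
        alg.esp_packet(t0 + 1900),   # idle exactly 1800 s, the default session timeout
        alg.esp_packet(t0 + 3701),   # idle 1801 s: session aged out and no gate remains
    ]


if __name__ == "__main__":
    print(run_scenario(5, 7), run_scenario(20, 7))
```

With the default 5-second gate, a first ESP packet that arrives 7 seconds after Phase 2 finds no gate and is dropped, and every later packet is dropped too because nothing re-opens the gate without new IKE activity; with the example's esp-gate-timeout of 20 the same packet creates the session. The trade-off the documented ranges bound is exactly that: a longer gate tolerates slow clients, a shorter one limits how long an unused pinhole stays open.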

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 20
set security alg ike-esp-nat esp-session-timeout 2400
set security alg ike-esp-nat state-timeout 360

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To enable the IKE and ESP ALG and set the timeout values:

1. Enable the IKE and ESP ALG.

   [edit]
   user@host# set security alg ike-esp-nat enable

2. Set the timeout for the ALG state information.

   [edit security alg ike-esp-nat]
   user@host# set state-timeout 360

3. Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.

   [edit security alg ike-esp-nat]
   user@host# set esp-gate-timeout 20

4. Set the idle timeout for the ESP sessions created from the IPsec gates.

   [edit security alg ike-esp-nat]
   user@host# set esp-session-timeout 2400

Results From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security alg
ike-esp-nat {
    enable;
    state-timeout 360;
    esp-gate-timeout 20;
    esp-session-timeout 2400;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the ALG for IKE and ESP and Timeout Settings on page 16

Verifying the ALG for IKE and ESP and Timeout Settings

Purpose Verify that the ALG for IKE and ESP is enabled and the timeout settings for this feature are correct.

Action From operational mode, enter the show security alg ike-esp-nat command.

Related Documentation

IKE and ESP ALG Feature Guide for Security Devices

ALG Overview

NAT Overview

Understanding ALG for IKE and ESP on page 3

Understanding IKE and ESP ALG Operation on page 4

Example: Configuring the IKE and ESP ALG on page 9


CHAPTER 3

Configuration Statements

Applications Configuration Statement Hierarchy on page 17

[edit security alg] Hierarchy Level on page 18

[edit security policies] Hierarchy Level on page 22

alg on page 27

alg (Applications) on page 32

ike-esp-nat on page 33

alg-manager on page 34

support-lib on page 34

application-protocol (Applications) on page 35

ftp (Security ALG) on page 36

ike (Security) on page 37

nat-pat-address on page 39

policy (Security Policies) on page 40

rtsp on page 42

source-nat on page 43

sql on page 44

talk on page 45

tftp (Security ALG) on page 46

traceoptions (Security ALG) on page 47

Applications Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the applications configuration hierarchy to configure applications properties and group applications objects.

applications {
    application application-name {
        application-protocol (dns | ftp | gprs-gtp-c | gprs-gtp-u | gprs-gtp-v0 | gprs-sctp | http | ignore | ike-esp-nat | mgcp-ca | mgcp-ua | ms-rpc | q931 | ras | realaudio | rsh | rtsp | sccp | sip | sqlnet-v2 | sun-rpc | talk | tftp);
        description text;
        destination-port port-identifier;
        do-not-translate-A-query-to-AAAA-query;
        do-not-translate-AAAA-query-to-A-query;
        ether-type hex-value;
        icmp-code value;
        icmp-type value;
        icmp6-code value;
        icmp6-type value;
        inactivity-timeout (seconds | never);
        protocol number;
        rpc-program-number number;
        source-port port-number;
        term term-name {
            alg application;
            destination-port port-identifier;
            icmp-code value;
            icmp-type value;
            icmp6-code value;
            icmp6-type value;
            inactivity-timeout (seconds | never);
            protocol number;
            rpc-program-number number;
            source-port port-number;
            uuid hex-value;
        }
        uuid hex-value;
    }
    application-set application-set-name {
        application application-name;
        application-set application-set-name;
        description text;
    }
}

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices

Security Policy Applications Feature Guide for Security Devices

[edit security alg] Hierarchy Level

Supported Platforms J Series, LN Series, SRX Series

security {
    alg {
        alg-manager {
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        alg-support-lib {
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        dns {
            disable;
            doctoring (none | sanity-check);
            maximum-message-length number;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        ftp {
            allow-mismatch-ip-address;
            disable;
            ftps-extension;
            line-break-extension;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        h323 {
            application-screen {
                message-flood {
                    gatekeeper {
                        threshold rate;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            endpoint-registration-timeout value-in-seconds;
            media-source-port-any;
            traceoptions {
                flag flag <detail | extensive | terse>;
            }
        }
        ike-esp-nat {
            enable;
            esp-gate-timeout value-in-seconds;
            esp-session-timeout value-in-seconds;
            state-timeout value-in-seconds;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        mgcp {
            application-screen {
                connection-flood {
                    threshold rate;
                }
                message-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            traceoptions {
                flag flag <extensive>;
            }
            transaction-timeout value-in-seconds;
        }
        msrpc {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        pptp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        rsh {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        rtsp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        sccp {
            application-screen {
                call-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            traceoptions {
                flag flag <extensive>;
            }
        }
        sip {
            application-screen {
                protect {
                    deny {
                        all {
                            timeout value-in-seconds;
                        }
                        destination-ip address;
                        timeout value-in-seconds;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            c-timeout value-in-minutes;
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            retain-hold-resource;
            t1-interval value-in-milliseconds;
            t4-interval value-in-seconds;
            traceoptions {
                flag flag <detail | extensive | terse>;
            }
        }
        sql {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        sunrpc {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        talk {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        tftp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            level (brief | detail | extensive | verbose);
            no-remote-trace;
        }
    }
}

Related Documentation

Security Configuration Statement Hierarchy

Junos OS Application Layer Gateways (ALGs) Library for Security Devices

[edit security policies] Hierarchy Level

Supported Platforms J Series, SRX Series

security {
    policies {
        default-policy (deny-all | permit-all);
        from-zone zone-name to-zone zone-name {
            policy policy-name {
                description description;
                match {
                    application {
                        [application];
                        any;
                    }
                    destination-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    destination-address-excluded;
                    source-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-address-excluded;
                    source-identity {
                        [role-name];
                        any;
                        authenticated-user;
                        unauthenticated-user;
                        unknown-user;
                    }
                }
                scheduler-name scheduler-name;
                then {
                    count {
                        alarm {
                            per-minute-threshold number;
                            per-second-threshold number;
                        }
                    }
                    deny;
                    log {
                        session-close;
                        session-init;
                    }
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rule-set-name;
                            }
                            application-traffic-control {
                                rule-set rule-set-name;
                            }
                            gprs-gtp-profile profile-name;
                            gprs-sctp-profile profile-name;
                            idp;
                            redirect-wx | reverse-redirect-wx;
                            ssl-proxy {
                                profile-name profile-name;
                            }
                            uac-policy {
                                captive-portal captive-portal;
                            }
                            utm-policy policy-name;
                        }
                        destination-address {
                            drop-translated;
                            drop-untranslated;
                        }
                        firewall-authentication {
                            pass-through {
                                access-profile profile-name;
                                client-match user-or-group-name;
                                ssl-termination-profile profile-name;
                                web-redirect;
                                web-redirect-to-https;
                            }
                            user-firewall {
                                access-profile profile-name;
                                ssl-termination-profile profile-name;
                            }
                            web-authentication {
                                client-match user-or-group-name;
                            }
                        }
                        services-offload;
                        tcp-options {
                            sequence-check-required;
                            syn-check-required;
                        }
                        tunnel {
                            ipsec-group-vpn group-vpn;
                            ipsec-vpn vpn-name;
                            pair-policy pair-policy;
                        }
                    }
                    reject;
                }
            }
        }
        global {
            policy policy-name {
                description description;
                match {
                    application {
                        [application];
                        any;
                    }
                    destination-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-identity {
                        [role-name];
                        any;
                        authenticated-user;
                        unauthenticated-user;
                        unknown-user;
                    }
                }
                scheduler-name scheduler-name;
                then {
                    count {
                        alarm {
                            per-minute-threshold number;
                            per-second-threshold number;
                        }
                    }
                    deny;
                    log {
                        session-close;
                        session-init;
                    }
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rule-set-name;
                            }
                            application-traffic-control {
                                rule-set rule-set-name;
                            }
                            gprs-gtp-profile profile-name;
                            gprs-sctp-profile profile-name;
                            idp;
                            redirect-wx | reverse-redirect-wx;
                            ssl-proxy {
                                profile-name profile-name;
                            }
                            uac-policy {
                                captive-portal captive-portal;
                            }
                            utm-policy policy-name;
                        }
                        destination-address {
                            drop-translated;
                            drop-untranslated;
                        }
                        firewall-authentication {
                            pass-through {
                                access-profile profile-name;
                                client-match user-or-group-name;
                                ssl-termination-profile profile-name;
                                web-redirect;
                                web-redirect-to-https;
                            }
                            user-firewall {
                                access-profile profile-name;
                                ssl-termination-profile profile-name;
                            }
                            web-authentication {
                                client-match user-or-group-name;
                            }
                        }
                        services-offload;
                        tcp-options {
                            sequence-check-required;
                            syn-check-required;
                        }
                    }
                    reject;
                }
            }
        }
        policy-rematch;
        policy-stats {
            system-wide (disable | enable);
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            flag flag;
            no-remote-trace;
        }
    }
}

Related Documentation

Security Configuration Statement Hierarchy

MPLS Feature Guide for Security Devices

Application Firewall Feature Guide for Security Devices

Application Quality of Service Feature Guide for Security Devices

Security Policies Feature Guide for Security Devices

Junos OS VPN Library for Security Devices

Junos OS Logical Systems Library for Security Devices

Unified Access Control Design and Implementation Guide for Security Devices

IDP Policies Feature Guide for Security Devices

Infranet Authentication Feature Guide for Security Devices


alg

Supported Platforms J Series, LN Series, SRX Series

Syntax

alg {
    alg-manager {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    alg-support-lib {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    dns {
        disable;
        doctoring (none | sanity-check);
        maximum-message-length number;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    ftp {
        allow-mismatch-ip-address;
        disable;
        ftps-extension;
        line-break-extension;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    h323 {
        application-screen {
            message-flood {
                gatekeeper {
                    threshold rate;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        endpoint-registration-timeout value-in-seconds;
        media-source-port-any;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    ike-esp-nat {
        enable;
        esp-gate-timeout value-in-seconds;
        esp-session-timeout value-in-seconds;
        state-timeout value-in-seconds;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    mgcp {
        application-screen {
            connection-flood {
                threshold rate;
            }
            message-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        traceoptions {
            flag flag <extensive>;
        }
        transaction-timeout value-in-seconds;
    }
    msrpc {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    pptp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    real {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rsh {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rtsp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sccp {
        application-screen {
            call-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        traceoptions {
            flag flag <extensive>;
        }
    }
    sip {
        application-screen {
            protect {
                deny {
                    all {
                        timeout value-in-seconds;
                    }
                    destination-ip address;
                    timeout value-in-seconds;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        c-timeout value-in-minutes;
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        retain-hold-resource;
        t1-interval value-in-milliseconds;
        t4-interval value-in-seconds;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    sql {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sunrpc {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    talk {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    tftp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);
            size maximum-file-size;
        }
        level (brief | detail | extensive | verbose);
        no-remote-trace;
    }
}

Hierarchy Level [edit security]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure an Application Layer Gateway (ALG) on the device. An ALG runs as a service and can be associated in policies with specified types of traffic. ALGs are enabled by default.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

Network Monitoring and Troubleshooting Guide for Security Devices

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


alg (Applications)

Supported Platforms SRX Series

Syntax alg application;

Hierarchy Level [edit applications application application-name <term term-name>]

Release Information Statement introduced in Junos OS Release 8.5. The ike-esp-nat option introduced in Junos OS Release 10.2.

Description Define an individual Application Layer Gateway (ALG).

Options

application—Name of the application. The following protocols are supported:

• dns—Domain Name Service

• ftp—File Transfer Protocol

• ignore —Ignore application type

• ike-esp-nat —IKE ESP NAT application protocol

• mgcp-ca —Media Gateway Control Protocol with Call Agent

• mgcp-ua —MGCP with User Agent

• ms-rpc —Microsoft RPC

• pptp —Point-to-Point Tunneling Protocol

• q931 —ISDN connection control protocol (Q.931)

• ras —Remote Access Service

• realaudio —RealAudio

• rsh —UNIX remote shell services

• rtsp —Real-Time Streaming Protocol

• sccp —Skinny Client Control Protocol

• sip —Session Initiation Protocol

• sqlnet-v2 —Oracle SQLNET v2

• sun-rpc —Sun Microsystems RPC

• talk —TALK program

• tftp —Trivial File Transfer Protocol

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

term (Applications)


ike-esp-nat

Supported Platforms J Series , SRX Series

Syntax

ike-esp-nat {
    enable;
    esp-gate-timeout seconds;
    esp-session-timeout seconds;
    state-timeout seconds;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic with Network Address Translation (NAT).

Options

• enable—Enable the IKE-ESP ALG.

• esp-gate-timeout seconds—Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.

Range: 2 through 30 seconds.

Default: 5 seconds.

• esp-session-timeout seconds—Set the idle timeout for the ESP sessions created from the IPsec gates.

Range: 60 through 2400 seconds.

Default: 1800 seconds.

• state-timeout seconds—Set the timeout for the ALG state information.

Range: 180 through 86,400 seconds.

Default: 14,400 seconds.

• traceoptions—Set the IKE-ESP ALG trace options.

• flag—Specify which tracing operation to perform.

• all—Trace all operations.

• extensive—Set trace verbosity level to extensive.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.


Related Documentation

IKE and ESP ALG Feature Guide for Security Devices

alg-manager

Supported Platforms J Series, SRX Series

Syntax

alg-manager {
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level [edit security alg]

Description Configure the Application Layer Gateway (ALG) manager.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices

support-lib

Supported Platforms J Series, SRX Series

Syntax

alg-support-lib {
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure the Application Layer Gateway (ALG) support library.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


application-protocol (Applications)

Supported Platforms J Series , LN Series , SRX Series

Syntax application-protocol (dns | ftp | http | ignore | ike-esp-nat | mgcp-ca | mgcp-ua | ms-rpc | q931 | ras | realaudio | rsh | rtsp | sccp | sip | sqlnet-v2 | sun-rpc | talk | tftp);

Hierarchy Level [edit applications application application-name]

Release Information Statement modified in Junos OS Release 8.5. The ike-esp-nat option introduced in Junos OS Release 10.2.

Description Identify the application protocol name. The following protocols are supported:

• dns—Domain Name Service

• ftp—File Transfer Protocol

• ignore—Ignore application type

• ike-esp-nat —IKE ESP NAT application protocol

• mgcp-ca —Media Gateway Control Protocol with Call Agent

• mgcp-ua —MGCP with User Agent

• ms-rpc —Microsoft RPC

• pptp —Point-to-Point Tunneling Protocol

• q931 —ISDN connection control protocol (Q.931)

• ras —Remote Access Service

• realaudio —RealAudio

• rsh —UNIX remote shell services

• rtsp —Real-Time Streaming Protocol

• sccp —Skinny Client Control Protocol

• sip —Session Initiation Protocol

• sqlnet-v2 —Oracle SQLNET v2

• sun-rpc —Sun Microsystems RPC

• talk —TALK program

• tftp —Trivial File Transfer Protocol

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

Security Policy Applications Feature Guide for Security Devices


ftp (Security ALG)

Supported Platforms J Series , SRX Series

Syntax

ftp {
    allow-mismatch-ip-address;
    disable;
    ftps-extension;
    line-break-extension;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level [edit security alg]

Release Information Statement modified in Junos OS Release 11.4.

Description Specify the FTP ALG on the device.

Options

• disable—Disable the FTP ALG. By default, the FTP ALG is enabled. This option enables or disables the FTP ALG for both IPv4 and IPv6 mode.

• ftps-extension—Enable secure FTP and FTP SSL protocols.

• line-break-extension—Enable the line-break extension. This option enables the FTP ALG to recognize LF as a line break in addition to the standard CR+LF (carriage return followed by line feed).

• traceoptions—Configure FTP ALG tracing options. To specify more than one trace operation, include multiple flag statements.

• flag —Trace operation to perform.

• all —Trace all events.

• extensive —(Optional) Display extensive amount of data.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


ike (Security)

Supported Platforms J Series , LN Series , SRX Series

Syntax

ike {
    gateway gateway-name {
        address [ip-address-or-hostname];
        dead-peer-detection {
            (always-send | optimized | probe-idle-tunnel);
            interval seconds;
            threshold number;
        }
        dynamic {
            connections-limit number;
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname domain-name | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
            ike-user-type (group-ike-id | shared-ike-id);
        }
        external-interface external-interface-name;
        general-ikeid;
        ike-policy policy-name;
        local-identity {
            (distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        nat-keepalive seconds;
        no-nat-traversal;
        remote-identity {
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        version (v1-only | v2-only);
        xauth {
            access-profile profile-name;
        }
    }
    policy policy-name {
        certificate {
            local-certificate certificate-id;
            peer-certificate-type (pkcs7 | x509-signature);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha1);
        authentication-method (dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
        rate-limit messages-per-second;
    }
}

Hierarchy Level [edit security]

Release Information Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1.

Description Define Internet Key Exchange (IKE) configuration.

Options The remaining statements are explained separately.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Related Documentation

IKE and ESP ALG Feature Guide for Security Devices

AutoVPN Feature Guide for SRX Series Gateway Devices

Dynamic VPN Feature Guide for SRX Series Gateway Devices

IPsec VPN Feature Guide for Security Devices

Master Administrator for Logical Systems Feature Guide for Security Devices


nat-pat-address

Supported Platforms SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

Syntax

nat-pat-address {
    maximum amount;
    reserved amount;
}

Hierarchy Level [edit system security-profile security-profile-name]

Release Information Statement introduced in Junos OS Release 11.2.

Description Specify the number of NAT with port address translation (PAT) configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.

The master administrator:

• uses security profiles to provision logical systems with resources.

• binds security profiles to user logical systems and the master logical system.

• can configure more than one security profile, specifying different amounts of resource allocations in various profiles.

Only the master administrator can create security profiles and bind them to logical systems.

Options

• maximum amount—A maximum allowed quota. If a logical system requires more of a resource than its reserved amount allows, it can use resources configured for the global maximum amount if they are available, that is, if they are not allocated to other logical systems. The maximum allowed quota specifies the portion of the free global resources that the logical system can use. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. Logical systems compete for global resources.

• reserved amount—A reserved quota that guarantees that the resource amount specified is always available to the logical system.
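The difference between the two quotas is easiest to see with a pool that several logical systems draw from at once. The following Python model is an added example and not Juniper code; it implements the semantics stated above (the reserved amount is always available, the maximum is a ceiling on what a logical system may additionally take from the free global pool, and logical systems compete for that pool) for one resource type. The global capacity, the profile values and the allocation order are constructed, and the class and method names are this example's own.

```python
"""Model of reserved and maximum quotas for a logical-system resource.

Added example (not Juniper code) illustrating the nat-pat-address semantics:
the reserved amount is guaranteed to a logical system, the maximum is the
ceiling on what it may additionally draw from the free global pool, and
logical systems compete for that pool. Capacity and profiles are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurityProfile:
    reserved: int
    maximum: int

    def __post_init__(self) -> None:
        if self.reserved < 0 or self.maximum < self.reserved:
            raise ValueError("maximum must be at least the reserved amount")


@dataclass
class ResourcePool:
    """One resource type (here NAT-with-PAT configurations) shared by all logical systems."""
    capacity: int
    profiles: Dict[str, SecurityProfile]
    in_use: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.total_reserved() > self.capacity:
            raise ValueError("reserved quotas exceed global capacity")
        for name in self.profiles:
            self.in_use.setdefault(name, 0)

    def total_reserved(self) -> int:
        return sum(p.reserved for p in self.profiles.values())

    def shared_in_use(self, lsys: str) -> int:
        """How much of a logical system's usage comes from the shared pool, beyond its reservation."""
        return max(0, self.in_use[lsys] - self.profiles[lsys].reserved)

    def free_global(self) -> int:
        """Unreserved capacity not yet consumed by any logical system."""
        shared = sum(self.shared_in_use(n) for n in self.profiles)
        return self.capacity - self.total_reserved() - shared

    def allocate(self, lsys: str, count: int = 1) -> str:
        """Try to allocate; returns 'ok', 'over-maximum' or 'global-exhausted'."""
        profile = self.profiles[lsys]
        new_total = self.in_use[lsys] + count
        if new_total > profile.maximum:
            return "over-maximum"
        extra_shared = max(0, new_total - profile.reserved) - self.shared_in_use(lsys)
        if extra_shared > self.free_global():
            return "global-exhausted"   # the maximum is a ceiling, not a guarantee
        self.in_use[lsys] = new_total
        return "ok"

    def release(self, lsys: str, count: int = 1) -> None:
        self.in_use[lsys] = max(0, self.in_use[lsys] - count)


def demo() -> List[str]:
    """Constructed scenario: global capacity 10, two logical systems with different profiles."""
    pool = ResourcePool(capacity=10, profiles={
        "lsys-a": SecurityProfile(reserved=2, maximum=7),
        "lsys-b": SecurityProfile(reserved=3, maximum=6),
    })
    out = []
    for _ in range(7):
        out.append(pool.allocate("lsys-a"))   # 2 reserved, then 5 from the shared pool
    out.append(pool.allocate("lsys-a"))       # maximum reached
    for _ in range(3):
        out.append(pool.allocate("lsys-b"))   # reserved amount is still guaranteed
    out.append(pool.allocate("lsys-b"))       # shared pool already taken by lsys-a
    pool.release("lsys-a", 2)
    out.append(pool.allocate("lsys-b"))       # released shared capacity is usable again
    return out


if __name__ == "__main__":
    print(demo())
```

The scenario shows why a master administrator sizes the reserved amount for what a logical system must always have and the maximum for what it may borrow: lsys-a exhausts the shared pool first, lsys-b still gets every one of its reserved configurations, and lsys-b's request beyond its reservation fails until lsys-a releases capacity, even though lsys-b is well under its maximum.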

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices

Master Administrator for Logical Systems Feature Guide for Security Devices


policy (Security Policies)

Supported Platforms J Series , SRX Series

Syntax

policy policy-name {
    description description;
    match {
        application {
            [application];
            any;
        }
        destination-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-identity {
            [role-name];
            any;
            authenticated-user;
            unauthenticated-user;
            unknown-user;
        }
    }
    scheduler-name scheduler-name;
    then {
        count {
            alarm {
                per-minute-threshold number;
                per-second-threshold number;
            }
        }
        deny;
        log {
            session-close;
            session-init;
        }
        permit {
            application-services {
                application-firewall {
                    rule-set rule-set-name;
                }
                application-traffic-control {
                    rule-set rule-set-name;
                }
                gprs-gtp-profile profile-name;
                gprs-sctp-profile profile-name;
                idp;
                redirect-wx | reverse-redirect-wx;
                ssl-proxy {
                    profile-name profile-name;
                }
                uac-policy {
                    captive-portal captive-portal;
                }
                utm-policy policy-name;
            }
            destination-address {
                drop-translated;
                drop-untranslated;
            }
            firewall-authentication {
                pass-through {
                    access-profile profile-name;
                    client-match user-or-group-name;
                    web-redirect;
                }
                user-firewall {
                    access-profile profile-name;
                    ssl-termination-profile profile-name;
                }
                web-authentication {
                    client-match user-or-group-name;
                }
            }
            services-offload;
            tcp-options {
                sequence-check-required;
                syn-check-required;
            }
            tunnel {
                ipsec-group-vpn group-vpn;
                ipsec-vpn vpn-name;
                pair-policy pair-policy;
            }
        }
        reject;
    }
}

Hierarchy Level [edit security policies from-zone zone-name to-zone zone-name]

Release Information  Statement introduced in Junos OS Release 8.5. The services-offload option added in Junos OS Release 11.4. Statement updated with the source-identity option and the description option added in Junos OS Release 12.1. Support for the user-firewall option added in Junos OS Release 12.1X45-D10.

Description Define a security policy.

Options

• policy-name—Name of the security policy.

The remaining statements are explained separately.


Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Ethernet Port Switching Feature Guide for Security Devices

Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices

Application Quality of Service Feature Guide for Security Devices

Security Policies Feature Guide for Security Devices

rtsp

Supported Platforms  J Series, SRX Series

Syntax
rtsp {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Real-Time Streaming Protocol (RTSP) ALG on the device.

Options

• disable—Disable the RTSP ALG. By default, the RTSP ALG is enabled.

• traceoptions—Configure RTSP ALG tracing options.

  • flag—Trace operation to perform.

    • all—Trace all events.

      extensive—Display an extensive amount of data.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Security Policy Applications Feature Guide for Security Devices


source-nat

Supported Platforms  J Series, LN Series, SRX Series

Syntax
source-nat {
    interface {
        persistent-nat {
            address-mapping;
            inactivity-timeout seconds;
            max-session-number value;
            permit (any-remote-host | target-host | target-host-port);
        }
    }
    off;
    pool <pool-name>;
    persistent-nat {
        address-mapping;
        inactivity-timeout seconds;
        max-session-number number;
        permit (any-remote-host | target-host | target-host-port);
    }
    rule-session-count-alarm (clear-threshold value | raise-threshold value);
}

Hierarchy Level [edit security nat source rule-set rule-set-name rule rule-name then]

Release Information  Statement modified in Junos OS Release 9.6. Statement modified in Junos OS Release 12.1X45-D10.

Description Specify the action of the source NAT rule.

Options

• off—Do not perform the source NAT operation.

The remaining statements are explained separately.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Network Address Translation Feature Guide for Security Devices


sql

Supported Platforms  J Series, SRX Series

Syntax
sql {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level  [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Oracle SQL ALG on the device.

Options

• disable—Disable the SQL ALG. By default, the SQL ALG is disabled.

• traceoptions—Configure SQL ALG tracing options.

  • flag—Trace operation to perform.

    • all—Trace all events.

      extensive—Display an extensive amount of data.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


talk

Supported Platforms  J Series, SRX Series

Syntax
talk {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level  [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the TALK program ALG on the device.

Options

• disable—Disable the TALK program ALG. By default, the TALK program ALG is enabled.

• traceoptions—Configure TALK program ALG tracing options.

  • flag—Trace operation to perform.

    • all—Trace all events.

      extensive—Display an extensive amount of data.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


tftp (Security ALG)

Supported Platforms  J Series, SRX Series

Syntax
tftp {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}

Hierarchy Level  [edit security alg]

Release Information Statement modified in Junos OS Release 9.2.

Description Configure the Trivial File Transfer Protocol (TFTP) ALG on the device.

Options

• disable—Disable the TFTP ALG. By default, the TFTP ALG is enabled.

  NOTE: By default, the TFTP ALG is disabled for SRX Series devices.

• traceoptions—Configure TFTP ALG tracing options.

  • flag—Trace operation to perform.

    • all—Trace all events.

      extensive—Display an extensive amount of data.

Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


traceoptions (Security ALG)

Supported Platforms  J Series, SRX Series

Syntax
traceoptions {
    file {
        filename;
        files number;
        match regular-expression;
        size maximum-file-size;
        (world-readable | no-world-readable);
    }
    level (brief | detail | extensive | verbose);
    no-remote-trace;
}

Hierarchy Level [edit security alg]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure ALG tracing options.

Options

• file—Configure the trace file options.

  • filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.

  • files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.

    If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.

    Range: 2 through 1000 files
    Default: 10 files

  • match regular-expression—Refine the output to include only lines that contain the regular expression.

  • size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

    If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.

    Syntax: x K to specify KB, x m to specify MB, or x g to specify GB
    Range: 10 KB through 1 GB
    Default: 128 KB

  • world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

• level—Set the level of debugging output.

  • brief—Match brief messages.
  • detail—Match detail messages.
  • extensive—Match extensive messages.
  • verbose—Match verbose messages.

• no-remote-trace—Disable remote tracing.
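The file options above, checked in an added Python example (not from this guide or from Junos OS): it validates a proposed file stanza against the size syntax, the 10 KB through 1 GB and 2 through 1000 ranges, the rule that filename, files and size go together, and the world-readable flag, which widens access to the trace file beyond the configuring user, and it simulates the rename scheme the files option describes. The dict keys and the assumption that the files count includes the active file are mine, not the page's.

```python
import re

KB, MB, GB = 1024, 1024 ** 2, 1024 ** 3
SIZE_MIN, SIZE_MAX = 10 * KB, GB            # Range: 10 KB through 1 GB
FILES_MIN, FILES_MAX = 2, 1000              # Range: 2 through 1000 files
SIZE_DEFAULT, FILES_DEFAULT = 128 * KB, 10  # defaults stated in this section
UNITS = {"k": KB, "m": MB, "g": GB}


def parse_size(text: str) -> int:
    """Parse the 'x K' / 'x m' / 'x g' size syntax into bytes (suffix case ignored)."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG])\s*", text)
    if not m:
        raise ValueError(f"bad size syntax {text!r}: expected e.g. '128 K', '1 m' or '1 g'")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def check_trace_file(cfg: dict) -> list:
    """Return findings for a 'file { ... }' stanza given as a dict whose keys mirror the
    statement names (filename, files, size, world_readable); an empty list means the
    stanza is consistent with the rules above. The dict shape is this example's own."""
    findings = []
    explicit = {k for k in ("filename", "files", "size") if k in cfg}
    # files and size each require the other two to be given explicitly
    if explicit & {"files", "size"} and explicit != {"filename", "files", "size"}:
        findings.append("files and size must be set together with a filename")
    files = cfg.get("files", FILES_DEFAULT)
    if not FILES_MIN <= files <= FILES_MAX:
        findings.append(f"files {files} outside range {FILES_MIN}..{FILES_MAX}")
    size = SIZE_DEFAULT
    if "size" in cfg:
        try:
            size = parse_size(cfg["size"])
        except ValueError as exc:
            findings.append(str(exc))
    if not SIZE_MIN <= size <= SIZE_MAX:
        findings.append(f"size {size} bytes outside range 10 KB..1 GB")
    if cfg.get("world_readable"):
        # The default (no-world-readable) limits the trace to the configuring user.
        findings.append("world-readable: trace file under /var/log is readable by every user")
    return findings


def rotation_sequence(name: str, files: int, rollovers: int) -> list:
    """Simulate the rename scheme: on each rollover the active file becomes name.0,
    the old name.0 becomes name.1, and so on, until the oldest archive is overwritten.
    Assumes 'files' counts the active file plus its archives (an assumption, not a
    statement from the page). Returns the archive names present, newest first."""
    archives = []
    for _ in range(rollovers):
        archives = [f"{name}.0"] + [f"{name}.{i + 1}" for i in range(len(archives))]
        archives = archives[: files - 1]
    return archives
```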

Required Privilege Level
trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.

Related Documentation

Junos OS Application Layer Gateways (ALGs) Library for Security Devices


PART 3

Administration

Operational Commands on page 51


CHAPTER 4

Operational Commands

clear security alg ike-esp-nat

show security alg ike-esp-nat summary

show security zones

show security zones type


clear security alg ike-esp-nat

Supported Platforms  J Series, SRX Series

Syntax clear security alg ike-esp-nat

Release Information Command introduced in Junos OS Release 10.2.

Description Clear state information about Application Layer Gateway (ALG) for IKE and ESP.

Required Privilege Level
clear

Related Documentation

show security alg ike-esp-nat summary on page 53

List of Sample Output

clear security alg ike-esp-nat on page 52

Output Fields This command produces no output.

Sample Output
clear security alg ike-esp-nat
user@host> clear security alg ike-esp-nat
10 active IKE-ESP alg state cleared


show security alg ike-esp-nat summary

Supported Platforms  J Series, SRX Series

Syntax show security alg ike-esp-nat summary

Release Information Command introduced in Junos OS Release 10.2.

Description Display Application Layer Gateway (ALG) for IKE and ESP information summary.

Required Privilege Level
view

Related Documentation

clear security alg ike-esp-nat on page 52

List of Sample Output

show security alg ike-esp-nat summary on page 53

Sample Output
show security alg ike-esp-nat summary
user@host> security alg ike-esp-nat summary
Initiator cookie: d5732d9b4114de1a
Responder cookie: 4776fe31164ef
Session-ID: 13
ALG state : 1
Timeout: 6292
Used IKE cookies: 0
Maximum IKE cookies: 2400


show security zones

Supported Platforms  J Series, LN Series, SRX Series

Syntax
show security zones
<detail | terse>
<zone-name>

Release Information  Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1.

Description Display information about security zones.

Options

• none—Display information about all zones.

• detail | terse—(Optional) Display the specified level of output.

• zone-name—(Optional) Display information about the specified zone.

Required Privilege Level
view

Related Documentation

Ethernet Port Switching Feature Guide for Security Devices

Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices

security-zone

Security Zones and Interfaces Feature Guide for Security Devices

Junos OS Logical Systems Library for Security Devices

List of Sample Output

show security zones on page 55
show security zones abc on page 55
show security zones abc detail on page 55
show security zones terse on page 56

Output Fields  Table 3 on page 54 lists the output fields for the show security zones command. Output fields are listed in the approximate order in which they appear.

Table 3: show security zones Output Fields

Field Name             Field Description
Security zone          Name of the security zone.
Description            Description of the security zone.
Policy configurable    Whether the policy can be configured or not.
Interfaces bound       Number of interfaces in the zone.
Interfaces             List of the interfaces in the zone.
Zone                   Name of the zone.
Type                   Type of the zone.

Sample Output
show security zones
user@host> show security zones
Functional zone: management
  Description: This is the management zone.
  Policy configurable: No
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: Host
  Description: This is the host zone.
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    fxp0.0

Security zone: abc
  Description: This is the abc zone.
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: def
  Description: This is the def zone.
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0

Sample Output
show security zones abc
user@host> show security zones abc
Security zone: abc
  Description: This is the abc zone.
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Sample Output
show security zones abc detail
user@host> show security zones abc detail
Security zone: abc
  Description: This is the abc zone.
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Sample Output
show security zones terse
user@host> show security zones terse
Zone          Type
my-internal   Security
my-external   Security
dmz           Security


show security zones type

Supported Platforms  J Series, LN Series, SRX Series

Syntax
show security zones type
(functional | security)
<detail | terse>

Release Information  Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1.

Description Display information about security zones of the specified type.

Options

• functional—Display functional zones.

• security—Display security zones.

• detail | terse—(Optional) Display the specified level of output.

Required Privilege Level
view

Related Documentation

security-zone

Security Zones and Interfaces Feature Guide for Security Devices

List of Sample Output

show security zones type functional on page 58
show security zones type security on page 58
show security zones type security terse on page 58
show security zones type security detail on page 58

Output Fields  Table 4 on page 57 lists the output fields for the show security zones type command. Output fields are listed in the approximate order in which they appear.

Table 4: show security zones type Output Fields

Field Name             Field Description
Security zone          Zone name.
Description            Description of the security zone.
Policy configurable    Whether the policy can be configured or not.
Interfaces bound       Number of interfaces in the zone.
Interfaces             List of the interfaces in the zone.
Zone                   Name of the zone.
Type                   Type of the zone.


Sample Output
show security zones type functional
user@host> show security zones type functional
Functional zone: management
  Description: management zone
  Policy configurable: No
  Interfaces bound: 0
  Interfaces:

Sample Output
show security zones type security
user@host> show security zones type security
Security zone: trust
  Description: trust zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: untrust
  Description: untrust zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: junos-host
  Description: junos-host zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Sample Output
show security zones type security terse
user@host> show security zones type security terse
Zone          Type
trust         Security
untrust       Security
junos-host    Security

Sample Output
show security zones type security detail
user@host> show security zones type security detail
Security zone: trust
  Description: trust zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: untrust
  Description: untrust zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: junos-host
  Description: junos-host zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
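The zone listings printed by show security zones and show security zones type share one block-per-zone layout, shown in the samples for both commands above. This added Python example (not Juniper's code) parses that layout into records using the field names from Table 3 and Table 4, derives the terse Zone/Type view from it, and checks that each zone's "Interfaces bound" count agrees with the interfaces actually listed, which catches a truncated or edited paste before it is used for an audit. The sample text is constructed, not captured from a device, and the Zone record layout is this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the 'show security zones' output above;
# it is not captured from a real device.
SAMPLE_OUTPUT = """\
Functional zone: management
  Description: This is the management zone.
  Policy configurable: No
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
Security zone: trust
  Description: trust zone
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/1.0
    ge-0/0/2.0
Security zone: junos-host
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
"""

ZONE_HEADER = re.compile(r"^(Functional|Security) zone:\s*(\S+)$")

@dataclass
class Zone:
    name: str
    zone_type: str            # "Functional" or "Security", taken from the header line
    description: str = ""
    policy_configurable: bool = False
    interfaces_bound: int = 0
    interfaces: list = field(default_factory=list)

def parse_zones(text: str) -> list:
    """Turn the block-per-zone output into Zone records; indentation is ignored."""
    zones, in_iflist = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ZONE_HEADER.match(line)
        if m:
            zones.append(Zone(name=m.group(2), zone_type=m.group(1)))
            in_iflist = False
            continue
        if not zones:
            raise ValueError(f"field before any zone header: {line!r}")
        z = zones[-1]
        if line == "Interfaces:":
            in_iflist = True           # the lines that follow are interface names
        elif ":" in line:
            key, _, value = line.partition(":")
            value, in_iflist = value.strip(), False
            if key == "Description":
                z.description = value
            elif key == "Policy configurable":
                z.policy_configurable = value == "Yes"
            elif key == "Interfaces bound":
                z.interfaces_bound = int(value)
            # other fields (e.g. the non-SYN reset flag) are not kept in the record
        elif in_iflist:
            z.interfaces.append(line)
    return zones

def terse_table(zones: list) -> list:
    """Rows in the shape of 'show security zones terse': (Zone, Type)."""
    return [(z.name, z.zone_type) for z in zones]

def count_mismatches(zones: list) -> list:
    """Zones whose 'Interfaces bound' count disagrees with the interfaces listed."""
    return [z.name for z in zones if z.interfaces_bound != len(z.interfaces)]
```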
