Junos® OS IKE and ESP ALG Feature Guide for Security Devices
Release 12.1X46-D10
Modified: 2016-01-27
Copyright © 2016, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2016, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation
    Self-Help Online Tools and Resources . . . . . . . . . . . . . . . xi
Part 1 Overview
Part 2 Configuration
    Example: Enabling IKE and ESP ALG and Setting Timeouts . . . . . . . . . . 14
Part 3 Administration
Part 4 Index
List of Tables
Part 3 Administration
About the Documentation
• Documentation and Release Notes on page vii
• Supported Platforms on page vii
• Using the Examples in This Manual on page vii
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xi
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• J Series
• SRX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.
   For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
   system {
       scripts {
           commit {
               file ex-script.xsl;
           }
       }
   }
   interfaces {
       fxp0 {
           disable;
           unit 0 {
               family inet {
                   address 10.0.0.1/24;
               }
           }
       }
   }
2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:
   [edit]
   user@host# load merge /var/tmp/ex-script.conf
   load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
   For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
   commit {
       file ex-script-snippet.xsl;
   }
2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
   [edit]
   user@host# edit system scripts
   [edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:
   [edit system scripts]
   user@host# load merge relative /var/tmp/ex-script-snippet.conf
   load complete
For more information about the load command, see the CLI User Guide.
Documentation Conventions
Table 1 defines notice icons used in this guide.
Table 1: Notice Icons
Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.
Table 2 defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure
Convention: Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active
Convention: Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute
Convention: Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name
Convention: Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.
Convention: < > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;
Convention: | (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)
Convention: # (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]
Convention: Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
Convention: ; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example (indention, braces, and semicolons):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }
GUI Conventions
Convention: Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:
• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Basics on page 3
CHAPTER 1
Basics
• Understanding ALG for IKE and ESP on page 3
• Understanding IKE and ESP ALG Operation on page 4
Understanding ALG for IKE and ESP
Supported Platforms: J Series, SRX Series
An SRX Series device can be used solely as a Network Address Translation (NAT) device when placed between VPN clients on the private side of the NAT gateway and the virtual private network (VPN) gateways on the public side.
Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic is exchanged between the clients and the server. However, if the clients do not support NAT-Traversal (NAT-T) and the device assigns the same NAT-generated IP address to two or more clients, the device is unable to distinguish the clients' return traffic and route it properly.
NOTE: If you want to support both NAT-T-capable and non-NAT-T-capable clients, some additional configuration is required. If there are NAT-T-capable clients, you must enable source NAT address persistence.
ALG for IKE and ESP monitors IKE traffic between the client and the server and permits only one IKE Phase 2 message exchange at a time between any given client/server pair. The limit applies per client/server pair, not to a single exchange between any client and any server.
ALG for IKE and ESP traffic has been created and NAT has been enhanced to implement the following:
• To enable the SRX Series device to pass IKE and ESP traffic with a source NAT pool
• To allow the device to be configured to return the same NAT-generated IP address for a given untranslated (pre-NAT) IP address ("address-persistent NAT"). As a result, the device is able to associate a client's outgoing IKE traffic with its return traffic from the server, especially when the IKE session times out and needs to be reestablished.
• The resulting ESP traffic between the client and the server is also allowed, especially in the direction from the server to the client.
• The return ESP traffic matches the following:
  • The server IP address as source IP
  • The client IP address as destination IP
NOTE: In SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT traversal do not work if the IKE peer is behind a NAT device that changes the source IP address of the IKE packets during the negotiation. For example, if the NAT device is configured with DIP, it changes the source IP because the IKE protocol switches the UDP port from 500 to 4500.
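The NAT problem described in this topic, as an added example that is not part of this guide and not Junos OS code: a small Python model of a source NAT pool with and without address persistence, and of why return ESP traffic cannot be attributed to a private client once a client's translated address changes after its IKE session is reestablished, or once two clients share one translated address. The round-robin allocation, the client and server addresses, the session-timeout call and the two-address pool in the second scenario are constructed assumptions; the ten-address pool follows the pool1 range used in the configuration example later in this guide.

```python
"""Model of source NAT address persistence for IKE/ESP clients without NAT-T.
Added example; constructed names and allocation policy, not Junos OS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceNatPool:
    addresses: List[str]           # public addresses in the pool
    address_persistent: bool       # models 'set security nat source address-persistent'
    _next: int = 0                 # assumed round-robin allocation cursor
    bindings: Dict[str, str] = field(default_factory=dict)  # private client -> pool address

    def translate(self, client: str) -> str:
        """Choose the translated source address for a client's outgoing packet."""
        if client in self.bindings:
            return self.bindings[client]
        addr = self.addresses[self._next % len(self.addresses)]
        self._next += 1
        self.bindings[client] = addr
        return addr

    def session_timed_out(self, client: str) -> None:
        """Without persistence the binding dies with the session; with it, it survives."""
        if not self.address_persistent:
            self.bindings.pop(client, None)

    def clients_behind(self, addr: str) -> List[str]:
        return [c for c, a in self.bindings.items() if a == addr]


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int    # ESP carries an SPI but no transport ports a NAT could key on


def route_return_esp(pool: SourceNatPool, pkt: EspPacket) -> Optional[str]:
    """Demultiplex a server -> pool-address ESP packet back to one private client.
    Only the destination address is usable: the SPI was chosen by the client
    during IKE, which a NAT that does not track the negotiation never sees."""
    owners = pool.clients_behind(pkt.dst)
    return owners[0] if len(owners) == 1 else None   # None: cannot be routed


def reestablish_after_timeout(persistent: bool) -> Tuple[str, str, Optional[str]]:
    """A client negotiates, its IKE session times out, and it negotiates again
    while the server still sends ESP to the address it learned the first time."""
    pool = SourceNatPool([f"10.10.10.{i}" for i in range(1, 11)], persistent)
    first = pool.translate("1.1.1.10")
    pool.translate("1.1.1.11")             # another client takes the next address meanwhile
    pool.session_timed_out("1.1.1.10")
    second = pool.translate("1.1.1.10")
    return first, second, route_return_esp(pool, EspPacket("2.2.2.20", first, spi=0x1001))


def shared_address(persistent: bool) -> Optional[str]:
    """Pool smaller than the client count (constructed): two clients share an
    address and the return ESP packet has two candidate owners."""
    pool = SourceNatPool(["10.10.10.1", "10.10.10.2"], persistent)
    for client in ("1.1.1.10", "1.1.1.11", "1.1.1.12"):
        pool.translate(client)
    return route_return_esp(pool, EspPacket("2.2.2.20", "10.10.10.1", spi=0x1001))


if __name__ == "__main__":
    print("no persistence:", reestablish_after_timeout(False))
    print("persistent:    ", reestablish_after_timeout(True))
    print("shared address:", shared_address(True))
```

Address persistence fixes the first scenario (the client keeps 10.10.10.1 across the re-negotiation, so the server's ESP still reaches it) but not the second: when two clients genuinely share a translated address, persistence alone leaves the return packet ambiguous, which is why the ALG tracks the IKE exchange itself and allows only one Phase 2 exchange per client/server pair at a time.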
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
Understanding IKE and ESP ALG Operation
Supported Platforms: J Series, SRX Series
Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic has the following behavior:
• An IKE and ESP ALG monitors IKE traffic between the client and the server, and it permits only one IKE Phase 2 message exchange between the client and the server at any given time.
• For a Phase 2 message:
  • If a Phase 2 message exchange between the client and server has not already taken place, the IKE ALG gates are opened for the relevant ESP traffic from the client to the server and from the server to the client.
  • If the two IKE ALG gates are not both opened successfully, or if the Phase 2 message exchange already took place, the Phase 2 message is dropped.
• When ESP traffic hits the IKE ALG gates, sessions are created to capture subsequent ESP traffic and to perform the proper NAT (that is, source IP address translation for client-to-server traffic and destination IP address translation for server-to-client traffic).
• When ESP traffic does not hit one or both of the gates, the gates time out.
• Once the IKE ALG gates are collapsed or timed out, another IKE Phase 2 message exchange is permitted.
• IKE NAT-T traffic on floating port 4500 is processed in an IKE ALG. To support a mixture of NAT-T-capable and noncapable clients, you need to enable source NAT address persistence (the address-persistent statement).
Related Documentation
• ALG Overview
• NAT Overview
• Understanding ALG for IKE and ESP on page 3
• Example: Configuring the IKE and ESP ALG on page 9
• Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14
• IKE and ESP ALG Feature Guide for Security Devices
PART 2
Configuration
• IKE and ESP ALG and Timeouts on page 9
• Configuration Statements on page 17
CHAPTER 2
IKE and ESP ALG and Timeouts
• Example: Configuring the IKE and ESP ALG on page 9
• Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14
Example: Configuring the IKE and ESP ALG
Supported Platforms: J Series, SRX Series
This example shows how to configure the IKE and ESP ALG to pass IKE and ESP traffic through a source NAT pool on Juniper Networks devices.
• Requirements
• Overview
• Configuration
• Verification
Requirements
Before you begin:
• Configure proxy ARP for all IP addresses in the source NAT pool.
• Understand the concepts behind IKE and ESP ALG. See Understanding ALG for IKE and ESP on page 3.
Overview
In this example, the ALG for IKE and ESP is configured to monitor and allow IKE and ESP traffic to be exchanged between the clients and the server located on opposite sides of a Juniper Networks device.
This example shows how to configure a source NAT pool and rule set, configure a custom application to support the IKE and ESP ALG, and associate this ALG to a policy.
If you want to support a mixture of NAT-traversal (NAT-T) capable clients and noncapable clients, you must enable persistent source NAT translation (so that once a particular source NAT address is associated with a given IP address, subsequent source NAT translations use the same address). You also must configure a custom IKE NAT traversal application to support the encapsulation of IKE and ESP in UDP port 4500. This configuration enables IKE and ESP to pass through the NAT-enabled device.
Configuration
• Configuring a NAT Source Pool and Rule Set on page 10
• Configuring a Custom Application and Associating it to a Policy on page 11
• Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients on page 13
Configuring a NAT Source Pool and Rule Set
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
set security zones security-zone green address-book address sa1 1.1.1.0/24
set security zones security-zone red address-book address da1 2.2.2.0/24
set security nat source rule-set rs1 from zone green
set security nat source rule-set rs1 to zone red
set security nat source rule-set rs1 rule r1 match source-address 1.1.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 2.2.2.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool pool1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a source NAT pool:
1. Create a NAT source pool.
   [edit]
   user@host# set security nat source pool pool1 address 10.10.10.1/32 to 10.10.10.10/32
2. Configure security zone address book entries.
   [edit]
   user@host# set security zones security-zone green address-book address sa1 1.1.1.0/24
   user@host# set security zones security-zone red address-book address da1 2.2.2.0/24
3. Create a NAT source rule set.
   [edit security nat source rule-set rs1]
   user@host# set from zone green
   user@host# set to zone red
   user@host# set rule r1 match source-address 1.1.1.0/24
   user@host# set rule r1 match destination-address 2.2.2.0/24
   user@host# set rule r1 then source-nat pool pool1
Results
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show security nat
source {
    pool pool1 {
        address {
            10.10.10.1/32 to 10.10.10.10/32;
        }
    }
    rule-set rs1 {
        from zone green;
        to zone red;
        rule r1 {
            match {
                source-address 1.1.1.0/24;
                destination-address 2.2.2.0/24;
            }
            then {
                source-nat {
                    pool {
                        pool1;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Custom Application and Associating it to a Policy
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-alg
set security policies from-zone green to-zone red policy pol1 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a custom application and associate it to a policy:
1. Configure a custom application.
   [edit]
   user@host# set applications application custom-ike-alg source-port 500 destination-port 500 protocol udp application-protocol ike-esp-nat
2. Associate the custom application to a policy.
   [edit security policies from-zone green to-zone red policy pol1]
   user@host# set match source-address sa1
   user@host# set match destination-address da1
   user@host# set match application custom-ike-alg
   user@host# set then permit
Results
From configuration mode, confirm your configuration by entering the show applications and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show applications
application custom-ike-alg {
    application-protocol ike-esp-nat;
    protocol udp;
    source-port 500;
    destination-port 500;
}
[edit]
user@host# show security zones
security-zone Trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone green {
    address-book {
        address sa1 1.1.1.0/24;
    }
}
security-zone red {
    address-book {
        address da1 2.2.2.0/24;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring IKE and ESP ALG Support for Both NAT-T Capable and Noncapable Clients
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security nat source address-persistent
set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
set security policies from-zone green to-zone red policy pol1 match source-address sa1
set security policies from-zone green to-zone red policy pol1 match destination-address da1
set security policies from-zone green to-zone red policy pol1 match application custom-ike-natt
set security policies from-zone green to-zone red policy pol1 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure IKE and ESP ALG support for both NAT-T capable and noncapable clients:
1. Globally enable persistent source NAT translation.
   [edit]
   user@host# set security nat source address-persistent
2. Configure the IKE NAT-T application.
   [edit]
   user@host# set applications application custom-ike-natt protocol udp source-port 4500 destination-port 4500
3. Associate the NAT-T application using a policy.
   [edit security policies from-zone green to-zone red policy pol1]
   user@host# set match source-address sa1
   user@host# set match destination-address da1
   user@host# set match application custom-ike-natt
   user@host# set then permit
Results
From configuration mode, confirm your configuration by entering the show security nat and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security nat
source {
    address-persistent;
}
[edit]
user@host# show security policies
from-zone green to-zone red {
    policy pol1 {
        match {
            source-address sa1;
            destination-address da1;
            application [ custom-ike-alg custom-ike-natt ];
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying IKE and ESP ALG Custom Applications on page 14
• Verifying the NAT Source Pool and Rule Set on page 14
Verifying IKE and ESP ALG Custom Applications
Purpose: Verify that the custom applications that support the IKE and ESP ALG are configured and enabled.
Action: From operational mode, enter the show applications command.
Verifying the NAT Source Pool and Rule Set
Purpose: Verify that the NAT source pool and rule set used to support the IKE and ESP ALG are working properly.
Action: From operational mode, enter the show security nat command.
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
• ALG Overview
• Understanding ALG for IKE and ESP on page 3
• Example: Enabling IKE and ESP ALG and Setting Timeouts on page 14
Example: Enabling IKE and ESP ALG and Setting Timeouts
Supported Platforms: J Series, SRX Series
This example shows how to enable the IKE and ESP ALG and set the timeout values that give the ALG time to process ALG state information, ESP gates, and ESP sessions.
• Requirements
• Overview
• Configuration
• Verification
Requirements
Understand the concepts behind ALG for IKE and ESP. See Understanding ALG for IKE and ESP on page 3.
Overview
The IKE and ESP ALG processes all traffic specified in any policy to which the ALG is attached. In this example, you configure the set security alg ike-esp-nat enable statement so that the current default IPsec pass-through behavior is disabled for all IPsec pass-through traffic, regardless of policy.
You then set the timeout values that give the IKE and ESP ALG time to process ALG state information, ESP gates, and ESP sessions. In this example, you set three timeouts:
• The timeout of ALG state information. The timeout range is 180 through 86400 seconds; the default timeout is 14400 seconds.
• The timeout of the ESP gates created after an IKE Phase 2 exchange has completed. The timeout range is 2 through 30 seconds; the default timeout is 5 seconds.
• The idle timeout of the ESP sessions created from the IPsec gates. If no traffic hits the session, it is aged out after this period of time. The timeout range is 60 through 2400 seconds; the default timeout is 1800 seconds.
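The gate and session lifecycle described in Understanding IKE and ESP ALG Operation on page 4, together with the three timeouts just listed, as an added example that is not part of this guide and not Junos OS code: a Python simulation in which one Phase 2 exchange per client/server pair opens a pair of gates, the first ESP packet through a gate turns it into a NAT session, unused gates age out after esp-gate-timeout, idle sessions after esp-session-timeout, and the pair's ALG state after state-timeout. The statement names, ranges and defaults are taken from this guide and the walkthrough uses the values configured in this example (360, 20 and 2400 seconds); the class and method names, the event timeline, and the client, server and translated addresses are constructed assumptions.

```python
"""Simulation of the IKE and ESP ALG gate/session lifecycle and its timeouts.
Added example with constructed names and timeline; not Junos OS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (minimum, maximum, default) in seconds, as documented for [edit security alg ike-esp-nat]
TIMEOUT_RANGES = {
    "state-timeout": (180, 86400, 14400),
    "esp-gate-timeout": (2, 30, 5),
    "esp-session-timeout": (60, 2400, 1800),
}


def check_timeout(name: str, value: Optional[int]) -> int:
    """Return the effective timeout, rejecting values outside the documented range."""
    lo, hi, default = TIMEOUT_RANGES[name]
    if value is None:
        return default
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} is outside {lo}..{hi}")
    return value


Pair = Tuple[str, str]   # (client private address, server address)


@dataclass
class PairState:
    nat_ip: str                       # translated source address of the client
    last_ike: float                   # last IKE message seen; drives state-timeout
    gates: Dict[str, float] = field(default_factory=dict)     # "c2s"/"s2c" -> expiry
    sessions: Dict[str, float] = field(default_factory=dict)  # "c2s"/"s2c" -> idle expiry


class IkeEspAlg:
    def __init__(self, state_timeout=None, esp_gate_timeout=None, esp_session_timeout=None):
        self.state_timeout = check_timeout("state-timeout", state_timeout)
        self.gate_timeout = check_timeout("esp-gate-timeout", esp_gate_timeout)
        self.session_timeout = check_timeout("esp-session-timeout", esp_session_timeout)
        self.pairs: Dict[Pair, PairState] = {}

    def _expire(self, now: float) -> None:
        """Age out gates, idle sessions, and finally the pair's ALG state."""
        for key in list(self.pairs):
            st = self.pairs[key]
            st.gates = {d: t for d, t in st.gates.items() if t > now}
            st.sessions = {d: t for d, t in st.sessions.items() if t > now}
            if not st.gates and not st.sessions and now - st.last_ike >= self.state_timeout:
                del self.pairs[key]

    def phase2(self, client: str, server: str, nat_ip: str, now: float) -> str:
        """An IKE Phase 2 exchange between client and server is observed."""
        self._expire(now)
        st = self.pairs.get((client, server))
        if st is not None and st.gates:
            return "dropped"         # previous exchange's gates still open: only one at a time
        if st is None:
            st = self.pairs[(client, server)] = PairState(nat_ip=nat_ip, last_ike=now)
        st.last_ike = now
        st.gates = {"c2s": now + self.gate_timeout, "s2c": now + self.gate_timeout}
        return "gates-opened"

    def esp(self, src: str, dst: str, now: float) -> Tuple[str, Optional[Tuple[str, str]]]:
        """An ESP packet arrives; returns (verdict, translated (src, dst)) or (dropped, None)."""
        self._expire(now)
        for (client, server), st in self.pairs.items():
            if (src, dst) == (client, server):
                direction, translated = "c2s", (st.nat_ip, server)   # source NAT
            elif (src, dst) == (server, st.nat_ip):
                direction, translated = "s2c", (server, client)      # destination NAT
            else:
                continue
            if direction in st.sessions:
                st.sessions[direction] = now + self.session_timeout  # refresh idle timer
                return "session", translated
            if direction in st.gates:
                del st.gates[direction]          # gate collapses into a session on first hit
                st.sessions[direction] = now + self.session_timeout
                return "session-created", translated
        return "dropped", None


def walkthrough() -> List:
    """Constructed timeline using this example's values: state 360, gate 20, session 2400."""
    alg = IkeEspAlg(state_timeout=360, esp_gate_timeout=20, esp_session_timeout=2400)
    c, c2, s, nat, nat2 = "1.1.1.10", "1.1.1.11", "2.2.2.20", "10.10.10.1", "10.10.10.2"
    return [
        alg.phase2(c, s, nat, now=0),      # gates opened for both directions
        alg.phase2(c, s, nat, now=1),      # second exchange while gates open: dropped
        alg.esp(c, s, now=5),              # hits c2s gate: session with source NAT
        alg.esp(s, nat, now=6),            # hits s2c gate: session with destination NAT
        alg.phase2(c, s, nat, now=7),      # gates collapsed, so a new exchange is allowed
        alg.phase2(c2, s, nat2, now=100),  # another client: its own pair of gates
        alg.esp(c2, s, now=130),           # 30 s later the unused gates have timed out
        alg.phase2(c2, s, nat2, now=131),  # and a new exchange is permitted again
        alg.esp(s, nat, now=2000),         # existing s2c session, idle timer refreshed
        alg.esp(c, s, now=2500),           # c2s session idle since t=5: aged out at 2405
        alg.esp(s, nat, now=4500),         # s2c aged out at 4400; pair state then purged
        alg.phase2(c, s, nat, now=4501),   # fresh ALG state for the pair
    ]


if __name__ == "__main__":
    for event in walkthrough():
        print(event)
```

Two points the timeline makes visible: a Phase 2 message is dropped only while a previous exchange's gates are outstanding, so a client that never sends ESP is blocked for at most esp-gate-timeout seconds; and because sessions are refreshed only by traffic, an ESP flow that pauses longer than esp-session-timeout needs a new Phase 2 exchange before the device will forward it again.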
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set security alg ike-esp-nat enable
set security alg ike-esp-nat esp-gate-timeout 20
set security alg ike-esp-nat esp-session-timeout 2400
set security alg ike-esp-nat state-timeout 360
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To enable the IKE and ESP ALG and set the timeout values:
1. Enable the IKE and ESP ALG.
   [edit]
   user@host# set security alg ike-esp-nat enable
2. Set the timeout for the ALG state information.
   [edit security alg ike-esp-nat]
   user@host# set state-timeout 360
3. Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.
   [edit security alg ike-esp-nat]
   user@host# set esp-gate-timeout 20
4. Set the idle timeout for the ESP sessions created from the IPsec gates.
   [edit security alg ike-esp-nat]
   user@host# set esp-session-timeout 2400
Results
From configuration mode, confirm your configuration by entering the show security alg command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security alg
ike-esp-nat {
    enable;
    state-timeout 360;
    esp-gate-timeout 20;
    esp-session-timeout 2400;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
• Verifying the ALG for IKE and ESP and Timeout Settings on page 16
Verifying the ALG for IKE and ESP and Timeout Settings
Purpose: Verify that the ALG for IKE and ESP is enabled and that the timeout settings for this feature are correct.
Action: From operational mode, enter the show security alg ike-esp-nat command.
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
• ALG Overview
• NAT Overview
• Understanding ALG for IKE and ESP on page 3
• Understanding IKE and ESP ALG Operation on page 4
• Example: Configuring the IKE and ESP ALG on page 9
CHAPTER 3
Configuration Statements
• Applications Configuration Statement Hierarchy on page 17
• [edit security alg] Hierarchy Level on page 18
• [edit security policies] Hierarchy Level on page 22
• application-protocol (Applications) on page 35
• policy (Security Policies) on page 40
• tftp (Security ALG) on page 46
• traceoptions (Security ALG) on page 47
Applications Configuration Statement Hierarchy
Supported Platforms: J Series, LN Series, SRX Series
Use the statements in the applications configuration hierarchy to configure application properties and to group application objects.
applications {
    application application-name {
        application-protocol (dns | ftp | gprs-gtp-c | gprs-gtp-u | gprs-gtp-v0 | gprs-sctp | http | ignore | ike-esp-nat | mgcp-ca | mgcp-ua | ms-rpc | q931 | ras | realaudio | rsh | rtsp | sccp | sip | sqlnet-v2 | sun-rpc | talk | tftp);
        description text;
        destination-port port-identifier;
        do-not-translate-A-query-to-AAAA-query;
        do-not-translate-AAAA-query-to-A-query;
        ether-type hex-value;
        icmp-code value;
        icmp-type value;
        icmp6-code value;
        icmp6-type value;
        inactivity-timeout (seconds | never);
        protocol number;
        rpc-program-number number;
        source-port port-number;
        term term-name {
            alg application;
            destination-port port-identifier;
            icmp-code value;
            icmp-type value;
            icmp6-code value;
            icmp6-type value;
            inactivity-timeout (seconds | never);
            protocol number;
            rpc-program-number number;
            source-port port-number;
            uuid hex-value;
        }
        uuid hex-value;
    }
    application-set application-set-name {
        application application-name;
        application-set application-set-name;
        description text;
    }
}
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
• Security Policy Applications Feature Guide for Security Devices
[edit security alg] Hierarchy Level
Supported Platforms J Series, LN Series, SRX Series
security {
    alg {
        alg-manager {
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        alg-support-lib {
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        dns {
            disable;
            doctoring (none | sanity-check);
            maximum-message-length number;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        ftp {
            allow-mismatch-ip-address;
            disable;
            ftps-extension;
            line-break-extension;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        h323 {
            application-screen {
                message-flood {
                    gatekeeper {
                        threshold rate;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            endpoint-registration-timeout value-in-seconds;
            media-source-port-any;
            traceoptions {
                flag flag <detail | extensive | terse>;
            }
        }
        ike-esp-nat {
            enable;
            esp-gate-timeout value-in-seconds;
            esp-session-timeout value-in-seconds;
            state-timeout value-in-seconds;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        mgcp {
            application-screen {
                connection-flood {
                    threshold rate;
                }
                message-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            traceoptions {
                flag flag <extensive>;
            }
            transaction-timeout value-in-seconds;
        }
        msrpc {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        pptp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        rsh {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        rtsp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        sccp {
            application-screen {
                call-flood {
                    threshold rate;
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            traceoptions {
                flag flag <extensive>;
            }
        }
        sip {
            application-screen {
                protect {
                    deny {
                        all {
                            timeout value-in-seconds;
                        }
                        destination-ip address;
                        timeout value-in-seconds;
                    }
                }
                unknown-message {
                    permit-nat-applied;
                    permit-routed;
                }
            }
            c-timeout value-in-minutes;
            disable;
            dscp-rewrite {
                code-point string;
            }
            inactive-media-timeout value-in-seconds;
            maximum-call-duration value-in-minutes;
            retain-hold-resource;
            t1-interval value-in-milliseconds;
            t4-interval value-in-seconds;
            traceoptions {
                flag flag <detail | extensive | terse>;
            }
        }
        sql {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        sunrpc {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        talk {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        tftp {
            disable;
            traceoptions {
                flag {
                    all <extensive>;
                }
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            level (brief | detail | extensive | verbose);
            no-remote-trace;
        }
    }
}
Related Documentation
• Security Configuration Statement Hierarchy
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
[edit security policies] Hierarchy Level
Supported Platforms J Series, SRX Series
security {
    policies {
        default-policy (deny-all | permit-all);
        from-zone zone-name to-zone zone-name {
            policy policy-name {
                description description;
                match {
                    application {
                        [application];
                        any;
                    }
                    destination-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    destination-address-excluded;
                    source-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-address-excluded;
                    source-identity {
                        [role-name];
                        any;
                        authenticated-user;
                        unauthenticated-user;
                        unknown-user;
                    }
                }
                scheduler-name scheduler-name;
                then {
                    count {
                        alarm {
                            per-minute-threshold number;
                            per-second-threshold number;
                        }
                    }
                    deny;
                    log {
                        session-close;
                        session-init;
                    }
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rule-set-name;
                            }
                            application-traffic-control {
                                rule-set rule-set-name;
                            }
                            gprs-gtp-profile profile-name;
                            gprs-sctp-profile profile-name;
                            idp;
                            redirect-wx | reverse-redirect-wx;
                            ssl-proxy {
                                profile-name profile-name;
                            }
                            uac-policy {
                                captive-portal captive-portal;
                            }
                            utm-policy policy-name;
                        }
                        destination-address {
                            drop-translated;
                            drop-untranslated;
                        }
                        firewall-authentication {
                            pass-through {
                                access-profile profile-name;
                                client-match user-or-group-name;
                                ssl-termination-profile profile-name;
                                web-redirect;
                                web-redirect-to-https;
                            }
                            user-firewall {
                                access-profile profile-name;
                                ssl-termination-profile profile-name;
                            }
                            web-authentication {
                                client-match user-or-group-name;
                            }
                        }
                        services-offload;
                        tcp-options {
                            sequence-check-required;
                            syn-check-required;
                        }
                        tunnel {
                            ipsec-group-vpn group-vpn;
                            ipsec-vpn vpn-name;
                            pair-policy pair-policy;
                        }
                    }
                    reject;
                }
            }
        }
        global {
            policy policy-name {
                description description;
                match {
                    application {
                        [application];
                        any;
                    }
                    destination-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-address {
                        [address];
                        any;
                        any-ipv4;
                        any-ipv6;
                    }
                    source-identity {
                        [role-name];
                        any;
                        authenticated-user;
                        unauthenticated-user;
                        unknown-user;
                    }
                }
                scheduler-name scheduler-name;
                then {
                    count {
                        alarm {
                            per-minute-threshold number;
                            per-second-threshold number;
                        }
                    }
                    deny;
                    log {
                        session-close;
                        session-init;
                    }
                    permit {
                        application-services {
                            application-firewall {
                                rule-set rule-set-name;
                            }
                            application-traffic-control {
                                rule-set rule-set-name;
                            }
                            gprs-gtp-profile profile-name;
                            gprs-sctp-profile profile-name;
                            idp;
                            redirect-wx | reverse-redirect-wx;
                            ssl-proxy {
                                profile-name profile-name;
                            }
                            uac-policy {
                                captive-portal captive-portal;
                            }
                            utm-policy policy-name;
                        }
                        destination-address {
                            drop-translated;
                            drop-untranslated;
                        }
                        firewall-authentication {
                            pass-through {
                                access-profile profile-name;
                                client-match user-or-group-name;
                                ssl-termination-profile profile-name;
                                web-redirect;
                                web-redirect-to-https;
                            }
                            user-firewall {
                                access-profile profile-name;
                                ssl-termination-profile profile-name;
                            }
                            web-authentication {
                                client-match user-or-group-name;
                            }
                        }
                        services-offload;
                        tcp-options {
                            sequence-check-required;
                            syn-check-required;
                        }
                    }
                    reject;
                }
            }
        }
        policy-rematch;
        policy-stats {
            system-wide (disable | enable);
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                (no-world-readable | world-readable);
                size maximum-file-size;
            }
            flag flag;
            no-remote-trace;
        }
    }
}
Related Documentation
• Security Configuration Statement Hierarchy
• MPLS Feature Guide for Security Devices
• Application Firewall Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
• Junos OS VPN Library for Security Devices
• Junos OS Logical Systems Library for Security Devices
• Unified Access Control Design and Implementation Guide for Security Devices
• IDP Policies Feature Guide for Security Devices
• Infranet Authentication Feature Guide for Security Devices
alg
Supported Platforms J Series, LN Series, SRX Series
Syntax
alg {
    alg-manager {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    alg-support-lib {
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    dns {
        disable;
        doctoring (none | sanity-check);
        maximum-message-length number;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    ftp {
        allow-mismatch-ip-address;
        disable;
        ftps-extension;
        line-break-extension;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    h323 {
        application-screen {
            message-flood {
                gatekeeper {
                    threshold rate;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        endpoint-registration-timeout value-in-seconds;
        media-source-port-any;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    ike-esp-nat {
        enable;
        esp-gate-timeout value-in-seconds;
        esp-session-timeout value-in-seconds;
        state-timeout value-in-seconds;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    mgcp {
        application-screen {
            connection-flood {
                threshold rate;
            }
            message-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        traceoptions {
            flag flag <extensive>;
        }
        transaction-timeout value-in-seconds;
    }
    msrpc {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    pptp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    real {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rsh {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    rtsp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sccp {
        application-screen {
            call-flood {
                threshold rate;
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        traceoptions {
            flag flag <extensive>;
        }
    }
    sip {
        application-screen {
            protect {
                deny {
                    all {
                        timeout value-in-seconds;
                    }
                    destination-ip address;
                    timeout value-in-seconds;
                }
            }
            unknown-message {
                permit-nat-applied;
                permit-routed;
            }
        }
        c-timeout value-in-minutes;
        disable;
        dscp-rewrite {
            code-point string;
        }
        inactive-media-timeout value-in-seconds;
        maximum-call-duration value-in-minutes;
        retain-hold-resource;
        t1-interval value-in-milliseconds;
        t4-interval value-in-seconds;
        traceoptions {
            flag flag <detail | extensive | terse>;
        }
    }
    sql {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    sunrpc {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    talk {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    tftp {
        disable;
        traceoptions {
            flag {
                all <extensive>;
            }
        }
    }
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            (no-world-readable | world-readable);
            size maximum-file-size;
        }
        level (brief | detail | extensive | verbose);
        no-remote-trace;
    }
}
Hierarchy Level [edit security]
Release Information Statement introduced in Junos OS Release 8.5.
Description Configure an Application Layer Gateway (ALG) on the device. An ALG runs as a service and can be associated in policies with specified types of traffic. ALGs are enabled by default.
Options The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
alg (Applications)
Supported Platforms SRX Series
Syntax alg application;
Hierarchy Level [edit applications application application-name <term term-name>]
Release Information Statement introduced in Junos OS Release 8.5. The ike-esp-nat option introduced in Junos OS Release 10.2.
Description Define an individual Application Layer Gateway (ALG).
Options
application—Name of the application. The following protocols are supported:
• dns—Domain Name Service
• ftp—File Transfer Protocol
• ignore—Ignore application type
• ike-esp-nat—IKE ESP NAT application protocol
• mgcp-ca—Media Gateway Control Protocol with Call Agent
• mgcp-ua—MGCP with User Agent
• ms-rpc—Microsoft RPC
• pptp—Point-to-Point Tunneling Protocol
• q931—ISDN connection control protocol (Q.931)
• ras—Remote Access Service
• realaudio—RealAudio
• rsh—UNIX remote shell services
• rtsp—Real-Time Streaming Protocol
• sccp—Skinny Client Control Protocol
• sip—Session Initiation Protocol
• sqlnet-v2—Oracle SQLNET v2
• sun-rpc—Sun Microsystems RPC
• talk—TALK program
• tftp—Trivial File Transfer Protocol
Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• term (Applications)
ike-esp-nat
Supported Platforms J Series, SRX Series
Syntax
ike-esp-nat {
    enable;
    esp-gate-timeout seconds;
    esp-session-timeout seconds;
    state-timeout seconds;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Configure the Application Layer Gateway (ALG) for Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) traffic with Network Address Translation (NAT).
Options
• enable—Enable the IKE-ESP ALG.
• esp-gate-timeout seconds—Set the timeout for the ESP gates created after an IKE Phase 2 exchange has completed.
Range: 2 through 30 seconds.
Default: 5 seconds.
• esp-session-timeout seconds—Set the idle timeout for the ESP sessions created from the IPsec gates.
Range: 60 through 2400 seconds.
Default: 1800 seconds.
• state-timeout seconds—Set the timeout for the ALG state information.
Range: 180 through 86,400 seconds.
Default: 14,400 seconds.
• traceoptions—Set the IKE-ESP ALG trace options.
  • flag—Specify which tracing operation to perform.
    • all—Trace all operations.
    • extensive—Set trace verbosity level to extensive.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
alg-manager
Supported Platforms J Series, SRX Series
Syntax
alg-manager {
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Description Configure the Application Layer Gateway (ALG) manager.
Options The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
alg-support-lib
Supported Platforms J Series, SRX Series
Syntax
alg-support-lib {
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Configure the Application Layer Gateway (ALG) support library.
Options The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
application-protocol (Applications)
Supported Platforms J Series, LN Series, SRX Series
Syntax application-protocol (dns | ftp | http | ignore | ike-esp-nat | mgcp-ca | mgcp-ua | ms-rpc | q931 | ras | realaudio | rsh | rtsp | sccp | sip | sqlnet-v2 | sun-rpc | talk | tftp);
Hierarchy Level [edit applications application application-name]
Release Information Statement modified in Junos OS Release 8.5. The ike-esp-nat option introduced in Junos OS Release 10.2.
Description Identify the application protocol name. The following protocols are supported:
• dns—Domain Name Service
• ftp—File Transfer Protocol
• ignore—Ignore application type
• ike-esp-nat—IKE ESP NAT application protocol
• mgcp-ca—Media Gateway Control Protocol with Call Agent
• mgcp-ua—MGCP with User Agent
• ms-rpc—Microsoft RPC
• pptp—Point-to-Point Tunneling Protocol
• q931—ISDN connection control protocol (Q.931)
• ras—Remote Access Service
• realaudio—RealAudio
• rsh—UNIX remote shell services
• rtsp—Real-Time Streaming Protocol
• sccp—Skinny Client Control Protocol
• sip—Session Initiation Protocol
• sqlnet-v2—Oracle SQLNET v2
• sun-rpc—Sun Microsystems RPC
• talk—TALK program
• tftp—Trivial File Transfer Protocol
Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Security Policy Applications Feature Guide for Security Devices
ftp (Security ALG)
Supported Platforms J Series, SRX Series
Syntax
ftp {
    allow-mismatch-ip-address;
    disable;
    ftps-extension;
    line-break-extension;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement modified in Junos OS Release 11.4.
Description Specify the FTP ALG on the device.
Options
• disable—Disable the FTP ALG. By default, the FTP ALG is enabled. This option enables or disables the FTP ALG for both IPv4 and IPv6 modes.
• ftps-extension—Enable secure FTP and FTP SSL protocols.
• line-break-extension—Enable the line-break extension. This option enables the FTP ALG to recognize LF as a line break in addition to the standard CR+LF (carriage return followed by line feed).
• traceoptions—Configure FTP ALG tracing options. To specify more than one trace operation, include multiple flag statements.
  • flag—Trace operation to perform.
    • all—Trace all events.
    • extensive—(Optional) Display an extensive amount of data.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
ike (Security)
Supported Platforms J Series, LN Series, SRX Series
Syntax
ike {
    gateway gateway-name {
        address [ip-address-or-hostname];
        dead-peer-detection {
            (always-send | optimized | probe-idle-tunnel);
            interval seconds;
            threshold number;
        }
        dynamic {
            connections-limit number;
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname domain-name | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
            ike-user-type (group-ike-id | shared-ike-id);
        }
        external-interface external-interface-name;
        general-ikeid;
        ike-policy policy-name;
        local-identity {
            (distinguished-name | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        nat-keepalive seconds;
        no-nat-traversal;
        remote-identity {
            (distinguished-name <container container-string> <wildcard wildcard-string> | hostname hostname | inet ip-address | inet6 ipv6-address | user-at-hostname e-mail-address);
        }
        version (v1-only | v2-only);
        xauth {
            access-profile profile-name;
        }
    }
    policy policy-name {
        certificate {
            local-certificate certificate-id;
            peer-certificate-type (pkcs7 | x509-signature);
        }
        description description;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposal-set (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256);
        proposals [proposal-name];
    }
    proposal proposal-name {
        authentication-algorithm (md5 | sha-256 | sha-384 | sha1);
        authentication-method (dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | pre-shared-keys | rsa-signatures);
        description description;
        dh-group (group1 | group14 | group19 | group2 | group20 | group24 | group5);
        encryption-algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc);
        lifetime-seconds seconds;
    }
    respond-bad-spi <max-responses>;
    traceoptions {
        file {
            filename;
            files number;
            match regular-expression;
            size maximum-file-size;
            (world-readable | no-world-readable);
        }
        flag flag;
        no-remote-trace;
        rate-limit messages-per-second;
    }
}
Hierarchy Level [edit security]
Release Information Statement modified in Junos OS Release 8.5. Support for IPv6 addresses added in Junos OS Release 11.1. The inet6 option added in Junos OS Release 11.1.
Description Define the Internet Key Exchange (IKE) configuration.
Options The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• IKE and ESP ALG Feature Guide for Security Devices
• AutoVPN Feature Guide for SRX Series Gateway Devices
• Dynamic VPN Feature Guide for SRX Series Gateway Devices
• IPsec VPN Feature Guide for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
nat-pat-address
Supported Platforms SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800
Syntax
nat-pat-address {
    maximum amount;
    reserved amount;
}
Hierarchy Level [edit system security-profile security-profile-name]
Release Information Statement introduced in Junos OS Release 11.2.
Description Specify the number of NAT with port address translation (PAT) configurations that user logical system administrators and master logical system administrators can configure for their logical systems if the security profile is bound to the logical systems.
The master administrator:
• uses security profiles to provision logical systems with resources.
• binds security profiles to user logical systems and the master logical system.
• can configure more than one security profile, specifying different amounts of resource allocations in various profiles.
Only the master administrator can create security profiles and bind them to logical systems.
Options
• maximum amount—A maximum allowed quota. If a logical system requires more of a resource than its reserved amount allows, it can use resources configured for the global maximum amount if they are available, that is, if they are not allocated to other logical systems. The maximum allowed quota specifies the portion of the free global resources that the logical system can use. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. Logical systems compete for global resources.
• reserved amount—A reserved quota that guarantees that the resource amount specified is always available to the logical system.
Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
• Master Administrator for Logical Systems Feature Guide for Security Devices
policy (Security Policies)
Supported Platforms J Series, SRX Series
Syntax
policy policy-name {
    description description;
    match {
        application {
            [application];
            any;
        }
        destination-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-address {
            [address];
            any;
            any-ipv4;
            any-ipv6;
        }
        source-identity {
            [role-name];
            any;
            authenticated-user;
            unauthenticated-user;
            unknown-user;
        }
    }
    scheduler-name scheduler-name;
    then {
        count {
            alarm {
                per-minute-threshold number;
                per-second-threshold number;
            }
        }
        deny;
        log {
            session-close;
            session-init;
        }
        permit {
            application-services {
                application-firewall {
                    rule-set rule-set-name;
                }
                application-traffic-control {
                    rule-set rule-set-name;
                }
                gprs-gtp-profile profile-name;
                gprs-sctp-profile profile-name;
                idp;
                redirect-wx | reverse-redirect-wx;
                ssl-proxy {
                    profile-name profile-name;
                }
                uac-policy {
                    captive-portal captive-portal;
                }
                utm-policy policy-name;
            }
            destination-address {
                drop-translated;
                drop-untranslated;
            }
            firewall-authentication {
                pass-through {
                    access-profile profile-name;
                    client-match user-or-group-name;
                    web-redirect;
                }
                user-firewall {
                    access-profile profile-name;
                    ssl-termination-profile profile-name;
                }
                web-authentication {
                    client-match user-or-group-name;
                }
            }
            services-offload;
            tcp-options {
                sequence-check-required;
                syn-check-required;
            }
            tunnel {
                ipsec-group-vpn group-vpn;
                ipsec-vpn vpn-name;
                pair-policy pair-policy;
            }
        }
        reject;
    }
}
Hierarchy Level [edit security policies from-zone zone-name to-zone zone-name]
Release Information Statement introduced in Junos OS Release 8.5. The services-offload option added in Junos OS Release 11.4. Statement updated with the source-identity option and the description option added in Junos OS Release 12.1. Support for the user-firewall option added in Junos OS Release 12.1X45-D10.
Description Define a security policy.
Options
policy-name—Name of the security policy.
The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Application Quality of Service Feature Guide for Security Devices
• Security Policies Feature Guide for Security Devices
rtsp
Supported Platforms J Series, SRX Series
Syntax
rtsp {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Specify the Real-Time Streaming Protocol (RTSP) ALG on the device.
Options
• disable—Disable the RTSP ALG. By default, the RTSP ALG is enabled.
• traceoptions—Configure RTSP ALG tracing options.
  • flag—Trace operation to perform.
    • all—Trace all events.
    • extensive—Display an extensive amount of data.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Security Policy Applications Feature Guide for Security Devices
source-nat
Supported Platforms J Series, LN Series, SRX Series
Syntax
source-nat {
    interface {
        persistent-nat {
            address-mapping;
            inactivity-timeout seconds;
            max-session-number value;
            permit (any-remote-host | target-host | target-host-port);
        }
    }
    off;
    pool <pool-name>;
    persistent-nat {
        address-mapping;
        inactivity-timeout seconds;
        max-session-number number;
        permit (any-remote-host | target-host | target-host-port);
    }
    rule-session-count-alarm (clear-threshold value | raise-threshold value);
}
Hierarchy Level [edit security nat source rule-set rule-set-name rule rule-name then]
Release Information Statement modified in Junos OS Release 9.6. Statement modified in Junos OS Release 12.1X45-D10.
Description Specify the action of the source NAT rule.
Options
• off—Do not perform the source NAT operation.
The remaining statements are explained separately.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Network Address Translation Feature Guide for Security Devices
sql
Supported Platforms J Series, SRX Series
Syntax
sql {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Specify the Oracle SQL ALG on the device.
Options
• disable—Disable the SQL ALG. By default, the SQL ALG is disabled.
• traceoptions—Configure SQL ALG tracing options.
  • flag—Trace operation to perform.
    • all—Trace all events.
    • extensive—Display an extensive amount of data.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
talk
Supported Platforms J Series, SRX Series
Syntax
talk {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Specify the TALK program ALG on the device.
Options
• disable—Disable the TALK program ALG. By default, the TALK program ALG is enabled.
• traceoptions—Configure TALK program ALG tracing options.
  • flag—Trace operation to perform.
    • all—Trace all events.
    • extensive—Display an extensive amount of data.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
tftp (Security ALG)
Supported Platforms J Series, SRX Series
Syntax
tftp {
    disable;
    traceoptions {
        flag {
            all <extensive>;
        }
    }
}
Hierarchy Level [edit security alg]
Release Information Statement modified in Junos OS Release 9.2.
Description Configure the Trivial File Transfer Protocol (TFTP) ALG on the device.
Options
• disable—Disable the TFTP ALG. By default, the TFTP ALG is enabled.
NOTE: By default, the TFTP ALG is disabled for SRX Series devices.
• traceoptions—Configure TFTP ALG tracing options.
  • flag—Trace operation to perform.
    • all—Trace all events.
    • extensive—Display an extensive amount of data.
Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
traceoptions (Security ALG)
Supported Platforms J Series , SRX Series
Syntax traceoptions { file {
filename; files number; match regular-expression; size maximum-file-size;
(world-readable | no-world-readable);
} level (brief | detail | extensive | verbose); no-remote-trace;
}
Hierarchy Level [edit security alg]
Release Information Statement introduced in Junos OS Release 8.5.
Description Configure ALG tracing options.
Options
• file —Configure the trace file options.
•
filename
—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.
• files number
—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.
If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.
Range: 2 through 1000 files
Default: 10 files
• match regular-expression —Refine the output to include lines that contain the regular expression.
• size maximum-file-size —Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0
is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.
If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB
• world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.
• level—Set the level of detail of the trace output.
• brief—Match brief messages.
• detail—Match detail messages.
• extensive—Match extensive messages.
• verbose—Match verbose messages.
• no-remote-trace—Disable remote tracing.
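The constraints this entry states (the xk/xm/xg size syntax and its 10 KB to 1 GB range, 2 to 1000 files, files and size only together with a filename, and an owner-only default for a file that lands in /var/log) are easy to get wrong when device configuration is generated by a script. The following is an added example, not Juniper code from this guide, that builds the statement as set commands, rejects invalid combinations, and refuses world-readable unless the caller opts in, since ALG trace output can carry IKE/ESP session detail. The set-command spelling is derived from the syntax block above and is an assumption to verify on the CLI; the function and variable names are the example's own.

```python
"""Build a validated [edit security alg] traceoptions stanza as Junos set commands.

Added example, not Juniper code. It encodes the constraints the traceoptions
reference states: size is written as xk, xm or xg and must be 10 KB to 1 GB;
files must be 2 to 1000; files, size and filename must be configured together;
trace files land in /var/log, so world-readable is refused unless explicitly
allowed. The set-command spelling mirrors the syntax block and is an assumption.
"""
import re

SIZE_RE = re.compile(r"^(\d+)([kmg])$", re.IGNORECASE)
MULT = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
MIN_SIZE, MAX_SIZE = 10 * 1024, 1024 ** 3      # documented range: 10 KB to 1 GB
MIN_FILES, MAX_FILES = 2, 1000                 # documented range: 2 to 1000 files
LEVELS = ("brief", "detail", "extensive", "verbose")
BASE = "set security alg traceoptions"         # assumed set-command prefix


def parse_size(token):
    """Return the byte count for a size token such as '128k', '1m' or '1g'."""
    m = SIZE_RE.match(token.strip())
    if not m:
        raise ValueError(f"bad size {token!r}: use xk, xm or xg")
    return int(m.group(1)) * MULT[m.group(2).lower()]


def build_alg_traceoptions(filename=None, files=None, size=None, level="brief",
                           match=None, world_readable=False,
                           allow_world_readable=False, remote_trace=True):
    """Return the set commands for the stanza, or raise ValueError if invalid."""
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    # The reference says files and size each require the other plus a filename.
    if (files is None) != (size is None):
        raise ValueError("files and size must be configured together")
    if files is not None and filename is None:
        raise ValueError("files and size require a filename")
    if filename is not None and not re.fullmatch(r"[A-Za-z0-9._-]+", filename):
        raise ValueError("filename must be a bare name; Junos places it under /var/log")

    cmds = []
    if filename is not None:
        cmds.append(f"{BASE} file {filename}")
    if files is not None:
        if not MIN_FILES <= files <= MAX_FILES:
            raise ValueError(f"files must be {MIN_FILES}..{MAX_FILES}, got {files}")
        nbytes = parse_size(size)
        if not MIN_SIZE <= nbytes <= MAX_SIZE:
            raise ValueError(f"size must be 10k..1g, got {size}")
        cmds.append(f"{BASE} file files {files}")
        cmds.append(f"{BASE} file size {size}")
    if match is not None:
        cmds.append(f'{BASE} file match "{match}"')
    # Trace output can contain IKE/ESP ALG session detail: keep it owner-only
    # (the documented default) unless the caller deliberately opts out.
    if world_readable:
        if not allow_world_readable:
            raise ValueError("world-readable exposes the trace to every local user; "
                             "pass allow_world_readable=True to override")
        cmds.append(f"{BASE} file world-readable")
    else:
        cmds.append(f"{BASE} file no-world-readable")
    cmds.append(f"{BASE} level {level}")
    if not remote_trace:
        cmds.append(f"{BASE} no-remote-trace")
    return cmds


def is_valid(**kwargs):
    """True if build_alg_traceoptions accepts the combination, False otherwise."""
    try:
        build_alg_traceoptions(**kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cmd in build_alg_traceoptions(filename="alg-trace", files=5, size="1m",
                                      level="extensive"):
        print(cmd)
```

Paste the emitted commands into configuration mode and commit; the explicit no-world-readable line only restates the default, but it keeps the intent visible in the configuration and survives a later copy of a stanza that had world-readable set.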
Required Privilege
Level trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.
Related Documentation
• Junos OS Application Layer Gateways (ALGs) Library for Security Devices
PART 3
Administration
• Operational Commands on page 51
CHAPTER 4
Operational Commands
• clear security alg ike-esp-nat
• show security alg ike-esp-nat summary
• show security zones
• show security zones type
clear security alg ike-esp-nat
Supported Platforms J Series , SRX Series
Syntax clear security alg ike-esp-nat
Release Information Command introduced in Junos OS Release 10.2.
Description Clear state information about Application Layer Gateway (ALG) for IKE and ESP.
Required Privilege
Level clear
Related Documentation
• show security alg ike-esp-nat summary on page 53
List of Sample Output
clear security alg ike-esp-nat on page 52
Output Fields This command produces no output fields; it returns only a one-line confirmation, as the sample shows.
Sample Output
clear security alg ike-esp-nat
user@host> clear security alg ike-esp-nat
10 active IKE-ESP alg state cleared
show security alg ike-esp-nat summary
Supported Platforms J Series , SRX Series
Syntax show security alg ike-esp-nat summary
Release Information Command introduced in Junos OS Release 10.2.
Description Display Application Layer Gateway (ALG) for IKE and ESP information summary.
Required Privilege
Level view
Related Documentation
• clear security alg ike-esp-nat on page 52
List of Sample Output
show security alg ike-esp-nat summary on page 53
Sample Output
show security alg ike-esp-nat summary
user@host> show security alg ike-esp-nat summary
Initiator cookie: d5732d9b4114de1a
Responder cookie: 4776fe31164ef
Session-ID: 13
ALG state : 1
Timeout: 6292
Used IKE cookies: 0
Maximum IKE cookies: 2400
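The counters at the end of this output are what an operator watches: Used IKE cookies against Maximum IKE cookies bounds how much IKE-ESP ALG state the device will hold, and a Timeout close to zero means the ALG is about to discard the session. The following added example (not Juniper code) parses this output and reports those two conditions. It assumes that several sessions are printed back to back, each beginning with Initiator cookie, and it reads the cookie counters as entries in use versus table capacity; both are this example's own interpretation. The first sample is the one shown above; the second, busier sample is constructed for illustration.

```python
"""Parse 'show security alg ike-esp-nat summary' output and flag capacity and expiry.

Added example, not Juniper code. Field names follow the sample output in this
guide. The assumption that several sessions are printed back to back, each
starting at 'Initiator cookie', and the reading of the cookie counters as
entries in use versus table capacity, are this example's own.
"""
import re

# Sample taken from the guide: one session, empty cookie table.
GUIDE_SAMPLE = """\
Initiator cookie: d5732d9b4114de1a
Responder cookie: 4776fe31164ef
Session-ID: 13
ALG state : 1
Timeout: 6292
Used IKE cookies: 0
Maximum IKE cookies: 2400
"""

# Constructed sample: two sessions, one close to its timeout, and a nearly
# full cookie table. The cookie values and counters are made up.
BUSY_SAMPLE = """\
Initiator cookie: d5732d9b4114de1a
Responder cookie: 4776fe31164ef
Session-ID: 13
ALG state : 1
Timeout: 6292
Initiator cookie: 0a1b2c3d4e5f6071
Responder cookie: 8899aabbccddeeff
Session-ID: 27
ALG state : 1
Timeout: 45
Used IKE cookies: 2280
Maximum IKE cookies: 2400
"""

# 'key : value' with an optional space before the colon (as in 'ALG state : 1').
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<val>\S+)\s*$")


def parse_summary(text):
    """Return (sessions, used, maximum); sessions is a list of dicts per session."""
    sessions, current = [], None
    used = maximum = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").lower(), m.group("val")
        if key == "used ike cookies":
            used = int(val)
        elif key == "maximum ike cookies":
            maximum = int(val)
        elif key == "initiator cookie":
            current = {"initiator": val}       # a new session block starts here
            sessions.append(current)
        elif current is None:
            continue                           # field before any session: ignore
        elif key == "responder cookie":
            current["responder"] = val
        elif key == "session-id":
            current["session_id"] = int(val)
        elif key == "alg state":
            current["state"] = int(val)
        elif key == "timeout":
            current["timeout"] = int(val)
    return sessions, used, maximum


def assess(text, util_threshold=0.9, expiry_threshold=60):
    """Summarise the output and list conditions that deserve an operator's attention."""
    sessions, used, maximum = parse_summary(text)
    findings = []
    utilization = None
    if used is not None and maximum:
        utilization = used / maximum
        if utilization >= util_threshold:
            findings.append(f"IKE cookie table at {utilization:.0%} ({used}/{maximum}); "
                            "new IKE negotiations through NAT may be dropped")
    for s in sessions:
        if s.get("timeout", expiry_threshold + 1) <= expiry_threshold:
            findings.append(f"session {s.get('session_id')} ({s['initiator']}) expires in "
                            f"{s['timeout']} s; check the ALG timeout settings")
    return {"sessions": len(sessions), "used": used, "maximum": maximum,
            "utilization": utilization, "findings": findings}


if __name__ == "__main__":
    for sample in (GUIDE_SAMPLE, BUSY_SAMPLE):
        print(assess(sample))
```

Feed it the command output as captured over SSH or NETCONF; the two thresholds are parameters so a monitoring job can tune them. A table that sits near its maximum while the VPN client count has not grown is the condition to investigate, because stale or flooded entries leave no room for legitimate NAT-traversed peers.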
show security zones
Supported Platforms J Series , LN Series , SRX Series
Syntax show security zones
<detail | terse>
<zone-name>
Release Information Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1.
Description Display information about security zones.
Options
• none—Display information about all zones.
• detail | terse—(Optional) Display the specified level of output.
• zone-name—(Optional) Display information about the specified zone.
Required Privilege
Level view
Related Documentation
• Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• security-zone
• Security Zones and Interfaces Feature Guide for Security Devices
• Junos OS Logical Systems Library for Security Devices
List of Sample Output
show security zones terse on page 56
Output Fields
Table 3 lists the output fields for the show security zones command. Output fields are listed in the approximate order in which they appear.
Table 3: show security zones Output Fields
Field Name             Field Description
Security zone          Name of the security zone.
Description            Description of the security zone.
Policy configurable    Whether the policy can be configured or not.
Interfaces bound       Number of interfaces in the zone.
Interfaces             List of the interfaces in the zone.
Zone                   Name of the zone.
Type                   Type of the zone.
Sample Output
show security zones
user@host> show security zones
Functional zone: management
Description: This is the management zone.
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: Host
Description: This is the host zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
fxp0.0
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: def
Description: This is the def zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/2.0
Sample Output
show security zones abc
user@host> show security zones abc
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Sample Output
show security zones abc detail
user@host> show security zones abc detail
Security zone: abc
Description: This is the abc zone.
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Sample Output
show security zones terse
user@host> show security zones terse
Zone            Type
my-internal     Security
my-external     Security
dmz             Security
show security zones type
Supported Platforms J Series , LN Series , SRX Series
Syntax show security zones type
(functional | security)
<detail | terse>
Release Information Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1.
Description Display information about security zones of the specified type.
Options
• functional—Display functional zones.
• security—Display security zones.
• detail | terse—(Optional) Display the specified level of output.
Required Privilege
Level view
Related Documentation
• security-zone
• Security Zones and Interfaces Feature Guide for Security Devices
List of Sample Output
show security zones type functional
show security zones type security
show security zones type security terse
show security zones type security detail
Output Fields
Table 4 lists the output fields for the show security zones type command. Output fields are listed in the approximate order in which they appear.
Table 4: show security zones type Output Fields
Field Name             Field Description
Security zone          Zone name.
Description            Description of the security zone.
Policy configurable    Whether the policy can be configured or not.
Interfaces bound       Number of interfaces in the zone.
Interfaces             List of the interfaces in the zone.
Zone                   Name of the zone.
Type                   Type of the zone.
Sample Output
show security zones type functional
user@host> show security zones type functional
Functional zone: management
Description: management zone
Policy configurable: No
Interfaces bound: 0
Interfaces:
Sample Output
show security zones type security
user@host> show security zones type security
Security zone: trust
Description: trust zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: untrust
Description: untrust zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: junos-host
Description: junos-host zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
Sample Output
show security zones type security terse
user@host> show security zones type security terse
Zone            Type
trust           Security
untrust         Security
junos-host      Security
Sample Output
show security zones type security detail
user@host> show security zones type security detail
Security zone: trust
Description: trust zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: untrust
Description: untrust zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/1.0
Security zone: junos-host
Description: junos-host zone
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
PART 4
Index
Index
Symbols
#, comments in configuration statements
( ), in syntax descriptions
< >, in syntax descriptions
[ ], in configuration statements
{ }, in configuration statements
| (pipe), in syntax descriptions
A
alg statement
alg-ike-esp-nat
alg-manager
alg-support-lib
application-protocol statement
Applications Configuration Statement Hierarchy
B
braces, in configuration statements
brackets
    angle, in syntax descriptions
    square, in configuration statements
C
clear security alg ike-esp-nat command
comments, in configuration statements
conventions
    text and syntax
curly braces, in configuration statements
customer support
    contacting JTAC
D
documentation
    comments on
F
firewall filters statistics
    displaying
font conventions
ftp statement
I
IKE ALG configuration
    setting timeouts
ike statement (Security)
M
manuals
    comments on
N
nat-pat-address statement
P
parentheses, in syntax descriptions
policy statement (Security Policies)
R
rtsp statement
S
show security alg ike-esp-nat summary command
show security zones command
show security zones type command
source-nat statement (Source NAT Services Gateway)
sql statement
support, technical See technical support
syntax conventions
T
talk statement
technical support
    contacting JTAC
tftp statement
traceoptions statement (ALG)