<

Go Premium for a chance to win a PS4. Enter to Win

x

Juniper SSG VPN with FIPS

Published on
10,543 Points
4,443 Views
1 Endorsement
Last Modified:
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140.


What and Why of FIPS 140
Federal Information Processing Standard (FIPS) 140 is a US Federal Government standard for information systems security and protection. Vendors submit their products for testing and once they pass testing, the product is FIPS 140 certified. However, the FIPS 140 certification stipulates a specific configuration and operating system. If you are working on a governmental project or have data that requires US governmental classification, FIPS 140 is usually required.  Outside of required use, FIPS 140 can be used to provide advanced information security. Read more at http://en.wikipedia.org/wiki/FIPS_140.

Juniper has several models and versions  of ScreenOS that are FIPS compliant. See their web site  http://www.juniper.net/techpubs/hardware/netscreen-certifications.html for details.


Juniper Configuration Guide
If you are new to setting up Junipers using ScreenOS, I recommend getting the Concepts and Examples Guide for your ScreenOS version at http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/screenos/product/index.html.
 
Chapter "Site-to-Site Virtual Private Networks" and section “Route-Based Site-to-Site VPN, AutoKey IKE”  covers the basic setup for site to site VPN networks, but several of the items the guide tells us to do, don't work in FIPS mode. After much experimentation, I came up with a configuration that works and I wanted to share it here to help anyone else from having to go though what I did.


Setting up FIPS Mode
This example is based on ScreenOS 5.4.0r4 because at the time, it was the only version FIPS certified.Since then, ScreenOS 6.2 has become certified. Other versions of ScreenOS support FIPS mode, but have not been tested and certified. If you don't require a certified version, you can use the most current release of ScreenOS.

This guide assumes you know how to configure a Juniper SSG. If you need help, read through the Concepts & Examples Guide listed above.

You must use a console cable to configure the routers. FIPS mode disables Telnet and HTTP management. Setup the minimum configuration to allow you to connect to the inside port. Don't add any rules or other configuration because as soon as FIPS mode is turned on, your configuration is erased.

The first order of business is to upgrade or downgrade the ScreenOS version desired. Set up a TFTP server and load the ScreenOS on the SSG and change the ScreenOS and reboot.

FIPS mode will do a checksum on the ScreenOS on boot up.  So before you switch to FIPS mode,  you must install the Authentication Certificate from http://www.juniper.net/techpubs/software/screenos/mibs.html to the router using a TFTP server. 192.168.1.5 is our TFTP server in this example.
save image-key tftp 192.168.1.5 imagekey.cer from bgroup0

Open in new window

Once the certificate is loaded, enable FIPS mode
set FIPS-mode enable

Open in new window

The device will reboot and erase the configuration.

Configure the basic administration and interface information. Change the admin account’s name and password. The FIPS password must have Uppercase letters, Lowercase letters, Numbers and Punctuation.


VPN Setup

The most important part is configuring VPN with a Preshared Key.
First, we have to define our own Phase 1 group because FIPS-mode deleted them. FIPS requires a more stringent phase 1, using DH Group 5, at least Triple DES, and no MD5:
set ike p1-proposal pre-g5-esp-3des-sha-1 group5 esp 3des sha-1

Open in new window

Assign the Phase 1 proposal to the remote gateway. Use your remote gateway’s IP address. This example uses 10.10.10.1, and h1p8A24nG5 is the example preshared key:
set ike gateway To_Remote address 10.10.10.1 main outgoing-interface ethernet0/0 preshare h1p8A24nG5 proposal pre-g5-esp-3des-sha-1

Open in new window

Next, the Phase 2 proposal with the same choice of settings:
set ike p2-proposal g5-esp-3des-sha-1 group5 esp 3des sha-1

Open in new window

Set up the VPN tunnel with our Phase 2 proposal and bind to an tunnel interface (we will use route-based VPN):
set vpn New_Tunnel gateway To_Remote proposal g5-esp-3des-sha-1
set vpn New_Tunnel bind interface tunnel.1

Open in new window

Define the IP address at the end of the tunnel (192.1681.0 is local, 192.168.2.0 is remote):
set vpn New_Tunnel proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 any

Open in new window

Setup a route to the other network:
set vrouter trust-vr route 192.168.2.0/24 interface tunnel.1

Open in new window

Define names for your LANs:
set address Trust Local_LAN 192.168.1.0/24
set address Untrust Remote_Office 192.168.2.0/24

Open in new window

And then setup policies to allow the traffic:
set policy top name "To Remote" from Trust to Untrust Local_LAN Remote_Office any permit
set policy top name "From Remote" from Untrust to Trust Remote_Office Local_LAN any permit

Open in new window

Finally, we save the configuration.
save

Open in new window

Reverse the subnets for the other side of the VPN tunnel and configure that unit.


Limitations for Configuring
Because of FIPS restriction the VPN created above does not allow for remote mangement via Telnet or HTTP – those would require a VPN using AES 256.
Locally, Telnet and HTTP(S) are not available anyway.
And remember that import/export of configuration files is disabled with FIPS mode. If you want to save your configuration somewhere outside of the Juniper device you will need to either capture the   get config   output of the console or a SSHv2 session, or use the WebUI/Telnet passing a AES 256 VPN.

Juniper recommends to set up SSHv2, and disable configuration using the console port. But caution: SSHv2 uses Triple DES, which is considered to have 112 bits key length – and you cannot configure a VPN with an higher encryption, like AES 256, which is required for remote configuration using HTTP or Telnet. If you disable the console port as recommended, without having created a AES 256 VPN for remote administration, you are not able to do so anymore. As soon as you try to enable console port administration again, your FIPS mode is disabled and the configuration erased!


This should help you get a VPN tunnel setup on your FIPS mode Juniper. If you have any questions, leave a comment, and I’ll get back to you.

Happy networking!
1
Comment
Author:dcj21
0 Comments

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Join & Write a Comment

After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month