Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 228

Configuring ScreenOS Devices Guide

decrypt the data. For additional security, you can encrypt the keys that decrypt the data using Diffie-Hellman asymmetric encryption. ESP can also authenticate data in the VPN using MD5 and SHA-1 algorithms. You can use ESP to encrypt, authenticate, or encrypt and authenticate data depending on your security requirements.

NOTE: We strongly recommend that you do not use null AH with ESP.

Because ESP uses keys to encrypt and decrypt data, each VPN node must have the correct key to send and receive VPN data through the VPN tunnel.

You can manually configure a key for each VPN node, or use a key exchange protocol to automate key generation and distribution. Table 49 on page 204 describes how to configure keys.

Table 49: Configuring Keys

Generating Keys        Description

Manual Key IKE
You can specify the encryption algorithm, authentication algorithm, and the Security Parameter Index (SPI) for each VPN node. Because all security parameters are static and consistent, VPN nodes can send and receive data automatically, without negotiation.

Autokey IKE
You can use the Internet Key Exchange (IKE) protocol to generate and distribute encryption keys and authentication algorithms to all VPN nodes. IKE automatically generates new encryption keys for the traffic on the network, and automatically replaces those keys when they expire. Because IKE generates keys automatically, you can give each key a short life span, making it expire before it can be broken. By also exchanging authentication algorithms, IKE can confirm that the communication in the VPN tunnel is secure.

Because all security parameters are dynamically assigned, VPN nodes must negotiate the exact set of security parameters that will be used to send and receive data to other VPN nodes. To enable negotiations, each VPN node contains a list of proposals; each proposal is a set of encryption keys and authentication algorithms. When a VPN node attempts to send data through the VPN tunnel, IKE compares the proposals from each VPN node and selects a proposal that is common to both nodes. If IKE cannot find a proposal that exists on both nodes, the connection is not established.

IKE negotiations include two phases:

In Phase 1, two members establish a secure and authenticated communication channel.

In Phase 2, two members negotiate Security Associations for services (such as IPsec) that require key material and/or parameters.

VPN nodes must use the same authentication and encryption algorithms to establish communication.

Replay protection
In a replay attack, an attacker intercepts a series of legitimate packets and uses them to create a denial of service (DoS) against the packet destination or to gain entry to trusted networks. Replay protection enables your security devices to inspect every IPsec packet to see if the packet has been received before—if packets arrive outside a specified sequence range, the security device rejects them.

Related Documentation

Defining Members and Topology in NSM on page 207

Traffic Protection Using Tunneling Protocol in NSM Overview on page 202

204
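The replay protection entry above says that packets arriving outside a specified sequence range are rejected. The following is an added example, not code from the Juniper guide or from ScreenOS, of how an IPsec-style anti-replay sliding window (the bitmap scheme of RFC 4303 Appendix A) decides whether an incoming ESP sequence number is accepted, rejected as stale, or rejected as a replay; the window size of 64 and the packet trace are constructed.

```python
# Added example (not from the Juniper guide or ScreenOS): an IPsec-style
# anti-replay sliding window in the style of RFC 4303 Appendix A.
# Window size and the sequence-number trace below are constructed.

class AntiReplayWindow:
    """Track received ESP sequence numbers with a fixed-size bitmap window."""

    def __init__(self, size=64):
        self.size = size      # number of sequence numbers the window covers
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        """Return "accept", "old" (left of the window) or "replay" (duplicate)."""
        if seq == 0:
            return "old"      # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            # New highest sequence number: slide the window forward, dropping
            # bits that fall off the left edge, and mark the new top as seen.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "old"      # outside the sequence range: reject
        if self.bitmap & (1 << offset):
            return "replay"   # already received: reject as a replayed packet
        self.bitmap |= 1 << offset
        return "accept"       # late but within the window and not yet seen


def run_trace(seqs, size=64):
    """Feed a constructed packet trace through one window; return verdicts."""
    win = AntiReplayWindow(size)
    return [(s, win.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order packets, reordering, a duplicate, a large
    # jump that slides the window, then packets that fall behind the window.
    for seq, verdict in run_trace([1, 2, 5, 3, 3, 70, 4, 6, 200, 100]):
        print(f"seq={seq:4d} -> {verdict}")
```

The window only detects duplicates; the packet's integrity check value (the MD5 or SHA-1 authentication described above) is what stops an attacker from forging a fresh sequence number.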
Copyright © 2010, Juniper Networks, Inc.