
[ScreenOS] What is a Crypto-policy?


Article ID: KB27101 KB Last Updated: 18 Mar 2013Version: 1.0
Summary:
This article provides information about the crypto options that are available on the firewall.
Symptoms:
Information about the crypto options that are available on the firewall.
Cause:

Solution:
A crypto-policy is a set of access lists that determines which proposals can be used when configuring VPN Phase 1 and Phase 2.

The following types of administrators can configure a crypto-policy:

  • Root administrator

  • Read-write admin user, without any role attribute assigned.

  • Read-write admin user with a cryptographic role

The default crypto-policy that is set on the firewall is as follows:
isg2000.192-> get crypto-policy
crypto policies:
encryption alg supported: ALL
authentication alg supported: ALL
DH group supported: ALL
mode supported: ALL
authentication method supported: ALL
no limitation for P1 lifetime
no limitation for P2 lifetime
no limitation for P2 lifesize
To configure the crypto-policy, first enter its context with the following command:
isg2000.192-> set crypto-policy
isg2000.192(crypto-policy)->
The parameters that can be configured are described below:

  • Encryption ALG - The encryption algorithms that can be configured are as follows:
    isg2000.192(crypto-policy)-> set encrypt-alg ?
    3des        3DES - Encrypt Alg
    aes128      AES(128bits) - Encrypt Alg
    aes192      AES(192bits) - Encrypt Alg
    aes256      AES(256bits) - Encrypt Alg
    des         DES - Encrypt Alg
  • Authentication ALG - The authentication algorithms that can be configured are as follows:
    isg2000.192(crypto-policy)-> set auth-alg ?
    md5         HMAC-MD5 - Auth Alg
    sha-1       HMAC-SHA1 - Auth Alg
    sha2-256    HMAC-SHA2-256 - Auth Alg
  • DH Group - The DH groups that can be configured are as follows:
    isg2000.192(crypto-policy)-> set dh ?
    group1      DH Group 1
    group14     DH Group 14
    group19     DH Group 19
    group2      DH Group 2
    group20     DH Group 20
    group5      DH Group 5
    no-pfs      no-pfs (only for p2 sa)
  • Mode - The configuration that selects support for Main or Aggressive mode is as follows:
    isg2000.192(crypto-policy)-> set mode ?
    aggressive  Aggressive Mode
    main        Main Mode (ID protection)
  • Authentication method - This configuration decides whether preshared-key or certificate-based authentication is supported:
    isg2000.192(crypto-policy)-> set auth-method ?
    dsa-sig     Authenticated by DSA Signature
    eap         Authenticated by EAP (only in V2)
    ecdsa-sig   Authenticated by ECDSA Signature
    preshare    Authenticated by Preshared Key
    rsa-sig     Authenticated by RSA Signature
  • Phase-1 Lifetime - This configures the upper limit on the Phase-1 SA lifetime:
    isg2000.192(crypto-policy)-> set p1-sa-lifetime upper-threshold ?
    days        Lifetime in (day)
    hours       Lifetime in (hour)
    minutes     Lifetime in (min)
    seconds     Lifetime in (sec)
  • Phase-2 Lifetime - This configures the upper limit on the Phase-2 SA lifetime:
    isg2000.192(crypto-policy)-> set p2-sa-lifetime upper-threshold ?
    days        Lifetime in (day)
    hours       Lifetime in (hour)
    minutes     Lifetime in (min)
    seconds     Lifetime in (sec)
  • Phase-2 Lifesize - This configures the upper limit on the Phase-2 SA lifesize:
    isg2000.192(crypto-policy)-> set p2-sa-lifesize upper-threshold ?
    <number>    Lifesize
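As an added check that is not part of this article or of ScreenOS: a small Python audit that parses the `get crypto-policy` output shown above and reports fields still at ALL, weak options taken from the option lists above (des, md5, group1/group2, aggressive) and SA lifetimes with no upper threshold. The line layout of a restricted policy's output is an assumption, since the article only shows the default.

```python
import re
# Weak choices from the option lists this article prints (encrypt-alg, auth-alg, dh, mode).
WEAK_OPTIONS = {"encryption alg": {"des"}, "authentication alg": {"md5"},
                "dh group": {"group1", "group2"}, "mode": {"aggressive"}}
LIMIT_FIELDS = ("p1 lifetime", "p2 lifetime", "p2 lifesize")

def parse_crypto_policy(text):
    """Parse 'get crypto-policy' output into {field: [values]}, lower-cased. Assumption:
    a restricted field lists its permitted values where the default output prints ALL."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?) supported:\s*(.*)$", line)
        if m:  # 'DH group supported: ALL' -> {'dh group': ['all']}
            values = re.split(r"[,\s]+", m.group(2).strip().lower())
            policy[m.group(1).strip().lower()] = [v for v in values if v]
        elif "no limitation for" in line:  # 'no limitation for P1 lifetime'
            policy[line.split("for", 1)[1].strip().lower()] = ["unlimited"]
    return policy

def audit_crypto_policy(text):
    """Return findings for fields that accept any peer proposal or a weak option."""
    policy, findings = parse_crypto_policy(text), []
    for field, weak in WEAK_OPTIONS.items():
        values = policy.get(field, [])
        if "all" in values:
            findings.append(f"{field}: unrestricted (ALL)")
        for option in sorted(set(values) & weak):
            findings.append(f"{field}: weak option '{option}' permitted")
    for field in LIMIT_FIELDS:
        if policy.get(field) == ["unlimited"]:
            findings.append(f"{field}: no upper threshold configured")
    return findings

# Default output exactly as the article shows it for 'get crypto-policy'.
DEFAULT_POLICY = """crypto policies:
encryption alg supported: ALL
authentication alg supported: ALL
DH group supported: ALL
mode supported: ALL
authentication method supported: ALL
no limitation for P1 lifetime
no limitation for P2 lifetime
no limitation for P2 lifesize"""
# Constructed output for a restricted policy (line layout assumed, not from the article).
RESTRICTED_POLICY = """encryption alg supported: aes256 aes128
authentication alg supported: sha2-256
DH group supported: group14 group2
mode supported: main
no limitation for P2 lifesize"""
```

Running `audit_crypto_policy(DEFAULT_POLICY)` returns seven findings for the factory default, while the constructed restricted policy only reports the lingering group2 and the missing Phase-2 lifesize threshold.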