[SRX] Encrypting messages between two nodes in a chassis cluster

Article ID: KB34629 KB Last Updated: 28 Jun 2019Version: 1.0
Summary:

On high-end Junos OS security devices, the control link can optionally be configured to encrypt messages between the two nodes of a chassis cluster. This ensures that logins between the nodes are protected by the configured internal IPsec security association (SA).

This article details the procedure to enable this encryption on high-end Junos OS security devices.


Symptoms:

When the internal IPsec SA is configured, IPsec-based rlogin and remote command (rcmd) are enforced so that attackers cannot gain privileged access or observe traffic containing administrator commands and outputs.

Note: You do not need to configure the internal IPsec SA on both nodes because the nodes are synchronized when the configuration is committed.


Solution:

To configure this feature, execute the following commands:

{primary:node0} [edit security ipsec internal security-association]
root@srx-8# show | display set 
set security ipsec internal security-association manual encryption algorithm 3des-cbc
set security ipsec internal security-association manual encryption ike-ha-link-encryption enable
set security ipsec internal security-association manual encryption key ascii-text "$9$8gPx-b4aU.PQs2PQFnpu8X7dsgGUHPT3.Pu1EhvMwYgJjq3n9CpBFntOREeKZGDj.fu01hcr"

Note: The only supported encryption algorithm is 3des-cbc, and the key must be exactly 24 bytes long; otherwise, the commit fails.

Example of a commit failure caused by a key that is shorter or longer than 24 bytes:

{primary:node0}[edit]
root@srx-8# ...ssociation manual encryption key ascii-text JuniperNetworksIpsecVPNControl          <<< 30 bytes instead of 24

{primary:node0}[edit]
root@srx-8# commit  
warning: 3des key size must be 24 bytes
error: configuration check-out failed

After the settings have been configured correctly and committed, a reboot is required for the feature to take effect.

{primary:node0}[edit]
root@srx-8# commit 
warning: changes needs reboot to take effect
node0: 
commit complete
node1:
commit complete 

Before the reboot, the status of this feature is still reported as disabled:

{primary:node0}
root@srx-8> show security internal-security-association      

node0:
--------------------------------------------------------------------------
Internal SA Status : Disabled
HA link encryption for IKE internal message status: Disabled

node1:
--------------------------------------------------------------------------
Internal SA Status : Disabled
HA link encryption for IKE internal message status: Disabled

After the reboot, verify that the encryption is active on both nodes with the following command:

{primary:node0}
root@srx-8> show security internal-security-association      

node0:
--------------------------------------------------------------------------
Internal SA Status : Enabled
HA link encryption for IKE internal message status: Enabled

node1:
--------------------------------------------------------------------------
Internal SA Status : Enabled
HA link encryption for IKE internal message status: Enabled
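As an added example (not part of this KB article or of Junos OS), the following Python helper applies the two checks this procedure depends on: that an ascii-text key is exactly 24 bytes, and that the output of show security internal-security-association reports both statuses as Enabled on every node after the reboot. The sample output is constructed, modelled on the article's, with node1 deliberately left partially disabled.

```python
import re

# Constructed sample, modelled on the article's
# "show security internal-security-association" output.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Internal SA Status : Enabled
HA link encryption for IKE internal message status: Enabled

node1:
--------------------------------------------------------------------------
Internal SA Status : Enabled
HA link encryption for IKE internal message status: Disabled
"""

KEY_LEN_3DES = 24  # 3des-cbc key must be exactly 24 bytes or the commit fails


def check_3des_key(key: str) -> bool:
    """True if the ascii-text key is exactly 24 bytes long."""
    # The limit is in bytes, so a non-ASCII character counts for more than one.
    return len(key.encode("utf-8")) == KEY_LEN_3DES


def parse_internal_sa_status(output: str) -> dict:
    """Map node name -> {'sa': bool, 'ha_link': bool} from the show output."""
    result, node = {}, None
    for line in output.splitlines():
        m = re.match(r"^(node\d+):\s*$", line)
        if m:
            node = m.group(1)
            result[node] = {}
            continue
        if node is None:
            continue
        m = re.match(r"^Internal SA Status\s*:\s*(\w+)", line)
        if m:
            result[node]["sa"] = m.group(1) == "Enabled"
        m = re.match(r"^HA link encryption for IKE internal message status:\s*(\w+)", line)
        if m:
            result[node]["ha_link"] = m.group(1) == "Enabled"
    return result


def all_nodes_encrypted(output: str) -> bool:
    """True only when every node reports both statuses as Enabled."""
    st = parse_internal_sa_status(output)
    return bool(st) and all(v.get("sa") and v.get("ha_link") for v in st.values())
```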

For additional information, refer to the documentation for the internal (Security IPsec) configuration statement.
