Manual Key VPN Tunnel Configuration

Juniper Networks supports IPSec technology for creating VPN tunnels with two kinds of key creation mechanisms:

With Manual Keys, administrators at both ends of a tunnel configure all the security parameters. This is a viable technique for small, static networks where the distribution, maintenance, and tracking of keys is not difficult. However, safely distributing Manual Key configurations across great distances poses security issues. Aside from passing the keys face-to-face, you cannot be completely sure that the keys have not been compromised while in transit. Also, whenever you want to change the key, you are faced with the same security issues as when you initially distributed it.

To Create a Manual Key VPN

  1. Enter the necessary information in the following fields:

VPN Tunnel Name: The name identifying this VPN tunnel definition. Choose a descriptive name to help you identify the VPN tunnel. The name must be unique and is limited to 20 characters.

Gateway IP: The public IP address of the remote peer.

Security Index (HEX Number): A pair of local and remote security index numbers that uniquely distinguishes a particular encrypted tunnel from the others being used at the same time. Only a hexadecimal value greater than 3000 is accepted. The local security index serves as the other end's remote security index and vice versa. If you enter "Value_A Value_B", the other end of the tunnel must switch the order of the two components, as in "Value_B Value_A".

Outgoing Interface: Select the interface that you want to use to terminate the VPN tunnel on the local device from the Outgoing Interface drop-down list.

Note: The IP address of the outgoing interface is what the remote peer uses as the remote gateway address in its VPN configuration.

  2. Select ESP-CBC or AH. Encapsulating Security Payload (ESP) provides both encryption and authentication of an IP packet. Authentication Header (AH) provides authentication only.

ESP-CBC

Encryption Algorithm: An algorithm used for encryption. You can select NULL, DES-CBC, AES-CBC (128 bits), 3DES-CBC, AES-CBC (192 bits), or AES-CBC (256 bits).

HEX Key: An encryption key for the algorithm specified. Four fields are available, each holding up to 8 bytes (16 hexadecimal characters, or 64 bits) of key material. The fields are concatenated, left to right, to form the complete key. For 56- or 64-bit keys such as DES, fill in only the left-most field with 16 hexadecimal characters. For 3DES, fill in the left-most three fields. Depending on the peer device, these fields should comprise "key1, key2, key3" or "key1, key2, key1", where key1, key2, and key3 are distinct strings of 16 hexadecimal characters. For other cryptographic algorithms, enter the appropriate number of hexadecimal characters.

Generate Key by Password: The NetScreen device provides assistance in creating the hexadecimal key by allowing a password to define the generation of the hex key.

Note: The use of the password feature is a convenience and might lead to similar keys.

Authentication Algorithm: An algorithm used for authenticating the content of the encrypted IP packets. You can leave this field as NULL to omit authentication, or select either MD5 or SHA-1 from the drop-down menu.

HEX Key (16/20 Bytes): A hexadecimal value used to perform the authentication hash algorithm. For MD5, the key must be 16 bytes long. For SHA-1, the key must be 20 bytes long. (Two hexadecimal characters equal one byte.) In the fields to the right of the HEX Key radio button, enter a key with the appropriate length.

Generate Key by Password: You can direct the NetScreen device to generate a key for your selected hash algorithm based on a password that you enter. If you wish to use this option, select the Generate Key by Password radio button and enter a password in the corresponding field.

Note: The use of the password feature is a convenience and might lead to similar keys.

AH

The authentication header (AH) is used to verify a packet's authenticity. The header contains a cryptographic checksum calculated via a hash-based message authentication code (HMAC) coupled with MD5 or SHA-1. You can select either of these algorithms from the drop-down box.

Hash Algorithm: The hash algorithm is selectable. You can use either MD5 or SHA-1. MD5 requires a 16-byte key; SHA-1 requires a 20-byte key. In the fields to the right of the HEX Key radio button, enter a key with the appropriate length.

HEX Key (16/20 Bytes): A hexadecimal value used to perform the authentication hash algorithm. For MD5, the key must be 16 bytes long. For SHA-1, the key must be 20 bytes long. (Two hexadecimal characters equal one byte.) In the fields to the right of the HEX Key radio button, enter a key with the appropriate length.

Generate Key by Password: You can direct the NetScreen device to generate a key for your selected hash algorithm based on a password that you enter. If you wish to use this option, select the Generate Key by Password radio button and enter a password in the corresponding field.

Note: The use of the password feature is a convenience and might lead to similar keys.

  3. Click OK to save your changes.

  4. Click Advanced to complete the Manual Key VPN Tunnel configuration. For more information, see Manual Key VPN Tunnel Advanced Configuration.
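The field rules above (four 16-character HEX Key fields concatenated into one key, DES/3DES/MD5/SHA-1 key lengths, security index values greater than hex 3000, and the swapped index order on the far end) are easy to get wrong when two administrators type the same entry by hand. The following added example, which is not NetScreen code, checks an entry before it is typed in and derives the peer's mirrored view; the AES key sizes and the dictionary key names are assumptions, and the sample key values are constructed.

```python
import re

# Key sizes in bytes, as the page gives them for DES/3DES/MD5/SHA-1; the AES sizes
# are assumed from the algorithm names (128/192/256 bits). NULL means no key.
ENC_KEY_BYTES = {"NULL": 0, "DES-CBC": 8, "3DES-CBC": 24,
                 "AES-CBC-128": 16, "AES-CBC-192": 24, "AES-CBC-256": 32}
AUTH_KEY_BYTES = {"NULL": 0, "MD5": 16, "SHA-1": 20}
SPI_MIN = 0x3000           # page: only a hex value greater than 3000 is accepted
FIELD_HEX_CHARS = 16       # each of the four HEX Key fields holds 8 bytes
HEX = re.compile(r"^[0-9a-fA-F]*$")

# Constructed sample entry (not a real key): 3DES in key1,key2,key1 form, SHA-1 auth.
SAMPLE = {
    "enc_alg": "3DES-CBC",
    "enc_key_fields": ["0123456789abcdef", "fedcba9876543210", "0123456789abcdef", ""],
    "auth_alg": "SHA-1",
    "auth_key": "00112233445566778899aabbccddeeff00112233",
    "spi": "3001 3002",    # "local remote", as typed on this side of the tunnel
}

def join_key_fields(fields):
    """Concatenate the four HEX Key fields left to right into one hex string."""
    if len(fields) != 4 or any(len(f) > FIELD_HEX_CHARS or not HEX.match(f) for f in fields):
        raise ValueError("each of the 4 fields holds at most 16 hex characters")
    return "".join(fields)

def check_manual_key(cfg):
    """Return a list of problems with the entry; an empty list means it is consistent."""
    problems = []
    for side, spi in zip(("local", "remote"), cfg["spi"].split()):
        if int(spi, 16) <= SPI_MIN:
            problems.append(f"{side} SPI 0x{spi} is not greater than {SPI_MIN:#x}")
    enc_key = join_key_fields(cfg["enc_key_fields"])
    need = ENC_KEY_BYTES[cfg["enc_alg"]] * 2
    if len(enc_key) != need:
        problems.append(f"{cfg['enc_alg']} needs {need} hex characters, got {len(enc_key)}")
    elif cfg["enc_alg"] == "3DES-CBC":
        k1, k2, k3 = enc_key[0:16], enc_key[16:32], enc_key[32:48]
        if k1 == k2 or k2 == k3:   # adjacent equal subkeys cancel out: effectively single DES
            problems.append("3DES subkeys key1/key2 and key2/key3 must differ")
    need = AUTH_KEY_BYTES[cfg["auth_alg"]] * 2
    if len(cfg["auth_key"]) != need or not HEX.match(cfg["auth_key"]):
        problems.append(f"{cfg['auth_alg']} key must be exactly {need} hex characters")
    return problems

def peer_view(cfg):
    """The same entry as the remote peer must type it: the two SPI values swapped."""
    local, remote = cfg["spi"].split()
    return dict(cfg, spi=f"{remote} {local}")
```

Run `check_manual_key` on both sides' entries before exchanging them; the keys themselves must still match byte for byte, which this check cannot verify across the two devices.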