[j-nsp] IKE Key Life-times on J-series vs. SRX

Devin Kennedy devinkennedy415 at hotmail.com
Thu Jun 2 11:36:39 EDT 2011


Hello All:

I am seeing a difference in behavior on the J4350 vs. the SRX240 for the IKE
key lifetime negotiation for IPsec phase 1.  In both cases the peer is a
Cisco 1841.  Please see outputs below.  Has anyone else run into this?  I
would expect that it ought to take the lower lifetime value as it does on
the SRX240.

BTW, I'm running Junos 10.4R4.5 on both Juniper routers.

On the SRX I saw what I expected to see, which is that the negotiated value
is the lesser of the two if they do not match:

SRX240

[edit]
Devin at SRX240-1# show security ike proposal testikeprop
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin at SRX240-1# run show security ike security-associations detail
IKE peer 10.10.3.89, Index 7707821,
  Role: Initiator, State: UP
  Initiator cookie: ed10b684f40a71d2, Responder cookie: 3c2a1fb09e701c34
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.93:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 28795 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  688
   Output bytes  :                  880
   Input  packets:                    4
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 1851437682
    Local: 10.10.3.93:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.9.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2

C1841-2#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
       encryption algorithm:      AES - Advanced Encryption Standard (256 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Pre-Shared Key
       Diffie-Hellman group:      #2 (1024 bit)
       lifetime:            86400 seconds, no volume limit
Default protection suite
       encryption algorithm:      DES - Data Encryption Standard (56 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:      #1 (768 bit)
       lifetime:            86400 seconds, no volume limit

C1841-2#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1156  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  0 D
       Engine-id:Conn-id =  ???
(deleted)

1155  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  07:59:34 D
       Engine-id:Conn-id =  SW:155

With the J4350 in place of the SRX240 with the same configuration as shown
for the SRX240 and same configuration as shown for the Cisco 1841, I see:

J4350

[edit]
Devin at J4350-1# show security ike proposal testikeprop   <-- No lifetime configured so should use default of 28800
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;

[edit]
Devin at J4350-1#

Devin at J4350-1> show security ike security-associations detail
IKE peer 10.10.3.89, Index 4833153,
  Role: Responder, State: UP
  Initiator cookie: b4443ecf19364ac2, Responder cookie: 7c741a4fcb0f5558
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
  Peer ike-id: 10.10.3.89
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1
   Encryption            : aes-cbc (256 bits)
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  864
   Output bytes  :                 1092
   Input  packets:                    5
   Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 931695683
    Local: 10.10.3.85:500, Remote: 10.10.3.89:500
    Local identity: ipv4_subnet(any:0,[0..7]=10.100.11.0/24)
    Remote identity: ipv4_subnet(any:0,[0..7]=10.100.7.0/24)
    Flags: Caller notification sent, Waiting for done

Cisco 1841

C1841-2#sho crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

0     10.10.3.89      10.10.3.85               ACTIVE aes  sha  psk  2  0 D
       Engine-id:Conn-id =  ???

1237  10.10.3.89      10.10.3.85               ACTIVE aes  sha  psk  2  23:59:19 D
       Engine-id:Conn-id =  SW:237

C1841-2#sho crypto isa pol

Global IKE policy
Protection suite of priority 1
       encryption algorithm:      AES - Advanced Encryption Standard (256 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Pre-Shared Key
       Diffie-Hellman group:      #2 (1024 bit)
       lifetime:            86400 seconds, no volume limit
Default protection suite
       encryption algorithm:      DES - Data Encryption Standard (56 bit keys).
       hash algorithm:            Secure Hash Standard
       authentication method:     Rivest-Shamir-Adleman Signature
       Diffie-Hellman group:      #1 (768 bit)
       lifetime:            86400 seconds, no volume limit

Thanks,

Devin
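The check a practitioner would want after reading the post above is a quick way to tell, from the two CLI outputs, whether a phase 1 SA is living longer than the local policy allows. The Python below is an added example, not part of the post or of either vendor's tooling: it parses the shape of Junos "show security ike security-associations detail" and IOS "show crypto isakmp sa detail" output, normalises the lifetimes to seconds, and flags any SA whose remaining lifetime exceeds the local policy lifetime. Remaining time can never exceed the negotiated lifetime, so remaining > local policy means the negotiated value is the peer's larger one rather than the lesser of the two. The sample outputs are constructed after the ones in the post (the second Junos peer 10.10.3.91 is invented), the 28800 default is the value the post states, and 86400 is the IOS policy lifetime shown above.

```python
import re

# Constructed sample in the shape of Junos "show security ike
# security-associations detail" (first peer modelled on the J4350 output
# in the post, second peer invented for illustration).
JUNOS_SA_DETAIL = """\
IKE peer 10.10.3.89, Index 4833153,
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.89:500
  Lifetime: Expires in 86321 seconds
  Peer ike-id: 10.10.3.89
IKE peer 10.10.3.91, Index 4833154,
  Role: Initiator, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.10.3.85:500, Remote: 10.10.3.91:500
  Lifetime: Expires in 28795 seconds
  Peer ike-id: 10.10.3.91
"""

# Constructed sample in the shape of IOS "show crypto isakmp sa detail"
# (wrapped lines rejoined; a "0" lifetime marks a torn-down SA).
IOS_SA_DETAIL = """\
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1156  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  0 D
       Engine-id:Conn-id =  ???
1155  10.10.3.89      10.10.3.93               ACTIVE aes  sha  psk  2  07:59:34 D
       Engine-id:Conn-id =  SW:155
1237  10.10.3.89      10.10.3.85               ACTIVE aes  sha  psk  2  23:59:19 D
       Engine-id:Conn-id =  SW:237
"""

JUNOS_DEFAULT_IKE_LIFETIME = 28800   # Junos phase 1 default, as stated in the post
IOS_LIFETIME = 86400                 # "lifetime: 86400 seconds" in the IOS policy


def parse_junos_ike_sas(text):
    """Return one dict per IKE SA: peer, index, role, state, remaining seconds."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"IKE peer (\S+), Index (\d+),", line)
        if m:
            cur = {"peer": m.group(1), "index": int(m.group(2))}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"\s+Role: (\w+), State: (\w+)", line)
        if m:
            cur["role"], cur["state"] = m.group(1), m.group(2)
            continue
        m = re.match(r"\s+Lifetime: Expires in (\d+) seconds", line)
        if m:
            cur["remaining"] = int(m.group(1))
    return sas


def hms_to_seconds(hms):
    """IOS prints the remaining phase 1 lifetime as hh:mm:ss."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


IOS_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?"    # C-id, Local, Remote, optional I-VRF
    r"(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"  # Status, Encr, Hash, Auth, DH
    r"(\d+:\d\d:\d\d|0)\b"                        # Lifetime hh:mm:ss, or 0 when torn down
)


def parse_ios_isakmp_sas(text):
    """Return one dict per ISAKMP SA row; remaining is None for torn-down SAs."""
    sas = []
    for line in text.splitlines():
        m = IOS_ROW.match(line)
        if not m:
            continue
        cid, local, remote, vrf, status, encr, hsh, auth, dh, life = m.groups()
        sas.append({
            "conn_id": int(cid), "local": local, "remote": remote, "vrf": vrf,
            "state": status, "encr": encr, "hash": hsh, "auth": auth, "dh": int(dh),
            "remaining": hms_to_seconds(life) if ":" in life else None,
        })
    return sas


def audit_lifetimes(sas, local_lifetime):
    """Flag SAs whose remaining lifetime exceeds the local policy lifetime.

    Returns (peer, remaining_seconds, local_lifetime) tuples; works on the
    dicts from either parser."""
    findings = []
    for sa in sas:
        rem = sa.get("remaining")
        if rem is None or rem <= local_lifetime:
            continue
        findings.append((sa.get("peer") or sa.get("remote"), rem, local_lifetime))
    return findings


if __name__ == "__main__":
    for who, sas, policy in (("Junos", parse_junos_ike_sas(JUNOS_SA_DETAIL), JUNOS_DEFAULT_IKE_LIFETIME),
                             ("IOS", parse_ios_isakmp_sas(IOS_SA_DETAIL), IOS_LIFETIME)):
        for peer, rem, limit in audit_lifetimes(sas, policy):
            print(f"{who}: SA with {peer} has {rem}s left, above local policy of {limit}s")
```

Run against real output by replacing the two sample strings with the captured text; on the constructed samples only the Junos responder SA with 10.10.3.89 (86321 seconds left against a 28800 policy) is reported, while the IOS side is clean because its 86400 policy is the larger of the two.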


