JNCIE-SEC IPSEC & NAT

Below is the list of topics for IPsec and NAT that you may see in the JNCIE-SEC exam according to the exam page. I will not only talk about the exam topics but also about the protocols in general and my own troubleshooting tests. I would like to start JNCIE-SEC with IPsec because it is the topic I know least about. I also would like to improve this JNCIE-SEC journal with the help of readers, so you are encouraged to send your own case studies. Just for your information, the content I am going to create about this exam is my own interpretation of the topics published by Juniper. I may not adhere 100% to the exam topics, and from time to time I may write about something that isn't relevant to the exam. Without further ado, let's begin the journey:

IPsec VPNs

NAT

  • Implementation of NAT
  • Source NAT
  • Destination NAT
  • Static NAT
  • Implementation of NAT with IPSec
  • Overlapping IPs between sites


Implementation of IPsec VPNs

An IKEv1 negotiation has two phases: IKE Phase 1, which builds the IKE SA that protects all further negotiation, and IKE Phase 2, which builds the IPsec SAs that actually carry traffic. Phase 1 can run in one of two modes:

  • Main Mode
  • Aggressive Mode

Main Mode
Here is a simple site-to-site, route-based VPN topology.

[Figure: ipsec_peers_route_based]

Below is a Wireshark capture of these two peers' IPsec negotiation.

[Figure: ipsec_main_mode_setup]

Click to download the pcap file

Main mode consists of three two-way exchanges, six messages in total. In the first exchange the initiator may offer several proposals, each a combination of encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group and lifetime, but the responder must reply with exactly one of them. Practically speaking, what you see in this exchange is what you configure in the SRX's IKE proposal for the specific connection, and if no proposal matches on both sides the negotiation stops right here.

In the second exchange the peers exchange their Diffie-Hellman public values and nonces. Diffie-Hellman does not transport a secret: each side computes the same shared secret locally, and that secret is the keying material from which the Phase 1 keys are derived. With pre-shared key authentication the PSK also feeds this derivation, but it never crosses the wire.

The third exchange is the first one encrypted with the Phase 1 keys. Here the peers send their identities and a hash that proves possession of the pre-shared key (or a signature when certificates are used); the PSK itself is never exchanged. This is the reason Main Mode is preferred over Aggressive Mode when PSKs are in use: Aggressive Mode does the same work in three messages with the identities and the authentication hash sent in the clear, which exposes the hash to offline guessing.

Once these six messages are exchanged, IKE Phase 2 starts, which has only one mode: Quick Mode.
In this mode the communication is already encrypted, protected by the IKE SA from Phase 1. Here the IPsec SAs are established, one inbound and one outbound per tunnel, and Quick Mode is also used to renegotiate them when the IPsec lifetime expires. If perfect forward secrecy is configured, a fresh Diffie-Hellman exchange happens inside Quick Mode as well.

Practically, this is what we get once the IKE and IPsec SAs are established (the output of show security ike security-associations and show security ipsec security-associations on the SRX):

Note: the initiator cookie doesn't match the packet capture, as this output was taken during another IPsec negotiation.

Let's send a 1000-byte ICMP packet from J23 and see how it looks on the wire:

ICMP ECHO REQUEST
[Figure: ipsec_esp_echo]

If you look at the packet capture, our IP packet (the echo request) is encapsulated in ESP and the SPI is a352cf0f, which is the SPI shown in the command output for the outbound direction.

ICMP ECHO REPLY
[Figure: ipsec_esp_echo_reply]

In the reply you can see the SPI 6be505e0, which the command output lists for the inbound direction. A receiving peer looks the SPI up in its SA database; an ESP packet whose SPI matches no installed SA is dropped.
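The three Main Mode exchanges and the Quick Mode message described above, and the ESP SPIs seen in the echo request and reply, decoded by a small parser. This is an added example and not code from the post: the packets, cookies and addresses are constructed (only the two SPIs a352cf0f and 6be505e0 are the ones from the captures), and the SA table only imitates the shape of the SRX's IPsec SA output. It also goes slightly beyond the captures by handling NAT-T on UDP/4500, where IKE and ESP share one port.

```python
"""Added example (not from the post): decode the IKEv1 (ISAKMP) and ESP headers that
Wireshark shows for a route-based VPN, and map each ESP SPI back to the inbound or
outbound SA the SRX reports. Packets, cookies and addresses are constructed."""
import struct

# ISAKMP exchange types (RFC 2408 sec 3.1, RFC 2409)
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PHASE = {2: "IKE Phase 1", 4: "IKE Phase 1", 32: "IKE Phase 2"}
# ISAKMP payload types that appear first in Main Mode / Quick Mode messages
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
FLAG_ENCRYPTION = 0x01  # set from Main Mode message 5 onwards and on every Quick Mode message

# Constructed SA table in the shape of `show security ipsec security-associations`:
# one inbound (<) and one outbound (>) SA per tunnel, keyed by SPI.
SA_TABLE = {"6be505e0": "inbound (<)", "a352cf0f": "outbound (>)"}


def parse_isakmp(data: bytes) -> dict:
    """Parse the fixed 28-byte ISAKMP header; reject truncated or mis-sized packets."""
    if len(data) < 28:
        raise ValueError("ISAKMP header needs 28 bytes")
    icookie, rcookie, npl, ver, etype, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"ISAKMP length field {length} != {len(data)} bytes on the wire")
    return {
        "kind": "ISAKMP",
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),  # all zeros in Main Mode message 1
        "next_payload": PAYLOAD_TYPES.get(npl, f"unknown({npl})"),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(etype, f"unknown({etype})"),
        "phase": PHASE.get(etype, "n/a"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,  # 0 in Phase 1, non-zero per Quick Mode exchange
    }


def parse_esp(data: bytes) -> dict:
    """Parse the ESP header (RFC 4303 sec 2): SPI and sequence number; the rest is ciphertext."""
    spi, seq = struct.unpack("!II", data[:8])
    spi_hex = f"{spi:08x}"
    return {"kind": "ESP", "spi": spi_hex, "seq": seq,
            "sa": SA_TABLE.get(spi_hex, "none: unknown SPI, packet would be dropped")}


def classify(pkt: bytes) -> dict:
    """Demux an IPv4 packet into ESP (proto 50), ISAKMP (UDP/500) or NAT-T on UDP/4500 (RFC 3948)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == 50:
        return parse_esp(payload)
    if proto == 17:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_payload = payload[8:]
        if 4500 in (sport, dport):
            # RFC 3948: IKE on 4500 is prefixed with a 4-byte zero "non-ESP marker"; UDP-encapsulated
            # ESP is not, and a real SPI is never zero, so the first word tells the two apart.
            if udp_payload[:4] == b"\x00\x00\x00\x00":
                return {**parse_isakmp(udp_payload[4:]), "kind": "ISAKMP over NAT-T"}
            return {**parse_esp(udp_payload), "kind": "ESP over NAT-T"}
        if 500 in (sport, dport):
            return parse_isakmp(udp_payload)
    return {"kind": f"other(proto={proto})"}


# --- constructed sample packets (checksums left at zero; they are parsed, never sent) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def isakmp(icookie: bytes, rcookie: bytes, next_payload: int, exchange: int,
           flags: int = 0, msg_id: int = 0, body: bytes = b"") -> bytes:
    return struct.pack("!8s8sBBBBII", icookie, rcookie, next_payload, 0x10, exchange,
                       flags, msg_id, 28 + len(body)) + body

ICOOKIE = bytes.fromhex("1122334455667788")  # constructed, not the post's capture
RCOOKIE = bytes.fromhex("99aabbccddeeff00")  # constructed

def mm(rcookie: bytes, next_payload: int, flags: int = 0) -> bytes:
    """One Main Mode (exchange type 2) message on UDP/500."""
    return ipv4(17, udp(500, 500, isakmp(ICOOKIE, rcookie, next_payload, 2, flags)))

# The six Main Mode messages (three two-way exchanges) followed by the first Quick Mode message
MAIN_MODE_TRACE = [
    mm(bytes(8), 1),                   # MM1: SA proposals, responder cookie not yet known
    mm(RCOOKIE, 1),                    # MM2: the single accepted proposal
    mm(RCOOKIE, 4), mm(RCOOKIE, 4),    # MM3/MM4: KE (Diffie-Hellman public values) + nonces
    mm(RCOOKIE, 5, FLAG_ENCRYPTION), mm(RCOOKIE, 5, FLAG_ENCRYPTION),  # MM5/MM6: ID + HASH, encrypted
    ipv4(17, udp(500, 500, isakmp(ICOOKIE, RCOOKIE, 8, 32, FLAG_ENCRYPTION, 0x1A2B3C4D))),  # QM1
]
ESP_ECHO_REQUEST = ipv4(50, struct.pack("!II", 0xA352CF0F, 1) + bytes(1000))  # J23 -> peer
ESP_ECHO_REPLY = ipv4(50, struct.pack("!II", 0x6BE505E0, 1) + bytes(1000))    # peer -> J23
ESP_UNKNOWN_SPI = ipv4(50, struct.pack("!II", 0xDEADBEEF, 7) + bytes(16))     # no matching SA

if __name__ == "__main__":
    for p in MAIN_MODE_TRACE + [ESP_ECHO_REQUEST, ESP_ECHO_REPLY, ESP_UNKNOWN_SPI]:
        print(classify(p))
```

Run it and the trace reads like the Wireshark summary column: the first message carries a zero responder cookie and the SA payload, messages 3 and 4 start with KE, the encryption flag appears from message 5, and the Quick Mode message is the first one with a non-zero message ID. The two ESP packets resolve to the outbound and inbound SAs, while the last one shows what a receiver does with a SPI it has no SA for.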

IPsec SA management behaves differently between Junos releases; check KB26692 for the differences.

When you have an established IPsec SA, you also have two sessions installed for it:

These are inbound sessions only, but I don't recall the reason for two of them instead of one.

I would like to end this post here. It isn't really a VPN implementation post; I just wanted to write an introduction for future posts in which I will do more practical stuff.

Do you have feedback?