STIGQter: STIG Summary: Juniper SRX Services Gateway VPN Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Juniper SRX Services Gateway VPN must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.

DISA Rule

SV-214676r382735_rule

Vulnerability Number

V-214676

Group Title

SRG-NET-000019

Rule Version

JUSX-VN-000009

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The following commands are an example of an IPsec policy.

[edit]
set security ipsec policy <IPSEC-POLICY> perfect-forward-secrecy keys group14
set security ipsec policy <IPSEC-POLICY> proposals <IPSEC-PROPOSAL>

The following command is an example of how to define an IPsec VPN using the IPsec policy and a secure tunnel interface. Alternatively, administrators can configure on-traffic tunnel establishment.

[edit]
set security ipsec vpn <VPN> bind-interface st0.0
set security ipsec vpn <VPN> ike gateway <IKE-PEER>
set security ipsec vpn <VPN> ike ipsec-policy <IPSEC-POLICY>
set security ipsec vpn <VPN> establish-tunnels immediately

For site-to-site VPN implementation, the SRX device is configured to route traffic over the IPsec VPN’s secure tunnel interface by establishing a route with the next-hop specified as the secure tunnel interface. The following commands configure an IPv4 and IPv6 static route for their respective secure tunnels.

set routing-options static route <IPv4 network/netmask> next-hop st0.0
set routing-options rib inet6.0 static route <IPv6 network/netmask> next-hop st0.1

Check Contents

Verify an IPsec policy is configured and used to control the VPN information flow.

[edit]
show security ipsec

Inspect the security policy.

If VPN traffic is not configured and controlled using an IPsec policy, this is a finding.
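One way to automate this check offline, as an added example that is not part of the STIG or of STIGQter: the script below parses 'set'-style Junos configuration (as produced by `show configuration | display set`, rather than the operational `show security ipsec` output above) and flags each IPsec VPN that is not bound to an st0 interface or whose referenced IPsec policy lacks perfect-forward-secrecy or a proposal. The configuration sample and all policy, VPN and peer names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample config (hypothetical names): VPN-A complies, VPN-B has no tunnel
# interface and no policy, VPN-C references a policy that carries no proposal.
SAMPLE_CONFIG = """
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec policy WEAK-POL perfect-forward-secrecy keys group14
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-B ike gateway PEER-B
set security ipsec vpn VPN-C bind-interface st0.1
set security ipsec vpn VPN-C ike ipsec-policy WEAK-POL
"""
POLICY_RE = re.compile(r"^set security ipsec policy (\S+) (\S+)(?: (.*))?$")
VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (.+)$")


def parse_config(text):
    """Collect IPsec policies (PFS flag, proposals) and VPNs (bound interface, policy)."""
    policies = defaultdict(lambda: {"pfs": False, "proposals": set()})
    vpns = defaultdict(lambda: {"bind_interface": None, "ipsec_policy": None})
    for line in text.splitlines():
        if m := POLICY_RE.match(line.strip()):
            name, key, rest = m.groups()
            if key == "perfect-forward-secrecy":
                policies[name]["pfs"] = True
            elif key == "proposals" and rest:  # single name or "[ P Q ]"
                policies[name]["proposals"].update(rest.strip("[] ").split())
        elif m := VPN_RE.match(line.strip()):
            entry, words = vpns[m.group(1)], m.group(2).split()  # registers the VPN
            if words[0] == "bind-interface":
                entry["bind_interface"] = words[1]
            elif words[:2] == ["ike", "ipsec-policy"]:
                entry["ipsec_policy"] = words[2]
    return policies, vpns


def findings(text):
    """Return {vpn: [reasons]} for every VPN that fails the JUSX-VN-000009 check."""
    policies, vpns = parse_config(text)
    result = {}
    for name, v in vpns.items():
        pol = policies.get(v["ipsec_policy"])  # .get() does not create entries
        reasons = []
        if not (v["bind_interface"] or "").startswith("st0."):
            reasons.append("not bound to a secure tunnel (st0) interface")
        if pol is None:
            reasons.append("no IPsec policy referenced")
        elif not (pol["pfs"] and pol["proposals"]):
            reasons.append(f"policy {v['ipsec_policy']} lacks PFS or proposals")
        result[name] = reasons
    return {n: r for n, r in result.items() if r}
```

Run `findings(SAMPLE_CONFIG)` to list the non-compliant VPNs with the reason for each; an empty result means every configured VPN is bound to an st0 interface and references a complete IPsec policy.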

Vulnerability Number

V-214676

Documentable

False

Rule Version

JUSX-VN-000009

Severity Override Guidance

Verify an IPsec policy is configured and used to control the VPN information flow.

[edit]
show security ipsec

Inspect the security policy.

If VPN traffic is not configured and controlled using an IPsec policy, this is a finding.

Check Content Reference

M

Target Key

4009

Comments