The Juniper SRX Services Gateway VPN must use Encapsulating Security Payload (ESP) in tunnel mode.
An XCCDF Rule
Description
<VulnDiscussion>ESP provides confidentiality, data origin authentication, integrity, and anti-replay services within the IPsec suite of protocols. ESP in tunnel mode ensures a secure path for communications for site-to-site VPNs and gateway to endpoints, including header information. ESP can be deployed in either transport or tunnel mode. Transport mode is used to create a secured session between two hosts. It can also be used when two hosts simply want to authenticate each IP packet with IPsec authentication header (AH). With ESP transport mode, only the payload (transport layer) is encrypted, whereas with tunnel mode, the entire IP packet is encrypted and encapsulated with a new IP header. Tunnel mode is used to encrypt traffic between secure IPsec gateways or between an IPsec gateway and an end-station running IPsec software. Hence, it is the only method to provide a secured path to transport traffic between remote sites or end-stations and the central site.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-214681r385561_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure Phase 2 for ESP and allow IKE as a host-inbound service within the security zone associated with the IKE gateway’s external interface configuration. Any traffic that you wish to encrypt is routed to this tunnel interface.
Example:
[edit
set security ipsec proposal IPSEC-PROPOSAL protocol esp