Junos security configuration module
Version: 2019-01-01
// YANG model (junos-ex family) for the Junos [edit security] configuration
// hierarchy: alarms, audit logging, X.509 certificates, authentication key
// chains, SSH known hosts, PKI, Group VPN, IKE/IPsec and MACsec.
// The module statement continues past the end of this excerpt (the
// security-ike grouping at the bottom is cut off).
// NOTE(review): the double quotes embedded inside the junos:must expressions
// appear unescaped in this copy (e.g. "(!(".. .. exclude"))"); confirm the
// quoting against the shipped module before feeding it to a strict parser.
module junos-ex-conf-security {
  yang-version 1;
  namespace "http://yang.juniper.net/junos-ex/conf/security";
  prefix jc-security;

  // junos: Juniper DDL extensions (junos:must, junos:posix-pattern, ...),
  // jt: shared Junos types (ipaddr, ipv4addr, time, ...),
  // jc: the configuration root this module augments.
  import junos-common-ddl-extensions {
    prefix junos;
    revision-date "2019-01-01";
  }
  import junos-common-types {
    prefix jt;
    revision-date "2019-01-01";
  }
  import junos-ex-conf-root {
    prefix jc;
    revision-date "2019-01-01";
  }

  organization "Juniper Networks, Inc.";
  contact "yang-support@juniper.net";
  description "Junos security configuration module";

  revision "2019-01-01" {
    description "Junos: 21.3R1.9";
  }

  // The security hierarchy is grafted under both the main configuration and
  // [edit groups], so the same nodes can be defined in a group and inherited
  // through apply-groups.
  augment /jc:configuration {
    uses security-group;
  }
  augment /jc:configuration/jc:groups {
    uses security-group;
  }

  // Top-level [edit security] container.
  grouping security-group {
    container security {
      description "Security configuration";
      uses apply-advanced;
      container alarms {
        description "Configure security alarms";
        uses apply-advanced;
        container audible {
          presence "enable audible";
          description "Beep when new security alarms arrive";
          uses apply-advanced;
          leaf continuous {
            type empty;
            description "Keep beeping until all security alarms have been cleared";
          }
        } // container audible
        container potential-violation {
          description "Configure potential security violations";
          uses apply-advanced;
          // Alarm after the configured number (2..10) of authentication
          // failures. The string alternative in this and the following
          // unions admits values of the form "<...>" or "$...", presumably
          // Junos configuration-group wildcards / variables rather than a
          // literal count — confirm against the DDL extensions module.
          leaf authentication {
            type union {
              type string {
                pattern "<.*>|$.*";
              }
              type uint32 {
                range "2 .. 10";
              }
            }
            description "Raise alarm for specified number of authentication failures";
          }
          leaf cryptographic-self-test {
            type empty;
            description "Raise alarm for cryptographic self test failures";
          }
          leaf key-generation-self-test {
            type empty;
            description "Raise alarm for key generation self test failures";
          }
          leaf non-cryptographic-self-test {
            type empty;
            description "Raise alarm for non-cryptographic self test failures";
          }
          container policy {
            description "Raise alarm for flow policy violations";
          } // container policy
          // Presence container: the replay-attack alarm is off unless this
          // node exists; threshold defaults to 1000 detected replays.
          container replay-attacks {
            presence "enable replay-attacks";
            description "No. of Replay attacks before which an alarm needs to be raised";
            uses apply-advanced;
            leaf threshold {
              type union {
                type string {
                  pattern "<.*>|$.*";
                }
                type uint32 {
                  range "1 .. 1000000000";
                }
              }
              default "1000";
              description "Replay threshold value";
            }
          } // container replay-attacks
          // Percentage (0..100) of audit-log capacity at which to alarm;
          // useful as an early warning before security events are dropped.
          leaf security-log-percent-full {
            type union {
              type string {
                pattern "<.*>|$.*";
              }
              type uint8 {
                range "0 .. 100";
              }
            }
            description "Raise alarm when security log exceeds this percent capacity";
          }
        } // container potential-violation
      } // container alarms
      container log {
        description "Configure auditable security logs";
        uses log-object;
      } // container log
      container certificates {
        description "X.509 certificate configuration";
        uses apply-advanced;
        // Local certificates; see certificate-object for the sensitivity of
        // the certificate leaf.
        list local {
          key "name";
          ordered-by user;
          description "Local X.509 certificate configuration";
          uses certificate-object;
        } // list local
        leaf path-length {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "0 .. 15";
            }
          }
          default "15";
          description "Maximum certificate path length";
        }
        leaf maximum-certificates {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "64 .. 4294967295";
            }
          }
          default "1024";
          description "Maximum number of certificates to cache";
        }
        // Free-form string; no numeric range is enforced by the schema.
        leaf cache-size {
          type string;
          units "bytes";
          description "Maximum size of certificate cache";
        }
        leaf cache-timeout-negative {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "10 .. 4294967295";
            }
          }
          default "20";
          description "Time in seconds to cache negative responses";
        }
        leaf enrollment-retry {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "0 .. 1080";
            }
          }
          description "Number of retry attempts for an enrollment request";
        }
        // CA profiles. The enrollment-url / ldap-url leaves are plain strings:
        // the schema imposes no URL scheme constraint, so transport security
        // for enrollment must be checked in the configured value itself.
        list certification-authority {
          key "name";
          ordered-by user;
          description "CA X.509 certificate configuration";
          leaf name {
            type string {
              junos:posix-pattern "^.{1,32}$";
              junos:pattern-message "Must be string of 32 characters or less";
            }
            description "CA profile name";
          }
          uses apply-advanced;
          leaf ca-name {
            type string;
            description "CA name";
          }
          leaf file {
            type string;
            description "File to read certificate from";
          }
          leaf crl {
            type string;
            description "File to read crl from";
          }
          leaf enrollment-url {
            type string;
            description "URL";
          }
          leaf ldap-url {
            type string;
            description "URL";
          }
          leaf encoding {
            type enumeration {
              enum "binary" {
                value 0;
                description "DER encoding";
              }
              enum "pem" {
                value 1;
                description "Privacy-enhanced-mail encoding, base64";
              }
            }
            default "binary";
            description "Encoding to use for certificate or CRL on disk";
          }
        } // list certification-authority
      } // container certificates
      container authentication-key-chains {
        description "Authentication key chain configuration";
        uses security-authentication-key-chains;
      } // container authentication-key-chains
      // Pinned SSH host keys, one entry per host name, keyed by key type.
      container ssh-known-hosts {
        description "SSH known host list";
        uses apply-advanced;
        list host {
          key "name";
          ordered-by user;
          description "SSH known host entry";
          leaf name {
            type string;
            description "Host name";
          }
          uses apply-advanced;
          // Host key for SSH protocol version 1. Protocol 1 is long obsolete;
          // existing entries here deserve review rather than being carried
          // forward unchanged.
          leaf rsa1-key {
            type string;
            description "Base64 encoded RSA key (protocol version 1)";
          }
          leaf rsa-key {
            type string;
            description "Base64 encoded RSA key";
          }
          leaf dsa-key {
            type string;
            description "Base64 encoded DSA key";
          }
          // Deprecated; presumably superseded by the curve-specific
          // ecdsa-sha2-nistp* leaves that follow.
          leaf ecdsa-key {
            type string;
            status deprecated;
            description "Base64 encoded ECDSA key";
          }
          leaf ecdsa-sha2-nistp256-key {
            type string;
            description "Base64 encoded ECDSA-SHA2-NIST256 key";
          }
          leaf ecdsa-sha2-nistp384-key {
            type string;
            description "Base64 encoded ECDSA-SHA2-NIST384 key";
          }
          leaf ecdsa-sha2-nistp521-key {
            type string;
            description "Base64 encoded ECDSA-SHA2-NIST521 key";
          }
          leaf ed25519-key {
            type string;
            description "Base64 encoded ED25519 key";
          }
        } // list host
      } // container ssh-known-hosts
      // The following groupings (security-pki, security-traceoptions,
      // security-ipsec-vpn, security-macsec) are not defined in this excerpt.
      container pki {
        presence "enable pki";
        description "PKI service configuration";
        uses security-pki;
      } // container pki
      container group-vpn {
        description "Group VPN configuration";
        uses security-group-vpn;
      } // container group-vpn
      container traceoptions {
        description "Trace options for IPSec key management";
        uses security-traceoptions;
      } // container traceoptions
      container ipsec {
        description "IPSec configuration";
        uses security-ipsec-vpn;
      } // container ipsec
      container ike {
        description "IKE configuration";
        uses security-ike;
      } // container ike
      container macsec {
        description "MAC Security configuration";
        uses security-macsec;
      } // container macsec
    } // container security
  } // grouping security-group

  // Standard Junos apply-groups / apply-macro knobs, reused at most levels.
  grouping apply-advanced {
    description "Apply advanced configuration logic";
    leaf-list apply-groups {
      type string;
      ordered-by user;
      description "Groups from which to inherit configuration data";
    }
    leaf-list apply-groups-except {
      type string;
      ordered-by user;
      description "Don't inherit configuration data from these groups";
    }
    list apply-macro {
      key "name";
      ordered-by user;
      description "Macro and parameters for commit script expansion";
      uses apply-macro-type;
    } // list apply-macro
  } // grouping apply-advanced

  grouping apply-macro-type {
    description "Macro data for commit-script expansion";
    leaf name {
      type string;
      description "Name of the macro to be expanded";
    }
    list data {
      key "name";
      uses macro-data-type;
    } // list data
  } // grouping apply-macro-type

  // One local certificate entry. Per its description, the certificate leaf
  // carries the private key together with the certificate, so configuration
  // exports or diffs containing this node must be handled as secret material.
  grouping certificate-object {
    leaf name {
      type string;
      description "Simple name to identify this certificate";
    }
    uses apply-advanced;
    leaf certificate {
      type string;
      description "Certificate and private key string";
    }
  } // grouping certificate-object

  // [edit security log]. The top-level exclude list and limit leaf are
  // deprecated; the cache container holds the current forms, and junos:must
  // constraints make the old and new forms mutually exclusive.
  grouping log-object {
    description "Configure auditable security logs";
    uses apply-advanced;
    list exclude {
      key "name";
      ordered-by user;
      status deprecated;
      description "List of security log criteria to exclude from the audit log";
      leaf name {
        type string;
        description "Exclude criteria name";
      }
      uses apply-advanced;
      leaf destination-address {
        type jt:ipaddr;
        description "Destination address";
      }
      leaf destination-port {
        type union {
          type uint32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "Destination port";
      }
      leaf event-id {
        type string;
        description "Event ID filter";
      }
      leaf failure {
        type empty;
        description "Event was a failure";
      }
      leaf interface-name {
        type string;
        description "Name of interface";
      }
      leaf policy-name {
        type string;
        description "Policy name filter";
      }
      leaf process {
        type string;
        description "Process that generated the event";
      }
      leaf protocol {
        type string;
        description "Protocol filter";
      }
      leaf source-address {
        type jt:ipaddr;
        description "Source address";
      }
      leaf source-port {
        type union {
          type uint32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "Source port";
      }
      leaf success {
        type empty;
        description "Event was successful";
      }
      leaf username {
        type string;
        description "Username filter";
      }
    } // list exclude
    leaf limit {
      type union {
        type uint32;
        type string {
          pattern "<.*>|$.*";
        }
      }
      default "10000";
      status deprecated;
      description "Limit number of security log entries to keep in memory";
    }
    container cache {
      presence "enable cache";
      description "Cache security log events in the audit log buffer";
      uses apply-advanced;
      // Exclusion filters drop matching events from the audit log; every
      // filter added here is a blind spot for later investigation, so keep
      // the list minimal and reviewed.
      list exclude {
        junos:must "(!(".. .. exclude"))";
        junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive";
        key "name";
        ordered-by user;
        description "List of security log criteria to exclude from the audit log";
        leaf name {
          type string;
          description "Exclude criteria name";
        }
        uses apply-advanced;
        leaf destination-address {
          type jt:ipaddr;
          description "Destination address";
        }
        leaf destination-port {
          type union {
            type uint32;
            type string {
              pattern "<.*>|$.*";
            }
          }
          description "Destination port";
        }
        leaf event-id {
          type string;
          description "Event ID filter";
        }
        leaf failure {
          type empty;
          description "Event was a failure";
        }
        leaf interface-name {
          type string;
          description "Name of interface";
        }
        leaf policy-name {
          type string;
          description "Policy name filter";
        }
        leaf process {
          type string;
          description "Process that generated the event";
        }
        leaf protocol {
          type string;
          description "Protocol filter";
        }
        leaf source-address {
          type jt:ipaddr;
          description "Source address";
        }
        leaf source-port {
          type union {
            type uint32;
            type string {
              pattern "<.*>|$.*";
            }
          }
          description "Source port";
        }
        leaf success {
          type empty;
          description "Event was successful";
        }
        leaf username {
          type string;
          description "Username filter";
        }
      } // list exclude
      // In-memory buffer size (default 10000 entries); no upper bound is
      // declared by the schema.
      leaf limit {
        junos:must "(!(".. .. limit"))";
        junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive";
        type union {
          type uint32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        default "10000";
        description "Limit number of security log entries to keep in memory";
      }
    } // container cache
  } // grouping log-object

  grouping macro-data-type {
    leaf name {
      type string;
      description "Keyword part of the keyword-value pair";
    }
    leaf value {
      type string;
      description "Value part of the keyword-value pair";
    }
  } // grouping macro-data-type

  // [edit security authentication-key-chains]: keyed secrets with start
  // times for routing-protocol / MACsec / TCP-AO authentication.
  grouping security-authentication-key-chains {
    uses apply-advanced;
    list key-chain {
      key "name";
      description "Key chain configuration";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{33,}))$";
          junos:pattern-message "Must be string of 32 characters or less with no spaces";
        }
        description "Name of authentication key chain";
      }
      uses apply-advanced;
      leaf description {
        type string {
          length "1 .. 80";
        }
        description "Text description of this authentication-key-chain";
      }
      // Clock-skew tolerance applied to key start times, default 3600 s.
      leaf tolerance {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "0 .. 4294967295";
          }
        }
        units "seconds";
        default "3600";
        description "Clock skew tolerance";
      }
      list key {
        key "name";
        description "Authentication element configuration";
        leaf name {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "0 .. 63";
            }
          }
          description "Authentication element identifier";
        }
        uses apply-advanced;
        // The shared secret itself; the schema only bounds its length
        // (1..126) and says nothing about strength. Treat any configuration
        // containing this leaf as sensitive.
        leaf secret {
          type string {
            length "1 .. 126";
          }
          description "Authentication key";
        }
        // MACsec key name (CKN): even-length hex, 2..64 digits.
        leaf key-name {
          type string {
            junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$";
            junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)";
            length "2 .. 64";
          }
          description "Key name in hexadecimal format used for macsec";
        }
        leaf start-time {
          type jt:time;
          description "Start time for key transmission (YYYY-MM-DD.HH:MM)";
        }
        // NOTE(review): md5 is the default when no algorithm is configured.
        // hmac-sha-1 additionally requires 'options isis-enhanced' (see the
        // junos:must on that enum); 'ao' selects TCP-AO and is configured
        // through the ao-attribute container below.
        leaf algorithm {
          type enumeration {
            enum "md5" {
              value 0;
              description "Message Digest 5";
            }
            enum "hmac-sha-1" {
              junos:must "(".. options isis-enhanced")";
              junos:must-message "sha algorithm required isis-enhanced";
              value 1;
              description "Hash-based Message Authentication Code (SHA1) (96 bits)";
            }
            enum "ao" {
              value 2;
              description "TCP Authentication Option";
            }
          }
          default "md5";
          description "Authentication algorithm";
        }
        leaf options {
          type enumeration {
            enum "basic" {
              value 0;
              description "Rudimentary encoding format";
            }
            enum "isis-enhanced" {
              value 1;
              description "RFC 5310 based encoding";
            }
          }
          default "basic";
          description "Protocol's transmission encoding format";
        }
        // TCP-AO parameters; only valid with algorithm "ao" and without an
        // authentication-key (both enforced by junos:must).
        container ao-attribute {
          junos:must "(!(".. authentication-key"))";
          junos:must-message "Cannot be configured with authentication-key";
          junos:must "(".. algorithm ao")";
          junos:must-message "Can only be configured with authentication-algorithm ao";
          description "TCP Authentication option attributes";
          uses apply-advanced;
          leaf send-id {
            type union {
              type string {
                pattern "<.*>|$.*";
              }
              type uint32 {
                range "0 .. 255";
              }
            }
            description "Send id for TCP-AO entry";
          }
          leaf recv-id {
            type union {
              type string {
                pattern "<.*>|$.*";
              }
              type uint32 {
                range "0 .. 255";
              }
            }
            description "Recv id for TCP-AO entry";
          }
          leaf tcp-ao-option {
            type enumeration {
              enum "enabled" {
                value 0;
                description "Include the TCP-AO option";
              }
              enum "disabled" {
                value 1;
                description "Not include the TCP-AO option";
              }
            }
            default "disabled";
            description "Include TCP-AO option within message header";
          }
          // Default MAC for TCP-AO is hmac-sha-1-96; aes-128-cmac-96 is the
          // alternative.
          leaf cryptographic-algorithm {
            type enumeration {
              enum "hmac-sha-1-96" {
                value 0;
                description "Hash-based Message Authentication Code (SHA1) (96 bits)";
              }
              enum "aes-128-cmac-96" {
                value 1;
                description "Cipher-based Message Authentication Code (AES128) (96 bits)";
              }
            }
            default "hmac-sha-1-96";
            description "Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation";
          }
        } // container ao-attribute
      } // list key
    } // list key-chain
  } // grouping security-authentication-key-chains

  // [edit security group-vpn]; only the member role is modelled here.
  grouping security-group-vpn {
    uses apply-advanced;
    container member {
      description "Group VPN member configuration";
      uses gvpn-member;
    } // container member
  } // grouping security-group-vpn

  grouping gvpn-member {
    uses apply-advanced;
    container ike {
      description "Group VPN IKE configuration";
      uses gvpn-member-ike;
    } // container ike
    container ipsec {
      description "Group VPN IPsec configuration";
      uses gvpn-member-ipsec-vpn;
    } // container ipsec
  } // grouping gvpn-member

  // [edit security group-vpn member ike]: trace options, proposals, policies
  // and gateways for the Group VPN member.
  grouping gvpn-member-ike {
    uses apply-advanced;
    container traceoptions {
      description "Trace options for Group VPN Member";
      uses apply-advanced;
      leaf no-remote-trace {
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        // The pattern forbids '/', '%' and spaces, so the value is a bare
        // file name rather than a path.
        leaf filename {
          type string {
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        leaf size {
          type string;
          description "Maximum trace file size";
        }
        leaf files {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "2 .. 1000";
            }
          }
          default "3";
          description "Maximum number of trace files";
        }
        // world-readable grants every local user read access to the trace
        // file; the flags below include ike and certificates, so
        // no-world-readable is the safer choice when tracing those.
        choice world-readable-choice {
          leaf world-readable {
            type empty;
            description "Allow any user to read the log file";
          }
          leaf no-world-readable {
            type empty;
            description "Don't allow any user to read the log file";
          }
        } // choice world-readable-choice
        leaf match {
          type jt:regular-expression;
          description "Regular expression for lines to be logged";
        }
      } // container file
      leaf level {
        type enumeration {
          enum "error" {
            value 0;
            description "Match error conditions";
          }
          enum "warning" {
            value 1;
            description "Match warning messages";
          }
          enum "notice" {
            value 2;
            description "Match conditions that should be handled specially";
          }
          enum "info" {
            value 3;
            description "Match informational messages";
          }
          enum "verbose" {
            value 4;
            description "Match verbose messages";
          }
          enum "all" {
            value 5;
            description "Match all levels";
          }
        }
        default "error";
        description "Level of debugging output";
      }
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "timer" {
              value 0;
              description "Trace internal timer events";
            }
            enum "routing-socket" {
              value 1;
              description "Trace routing socket messages";
            }
            enum "parse" {
              value 2;
              description "Trace configuration processing";
            }
            enum "config" {
              value 3;
              description "Trace configuration download processing";
            }
            enum "ike" {
              value 4;
              description "Trace IKE module processing";
            }
            enum "policy-manager" {
              value 5;
              description "Trace policy manager processing";
            }
            enum "general" {
              value 6;
              description "Trace general events";
            }
            enum "database" {
              value 7;
              description "Trace security associations database events";
            }
            enum "certificates" {
              value 8;
              description "Trace certificate events";
            }
            enum "snmp" {
              value 9;
              description "Trace SNMP operations";
            }
            enum "thread" {
              value 10;
              description "Trace thread processing";
            }
            enum "high-availability" {
              value 11;
              description "Trace high-availability operations";
            }
            enum "next-hop-tunnels" {
              value 12;
              description "Trace next-hop-tunnels operations";
            }
            enum "all" {
              value 13;
              description "Trace everything";
            }
          }
        }
      } // list flag
      container gateway-filter {
        description "Set gateway filter for trace";
        uses apply-advanced;
        leaf local-address {
          type jt:ipv4addr;
          description "Use an IP address to identify the local gateway";
        }
        leaf remote-address {
          type jt:ipv4addr;
          description "Use an IP address to identify the remote gateway";
        }
      } // container gateway-filter
    } // container traceoptions
    list proposal {
      key "name";
      ordered-by user;
      description "Define an IKE proposal";
      uses gvpn-member-ike-proposal;
    } // list proposal
    list policy {
      key "name";
      ordered-by user;
      description "Define an IKE policy";
      uses gvpn-ike-policy;
    } // list policy
    // Group VPN gateways share the name space with [security ike gateway];
    // the junos:must constraints reject duplicates across the two.
    list gateway {
      key "name";
      ordered-by user;
      description "Define an IKE gateway";
      leaf name {
        junos:must "(!("security ike gateway $$"))";
        junos:must-message "Gateway already defined under [security ike]";
        type string {
          length "1 .. 32";
        }
        description "Label for the remote (peer) gateway";
      }
      uses apply-advanced;
      leaf ike-policy {
        junos:must "(!("security ike policy $$"))";
        junos:must-message "Policy already defined under [security ike]";
        junos:must "("security group-vpn member ike policy $$")";
        junos:must-message "Referenced IKE policy must be defined under [edit security group-vpn member ike policy]";
        type string {
          length "1 .. 32";
        }
        description "Name of the IKE policy";
      }
      container local-identity {
        description "Set the local IKE identity";
        choice identity-type {
          container inet {
            description "Use an IPv4 address";
            uses apply-advanced;
            leaf identity-ipv4 {
              type jt:ipv4addr;
              description "The local IPv4 identity";
            }
          } // container inet
          container hostname {
            description "Use a fully-qualified domain name";
            uses apply-advanced;
            leaf identity-hostname {
              type string;
              description "The local hostname";
            }
          } // container hostname
          container user-at-hostname {
            description "Use an e-mail address";
            uses apply-advanced;
            leaf identity-user {
              type string;
              description "The local user-FQDN";
            }
          } // container user-at-hostname
          leaf distinguished-name {
            type empty;
            description "Use a distinguished name specified in local certificate";
          }
        } // choice identity-type
      } // container local-identity
      // A member must not reuse any configured group server address as its
      // own local address (junos:must).
      leaf local-address {
        junos:must "(!(any "security group-vpn member ike gateway <*> server-address $$"))";
        junos:must-message "Member can not have the same local address as server";
        type jt:ipv4addr;
        description "Local IPv4 address for group member";
      }
      leaf routing-instance {
        junos:must "("routing-instances $$")";
        junos:must-message "Referenced routing-instance must be defined";
        type string;
        default "default";
        description "Name of routing instance that hosts local address";
      }
    } // list gateway
  } // grouping gvpn-member-ike

  // Group VPN IKE policy. Commit-time constraints on the name: the policy
  // needs proposals or a proposal-set (the proposal-set enums forbid both),
  // and exactly one of certificate local-certificate / pre-shared-key.
  grouping gvpn-ike-policy {
    leaf name {
      junos:must "((".. proposals" || ".. proposal-set"))";
      junos:must-message "IKE policy must have either proposals or proposal-set configured";
      junos:must "(((".. certificate local-certificate" || ".. pre-shared-key") && !((".. certificate local-certificate" && ".. pre-shared-key"))))";
      junos:must-message "IKE policy must have either local certificate or pre-shared key configured";
      junos:must "(!("security ike policy $$"))";
      junos:must-message "Policy already defined under [security ike policy]";
      type string {
        length "1 .. 32";
      }
      description "Name of policy";
    }
    uses apply-advanced;
    // IKE Phase 1 exchange mode; main is the default. Aggressive mode sends
    // the identity payload before the exchange is encrypted, so main mode is
    // preferable unless the peer requires aggressive.
    leaf mode {
      type enumeration {
        enum "main" {
          value 0;
          description "Main mode";
        }
        enum "aggressive" {
          value 1;
          description "Aggressive mode";
        }
      }
      default "main";
      description "Define the IKE mode for Phase 1";
    }
    leaf description {
      type string {
        length "1 .. 80";
      }
      description "Text description of IKE policy";
    }
    leaf-list proposals {
      junos:must "(".. .. .. proposal $$")";
      junos:must-message "Referenced proposal is not defined";
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 32";
      }
      ordered-by user;
      description "Name of the proposal";
    }
    container certificate {
      description "Certificate configuration";
      uses apply-advanced;
      leaf local-certificate {
        type string {
          junos:posix-pattern "^.{1,32}$";
          junos:pattern-message "Must be string of 32 characters or less";
        }
        description "Local certificate identifier";
      }
      container trusted-ca {
        status deprecated;
        description "Specify the CA to use";
        choice ca {
          leaf ca-index {
            type union {
              type uint32;
              type string {
                pattern "<.*>|$.*";
              }
            }
            description "Index of the preferred CA to use";
          }
          leaf use-all {
            type empty;
            description "Use all configured CAs";
          }
        } // choice ca
      } // container trusted-ca
      leaf peer-certificate-type {
        type enumeration {
          enum "pkcs7" {
            value 0;
            description "PKCS7 encoding";
          }
          enum "x509-signature" {
            value 1;
            description "X509 signature encoding";
          }
        }
        default "x509-signature";
        description "Preferred type of certificate from peer";
      }
    } // container certificate
    // Predefined proposal sets; the contents of basic/compatible/standard
    // are not described in this module.
    leaf proposal-set {
      type enumeration {
        enum "basic" {
          junos:must "(!(".. proposals"))";
          junos:must-message "IKE policy must not have both proposals and proposal-set configured";
          value 0;
          description "IKE proposal-set for basic";
        }
        enum "compatible" {
          junos:must "(!(".. proposals"))";
          junos:must-message "IKE policy must not have both proposals and proposal-set configured";
          value 1;
          description "IKE proposal-set for compatible";
        }
        enum "standard" {
          junos:must "(!(".. proposals"))";
          junos:must-message "IKE policy must not have both proposals and proposal-set configured";
          value 2;
          description "IKE proposal-set for standard";
        }
      }
      description "Types of default IKE proposal-set";
    }
    // The schema only enforces length 1..255 (and hex digits for the
    // hexadecimal form); pre-shared-key strength is not expressed here and
    // has to be enforced by operational policy.
    container pre-shared-key {
      description "Define a preshared key";
      choice key-choice {
        leaf ascii-text {
          type string {
            length "1 .. 255";
          }
          description "Format as text";
        }
        leaf hexadecimal {
          type string {
            junos:posix-pattern "^[[:xdigit:]]+$";
            junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
            length "1 .. 255";
          }
          description "Format as hexadecimal";
        }
      } // choice key-choice
    } // container pre-shared-key
  } // grouping gvpn-ike-policy

  // Group VPN IKE proposal. The algorithm enumerations still carry legacy
  // choices (des-cbc, group1, md5, sha1) and declare no default, so a
  // configuration review should check each proposal's explicit selection.
  grouping gvpn-member-ike-proposal {
    leaf name {
      junos:must "(!("security ike proposal $$"))";
      junos:must-message "Proposal already defined under [security ike proposal]";
      type string {
        length "1 .. 32";
      }
      description "Name of the IKE proposal";
    }
    uses apply-advanced;
    leaf description {
      type string {
        length "1 .. 80";
      }
      description "Text description of IKE proposal";
    }
    leaf authentication-method {
      type enumeration {
        enum "pre-shared-keys" {
          value 0;
          description "Preshared keys";
        }
        enum "rsa-signatures" {
          value 1;
          description "RSA signatures";
        }
        enum "dsa-signatures" {
          value 2;
          description "DSA signatures";
        }
      }
      description "Define authentication method";
    }
    leaf dh-group {
      type enumeration {
        enum "group1" {
          value 0;
          description "Diffie-Hellman Group 1";
        }
        enum "group2" {
          value 1;
          description "Diffie-Hellman Group 2";
        }
        enum "group5" {
          value 2;
          description "Diffie-Hellman Group 5";
        }
        enum "group14" {
          value 3;
          description "Diffie-Hellman Group 14";
        }
      }
      description "Define Diffie-Hellman group";
    }
    leaf authentication-algorithm {
      type enumeration {
        enum "md5" {
          value 0;
          description "MD5 authentication algorithm";
        }
        enum "sha1" {
          value 1;
          description "SHA1 authentication algorithm";
        }
        enum "sha-256" {
          value 2;
          description "SHA 256-bit authentication algorithm";
        }
      }
      description "Define authentication algorithm";
    }
    leaf encryption-algorithm {
      type enumeration {
        enum "des-cbc" {
          value 0;
          description "DES-CBC encryption algorithm";
        }
        enum "3des-cbc" {
          value 1;
          description "3DES-CBC encryption algorithm";
        }
        enum "aes-128-cbc" {
          value 2;
          description "AES-CBC 128-bit encryption algorithm";
        }
        enum "aes-192-cbc" {
          value 3;
          description "AES-CBC 192-bit encryption algorithm";
        }
        enum "aes-256-cbc" {
          value 4;
          description "AES-CBC 256-bit encryption algorithm";
        }
      }
      description "Define encryption algorithm";
    }
    // Phase 1 SA lifetime; the default (180 s) is the minimum of the range.
    leaf lifetime-seconds {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "180 .. 86400";
        }
      }
      units "seconds";
      default "180";
      description "Lifetime, in seconds";
    }
  } // grouping gvpn-member-ike-proposal

  grouping gvpn-member-ipsec-vpn {
    uses apply-advanced;
    list vpn {
      key "name";
      ordered-by user;
      description "Define an IPSec VPN";
      uses ipsec-gvpn-member-template;
    } // list vpn
  } // grouping gvpn-member-ipsec-vpn

  // One Group VPN member VPN: gateway reference, group id, match direction,
  // tunnel MTU / DF handling and fail-open rules.
  grouping ipsec-gvpn-member-template {
    description "Configure a Group VPN";
    leaf name {
      junos:must "(!("security ipsec vpn $$"))";
      junos:must-message "VPN already defined under [security ipsec]";
      type string {
        length "1 .. 32";
      }
      description "Name of the VPN";
    }
    uses apply-advanced;
    leaf ike-gateway {
      junos:must "("security group-vpn member ike gateway $$")";
      junos:must-message "Referenced IKE gateway must be defined under [edit security group-vpn member ike gateway]";
      type string {
        length "1 .. 32";
      }
      description "Name of IKE gateway";
    }
    // Group id must be unique across member VPNs unless no-group-check is
    // set (junos:must); no-group-check itself is not defined in this excerpt.
    leaf group {
      junos:must "((".. no-group-check" || unique "security group-vpn member ipsec vpn <*> group $$"))";
      junos:must-message "Group id must be unique among group vpns";
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 65535";
        }
      }
      description "Enable Group VPN by defining group id";
    }
    leaf match-direction {
      type enumeration {
        enum "input" {
          value 0;
          description "Match on input to interface";
        }
        enum "output" {
          value 1;
          description "Match on output from interface";
        }
      }
      description "Direction for which the rule match is applied";
    }
    leaf tunnel-mtu {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "256 .. 9192";
        }
      }
      default "1500";
      description "Maximum transmit packet size";
    }
    leaf df-bit {
      type enumeration {
        enum "clear" {
          value 0;
          description "Clear DF bit of outer header";
        }
        enum "set" {
          value 1;
          description "Set DF bit of outer header";
        }
        enum "copy" {
          value 2;
          description "Copy DF bit from inner header";
        }
      }
      default "clear";
      description "Specifies how to handle the Don't Fragment bit";
    }
    // Per its description this forwards packets that mismatch the policy;
    // presumably a relaxation of enforcement, so its presence is worth
    // flagging in configuration review.
    leaf forward-policy-mismatch {
      type empty;
      description "Enables forwarding of policy mismatch packets";
    }
    container fail-open {
      description "List of fail open rules";
      uses ipsec_gvpn_fail_open_rule_object;
    } // container fail-open
  } // grouping ipsec-gvpn-member-template

  // Up to 10 fail-open rules (max-elements), each an IPv4 source/destination
  // prefix match.
  grouping ipsec_gvpn_fail_open_rule_object {
    uses apply-advanced;
    list rule {
      key "name";
      max-elements 10;
      ordered-by user;
      description "Define fail open rules upto 10";
      uses ipsec_gvpn_rule_address_object;
    } // list rule
  } // grouping ipsec_gvpn_fail_open_rule_object

  grouping ipsec_gvpn_rule_address_object {
    leaf name {
      type string {
        junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
        junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
        length "1 .. 63";
      }
      description "Rule name";
    }
    uses apply-advanced;
    container source-address {
      presence "enable source-address";
      description "Match IP source address";
      uses ipsec_gvpn_addr_object;
    } // container source-address
    container destination-address {
      presence "enable destination-address";
      description "Match IP destination address";
      uses ipsec_gvpn_addr_object;
    } // container destination-address
  } // grouping ipsec_gvpn_rule_address_object

  grouping ipsec_gvpn_addr_object {
    uses apply-advanced;
    leaf address {
      type jt:ipv4prefix-only;
      description "Prefix to match";
    }
  } // grouping ipsec_gvpn_addr_object

  // [edit security ike]. This grouping continues beyond the end of the
  // excerpt; the ike-proposal and ike-policy groupings it uses are not shown.
  grouping security-ike {
    uses apply-advanced;
    container traceoptions {
      description "Trace options for IPSec key management";
      uses security-traceoptions;
    } // container traceoptions
    // Presence container: responses to bad-SPI packets are off unless this
    // node is configured; max-responses (1..30, default 5) bounds how often
    // the device answers.
    container respond-bad-spi {
      presence "enable respond-bad-spi";
      description "Respond to IPSec packets with bad SPI values";
      leaf max-responses {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 30";
          }
        }
        default "5";
        description "Maximum number of times to respond";
      }
    } // container respond-bad-spi
    list proposal {
      key "name";
      ordered-by user;
      description "Define an IKE proposal";
      uses ike-proposal;
    } // list proposal
    list policy {
      key "name";
      ordered-by user;
      description "Define an IKE policy";
      uses ike-policy;
    } // list policy
    list gateway {
      key "name";
      ordered-by user;
      description "Define an IKE gateway";
      leaf name {
        type string {
          length "1 .. 32";
        }
        description "Label for the remote (peer) gateway";
      }
      uses apply-advanced;
      // Commit-time rule: a dynamic peer authenticated by pre-shared key may
      // not use main mode (the policy must then be aggressive), and the
      // referenced policy must exist under [edit security ike policy].
      leaf ike-policy {
        junos:must "(!(("security ike policy $$ mode main" && ("security ike policy $$ pre-shared-key" && ".. dynamic"))))";
        junos:must-message "Main mode for dynamic peer with Preshared key based authentication is not allowed";
        junos:must "("security ike policy $$")";
        junos:must-message "Referenced IKE policy must be defined under [edit security ike policy]";
        type string {
          length "1 .. 32";
        }
        description "Name of the IKE policy";
      }
      // Either a static list of peer addresses or a dynamic peer identity.
      choice remote-identifier {
        // The description allows 1 primary plus up to 4 backups, but no
        // max-elements is declared here; presumably enforced elsewhere.
        leaf-list address {
          type string;
          ordered-by user;
          description "Addresses or hostnames of peer:1 primary, upto 4 backups";
        }
        container dynamic {
          description "Site to site peer with dynamic IP address";
          uses apply-advanced;
          choice remote-id-type {
            container distinguished-name {
              presence "enable distinguished-name";
              description "Use a distinguished name: ";
              uses apply-advanced;
              choice name-type {
                leaf container {
                  type string;
                  description "Specify the container string";
                }
                leaf wildcard {
                  type string;
                  description "Specify the wildcard string";
                }
              } // choice name-type
            } // container distinguished-name
            leaf hostname {
              type string;
              description "Use a fully-qualified domain name";
            }
            leaf inet {
              type jt:ipv4addr;
              description "Use an IPV4 address to identify the dynamic peer";
            }
            leaf inet6 {
              type jt:ipv6addr;
              description "Use an IPV6 address to identify the dynamic peer";
            }
            leaf user-at-hostname {
              type string;
              description "Use an e-mail address";
            }
          } // choice remote-id-type
          // Unbounded uint32; no default is declared.
          leaf connections-limit {
            type union {
              type uint32;
              type string {
                pattern "<.*>|$.*";
              }
            }
            description "Maximum number of users connected to gateway";
          }
          // shared-ike-id (one IKE ID for many users) requires xauth to be
          // configured on the gateway (junos:must).
          leaf ike-user-type {
            type enumeration {
              enum "group-ike-id" {
                value 0;
                description "Email address or FQDN shared as IKED ID by multiple users";
              }
              enum "shared-ike-id" {
                junos:must "(" .. .. xauth")";
                junos:must-message "Need to configure xauth at [edit security ike gateway]";
                value 1;
                description "Email address shared as IKED ID by multiple users";
              }
            }
            description "Type of the IKE ID";
          }
        } // container dynamic
      } // choice remote-identifier
      // RFC 3706 dead peer detection: interval 10..60 s (default 10),
      // up to 1..5 retransmissions (default 5).
      container dead-peer-detection {
        presence "enable dead-peer-detection";
        description "Enable RFC-3706 DPD";
        uses apply-advanced;
        leaf always-send {
          type empty;
          description "Send DPD messages periodically, regardless of traffic";
        }
        leaf interval {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "10 .. 60";
            }
          }
          units "seconds";
          default "10";
          description "The interval at which to send DPD messages";
        }
        leaf threshold {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "1 .. 5";
            }
          }
          default "5";
          description "Maximum number of DPD retransmissions";
        }
      } // container dead-peer-detection
      leaf no-nat-traversal {
        type empty;
        description "Disable IPSec NAT traversal";
      }
      leaf nat-keepalive {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 300";
          }
        }
        units "seconds";
        default "5";
        description "Interval at which to send NAT keepalives";
      }
      container local-identity {
        description "Set the local IKE identity";
        choice identity-type {
          container inet {
            description "Use an IPv4 address";
            uses apply-advanced;
            leaf identity-ipv4 {
              type jt:ipv4addr;
              description "The local IPv4 identity";
            }
          } // container inet
          container inet6 {
            description "Use an IPv6 address";
            uses apply-advanced;
            leaf identity-ipv6 {
              type jt:ipv6addr;
              description "The local IPv6 identity";
            }
          } // container inet6
          container hostname {
            description "Use a fully-qualified domain name";
            uses apply-advanced;
            leaf identity-hostname {
              type string;
              description "The local hostname";
            }
          } // container hostname
          container user-at-hostname {
            description "Use an e-mail address";
            uses apply-advanced;
            leaf identity-user {
              type string;
              description "The local user-FQDN";
            }
          } // container user-at-hostname
          leaf distinguished-name {
            type empty;
            description "Use a distinguished name specified in local certificate";
          }
        } // choice identity-type
      } // container local-identity
      // Not allowed together with a dynamic peer; for dynamic peers the
      // identity is configured under the dynamic container instead.
      container remote-identity {
        junos:must "(!(".. dynamic"))";
        junos:must-message "Since the remote gateway is dynamic, Define remote identity under dynamic";
        description "Set the remote IKE identity";
        choice identity-type {
          container inet {
            description "Use an IPv4 address";
            uses apply-advanced;
            leaf identity-ipv4 {
              type jt:ipv4addr;
              description "The remote IPv4 identity";
            }
          } // container inet
          container inet6 {
            description "Use an IPv6 address";
            uses apply-advanced;
            leaf identity-ipv6 {
              type jt:ipv6addr;
              description "The remote IPv6 identity";
            }
          } // container inet6
          container hostname {
            description "Use a fully-qualified domain name";
            uses apply-advanced;
            leaf identity-hostname {
              type string;
              description "The remote hostname";
            }
          } // container hostname
          container user-at-hostname {
            description "Use an e-mail address";
            uses apply-advanced;
            leaf identity-user {
              type string;
              description "The remote user-FQDN";
            }
          } // container user-at-hostname
          container distinguished-name {
            presence "enable distinguished-name";
            description "Use a distinguished name: ";
            uses apply-advanced;
            leaf container {
              type string;
              description "Specify the container string";
            }
            leaf wildcard {
              type string;
              description "Specify the wildcard string";
            }
          } // container distinguished-name
        } // choice identity-type
      } // container remote-identity
      // The referenced interface must exist under [edit interfaces] and must
      // not be a bridge-family interface (junos:must).
      leaf external-interface {
        junos:must "(!("interfaces $$ family bridge"))";
        junos:must-message "Bridge interface is not allowed as external-interface";
        junos:must "("interfaces $$-IFL")";
        junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy";
        type union {
          type jt:interface-unit;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "External interface for IKE negotiations";
      }
      // Extended authentication; the access profile must already exist
      // under [edit access profile].
      container xauth {
        description "Use extended authentication";
        leaf access-profile {
          junos:must "("access profile $$")";
          junos:must-message "profile needs to be configured";
          type string;
          description "Access profile that contains authentication information";
        }
      } // container xauth
      leaf general-ikeid {
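junos:must "(!(".. remote-identity"))";
junos:must-message "general-ikeid option is not allowed when remote-identity is configured";
junos:must "(!(".. dynamic"))";
// Fixed: the message named the option "general-ikd-id"; the leaf is general-ikeid.
junos:must-message "general-ikeid option is not available for dynamic peer.";
type empty;
// NOTE(review): relaxes peer IKE-ID matching for this gateway. The two musts
// above confine it to gateways with neither remote-identity nor dynamic configured.
description "Accept peer IKE-ID in general";
}
leaf version {
  type enumeration {
    enum "v1-only" { value 0; description "The connection must be initiated using IKE version 1"; }
    enum "v2-only" { value 1; description "The connection must be initiated using IKE version 2"; }
  }
  // NOTE(review): the schema default is IKEv1; IKEv2 is only used when
  // v2-only is configured explicitly.
  default "v1-only";
  description "Negotiate using either IKE v1 or IKE v2 protocol";
}
} // list gateway
} // grouping security-ike

// IKE (phase 1) policy, keyed by peer IPv4 address: exchange mode, referenced
// proposals, and the authentication material (pre-shared key, or local
// certificate plus key pair).
grouping ike-policy {
  leaf name {
    // At least one authentication source must be present on the policy.
    junos:must "(("security ike policy $$ pre-shared-key" || "security ike policy $$ local-certificate"))";
    junos:must-message "Either pre-shared-key or local-certificate must be configured in ike policy";
    type jt:ipv4addr;
    description "IKE peer address";
  }
  uses apply-advanced;
  leaf mode {
    type enumeration {
      enum "main" { value 0; description "Main mode"; }
      enum "aggressive" { value 1; description "Aggressive mode"; }
    }
    // NOTE(review): aggressive mode is not restricted here; the only mode
    // constraint visible in this module is the gateway-side must that rejects
    // main mode for a dynamic peer using a pre-shared key.
    description "Define the IKE first phase mode";
  }
  leaf description {
    type string { length "1 .. 80"; }
    description "Text description of IKE policy";
  }
  leaf-list proposals {
    // Each referenced proposal must exist under [edit security ike proposal].
    junos:must "(".. .. .. proposal $$")";
    junos:must-message "Referenced proposal is not defined";
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    ordered-by user;
    description "Name of the proposal";
  }
  leaf local-certificate {
    // Certificate file and key-pair file must be distinct.
    junos:must "(!(".. local-key-pair $$"))";
    junos:must-message "Local certificate and local key pair files must be different";
    type string { length "1 .. 255"; }
    description "File to read certificate from";
  }
  leaf local-key-pair {
    type string { length "1 .. 255"; }
    description "File to read key-pair from";
  }
  leaf encoding {
    type enumeration {
      enum "binary" { value 0; description "DER encoding"; }
      enum "pem" { value 1; description "Privacy-enhanced-mail encoding, base64"; }
    }
    default "binary";
    description "Encoding to use for certificate or CRL on disk";
  }
  leaf identity {
    type string { length "1 .. 32"; }
    description "Define the remote certificate name";
  }
  // NOTE(review): the schema only bounds the key's length (1..255 text
  // characters or hex digits); it enforces no minimum length or entropy.
  container pre-shared-key {
    description "Define a preshared key";
    choice key-choice {
      leaf ascii-text {
        type string { length "1 .. 255"; }
        description "Format as text";
      }
      leaf hexadecimal {
        type string {
          junos:posix-pattern "^[[:xdigit:]]+$";
          junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)";
          length "1 .. 255";
        }
        description "Format as hexadecimal";
      }
    } // choice key-choice
  } // container pre-shared-key
} // grouping ike-policy

// IKE (phase 1) proposal: authentication method, Diffie-Hellman group,
// integrity and encryption algorithms. The enumerations list every value the
// CLI accepts; nothing here ranks or deprecates them.
grouping ike-proposal {
  leaf name {
    // A proposal name may live under [edit security ike proposal] or under
    // [edit services ipsec-vpn ike proposal], never both.
    junos:must "((("services ipsec-vpn ike proposal $$" && !("security ike proposal $$")) || ("security ike proposal $$" && !("services ipsec-vpn ike proposal $$"))))";
    junos:must-message "Referenced IKE proposal must not be defined both under [edit security ike proposal] and [edit services ipsec-vpn ike proposal]";
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    description "Name of the IKE proposal";
  }
  uses apply-advanced;
  leaf description {
    type string { length "1 .. 80"; }
    description "Text description of IKE proposal";
  }
  leaf authentication-method {
    type enumeration {
      enum "pre-shared-keys" { value 0; description "Preshared keys"; }
      enum "rsa-signatures" { value 1; description "RSA signatures"; }
      enum "dsa-signatures" { value 2; description "DSA signatures"; }
      // Fixed: help text said "254 bit"; the enum is ecdsa-signatures-256.
      enum "ecdsa-signatures-256" { value 3; description "ECDSA signatures (256 bit modulus)"; }
      enum "ecdsa-signatures-384" { value 4; description "ECDSA signatures (384 bit modulus)"; }
    }
    description "Define authentication method";
  }
  leaf dh-group {
    // NOTE(review): group1, group2 and group5 remain selectable next to
    // group14 and above; excluding them is operator policy, not this schema.
    type enumeration {
      enum "group1" { value 0; description "Diffie-Hellman Group1"; }
      enum "group2" { value 1; description "Diffie-Hellman Group2"; }
      enum "group5" { value 2; description "Diffie-Hellman Group5"; }
      enum "group14" { value 3; description "Diffie-Hellman Group14"; }
      enum "group15" { value 4; description "Diffie-Hellman Group15"; }
      enum "group16" { value 5; description "Diffie-Hellman Group16"; }
      enum "group19" { value 6; description "Diffie-Hellman Group19"; }
      enum "group20" { value 7; description "Diffie-Hellman Group20"; }
      enum "group24" { value 8; description "Diffie-Hellman Group24"; }
    }
    description "Define Diffie-Hellman group";
  }
  leaf authentication-algorithm {
    // NOTE(review): md5 and sha1 are still accepted here.
    type enumeration {
      enum "md5" { value 0; description "MD5 authentication algorithm"; }
      enum "sha1" { value 1; description "SHA1 authentication algorithm"; }
      enum "sha-256" { value 2; description "SHA 256-bit authentication algorithm"; }
      enum "sha-384" { value 3; description "SHA 384-bit authentication algorithm"; }
    }
    description "Define authentication algorithm";
  }
  leaf encryption-algorithm {
    // NOTE(review): des-cbc and 3des-cbc are still accepted here.
    type enumeration {
      enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; }
      enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; }
      enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; }
      enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; }
      enum "aes-256-cbc" { value 4;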
description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } leaf lifetime-seconds { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "180 .. 86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ike-proposal grouping security-ipsec-vpn { uses apply-advanced; container traceoptions { description "Trace options for IPSec data-plane debug"; uses ipsec-traceoptions; } // container traceoptions container vpn-monitor-options { presence "enable vpn-monitor-options"; description "Global options for VPN liveliness monitoring"; uses ipsec-vpn-monitor; } // container vpn-monitor-options list proposal { key "name"; ordered-by user; description "Define an IPSec proposal"; uses ipsec-proposal; } // list proposal list policy { key "name"; ordered-by user; description "Define an IPSec policy"; uses ipsec-policy; } // list policy list vpn { key "name"; ordered-by user; description "Define an IPSec VPN"; uses ipsec-vpn-template; } // list vpn list security-association { key "name"; ordered-by user; description "Define an IPSec security association"; uses ipsec-sa; } // list security-association container internal { presence "enable internal"; description "Define an IPSec SA for internal RE-RE communication"; uses apply-advanced; container security-association { presence "enable security-association"; description "Define an IPSec security association"; uses ipsec-internal-sa; } // container security-association } // container internal container trusted-channel { junos:must "("security ipsec trusted-channel security-association")"; junos:must-message "Must configure trusted-channel security-association"; presence "enable trusted-channel"; description "Define an IPSec SA for trusted-channel communication"; uses apply-advanced; container security-association { presence "enable security-association"; description "Define an IPSec security association"; uses ipsec-trusted-channel-sa; } // container 
security-association leaf-list port-exclusion-list { junos:must "("security ipsec trusted-channel security-association")"; junos:must-message "Must configure trusted-channel security-association"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65535"; } } ordered-by user; description "Define port exlusion list"; } } // container trusted-channel } // grouping security-ipsec-vpn grouping ipsec-internal-sa { uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of internal security association"; } container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. 
auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual } // grouping ipsec-internal-sa grouping ipsec-policy { leaf name { junos:must "((("services ipsec-vpn ipsec policy $$" && !("security ipsec policy $$")) || ("security ipsec policy $$" && !("services ipsec-vpn ipsec policy $$"))))"; junos:must-message "Referenced IPSec policy must not be defined both under [edit security ipsec policy] and [edit services ipsec-vpn ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } uses apply-advanced; leaf description { type string { length "1 .. 
80"; }
description "Text description of IPSec policy";
}
// Optional PFS Diffie-Hellman group for the phase 2 SA. keys has no default
// in this schema; what the device negotiates when it is absent is not stated
// here — confirm against platform documentation.
container perfect-forward-secrecy {
  description "Define perfect forward secrecy";
  uses apply-advanced;
  leaf keys {
    // NOTE(review): group1, group2 and group5 are selectable here as well.
    type enumeration {
      enum "group1" { value 0; description "Diffie-Hellman Group1"; }
      enum "group2" { value 1; description "Diffie-Hellman Group2"; }
      enum "group5" { value 2; description "Diffie-Hellman Group5"; }
      enum "group14" { value 3; description "Diffie-Hellman Group14"; }
      enum "group15" { value 4; description "Diffie-Hellman Group15"; }
      enum "group16" { value 5; description "Diffie-Hellman Group16"; }
      enum "group19" { value 6; description "Diffie-Hellman Group19"; }
      enum "group20" { value 7; description "Diffie-Hellman Group20"; }
      enum "group24" { value 8; description "Diffie-Hellman Group24"; }
    }
    description "Define Diffie-Hellman group";
  }
} // container perfect-forward-secrecy
leaf-list proposals {
  // Each referenced proposal must exist under [edit security ipsec proposal].
  junos:must "(".. .. .. proposal $$")";
  junos:must-message "Referenced proposal is not defined";
  type string {
    junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
    junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
    length "1 .. 32";
  }
  ordered-by user;
  description "Name of the proposal";
}
// Device-defined proposal bundles. Each value carries a must making it
// mutually exclusive with an explicit proposals list; the algorithms inside
// each set are not described by this schema.
leaf proposal-set {
  type enumeration {
    enum "basic" {
      junos:must "(!(".. proposals"))";
      junos:must-message "IPSec policy must not have both proposals and proposal-set configured";
      value 0;
      description "IPSEC basic proposal-set";
    }
    enum "compatible" {
      junos:must "(!(".. proposals"))";
      junos:must-message "IPSec policy must not have both proposals and proposal-set configured";
      value 1;
      description "IPSEC compatible proposal-set";
    }
    enum "standard" {
      junos:must "(!(".. proposals"))";
      junos:must-message "IPSec policy must not have both proposals and proposal-set configured";
      value 2;
      description "IPSEC standard proposal-set";
    }
  }
  description "Types of default IPSEC proposal-set";
}
} // grouping ipsec-policy

// IPsec (phase 2) proposal. Cross-field checks expressed as musts: AH must not
// carry an encryption-algorithm, and the AES-GCM ciphers must not be combined
// with a separate authentication-algorithm.
// NOTE(review): unlike the manual security-association groupings in this
// module, the esp value here has no must requiring at least one of
// authentication-algorithm / encryption-algorithm; presumably the device
// checks that at commit time — confirm.
grouping ipsec-proposal {
  leaf name {
    // A proposal name may live under [edit security ipsec proposal] or under
    // [edit services ipsec-vpn ipsec proposal], never both.
    junos:must "((("services ipsec-vpn ipsec proposal $$" && !("security ipsec proposal $$")) || ("security ipsec proposal $$" && !("services ipsec-vpn ipsec proposal $$"))))";
    junos:must-message "Referenced IPSec proposal must not be defined both under [edit security ipsec proposal] and [edit services ipsec-vpn ipsec proposal]";
    type string {
      junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$";
      junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores.";
      length "1 .. 32";
    }
    description "Name of the IPSec proposal";
  }
  uses apply-advanced;
  leaf description {
    type string { length "1 .. 80"; }
    description "Text description of IPSec proposal";
  }
  leaf protocol {
    type enumeration {
      enum "ah" {
        junos:must "(!(".. encryption-algorithm"))";
        junos:must-message "Encryption algorithm must not be defined for AH";
        value 0;
        description "Authentication header";
      }
      enum "esp" { value 1; description "Encapsulated Security Payload header"; }
      enum "bundle" { value 2; description "Bundle (AH authentication plus ESP encryption)"; }
    }
    description "Define an IPSec protocol for the proposal";
  }
  leaf authentication-algorithm {
    // NOTE(review): hmac-md5-96 and hmac-sha1-96 are still accepted here;
    // hmac-sha-256-96 is flagged non-RFC-compliant by its own description.
    type enumeration {
      enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; }
      enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; }
      enum "hmac-sha-256-128" {
        // The must requires an ipsec-vpn ancestor; per its message this value
        // is rejected in the [edit security] hierarchy.
        junos:must "(".. .. .. .. ipsec-vpn")";
        junos:must-message "hmac-sha-256-128 algorithm is not supported for IKE and IPSec configuration in security hierarchy";
        value 2;
        description "HMAC-SHA-256-128 authentication algorithm";
      }
      enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; }
      enum "hmac-sha2-256" { value 4; description "HMAC-SHA2-256 authentication algorithm"; }
    }
    description "Define authentication algorithm";
  }
  leaf encryption-algorithm {
    // NOTE(review): des-cbc and 3des-cbc are still accepted here. The GCM
    // entries carry a 16-octet ICV and their musts reject pairing them with
    // a separate HMAC authentication-algorithm.
    type enumeration {
      enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; }
      enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; }
      enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; }
      enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; }
      enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; }
      enum "aes-128-gcm" {
        junos:must "(!(".. authentication-algorithm"))";
        junos:must-message "HMAC Authentication is not compatible with AES-GCM";
        value 5;
        description "AES-GCM 128-bit encryption algorithm with 16 octet ICV";
      }
      enum "aes-192-gcm" {
        junos:must "(!(".. authentication-algorithm"))";
        junos:must-message "HMAC Authentication is not compatible with AES-GCM";
        value 6;
        description "AES-GCM 192-bit encryption algorithm with 16 octet ICV";
      }
      enum "aes-256-gcm" {
        junos:must "(!(".. authentication-algorithm"))";
        junos:must-message "HMAC Authentication is not compatible with AES-GCM";
        value 7;
        description "AES-GCM 256-bit encryption algorithm with 16 octet ICV";
      }
    }
    description "Define encryption algorithm";
  }
  leaf lifetime-seconds {
    type union {
      type string { pattern "<.*>|$.*"; }
      type uint32 { range "180 .. 
86400"; } } units "seconds"; description "Lifetime, in seconds"; } } // grouping ipsec-proposal grouping ipsec-sa { leaf name { type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of IPSec security association"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of security association"; } leaf mode { type enumeration { enum "transport" { junos:must "(!(".. dynamic"))"; junos:must-message "Dynamic security associations are not supported in transport mode"; junos:must "(".. manual")"; junos:must-message "Manual block must be configured for transport mode security association"; value 0; description "Transport mode"; } enum "tunnel" { value 1; description "Tunnel mode"; } } default "tunnel"; description "Define security association mode"; } choice sa_choice { container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. 
encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 
16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual container dynamic { description "Define a dynamic security association"; uses apply-advanced; leaf replay-window-size { type enumeration { enum "32" { value 0; description "32-packet window size"; } enum "64" { value 1; description "64-packet window size"; } } description "Define replay protection window size"; } leaf ipsec-policy { junos:must "("security ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit security ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } } // container dynamic } // choice sa_choice } // grouping ipsec-sa grouping ipsec-traceoptions { description "Data-plane IPSec tracing options"; uses apply-advanced; list flag { key "name"; ordered-by user; description "Events to include in data-plane IPSec trace output"; leaf name { type enumeration { enum "packet-processing" { value 0; description "Trace data packet processing events"; } enum "packet-drops" { value 1; description "Trace packet drops"; } enum "security-associations" { value 2; description "Trace security association management events"; } enum "next-hop-tunnel-binding" { value 3; description "Trace next-hop tunnel binding events"; } enum "all" { value 4; description "Trace with all flags enabled"; } } } } // list flag } // grouping ipsec-traceoptions grouping ipsec-trusted-channel-sa { uses apply-advanced; leaf description { type string { length "1 .. 
80"; } description "Text description of trusted channel security association"; } container manual { description "Define a manual security association"; uses apply-advanced; list direction { key "name"; ordered-by user; description "Define the direction of the security association"; leaf name { type enumeration { enum "inbound" { junos:must "(".. .. direction $$={outbound}")"; junos:must-message "Outbound block must be configured"; value 0; description "Inbound security association"; } enum "outbound" { junos:must "(".. .. direction $$={inbound}")"; junos:must-message "Inbound block must be configured"; value 1; description "Outbound security association"; } enum "bidirectional" { junos:must "((!(".. .. direction $$={inbound}") && !(".. .. direction $$={outbound}")))"; junos:must-message "Outbound or inbound blocks must not be configured"; value 2; description "Bidirectional security association"; } } } uses apply-advanced; leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } enum "bundle" { junos:must "(".. auxiliary-spi")"; junos:must-message "Auxiliary SPI must be defined for AH plus ESP bundle"; junos:must "(".. encryption")"; junos:must-message "Encryption must be defined for AH plus ESP bundle"; junos:must "(".. 
authentication")"; junos:must-message "Authentication must be defined for AH plus ESP bundle"; value 2; description "Bundle (AH authentication plus ESP encryption)"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } leaf auxiliary-spi { junos:must "(".. protocol bundle")"; junos:must-message "Auxiliary SPI must be configured with protocol bundle only"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "ESP security parameter index for IPSec SA bundle"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha2-256" { value 2; description "HMAC-SHA2-256 authentication algorithm"; } enum "hmac-sha-256-128" { value 3; description "HMAC-SHA-256-128 authentication algorithm"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // list direction } // container manual } // grouping ipsec-trusted-channel-sa grouping ipsec-vpn-monitor { description "Configure VPN monitoring"; uses apply-advanced; leaf interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 3600"; } } units "seconds"; default "10"; description "Monitor interval in seconds"; } leaf threshold { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 65536"; } } default "10"; description "Number of consecutive failures to determine connectivity"; } } // grouping ipsec-vpn-monitor grouping ipsec-vpn-template { description "Configure an IPSec VPN"; leaf name { type string { length "1 .. 
32"; } description "Name of the VPN"; } uses apply-advanced; leaf bind-interface { junos:must "(("interfaces $$" || any "logical-systems <*> interfaces $$"))"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-name; type string { pattern "<.*>|$.*"; } } description "Bind to tunnel interface (route-based VPN)"; } leaf df-bit { type enumeration { enum "clear" { value 0; description "Clear DF bit of outer header"; } enum "set" { value 1; description "Set DF bit of outer header"; } enum "copy" { value 2; description "Copy DF bit from inner header"; } } description "Specifies how to handle the Don't Fragment bit"; } container vpn-monitor { presence "enable vpn-monitor"; description "Monitor VPN liveliness"; uses ipsec-template-monitor; } // container vpn-monitor choice negotiation { container manual { description "Define a manual security association"; uses apply-advanced; leaf gateway { type jt:hostname; description "Define the IPSec peer"; } leaf external-interface { junos:must "(!("interfaces $$ family bridge"))"; junos:must-message "Bridge interface is not allowed as external-interface"; junos:must "("interfaces $$-IFL")"; junos:must-message "Referenced interface must be configured under [edit interfaces] hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "External interface for the security association"; } leaf protocol { type enumeration { enum "ah" { junos:must "(!(".. encryption"))"; junos:must-message "Encryption must not be defined for AH"; junos:must "(".. authentication")"; junos:must-message "Authentication must be defined for AH"; value 0; description "Authentication header"; } enum "esp" { junos:must "((".. authentication" || ".. 
encryption"))"; junos:must-message "Either authentication or encryption must be defined for ESP"; value 1; description "Encapsulated Security Payload header"; } } description "Define an IPSec protocol for the security association"; } leaf spi { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "256 .. 16639"; } } description "Define security parameter index"; } container authentication { description "Define authentication parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "hmac-md5-96" { value 0; description "HMAC-MD5-96 authentication algorithm"; } enum "hmac-sha1-96" { value 1; description "HMAC-SHA1-96 authentication algorithm"; } enum "hmac-sha-256-128" { value 2; description "HMAC-SHA-256-128 authentication algorithm"; } enum "hmac-sha-256-96" { value 3; description "HMAC-SHA-256-96 authentication algorithm (non-RFC compliant)"; } } description "Define authentication algorithm"; } container key { description "Define an authentication key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container authentication container encryption { description "Define encryption parameters"; uses apply-advanced; leaf algorithm { type enumeration { enum "des-cbc" { value 0; description "DES-CBC encryption algorithm"; } enum "3des-cbc" { value 1; description "3DES-CBC encryption algorithm"; } enum "aes-128-cbc" { value 2; description "AES-CBC 128-bit encryption algorithm"; } enum "aes-192-cbc" { value 3; description "AES-CBC 192-bit encryption algorithm"; } enum "aes-256-cbc" { value 4; description "AES-CBC 256-bit encryption algorithm"; } } description "Define encryption algorithm"; } container key { description "Define an encryption key"; choice key-choice { leaf ascii-text { type string { length "1 .. 255"; } description "Format as text"; } leaf hexadecimal { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 255"; } description "Format as hexadecimal"; } } // choice key-choice } // container key } // container encryption } // container manual container ike { description "Define an IKE-keyed IPSec vpn"; uses apply-advanced; leaf gateway { junos:must "(!(("security ike gateway $$ dynamic ike-user-type" && ".. .. vpn-monitor destination-ip")))"; junos:must-message "No destination ip support for vpn-monitor in vpn using shared or group ike"; junos:must "(!((".. .. 
bind-interface" && ("security ike gateway $$ dynamic ike-user-type" && "security ike gateway $$ version v2-only"))))"; junos:must-message "No IKEv2 support for shared or group ike in route-based vpn"; junos:must "("security ike gateway $$")"; junos:must-message "Referenced IKE gateway must be defined under [edit security ike gateway]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of remote gateway"; } leaf idle-time { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 999999"; } } units "seconds"; description "Idle time to delete SA"; } leaf no-anti-replay { type empty; description "Disable the anti-replay check"; } container proxy-identity { presence "enable proxy-identity"; description "IPSec proxy-id to use in IKE negotiations"; uses ipsec-template-proxy-id; } // container proxy-identity leaf ipsec-policy { junos:must "("security ipsec policy $$")"; junos:must-message "Referenced IPSec policy must be defined under [edit security ipsec policy]"; type string { junos:posix-pattern "^[[:alnum:]][[:alnum:]_-]*$"; junos:pattern-message "Must be a string beginning with a number or letter and consisting of letters, numbers, dashes and underscores."; length "1 .. 32"; } description "Name of the IPSec policy"; } leaf install-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 10"; } } units "seconds"; default "1"; description "Delay installation of rekeyed outbound SAs on initiator"; } } // container ike } // choice negotiation leaf establish-tunnels { junos:must "(".. 
ike")"; junos:must-message "VPN must be IKE-keyed to define establish-tunnel method"; type enumeration { enum "immediately" { value 0; description "Establish tunnels immediately"; } enum "on-traffic" { value 1; description "Establish tunnels on traffic"; } } default "on-traffic"; description "Define the criteria to establish tunnels"; } } // grouping ipsec-vpn-template grouping ipsec-template-monitor { description "Configure VPN monitoring"; uses apply-advanced; leaf optimized { type empty; description "Optimize for scalability"; } leaf source-interface { type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Source interface for monitor message"; } leaf destination-ip { type jt:ipaddr; description "Destination IP addres for monitor message"; } } // grouping ipsec-template-monitor grouping ipsec-template-proxy-id { description "Proxy identity settings"; uses apply-advanced; leaf local { type jt:ipprefix-mandatory; description "Local IP address/prefix length"; } leaf remote { type jt:ipprefix-mandatory; description "Remote IP address/prefix length"; } leaf service { type string { length "1 .. 32"; } description "Name of serivce that passes through, any enables all services"; } } // grouping ipsec-template-proxy-id grouping security-macsec { uses apply-advanced; container traceoptions { presence "enable traceoptions"; description "Tracing options for debugging protocol operation"; uses macsec-trace-options; } // container traceoptions list connectivity-association { key "name"; ordered-by user; description "Configure connectivity association properties"; leaf name { type string { length "1 .. 32"; } description "Connectivity association name"; } uses apply-advanced; leaf security-mode { junos:must "((!(".. security-mode static-cak") || (".. pre-shared-key cak" || (".. pre-shared-key-chain" || ".. 
fallback-key cak"))))"; junos:must-message "Pre-shared key or fallback-key or pre-shared-key-chain required for static-cak mode"; type enumeration { enum "dynamic" { value 0; description "Dynamic connectivity and secure association mode (MKA and dot1x)"; } enum "static-sak" { value 1; description "Static secure association key mode (no MKA)"; } enum "static-cak" { value 2; description "Static connectivity association key mode (MKA and Pre-shared key)"; } } description "Connectivity association mode"; } leaf sak-hash-128 { junos:must "((".. cipher-suite gcm-aes-256" || ".. cipher-suite gcm-aes-xpn-256"))"; junos:must-message "Allowed only for cipher-suite gcm-aes-256 or gcm-aes-xpn-256"; type empty; description "Configure to generate 128bit SAK hash to program HW"; } list secure-channel { junos:must "(".. security-mode static-sak")"; junos:must-message "Secure-channel configuration allowed only for static-sak mode"; key "name"; ordered-by user; description "Configure secure channel properties"; leaf name { type string; description "Secure channel name"; } uses apply-advanced; container id { description "Secure channel identifier"; uses apply-advanced; leaf mac-address { type jt:mac-addr; description "MAC addresses"; } leaf port-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
65535"; } } description "Port identifier"; } } // container id leaf direction { type enumeration { enum "inbound" { value 0; } enum "outbound" { value 1; } } description "Secure channel direction"; } leaf encryption { type empty; description "Enable Encryption"; } leaf offset { type enumeration { enum "0" { value 0; description "Confidentiality protected for all octets of MACSec PDU data"; } enum "30" { value 1; description "Confidentiality not protected for initial 30 octets of MACSec PDU data"; } enum "50" { value 2; description "Confidentiality not protected for initial 50 octets of MACSec PDU data"; } } description "Confidentiality offset"; } leaf include-sci { type empty; description "Include secure channel identifier in MAC Security PDU"; } list security-association { key "name"; ordered-by user; description "Security association"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3"; } } description "Security association number"; } uses apply-advanced; leaf key { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F) of length 32"; length "32"; } description "Security association key in hexadecimal format of length 32"; } } // list security-association } // list secure-channel container mka { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "MKA configuration can be set only for dynamic/static-cak modes"; presence "enable mka"; description "Configure MAC Security Key Agreement protocol properties"; uses apply-advanced; leaf transmit-interval { junos:must "(!(".. bounded-delay"))"; junos:must-message "Might not be configured with bounded-delay"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2000 .. 
6000"; } } units "milliseconds"; default "2000"; description "Configure MKA periodic transmit interval"; } leaf sak-rekey-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "60 .. 86400"; } } units "seconds"; description "Configure SAK rekeying interval"; } leaf bounded-delay { junos:must "(".. .. replay-protect replay-window-size")"; junos:must-message "replay-window-size must be configured with bounded-delay"; type empty; description "Configure Bounded Hello Time"; } leaf key-server-priority { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } default "16"; description "Configure MKA key server priority"; } leaf must-secure { junos:must "(".. .. security-mode dynamic")"; junos:must-message "Allowed only for dynamic mode"; type empty; description "Allow only secure dot1x traffic"; } leaf should-secure { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static mode"; type empty; description "Configure fail open mode for MKA protocol"; } leaf eapol-address { junos:must "(".. .. security-mode static-cak")"; junos:must-message "Allowed only for static-cak mode"; type string; default "pae"; description "Configure EAPOL destination group address"; } } // container mka container replay-protect { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; description "Configure replay protection"; uses apply-advanced; leaf replay-window-size { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } units "packets"; description "Configure replay protection window size"; } } // container replay-protect leaf no-encryption { junos:must "(!(".. offset"))"; junos:must-message "Offset can be configured only with encryption"; junos:must "((".. security-mode static-cak" || ".. 
security-mode dynamic"))"; junos:must-message "Encryption for static-sak mode should be configured under secure-channel"; type empty; description "Disable encryption"; } leaf disable-preceding-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Enabling configuration allowed only in static-cak mode"; type empty; description "Disable CA preceding key duing key switch-over"; } leaf offset { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Offset for static-sak mode should be configured under secure-channel"; type enumeration { enum "0" { value 0; description "Confidentiality provided for all octets of data"; } enum "30" { value 1; description "Confidentiality not provided for initial 30 octets of data"; } enum "50" { value 2; description "Confidentiality not provided for initial 50 octets of data"; } } default "0"; description "Confidentiality offset"; } leaf include-sci { junos:must "((".. security-mode static-cak" || ".. security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; type empty; description "Include secure channel identifier in MAC Security PDU"; } container pre-shared-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Pre-shared key configuration allowed only in static-cak mode"; presence "enable pre-shared-key"; description "Configure pre-shared connectivity association key"; uses apply-advanced; leaf ckn { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 
64"; } description "Connectivity association key in hexadecimal format"; } } // container pre-shared-key container fallback-key { junos:must "(".. security-mode static-cak")"; junos:must-message "Fallback key configuration allowed only in static-cak mode"; presence "enable fallback-key"; description "Configure fallback key for connectivity association"; uses apply-advanced; leaf ckn { junos:must "(!(".. .. pre-shared-key ckn $$"))"; junos:must-message "fallback-key CKN cannot be same as pre-shared-key CKN"; type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Connectivity association fallback key name in hexadecimal format"; } leaf cak { type string { junos:posix-pattern "^[[:xdigit:]]+$"; junos:pattern-message "Must be hexadecimal digits (0-9, a-f, A-F)"; length "1 .. 64"; } description "Connectivity association fallback key secret in hexadecimal format"; } } // container fallback-key leaf pre-shared-key-chain { junos:must "(!(".. pre-shared-key"))"; junos:must-message "May not be configured with pre-shared-key"; junos:must "("security authentication-key-chains key-chain $$")"; junos:must-message "authentication-key-chains not defined !!"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Pre-shared key chain name for connectivity association"; } list exclude-protocol { junos:must "((".. security-mode static-cak" || ".. 
security-mode dynamic"))"; junos:must-message "Not allowed for static-sak mode"; key "name"; ordered-by user; description "Configure protocols to exclude from MAC Security"; leaf name { type enumeration { enum "cdp" { value 0; description "Cisco Discovery Protocol"; } enum "lldp" { value 1; description "Link Level Discovery Protocol"; } enum "lacp" { value 2; description "Link Aggregation Control Protocol"; } } } } // list exclude-protocol } // list connectivity-association list interfaces { key "name"; description "Interfaces on which macsec configuration is applied"; leaf name { type union { type jt:interface-device; type string { pattern "<.*>|$.*"; } } } uses apply-advanced; leaf connectivity-association { junos:must "("security macsec connectivity-association $$")"; junos:must-message "Connectivity association not defined"; type string; description "Connectivity association name"; } container traceoptions { junos:must "(".. connectivity-association")"; junos:must-message "Connectivity association should be configured on interface to enable traceoptions"; presence "enable traceoptions"; description "Tracing options of MKA protocol"; uses mka-trace-options; } // container traceoptions } // list interfaces } // grouping security-macsec grouping macsec-trace-options { description "Trace options for MACSec Protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "config" { value 0; description "Trace configuration messages"; } enum "debug" { value 1; description "Trace debug messages"; } enum "normal" { value 2; description "Trace normal messages"; } enum "all" { value 3; description "Trace all"; } } } } // list flag } // grouping macsec-trace-options grouping mka-trace-options { description "Trace options for MKA protocol"; uses apply-advanced; container file { description "Trace file options"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf replace { type empty; status deprecated; description "Replace trace file rather than appending to it"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 
1000"; } } default "10"; description "Maximum number of trace files"; } leaf no-stamp { type empty; status deprecated; description "Do not timestamp trace file"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice } // container file list flag { junos:must "(".. file")"; junos:must-message "Trace file name required to enable tracing"; key "name"; ordered-by user; description "Tracing parameters"; leaf name { type enumeration { enum "mka-packets" { value 0; description "Trace MKA input and output packets"; } enum "state" { value 1; description "Trace MKA state information"; } enum "to-secy" { value 2; description "Trace MKA to SecY state changes"; } enum "keys" { value 3; description "Trace key creation/generation information"; } enum "normal" { value 4; description "Trace normal events"; } enum "all" { value 5; description "Trace all"; } } } } // list flag } // grouping mka-trace-options grouping security-pki { uses apply-advanced; list ca-profile { key "name"; ordered-by user; description "Certificate authority profile configuration"; leaf name { type string { junos:posix-pattern "![/%. ]"; junos:pattern-message "Must not contain '/', %, '.' or a space"; length "1 .. 
32"; } description "Name of certificate authority profile"; } uses apply-advanced; leaf ca-identity { type string; description "Certificate authority identifier"; } leaf source-address { type jt:ipaddr; description "Use specified address as source address"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [edit services proxy profile]"; type string; description "Use specified proxy server"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string; description "Use specified routing instance"; } container enrollment { description "Enrollment parameters for certificate authority"; uses apply-advanced; leaf url { type string; description "Enrollment URL of certificate authority"; } leaf retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } default "1000"; description "Number of enrollment retry attempts before aborting"; } leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } default "600"; description "Interval in seconds between the enrollment retries"; } } // container enrollment container revocation-check { description "Method for checking certificate revocations"; uses apply-advanced; choice revocation-check-options { leaf use-crl { type empty; description "Use CRL for revocation check"; } leaf use-ocsp { type empty; description "Use OCSP for revocation check"; } leaf disable { type empty; description "Disable revocation check"; } } // choice revocation-check-options container ocsp { presence "enable ocsp"; description "Online Certificate Status Protocol (OCSP) configuration"; uses apply-advanced; list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 
500"; } description "HTTP URL for OCSP access location"; } uses apply-advanced; } // list url leaf nonce-payload { type enumeration { enum "enable" { value 0; description "Send nonce paylod in OCSP request"; } enum "disable" { value 1; description "Do not send nonce payload in OCSP request"; } } description "Include nonce payload in OCSP requests"; } leaf disable-responder-revocation-check { type empty; description "Disable OCSP responder certificate revocation check"; } leaf accept-unknown-status { type empty; description "Accept certificates with unknown status"; } container connection-failure { presence "enable connection-failure"; description "Actions on failure to connect to OCSP Responder"; uses apply-advanced; choice connection-failure-options { leaf fallback-crl { type empty; description "Use CRL for revocation check"; } leaf disable { type empty; description "Disable OCSP check on connection failure"; } } // choice connection-failure-options } // container connection-failure } // container ocsp container crl { description "Certificate revocation list configuration"; uses apply-advanced; container disable { leaf on-download-failure { type empty; description "Check revocation status with existing CRL file if present, otherwise skip. This feature must be enabled for manual CRL download."; } } // container disable list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "URL of CRL distribution point for certificate authority"; } uses apply-advanced; leaf password { type jt:unreadable; description "Password for authentication with the server"; } } // list url leaf refresh-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
8784"; } } units "hours"; description "CRL refresh interval"; } } // container crl } // container revocation-check container administrator { description "Administrator information"; uses apply-advanced; leaf email-address { type string; description "Administrator e-mail to which to send certificate requests"; } } // container administrator } // list ca-profile list trusted-ca-group { key "name"; ordered-by user; description "Trusted Certificate Authority group configuration"; leaf name { type string { length "1 .. 63"; } description "Name of the trusted CA group"; } uses apply-advanced; leaf-list ca-profiles { type string { length "1 .. 63"; } max-elements 20; ordered-by user; description "Name of the CA profiles (maximum 20)"; } } // list trusted-ca-group container trap { presence "enable trap"; description "Trap options for PKI certificates"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "Local certificate identifier"; leaf name { type string; description "Local cert id"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list certificate-id list ca-identity { key "name"; ordered-by user; description "CA identity"; leaf name { junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string; description "CA profile"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list ca-identity container all-certificates { presence "enable all-certificates"; description "Trap config for all certificates"; uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // container all-certificates } // container trap container auto-re-enrollment { description "Auto re-enroll of certificate"; uses apply-advanced; container cmpv2 { presence "enable cmpv2"; description "CMPv2 auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "CMPv2 auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
99"; } } description "Re-enrollment trigger time before expiration as percentage"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } } // list certificate-id } // container cmpv2 container scep { presence "enable scep"; description "SCEP auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "SCEP auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-generate-keypair { type empty; description "Generate new key-pair for auto-re-enrollment"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
// NOTE(review): this chunk opens deep inside `grouping security-pki`: the grouping
// header and the `container auto-re-enrollment` / `container scep` / `list certificate-id`
// / leaf headers that enclose the first statements all precede this chunk (their names
// are taken from the trailing `// ...` close comments below). The first line only
// completes a `range "... 99"` statement begun earlier and closes its type uint32/union.
99"; } }
            description "Re-enrollment trigger time before expiration as percentage";
          }
          leaf challenge-password {
            // jt:unreadable comes from junos-common-types; its display handling is defined
            // outside this module — presumably masks the value in shown config, confirm.
            type jt:unreadable;
            description "Password used by CA for enrollment and revocation";
          }
          container scep-encryption-algorithm {
            // NOTE(review): DES and DES3 are the only SCEP encryption choices this schema
            // offers; both are legacy ciphers (DES has a 56-bit key). No default is declared
            // here, so the behaviour when this presence container is absent is not visible
            // in this schema.
            presence "enable scep-encryption-algorithm";
            description "SCEP encryption algorithm";
            uses apply-advanced;
            choice scep-encryption-algorithm-options {
              leaf des {
                type empty;
                description "Use DES as SCEP encryption algorithm";
              }
              leaf des3 {
                type empty;
                description "Use DES3 as SCEP encryption algorithm";
              }
            } // choice scep-encryption-algorithm-options
          } // container scep-encryption-algorithm
          container scep-digest-algorithm {
            // NOTE(review): MD5 and SHA1 are the only SCEP digest choices offered; both are
            // collision-prone legacy hashes. No default is declared here.
            presence "enable scep-digest-algorithm";
            description "SCEP digest algorithm";
            uses apply-advanced;
            choice scep-digest-algorithm-options {
              leaf md5 {
                type empty;
                description "Use MD5 as SCEP digest algorithm";
              }
              leaf sha1 {
                type empty;
                description "Use SHA1 as SCEP digest algorithm";
              }
            } // choice scep-digest-algorithm-options
          } // container scep-digest-algorithm
        } // list certificate-id
      } // container scep
      // A second certificate-id list, scoped directly under auto-re-enrollment (the one
      // closed above sits under container scep); its leaves mirror the scep-scoped list.
      list certificate-id {
        key "name";
        ordered-by user;
        description "Auto re-enrollment configuration for certificate-id";
        leaf name {
          type string {
            // Caps the identifier at 32 characters; any character is accepted.
            junos:posix-pattern "^.{1,32}$";
            junos:pattern-message "Must be string of 32 characters or less";
          }
          description "Certificate identifier that needs auto re-enrollment";
        }
        uses apply-advanced;
        leaf ca-profile-name {
          // Two referential constraints (see the must-messages): the referenced ca-profile
          // must exist under [edit security pki ca-profile] and must carry an enrollment url.
          junos:must "("security pki ca-profile $$ enrollment url")";
          junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]";
          junos:must "("security pki ca-profile $$")";
          junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]";
          type string {
            junos:posix-pattern "^.{1,32}$";
            junos:pattern-message "Must be string of 32 characters or less";
          }
          description "Name of certificate authority profile";
        }
        leaf re-generate-keypair {
          type empty;
          description "Generate new key-pair for auto-re-enrollment";
        }
        leaf re-enroll-trigger-time-percentage {
          type union {
            // String alternative accepts the `<...>` / `$...` forms — presumably the Junos
            // group/variable wildcard idiom used throughout this module; confirm.
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "1 .. 99";
            }
          }
          description "Re-enrollment trigger time before expiration as percentage";
        }
        leaf challenge-password {
          // Same jt:unreadable type as in the scep-scoped list above.
          type jt:unreadable;
          description "Password used by CA for enrollment and revocation";
        }
        container scep-encryption-algorithm {
          // NOTE(review): same legacy-only (DES / DES3) choice as in the scep-scoped list
          // above; see the note there.
          presence "enable scep-encryption-algorithm";
          description "SCEP encryption algorithm";
          uses apply-advanced;
          choice scep-encryption-algorithm-options {
            leaf des {
              type empty;
              description "Use DES as SCEP encryption algorithm";
            }
            leaf des3 {
              type empty;
              description "Use DES3 as SCEP encryption algorithm";
            }
          } // choice scep-encryption-algorithm-options
        } // container scep-encryption-algorithm
        container scep-digest-algorithm {
          // NOTE(review): same legacy-only (MD5 / SHA1) choice as in the scep-scoped list
          // above; see the note there.
          presence "enable scep-digest-algorithm";
          description "SCEP digest algorithm";
          uses apply-advanced;
          choice scep-digest-algorithm-options {
            leaf md5 {
              type empty;
              description "Use MD5 as SCEP digest algorithm";
            }
            leaf sha1 {
              type empty;
              description "Use SHA1 as SCEP digest algorithm";
            }
          } // choice scep-digest-algorithm-options
        } // container scep-digest-algorithm
      } // list certificate-id
    } // container auto-re-enrollment
    // PKI daemon trace options. Unlike grouping security-traceoptions below, this
    // container declares no rate-limit and no level leaf.
    container traceoptions {
      description "PKI trace options";
      uses apply-advanced;
      leaf no-remote-trace {
        // Only valid when [system tracing] is configured (enforced by the must below).
        junos:must "("system tracing")";
        junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
        type empty;
        description "Disable remote tracing";
      }
      container file {
        description "Trace file information";
        leaf filename {
          type string {
            // Negated character class: forbids '/', space and '%' in the file name —
            // presumably to keep the trace file inside the trace directory; confirm.
            junos:posix-pattern "![/ %]";
            junos:pattern-message "Must not contain '/', % or a space";
            length "1 .. 1024";
          }
          description "Name of file in which to write trace information";
        }
        leaf size {
          type string;
          description "Maximum trace file size";
        }
        leaf files {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "2 .. 1000";
            }
          }
          default "3";
          description "Maximum number of trace files";
        }
        // NOTE(review): `world-readable` lets any local user read the trace file; PKI trace
        // output is worth restricting, so prefer `no-world-readable` unless wide read access
        // is intended. Which alternative applies when neither is configured is not stated
        // in this schema.
        choice world-readable-choice {
          leaf world-readable {
            type empty;
            description "Allow any user to read the log file";
          }
          leaf no-world-readable {
            type empty;
            description "Don't allow any user to read the log file";
          }
        } // choice world-readable-choice
        leaf match {
          type jt:regular-expression;
          description "Regular expression for lines to be logged";
        }
      } // container file
      // One entry per enabled trace flag; "all" enables every flag.
      list flag {
        key "name";
        ordered-by user;
        description "Tracing parameters";
        leaf name {
          type enumeration {
            enum "certificate-verification" { value 0; description "PKI certificate verification tracing"; }
            enum "online-crl-check" { value 1; description "PKI online crl tracing"; }
            enum "enrollment" { value 2; description "PKI certificate enrollment tracing"; }
            enum "all" { value 3; description "Trace with all flags enabled"; }
          }
        }
      } // list flag
    } // container traceoptions
  } // grouping security-pki
  // Trace options for the key management process (IKE / IPsec daemon). Shares the
  // no-remote-trace / file layout of the PKI traceoptions above and adds rate-limit,
  // a larger flag set and a level leaf.
  grouping security-traceoptions {
    description "Trace options for key management process";
    uses apply-advanced;
    leaf no-remote-trace {
      // Only valid when [system tracing] is configured (enforced by the must below).
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      leaf filename {
        type string {
          // Negated character class: forbids '/', space and '%' in the file name.
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      leaf size {
        type string;
        description "Maximum trace file size";
      }
      leaf files {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "2 .. 1000";
          }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // NOTE(review): as for the PKI trace file above, `world-readable` exposes the trace
      // file to any local user; key-management traces (IKE, certificates, SA database) are
      // worth restricting, so prefer `no-world-readable`. The behaviour when neither is
      // configured is not stated in this schema.
      choice world-readable-choice {
        leaf world-readable {
          type empty;
          description "Allow any user to read the log file";
        }
        leaf no-world-readable {
          type empty;
          description "Don't allow any user to read the log file";
        }
      } // choice world-readable-choice
      leaf match {
        type jt:regular-expression;
        description "Regular expression for lines to be logged";
      }
    } // container file
    leaf rate-limit {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "0 .. 4294967295";
        }
      }
      // Defaults to 0; whether 0 means "no limit" is not stated in this schema — confirm.
      default "0";
      description "Limit the incoming rate of trace messages";
    }
    // One entry per enabled trace flag; "all" enables everything.
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        type enumeration {
          enum "timer" { value 0; description "Trace internal timer events"; }
          enum "routing-socket" { value 1; description "Trace routing socket messages"; }
          enum "parse" { value 2; description "Trace configuration processing"; }
          enum "config" { value 3; description "Trace configuration download processing"; }
          enum "ike" { value 4; description "Trace IKE module processing"; }
          enum "policy-manager" { value 5; description "Trace policy manager processing"; }
          enum "general" { value 6; description "Trace general events"; }
          enum "database" { value 7; description "Trace security associations database events"; }
          enum "certificates" { value 8; description "Trace certificate events"; }
          enum "snmp" { value 9; description "Trace SNMP operations"; }
          enum "thread" { value 10; description "Trace thread processing"; }
          enum "high-availability" { value 11; description "Trace high-availability operations"; }
          enum "next-hop-tunnels" { value 12; description "Trace next-hop-tunnels operations"; }
          enum "all" { value 13; description "Trace everything"; }
          enum "ams" { value 14; description "Trace AMS events"; }
          enum "lic" { value 15; description "Trace License events"; }
        }
      }
    } // list flag
    // Verbosity of the trace output; defaults to "error" (the least verbose level).
    leaf level {
      type enumeration {
        enum "error" { value 0; description "Match error conditions"; }
        enum "warning" { value 1; description "Match warning messages"; }
        enum "notice" { value 2; description "Match conditions that should be handled specially"; }
        enum "info" { value 3; description "Match informational messages"; }
        enum "verbose" { value 4; description "Match verbose messages"; }
        enum "all" { value 5; description "Match all levels"; }
      }
      default "error";
      description "Level of debugging output";
    }
  } // grouping security-traceoptions
} // module junos-ex-conf-security