Using PKI Build Route-Based IPSec VPN between Juniper SRX - NETSEC


Friday, January 16, 2015

Using PKI Build Route-Based IPSec VPN between Juniper SRX

There was a task to change the IPsec authentication method from a pre-shared key to PKI certificate-based authentication on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls generate Public/Private key pair:

{primary:node0}root@fw-1> request security pki generate-key-pair certificate-id PRO size 2048   
node0:
--------------------------------------------------------------------------
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair

john@fw-test1-2> clear security pki certificate-request ?
Possible completions:
  all                  Clear all certificate requests
  certificate-id       Certificate identifier
{primary:node1}
john@fw-test1-2> clear security pki certificate-request all      
{primary:node1}
john@fw-test1-2> request security pki generate-certificate-request certificate-id PRO subject "CN=fw-test1.51sec.org,OU=IT,O=John Yan Firm Inc.,L=Toronto,ST=ON,C=CA" email [email protected] filename ms-cert-req
node1:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Fingerprint:
18:fc:10:eb:f8:8f:b9:08:25:64:02:9c:c0:12:56:74:3b:fb:f5:3d (sha1)
5b:8e:40:5c:68:21:51:ea:bf:42:f9:d4:c7:2c:2d:15 (md5)

3. Submit the Cert Request to the CA and Retrieve the Certs

4. Copy the Local Cert and CA Cert to the Local Firewall

You can either use FTP to transfer the files to the device, or use vi to paste each certificate into a file under /var/tmp, as shown below:
root@fw-1% cd /var/tmp
root@fw-1% vi cert.cer

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

root@fw-1% vi root.cer
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

5. Creating a Trusted CA Profile and load local certificate and CA Certificate

ca-profile rootverisign {
    ca-identity test.com;
    revocation-check {
        disable;
    }
    administrator {
        email-address "[email protected]";
    }
}

{primary:node0}root@fw-1> request security pki local-certificate load certificate-id PRO filename /var/tmp/cert.cer
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully

{primary:node0}root@fw-1> request security pki ca-certificate load ca-profile rootverisign filename /var/tmp/root.cer
node0:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate

This error means a CA certificate already exists under that profile. Clear it first with the following command:
{primary:node0}
root@fw-1> clear security pki ca-certificate ca-profile rootverisign 
Alternatively, you can delete the file directly from the certificate folder.
root@fw-1> request security pki ca-certificate load ca-profile Montreal-PRO filename /var/tmp/root.cer 
node0:
--------------------------------------------------------------------------
Fingerprint:
  44:f4:34:20:3e:fa:be:7e:9e:c5:82:94:e3:b2:36:0b:4c:c5:c0:c0 (sha1)
  1a:3e:85:80:2b:c7:57:86:c2:44:66:ff:89:ad:1e:c8 (md5)
error: Failed to write the CA certificate to local store

This error message is usually caused by a certificate file in a format the device does not recognize. In this case, the Juniper SRX does not accept a CA certificate file that contains two certificates (the chain) in one file. The file has to be split manually into its two certificates, which are then loaded into separate CA profiles, such as the G4 and G5 profiles created below.

pki {
    ca-profile G4 {
        ca-identity test.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    ca-profile G5 {
        ca-identity test.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    traceoptions {
        file PKITRACE size 1m;
        flag all;
    }
}
root@fw-1> request security pki ca-certificate load ca-profile G4 filename /var/tmp/g4.cer 
node0:
--------------------------------------------------------------------------
Fingerprint:
  ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
  23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
CA certificate for profile G4 loaded successfully

{primary:node0}
root@fw-1> request security pki ca-certificate load ca-profile G5 filename /var/tmp/g5.cer    
node0:
--------------------------------------------------------------------------
Fingerprint:
  32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
  f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
CA certificate for profile G5 loaded successfully
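
To do the split described above without hand-editing, here is an added Python helper (not from the original post) that breaks a PEM bundle like root.cer into one file per CA profile and prints each certificate's sha1/md5 fingerprint so it can be compared with what the SRX shows after the load. The bundle it runs on is constructed from arbitrary bytes, not real certificates; the output file names (g4.cer, g5.cer) are assumptions.

```python
import base64
import hashlib
import re
from pathlib import Path

# Matches each PEM certificate block in a bundle such as root.cer above.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated digest, the form the SRX prints after a load."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def split_bundle(bundle_text: str) -> list:
    """One entry per certificate, in file order: re-wrapped PEM text plus
    the sha1 and md5 fingerprints of its DER bytes."""
    certs = []
    for body in PEM_RE.findall(bundle_text):
        b64 = "".join(body.split())          # drop line breaks inside the body
        der = base64.b64decode(b64, validate=True)
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
               + "\n-----END CERTIFICATE-----\n")
        certs.append({"pem": pem, "sha1": fingerprint(der, "sha1"),
                      "md5": fingerprint(der, "md5")})
    return certs

def write_split(bundle_text: str, out_dir: Path, names: list) -> list:
    """Write each certificate to out_dir/<name>.cer (e.g. g4.cer, g5.cer)."""
    certs = split_bundle(bundle_text)
    if len(certs) != len(names):
        raise ValueError(f"bundle holds {len(certs)} certs, {len(names)} names given")
    paths = []
    for cert, name in zip(certs, names):
        path = out_dir / f"{name}.cer"
        path.write_text(cert["pem"])
        paths.append(path)
    return paths

def _fake_pem(raw: bytes) -> str:
    """Constructed sample block: base64 of arbitrary bytes, NOT a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

# Constructed two-cert bundle standing in for root.cer (well-known hash test vectors).
SAMPLE_BUNDLE = _fake_pem(b"abc") + _fake_pem(b"The quick brown fox jumps over the lazy dog")
```

On a real bundle, `write_split(Path("/var/tmp/root.cer").read_text(), Path("/var/tmp"), ["g4", "g5"])` produces the two files the load commands above expect.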

6. Using the Cert in IPsec VPN Configuration

ike {
    inactive: traceoptions {
        file IKELOG size 1m;
        flag policy-manager;
        flag ike;
        flag routing-socket;
        flag certificates;
    }
    proposal P1-AES_1_1_1 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy ike-pol-Myvpn {
        mode main;
        proposals P1-AES_1_1_1;
        certificate {
            local-certificate Mark-PRO;
            peer-certificate-type x509-signature;
        }
        inactive: pre-shared-key ascii-text "$9$4xZGjqmT3nCHqp01IcSs2g4Uj"; ## SECRET-DATA
    }
    gateway gw-TheirGateway {
        ike-policy ike-pol-Myvpn;
        address 10.9.1.1;
        local-identity hostname mark.test.com;
        remote-identity hostname mont.test.com;
        external-interface reth9.0;
        local-address 10.4.1.1;
    }
}
ipsec {
    proposal P2-AES_1 {
        description group2;
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals P2-AES_1;
    }
    vpn vpn-ToThem {
        bind-interface st0.0;
        ike {
            gateway gw-TheirGateway;
            idle-time 1800;
            ipsec-policy ipsec-pol-1;
        }
    }
}

Some Other Configuration for Route-Based IPSec VPN

interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}

admin@fw-2> show configuration routing-instances 
vr_SRX2 {
    instance-type virtual-router;
    interface reth9.0;
    interface st0.0;
    routing-options {
        static {
            route 1.1.1.0/24 next-hop 10.4.1.2;
            route 10.9.0.0/16 next-hop st0.0;
            route 10.9.1.1/32 next-hop 10.4.1.2;
        }
        aggregate {
            route 10.94.0.0/16 {
                preference 2;
            }
            route 192.168.0.0/16 {
                preference 2;
            }
        }
        instance-import from_all_to_SRXl;
    }
}

{primary:node0}
test@fw-test-1> show security ike security-associations 
node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
4640121 UP     218f8fe0aa03c0f3  fb3f6ffff4b01e76  Main           10.9.1.1       

{primary:node0}
test@fw-test-1> show security ipsec security-associations 
node0:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:aes-cbc-128/sha1 8f2d3002 2443/ unlim - root 500 10.9.1.1       
  >131073 ESP:aes-cbc-128/sha1 42e65863 2443/ unlim - root 500 10.9.1.1       


{primary:node0}
test@fw-test-1> show security ipsec security-associations detail 
node0:
--------------------------------------------------------------------------

ID: 131073 Virtual-system: root, VPN Name: vpn-ToThem
  Local Gateway: 10.19.1.1, Remote Gateway: 10.9.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 
  Tunnel events: 
    Sun Feb 18 2018 12:22:28: IPSec SA negotiation successfully completed (2 times)
    Sun Feb 18 2018 11:32:49: IKE SA negotiation successfully completed (1 times)
    Sun Feb 18 2018 11:32:37: No response from peer. Negotiation failed (4 times)
    Sun Feb 18 2018 11:29:01: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Sun Feb 18 2018 11:27:18: External interface's address received. Information updated (1 times)
    Sun Feb 18 2018 11:27:18: Deactivated tunnel as interface information is not ready on new primary node (1 times)
    Sun Feb 18 2018 11:27:18: External interface's address received. Information updated (1 times)
    Sun Feb 18 2018 11:27:18: External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 8f2d3002, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2075 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1486 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 42e65863, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2075 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1486 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64



{primary:node0}
test@fw-test-1> show security ike security-associations detail 
node0:
--------------------------------------------------------------------------
IKE peer 10.9.1.1, Index 4640121, Gateway Name: gw-Peer-MA
  Role: Responder, State: UP
  Initiator cookie: 218f8fe0aa03c0f3, Responder cookie: fb3f6ffff4b01e76
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.19.1.1:500, Remote: 10.9.1.1:500
  Lifetime: Expires in 81690 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: t1.test.com
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1420
   Output bytes  :                 1116
   Input  packets:                    8
   Output packets:                    5
   Input  fragmentated packets:       0
   Output fragmentated packets:       0
  IPSec security associations: 2 created, 1 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.19.1.1:500, Remote: 10.9.1.1:500
    Local identity: mon.test.com
    Remote identity: mar.test.com
    Flags: IKE SA is created
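
Since the capture above still reports "Authentication method: Pre-shared-keys", a practitioner will want to confirm after the cutover that the IKE SA is up, was authenticated with certificates rather than the pre-shared key, and peers with the expected identity. This added Python check (not from the original post) parses that output; the sample is the page's capture abbreviated, and the "RSA-signatures" string expected for certificate authentication is an assumption.

```python
import re

# Abbreviated from the 'show security ike security-associations detail' output above.
SAMPLE_IKE_DETAIL = """\
IKE peer 10.9.1.1, Index 4640121, Gateway Name: gw-Peer-MA
  Role: Responder, State: UP
  Initiator cookie: 218f8fe0aa03c0f3, Responder cookie: fb3f6ffff4b01e76
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.19.1.1:500, Remote: 10.9.1.1:500
  Peer ike-id: t1.test.com
"""

FIELD_RE = {
    "peer": r"IKE peer (\S+),",
    "gateway": r"Gateway Name: (\S+)",
    "state": r"State: (\S+)",
    "auth_method": r"Authentication method: (\S+)",
    "peer_ike_id": r"Peer ike-id: (\S+)",
}

def parse_ike_sas(text: str) -> list:
    """One dict per 'IKE peer' block; missing fields come back as None."""
    sas = []
    for block in re.split(r"(?m)^(?=IKE peer )", text):
        if not block.strip():
            continue
        sa = {}
        for key, pattern in FIELD_RE.items():
            m = re.search(pattern, block)
            sa[key] = m.group(1) if m else None
        sas.append(sa)
    return sas

def audit_ike_sa(sa: dict, expected_peer_id: str,
                 expected_auth: str = "RSA-signatures") -> list:
    """Findings for one SA; an empty list means it matches the intended cutover.
    Assumption: the SRX prints 'RSA-signatures' for certificate-authenticated SAs."""
    findings = []
    if sa["state"] != "UP":
        findings.append(f"{sa['peer']}: IKE SA state is {sa['state']}, not UP")
    if (sa["auth_method"] or "").lower() != expected_auth.lower():
        findings.append(f"{sa['peer']}: authenticated with {sa['auth_method']}, "
                        f"expected {expected_auth}")
    if sa["peer_ike_id"] != expected_peer_id:
        findings.append(f"{sa['peer']}: peer ike-id is {sa['peer_ike_id']}, "
                        f"expected {expected_peer_id}")
    return findings
```

Run it against the real output with `audit_ike_sa(sa, "mont.test.com")` for each SA returned by `parse_ike_sas`; any finding means the tunnel is not using the certificate configuration from step 6.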

Reference:

1. Commands to clear pki related files

  • clear security pki key-pair certificate-id Markham-PRO
  • clear security pki local-certificate certificate-id Markham-PRO
  • clear security pki ca-certificate ca-profile Markham-PRO
  • clear security pki certificate-request certificate-id Markham-PRO
2. J Series / SRX Series IPSec VPN with PKI Certificates Primer
3. Example: Configuring the PKI in Junos OS
4. Certificate based IPSEC VPN in SRX
5. Juniper SRX - PKI - Certificate-based VPNs - Part 02 - SRX Configuration & Certificate Signings

Notes:

The following sets up your installed SSL certificate for web management on fe-0/0/0.0. Assign this to the
externally facing interface; that interface's zone must also allow inbound HTTPS.

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set system services web-management https pki-local-certificate PRO interface fe-0/0/0.0
