Configure Multiple Certificate Types to Establish the IKE and IPsec SAs
This example shows how to configure different certificate types on the two VPN peers to establish IKE and IPsec SAs.

Starting in Junos OS Release 22.4R1, you can establish tunnels regardless of the certificate type used on the initiator and the responder (for example, RSA on one peer and ECDSA on the other), as long as the authentication method in the IKE proposal is configured as certificates, using the set security ike proposal ike_proposal_name authentication-method certificates command.

You can view an enrolled certificate using the show security pki local-certificate certificate-id certificate-name detail command.

You can verify an enrolled certificate against its CA chain using the request security pki local-certificate verify certificate-id certificate-name command.
Requirements
Before you begin:
- Make sure that you have certificates enrolled on your devices; see Certificate Enrollment. You can view the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command.
- Make sure that the IKE package is installed. To check whether the IKE package is installed, use the show version | match ike operational command. If the IKE package is not installed on the device, install it using the request system software add optional://junos-ike.tgz operational command. For more information, see Enable the IPsec VPN Feature Set.
Overview
This example configures different certificate types to establish IKE and IPsec SAs between SRX_A and SRX_B.
In this example, we enroll an RSA certificate on SRX_A and an ECDSA certificate on SRX_B. For more information about installing certificates, see Certificate Enrollment.
The certificate type of each peer is independent of the other's: each device signs the IKE_AUTH exchange with its own key and verifies the peer's signature with the peer's certificate. For that verification to succeed, each device must hold, in a CA profile, the CA certificate that issued the peer's certificate. In this example, SRX_B needs the RSA root (Root-CA) that issued SRX_A's certificate, and SRX_A needs the ECDSA root (root-ecdsa-384) that issued SRX_B's certificate, in addition to the CA that issued its own certificate.
The example uses dh-group group5 (1536-bit MODP) and aes-128-cbc in the IKE proposal as given; for new deployments, prefer at least group14 or an ECP group.
Device Name | Interface Used | IKE Gateway Address (remote) | IKE Gateway Local IP Address |
---|---|---|---|
SRX_A | ge-0/0/0 | 192.168.1.2 | 192.168.1.1 |
SRX_B | ge-0/0/0 | 192.168.1.1 | 192.168.1.2 |
Topology
Figure 1 shows the topology for the multiple certificate type support configuration.
Configuration
Configuring SRX_A
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.2
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.1
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see the CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SAs:
1. View the certificates enrolled on your device using the show security pki local-certificate certificate-id certificate-name detail command. If the device does not have the certificates enrolled, install them first. For more information, see Certificate Enrollment.
2. Configure the interfaces.
[edit]
user@srxa# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
user@srxa# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
user@srxa# set interfaces st0 unit 1 family inet
3. Configure the security zones and the security policies.
[edit]
user@srxa# set security zones security-zone trust host-inbound-traffic system-services all
user@srxa# set security zones security-zone trust host-inbound-traffic protocols all
user@srxa# set security zones security-zone trust interfaces ge-0/0/1
user@srxa# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srxa# set security zones security-zone untrust interfaces ge-0/0/0
user@srxa# set security zones security-zone VPN interfaces st0.1
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match source-address any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match application any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 then permit
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match source-address any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match application any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 then permit
user@srxa# set security policies default-policy deny-all
4. Configure the IKE proposal.
[edit]
user@srxa# set security ike proposal IKE_PROP authentication-method certificates
user@srxa# set security ike proposal IKE_PROP dh-group group5
user@srxa# set security ike proposal IKE_PROP authentication-algorithm sha-256
user@srxa# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
5. Configure the IKE policy, referencing the RSA certificate enrolled on SRX_A.
[edit]
user@srxa# set security ike policy IKE_POL proposals IKE_PROP
user@srxa# set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
6. Configure the IKE gateway.
[edit]
user@srxa# set security ike gateway IKE_GW ike-policy IKE_POL
user@srxa# set security ike gateway IKE_GW address 192.168.1.2
user@srxa# set security ike gateway IKE_GW external-interface ge-0/0/0
user@srxa# set security ike gateway IKE_GW local-address 192.168.1.1
user@srxa# set security ike gateway IKE_GW version v2-only
7. Configure the IPsec proposal.
[edit]
user@srxa# set security ipsec proposal IPSEC_PROP protocol esp
user@srxa# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
user@srxa# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
8. Configure the IPsec policy.
[edit]
user@srxa# set security ipsec policy IPSEC_POL proposals IPSEC_PROP
9. Configure the IPsec VPN.
[edit]
user@srxa# set security ipsec vpn IPSEC_VPN bind-interface st0.1
user@srxa# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
user@srxa# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
user@srxa# set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@srxa# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.16.1.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
user@srxa# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r0_rsa_crt;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.2;
    external-interface ge-0/0/0;
    local-address 192.168.1.1;
    version v2-only;
}

[edit]
user@srxa# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels on-traffic;
}
If you are done configuring the device, enter commit from configuration mode.
Configuring SRX_B
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.1
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.2
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see the CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SAs:
1. View the certificates enrolled on your device using the show security pki local-certificate certificate-id certificate-name detail command. If the device does not have the certificates enrolled, install them first. For more information, see Certificate Enrollment.
2. Configure the interfaces.
[edit]
user@srxb# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
user@srxb# set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
user@srxb# set interfaces st0 unit 1 family inet
3. Configure the security zones and the security policies.
[edit]
user@srxb# set security zones security-zone trust host-inbound-traffic system-services all
user@srxb# set security zones security-zone trust host-inbound-traffic protocols all
user@srxb# set security zones security-zone trust interfaces ge-0/0/1
user@srxb# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srxb# set security zones security-zone untrust interfaces ge-0/0/0
user@srxb# set security zones security-zone VPN interfaces st0.1
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match source-address any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match application any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 then permit
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match source-address any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match application any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 then permit
user@srxb# set security policies default-policy deny-all
4. Configure the IKE proposal.
[edit]
user@srxb# set security ike proposal IKE_PROP authentication-method certificates
user@srxb# set security ike proposal IKE_PROP dh-group group5
user@srxb# set security ike proposal IKE_PROP authentication-algorithm sha-256
user@srxb# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
5. Configure the IKE policy, referencing the ECDSA certificate enrolled on SRX_B.
[edit]
user@srxb# set security ike policy IKE_POL proposals IKE_PROP
user@srxb# set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
6. Configure the IKE gateway.
[edit]
user@srxb# set security ike gateway IKE_GW ike-policy IKE_POL
user@srxb# set security ike gateway IKE_GW address 192.168.1.1
user@srxb# set security ike gateway IKE_GW external-interface ge-0/0/0
user@srxb# set security ike gateway IKE_GW local-address 192.168.1.2
user@srxb# set security ike gateway IKE_GW version v2-only
7. Configure the IPsec proposal.
[edit]
user@srxb# set security ipsec proposal IPSEC_PROP protocol esp
user@srxb# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
user@srxb# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
8. Configure the IPsec policy.
[edit]
user@srxb# set security ipsec policy IPSEC_POL proposals IPSEC_PROP
9. Configure the IPsec VPN.
[edit]
user@srxb# set security ipsec vpn IPSEC_VPN bind-interface st0.1
user@srxb# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
user@srxb# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
user@srxb# set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@srxb# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.18.1.2/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
user@srxb# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r1_crt_ecdsa384;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.1;
    external-interface ge-0/0/0;
    local-address 192.168.1.2;
    version v2-only;
}

[edit]
user@srxb# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels on-traffic;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying SRX_A
The sample outputs shown are from SRX_A.
Purpose
Verify that the IKE SA and the IPsec SAs are established, and that the certificate the device signs with and the CA it trusts are the intended ones. In the IKE SA detail output, State: UP confirms the IKE SA, and the Authentication method field shows the signature type the local device used (RSA-signatures on SRX_A, ECDSA-384-signatures on SRX_B). The same Initiator and Responder cookies appear on both devices because they share one IKE SA, and the inbound SPI on one device is the outbound SPI on the other.
Action
From operational mode, enter the show security ike security-associations command.
user@srxa> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
32      UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.2
From operational mode, enter the show security ipsec security-associations command.
user@srxa> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500033 ESP:aes-cbc-192/sha256 0x5f156c1b 2750/ unlim - root 500 192.168.1.2
  >500033 ESP:aes-cbc-192/sha256 0x7ea065e7 2750/ unlim - root 500 192.168.1.2
From operational mode, enter the show security ike security-associations detail command.
user@srxa> show security ike security-associations detail
IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.1:500, Remote: 192.168.1.2:500
  Lifetime: Expires in 28165 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1346
   Output bytes  :                 1887
   Input  packets:                    3
   Output packets:                    4
   Input  fragmented packets:         2
   Output fragmented packets:         3
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    IPSec Tunnel IDs: 500033

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.1:500, Remote: 192.168.1.2:500
    Local identity: 192.168.1.1
    Remote identity: 192.168.1.2
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                       Responder stats:
    Request Out             : 0           Request In              : 0
    Response In             : 0           Response Out            : 0
    No Proposal Chosen In   : 0           No Proposal Chosen Out  : 0
    Invalid KE In           : 0           Invalid KE Out          : 0
    TS Unacceptable In      : 0           TS Unacceptable Out     : 0
    Res DH Compute Key Fail : 0           Res DH Compute Key Fail : 0
    Res Verify SA Fail      : 0
    Res Verify DH Group Fail: 0
    Res Verify TS Fail      : 0
From operational mode, enter the show security ipsec security-associations detail command.
user@srxa> show security ipsec security-associations detail
ID: 500033 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 09 2023 22:41:36: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32
  Direction: outbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32
From operational mode, enter the show security pki local-certificate certificate-id r0_rsa_crt detail command to confirm the RSA certificate SRX_A signs with.
user@srxa> show security pki local-certificate certificate-id r0_rsa_crt detail
LSYS: root-logical-system
Certificate identifier: r0_rsa_crt
  Certificate version: 3
  Serial number: hexadecimal: 0x0186a62478ae8f0cdd766eb38dbd53 decimal: 7923302907757301847007106226306387
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r0, Domain component: juniper
  Subject string:
    DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r0@juniper.net", r0.juniper.net, 192.168.1.1
  Cert-Chain: Root-CA
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b0:e5:53:8d:7e:20:fa:6b:21:c2:d1
    2b:48:8f:af:c3:eb:8b:23:4a:f7:c5:1f:cf:2c:6a:b3:2e:8a:ef:1b
    f7:97:aa:fd:1d:ab:1c:76:9b:40:a3:ac:bb:49:f6:93:f9:e1:4e:62
    df:3d:ca:e5:d2:95:9c:a0:f4:2b:d7:7e:1d:20:94:69:a8:e4:cf:dc
    15:90:4c:be:1d:d8:1c:52:08:3a:d1:05:a3:bb:2f:8f:31:0c:6b:21
    ef:76:c3:c7:fb:be:4a:cb:da:cc:8d:04:3a:75:0c:eb:5d:e2:f6:13
    50:fe:39:67:c0:77:2f:32:b0:5e:38:6f:9c:79:b3:5d:f3:57:f4:f8
    42:f5:22:5b:6c:58:67:90:4e:1e:ec:6a:03:e2:c0:87:65:02:ca:da
    6f:95:0a:8c:2a:fd:45:4f:3a:b5:ef:18:05:1c:54:e6:fe:45:bb:73
    53:81:b2:c6:b7:36:36:57:6d:9c:d3:d9:80:e7:d6:85:92:74:32:88
    16:01:03:27:57:76:8e:5e:d6:73:ac:bf:68:fd:6d:a1:2a:8f:f5:3a
    29:b0:c9:44:9b:c8:46:c1:bf:c0:52:2a:f0:51:be:b5:f6:e1:f5:3e
    96:1d:3a:42:29:28:d3:cf:60:b9:eb:24:04:47:d3:f1:3f:5e:38:fc
    7f:33:f6:94:9d:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Fingerprint:
    4d:f6:89:c5:d6:3c:74:73:db:3e:f6:4b:1e:26:6c:c1:1c:1d:a7:4d (sha1)
    6b:1c:a8:1f:de:5a:9b:3e:d5:c4:85:29:af:3f:82:f2 (md5)
    6b:7a:b5:d1:57:cf:75:9d:1f:63:b9:f6:49:e4:4e:b3:13:2c:83:f1:f7:25:44:6f:45:2f:0d:2f:ae:a8:80:85 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command to confirm the CA that issued the local certificate is loaded.
user@srxa> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number: hexadecimal: 0x00000440 decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
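The certificate and CA outputs above carry everything needed to check a local certificate before the tunnel is brought up: key algorithm and size, validity window, the CA named in Cert-Chain, and the Alternate subject that must carry the IKE identity the peer will see (the gateway IP address in this example; Peer ike-id in the IKE SA output above is that address). The following Python script is an added example, not Juniper code: it parses the text of show security pki local-certificate certificate-id certificate-name detail and reports any of those checks that fail. The embedded output is constructed after the SRX_A output on this page, and the minimum key sizes and the interpretation of the Junos timestamp as month-day-year are the example's own assumptions.

```python
"""Pre-flight check of a Junos local certificate for IKE certificate authentication.

Added example, not Juniper code. It parses the text of
'show security pki local-certificate certificate-id <id> detail' and checks the
properties that decide whether the certificate can authenticate an IKE peer:
key algorithm and size, validity window, that the CA named in Cert-Chain is
loaded locally, and that the IKE identity (the gateway IP address in this
example) is carried in the certificate's Alternate subject.
"""
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the SRX_A output on this page (not a live capture).
SAMPLE_CERT = """\
LSYS: root-logical-system
Certificate identifier: r0_rsa_crt
  Certificate version: 3
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r0@juniper.net", r0.juniper.net, 192.168.1.1
  Cert-Chain: Root-CA
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Signature algorithm: sha256WithRSAEncryption
"""

# Minimum key sizes this example accepts for IKE signature authentication (policy assumption).
MIN_BITS = {"rsaEncryption": 2048, "ecdsaEncryption": 256}


def _junos_time(text):
    """Parse 'MM- D-YYYY HH:MM UTC' as printed by Junos (the day is space padded).
    Assumption: the month comes first, so '03- 3-2023' is 3 March 2023."""
    m = re.match(r"(\d{1,2})-\s*(\d{1,2})-(\d{4}) (\d{2}):(\d{2}) UTC", text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos timestamp: {text!r}")
    mon, day, year, hh, mm = (int(x) for x in m.groups())
    return datetime(year, mon, day, hh, mm, tzinfo=timezone.utc)


def parse_local_certificate(output):
    """Extract the fields the IKE checks need from the CLI output text."""
    def field(name):
        m = re.search(rf"^\s*{re.escape(name)}:\s*(.*)$", output, re.M)
        return m.group(1).strip() if m else ""

    alg = re.match(r"(\w+)\((\d+) bits\)", field("Public key algorithm"))
    return {
        "id": field("Certificate identifier"),
        "chain": field("Cert-Chain"),
        "algorithm": alg.group(1) if alg else None,
        "bits": int(alg.group(2)) if alg else 0,
        "not_before": _junos_time(field("Not before")),
        "not_after": _junos_time(field("Not after")),
        # SAN entries are comma separated; e-mail entries are printed in quotes.
        "san": [s.strip().strip('"') for s in field("Alternate subject").split(",") if s.strip()],
    }


def check_certificate(cert, ike_identity, loaded_ca_profiles, now):
    """Return the problems found; an empty list means the certificate is usable for IKE."""
    problems = []
    minimum = MIN_BITS.get(cert["algorithm"])
    if minimum is None:
        problems.append(f"unsupported key algorithm {cert['algorithm']}")
    elif cert["bits"] < minimum:
        problems.append(f"{cert['algorithm']} key of {cert['bits']} bits is below {minimum}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is not valid at the given time")
    if cert["chain"] not in loaded_ca_profiles:
        problems.append(f"issuing CA profile {cert['chain']} is not loaded")
    if ike_identity not in cert["san"]:
        problems.append(f"IKE identity {ike_identity} is not in the certificate SAN")
    return problems


if __name__ == "__main__":
    cert = parse_local_certificate(SAMPLE_CERT)
    result = check_certificate(cert, "192.168.1.1", {"Root-CA"}, datetime.now(timezone.utc))
    print(result or f"{cert['id']}: OK for IKE identity 192.168.1.1")
```

To use it against a live device, paste the output of the show command into SAMPLE_CERT (or read it from a file), pass the set of CA profile names from show security pki ca-certificate as loaded_ca_profiles, and pass the address configured under set security ike gateway ... local-address as the IKE identity. The same check applied to SRX_B's certificate should report an ECDSA key of 384 bits and a chain of root-ecdsa-384.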
Verifying SRX_B
The sample outputs shown are from SRX_B.
Purpose
Verify that the IKE SA and the IPsec SAs are established on SRX_B, that SRX_B signs with its ECDSA certificate (Authentication method: ECDSA-384-signatures in the IKE SA detail output), and that the Root-CA profile that issued SRX_A's RSA certificate is loaded so that SRX_B can validate its peer. The IKE SA cookies match those shown on SRX_A, and the inbound SPI on SRX_B is the outbound SPI on SRX_A.
Action
From operational mode, enter the show security ike security-associations command.
user@srxb> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
56042   UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.1
From operational mode, enter the show security ipsec security-associations command.
user@srxb> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500230 ESP:aes-cbc-192/sha256 0x7ea065e7 2638/ unlim - root 500 192.168.1.1
  >500230 ESP:aes-cbc-192/sha256 0x5f156c1b 2638/ unlim - root 500 192.168.1.1
From operational mode, enter the show security ike security-associations detail command.
user@srxb> show security ike security-associations detail
IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.2:500, Remote: 192.168.1.1:500
  Lifetime: Expires in 18995 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 2934
   Output bytes  :                 2379
   Input  packets:                   10
   Output packets:                    9
   Input  fragmented packets:         3
   Output fragmented packets:         2
  IPSec security associations: 8 created, 3 deleted
  Phase 2 negotiations in progress: 1

    IPSec Tunnel IDs: 500230

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.1:500
    Local identity: 192.168.1.2
    Remote identity: 192.168.1.1
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                       Responder stats:
    Request Out             : 1           Request In              : 2
    Response In             : 1           Response Out            : 2
    No Proposal Chosen In   : 0           No Proposal Chosen Out  : 0
    Invalid KE In           : 0           Invalid KE Out          : 0
    TS Unacceptable In      : 0           TS Unacceptable Out     : 0
    Res DH Compute Key Fail : 0           Res DH Compute Key Fail : 0
    Res Verify SA Fail      : 0
    Res Verify DH Group Fail: 0
    Res Verify TS Fail      : 0
From operational mode, enter the show security ipsec security-associations detail command.
user@srxb> show security ipsec security-associations detail
ID: 500230 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 02 2023 22:26:16: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042
  Direction: outbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042
From operational mode, enter the show security pki local-certificate certificate-id r1_crt_ecdsa384 detail command to confirm the ECDSA certificate SRX_B signs with.
user@srxb> show security pki local-certificate certificate-id r1_crt_ecdsa384 detail
LSYS: root-logical-system
Certificate identifier: r1_crt_ecdsa384
  Certificate version: 3
  Serial number: hexadecimal: 0x0186a6254347a38063946d08595a55 decimal: 7923303152683216740296668848151125
  Issuer:
    Organization: juniper, Country: India, Common name: root-ecdsa-384
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r1_spk1, Domain component: juniper
  Subject string:
    DC=juniper, CN=r1_spk1, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r1_spk1@juniper.net", r1_spk1.juniper.net, 192.168.2
  Cert-Chain: root-ecdsa-384
  Validity:
    Not before: 03- 3-2023 05:55 UTC
    Not after: 06- 6-2027 13:21 UTC
  Public key algorithm: ecdsaEncryption(384 bits)
    04:c2:ba:19:dc:0d:62:a7:94:7b:9b:1d:4d:ff:a1:e1:44:b5:57:a7
    cb:7d:33:6b:35:87:b8:e4:ca:44:b1:6c:6d:63:ae:6f:3c:31:7c:7e
    65:99:b3:2d:a3:76:30:23:e5:0e:34:e1:28:54:d6:3e:d3:8b:de:b6
    b9:45:05:82:6f:1d:20:b7:6f:3c:ce:a2:13:a2:b4:37:0b:db:35:1e
    20:54:b5:06:9d:f8:7f:19:7b:c5:d7:7b:57:8b:28:31:d3
  Signature algorithm: ecdsa-with-SHA384
  Fingerprint:
    9b:cb:5a:57:a8:60:a0:ee:5c:be:59:4c:db:35:39:d3:b7:29:ef:b1 (sha1)
    ef:b5:e3:be:35:1b:6e:02:0b:61:11:a5:53:07:b4:89 (md5)
    8f:86:d0:12:ea:bc:a8:81:a8:17:3a:f9:03:e4:91:57:20:9c:11:bc:a4:dd:d1:7f:d1:48:3f:5b:d9:fb:93:32 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command. Root-CA is the CA that issued SRX_A's RSA certificate; SRX_B needs it loaded to validate its peer.
user@srxb> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number: hexadecimal: 0x00000440 decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
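Because SRX_A signs with RSA and SRX_B with ECDSA, the two devices report different Authentication method values for what is a single IKE SA. The check that confirms they share one SA, visible in the summaries above, is that the Initiator and Responder cookies are identical on both devices and that the inbound SPI of one peer is the outbound SPI of the other. The following Python script is an added example, not Juniper code: it parses the text of show security ike security-associations and show security ipsec security-associations collected from both peers and performs that cross-check, together with the State, exchange mode, and negotiated ESP algorithm. The embedded outputs are constructed after those on this page, and the expected ESP algorithm string is the example's own parameter.

```python
"""Cross-check IKE and IPsec SA summaries collected on both VPN peers.

Added example, not Juniper code. A tunnel authenticated with different
certificate types on the two peers is still one IKE SA: both devices must show
the same initiator/responder cookies, and the inbound SPI on one peer must be
the outbound SPI on the other. The script parses the text of
'show security ike security-associations' and
'show security ipsec security-associations' from both sides and reports any
mismatch, plus the negotiated ESP algorithms against the configured proposal.
"""
import re

# Constructed samples, shaped like the SRX_A and SRX_B outputs on this page.
IKE_A = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
32      UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.2
"""
IKE_B = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
56042   UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.1
"""
IPSEC_A = """\
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500033 ESP:aes-cbc-192/sha256 0x5f156c1b 2750/ unlim - root 500 192.168.1.2
  >500033 ESP:aes-cbc-192/sha256 0x7ea065e7 2750/ unlim - root 500 192.168.1.2
"""
IPSEC_B = """\
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500230 ESP:aes-cbc-192/sha256 0x7ea065e7 2638/ unlim - root 500 192.168.1.1
  >500230 ESP:aes-cbc-192/sha256 0x5f156c1b 2638/ unlim - root 500 192.168.1.1
"""

# One IKE SA row: index, state, two 64-bit cookies, exchange mode, remote address.
IKE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$", re.M)
# One child SA row: '<' is inbound, '>' is outbound, then tunnel ID, ESP algorithms, SPI.
IPSEC_RE = re.compile(r"^\s*([<>])(\d+)\s+ESP:(\S+)\s+(0x[0-9a-f]+)\s", re.M)


def parse_ike(output):
    """Return one dict per IKE SA row: index, state, icookie, rcookie, mode, remote."""
    keys = ("index", "state", "icookie", "rcookie", "mode", "remote")
    return [dict(zip(keys, m.groups())) for m in IKE_RE.finditer(output)]


def parse_ipsec(output):
    """Return {'inbound': (algorithm, spi), 'outbound': (algorithm, spi)} for the tunnel."""
    sas = {}
    for m in IPSEC_RE.finditer(output):
        direction = "inbound" if m.group(1) == "<" else "outbound"
        sas[direction] = (m.group(3), m.group(4))
    return sas


def cross_check(ike_a, ike_b, ipsec_a, ipsec_b, expected_esp="aes-cbc-192/sha256"):
    """Return the list of inconsistencies between the two peers (empty means healthy)."""
    problems = []
    rows_a, rows_b = parse_ike(ike_a), parse_ike(ike_b)
    if not rows_a or not rows_b:
        return ["IKE SA missing on at least one peer"]
    a, b = rows_a[0], rows_b[0]
    for side, sa in (("A", a), ("B", b)):
        if sa["state"] != "UP":
            problems.append(f"peer {side}: IKE SA state is {sa['state']}")
        if sa["mode"] != "IKEv2":
            problems.append(f"peer {side}: exchange mode is {sa['mode']}, expected IKEv2")
    # Both devices must be looking at the same IKE SA, whatever they signed it with.
    if (a["icookie"], a["rcookie"]) != (b["icookie"], b["rcookie"]):
        problems.append("IKE SA cookies differ: the peers are not on the same IKE SA")
    sa_a, sa_b = parse_ipsec(ipsec_a), parse_ipsec(ipsec_b)
    for direction, mirror in (("inbound", "outbound"), ("outbound", "inbound")):
        if direction not in sa_a or mirror not in sa_b:
            problems.append(f"missing {direction} child SA")
            continue
        if sa_a[direction][1] != sa_b[mirror][1]:
            problems.append(
                f"SPI mismatch: A {direction} {sa_a[direction][1]} vs B {mirror} {sa_b[mirror][1]}")
        if sa_a[direction][0] != expected_esp:
            problems.append(f"A {direction} negotiated {sa_a[direction][0]}, expected {expected_esp}")
    return problems


if __name__ == "__main__":
    print(cross_check(IKE_A, IKE_B, IPSEC_A, IPSEC_B) or "IKE and IPsec SAs consistent on both peers")
```

The expected ESP string follows the summary output's own notation (cipher/integrity, here aes-cbc-192/sha256 for the aes-192-cbc and hmac-sha-256-128 configured in IPSEC_PROP). If a rekey is in progress one side may briefly list two child SAs; the script keeps the last row per direction, so run it again once the old SA has been deleted.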