Example: Improving Security by Configuring OCSP for Certificate Revocation Status
This example shows how to improve security by configuring two peers to use the Online Certificate Status Protocol (OCSP) to check the revocation status of the certificates used in Phase 1 negotiation of an IPsec VPN tunnel.
Requirements
On each device:
Obtain and enroll a local certificate. This can be done manually or by using the Simple Certificate Enrollment Protocol (SCEP).
Optionally, enable automatic renewal of the local certificate.
Configure security policies to permit traffic to and from the peer device.
Overview
On both peers, a certificate authority (CA) profile named Root is configured with the following options:
The CA name is Root.
The enrollment URL is http://10.1.1.1:8080/scep/Root/. This is the URL to which SCEP requests for the CA are sent.
The URL of the OCSP server is http://10.157.88.56:8210/Root/.
OCSP is used first to check the certificate revocation status. If the OCSP server does not respond, the certificate revocation list (CRL) is used to check the status instead. The CRL URL is http://10.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45.
The CA certificate received in the OCSP response is not checked for revocation. Certificates received in OCSP responses generally have short lifetimes, and a revocation check is not needed.
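The revocation-check order that the CA profile above configures, worked through as an added example that is not part of the Junos documentation or of Junos itself: a constructed Root CA, delegated OCSP responder and leaf certificate are built with the Python cryptography package, and revocation_status applies the policy expressed by use-ocsp, connection-failure fallback-crl and disable-responder-revocation-check. The function names, the certificate names and the 2016 clock are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2016, 4, 5, 3, 30)  # constructed clock, inside the validity period shown on the page
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED

def make_cert(cn, key, issuer=None, issuer_key=None, serial=1, is_ca=False):
    """Minimal X.509 v3 certificate; without an issuer it is a self-signed CA."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def sign_ocsp_response(cert, issuer, responder, responder_key, status):
    """The signed OCSP response a delegated responder returns for `cert`."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=NOW, next_update=NOW + dt.timedelta(hours=1),
                          revocation_time=NOW if status == REVOKED else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if status == REVOKED else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder)
            .certificates([responder]).sign(responder_key, hashes.SHA256()))

def build_crl(issuer, issuer_key, revoked_serials):
    """The CA's CRL, the fallback source when the OCSP responder does not respond."""
    b = x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
    b = b.last_update(NOW).next_update(NOW + dt.timedelta(days=1))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def revocation_status(cert, issuer, fetch_ocsp, fetch_crl, fallback_crl=True):
    """'good' | 'revoked' | 'unknown'. Models (does not reproduce) the Junos policy above."""
    try:
        resp = fetch_ocsp()  # use-ocsp: the responder is asked first
    except ConnectionError:  # connection-failure fallback-crl decides what happens next
        crl = fetch_crl() if fallback_crl else None
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return "unknown"
        return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or resp.serial_number != cert.serial_number:
        return "unknown"
    # The signer must chain to the CA (a full verifier also checks its OCSPSigning EKU); as with
    # disable-responder-revocation-check, the responder certificate's own revocation is not queried.
    signer = resp.certificates[0] if resp.certificates else issuer
    try:
        issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   padding.PKCS1v15(), signer.signature_hash_algorithm)
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "unknown"
    return {GOOD: "good", REVOKED: "revoked"}.get(resp.certificate_status, "unknown")

def demo():
    # Constructed PKI: CA "Root", a delegated responder, and a leaf with the serial the page shows.
    ca_key, rsp_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = make_cert("Root", ca_key, serial=0xA17F, is_ca=True)
    responder = make_cert("ocsp-responder", rsp_key, ca, ca_key, serial=2)
    leaf = make_cert("local", leaf_key, ca, ca_key, serial=0x7D964)
    def down():  # models an OCSP responder connection failure
        raise ConnectionError("OCSP responder unreachable")
    crl = lambda: build_crl(ca, ca_key, [leaf.serial_number])  # the CRL lists the leaf as revoked
    return {"ocsp_good": revocation_status(leaf, ca, lambda: sign_ocsp_response(leaf, ca, responder, rsp_key, GOOD), crl),
            "ocsp_revoked": revocation_status(leaf, ca, lambda: sign_ocsp_response(leaf, ca, responder, rsp_key, REVOKED), crl),
            "fallback_crl": revocation_status(leaf, ca, down, crl),
            "no_fallback": revocation_status(leaf, ca, down, crl, fallback_crl=False)}
```

The "fallback_crl" case is the one the profile enables: with the responder down, the CRL answers, and without fallback-crl the status stays unknown.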
Table 1 shows the Phase 1 options used in this example.
| Option | Peer A | Peer B |
|---|---|---|
| IKE proposal | ike_proposal_ms_2_2_0 | ike_proposal_ms_2_0_0 |
| Authentication method | rsa-signatures | rsa-signatures |
| DH group | group2 | group2 |
| Authentication algorithm | sha1 | sha1 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| Lifetime seconds | 3000 | 3000 |
| IKE policy | ike_policy_ms_2_2_0 | ike_policy_ms_2_0_0 |
| Mode | main | main |
| Proposal | ike_proposal_ms_2_2_0 | ike_proposal_ms_2_0_0 |
| Certificate | local7_neg | local7_moji |
| Policy | ike_policy | ike_policy |
| Gateway address | 10.0.1.2 | 192.0.2.0 |
| Remote identity | fqdn company.net | fqdn company.net |
| Local identity | fqdn company.net | fqdn company.net |
| External interface | ge-1/3/0 | ge-1/3/0 |
| Version | 1 | 1 |
Table 2 shows the Phase 2 options used in this example.
| Option | Peer A | Peer B |
|---|---|---|
| IPsec proposal | ipsec_proposal_ms_2_2_0 | ipsec_proposal_ms_2_0_0 |
| Protocol | esp | esp |
| Authentication algorithm | hmac-sha1-96 | hmac-sha1-96 |
| Encryption algorithm | 3des-cbc | 3des-cbc |
| Lifetime seconds | 2000 | 2000 |
| IPsec policy | ipsec_policy_ms_2_2_0 | ipsec_policy_ms_2_0_0 |
| PFS keys | group2 | group2 |
| Proposal | ipsec_proposal_ms_2_2_0 | ipsec_proposal_ms_2_0_0 |
| VPN | test_vpn | test_vpn |
| Policy | ipsec_policy | ipsec_policy |
| Establish tunnels | - | immediately |
Configuration
Configuring Peer A
CLI Quick Configuration
To quickly configure VPN peer A to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-1/3/0 unit 0 family inet address 10.0.1.2/24
set interfaces ms-2/2/0 unit 0 family inet
set interfaces ms-2/2/0 unit 1 family inet
set interfaces ms-2/2/0 unit 1 family inet6
set interfaces ms-2/2/0 unit 1 service-domain inside
set interfaces ms-2/2/0 unit 2 family inet
set interfaces ms-2/2/0 unit 2 family inet6
set interfaces ms-2/2/0 unit 2 service-domain outside
set security pki ca-profile Root ca-identity Root
set security pki ca-profile Root enrollment url http://10.1.1.1:8080/scep/Root/
set security pki ca-profile Root revocation-check ocsp url http://10.157.88.56:8210/Root/
set security pki ca-profile Root revocation-check use-ocsp
set security pki ca-profile Root revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile Root revocation-check ocsp connection-failure fallback-crl
set services ipsec-vpn ike proposal ike_prop authentication-method rsa-signatures
set services service-set ips_ss1 next-hop-service inside-service-interface ms-2/2/0.1
set services service-set ips_ss1 next-hop-service outside-service-interface ms-2/2/0.2
set services service-set ips_ss1 ipsec-vpn-options local-gateway 10.0.1.2
set services service-set ips_ss1 ipsec-vpn-rules vpn_rule_ms_2_2_01
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 from source-address 203.0.113.0/24
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 from destination-address 198.51.100.0/24
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then remote-gateway 192.0.2.0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then dynamic ike-policy ike_policy_ms_2_2_0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_2_2_0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 lifetime-seconds 2000
set services ipsec-vpn ipsec policy ipsec_policy_ms_2_2_0 proposals ipsec_proposal_ms_2_2_0
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 authentication-method rsa-signatures
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 lifetime-seconds 3000
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 version 1
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 proposals ike_proposal_ms_2_2_0
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 local-id fqdn company.net
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 local-certificate local7_neg
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 remote-id fqdn company.net
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure VPN peer A to use OCSP:
Configure the interfaces.
[edit interfaces]
set ge-1/3/0 unit 0 family inet address 10.0.1.2/24
set ms-2/2/0 unit 0 family inet
set ms-2/2/0 unit 1 family inet
set ms-2/2/0 unit 1 family inet6
set ms-2/2/0 unit 1 service-domain inside
set ms-2/2/0 unit 2 family inet
set ms-2/2/0 unit 2 family inet6
set ms-2/2/0 unit 2 service-domain outside
Configure the CA profile.
[edit security pki ca-profile Root]
set ca-identity Root
set enrollment url http://10.1.1.1:8080/scep/Root/
set revocation-check ocsp url http://10.157.88.56:8210/Root/
set revocation-check use-ocsp
set revocation-check ocsp disable-responder-revocation-check
set revocation-check ocsp connection-failure fallback-crl
Configure Phase 1 options.
[edit services ipsec-vpn ike proposal ike_proposal_ms_2_2_0]
set authentication-method rsa-signatures
set dh-group group2
set lifetime-seconds 3000
[edit services ipsec-vpn ike policy ike_policy_ms_2_2_0]
set mode main
set version 1
set proposals ike_proposal_ms_2_2_0
set local-id fqdn company.net
set local-certificate local7_neg
set remote-id fqdn company.net
Configure Phase 2 options.
[edit services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0]
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm 3des-cbc
set lifetime-seconds 2000
[edit services ipsec-vpn ipsec policy ipsec_policy_ms_2_2_0]
set proposals ipsec_proposal_ms_2_2_0
[edit services service-set ips_ss1]
set next-hop-service inside-service-interface ms-2/2/0.1
set next-hop-service outside-service-interface ms-2/2/0.2
set ipsec-vpn-options local-gateway 10.0.1.2
set ipsec-vpn-rules vpn_rule_ms_2_2_01
[edit services ipsec-vpn rule vpn_rule_ms_2_2_01]
set term term11 from source-address 203.0.113.0/24
set term term11 from destination-address 198.51.100.0/24
set term term11 then remote-gateway 192.0.2.0
set term term11 then dynamic ike-policy ike_policy_ms_2_2_0
set term term11 then dynamic ipsec-policy ipsec_policy_ms_2_2_0
set match-direction input
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            address 10.0.1.2/24;
        }
    }
}
ms-2/2/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        family inet6;
        service-domain inside;
    }
    unit 2 {
        family inet;
        family inet6;
        service-domain outside;
    }
}
[edit]
user@host# show security pki ca-profile Root
ca-identity Root;
enrollment {
    url http://10.1.1.1:8080/scep/Root/;
}
revocation-check {
    ocsp {
        url http://10.157.88.56:8210/Root/;
        disable-responder-revocation-check;
        connection-failure fallback-crl;
    }
    use-ocsp;
}
[edit]
user@host# show services ipsec-vpn ike
proposal ike_proposal_ms_2_2_0 {
    authentication-method rsa-signatures;
    dh-group group2;
    lifetime-seconds 3000;
}
policy ike_policy_ms_2_2_0 {
    mode main;
    version 1;
    proposals ike_proposal_ms_2_2_0;
    local-id fqdn company.net;
    local-certificate local7_neg;
    remote-id fqdn company.net;
}
[edit]
user@host# show services ipsec-vpn ipsec
proposal ipsec_proposal_ms_2_2_0 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 2000;
}
policy ipsec_policy_ms_2_2_0 {
    proposals ipsec_proposal_ms_2_2_0;
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Peer B
CLI Quick Configuration
To quickly configure VPN peer B to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-1/3/0 unit 0 family inet address 192.0.2.0/24
set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 family inet6
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 family inet6
set interfaces ms-2/0/0 unit 2 service-domain outside
set security pki ca-profile Root ca-identity Root
set security pki ca-profile Root enrollment url http://10.1.1.1:8080/scep/Root/
set security pki ca-profile Root revocation-check ocsp url http://10.157.88.56:8210/Root/
set security pki ca-profile Root revocation-check use-ocsp
set security pki ca-profile Root revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile Root revocation-check ocsp connection-failure fallback-crl
set services service-set ips_ss1 next-hop-service inside-service-interface ms-2/0/0.1
set services service-set ips_ss1 next-hop-service outside-service-interface ms-2/0/0.2
set services service-set ips_ss1 ipsec-vpn-options local-gateway 192.0.2.0
set services service-set ips_ss1 ipsec-vpn-rules vpn_rule_ms_2_0_01
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 from source-address 203.0.113.0/24
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 from destination-address 198.51.100.0/24
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then remote-gateway 10.0.1.2
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then dynamic ike-policy ike_policy_ms_2_0_0
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_2_0_0
set services ipsec-vpn rule vpn_rule_ms_2_0_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 lifetime-seconds 2000
set services ipsec-vpn ipsec policy ipsec_policy_ms_2_0_0 proposals ipsec_proposal_ms_2_0_0
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 authentication-method rsa-signatures
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 lifetime-seconds 3000
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 version 1
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 proposals ike_proposal_ms_2_0_0
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 local-id fqdn company.net
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 local-certificate local7_moji
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 remote-id fqdn company.net
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure VPN peer B to use OCSP:
Configure the interfaces.
[edit interfaces]
set ge-1/3/0 unit 0 family inet address 192.0.2.0/24
set ms-2/0/0 unit 0 family inet
set ms-2/0/0 unit 1 family inet
set ms-2/0/0 unit 1 family inet6
set ms-2/0/0 unit 1 service-domain inside
set ms-2/0/0 unit 2 family inet
set ms-2/0/0 unit 2 family inet6
set ms-2/0/0 unit 2 service-domain outside
Configure the CA profile.
[edit security pki ca-profile Root]
set ca-identity Root
set enrollment url http://10.1.1.1:8080/scep/Root/
set revocation-check ocsp url http://10.157.88.56:8210/Root/
set revocation-check use-ocsp
set revocation-check ocsp disable-responder-revocation-check
set revocation-check ocsp connection-failure fallback-crl
Configure Phase 1 options.
[edit services ipsec-vpn ike proposal ike_proposal_ms_2_0_0]
set authentication-method rsa-signatures
set dh-group group2
set lifetime-seconds 3000
[edit services ipsec-vpn ike policy ike_policy_ms_2_0_0]
set mode main
set version 1
set proposals ike_proposal_ms_2_0_0
set local-id fqdn company.net
set local-certificate local7_moji
set remote-id fqdn company.net
Configure Phase 2 options.
[edit services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0]
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm 3des-cbc
set lifetime-seconds 2000
[edit services ipsec-vpn ipsec policy ipsec_policy_ms_2_0_0]
set proposals ipsec_proposal_ms_2_0_0
[edit services service-set ips_ss1]
set next-hop-service inside-service-interface ms-2/0/0.1
set next-hop-service outside-service-interface ms-2/0/0.2
set ipsec-vpn-options local-gateway 192.0.2.0
set ipsec-vpn-rules vpn_rule_ms_2_0_01
[edit services ipsec-vpn rule vpn_rule_ms_2_0_01]
set term term11 from source-address 203.0.113.0/24
set term term11 from destination-address 198.51.100.0/24
set term term11 then remote-gateway 10.0.1.2
set term term11 then dynamic ike-policy ike_policy_ms_2_0_0
set term term11 then dynamic ipsec-policy ipsec_policy_ms_2_0_0
set match-direction input
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            address 192.0.2.0/24;
        }
    }
}
ms-2/0/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        family inet6;
        service-domain inside;
    }
    unit 2 {
        family inet;
        family inet6;
        service-domain outside;
    }
}
[edit]
user@host# show security pki ca-profile Root
ca-identity Root;
enrollment {
    url http://10.1.1.1:8080/scep/Root/;
}
revocation-check {
    ocsp {
        url http://10.157.88.56:8210/Root/;
        disable-responder-revocation-check;
        connection-failure fallback-crl;
    }
    use-ocsp;
}
[edit]
user@host# show services ipsec-vpn ike
proposal ike_proposal_ms_2_0_0 {
    authentication-method rsa-signatures;
    dh-group group2;
    lifetime-seconds 3000;
}
policy ike_policy_ms_2_0_0 {
    mode main;
    version 1;
    proposals ike_proposal_ms_2_0_0;
    local-id fqdn company.net;
    local-certificate local7_moji;
    remote-id fqdn company.net;
}
[edit]
user@host# show services ipsec-vpn ipsec
proposal ipsec_proposal_ms_2_0_0 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 2000;
}
policy ipsec_policy_ms_2_0_0 {
    proposals ipsec_proposal_ms_2_0_0;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying CA Certificates
Purpose
Verify the validity of the CA certificate on each peer device.
Action
From operational mode, enter the show security pki ca-certificate ca-profile Root or show security pki ca-certificate ca-profile Root detail command.
user@host> show security pki ca-certificate ca-profile Root
Certificate identifier: Root
  Issued to: Root, Issued by: C = US, O = Juniper, CN = Root
  Validity:
    Not before: 07- 3-2015 10:54 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(2048 bits)
user@host> show security pki ca-certificate ca-profile Root detail
Certificate identifier: Root
  Certificate version: 3
  Serial number: 0000a17f
  Issuer:
    Organization: Juniper, Country: US, Common name: Root
  Subject:
    Organization: Juniper, Country: US, Common name: Root
  Subject string:
    C=US, O=Juniper, CN=Root
  Validity:
    Not before: 07- 3-2015 10:54 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://10.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP:
    http://10.1.1.1:8090/Root/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    ed:ce:ec:13:1a:d2:ab:0a:76:e5:26:6d:2c:29:5d:49:90:57:f9:41 (sha1)
    af:87:07:69:f0:3e:f7:c6:b8:2c:f8:df:0b:ae:b0:28 (md5)
In this example, IP addresses are used in the URLs of the CA profile configuration. If IP addresses are not used with the CA-issued certificates or with the CA certificate, DNS must be configured on the device. DNS must be able to resolve the hosts in the distribution CRL and in the CA URL of the CA profile configuration. In addition, the device must have network reachability to those same hosts for revocation checks to succeed.
Meaning
The output shows the details and validity of the CA certificate on each peer, as follows:
C: country. O: organization. CN: common name. Not before: start of the validity period. Not after: end of the validity period.
Verifying Local Certificates
Purpose
Verify the validity of the local certificate on each peer device.
Action
From operational mode, enter the show security pki local-certificate certificate-id certificate-id detail command, using the local certificate identifier of that peer (local7_neg on peer A, local7_moji on peer B).
user@host> show security pki local-certificate certificate-id local7_neg detail
Certificate identifier: local7_neg
  Certificate version: 3
  Serial number: 0007d964
  Issuer:
    Organization: juniper, Country: us, Common name: Subca2
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: local, Domain component: juniper
  Subject string:
    DC=juniper, CN=local, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "test@company.net", company.net, 10.0.0.2
  Validity:
    Not before: 04- 5-2016 03:30 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.1.1.1:8080/crl-as-der/currentcrl-1925.crl?id=1925
  Authority Information Access OCSP:
    http://10.204.128.120:8090/Subca2/
  Fingerprint:
    69:00:fe:e1:81:37:ab:54:27:81:ce:57:11:a1:f2:d8:00:e7:e6:c7 (sha1)
    1e:27:93:a1:96:eb:28:0c:dc:f3:50:20:bb:eb:ed:57 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Meaning
The output shows the details and validity of the local certificate on each peer, as follows:
DC: domain component. CN: common name. OU: organizational unit. O: organization. L: locality. ST: state. C: country. Not before: start of the validity period. Not after: end of the validity period.
Verifying IKE Phase 1 Status
Purpose
Verify the IKE Phase 1 status on each peer device.
Action
From operational mode, enter the show services ipsec-vpn ike security-associations command.
user@host> show services ipsec-vpn ike security-associations
Remote Address    State     Initiator cookie   Responder cookie   Exchange type
192.0.2.0         Matured   63b3445edda507fb   2715ee5895ed244d   Main
From operational mode, enter the show services ipsec-vpn ike security-associations detail command.
user@host> show services ipsec-vpn ike security-associations detail
IKE peer 192.0.2.0
  Role: Initiator, State: Matured
  Initiator cookie: 63b3445edda507fb, Responder cookie: 2715ee5895ed244d
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.0.1.2, Remote: 192.0.2.0
  Lifetime: Expires in 788 seconds
  Algorithms:
    Authentication        : hmac-sha1-96
    Encryption            : 3des-cbc
    Pseudo random function: hmac-sha1
    Diffie-Hellman group  : 2
  Traffic statistics:
    Input  bytes  : 3100
    Output bytes  : 4196
    Input  packets: 7
    Output packets: 9
  Flags: IKE SA created
  IPSec security associations: 4 created, 4 deleted
Meaning
The Flags field in the output shows that the IKE security association has been created.
Verifying IPsec Phase 2 Status
Purpose
Verify the IPsec Phase 2 status on each peer device.
Action
From operational mode, enter the show services ipsec-vpn ipsec security-associations command.
user@host> show services ipsec-vpn ipsec security-associations
  Service set: ips_ss1, IKE Routing-instance: default
  Rule: vpn_rule_ms_2_2_01, Term: term11, Tunnel index: 1
    Local gateway: 10.0.1.2, Remote gateway: 192.0.2.0
    IPSec inside interface: ms-2/2/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    Direction   SPI          AUX-SPI   Mode     Type      Protocol
    inbound     2151932129   0         tunnel   dynamic   ESP
    outbound    4169263669   0         tunnel   dynamic   ESP
From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.
user@host> show services ipsec-vpn ipsec security-associations detail
  Service set: ips_ss1, IKE Routing-instance: default
  Rule: vpn_rule_ms_2_2_01, Term: term11, Tunnel index: 1
    Local gateway: 10.0.1.2, Remote gateway: 192.0.2.0
    IPSec inside interface: ms-2/2/0.1, Tunnel MTU: 1500
    UDP encapsulate: Disabled, UDP Destination port: 0
    Local identity: ipv4_subnet(any:0,[0..7]=80.0.0.0/16)
    Remote identity: ipv4_subnet(any:0,[0..7]=30.0.0.0/16)
    Direction: inbound, SPI: 3029124496, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 840 seconds
      Hard lifetime: Expires in 1273 seconds
      Anti-replay service: Enabled, Replay window size: 4096
      Copy ToS: Disabled, ToS value: 0
      Copy TTL: Disabled, TTL value: 64
    Direction: outbound, SPI: 4046774180, AUX-SPI: 0
      Mode: tunnel, Type: dynamic, State: Installed
      Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
      Soft lifetime: Expires in 840 seconds
      Hard lifetime: Expires in 1273 seconds
      Anti-replay service: Enabled, Replay window size: 4096
      Copy ToS: Disabled, ToS value: 0
      Copy TTL: Disabled, TTL value: 64
Meaning
The output shows the details of the IPsec security associations.
