Example: Configuring OCSP for Certificate Revocation Status
This example shows how to configure two peers using the Online Certificate Status Protocol (OCSP) to check the revocation status of the certificates used in Phase 1 negotiations for the IPsec VPN tunnel.
Requirements
On each device:
- Obtain and enroll a local certificate. This can be done either manually or by using the Simple Certificate Enrollment Protocol (SCEP).
- Optionally, enable automatic renewal of the local certificate.
- Configure security policies to permit traffic to and from the peer device.
Overview
On both peers, a certificate authority (CA) profile OCSP-ROOT is configured with the following options:
- CA name is OCSP-ROOT.
- Enrollment URL is http://1.1.1.1:8080/scep/OCSP-ROOT/. This is the URL where SCEP requests to the CA are sent.
- The URL for the OCSP server is http://10.157.88.56:8210/OCSP-ROOT/.
- OCSP is checked first. If the connection to the OCSP server fails, the device falls back to the certificate revocation list (CRL) (connection-failure fallback-crl). The CRL URL is http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45.
- The OCSP responder's own certificate, received in the OCSP response, is not itself checked for revocation (disable-responder-revocation-check). Responder certificates generally have short lifetimes, so a revocation check on them is not required.
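To make concrete what the device sends to the responder configured above, here is an added Python example (not Junos code and not part of the original page) that builds an RFC 6960 OCSP request for the page's local certificate, serial 013e3f1d, issued by OCSP-ROOT, using only the standard library: a minimal DER encoder, a minimal DER reader that checks the result, and the HTTP GET form from RFC 6960 Appendix A. The issuer Name encoding is reconstructed from the page's DN and the issuer public-key bits are a constructed placeholder, as labelled in the code, so both CertID hashes would have to be recomputed from the real CA certificate before a request is sent; the message structure, the SHA-1 CertID and the GET URL form are exact.

```python
"""Build an RFC 6960 OCSP request for a certificate issued by the page's CA.

Added example, not Junos code. Standard library only.
"""
import base64
import hashlib
import urllib.parse

# OCSP responder URL and local-certificate serial number from the page's example.
OCSP_RESPONDER_URL = "http://10.157.88.56:8210/OCSP-ROOT/"
LOCALCERT1_SERIAL = 0x013E3F1D

OID_SHA1 = bytes.fromhex("2b0e03021a")   # 1.3.14.3.2.26
OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return der(0x02, body)


def der_name(rdns) -> bytes:
    """X.501 Name from (oid, PrintableString value) pairs, one RDN each."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x13, v.encode("ascii"))))
        for oid, v in rdns))


def build_ocsp_request(issuer_name_der: bytes, issuer_spk_bits: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }.

    CertID hashes are SHA-1 over the issuer Name DER and over the issuer
    subjectPublicKey bits, as RFC 6960 section 4.1.1 specifies.
    """
    alg_sha1 = der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))
    cert_id = der(0x30,
                  alg_sha1
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_spk_bits).digest())
                  + der_integer(serial))
    request = der(0x30, cert_id)            # Request, no singleRequestExtensions
    tbs = der(0x30, der(0x30, request))     # TBSRequest: version v1 omitted (DEFAULT)
    return der(0x30, tbs)                   # OCSPRequest, optionalSignature omitted


def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """GET form from RFC 6960 Appendix A.1: url-encoded base64 of the DER."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def decode_ocsp_get_url(url: str) -> bytes:
    """Inverse of ocsp_get_url: recover the DER request from a GET URL."""
    return base64.b64decode(urllib.parse.unquote(url.rsplit("/", 1)[1]))


def read_tlv(buf: bytes, off: int):
    """Decode one DER TLV at buf[off]; returns (tag, content, next_offset)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def extract_serial(request_der: bytes) -> int:
    """Walk OCSPRequest -> TBSRequest -> requestList -> Request -> CertID.serialNumber."""
    node = request_der
    for _ in range(5):                      # five nested SEQUENCEs down to CertID content
        tag, node, _ = read_tlv(node, 0)
        assert tag == 0x30
    off = 0
    for _ in range(3):                      # skip AlgorithmIdentifier and the two hashes
        _, _, off = read_tlv(node, off)
    tag, body, _ = read_tlv(node, off)
    assert tag == 0x02
    return int.from_bytes(body, "big")


# Issuer DN from the page's CA certificate (C=US, O=Juniper, CN=OCSP-ROOT).
# The encoding is reconstructed: the hash only matches the real CA certificate if
# it uses the same string types and RDN order, so take the bytes from the real
# certificate in practice.
ISSUER_NAME_DER = der_name([(OID_C, "US"), (OID_O, "Juniper"), (OID_CN, "OCSP-ROOT")])
# Constructed placeholder for the CA's subjectPublicKey bits (the real ones are the
# RSAPublicKey DER printed by "show security pki ca-certificate ... detail").
ISSUER_SPK_BITS = b"constructed-placeholder-for-OCSP-ROOT-public-key"

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_SPK_BITS, LOCALCERT1_SERIAL)
    print(req.hex())
    print(ocsp_get_url(OCSP_RESPONDER_URL, req))
```

The GET form is handy when reproducing a device's check by hand against the responder; a POST with Content-Type application/ocsp-request and the raw DER body is the other form RFC 6960 allows and avoids URL-length limits on large requests.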
Table 8 shows the Phase 1 options used in this example.
Table 8: Phase 1 Options for OCSP Configuration Example
Option | Peer A | Peer B |
---|---|---|
IKE proposal | ike_prop | ike_prop |
Authentication method | RSA signatures | RSA signatures |
DH group | group2 | group2 |
Authentication algorithm | SHA 1 | SHA 1 |
Encryption algorithm | 3DES CBC | 3DES CBC |
IKE policy | ike_policy | ike_policy |
Mode | aggressive | aggressive |
Proposal | ike_prop | ike_prop |
Certificate | local-certificate localcert1 | local-certificate localcert1 |
IKE gateway | jsr_gateway | jsr_gateway |
Policy | ike_policy | ike_policy |
Gateway address | 101.10.2.50 | 100.10.1.50 |
Remote identity | localcert11.juniper.net | - |
Local identity | - | localcert11.juniper.net |
External interface | reth1 | ge-0/0/2.0 |
Version | v2 | v2 |
Table 9 shows the Phase 2 options used in this example.
Table 9: Phase 2 Options for OCSP Configuration Example
Option | Peer A | Peer B |
---|---|---|
IPsec proposal | ipsec_prop | ipsec_prop |
Protocol | ESP | ESP |
Authentication algorithm | HMAC SHA1-96 | HMAC SHA1-96 |
Encryption algorithm | 3DES CBC | 3DES CBC |
Lifetime seconds | 1200 | 1200 |
Lifetime kilobytes | 150,000 | 150,000 |
IPsec policy | ipsec_policy | ipsec_policy |
PFS keys | group2 | group2 |
Proposal | ipsec_prop | ipsec_prop |
VPN | test_vpn | test_vpn |
Bind interface | st0.1 | st0.1 |
IKE gateway | jsr_gateway | jsr_gateway |
Policy | ipsec_policy | ipsec_policy |
Establish tunnels | - | immediately |
Figure 1 shows the peer devices that are configured in this example.
Figure 1: OCSP Configuration Example

Configuration
Configuring Peer A
CLI Quick Configuration
To quickly configure VPN peer A to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure VPN peer A to use OCSP:
- Configure interfaces.
  [edit interfaces]
  set ge-0/0/3 gigether-options redundant-parent reth1
  set ge-9/0/3 gigether-options redundant-parent reth1
  set lo0 unit 0 family inet address 100.100.1.100/24
  set lo0 redundant-pseudo-interface-options redundancy-group 1
  set reth1 redundant-ether-options redundancy-group 1
  set reth1 unit 0 family inet address 100.10.1.50/24
  set st0 unit 1 family inet address 202.2.1.100/24
- Configure the CA profile.
  [edit security pki ca-profile OCSP-ROOT]
  set ca-identity OCSP-ROOT
  set enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
  set revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
  set revocation-check use-ocsp
  set revocation-check ocsp disable-responder-revocation-check
  set revocation-check ocsp connection-failure fallback-crl
  set revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
- Configure Phase 1 options.
  [edit security ike proposal ike_prop]
  set authentication-method rsa-signatures
  set dh-group group2
  set authentication-algorithm sha1
  set encryption-algorithm 3des-cbc
  [edit security ike policy ike_policy]
  set mode aggressive
  set proposals ike_prop
  set certificate local-certificate localcert1
  [edit security ike gateway jsr_gateway]
  set ike-policy ike_policy
  set address 101.10.2.50
  set remote-identity hostname localcert11.juniper.net
  set external-interface reth1
  set version v2-only
- Configure Phase 2 options.
  [edit security ipsec proposal ipsec_prop]
  set protocol esp
  set authentication-algorithm hmac-sha1-96
  set encryption-algorithm 3des-cbc
  set lifetime-seconds 1200
  set lifetime-kilobytes 150000
  [edit security ipsec policy ipsec_policy]
  set perfect-forward-secrecy keys group2
  set proposals ipsec_prop
  [edit security ipsec vpn test_vpn]
  set bind-interface st0.1
  set ike gateway jsr_gateway
  set ike ipsec-policy ipsec_policy
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile OCSP-ROOT, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Configuring Peer B
CLI Quick Configuration
To quickly configure VPN peer B to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure VPN peer B to use OCSP:
- Configure interfaces.
  [edit interfaces]
  set ge-0/0/2 unit 0 family inet address 101.10.2.50/24
  set lo0 unit 0 family inet address 102.100.1.100/24
  set st0 unit 1 family inet address 202.2.1.1/24
- Configure the CA profile.
  [edit security pki ca-profile OCSP-ROOT]
  set ca-identity OCSP-ROOT
  set enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
  set revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
  set revocation-check use-ocsp
  set revocation-check ocsp disable-responder-revocation-check
  set revocation-check ocsp connection-failure fallback-crl
  set revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
- Configure Phase 1 options.
  [edit security ike proposal ike_prop]
  set authentication-method rsa-signatures
  set dh-group group2
  set authentication-algorithm sha1
  set encryption-algorithm 3des-cbc
  [edit security ike policy ike_policy]
  set mode aggressive
  set proposals ike_prop
  set certificate local-certificate localcert1
  [edit security ike gateway jsr_gateway]
  set ike-policy ike_policy
  set address 100.10.1.50
  set local-identity hostname localcert11.juniper.net
  set external-interface ge-0/0/2.0
  set version v2-only
- Configure Phase 2 options.
  [edit security ipsec proposal ipsec_prop]
  set protocol esp
  set authentication-algorithm hmac-sha1-96
  set encryption-algorithm 3des-cbc
  set lifetime-seconds 1200
  set lifetime-kilobytes 150000
  [edit security ipsec policy ipsec_policy]
  set perfect-forward-secrecy keys group2
  set proposals ipsec_prop
  [edit security ipsec vpn test_vpn]
  set bind-interface st0.1
  set ike gateway jsr_gateway
  set ike ipsec-policy ipsec_policy
  set establish-tunnels immediately
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile OCSP-ROOT, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying CA Certificates
- Verifying Local Certificates
- Verifying IKE Phase 1 Status
- Verifying IPsec Phase 2 Status
Verifying CA Certificates
Purpose
Verify the validity of a CA certificate on each peer device.
Action
From operational mode, enter the show security pki ca-certificate ca-profile OCSP-ROOT or show security pki ca-certificate ca-profile OCSP-ROOT detail command.

user@host> show security pki ca-certificate ca-profile OCSP-ROOT
Certificate identifier: OCSP-ROOT
  Issued to: OCSP-ROOT, Issued by: C = US, O = Juniper, CN = OCSP-ROOT
  Validity:
    Not before: 11-15-2013 22:26 UTC
    Not after: 11-14-2016 22:26 UTC
  Public key algorithm: rsaEncryption(2048 bits)

user@host> show security pki ca-certificate ca-profile OCSP-ROOT detail
Certificate identifier: OCSP-ROOT
  Certificate version: 3
  Serial number: 0000a17f
  Issuer:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject string:
    C=US, O=Juniper, CN=OCSP-ROOT
  Validity:
    Not before: 11-15-2013 22:26 UTC
    Not after: 11-14-2016 22:26 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:c6:38:e9:03:69:5e:45:d8:a3:ea:3d
    2e:e3:b8:3f:f0:5b:39:f0:b7:35:64:ed:60:a0:ba:89:28:63:29:e7
    27:82:47:c4:f6:41:53:c8:97:d7:1e:3c:ca:f0:a0:b9:09:0e:3d:f8
    76:5b:10:6f:b5:f8:ef:c5:e8:48:b9:fe:46:a3:c6:ba:b5:05:de:2d
    91:ce:20:12:8f:55:3c:a6:a4:99:bb:91:cf:05:5c:89:d3:a7:dc:a4
    d1:46:f2:dc:36:f3:f0:b5:fd:1d:18:f2:e6:33:d3:38:bb:44:8a:19
    ad:e0:b1:1a:15:c3:56:07:f9:2d:f6:19:f7:cd:80:cf:61:de:58:b8
    a3:f5:e0:d1:a3:3a:19:99:80:b0:63:03:1f:25:05:cc:b2:0c:cd:18
    ef:37:37:46:91:20:04:bc:a3:4a:44:a9:85:3b:50:33:76:45:d9:ba
    26:3a:3b:0d:ff:82:40:36:64:4e:ea:6a:d8:9b:06:ff:3f:e2:c4:a6
    76:ee:8b:58:56:a6:09:d3:4e:08:b0:64:60:75:f3:e2:06:91:64:73
    d2:78:e9:7a:cb:8c:57:0e:d1:9a:6d:3a:4a:9e:5b:d9:e4:a2:ef:31
    5d:2b:2b:53:ab:a1:ad:45:49:fd:a5:e0:8b:4e:0b:71:52:ca:6b:fa
    8b:0e:2c:7c:7b:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP:
    http://1.1.1.1:8090/OCSP-ROOT/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    ed:ce:ec:13:1a:d2:ab:0a:76:e5:26:6d:2c:29:5d:49:90:57:f9:41 (sha1)
    af:87:07:69:f0:3e:f7:c6:b8:2c:f8:df:0b:ae:b0:28 (md5)
In this example, IP addresses are used in the URLs in the CA profile configuration. If the URLs in the CA profile, or the CRL distribution point and OCSP URLs embedded in the CA certificate or in CA-issued certificates, use hostnames instead of IP addresses, DNS must be configured on the device and must be able to resolve those hosts. The device must also have network reachability to those hosts, or revocation checks cannot complete.
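A check worth running before trusting the tunnel is to compare the revocation URLs set in the CA profile with the ones the CA certificate itself carries. On this page they differ: the profile points OCSP at http://10.157.88.56:8210/OCSP-ROOT/ while the certificate's AIA extension says http://1.1.1.1:8090/OCSP-ROOT/, and the configured CRL URL reads crlid=45 where the certificate's distribution point reads crl?id=45. The added Python example below (not Junos code and not part of the original page) parses the "show security pki ca-certificate ... detail" output above, pasted in as a constructed string, reports such mismatches, and lists any hostnames that would need DNS per the paragraph above. It assumes that a URL configured in the CA profile is the one the device contacts, so a mismatch is a reason to confirm which host is actually reachable rather than an error in itself.

```python
"""Cross-check CA profile revocation URLs against the CA certificate's own URLs.

Added example, not Junos code. Standard library only.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# From the page's "set security pki ca-profile OCSP-ROOT ..." commands.
CA_PROFILE = {
    "enrollment url": "http://1.1.1.1:8080/scep/OCSP-ROOT/",
    "ocsp url": "http://10.157.88.56:8210/OCSP-ROOT/",
    "crl url": "http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45",
}

# Constructed sample: the relevant lines of the page's CA certificate detail output.
CA_CERT_DETAIL = """\
Certificate identifier: OCSP-ROOT
  Certificate version: 3
  Serial number: 0000a17f
  Issuer:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Validity:
    Not before: 11-15-2013 22:26 UTC
    Not after: 11-14-2016 22:26 UTC
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP:
    http://1.1.1.1:8090/OCSP-ROOT/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
"""

LABELS = (("crl", "Distribution CRL:"), ("ocsp", "Authority Information Access OCSP:"))


def parse_cert_urls(detail: str) -> dict:
    """Pull the CRL distribution point and AIA OCSP URL out of the CLI output.
    Each URL follows its label on the next line, so match label, whitespace, URL."""
    found = {}
    for key, label in LABELS:
        m = re.search(re.escape(label) + r"\s*(\S+)", detail)
        found[key] = m.group(1) if m else None
    return found


def needs_dns(url: str) -> bool:
    """True when the URL's host is a name rather than an IPv4/IPv6 literal."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def revocation_url_report(profile: dict, detail: str) -> dict:
    """Report configured-vs-certificate URL mismatches and hosts that need DNS."""
    cert = parse_cert_urls(detail)
    report = {"mismatch": {}, "dns_hosts": set()}
    for key in ("ocsp", "crl"):
        configured = profile.get(f"{key} url")
        # Assumption: a URL configured in the CA profile is the one the device
        # contacts, so a difference from the certificate is reported, not rejected.
        if configured and cert[key] and configured != cert[key]:
            report["mismatch"][key] = (configured, cert[key])
    candidates = [profile.get("enrollment url"), profile.get("ocsp url"),
                  profile.get("crl url"), cert["crl"], cert["ocsp"]]
    for url in candidates:
        if url and needs_dns(url):
            report["dns_hosts"].add(urlsplit(url).hostname)
    return report


if __name__ == "__main__":
    result = revocation_url_report(CA_PROFILE, CA_CERT_DETAIL)
    for key, (configured, in_cert) in result["mismatch"].items():
        print(f"{key}: profile uses {configured}, certificate carries {in_cert}")
    print("hosts needing DNS:", sorted(result["dns_hosts"]) or "none")
```

Run against the page's values, the report flags both the OCSP and the CRL URL as differing from the certificate and finds no hostnames to resolve, since every URL uses an IP literal.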
Verifying Local Certificates
Purpose
Verify the validity of a local certificate on each peer device.
Action
From operational mode, enter the show security pki local-certificate certificate-id localcert1 detail command.
user@host> show security pki local-certificate certificate-id localcert1 detail
Certificate identifier: localcert1
  Certificate version: 3
  Serial number: 013e3f1d
  Issuer:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject:
    Organization: juniper1, Organizational unit: sltqa1, State: california1, Locality: sunnyvale1, Common name: localcert1, Domain component: domain_component1
  Subject string:
    DC=domain_component1, CN=localcert1, OU=sltqa1, O=juniper1, L=sunnyvale1, ST=california1, C=us1
  Alternate subject: "localcert1@juniper.net", localcert1.juniper.net, 100.10.1.50
  Validity:
    Not before: 01-28-2014 22:23 UTC
    Not after: 03-29-2014 22:53 UTC
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:a6:df:c1:57:59:f8:4d:0f:c4:a8:96:25:97
    03:c4:a0:fb:df:d5:f3:d5:56:b6:5a:26:65:b8:1a:ec:be:f6:c6:5f
    b3:d7:d3:59:39:48:52:4a:e3:1b:e4:e0:6d:24:c3:c1:50:8c:55:3b
    c0:c1:29:a0:45:29:8e:ec:3e:52:2f:84:b3:e8:89:9a:0f:8b:7d:e8
    90:4b:c1:28:48:95:b3:aa:11:ab:b4:8c:a8:80:ce:90:07:2a:13:a2
    2f:84:44:92:3b:be:7d:39:5b:2f:9a:4c:7a:2f:2d:31:8b:12:6d:52
    34:7d:6b:e4:69:7e:f3:86:55:e2:89:31:98:c9:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP:
    http://1.1.1.1/:8090/OCSP-ROOT/
  Fingerprint:
    00:c6:56:64:ad:e3:ce:8e:26:6b:df:17:1e:de:fc:14:a4:bb:8c:e4 (sha1)
    7f:43:c6:ed:e4:b3:7a:4f:9a:8c:0b:61:95:01:c9:52 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Verifying IKE Phase 1 Status
Purpose
Verify the IKE Phase 1 status on each peer device.
Action
From operational mode, enter the show security ike security-associations command.
user@host> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
6534660  UP     3e62e05abd6a703f  c552b238e8a26668  IKEv2  101.10.2.50
From operational mode, enter the show security ike security-associations detail command.
user@host> show security ike security-associations detail
IKE peer 101.10.2.50, Index 6534660, Gateway Name: jsr_gateway
  Role: Responder, State: UP
  Initiator cookie: 3e62e05abd6a703f, Responder cookie: c552b238e8a26668
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 100.10.1.50:500, Remote: 101.10.2.50:500
  Lifetime: Expires in 26906 seconds
  Peer ike-id: localcert11.juniper.net
  Xauth assigned IP: 0.0.0.0
  Algorithms:
    Authentication        : hmac-sha1-96
    Encryption            : 3des-cbc
    Pseudo random function: hmac-sha1
    Diffie-Hellman group  : DH-group-2
  Traffic statistics:
    Input  bytes  : 2152
    Output bytes  : 2097
    Input  packets: 4
    Output packets: 4
  Flags: IKE SA is created
  IPSec security associations: 4 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 100.10.1.50:500, Remote: 101.10.2.50:500
    Local identity: 100.10.1.50
    Remote identity: localcert11.juniper.net
    Flags: IKE SA is created
Verifying IPsec Phase 2 Status
Purpose
Verify the IPsec Phase 2 status on each peer device.
Action
From operational mode, enter the show security ipsec security-associations command.
user@host> show security ipsec security-associations
Total active tunnels: 1
  ID       Algorithm       SPI       Life:sec/kb   Mon  lsys  Port  Gateway
  <131073  ESP:3des/sha1   9d1066e2  252/ 150000   -    root  500   101.10.2.50
  >131073  ESP:3des/sha1   82079c2c  252/ 150000   -    root  500   101.10.2.50
From operational mode, enter the show security ipsec security-associations detail command.
user@host> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: test_vpn
  Local Gateway: 100.10.1.50, Remote Gateway: 101.10.2.50
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear
  Bind-interface: st0.1

  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Last Tunnel Down Reason: Delete payload received
  Direction: inbound, SPI: 9d1066e2, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 249 seconds
    Lifesize Remaining: 150000 kilobytes
    Soft lifetime: Expires in 10 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: 82079c2c, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 249 seconds
    Lifesize Remaining: 150000 kilobytes
    Soft lifetime: Expires in 10 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
Related Documentation
- Understanding Online Certificate Status Protocol
- Public Key Infrastructure Feature Guide for Security Devices