Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Improving Security by Configuring OCSP for Certificate Revocation Status

 

This example shows how to improve security by configuring two peers using the Online Certificate Status Protocol (OCSP) to check the revocation status of the certificates used in Phase 1 negotiations for the IPsec VPN tunnel.

Requirements

On each device:

  • Obtain and enroll a local certificate. This can be done either manually or by using the Simple Certificate Enrollment Protocol (SCEP).

  • Optionally, enable automatic renewal of the local certificate.

  • Configure security policies to permit traffic to and from the peer device.

Overview

On both peers, a certificate authority (CA) profile Root is configured with the following options:

  • CA name is Root.

  • Enrollment URL is http://1.1.1.1:8080/scep/Root/. This is the URL where SCEP requests to the CA are sent.

  • The URL for the OCSP server is http://10.157.88.56:8210/Root/.

  • OCSP is used first to check the certificate revocation status. If there is no response from the OCSP server, then the certificate revocation list (CRL) is used to check the status. The CRL URL is http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45.

  • The CA certificate received in an OCSP response is not checked for certificate revocation. Certificates received in an OCSP response generally have shorter lifetimes and a revocation check is not required.

Table 1 shows the Phase 1 options used in this example.

Table 1: Phase 1 Options for OCSP Configuration Example

Option

Peer A

Peer B

IKE proposal

ike_policy_ms_2_2_0

ike_proposal_ms_2_0_0

Authentication method

rsa-signatures

rsa-signatures

DH group

group2

group2

Authentication algorithm

SHA 1

SHA 1

Encryption algorithm

3des-cbc

3des-cbc

Lifetime seconds

3000

3000

IKE policy

ike_policy_ms_2_2_0

ike_policy_ms_2_0_0

Mode

main

main

Proposal

ike_proposal_ms_2_2_0

ike_proposal_ms_2_0_0

Certificate

local7_neg

local7_moji

Policy

ike_policy

ike_policy

Gateway address

10.0.1.2

192.0.2.0

Remote identity

fqdn company.net

fqdn company.net

Local identity

fqdn company.net

fqdn company.net

External interface

ge-1/3/0

ge-1/3/0

Version

1

1

Table 2 shows the Phase 2 options used in this example.

Table 2: Phase 2 Options for OCSP Configuration Example

Option

Peer A

Peer B

IPsec proposal

ipsec_proposal_ms_2_2_0

ipsec_proposal_ms_2_0_0

Protocol

esp

esp

Authentication algorithm

hmac-sha1-96

hmac-sha1-96

Encryption algorithm

3des-cbc

3des-cbc

Lifetime seconds

2000

2000

IPsec policy

ipsec_policy_ms_2_2_0

ipsec_policy_ms_2_0_0

PFC keys

group2

group2

Proposal

ipsec_proposal_ms_2_2_0

ipsec_proposal_ms_2_0_0

VPN

test_vpn

test_vpn

Policy

ipsec_policy

ipsec_policy

Establish tunnels

-

immediately

Topology

Figure 1 shows the peer devices that are configured in this example.

Figure 1: OCSP Configuration Example
 OCSP Configuration
Example

Configuration

Configuring Peer A

CLI Quick Configuration

To quickly configure VPN peer A to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer A to use OCSP:

  1. Configure interfaces.
  2. Configure the CA profile.
  3. Configure Phase 1 options.
  4. Configure Phase 2 options.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Peer B

CLI Quick Configuration

To quickly configure VPN peer B to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer B to use OCSP:

  1. Configure interfaces.
  2. Configure the CA profile.
  3. Configure Phase 1 options.
  4. Configure Phase 2 options.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying CA Certificates

Purpose

Verify the validity of a CA certificate on each peer device.

Action

From operational mode, enter the show security pki ca-certificate ca-profile Root or show security pki ca-certificate ca-profile Root detail command.

Note

In this example, IP addresses are used in the URLs in the CA profile configuration. If IP addresses are not used with CA-issued certificates or CA certificates, DNS must be configured in the device’s configuration. DNS must be able to resolve the host in the distribution CRL and in the CA URL in the CA profile configuration. Additionally, you must have network reachability to the same host to receive revocation checks.

Meaning

The output shows the details and validity of CA certificate on each peer as follows:

  • C—Country.

  • O—Organization.

  • CN—Common name.

  • Not before—Begin date of validity.

  • Not after—End date of validity.

Verifying Local Certificates

Purpose

Verify the validity of a local certificate on each peer device.

Action

From operational mode, enter the show security pki local-certificate certificate-id localcert1 detail command.

Meaning

The output shows the details and validity of a local certificate on each peer as follows:

  • DC—Domain component.

  • CN—Common name.

  • OU—Organizational unit.

  • O—Organization.

  • L—Locality

  • ST—State.

  • C—Country.

  • Not before—Begin date of validity.

  • Not after—End date of validity.

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status on each peer device.

Action

From operational mode, enter the show services ipsec-vpn ike security-associations command.

From operational mode, enter the show services ipsec-vpn ike security-associations detail command.

Meaning

The flags field in the output shows that, IKE security association is created.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status on each peer device.

Action

From operational mode, enter the show services ipsec-vpn ipsec security-associations command.

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.

Meaning

The output shows the ipsec security associations details.