The ERX router validates X.509v3 certificates from the peer by confirming that the ID payload passed in IKE matches the identifiers in the peer certificate. The router also verifies that the signature is correct, based on the root CA public key.
The ERX router also validates the certificate based on its time window, so correct UTC time on the router is essential. In addition to the certificate checks, the router confirms that message data received from the peer has the correct signature based on the peer's public key as found in its certificate. After the IKE authentication is done, quick-mode negotiation of SAs can proceed.
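The following sketch models two of the checks described above, the ID payload match and the validity-window check, to show why a router whose clock is wrong rejects an otherwise good peer. It is an added example, not ERX code: the `PeerCert` container, the function names, the choice of ID types and all sample values are assumptions, and signature verification is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class PeerCert:  # hypothetical container for already-parsed certificate fields
    subject_dn: str
    not_before: datetime
    not_after: datetime
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)

def id_matches(id_type, id_value, cert):
    # Compare the IKE ID payload with the identifier of the same kind in the certificate.
    if id_type == "ID_FQDN":
        return id_value.lower() in [n.lower() for n in cert.san_dns]
    if id_type == "ID_IPV4_ADDR":
        return id_value in cert.san_ip
    if id_type == "ID_DER_ASN1_DN":
        return id_value == cert.subject_dn  # simplified: real code compares encoded names
    return False  # an unrecognized ID type never matches

def in_validity_window(cert, now_utc):
    # Require a timezone-aware clock value; aware datetimes compare on the UTC instant.
    if now_utc.tzinfo is None:
        raise ValueError("clock value must be timezone-aware (UTC)")
    return cert.not_before <= now_utc <= cert.not_after

def validate_peer(id_type, id_value, cert, now_utc):
    if not id_matches(id_type, id_value, cert):
        return "reject: ID payload does not match certificate"
    if not in_validity_window(cert, now_utc):
        return "reject: outside validity window"
    return "accept"

# Constructed sample data (not taken from any real device or certificate).
CERT = PeerCert(
    subject_dn="CN=peer1.example.net,O=Example",
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
    san_dns=["peer1.example.net"],
    san_ip=["192.0.2.10"],
)
GOOD_CLOCK = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
RESET_CLOCK = datetime(1970, 1, 1, tzinfo=timezone.utc)  # clock lost after a reboot

if __name__ == "__main__":
    print(validate_peer("ID_FQDN", "peer1.example.net", CERT, GOOD_CLOCK))
    print(validate_peer("ID_FQDN", "other.example.net", CERT, GOOD_CLOCK))
    print(validate_peer("ID_IPV4_ADDR", "192.0.2.10", CERT, RESET_CLOCK))
```

The third call uses a matching identity and an unexpired certificate, yet it is rejected because the local clock sits before `not_before`.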