[Contents] [Prev] [Next] [Index] [Report an Error]

Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration

Figure 51: AS PIC IKE Dynamic SA Topology Diagram

Image g015519.gif

Figure 51 shows the same IPSec topology as the AS PIC dynamic SA example on Example: AS PIC IKE Dynamic SA Configuration. However, this configuration requires Routers 2 and 3 to establish an IKE-based IPSec tunnel by using digital certificates in place of preshared keys. Routers 1 and 4 continue to provide basic connectivity and are used to verify that the IPSec tunnel is operational.

On Router 1, provide basic OSPF connectivity to Router 2.

Router 1



[edit]
interfaces {


so-0/0/0 {
description "To R2 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.1/32;
}


}


}


}
routing-options {
router-id 10.0.0.1;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

On Router 2, you must request a CA certificate, create a local certificate, and load these digital certificates into the router before you can reference them in your IPSec configuration. To begin, configure an IPSec profile by specifying the trusted CA and URL of the CA server that handles CA certificate processing:



[edit]
security {


pki {


ca-profile entrust {
ca-identity entrust;


enrollment {
url http://ca-1.jnpr.net/cgi-bin/pkiclient.exe;
}


}


}


}

Certificate revocation list (CRL) verification is enabled by default. You can optionally specify the Lightweight Access Directory (LDAP) server where the CA stores the CRL. The certificate typically includes a certificate distribution point (CDP), which contains information about how to retrieve the CRL for the certificate. The router uses this information to download the CRL automatically. In this example, the LDAP URL is specified, which overrides the location provided in the certificate:



[edit]
security pki ca-profile entrust {


revocation-check {


crl {
url ldap://10.157.90.185/o=juniper,c=uscertificateRevocationListbase;
}


}


}

After you configure the CA profile, you can request a CA certificate from the trusted CA. In this example, the certificate is enrolled online and installed into the routing platform automatically.

user@R2> request security pki ca-certificate
enroll ca-profile entrust

Received following certificates:
  Certificate: C=us, O=juniper
    Fingerprint: 00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10
  Certificate: C=us, O=juniper, CN=First Officer
    Fingerprint: bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17
  Certificate: C=us, O=juniper, CN=First Officer
    Fingerprint: 46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f
Do you want to load the above CA certificate ? [yes,no] (no) yes

Note: If you obtain the CA certificate directly from the CA (for example, as an e-mail attachment or Web site download), you can install it with the request security pki ca-certificate load command.

Next, you must generate a private/public key pair before you can create a local certificate.

user@R2> request security pki generate-key-pair
certificate-id local-entrust2

Generated key pair local-entrust2, key size 1024 bits

When the key pair is available, generate a local certificate request and send it to the CA for processing.

user@R2> request security pki generate-certificate-request

certificate-id local-entrust2 domain-name router2.juniper.net
filename entrust-req2 subject cn=router2.juniper.net
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIBoTCCAQoCAQAwGjEYMBYGA1UEAxMPdHAxLmp1bmlwZXIubmV0MIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCiUFklQws1Ud+AqN5DDxRs2kVyKEhh9qoVFnz+
Hz4c9vsy3B8ElwTJlkmIt2cB3yifB6zePd+6WYpf57Crwre7YqPkiXM31F6z3YjX
H+1BPNbCxNWYvyrnSyVYDbFj8o0Xyqog8ACDfVL2JBWrPNBYy7imq/K9soDBbAs6
5hZqqwIDAQABoEcwRQYJKoZIhvcNAQkOMTgwNjAOBgNVHQ8BAf8EBAMCB4AwJAYD
VR0RAQH/BBowGIIWdHAxLmVuZ2xhYi5qdW5pcGVyLm5ldDANBgkqhkiG9w0BAQQF
AAOBgQBc2rq1v5SOQXH7LCb/FdqAL8ZM6GoaN5d6cGwq4bB6a7UQFgtoH406gQ3G
3iH0Zfz4xMIBpJYuGd1dkqgvcDoH3AgTsLkfn7Wi3x5H2qeQVs9bvL4P5nvEZLND
EIMUHwteolZCiZ70fO9Fer9cXWHSQs1UtXtgPqQJy2xIeImLgw==
-----END CERTIFICATE REQUEST-----
Fingerprint:
0d:90:b8:d2:56:74:fc:84:59:62:b9:78:71:9c:e4:9c:54:ba:16:97 (sha1)
1b:08:d4:f7:90:f1:c4:39:08:c9:de:76:00:86:62:b8 (md5)

Note: You can request the creation and installation of a local certificate online with the request security pki local-certificate enroll command. For more information, see Generating and Enrolling a Local Digital Certificate or the JUNOS System Basics and Services Command Reference.

The trusted CA digitally signs the local certificate and returns it to you. Copy the certificate file into the routing platform and load the certificate.

user@R2> request security pki local-certificate
load filename /tmp/router2-cert              certificate-id local-entrust2

Local certificate local-entrust2 loaded successfully

Note: The name of the file sent to you by the CA might not match the name of the certificate identifier. However, the certificate-id name must always match the name of the key pair you generated for the routing platform.

After the local and CA certificates have been loaded, you can reference them in your IPSec configuration.

Using default values in the AS PIC, you do not need to configure an IPSec proposal or IPSec policy. However, you must configure an IKE proposal that specifies the use of digital certificates, reference the IKE proposal and local certificate in an IKE policy, and apply the CA profile to the service set. To enable an IKE proposal for digital certificates, include the rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name authentication-method] hierarchy level. To reference the local certificate in the IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. To identify the CA or RA in the service set, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

Note: For more information about default IKE and IPSec policies and proposals on the AS PIC, see Table 45.

Optionally, you can configure automatic reenrollment of the certificate with the auto-re-enrollment statement at the [edit security pki] hierarchy level.

The remaining configuration components of your IKE-based IPSec tunnel are the same as when you use preshared keys. Enable OSPF as the underlying routing protocol to connect to Routers 1 and 3. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.

To direct traffic into the AS PIC and the IPSec tunnel, configure a next-hop style service set and add the adaptive services logical interface used as the IPSec inside interface into the OSPF configuration.

Router 2



[edit]
interfaces {


so-0/0/0 {
description "To R1 so-0/0/0";


unit 0 {


family inet {
address 10.1.12.1/30;
}


}


}




so-0/0/1 {
description "To R3 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.1/30;
}


}


}




sp-1/2/0 {


unit 0 {
family inet;
}




                   
unit 1 { #
sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                   
unit 2 { #
sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.2/32;
}


}


}


}
routing-options {
router-id 10.0.0.2;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
                   
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
interface lo0.0;
}


}


}
               
security { #
Configure CA profiles here, including the URLs used to reach the CAs.


pki {


ca-profile entrust {
ca-identity entrust;


enrollment {
url http://ca-1.jnpr.net/cgi-bin/pkiclient.exe;
}




                     
revocation-check {


                       
crl {
  url ldap://10.157.90.185/o=juniper,c=uscertificateRevocationListbase;
# Specify the URL of the LDAP server where the CA stores
the CRL.
}


}


}




ca-profile microsoft {
ca-identity microsoft;


enrollment {
url http://192.168.11.78:80/certsrv/mscep/mscep.dll;
}


}




ca-profile verisign {
ca-identity verisign;


enrollment {
url http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe;
}


}


}


}
services {


                 
service-set service-set-dynamic-BiEspsha3des
{ # Define your service set here.


                   
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                   
trusted-ca entrust; # Reference the CA profile here.
                   
local-gateway 10.1.15.1; # Specify the local IP address of the IPSec tunnel.
}


                 
ipsec-vpn-rules rule-ike; # Reference your IPSec VPN rule here.
}




ipsec-vpn {


                   
rule rule-ike { # Define your IPSec VPN rule here.


term term-ike {


then {
                       
remote-gateway 10.1.15.2; # The remote IP address of the IPSec tunnel.


                         
dynamic { # This creates a dynamic SA.
                         
ike-policy ike-digital-certificates; # Reference your IKE policy here.
}


}


}


                   
match-direction input; # Specify in which direction the rule should match.
}




ike {


proposal ike-proposal {
                     
authentication-method
rsa-signatures; # Uses digital certificates
}




policy ike-digital-certificates {
                     
proposals ike-proposal; # Apply the IKE proposal here.
                     
local-id fqdn router2.juniper.net; # Provide an identifier for the local router.
                     
local-certificate local-entrust2; # Reference the local certificate here.
                     
remote-id fqdn router3.juniper.net; # Provide an ID for the remote router.
}


}


establish-tunnels immediately;
}


}

On Router 3, you must repeat the digital certificate procedures you performed on Router 2. If the IPSec peers do not have a symmetrical configuration containing all the necessary components, they cannot establish a peering relationship.

You need to request a CA certificate, create a local certificate, load these digital certificates into the router, and reference them in your IPSec configuration. Begin by configuring an IPSec CA profile. Include the ca-profile statement at the [edit security pki] hierarchy level and specify the trusted CA and URL of the CA server that handles CA certificate processing. Include the CRL statements found on Router 2 to complete your CA profile on Router 3.

After you configure the CA profile, request a CA certificate from the trusted CA. In this example, the certificate is enrolled online and installed into the routing platform automatically.

user@R3> request security pki ca-certificate
enroll ca-profile entrust

Received following certificates:
  Certificate: C=us, O=juniper
    Fingerprint: 00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10
  Certificate: C=us, O=juniper, CN=First Officer
    Fingerprint: bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17
  Certificate: C=us, O=juniper, CN=First Officer
    Fingerprint: 46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f
Do you want to load the above CA certificate ? [yes,no] (no) yes

Next, generate a private/public key pair.

user@R3> request security pki generate-key-pair
certificate-id local-entrust3

Generated key pair local-entrust3, key size 1024 bits

When the key pair is available, you can generate a local certificate request and send it to the CA for processing.

user@R3> request security pki generate-certificate-request

certificate-id local-entrust3 domain-name router3.juniper.net
filename entrust-req3 subject cn=router3.juniper.net
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIB8jCCAVsCAQAwZTEYMBYGA1UEAxMPdHA1Lmp1bmlwZXIubmV0MRQwEgYDVQQL
EwtFbmdpbmVlcmluZzEQMA4GA1UEChMHSnVuaXBlcjETMBEGA1UECBMKQ2FsaWZv
cm5pYTEMMAoGA1UEBhMDVVNBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg
Wjo50w8jrnphs0sRFvqQMwC6PlYa65thrJ8nHZ2qgYgRbSrO8hdODhvU6/5VuD2/
zBtgV5ZSAOlyV6DXqlbVj/2XirQAJMRCr1eYu6DhYRBMNq/UaQv4Z8Sse1EJv+uR
HTNbD7xlwpw2zwzltRuGFtFr/FrGB0hF7IE+Xm5e2wIDAQABoE0wSwYJKoZIhvcN
AQkOMT4wPDAOBgNVHQ8BAf8EBAMCB4AwKgYDVR0RAQH/BCAwHocEwKhGk4IWdHA1
LmVuZ2xhYi5qdW5pcGVyLm5ldDANBgkqhkiG9w0BAQQFAAOBgQBbiJ+ZCeQ59/eY
4Rd6awIpJFTz0svRZLxxjFWogusVTmaD2dsqFBqftS1eJBdeiueRcYMF9vOn0GKm
FNfouegwei5+vzdNmNo55eIb3rs4pP62q0W5CUgmbHrjtp3lyJsvuOxTTcPNY8zw
b6GyM2Hdkk3Vh2ReX11tQUSqYujTjw==
-----END CERTIFICATE REQUEST-----
Fingerprint:
7c:e8:f9:45:93:8d:a3:92:7f:18:29:02:f1:c8:e2:85:3d:ad:df:1f (sha1)
00:4e:df:a0:6b:ad:8c:50:da:7c:a1:cf:5d:37:b0:ea (md5)

The trusted CA digitally signs the local certificate and returns it to you. Copy the certificate file into the routing platform and load the certificate.

user@R3> request security pki local-certificate
load filename /tmp/router3-cert certificate-id local-entrust3

Local certificate local-entrust3 loaded successfully

After the local and CA certificates have been loaded, you can reference them in your IPSec configuration. Using default values in the AS PIC, you do not need to configure an IPSec proposal or IPSec policy. However, you must configure an IKE proposal that uses digital certificates, reference the IKE proposal and local certificate in an IKE policy, and apply the CA profile to the service set. To enable the IKE proposal for digital certificates, include the rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name authentication-method] hierarchy level. To reference the local certificate in the IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. To identify the CA or RA in the service set, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

The remaining configuration components of your IKE-based IPSec tunnel are the same as when you use preshared keys. Enable OSPF as the underlying routing protocol to connect to Routers 2 and 4. Configure a bidirectional IKE dynamic SA in a rule called rule-ike at the [edit ipsec-vpn rule] hierarchy level. Reference this rule in a service set called service-set-dynamic-BiEspsha3des at the [edit services service-set] hierarchy level.

Router 3



[edit]
interfaces {


so-0/0/0 {
description "To R4 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.1/30;
}


}


}




so-0/0/1 {
description "To R2 so-0/0/1";


unit 0 {


family inet {
address 10.1.15.2/30;
}


}


}




sp-1/2/0 {


unit 0 {
family inet;
}




                   
unit 1 { #
sp-1/2/0.1 is the IPSec inside interface.
family inet;
service-domain inside;
}




                   
unit 2 { #
sp-1/2/0.2 is the IPSec outside interface.
family inet;
service-domain outside;
}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.3/32;
}


}


}


}
routing-options {
router-id 10.0.0.3;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
                   
interface sp-1/2/0.1; # This sends OSPF traffic over the IPSec tunnel.
interface lo0.0;
}


}


}
               
security { #
Configure CA profiles here, including the URLs used to reach the CAs.


pki {


ca-profile entrust {
ca-identity entrust;


enrollment {
url http://ca-1.jnpr.net/cgi-bin/pkiclient.exe;
}




                     
revocation-check {                   



                       
crl {
                       
url 
                     ldap://10.157.90.185/o=juniper,c=uscertificateRevocationListbase;                     

# Specify the URL of the LDAP server where the CA stores
the CRL.
}


}


}




ca-profile microsoft {
ca-identity microsoft;


enrollment {
url http://192.168.11.78:80/certsrv/mscep/mscep.dll;
}


}




ca-profile verisign {
ca-identity verisign;


enrollment {
url http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe;
}


}


}


}
services {


                 
service-set service-set-dynamic-BiEspsha3des
{ # Define your service set here.


                   
next-hop-service { # Required for dynamic routing protocols such as OSPF.
inside-service-interface sp-1/2/0.1;
outside-service-interface sp-1/2/0.2;
}




ipsec-vpn-options {
                   
trusted-ca entrust; # Reference the CA profile here.
                   
local-gateway 10.1.15.2; # Specify the local IP address of the IPSec tunnel.
}


                 
ipsec-vpn-rules rule-ike; # Reference your IPSec VPN rule here.
}




ipsec-vpn {


                   
rule rule-ike { # Define your IPSec VPN rule here.


term term-ike {


then {
                       
remote-gateway 10.1.15.1; # The remote IP address of the IPSec tunnel.


                         
dynamic { # This creates a dynamic SA.
                         
ike-policy ike-digital-certificates; # Reference your IKE policy here.
}


}


}


                   
match-direction input; # Specify in which direction the rule should match.
}




ike {


proposal ike-proposal {
                     
authentication-method
rsa-signatures; # Uses digital certificates
}




policy ike-digital-certificates {
                     
proposals ike-proposal; # Apply the IKE proposal here.
                     
local-id fqdn router3.juniper.net; # Provide an identifier for the local router.
                     
local-certificate local-entrust3; # Reference the local certificate here.
                     
remote-id fqdn router2.juniper.net; # Provide an ID for the remote router.
}


}


establish-tunnels immediately;
}


}

On Router 4, provide basic OSPF connectivity to Router 3.

Router 4



[edit]
interfaces {


so-0/0/0 {
description "To R3 so-0/0/0";


unit 0 {


family inet {
address 10.1.56.2/30;
}


}


}




lo0 {


unit 0 {


family inet {
address 10.0.0.4/32;
}


}


}


}
routing-options {
    router-id 10.0.0.4;
}
protocols {


ospf {


area 0.0.0.0 {
interface so-0/0/0.0;
interface lo0.0;
}


}


}

[Contents] [Prev] [Next] [Index] [Report an Error]