When you configure authentication-method rsa-signatures at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, public key infrastructure (PKI) digital certificates authenticate peers; for more information, see Configuring an IKE Authentication Method. You must identify a local certificate that is sent to the peer during the IKE authentication phase.
To configure an IKE policy local certificate, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:

    local-certificate identifier;
The local-certificate statement specifies the identifier used to obtain the end entity's certificate from the certification authority. Configuring it per IKE policy lets you use a separate certificate for each remote peer when that is needed. You must also specify the identity of the certification authority by configuring the ca-profile statement at the [edit security pki] hierarchy level; for more information, see the JUNOS System Basics Configuration Guide. For complete examples of digital certificate configuration, see the JUNOS Feature Guide.
You can use the configured profiles to establish a set of trusted certification authorities for use with a particular service set. This enables you to configure separate service sets for individual clients to whom you are providing IP services; the distinct service sets provide logical separation of one set of IKE sessions from another, using different local gateway addresses or virtualization. To configure the set of trusted certification authorities, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:

    trusted-ca ca-profile;
For more information, see Configuring IPSec Options.
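The following configuration ties the statements above together: an IKE proposal using rsa-signatures, an IKE policy that names the local certificate, the CA profile under [edit security pki], and a service set whose ipsec-vpn-options limits trust to that CA. It is an added example, not taken from the JUNOS documentation. The profile, policy, proposal and service-set names, the certificate identifier (peer-a-cert), the enrollment URL and the 192.0.2.0/24 addresses are constructed placeholders; the hierarchy levels and the authentication-method, local-certificate, ca-profile and trusted-ca statements are those named in the text, while the surrounding statements (proposals, mode, ca-identity, enrollment, local-gateway, interface-service) are standard Junos statements assumed here for a complete, committable fragment.

```junos
security {
    pki {
        /* CA profile: identifies the certification authority whose
           certificates are accepted; referenced below by trusted-ca */
        ca-profile example-ca {
            ca-identity example-ca;                /* assumed CA identity */
            enrollment {
                url http://ca.example.net/scep;    /* placeholder SCEP URL */
            }
        }
    }
}
services {
    ipsec-vpn {
        ike {
            proposal ike-prop-rsa {
                /* Peers authenticate with PKI certificates, not a shared key */
                authentication-method rsa-signatures;
                dh-group group2;
                authentication-algorithm sha1;
                encryption-algorithm aes-128-cbc;
            }
            policy ike-pol-peer-a {
                mode main;
                proposals ike-prop-rsa;
                /* Identifier of the end-entity certificate sent to this peer;
                   a different policy can name a different certificate */
                local-certificate peer-a-cert;
            }
        }
    }
    service-set vpn-client-a {
        ipsec-vpn-options {
            local-gateway 192.0.2.1;               /* placeholder gateway */
            /* Only certificates issued by this CA are trusted for IKE
               sessions in this service set */
            trusted-ca example-ca;
        }
        interface-service {
            service-interface sp-0/0/0;            /* assumed services interface */
        }
    }
}
```

A second client gets its own service set with a different local-gateway and, if required, its own IKE policy pointing at a different local-certificate and a different trusted-ca, which is what keeps one client's IKE sessions logically separate from another's. The identifier given to local-certificate must match the name under which the end-entity certificate was obtained from the CA; a mismatch leaves the router without a certificate to present and IKE authentication fails.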