Configuring Multiple Certificate Types to Establish IKE and IPsec SAs

This example shows how to configure multiple certificate types to establish IKE and IPsec SAs.

Starting in Junos OS Release 22.4R1, when the authentication method in the IKE (Internet Key Exchange) proposal is configured as certificates with the set security ike proposal ike_proposal_name authentication-method certificates command, the tunnel can be established regardless of the certificate types used by the initiator and the responder.

You can view the enrolled certificates with the show security pki local-certificate certificate-id certificate-name detail command.

You can verify the enrolled certificates with the request security pki local-certificate verify certificate-id certificate-name command.
Requirements

Before you begin:

- Make sure that certificates are enrolled on the device; see Certificate Enrollment. You can view the certificates enrolled on the device with the request security pki local-certificate certificate-id certificate-name detail command.
- Make sure that the IKE package is installed and running by using the show version | match ike operational command. If the IKE package is not installed on the device, you can install it with the request system software add optional://junos-ike.tgz operational command; for details, see Enabling the IPsec VPN Feature Set.
Overview

In this example, you configure multiple certificate types to establish IKE and IPsec SAs between SRX_A and SRX_B.

In this example, an RSA certificate is enrolled on SRX_A and an ECDSA certificate is enrolled on SRX_B. For details on how to install certificates, see Certificate Enrollment.
| Device Name | Interface Used | IKE Gateway Address | IKE Gateway Local IP Address |
|---|---|---|---|
| SRX_A | ge-0/0/0 | 192.168.1.2 | 192.168.1.1 |
| SRX_B | ge-0/0/0 | 192.168.1.1 | 192.168.1.2 |
Topology

Figure 1 illustrates the topology for the multiple certificate type support configuration.
Configuration

Configuring SRX_A

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.2
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.1
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.

To configure multiple certificate types to establish IKE and IPsec SAs:

- View the certificates enrolled on the device with the show security pki local-certificate certificate-id certificate-name detail command. If no certificate is enrolled on the device, install one on the device. For details, see Certificate Enrollment.

- Configure the interfaces.

  user@srxa# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
  user@srxa# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
  user@srxa# set interfaces st0 unit 1 family inet

- Configure the security zones and security policies.

  user@srxa# set security zones security-zone trust host-inbound-traffic system-services all
  user@srxa# set security zones security-zone trust host-inbound-traffic protocols all
  user@srxa# set security zones security-zone trust interfaces ge-0/0/1
  user@srxa# set security zones security-zone untrust host-inbound-traffic system-services ike
  user@srxa# set security zones security-zone untrust interfaces ge-0/0/0
  user@srxa# set security zones security-zone VPN interfaces st0.1
  user@srxa# set security policies from-zone VPN to-zone trust policy 1 match source-address any
  user@srxa# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
  user@srxa# set security policies from-zone VPN to-zone trust policy 1 match application any
  user@srxa# set security policies from-zone VPN to-zone trust policy 1 then permit
  user@srxa# set security policies from-zone trust to-zone VPN policy 1 match source-address any
  user@srxa# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
  user@srxa# set security policies from-zone trust to-zone VPN policy 1 match application any
  user@srxa# set security policies from-zone trust to-zone VPN policy 1 then permit
  user@srxa# set security policies default-policy deny-all

- Configure the IKE (Internet Key Exchange) proposal.

  [edit]
  user@srxa# set security ike proposal IKE_PROP authentication-method certificates
  user@srxa# set security ike proposal IKE_PROP dh-group group5
  user@srxa# set security ike proposal IKE_PROP authentication-algorithm sha-256
  user@srxa# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc

- Configure the IKE (Internet Key Exchange) policy.

  [edit]
  user@srxa# set security ike policy IKE_POL proposals IKE_PROP
  user@srxa# set security ike policy IKE_POL certificate local-certificate r0_rsa_crt

- Configure the IKE (Internet Key Exchange) gateway.

  [edit]
  user@srxa# set security ike gateway IKE_GW ike-policy IKE_POL
  user@srxa# set security ike gateway IKE_GW address 192.168.1.2
  user@srxa# set security ike gateway IKE_GW external-interface ge-0/0/0
  user@srxa# set security ike gateway IKE_GW local-address 192.168.1.1
  user@srxa# set security ike gateway IKE_GW version v2-only

- Configure the IPsec proposal.

  [edit]
  user@srxa# set security ipsec proposal IPSEC_PROP protocol esp
  user@srxa# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
  user@srxa# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc

- Configure the IPsec policy.

  [edit]
  user@srxa# set security ipsec policy IPSEC_POL proposals IPSEC_PROP

- Configure the IPsec VPN.

  [edit]
  user@srxa# set security ipsec vpn IPSEC_VPN bind-interface st0.1
  user@srxa# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
  user@srxa# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
  user@srxa# set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@srxa# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.16.1.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
user@srxa# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r0_rsa_crt;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.2;
    external-interface ge-0/0/0;
    local-address 192.168.1.1;
    version v2-only;
}

[edit]
user@srxa# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels on-traffic;
}

When you are done configuring the device, enter commit from configuration mode.
Configuring SRX_B

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.1
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.2
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.

To configure multiple certificate types to establish IKE and IPsec SAs:

- View the certificates enrolled on the device with the request security pki local-certificate certificate-id certificate-name detail command. If no certificate is enrolled on the device, install one on the device. For details, see Certificate Enrollment.

- Configure the interfaces.

  user@srxb# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
  user@srxb# set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
  user@srxb# set interfaces st0 unit 1 family inet

- Configure the security zones and security policies.

  user@srxb# set security zones security-zone trust host-inbound-traffic system-services all
  user@srxb# set security zones security-zone trust host-inbound-traffic protocols all
  user@srxb# set security zones security-zone trust interfaces ge-0/0/1
  user@srxb# set security zones security-zone untrust host-inbound-traffic system-services ike
  user@srxb# set security zones security-zone untrust interfaces ge-0/0/0
  user@srxb# set security zones security-zone VPN interfaces st0.1
  user@srxb# set security policies from-zone VPN to-zone trust policy 1 match source-address any
  user@srxb# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
  user@srxb# set security policies from-zone VPN to-zone trust policy 1 match application any
  user@srxb# set security policies from-zone VPN to-zone trust policy 1 then permit
  user@srxb# set security policies from-zone trust to-zone VPN policy 1 match source-address any
  user@srxb# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
  user@srxb# set security policies from-zone trust to-zone VPN policy 1 match application any
  user@srxb# set security policies from-zone trust to-zone VPN policy 1 then permit
  user@srxb# set security policies default-policy deny-all

- Configure the IKE (Internet Key Exchange) proposal.

  [edit]
  user@srxb# set security ike proposal IKE_PROP authentication-method certificates
  user@srxb# set security ike proposal IKE_PROP dh-group group5
  user@srxb# set security ike proposal IKE_PROP authentication-algorithm sha-256
  user@srxb# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc

- Configure the IKE (Internet Key Exchange) policy.

  [edit]
  user@srxb# set security ike policy IKE_POL proposals IKE_PROP
  user@srxb# set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384

- Configure the IKE (Internet Key Exchange) gateway.

  [edit]
  user@srxb# set security ike gateway IKE_GW ike-policy IKE_POL
  user@srxb# set security ike gateway IKE_GW address 192.168.1.1
  user@srxb# set security ike gateway IKE_GW external-interface ge-0/0/0
  user@srxb# set security ike gateway IKE_GW local-address 192.168.1.2
  user@srxb# set security ike gateway IKE_GW version v2-only

- Configure the IPsec proposal.

  [edit]
  user@srxb# set security ipsec proposal IPSEC_PROP protocol esp
  user@srxb# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
  user@srxb# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc

- Configure the IPsec policy.

  [edit]
  user@srxb# set security ipsec policy IPSEC_POL proposals IPSEC_PROP

- Configure the IPsec VPN.

  [edit]
  user@srxb# set security ipsec vpn IPSEC_VPN bind-interface st0.1
  user@srxb# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
  user@srxb# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
  user@srxb# set security ipsec vpn IPSEC_VPN establish-tunnels immediately
Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@srxb# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.18.1.2/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
user@srxb# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r1_crt_ecdsa384;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.1;
    external-interface ge-0/0/0;
    local-address 192.168.1.2;
    version v2-only;
}

[edit]
user@srxb# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels immediately;
}

When you are done configuring the device, enter commit from configuration mode.
Verification

Confirm that the configuration is working properly.

Verifying SRX_A

The sample output shown is from SRX_A.

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ike security-associations command.

user@srxa> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
32      UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2  192.168.1.2

From operational mode, enter the show security ipsec security-associations command.

user@srxa> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID       Algorithm                SPI         Life:sec/kb   Mon  lsys  Port  Gateway
  <500033  ESP:aes-cbc-192/sha256   0x5f156c1b  2750/ unlim   -    root  500   192.168.1.2
  >500033  ESP:aes-cbc-192/sha256   0x7ea065e7  2750/ unlim   -    root  500   192.168.1.2

From operational mode, enter the show security ike security-associations detail command.

user@srxa> show security ike security-associations detail
IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.1:500, Remote: 192.168.1.2:500
  Lifetime: Expires in 28165 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  : 1346
   Output bytes  : 1887
   Input  packets: 3
   Output packets: 4
   Input  fragmented packets: 2
   Output fragmented packets: 3
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 500033

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.1:500, Remote: 192.168.1.2:500
    Local identity: 192.168.1.1
    Remote identity: 192.168.1.2
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                         Responder stats:
     Request Out              : 0             Request In               : 0
     Response In              : 0             Response Out             : 0
     No Proposal Chosen In    : 0             No Proposal Chosen Out   : 0
     Invalid KE In            : 0             Invalid KE Out           : 0
     TS Unacceptable In       : 0             TS Unacceptable Out      : 0
     Res DH Compute Key Fail  : 0             Res DH Compute Key Fail  : 0
     Res Verify SA Fail       : 0
     Res Verify DH Group Fail : 0
     Res Verify TS Fail       : 0

From operational mode, enter the show security ipsec security-associations detail command.

user@srxa> show security ipsec security-associations detail
ID: 500033 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 09 2023 22:41:36: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32
  Direction: outbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32

From operational mode, enter the show security pki local-certificate certificate-id r0_rsa_crt detail command.

user@srxa> show security pki local-certificate certificate-id r0_rsa_crt detail
LSYS: root-logical-system
Certificate identifier: r0_rsa_crt
  Certificate version: 3
  Serial number:
    hexadecimal: 0x0186a62478ae8f0cdd766eb38dbd53
    decimal: 7923302907757301847007106226306387
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r0, Domain component: juniper
  Subject string:
    DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r0@juniper.net", r0.juniper.net, 192.168.1.1
  Cert-Chain: Root-CA
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b0:e5:53:8d:7e:20:fa:6b:21:c2:d1
    2b:48:8f:af:c3:eb:8b:23:4a:f7:c5:1f:cf:2c:6a:b3:2e:8a:ef:1b
    f7:97:aa:fd:1d:ab:1c:76:9b:40:a3:ac:bb:49:f6:93:f9:e1:4e:62
    df:3d:ca:e5:d2:95:9c:a0:f4:2b:d7:7e:1d:20:94:69:a8:e4:cf:dc
    15:90:4c:be:1d:d8:1c:52:08:3a:d1:05:a3:bb:2f:8f:31:0c:6b:21
    ef:76:c3:c7:fb:be:4a:cb:da:cc:8d:04:3a:75:0c:eb:5d:e2:f6:13
    50:fe:39:67:c0:77:2f:32:b0:5e:38:6f:9c:79:b3:5d:f3:57:f4:f8
    42:f5:22:5b:6c:58:67:90:4e:1e:ec:6a:03:e2:c0:87:65:02:ca:da
    6f:95:0a:8c:2a:fd:45:4f:3a:b5:ef:18:05:1c:54:e6:fe:45:bb:73
    53:81:b2:c6:b7:36:36:57:6d:9c:d3:d9:80:e7:d6:85:92:74:32:88
    16:01:03:27:57:76:8e:5e:d6:73:ac:bf:68:fd:6d:a1:2a:8f:f5:3a
    29:b0:c9:44:9b:c8:46:c1:bf:c0:52:2a:f0:51:be:b5:f6:e1:f5:3e
    96:1d:3a:42:29:28:d3:cf:60:b9:eb:24:04:47:d3:f1:3f:5e:38:fc
    7f:33:f6:94:9d:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Fingerprint:
    4d:f6:89:c5:d6:3c:74:73:db:3e:f6:4b:1e:26:6c:c1:1c:1d:a7:4d (sha1)
    6b:1c:a8:1f:de:5a:9b:3e:d5:c4:85:29:af:3f:82:f2 (md5)
    6b:7a:b5:d1:57:cf:75:9d:1f:63:b9:f6:49:e4:4e:b3:13:2c:83:f1:f7:25:44:6f:45:2f:0d:2f:ae:a8:80:85 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.

user@srxa> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number:
    hexadecimal: 0x00000440
    decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
Verifying SRX_B

The sample output shown is from SRX_B.

Purpose

Verify the IPsec Phase 2 status.

Action

From operational mode, enter the show security ike security-associations command.

user@srxb> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode   Remote Address
56042   UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2  192.168.1.1

From operational mode, enter the show security ipsec security-associations command.

user@srxb> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID       Algorithm                SPI         Life:sec/kb   Mon  lsys  Port  Gateway
  <500230  ESP:aes-cbc-192/sha256   0x7ea065e7  2638/ unlim   -    root  500   192.168.1.1
  >500230  ESP:aes-cbc-192/sha256   0x5f156c1b  2638/ unlim   -    root  500   192.168.1.1

From operational mode, enter the show security ike security-associations detail command.

user@srxb> show security ike security-associations detail
IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.2:500, Remote: 192.168.1.1:500
  Lifetime: Expires in 18995 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  : 2934
   Output bytes  : 2379
   Input  packets: 10
   Output packets: 9
   Input  fragmented packets: 3
   Output fragmented packets: 2
  IPSec security associations: 8 created, 3 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 500230

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.1:500
    Local identity: 192.168.1.2
    Remote identity: 192.168.1.1
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                         Responder stats:
     Request Out              : 1             Request In               : 2
     Response In              : 1             Response Out             : 2
     No Proposal Chosen In    : 0             No Proposal Chosen Out   : 0
     Invalid KE In            : 0             Invalid KE Out           : 0
     TS Unacceptable In       : 0             TS Unacceptable Out      : 0
     Res DH Compute Key Fail  : 0             Res DH Compute Key Fail  : 0
     Res Verify SA Fail       : 0
     Res Verify DH Group Fail : 0
     Res Verify TS Fail       : 0

From operational mode, enter the show security ipsec security-associations detail command.

user@srxb> show security ipsec security-associations detail
ID: 500230 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 02 2023 22:26:16: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042
  Direction: outbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042

From operational mode, enter the show security pki local-certificate certificate-id r1_crt_ecdsa384 detail command.

user@srxb> show security pki local-certificate certificate-id r1_crt_ecdsa384 detail
LSYS: root-logical-system
Certificate identifier: r1_crt_ecdsa384
  Certificate version: 3
  Serial number:
    hexadecimal: 0x0186a6254347a38063946d08595a55
    decimal: 7923303152683216740296668848151125
  Issuer:
    Organization: juniper, Country: India, Common name: root-ecdsa-384
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r1_spk1, Domain component: juniper
  Subject string:
    DC=juniper, CN=r1_spk1, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r1_spk1@juniper.net", r1_spk1.juniper.net, 192.168.2
  Cert-Chain: root-ecdsa-384
  Validity:
    Not before: 03- 3-2023 05:55 UTC
    Not after: 06- 6-2027 13:21 UTC
  Public key algorithm: ecdsaEncryption(384 bits)
    04:c2:ba:19:dc:0d:62:a7:94:7b:9b:1d:4d:ff:a1:e1:44:b5:57:a7
    cb:7d:33:6b:35:87:b8:e4:ca:44:b1:6c:6d:63:ae:6f:3c:31:7c:7e
    65:99:b3:2d:a3:76:30:23:e5:0e:34:e1:28:54:d6:3e:d3:8b:de:b6
    b9:45:05:82:6f:1d:20:b7:6f:3c:ce:a2:13:a2:b4:37:0b:db:35:1e
    20:54:b5:06:9d:f8:7f:19:7b:c5:d7:7b:57:8b:28:31:d3
  Signature algorithm: ecdsa-with-SHA384
  Fingerprint:
    9b:cb:5a:57:a8:60:a0:ee:5c:be:59:4c:db:35:39:d3:b7:29:ef:b1 (sha1)
    ef:b5:e3:be:35:1b:6e:02:0b:61:11:a5:53:07:b4:89 (md5)
    8f:86:d0:12:ea:bc:a8:81:a8:17:3a:f9:03:e4:91:57:20:9c:11:bc:a4:dd:d1:7f:d1:48:3f:5b:d9:fb:93:32 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.

user@srxb> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number:
    hexadecimal: 0x00000440
    decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
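As an added example (not part of Juniper's documentation or of Junos), the following Python script automates the cross-checks a practitioner would make by eye in the SRX_A and SRX_B verification sections above: for each peer it parses constructed, abridged samples of the show security ike security-associations detail and show security pki local-certificate ... detail output, and confirms that the IKE SA is UP, that the negotiated authentication method (RSA-signatures on the RSA side, ECDSA-384-signatures on the ECDSA side) matches the key type of that peer's own local certificate, that the certificate is inside its validity window, and that both devices report the same IKE SA cookies. All function and field names are the example's own; the mapping for ECDSA key sizes other than 384 is an assumption by analogy with the string shown in this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged sample output from SRX_A (RSA certificate). Not real device output.
IKE_SA_SRX_A = """\
IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: RSA-signatures
"""
CERT_SRX_A = """\
Certificate identifier: r0_rsa_crt
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
"""
# Constructed, abridged sample output from SRX_B (ECDSA P-384 certificate).
IKE_SA_SRX_B = """\
IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
"""
CERT_SRX_B = """\
Certificate identifier: r1_crt_ecdsa384
  Issuer:
    Organization: juniper, Country: India, Common name: root-ecdsa-384
  Validity:
    Not before: 03- 3-2023 05:55 UTC
    Not after: 06- 6-2027 13:21 UTC
  Public key algorithm: ecdsaEncryption(384 bits)
"""

def field(text, name):
    """Value following 'name:' up to the next comma or end of line (None if absent)."""
    m = re.search(rf"{re.escape(name)}:\s*([^,\n]+)", text)
    return m.group(1).strip() if m else None

def junos_time(value):
    """Parse a Junos validity stamp such as '03- 3-2023 05:54 UTC' (the day is space-padded)."""
    m = re.fullmatch(r"(\d{2})-\s*(\d{1,2})-(\d{4}) (\d{2}):(\d{2}) UTC", value.strip())
    month, day, year, hour, minute = (int(x) for x in m.groups())
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def parse_ike_sa(text):
    """Fields of one 'IKE peer' block that the checks below need."""
    return {
        "peer": re.search(r"IKE peer (\S+),", text).group(1),
        "state": field(text, "State"),
        "auth_method": field(text, "Authentication method"),
        "cookies": (field(text, "Initiator cookie"), field(text, "Responder cookie")),
    }

def parse_local_cert(text):
    """Identifier, key type/size and validity window of a local certificate."""
    algo, bits = re.search(r"Public key algorithm: (\w+)\((\d+) bits\)", text).groups()
    return {
        "id": field(text, "Certificate identifier"),
        "key_algorithm": algo,
        "key_bits": int(bits),
        "not_before": junos_time(field(text, "Not before")),
        "not_after": junos_time(field(text, "Not after")),
    }

def expected_ike_auth(key_algorithm, key_bits):
    """IKE authentication method Junos reports for a local key type. 'RSA-signatures' and
    'ECDSA-384-signatures' appear in this example; other ECDSA sizes are assumed to follow suit."""
    if key_algorithm == "rsaEncryption":
        return "RSA-signatures"
    if key_algorithm == "ecdsaEncryption":
        return f"ECDSA-{key_bits}-signatures"
    return None

def check_peer(ike_text, cert_text, now, warn_days=30):
    """Findings for one peer: SA state, auth method vs. local key type, certificate validity."""
    sa, cert = parse_ike_sa(ike_text), parse_local_cert(cert_text)
    findings = []
    if sa["state"] != "UP":
        findings.append(f"IKE SA to {sa['peer']} is {sa['state']}, not UP")
    want = expected_ike_auth(cert["key_algorithm"], cert["key_bits"])
    if sa["auth_method"] != want:
        findings.append(f"IKE used {sa['auth_method']} but {cert['id']} implies {want}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append(f"{cert['id']} is outside its validity window")
    elif cert["not_after"] - now < timedelta(days=warn_days):
        findings.append(f"{cert['id']} expires within {warn_days} days")
    return findings

def same_ike_sa(ike_text_a, ike_text_b):
    """The same IKE SA seen from both ends carries identical initiator/responder cookies."""
    return parse_ike_sa(ike_text_a)["cookies"] == parse_ike_sa(ike_text_b)["cookies"]
```

At the time of the tunnel event in this example, check_peer returns an empty list for both constructed peers, and same_ike_sa confirms that SRX_A and SRX_B are reporting one and the same IKE SA; feeding SRX_A's SA output with SRX_B's certificate produces the authentication-method mismatch finding.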