Configuring Multiple Certificate Types to Establish IKE and IPsec SAs
This example shows how to configure multiple certificate types to establish IKE and IPsec SAs.
Starting in Junos OS Release 22.4R1, you can establish tunnels regardless of the certificate type used on the initiator and the responder, provided the authentication method in the IKE proposal is set to certificates with the set security ike proposal ike_proposal_name authentication-method certificates command.
You can view the enrolled certificate with the show security pki local-certificate certificate-id certificate-name detail command.
You can verify the enrolled certificate with the request security pki local-certificate verify certificate-id certificate-name command.
Requirements
Before you begin:
- Make sure certificates are enrolled on your devices; see Certificate Enrollment. You can view the certificates enrolled on your devices with the show security pki local-certificate certificate-id certificate-name detail command.
- Make sure the IKE package is installed. To check whether it is installed, use the show version | match ike operational command. If the IKE package is not installed on the device, install it with the request system software add optional://junos-ike.tgz operational command; for more information, see Enabling the IPsec VPN Feature Set.
Overview
This example configures multiple certificate types to establish IKE and IPsec SAs between SRX_A and SRX_B.
In this example, an RSA certificate is enrolled on SRX_A and an ECDSA certificate on SRX_B. For more information about installing the certificates, see Certificate Enrollment.
Device Name | Interface Used | IKE Gateway Address | IKE Gateway Local IP Address |
---|---|---|---|
SRX_A | ge-0/0/0 | 192.168.1.2 | 192.168.1.1 |
SRX_B | ge-0/0/0 | 192.168.1.1 | 192.168.1.2 |
Topology
Figure 1 shows the topology for the configuration that supports multiple certificate types.
Configuration
Configuring SRX_A
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
    set interfaces st0 unit 1 family inet
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0
    set security zones security-zone VPN interfaces st0.1
    set security policies from-zone VPN to-zone trust policy 1 match source-address any
    set security policies from-zone VPN to-zone trust policy 1 match destination-address any
    set security policies from-zone VPN to-zone trust policy 1 match application any
    set security policies from-zone VPN to-zone trust policy 1 then permit
    set security policies from-zone trust to-zone VPN policy 1 match source-address any
    set security policies from-zone trust to-zone VPN policy 1 match destination-address any
    set security policies from-zone trust to-zone VPN policy 1 match application any
    set security policies from-zone trust to-zone VPN policy 1 then permit
    set security policies default-policy deny-all
    set security ike proposal IKE_PROP authentication-method certificates
    set security ike proposal IKE_PROP dh-group group5
    set security ike proposal IKE_PROP authentication-algorithm sha-256
    set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
    set security ike policy IKE_POL proposals IKE_PROP
    set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
    set security ike gateway IKE_GW ike-policy IKE_POL
    set security ike gateway IKE_GW address 192.168.1.2
    set security ike gateway IKE_GW external-interface ge-0/0/0
    set security ike gateway IKE_GW local-address 192.168.1.1
    set security ike gateway IKE_GW version v2-only
    set security ipsec proposal IPSEC_PROP protocol esp
    set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
    set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP
    set security ipsec vpn IPSEC_VPN bind-interface st0.1
    set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
    set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
    set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SAs:
- View the certificates enrolled on your devices with the show security pki local-certificate certificate-id certificate-name detail command. Install the certificate on your device if it does not have the certificates enrolled. For more information, see Certificate Enrollment.
- Configure the interfaces.

    [edit]
    user@srxa# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
    user@srxa# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
    user@srxa# set interfaces st0 unit 1 family inet

- Configure the security zones and the security policy.

    [edit]
    user@srxa# set security zones security-zone trust host-inbound-traffic system-services all
    user@srxa# set security zones security-zone trust host-inbound-traffic protocols all
    user@srxa# set security zones security-zone trust interfaces ge-0/0/1
    user@srxa# set security zones security-zone untrust host-inbound-traffic system-services ike
    user@srxa# set security zones security-zone untrust interfaces ge-0/0/0
    user@srxa# set security zones security-zone VPN interfaces st0.1
    user@srxa# set security policies from-zone VPN to-zone trust policy 1 match source-address any
    user@srxa# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
    user@srxa# set security policies from-zone VPN to-zone trust policy 1 match application any
    user@srxa# set security policies from-zone VPN to-zone trust policy 1 then permit
    user@srxa# set security policies from-zone trust to-zone VPN policy 1 match source-address any
    user@srxa# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
    user@srxa# set security policies from-zone trust to-zone VPN policy 1 match application any
    user@srxa# set security policies from-zone trust to-zone VPN policy 1 then permit
    user@srxa# set security policies default-policy deny-all

- Configure the IKE proposal.

    [edit]
    user@srxa# set security ike proposal IKE_PROP authentication-method certificates
    user@srxa# set security ike proposal IKE_PROP dh-group group5
    user@srxa# set security ike proposal IKE_PROP authentication-algorithm sha-256
    user@srxa# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc

- Configure the IKE policy.

    [edit]
    user@srxa# set security ike policy IKE_POL proposals IKE_PROP
    user@srxa# set security ike policy IKE_POL certificate local-certificate r0_rsa_crt

- Configure the IKE gateway.

    [edit]
    user@srxa# set security ike gateway IKE_GW ike-policy IKE_POL
    user@srxa# set security ike gateway IKE_GW address 192.168.1.2
    user@srxa# set security ike gateway IKE_GW external-interface ge-0/0/0
    user@srxa# set security ike gateway IKE_GW local-address 192.168.1.1
    user@srxa# set security ike gateway IKE_GW version v2-only

- Configure the IPsec proposal.

    [edit]
    user@srxa# set security ipsec proposal IPSEC_PROP protocol esp
    user@srxa# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
    user@srxa# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc

- Configure the IPsec policy.

    [edit]
    user@srxa# set security ipsec policy IPSEC_POL proposals IPSEC_PROP

- Configure the IPsec VPN.

    [edit]
    user@srxa# set security ipsec vpn IPSEC_VPN bind-interface st0.1
    user@srxa# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
    user@srxa# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
    user@srxa# set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@srxa# show interfaces
    ge-0/0/0 {
        description untrust;
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        description trust;
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }

    [edit]
    user@srxa# show security ike
    proposal IKE_PROP {
        authentication-method certificates;
        dh-group group5;
        authentication-algorithm sha-256;
        encryption-algorithm aes-128-cbc;
    }
    policy IKE_POL {
        proposals IKE_PROP;
        certificate {
            local-certificate r0_rsa_crt;
        }
    }
    gateway IKE_GW {
        ike-policy IKE_POL;
        address 192.168.1.2;
        external-interface ge-0/0/0;
        local-address 192.168.1.1;
        version v2-only;
    }

    [edit]
    user@srxa# show security ipsec
    proposal IPSEC_PROP {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-192-cbc;
    }
    policy IPSEC_POL {
        proposals IPSEC_PROP;
    }
    vpn IPSEC_VPN {
        bind-interface st0.1;
        ike {
            gateway IKE_GW;
            ipsec-policy IPSEC_POL;
        }
        establish-tunnels on-traffic;
    }

If you are done configuring the device, enter commit from configuration mode.
Configuring SRX_B
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

    set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
    set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
    set interfaces st0 unit 1 family inet
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1
    set security zones security-zone untrust host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0
    set security zones security-zone VPN interfaces st0.1
    set security policies from-zone VPN to-zone trust policy 1 match source-address any
    set security policies from-zone VPN to-zone trust policy 1 match destination-address any
    set security policies from-zone VPN to-zone trust policy 1 match application any
    set security policies from-zone VPN to-zone trust policy 1 then permit
    set security policies from-zone trust to-zone VPN policy 1 match source-address any
    set security policies from-zone trust to-zone VPN policy 1 match destination-address any
    set security policies from-zone trust to-zone VPN policy 1 match application any
    set security policies from-zone trust to-zone VPN policy 1 then permit
    set security policies default-policy deny-all
    set security ike proposal IKE_PROP authentication-method certificates
    set security ike proposal IKE_PROP dh-group group5
    set security ike proposal IKE_PROP authentication-algorithm sha-256
    set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
    set security ike policy IKE_POL proposals IKE_PROP
    set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
    set security ike gateway IKE_GW ike-policy IKE_POL
    set security ike gateway IKE_GW address 192.168.1.1
    set security ike gateway IKE_GW external-interface ge-0/0/0
    set security ike gateway IKE_GW local-address 192.168.1.2
    set security ike gateway IKE_GW version v2-only
    set security ipsec proposal IPSEC_PROP protocol esp
    set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
    set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP
    set security ipsec vpn IPSEC_VPN bind-interface st0.1
    set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
    set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
    set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SAs:
- View the certificates enrolled on your devices with the show security pki local-certificate certificate-id certificate-name detail command. Install the certificate on your device if it does not have the certificates enrolled. For more information, see Certificate Enrollment.
- Configure the interfaces.

    [edit]
    user@srxb# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
    user@srxb# set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
    user@srxb# set interfaces st0 unit 1 family inet

- Configure the security zones and the security policy.

    [edit]
    user@srxb# set security zones security-zone trust host-inbound-traffic system-services all
    user@srxb# set security zones security-zone trust host-inbound-traffic protocols all
    user@srxb# set security zones security-zone trust interfaces ge-0/0/1
    user@srxb# set security zones security-zone untrust host-inbound-traffic system-services ike
    user@srxb# set security zones security-zone untrust interfaces ge-0/0/0
    user@srxb# set security zones security-zone VPN interfaces st0.1
    user@srxb# set security policies from-zone VPN to-zone trust policy 1 match source-address any
    user@srxb# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
    user@srxb# set security policies from-zone VPN to-zone trust policy 1 match application any
    user@srxb# set security policies from-zone VPN to-zone trust policy 1 then permit
    user@srxb# set security policies from-zone trust to-zone VPN policy 1 match source-address any
    user@srxb# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
    user@srxb# set security policies from-zone trust to-zone VPN policy 1 match application any
    user@srxb# set security policies from-zone trust to-zone VPN policy 1 then permit
    user@srxb# set security policies default-policy deny-all

- Configure the IKE proposal.

    [edit]
    user@srxb# set security ike proposal IKE_PROP authentication-method certificates
    user@srxb# set security ike proposal IKE_PROP dh-group group5
    user@srxb# set security ike proposal IKE_PROP authentication-algorithm sha-256
    user@srxb# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc

- Configure the IKE policy.

    [edit]
    user@srxb# set security ike policy IKE_POL proposals IKE_PROP
    user@srxb# set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384

- Configure the IKE gateway.

    [edit]
    user@srxb# set security ike gateway IKE_GW ike-policy IKE_POL
    user@srxb# set security ike gateway IKE_GW address 192.168.1.1
    user@srxb# set security ike gateway IKE_GW external-interface ge-0/0/0
    user@srxb# set security ike gateway IKE_GW local-address 192.168.1.2
    user@srxb# set security ike gateway IKE_GW version v2-only

- Configure the IPsec proposal.

    [edit]
    user@srxb# set security ipsec proposal IPSEC_PROP protocol esp
    user@srxb# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
    user@srxb# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc

- Configure the IPsec policy.

    [edit]
    user@srxb# set security ipsec policy IPSEC_POL proposals IPSEC_PROP

- Configure the IPsec VPN.

    [edit]
    user@srxb# set security ipsec vpn IPSEC_VPN bind-interface st0.1
    user@srxb# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
    user@srxb# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
    user@srxb# set security ipsec vpn IPSEC_VPN establish-tunnels immediately
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@srxb# show interfaces
    ge-0/0/0 {
        description untrust;
        unit 0 {
            family inet {
                address 192.168.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        description trust;
        unit 0 {
            family inet {
                address 172.18.1.2/24;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }

    [edit]
    user@srxb# show security ike
    proposal IKE_PROP {
        authentication-method certificates;
        dh-group group5;
        authentication-algorithm sha-256;
        encryption-algorithm aes-128-cbc;
    }
    policy IKE_POL {
        proposals IKE_PROP;
        certificate {
            local-certificate r1_crt_ecdsa384;
        }
    }
    gateway IKE_GW {
        ike-policy IKE_POL;
        address 192.168.1.1;
        external-interface ge-0/0/0;
        local-address 192.168.1.2;
        version v2-only;
    }

    [edit]
    user@srxb# show security ipsec
    proposal IPSEC_PROP {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-192-cbc;
    }
    policy IPSEC_POL {
        proposals IPSEC_PROP;
    }
    vpn IPSEC_VPN {
        bind-interface st0.1;
        ike {
            gateway IKE_GW;
            ipsec-policy IPSEC_POL;
        }
        establish-tunnels immediately;
    }

If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying SRX_A
The sample outputs shown are from SRX_A.
Purpose
Verify the IPsec Phase 2 status.
Action
From operational mode, enter the show security ike security-associations command.

    user@srxa> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    32      UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.2

From operational mode, enter the show security ipsec security-associations command.

    user@srxa> show security ipsec security-associations
      Total active tunnels: 1     Total IPsec sas: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <500033 ESP:aes-cbc-192/sha256 0x5f156c1b 2750/ unlim - root 500 192.168.1.2
      >500033 ESP:aes-cbc-192/sha256 0x7ea065e7 2750/ unlim - root 500 192.168.1.2

From operational mode, enter the show security ike security-associations detail command.

    user@srxa> show security ike security-associations detail
    IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
      Role: Responder, State: UP
      Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
      Exchange type: IKEv2, Authentication method: RSA-signatures
      Local gateway interface: ge-0/0/0.0
      Routing instance: default
      Local: 192.168.1.1:500, Remote: 192.168.1.2:500
      Lifetime: Expires in 28165 seconds
      Reauth Lifetime: Disabled
      IKE Fragmentation: Enabled, Size: 576
      Remote Access Client Info: Unknown Client
      Peer ike-id: 192.168.1.2
      AAA assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha256-128
       Encryption            : aes128-cbc
       Pseudo random function: hmac-sha256
       Diffie-Hellman group  : DH-group-5
      Traffic statistics:
       Input  bytes  :                 1346
       Output bytes  :                 1887
       Input  packets:                    3
       Output packets:                    4
       Input  fragmented packets:         2
       Output fragmented packets:         3
      IPSec security associations: 2 created, 0 deleted
      Phase 2 negotiations in progress: 1
      IPSec Tunnel IDs: 500033

        Negotiation type: Quick mode, Role: Responder, Message ID: 0
        Local: 192.168.1.1:500, Remote: 192.168.1.2:500
        Local identity: 192.168.1.1
        Remote identity: 192.168.1.2
        Flags: IKE SA is created

      IPsec SA Rekey CREATE_CHILD_SA exchange stats:
       Initiator stats:                             Responder stats:
        Request Out              : 0                 Request In                  : 0
        Response In              : 0                 Response Out                : 0
        No Proposal Chosen In    : 0                 No Proposal Chosen Out      : 0
        Invalid KE In            : 0                 Invalid KE Out              : 0
        TS Unacceptable In       : 0                 TS Unacceptable Out         : 0
        Res DH Compute Key Fail  : 0                 Res DH Compute Key Fail     : 0
        Res Verify SA Fail       : 0
        Res Verify DH Group Fail : 0
        Res Verify TS Fail       : 0

From operational mode, enter the show security ipsec security-associations detail command.

    user@srxa> show security ipsec security-associations detail
    ID: 500033 Virtual-system: root, VPN Name: IPSEC_VPN
      Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
      Local Identity: ipv4(0.0.0.0-255.255.255.255)
      Remote Identity: ipv4(0.0.0.0-255.255.255.255)
      TS Type: proxy-id
      Version: IKEv2
      PFS group: N/A
      DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
      Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
      Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
      Tunnel events:
        Thu Mar 09 2023 22:41:36: IPsec SA negotiation succeeds (1 times)
      Location: FPC 0, PIC 0, KMD-Instance 0
      Anchorship: Thread 1
      Distribution-Profile: default-profile
      Direction: inbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 2895 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2286 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Extended-Sequence-Number: Disabled
        tunnel-establishment: establish-tunnels-on-traffic
        IKE SA Index: 32
      Direction: outbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 2895 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2286 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Extended-Sequence-Number: Disabled
        tunnel-establishment: establish-tunnels-on-traffic
        IKE SA Index: 32

From operational mode, enter the show security pki local-certificate certificate-id r0_rsa_crt detail command.

    user@srxa> show security pki local-certificate certificate-id r0_rsa_crt detail
    LSYS: root-logical-system
    Certificate identifier: r0_rsa_crt
      Certificate version: 3
      Serial number: hexadecimal: 0x0186a62478ae8f0cdd766eb38dbd53 decimal: 7923302907757301847007106226306387
      Issuer:
        Organization: juniper, Country: India, Common name: Root-CA
      Subject:
        Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r0, Domain component: juniper
      Subject string:
        DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
      Alternate subject: "r0@juniper.net", r0.juniper.net, 192.168.1.1
      Cert-Chain: Root-CA
      Validity:
        Not before: 03- 3-2023 05:54 UTC
        Not after: 06- 6-2027 12:36 UTC
      Public key algorithm: rsaEncryption(2048 bits)
        30:82:01:0a:02:82:01:01:00:b0:e5:53:8d:7e:20:fa:6b:21:c2:d1
        2b:48:8f:af:c3:eb:8b:23:4a:f7:c5:1f:cf:2c:6a:b3:2e:8a:ef:1b
        f7:97:aa:fd:1d:ab:1c:76:9b:40:a3:ac:bb:49:f6:93:f9:e1:4e:62
        df:3d:ca:e5:d2:95:9c:a0:f4:2b:d7:7e:1d:20:94:69:a8:e4:cf:dc
        15:90:4c:be:1d:d8:1c:52:08:3a:d1:05:a3:bb:2f:8f:31:0c:6b:21
        ef:76:c3:c7:fb:be:4a:cb:da:cc:8d:04:3a:75:0c:eb:5d:e2:f6:13
        50:fe:39:67:c0:77:2f:32:b0:5e:38:6f:9c:79:b3:5d:f3:57:f4:f8
        42:f5:22:5b:6c:58:67:90:4e:1e:ec:6a:03:e2:c0:87:65:02:ca:da
        6f:95:0a:8c:2a:fd:45:4f:3a:b5:ef:18:05:1c:54:e6:fe:45:bb:73
        53:81:b2:c6:b7:36:36:57:6d:9c:d3:d9:80:e7:d6:85:92:74:32:88
        16:01:03:27:57:76:8e:5e:d6:73:ac:bf:68:fd:6d:a1:2a:8f:f5:3a
        29:b0:c9:44:9b:c8:46:c1:bf:c0:52:2a:f0:51:be:b5:f6:e1:f5:3e
        96:1d:3a:42:29:28:d3:cf:60:b9:eb:24:04:47:d3:f1:3f:5e:38:fc
        7f:33:f6:94:9d:02:03:01:00:01
      Signature algorithm: sha256WithRSAEncryption
      Fingerprint:
        4d:f6:89:c5:d6:3c:74:73:db:3e:f6:4b:1e:26:6c:c1:1c:1d:a7:4d (sha1)
        6b:1c:a8:1f:de:5a:9b:3e:d5:c4:85:29:af:3f:82:f2 (md5)
        6b:7a:b5:d1:57:cf:75:9d:1f:63:b9:f6:49:e4:4e:b3:13:2c:83:f1:f7:25:44:6f:45:2f:0d:2f:ae:a8:80:85 (sha256)
      Auto-re-enrollment:
        Status: Disabled
        Next trigger time: Timer not started

From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.

    user@srxa> show security pki ca-certificate ca-profile Root-CA detail
    LSYS: root-logical-system
    CA profile: Root-CA
    Certificate identifier: Root-CA
      Certificate version: 3
      Serial number: hexadecimal: 0x00000440 decimal: 1088
      Issuer:
        Organization: juniper, Country: India, Common name: Root-CA
      Subject:
        Organization: juniper, Country: India, Common name: Root-CA
      Subject string:
        C=India, O=juniper, CN=Root-CA
      Validity:
        Not before: 06- 7-2022 12:36 UTC
        Not after: 06- 6-2027 12:36 UTC
      Public key algorithm: rsaEncryption(2048 bits)
        30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
        8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
        98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
        9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
        e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
        e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
        28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
        4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
        04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
        6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
        08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
        1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
        0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
        8d:ab:30:7d:7f:02:03:01:00:01
      Signature algorithm: sha256WithRSAEncryption
      Distribution CRL:
        http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
      Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
      Fingerprint:
        8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
        ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
        9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
Verifying SRX_B
The sample outputs shown are from SRX_B.
Purpose
Verify the IPsec Phase 2 status.
Action
From operational mode, enter the show security ike security-associations command.

    user@srxb> show security ike security-associations
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
    56042   UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.1

From operational mode, enter the show security ipsec security-associations command.

    user@srxb> show security ipsec security-associations
      Total active tunnels: 1     Total IPsec sas: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
      <500230 ESP:aes-cbc-192/sha256 0x7ea065e7 2638/ unlim - root 500 192.168.1.1
      >500230 ESP:aes-cbc-192/sha256 0x5f156c1b 2638/ unlim - root 500 192.168.1.1

From operational mode, enter the show security ike security-associations detail command.

    user@srxb> show security ike security-associations detail
    IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
      Role: Responder, State: UP
      Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
      Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
      Local gateway interface: ge-0/0/0.0
      Routing instance: default
      Local: 192.168.1.2:500, Remote: 192.168.1.1:500
      Lifetime: Expires in 18995 seconds
      Reauth Lifetime: Disabled
      IKE Fragmentation: Enabled, Size: 576
      Remote Access Client Info: Unknown Client
      Peer ike-id: 192.168.1.1
      AAA assigned IP: 0.0.0.0
      Algorithms:
       Authentication        : hmac-sha256-128
       Encryption            : aes128-cbc
       Pseudo random function: hmac-sha256
       Diffie-Hellman group  : DH-group-5
      Traffic statistics:
       Input  bytes  :                 2934
       Output bytes  :                 2379
       Input  packets:                   10
       Output packets:                    9
       Input  fragmented packets:         3
       Output fragmented packets:         2
      IPSec security associations: 8 created, 3 deleted
      Phase 2 negotiations in progress: 1
      IPSec Tunnel IDs: 500230

        Negotiation type: Quick mode, Role: Responder, Message ID: 0
        Local: 192.168.1.2:500, Remote: 192.168.1.1:500
        Local identity: 192.168.1.2
        Remote identity: 192.168.1.1
        Flags: IKE SA is created

      IPsec SA Rekey CREATE_CHILD_SA exchange stats:
       Initiator stats:                             Responder stats:
        Request Out              : 1                 Request In                  : 2
        Response In              : 1                 Response Out                : 2
        No Proposal Chosen In    : 0                 No Proposal Chosen Out      : 0
        Invalid KE In            : 0                 Invalid KE Out              : 0
        TS Unacceptable In       : 0                 TS Unacceptable Out         : 0
        Res DH Compute Key Fail  : 0                 Res DH Compute Key Fail     : 0
        Res Verify SA Fail       : 0
        Res Verify DH Group Fail : 0
        Res Verify TS Fail       : 0

From operational mode, enter the show security ipsec security-associations detail command.

    user@srxb> show security ipsec security-associations detail
    ID: 500230 Virtual-system: root, VPN Name: IPSEC_VPN
      Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
      Local Identity: ipv4(0.0.0.0-255.255.255.255)
      Remote Identity: ipv4(0.0.0.0-255.255.255.255)
      TS Type: proxy-id
      Version: IKEv2
      PFS group: N/A
      DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
      Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
      Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
      Tunnel events:
        Thu Mar 02 2023 22:26:16: IPsec SA negotiation succeeds (1 times)
      Location: FPC 0, PIC 0, KMD-Instance 0
      Anchorship: Thread 1
      Distribution-Profile: default-profile
      Direction: inbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 2633 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2002 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Extended-Sequence-Number: Disabled
        tunnel-establishment: establish-tunnels-on-traffic
        IKE SA Index: 56042
      Direction: outbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 2633 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2002 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
        Extended-Sequence-Number: Disabled
        tunnel-establishment: establish-tunnels-on-traffic
        IKE SA Index: 56042

From operational mode, enter the show security pki local-certificate certificate-id r1_crt_ecdsa384 detail command.

    user@srxb> show security pki local-certificate certificate-id r1_crt_ecdsa384 detail
    LSYS: root-logical-system
    Certificate identifier: r1_crt_ecdsa384
      Certificate version: 3
      Serial number: hexadecimal: 0x0186a6254347a38063946d08595a55 decimal: 7923303152683216740296668848151125
      Issuer:
        Organization: juniper, Country: India, Common name: root-ecdsa-384
      Subject:
        Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r1_spk1, Domain component: juniper
      Subject string:
        DC=juniper, CN=r1_spk1, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
      Alternate subject: "r1_spk1@juniper.net", r1_spk1.juniper.net, 192.168.2
      Cert-Chain: root-ecdsa-384
      Validity:
        Not before: 03- 3-2023 05:55 UTC
        Not after: 06- 6-2027 13:21 UTC
      Public key algorithm: ecdsaEncryption(384 bits)
        04:c2:ba:19:dc:0d:62:a7:94:7b:9b:1d:4d:ff:a1:e1:44:b5:57:a7
        cb:7d:33:6b:35:87:b8:e4:ca:44:b1:6c:6d:63:ae:6f:3c:31:7c:7e
        65:99:b3:2d:a3:76:30:23:e5:0e:34:e1:28:54:d6:3e:d3:8b:de:b6
        b9:45:05:82:6f:1d:20:b7:6f:3c:ce:a2:13:a2:b4:37:0b:db:35:1e
        20:54:b5:06:9d:f8:7f:19:7b:c5:d7:7b:57:8b:28:31:d3
      Signature algorithm: ecdsa-with-SHA384
      Fingerprint:
        9b:cb:5a:57:a8:60:a0:ee:5c:be:59:4c:db:35:39:d3:b7:29:ef:b1 (sha1)
        ef:b5:e3:be:35:1b:6e:02:0b:61:11:a5:53:07:b4:89 (md5)
        8f:86:d0:12:ea:bc:a8:81:a8:17:3a:f9:03:e4:91:57:20:9c:11:bc:a4:dd:d1:7f:d1:48:3f:5b:d9:fb:93:32 (sha256)
      Auto-re-enrollment:
        Status: Disabled
        Next trigger time: Timer not started

From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.

    user@srxb> show security pki ca-certificate ca-profile Root-CA detail
    LSYS: root-logical-system
    CA profile: Root-CA
    Certificate identifier: Root-CA
      Certificate version: 3
      Serial number: hexadecimal: 0x00000440 decimal: 1088
      Issuer:
        Organization: juniper, Country: India, Common name: Root-CA
      Subject:
        Organization: juniper, Country: India, Common name: Root-CA
      Subject string:
        C=India, O=juniper, CN=Root-CA
      Validity:
        Not before: 06- 7-2022 12:36 UTC
        Not after: 06- 6-2027 12:36 UTC
      Public key algorithm: rsaEncryption(2048 bits)
        30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
        8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
        98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
        9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
        e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
        e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
        28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
        4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
        04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
        6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
        08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
        1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
        0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
        8d:ab:30:7d:7f:02:03:01:00:01
      Signature algorithm: sha256WithRSAEncryption
      Distribution CRL:
        http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
      Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
      Fingerprint:
        8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
        ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
        9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
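The verification sections for SRX_A and SRX_B each show one end of the same tunnel; the check that actually confirms a mixed RSA/ECDSA IKEv2 tunnel is that both ends describe the same IKE SA (same cookies, same DH group) with each device authenticating with its own certificate type, and that the ESP SPIs cross-match (inbound on one peer is outbound on the other). The following script is an added example, not Juniper code: it parses the two operational-command formats shown above and runs that cross-check. The sample outputs embedded in it are constructed, abridged copies of this page's SRX_A and SRX_B output; the device names, the EXPECTED_AUTH map and the function names are the example's own.

```python
"""Cross-check both peers of a certificate-authenticated IKEv2 tunnel from
'show security ike security-associations detail' and
'show security ipsec security-associations' output (Junos SRX format).
Added example, not Juniper code. Sample outputs below are constructed,
abridged copies of the page's SRX_A / SRX_B output."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IkeSa:
    remote: str
    state: str
    auth_method: str       # method this device used with its own certificate
    initiator_cookie: str
    responder_cookie: str
    dh_group: str


@dataclass
class IpsecSa:
    algorithm: str
    inbound_spi: str       # "<" row of the summary table
    outbound_spi: str      # ">" row of the summary table


def parse_ike_detail(text: str) -> IkeSa:
    """Extract the fields needed for the cross-check from one peer's IKE SA detail."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError("field not found: " + pattern)
        return m.group(1)
    return IkeSa(
        remote=grab(r"IKE peer (\S+),"),
        state=grab(r"State: (\S+)"),
        auth_method=grab(r"Authentication method: (\S+)"),
        initiator_cookie=grab(r"Initiator cookie: ([0-9a-f]+)"),
        responder_cookie=grab(r"Responder cookie: ([0-9a-f]+)"),
        dh_group=grab(r"Diffie-Hellman group\s*: (\S+)"),
    )


def parse_ipsec_summary(text: str) -> IpsecSa:
    """Read algorithm and SPIs from the '<id' (inbound) and '>id' (outbound) rows."""
    inbound = re.search(r"<\d+\s+(\S+)\s+(0x[0-9a-f]+)", text)
    outbound = re.search(r">\d+\s+(\S+)\s+(0x[0-9a-f]+)", text)
    if not (inbound and outbound):
        raise ValueError("inbound/outbound SA rows not found")
    return IpsecSa(algorithm=inbound.group(1),
                   inbound_spi=inbound.group(2), outbound_spi=outbound.group(2))


def cross_check(a: str, ike_a: IkeSa, ipsec_a: IpsecSa,
                b: str, ike_b: IkeSa, ipsec_b: IpsecSa,
                expected_auth: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means both peers describe one consistent tunnel."""
    findings: List[str] = []
    for name, ike in ((a, ike_a), (b, ike_b)):
        if ike.state != "UP":
            findings.append(f"{name}: IKE SA state {ike.state}, expected UP")
        want = expected_auth.get(name)
        if want and ike.auth_method != want:
            findings.append(f"{name}: authentication method {ike.auth_method}, "
                            f"expected {want} for its local certificate")
    # The cookie pair identifies the IKE SA; both peers must show the same pair.
    if ((ike_a.initiator_cookie, ike_a.responder_cookie)
            != (ike_b.initiator_cookie, ike_b.responder_cookie)):
        findings.append("IKE SA cookies differ: peers do not share one IKE SA")
    if ike_a.dh_group != ike_b.dh_group:
        findings.append(f"DH group mismatch: {ike_a.dh_group} vs {ike_b.dh_group}")
    # Child SAs are unidirectional: A's inbound SPI must be B's outbound SPI and vice versa.
    if (ipsec_a.inbound_spi != ipsec_b.outbound_spi
            or ipsec_a.outbound_spi != ipsec_b.inbound_spi):
        findings.append("IPsec SPIs do not cross-match between peers")
    if ipsec_a.algorithm != ipsec_b.algorithm:
        findings.append(f"ESP algorithm mismatch: {ipsec_a.algorithm} vs {ipsec_b.algorithm}")
    return findings


# Constructed sample input (abridged from the page's verification output).
SRX_A_IKE = """IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Algorithms:
   Authentication        : hmac-sha256-128
   Diffie-Hellman group  : DH-group-5
"""
SRX_B_IKE = SRX_A_IKE.replace("192.168.1.2", "192.168.1.1").replace(
    "Index 32", "Index 56042").replace("RSA-signatures", "ECDSA-384-signatures")
SRX_A_IPSEC = """  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500033 ESP:aes-cbc-192/sha256 0x5f156c1b 2750/ unlim - root 500 192.168.1.2
  >500033 ESP:aes-cbc-192/sha256 0x7ea065e7 2750/ unlim - root 500 192.168.1.2
"""
SRX_B_IPSEC = """  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500230 ESP:aes-cbc-192/sha256 0x7ea065e7 2638/ unlim - root 500 192.168.1.1
  >500230 ESP:aes-cbc-192/sha256 0x5f156c1b 2638/ unlim - root 500 192.168.1.1
"""
# RSA certificate enrolled on SRX_A, ECDSA-384 certificate on SRX_B (as in this example).
EXPECTED_AUTH = {"SRX_A": "RSA-signatures", "SRX_B": "ECDSA-384-signatures"}


def check_example_tunnel(srx_b_ipsec: str = SRX_B_IPSEC) -> List[str]:
    return cross_check("SRX_A", parse_ike_detail(SRX_A_IKE), parse_ipsec_summary(SRX_A_IPSEC),
                       "SRX_B", parse_ike_detail(SRX_B_IKE), parse_ipsec_summary(srx_b_ipsec),
                       EXPECTED_AUTH)


if __name__ == "__main__":
    for line in check_example_tunnel() or ["tunnel state is consistent on both peers"]:
        print(line)
```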