Configuring PKI Based L2HA Link Encryption

  • Physically connect the two devices and ensure that they are the same model.
  • Connect the dedicated control ports on node 0 and node 1.
  • Connect the user-defined fabric ports (fab0 and fab1) on node 0 and node 1.
To configure two chassis in cluster mode with HA link encryption, follow these steps:
  1. Zeroize both SRX Series Firewalls before using them in a cluster. If the devices are already in cluster mode, disable chassis cluster before zeroizing. For information on how to disable chassis cluster, see Disabling a Chassis Cluster.
    user@host> request system zeroize hypervisor
  2. Delete the web management services.

    user@host# delete system services web-management https

  3. Configure FIPS mode and bring up the devices in FIPS mode.
  4. Configure device 1 with the standard cluster commands for operating in cluster mode as node0. This requires a reboot.
  5. After device 1 is up, configure HA link encryption as shown in the sample configuration below, then commit and reboot. Device 1 must carry the HA link encryption configuration for both node0 and node1 before the commit and reboot.
  6. Before configuring and committing on device 2, ensure that device 1 and device 2 cannot reach each other; the commit that enables HA link encryption on node1 only succeeds while the peer node is in the lost state. One way to achieve this is to power off device 1 at this point.
  7. Configure device 2 with the standard cluster commands for operating in cluster mode as node1. This requires a reboot.

    [edit]

    user@host# set groups node0 system host-name node0-host-name

    user@host# set groups node0 system backup-router gateway-address

    user@host# set groups node0 system backup-router destination value

    user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address

    user@host# set groups node1 system host-name node1-host-name

    user@host# set groups node1 system backup-router gateway-address

    user@host# set groups node1 system backup-router destination value

    user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address

    user@host# set apply-groups global

    user@host# set apply-groups "${node}"

    user@host# delete apply-groups re0

    user@host# set system ports console log-out-on-disconnect

    user@host# set chassis cluster reth-count 5

    user@host# set chassis cluster redundancy-group 0 node 0 priority 254

    user@host# set chassis cluster redundancy-group 0 node 1 priority 1

    user@host# commit

    user@host> set chassis cluster cluster-id 1 node 1 reboot

    For the cluster verification commands, see https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

  8. After device 2 is up, configure HA link encryption on device 2 as shown in the sample configuration below. Device 2 must carry the HA link encryption configuration for both node0 and node1. Commit on node1 (device 2), and finally reboot node1 (device 2).

    user@host> request security pki ca-certificate load ca-profile S2S_PKI filename /var/tmp/aux_ca.cer

    user@host> show security pki ca-certificate

    user@host> request security pki crl load ca-profile S2S_PKI filename /var/tmp/aux.crl

    user@host> show security pki crl

    user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testaux,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domain-name aux.juniper.net ip-address 130.16.0.1 email aux@juniper.net

  9. Power ON node0 (device 1).
  10. Both the nodes will be in cluster mode with HA link encryption enabled.
    Note: To enable HA link encryption on node1 (step 8), the other node must be in the lost state for the commit to go through; that is why device 1 is isolated in step 6. Manage the timing accordingly, otherwise steps 6 through 8 must be repeated until the commit that enables HA link encryption on node1 succeeds. The example above configures a PKI-based L2 HA link encryption tunnel with RSA; ECDSA with the P-256 or P-384 curve (key size 256 or 384) can be used instead.
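The steps above refer to a sample HA link encryption configuration but only show the CA and CRL loading and the certificate request. As an added example, not taken from this page, the following block fills in the rest of that procedure end to end: generating the node-local key pair, loading the signed certificate, the IKE/IPsec statements that bind the tunnel to the HA link, the ECDSA variant the note mentions, and the operational commands to verify the result. It assumes the CA profile S2S_PKI and certificate-id pkicert from the page; the proposal, policy, gateway and VPN names (ha-ike-prop, ha-ike-pol, ha-gw, ha-ipsec-prop, ha-ipsec-pol, ha-vpn) and the certificate file path are placeholders, and the key-pair, certificate-load and ha-link-encryption statements are written from the Junos PKI and chassis-cluster CLI as the editor knows them rather than from the page, so check them against the command reference for your release before use.

```junos
## Added example (not from the page). Placeholders: ha-ike-prop, ha-ike-pol,
## ha-gw, ha-ipsec-prop, ha-ipsec-pol, ha-vpn, /var/tmp/pkicert.cer.
## Run the same sequence on each node; only the commit timing differs (see step 6).

## 1. Node-local key pair and CSR (RSA 2048 here; the page's CSR command follows)
user@host> request security pki node-local generate-key-pair certificate-id pkicert size 2048 type rsa
user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testaux,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domain-name aux.juniper.net ip-address 130.16.0.1 email aux@juniper.net

## 2. Have the CA behind /var/tmp/aux_ca.cer sign the CSR, copy the result back, then load it
user@host> request security pki node-local local-certificate load certificate-id pkicert filename /var/tmp/pkicert.cer
user@host> show security pki node-local local-certificate certificate-id pkicert

## 3. CA profile with CRL checking, so a revoked peer certificate cannot bring the tunnel up
[edit]
user@host# set security pki ca-profile S2S_PKI ca-identity S2S_PKI
user@host# set security pki ca-profile S2S_PKI revocation-check crl

## 4. IKEv2 with certificate authentication; no pre-shared key anywhere in the path
user@host# set security ike proposal ha-ike-prop authentication-method rsa-signatures
user@host# set security ike proposal ha-ike-prop dh-group group19
user@host# set security ike proposal ha-ike-prop authentication-algorithm sha-256
user@host# set security ike proposal ha-ike-prop encryption-algorithm aes-256-cbc
user@host# set security ike policy ha-ike-pol proposals ha-ike-prop
user@host# set security ike policy ha-ike-pol certificate local-certificate pkicert
user@host# set security ike gateway ha-gw ike-policy ha-ike-pol
user@host# set security ike gateway ha-gw version v2-only
user@host# set security ike gateway ha-gw ha-link-encryption

## 5. ESP with AES-GCM on the HA link itself (no bind-interface: the HA link is the endpoint)
user@host# set security ipsec proposal ha-ipsec-prop protocol esp
user@host# set security ipsec proposal ha-ipsec-prop encryption-algorithm aes-256-gcm
user@host# set security ipsec policy ha-ipsec-pol proposals ha-ipsec-prop
user@host# set security ipsec vpn ha-vpn ike gateway ha-gw
user@host# set security ipsec vpn ha-vpn ike ipsec-policy ha-ipsec-pol
user@host# set security ipsec vpn ha-vpn ha-link-encryption
user@host# commit

## 6. ECDSA variant: swap the key pair and the authentication method, keep everything else
user@host> request security pki node-local generate-key-pair certificate-id pkicert size 384 type ecdsa
[edit]
user@host# set security ike proposal ha-ike-prop authentication-method ecdsa-signatures-384

## 7. Verification once both nodes are up (step 10): cluster state, then IKE and IPsec SAs
user@host> show chassis cluster status
user@host> show security ike security-associations
user@host> show security ipsec security-associations
```

The block runs the CRL load from step 8 into a revocation-check setting on the CA profile; without it a certificate loaded with `show security pki crl` present on the box is still not checked against that CRL when the peer authenticates. The verification at the end is the practical check that encryption is actually on: an established IPsec SA on the gateway marked for HA link encryption, with both nodes showing in `show chassis cluster status`.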