Configuring PKI Based L2HA Link Encryption
- Physically connect the two devices and ensure that they are the same models.
- Connect the dedicated control ports on node 0 and node 1.
- Connect the user-defined fabric (fab) ports on node 0 and node 1.
- Zeroize both SRX Series Firewalls before using them in a cluster. If the devices are already in cluster mode, disable the cluster before zeroizing. For information on how to disable chassis cluster, see Disabling a Chassis Cluster.
user@host> request system zeroize hypervisor
- Delete the web management services.
user@host# delete system services web-management https
- Configure FIPS mode and bring up the devices in FIPS mode.
[edit]
user@host# set groups global system fips level 2
[edit]
user@host# set groups global system root-authentication plain-text-password
New password: type password here
Retype new password: retype password here
[edit]
user@host# commit
user@host> request system reboot
- Configure device 1 with the standard cluster commands for operating in cluster mode as node0. This requires a reboot.
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "$(node)"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 0 reboot
- After device 1 is up, configure HA link encryption as shown in the sample configuration below, then commit and reboot. Device 1 must be configured with both the node0 and the node1 HA link encryption configuration before the commit and reboot.
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security pki traceoptions file pkilog
user@host# set groups node0 security pki traceoptions file size 100m
user@host# set groups node0 security pki traceoptions flag all
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node0 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PKI mode main
user@host# set groups node0 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
user@host# set groups node0 security ike policy IKE_POL_PKI certificate local-certificate pkicert
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PKI
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
user@host# set groups node0 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
user@host# set groups node0 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check disable
user@host# set groups node0 interfaces st0 unit 0 family inet
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security pki traceoptions file pkilog
user@host# set groups node1 security pki traceoptions file size 100m
user@host# set groups node1 security pki traceoptions flag all
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node1 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PKI mode main
user@host# set groups node1 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
user@host# set groups node1 security ike policy IKE_POL_PKI certificate local-certificate pkicert
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PKI
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
user@host# set groups node1 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
user@host# set groups node1 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check disable
user@host# set groups node1 interfaces st0 unit 0 family inet
user@host# set groups global interfaces fab0 fabric-options member-interfaces xe-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces xe-7/0/3
user@host# commit
user@host> clear security pki node-local local-certificate all
user@host> clear security pki node-local certificate-request all
user@host> clear security pki node-local key-pair all
user@host> clear security pki crl all
user@host> clear security pki ca-certificate all
user@host> request security pki node-local generate-key-pair certificate-id pkicert type rsa size 2048
root@vm# curl "http://<PKI-Server-IP>/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=bin" -o /tmp/dut_ca.cer
root@vm# scp /tmp/dut_ca.cer root@node0-host-name:/var/tmp
user@host> request security pki ca-certificate load ca-profile S2S_PKI filename /var/tmp/dut_ca.cer
user@host> show security pki ca-certificate
root@vm# curl "http://<PKI-Server-IP>/certsrv/certcrl.crl?Renewal=0&Enc=bin" -o /tmp/dut.crl
root@vm# scp /tmp/dut.crl root@node0-host-name:/var/tmp
user@host> request security pki crl load ca-profile S2S_PKI filename /var/tmp/dut.crl
user@host> show security pki crl
user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testdut,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domain-name dut.juniper.net ip-address 129.16.0.1 email dut@juniper.net
root@vm# rm -rf /cert
root@vm# mkdir /cert
root@vm# chmod 777 /cert
root@vm# echo "-----BEGIN CERTIFICATE REQUEST-----<copy the generated certificate request here>-----END CERTIFICATE REQUEST-----" > /cert/dsakey
root@vm# cat /cert/dsakey
root@vm# chmod 777 /cert/dsakey
root@vm# chmod o+w /tftpboot
root@vm# rm -f /etc/xinetd.d/tftp.org
root@vm# cp /etc/xinetd.d/tftp /etc/xinetd.d/tftp.org
root@vm# sed -e 's/server_args.*/server_args = -s \/tftpboot -c/g' /etc/xinetd.d/tftp > /etc/xinetd.d/tftp.mdf
root@vm# mv -f /etc/xinetd.d/tftp.mdf /etc/xinetd.d/tftp
root@vm# systemctl enable tftp.service
root@vm# /bin/systemctl restart xinetd.service
root@vm# mv -f /etc/xinetd.d/tftp.org /etc/xinetd.d/tftp
root@vm# dir /tftpboot/pki.tcl
root@vm# /bin/cp /tftpboot/pki.tcl /cert/
root@vm# chmod 775 /cert/pki.tcl
root@vm# /cert/pki.tcl <PKI-Server-IP> /cert/dsakey /cert/dut.cer
root@vm# scp /cert/dut.cer root@node0-host-name:/var/tmp
- Before configuring and committing on device 2, ensure that device 1 and device 2 cannot reach each other. One way to achieve this is to power off device 1 at this point.
- Configure device 2 with the standard cluster commands for operating in cluster mode as node1. This requires a reboot.
[edit]
user@host# set groups node0 system host-name node0-host-name
user@host# set groups node0 system backup-router gateway-address
user@host# set groups node0 system backup-router destination value
user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
user@host# set groups node1 system host-name node1-host-name
user@host# set groups node1 system backup-router gateway-address
user@host# set groups node1 system backup-router destination value
user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
user@host# set apply-groups global
user@host# set apply-groups "$(node)"
user@host# delete apply-groups re0
user@host# set system ports console log-out-on-disconnect
user@host# set chassis cluster reth-count 5
user@host# set chassis cluster redundancy-group 0 node 0 priority 254
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# commit
user@host> set chassis cluster cluster-id 1 node 1 reboot
- After device 2 is up, configure HA link encryption on device 2 as shown in the sample configuration below. Device 2 must be configured with both the node0 and the node1 HA link encryption configuration. Commit on node1 (device 2), and finally reboot node1 (device 2).
[edit]
user@host# set groups node0 security ike traceoptions file ikelog
user@host# set groups node0 security ike traceoptions file size 100m
user@host# set groups node0 security ike traceoptions flag all
user@host# set groups node0 security ike traceoptions level 15
user@host# set groups node0 security pki traceoptions file pkilog
user@host# set groups node0 security pki traceoptions file size 100m
user@host# set groups node0 security pki traceoptions flag all
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node0 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
user@host# set groups node0 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
user@host# set groups node0 security ike policy IKE_POL_PKI mode main
user@host# set groups node0 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
user@host# set groups node0 security ike policy IKE_POL_PKI certificate local-certificate pkicert
user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PKI
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI protocol esp
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
user@host# set groups node0 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
user@host# set groups node0 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
user@host# set groups node0 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
user@host# set groups node0 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check disable
user@host# set groups node0 interfaces st0 unit 0 family inet
user@host# set groups node1 security ike traceoptions file ikelog
user@host# set groups node1 security ike traceoptions file size 100m
user@host# set groups node1 security ike traceoptions flag all
user@host# set groups node1 security ike traceoptions level 15
user@host# set groups node1 security pki traceoptions file pkilog
user@host# set groups node1 security pki traceoptions file size 100m
user@host# set groups node1 security pki traceoptions flag all
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node1 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
user@host# set groups node1 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
user@host# set groups node1 security ike policy IKE_POL_PKI mode main
user@host# set groups node1 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
user@host# set groups node1 security ike policy IKE_POL_PKI certificate local-certificate pkicert
user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PKI
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI protocol esp
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
user@host# set groups node1 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
user@host# set groups node1 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
user@host# set groups node1 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
user@host# set groups node1 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check disable
user@host# set groups node1 interfaces st0 unit 0 family inet
user@host# set groups global interfaces fab0 fabric-options member-interfaces xe-0/0/3
user@host# set groups global interfaces fab1 fabric-options member-interfaces xe-7/0/3
user@host# commit
user@host> clear security pki node-local local-certificate all
user@host> clear security pki node-local certificate-request all
user@host> clear security pki node-local key-pair all
user@host> clear security pki crl all
user@host> clear security pki ca-certificate all
user@host> request security pki node-local generate-key-pair certificate-id pkicert type rsa size 2048
root@vm# curl "http://<PKI-Server-IP>/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=bin" -o /tmp/aux_ca.cer
root@vm# scp /tmp/aux_ca.cer root@node1-host-name:/var/tmp
user@host> request security pki ca-certificate load ca-profile S2S_PKI filename /var/tmp/aux_ca.cer
user@host> show security pki ca-certificate
root@vm# curl "http://<PKI-Server-IP>/certsrv/certcrl.crl?Renewal=0&Enc=bin" -o /tmp/aux.crl
root@vm# scp /tmp/aux.crl root@node1-host-name:/var/tmp
user@host> request security pki crl load ca-profile S2S_PKI filename /var/tmp/aux.crl
user@host> show security pki crl
user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testaux,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domain-name aux.juniper.net ip-address 130.16.0.1 email aux@juniper.net
root@vm# rm -rf /cert
root@vm# mkdir /cert
root@vm# chmod 777 /cert
root@vm# echo "-----BEGIN CERTIFICATE REQUEST-----<copy the generated certificate request here>-----END CERTIFICATE REQUEST-----" > /cert/dsakey
root@vm# cat /cert/dsakey
root@vm# chmod 777 /cert/dsakey
root@vm# chmod o+w /tftpboot
root@vm# rm -f /etc/xinetd.d/tftp.org
root@vm# cp /etc/xinetd.d/tftp /etc/xinetd.d/tftp.org
root@vm# sed -e 's/server_args.*/server_args = -s \/tftpboot -c/g' /etc/xinetd.d/tftp > /etc/xinetd.d/tftp.mdf
root@vm# mv -f /etc/xinetd.d/tftp.mdf /etc/xinetd.d/tftp
root@vm# systemctl enable tftp.service
root@vm# /bin/systemctl restart xinetd.service
root@vm# mv -f /etc/xinetd.d/tftp.org /etc/xinetd.d/tftp
root@vm# dir /tftpboot/pki.tcl
root@vm# /bin/cp /tftpboot/pki.tcl /cert/
root@vm# chmod 775 /cert/pki.tcl
root@vm# /cert/pki.tcl <PKI-Server-IP> /cert/dsakey /cert/aux.cer
root@vm# scp /cert/aux.cer root@node1-host-name:/var/tmp
user@host> clear security pki node-local local-certificate all
user@host> request security pki node-local local-certificate load filename /var/tmp/aux.cer certificate-id pkicert
user@host> request system reboot
- Power ON node0 (device 1).
- Both nodes will now be in cluster mode with HA link encryption enabled.
Note: To enable HA link encryption on node1 in step 6, the other node must be in the lost state for the commit to go through. Manage the timing accordingly; otherwise step 6 must be repeated until the commit that enables HA link encryption on node1 succeeds. The example above configures a PKI-based L2 HA link encryption tunnel with RSA; ECDSA with key sizes 256 and 384 can also be used.
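Both devices must carry identical node0 and node1 HA link encryption groups, and a single mistyped keyword in either group (the procedure above is long enough for that to be easy) is only noticed at commit time or when the tunnel never comes up. As an added example, not code from Juniper or from this page, the following Python script parses the pasted `set groups node0/node1 security ...` commands, reports statements that exist in one node group but not the other, and calls out settings a reviewer would want to confirm on purpose, such as `revocation-check disable`. The sample commands are a constructed subset of the page's configuration with one deliberate divergence.

```python
"""Mirror check for node0/node1 HA-link-encryption groups (added example).

Input: Junos 'set' commands as pasted from a terminal; prompts such as
'user@host#' and a leading '[edit]' are tolerated. Only the 'security'
stanza of the node0 and node1 groups is compared.
"""
import re
from collections import defaultdict

# Constructed sample: node1 deliberately uses sha-1 where node0 uses sha-256.
SAMPLE = """
[edit]
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node0 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
user@host# set groups node0 security ike gateway S2S_GW version v2-only
user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check disable
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
user@host# set groups node1 security ike proposal IKE_PROP_PKI dh-group group20
user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-algorithm sha-1
user@host# set groups node1 security ike gateway S2S_GW version v2-only
user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check disable
"""

# Optional '[edit]' and prompt, then the group name and the security statement.
GROUP_RE = re.compile(r"^(?:\[edit\]\s*)?(?:\S+[#>]\s*)?set groups (node[01]) security (.+)$")

def parse_groups(text):
    """Return {group: set(security statements)} for the node0/node1 groups."""
    groups = defaultdict(set)
    for raw in text.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m:
            groups[m.group(1)].add(m.group(2))
    return groups

def mirror_diff(groups):
    """Statements present in only one of the two node groups."""
    only0 = sorted(groups["node0"] - groups["node1"])
    only1 = sorted(groups["node1"] - groups["node0"])
    return only0, only1

def review_findings(groups):
    """Settings to confirm deliberately before committing on either device."""
    findings = []
    for node in ("node0", "node1"):
        stmts = groups[node]
        if not any(s.endswith("ha-link-encryption") for s in stmts):
            findings.append(f"{node}: no ipsec vpn has ha-link-encryption set")
        for s in sorted(stmts):
            if s.endswith("revocation-check disable"):
                findings.append(f"{node}: CRL checking disabled in '{s}'")
            if "ike gateway" in s and " version " in s and not s.endswith("v2-only"):
                findings.append(f"{node}: gateway not restricted to IKEv2 in '{s}'")
    return findings

if __name__ == "__main__":
    g = parse_groups(SAMPLE)
    only0, only1 = mirror_diff(g)
    print("only in node0:", only0)
    print("only in node1:", only1)
    for f in review_findings(g):
        print("review:", f)
```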