Configure Multiple Certificate Types to Establish IKE and IPsec SA
Learn how to configure and manage multiple certificate types.
This example shows how to configure multiple certificate types to establish IKE and IPsec SA.
Starting in Junos OS Release 22.4R1, you can establish tunnels irrespective of the certificate type used on the initiator and the responder, provided that the authentication method in the IKE proposal is configured as certificates, using the set security ike proposal ike_proposal_name authentication-method certificates command. The initiator and the responder each sign with their own local certificate, so one peer can use an RSA certificate while the other uses an ECDSA certificate.
You can view the enrolled certificate using the show security pki local-certificate certificate-id certificate-name detail command.
You can verify the enrolled certificate using the request security pki local-certificate verify certificate-id certificate-name command.
Requirements
Before you begin:
- Ensure that you have certificates enrolled on your devices; see Certificate Enrollment. You can view the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command.
- Ensure that the IKE package is installed. To verify the installed IKE package, use the show version | match ike operational command. If the IKE package is not installed on the device, install it using the request system software add optional://junos-ike.tgz operational command; for more information, see Enabling IPsec VPN Feature Set.
Overview
This example configures multiple certificate types to establish IKE and IPsec SAs between SRX_A and SRX_B.
In this example, an RSA certificate is enrolled on SRX_A and an ECDSA certificate is enrolled on SRX_B. For more information about how to install the certificates, see Certificate Enrollment.
Device Name | Interface Used | IKE Gateway Address | IKE Gateway Local IP Address |
---|---|---|---|
SRX_A | ge-0/0/0 | 192.168.1.2 | 192.168.1.1 |
SRX_B | ge-0/0/0 | 192.168.1.1 | 192.168.1.2 |
Topology
Figure 1 shows the topology used for the multiple certificate types configuration.
Configuration
Configuring SRX_A
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.2
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.1
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SA:
-
View the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command. If your device does not have the certificates enrolled, install them first. For more information, see Certificate Enrollment.
-
Configure interfaces.
[edit]
user@srxa# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
user@srxa# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
user@srxa# set interfaces st0 unit 1 family inet
-
Configure security zones and the security policy.
[edit]
user@srxa# set security zones security-zone trust host-inbound-traffic system-services all
user@srxa# set security zones security-zone trust host-inbound-traffic protocols all
user@srxa# set security zones security-zone trust interfaces ge-0/0/1
user@srxa# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srxa# set security zones security-zone untrust interfaces ge-0/0/0
user@srxa# set security zones security-zone VPN interfaces st0.1
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match source-address any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 match application any
user@srxa# set security policies from-zone VPN to-zone trust policy 1 then permit
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match source-address any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 match application any
user@srxa# set security policies from-zone trust to-zone VPN policy 1 then permit
user@srxa# set security policies default-policy deny-all
-
Configure the IKE proposal.
[edit]
user@srxa# set security ike proposal IKE_PROP authentication-method certificates
user@srxa# set security ike proposal IKE_PROP dh-group group5
user@srxa# set security ike proposal IKE_PROP authentication-algorithm sha-256
user@srxa# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
-
Configure the IKE policy.
[edit]
user@srxa# set security ike policy IKE_POL proposals IKE_PROP
user@srxa# set security ike policy IKE_POL certificate local-certificate r0_rsa_crt
-
Configure the IKE gateway.
[edit]
user@srxa# set security ike gateway IKE_GW ike-policy IKE_POL
user@srxa# set security ike gateway IKE_GW address 192.168.1.2
user@srxa# set security ike gateway IKE_GW external-interface ge-0/0/0
user@srxa# set security ike gateway IKE_GW local-address 192.168.1.1
user@srxa# set security ike gateway IKE_GW version v2-only
-
Configure the IPsec proposal.
[edit]
user@srxa# set security ipsec proposal IPSEC_PROP protocol esp
user@srxa# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
user@srxa# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
-
Configure the IPsec policy.
[edit]
user@srxa# set security ipsec policy IPSEC_POL proposals IPSEC_PROP
-
Configure the IPsec VPN.
[edit]
user@srxa# set security ipsec vpn IPSEC_VPN bind-interface st0.1
user@srxa# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
user@srxa# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
user@srxa# set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@srxa# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.16.1.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}
[edit]
user@srxa# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r0_rsa_crt;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.2;
    external-interface ge-0/0/0;
    local-address 192.168.1.1;
    version v2-only;
}
[edit]
user@srxa# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels on-traffic;
}
If you are done configuring the device, enter commit from configuration mode.
Configuring SRX_B
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
set interfaces st0 unit 1 family inet
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone VPN interfaces st0.1
set security policies from-zone VPN to-zone trust policy 1 match source-address any
set security policies from-zone VPN to-zone trust policy 1 match destination-address any
set security policies from-zone VPN to-zone trust policy 1 match application any
set security policies from-zone VPN to-zone trust policy 1 then permit
set security policies from-zone trust to-zone VPN policy 1 match source-address any
set security policies from-zone trust to-zone VPN policy 1 match destination-address any
set security policies from-zone trust to-zone VPN policy 1 match application any
set security policies from-zone trust to-zone VPN policy 1 then permit
set security policies default-policy deny-all
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
set security ike gateway IKE_GW ike-policy IKE_POL
set security ike gateway IKE_GW address 192.168.1.1
set security ike gateway IKE_GW external-interface ge-0/0/0
set security ike gateway IKE_GW local-address 192.168.1.2
set security ike gateway IKE_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn IPSEC_VPN bind-interface st0.1
set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn IPSEC_VPN establish-tunnels on-traffic
Step-by-step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.
To configure multiple certificate types to establish IKE and IPsec SA:
-
View the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command. If your device does not have the certificates enrolled, install them first. For more information, see Certificate Enrollment.
-
Configure interfaces.
[edit]
user@srxb# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
user@srxb# set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
user@srxb# set interfaces st0 unit 1 family inet
-
Configure security zones and the security policy.
[edit]
user@srxb# set security zones security-zone trust host-inbound-traffic system-services all
user@srxb# set security zones security-zone trust host-inbound-traffic protocols all
user@srxb# set security zones security-zone trust interfaces ge-0/0/1
user@srxb# set security zones security-zone untrust host-inbound-traffic system-services ike
user@srxb# set security zones security-zone untrust interfaces ge-0/0/0
user@srxb# set security zones security-zone VPN interfaces st0.1
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match source-address any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match destination-address any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 match application any
user@srxb# set security policies from-zone VPN to-zone trust policy 1 then permit
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match source-address any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match destination-address any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 match application any
user@srxb# set security policies from-zone trust to-zone VPN policy 1 then permit
user@srxb# set security policies default-policy deny-all
-
Configure the IKE proposal.
[edit]
user@srxb# set security ike proposal IKE_PROP authentication-method certificates
user@srxb# set security ike proposal IKE_PROP dh-group group5
user@srxb# set security ike proposal IKE_PROP authentication-algorithm sha-256
user@srxb# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
-
Configure the IKE policy.
[edit]
user@srxb# set security ike policy IKE_POL proposals IKE_PROP
user@srxb# set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
-
Configure the IKE gateway.
[edit]
user@srxb# set security ike gateway IKE_GW ike-policy IKE_POL
user@srxb# set security ike gateway IKE_GW address 192.168.1.1
user@srxb# set security ike gateway IKE_GW external-interface ge-0/0/0
user@srxb# set security ike gateway IKE_GW local-address 192.168.1.2
user@srxb# set security ike gateway IKE_GW version v2-only
-
Configure the IPsec proposal.
[edit]
user@srxb# set security ipsec proposal IPSEC_PROP protocol esp
user@srxb# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
user@srxb# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-192-cbc
-
Configure the IPsec policy.
[edit]
user@srxb# set security ipsec policy IPSEC_POL proposals IPSEC_PROP
-
Configure the IPsec VPN.
[edit]
user@srxb# set security ipsec vpn IPSEC_VPN bind-interface st0.1
user@srxb# set security ipsec vpn IPSEC_VPN ike gateway IKE_GW
user@srxb# set security ipsec vpn IPSEC_VPN ike ipsec-policy IPSEC_POL
user@srxb# set security ipsec vpn IPSEC_VPN establish-tunnels immediately
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@srxb# show interfaces
ge-0/0/0 {
    description untrust;
    unit 0 {
        family inet {
            address 192.168.1.2/24;
        }
    }
}
ge-0/0/1 {
    description trust;
    unit 0 {
        family inet {
            address 172.18.1.2/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}
[edit]
user@srxb# show security ike
proposal IKE_PROP {
    authentication-method certificates;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy IKE_POL {
    proposals IKE_PROP;
    certificate {
        local-certificate r1_crt_ecdsa384;
    }
}
gateway IKE_GW {
    ike-policy IKE_POL;
    address 192.168.1.1;
    external-interface ge-0/0/0;
    local-address 192.168.1.2;
    version v2-only;
}
[edit]
user@srxb# show security ipsec
proposal IPSEC_PROP {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
}
policy IPSEC_POL {
    proposals IPSEC_PROP;
}
vpn IPSEC_VPN {
    bind-interface st0.1;
    ike {
        gateway IKE_GW;
        ipsec-policy IPSEC_POL;
    }
    establish-tunnels immediately;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verify SRX_A
The sample outputs shown are from SRX_A.
Purpose
Verify the IKE (Phase 1) and IPsec (Phase 2) security associations, and the local and CA certificates used to authenticate them.
Action
From operational mode, enter the show security ike security-associations command.
user@srxa> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
32      UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.2
From operational mode, enter the show security ipsec security-associations command.
user@srxa> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm               SPI         Life:sec/kb   Mon  lsys  Port  Gateway
  <500033 ESP:aes-cbc-192/sha256  0x5f156c1b  2750/ unlim   -    root  500   192.168.1.2
  >500033 ESP:aes-cbc-192/sha256  0x7ea065e7  2750/ unlim   -    root  500   192.168.1.2
From operational mode, enter the show security ike security-associations detail command.
user@srxa> show security ike security-associations detail
IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.1:500, Remote: 192.168.1.2:500
  Lifetime: Expires in 28165 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1346
   Output bytes  :                 1887
   Input  packets:                    3
   Output packets:                    4
   Input  fragmented packets:          2
   Output fragmented packets:          3
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 500033

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.1:500, Remote: 192.168.1.2:500
    Local identity: 192.168.1.1
    Remote identity: 192.168.1.2
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                         Responder stats:
     Request Out              : 0             Request In               : 0
     Response In              : 0             Response Out             : 0
     No Proposal Chosen In    : 0             No Proposal Chosen Out   : 0
     Invalid KE In            : 0             Invalid KE Out           : 0
     TS Unacceptable In       : 0             TS Unacceptable Out      : 0
     Res DH Compute Key Fail  : 0             Res DH Compute Key Fail  : 0
     Res Verify SA Fail       : 0
     Res Verify DH Group Fail : 0
     Res Verify TS Fail       : 0
From operational mode, enter the show security ipsec security-associations detail command.
user@srxa> show security ipsec security-associations detail
ID: 500033 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 09 2023 22:41:36: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32

    Direction: outbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2895 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2286 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 32
From operational mode, enter the show security pki local-certificate certificate-id r0_rsa_crt detail command.
user@srxa> show security pki local-certificate certificate-id r0_rsa_crt detail
LSYS: root-logical-system
Certificate identifier: r0_rsa_crt
  Certificate version: 3
  Serial number: hexadecimal: 0x0186a62478ae8f0cdd766eb38dbd53 decimal: 7923302907757301847007106226306387
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r0, Domain component: juniper
  Subject string:
    DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r0@juniper.net", r0.juniper.net, 192.168.1.1
  Cert-Chain: Root-CA
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b0:e5:53:8d:7e:20:fa:6b:21:c2:d1
    2b:48:8f:af:c3:eb:8b:23:4a:f7:c5:1f:cf:2c:6a:b3:2e:8a:ef:1b
    f7:97:aa:fd:1d:ab:1c:76:9b:40:a3:ac:bb:49:f6:93:f9:e1:4e:62
    df:3d:ca:e5:d2:95:9c:a0:f4:2b:d7:7e:1d:20:94:69:a8:e4:cf:dc
    15:90:4c:be:1d:d8:1c:52:08:3a:d1:05:a3:bb:2f:8f:31:0c:6b:21
    ef:76:c3:c7:fb:be:4a:cb:da:cc:8d:04:3a:75:0c:eb:5d:e2:f6:13
    50:fe:39:67:c0:77:2f:32:b0:5e:38:6f:9c:79:b3:5d:f3:57:f4:f8
    42:f5:22:5b:6c:58:67:90:4e:1e:ec:6a:03:e2:c0:87:65:02:ca:da
    6f:95:0a:8c:2a:fd:45:4f:3a:b5:ef:18:05:1c:54:e6:fe:45:bb:73
    53:81:b2:c6:b7:36:36:57:6d:9c:d3:d9:80:e7:d6:85:92:74:32:88
    16:01:03:27:57:76:8e:5e:d6:73:ac:bf:68:fd:6d:a1:2a:8f:f5:3a
    29:b0:c9:44:9b:c8:46:c1:bf:c0:52:2a:f0:51:be:b5:f6:e1:f5:3e
    96:1d:3a:42:29:28:d3:cf:60:b9:eb:24:04:47:d3:f1:3f:5e:38:fc
    7f:33:f6:94:9d:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Fingerprint:
    4d:f6:89:c5:d6:3c:74:73:db:3e:f6:4b:1e:26:6c:c1:1c:1d:a7:4d (sha1)
    6b:1c:a8:1f:de:5a:9b:3e:d5:c4:85:29:af:3f:82:f2 (md5)
    6b:7a:b5:d1:57:cf:75:9d:1f:63:b9:f6:49:e4:4e:b3:13:2c:83:f1:f7:25:44:6f:45:2f:0d:2f:ae:a8:80:85 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.
user@srxa> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number: hexadecimal: 0x00000440 decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
Verify SRX_B
The sample outputs shown are from SRX_B.
Purpose
Verify the IKE (Phase 1) and IPsec (Phase 2) security associations, and the local and CA certificates used to authenticate them.
Action
From operational mode, enter the show security ike security-associations command.
user@srxb> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
56042   UP     6723643250f0f357  f6295f11b0d7c8ab  IKEv2          192.168.1.1
From operational mode, enter the show security ipsec security-associations command.
user@srxb> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm               SPI         Life:sec/kb   Mon  lsys  Port  Gateway
  <500230 ESP:aes-cbc-192/sha256  0x7ea065e7  2638/ unlim   -    root  500   192.168.1.1
  >500230 ESP:aes-cbc-192/sha256  0x5f156c1b  2638/ unlim   -    root  500   192.168.1.1
From operational mode, enter the show security ike security-associations detail command.
user@srxb> show security ike security-associations detail
IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Initiator cookie: 6723643250f0f357, Responder cookie: f6295f11b0d7c8ab
  Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
  Local gateway interface: ge-0/0/0.0
  Routing instance: default
  Local: 192.168.1.2:500, Remote: 192.168.1.1:500
  Lifetime: Expires in 18995 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 192.168.1.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 2934
   Output bytes  :                 2379
   Input  packets:                   10
   Output packets:                    9
   Input  fragmented packets:          3
   Output fragmented packets:          2
  IPSec security associations: 8 created, 3 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 500230

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.1:500
    Local identity: 192.168.1.2
    Remote identity: 192.168.1.1
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                         Responder stats:
     Request Out              : 1             Request In               : 2
     Response In              : 1             Response Out             : 2
     No Proposal Chosen In    : 0             No Proposal Chosen Out   : 0
     Invalid KE In            : 0             Invalid KE Out           : 0
     TS Unacceptable In       : 0             TS Unacceptable Out      : 0
     Res DH Compute Key Fail  : 0             Res DH Compute Key Fail  : 0
     Res Verify SA Fail       : 0
     Res Verify DH Group Fail : 0
     Res Verify TS Fail       : 0
From operational mode, enter the show security ipsec security-associations detail command.
user@srxb> show security ipsec security-associations detail
ID: 500230 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Thu Mar 02 2023 22:26:16: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x7ea065e7, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042

    Direction: outbound, SPI: 0x5f156c1b, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 2633 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2002 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (192 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
    IKE SA Index: 56042
From operational mode, enter the show security pki local-certificate certificate-id r1_crt_ecdsa384 detail command.
user@srxb> show security pki local-certificate certificate-id r1_crt_ecdsa384 detail
LSYS: root-logical-system
Certificate identifier: r1_crt_ecdsa384
  Certificate version: 3
  Serial number: hexadecimal: 0x0186a6254347a38063946d08595a55 decimal: 7923303152683216740296668848151125
  Issuer:
    Organization: juniper, Country: India, Common name: root-ecdsa-384
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: r1_spk1, Domain component: juniper
  Subject string:
    DC=juniper, CN=r1_spk1, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "r1_spk1@juniper.net", r1_spk1.juniper.net, 192.168.2
  Cert-Chain: root-ecdsa-384
  Validity:
    Not before: 03- 3-2023 05:55 UTC
    Not after: 06- 6-2027 13:21 UTC
  Public key algorithm: ecdsaEncryption(384 bits)
    04:c2:ba:19:dc:0d:62:a7:94:7b:9b:1d:4d:ff:a1:e1:44:b5:57:a7
    cb:7d:33:6b:35:87:b8:e4:ca:44:b1:6c:6d:63:ae:6f:3c:31:7c:7e
    65:99:b3:2d:a3:76:30:23:e5:0e:34:e1:28:54:d6:3e:d3:8b:de:b6
    b9:45:05:82:6f:1d:20:b7:6f:3c:ce:a2:13:a2:b4:37:0b:db:35:1e
    20:54:b5:06:9d:f8:7f:19:7b:c5:d7:7b:57:8b:28:31:d3
  Signature algorithm: ecdsa-with-SHA384
  Fingerprint:
    9b:cb:5a:57:a8:60:a0:ee:5c:be:59:4c:db:35:39:d3:b7:29:ef:b1 (sha1)
    ef:b5:e3:be:35:1b:6e:02:0b:61:11:a5:53:07:b4:89 (md5)
    8f:86:d0:12:ea:bc:a8:81:a8:17:3a:f9:03:e4:91:57:20:9c:11:bc:a4:dd:d1:7f:d1:48:3f:5b:d9:fb:93:32 (sha256)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.
user@srxb> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number: hexadecimal: 0x00000440 decimal: 1088
  Issuer:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject:
    Organization: juniper, Country: India, Common name: Root-CA
  Subject string:
    C=India, O=juniper, CN=Root-CA
  Validity:
    Not before: 06- 7-2022 12:36 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cd:9c:e6:9f:62:6c:49:15:c2:da:eb
    8e:e6:e5:a1:88:40:d8:b5:2e:5b:1a:0e:de:96:d7:0b:19:f9:03:44
    98:49:d5:cc:a8:90:2b:7f:1b:58:7b:1f:26:92:18:4c:2d:37:65:5c
    9f:0f:6e:10:b5:34:6f:2d:b5:9c:27:3b:a6:b1:b5:a0:e2:a6:92:3d
    e4:68:fe:5d:71:06:6f:ce:e6:0f:0f:e3:94:2a:23:57:98:a0:6a:9c
    e0:52:a2:47:ff:ce:b0:47:bd:36:95:80:a7:af:d2:49:b1:5d:2a:3d
    28:e4:95:06:b8:b3:d9:07:11:3c:13:af:c6:e2:51:08:22:82:2d:ec
    4f:26:40:b0:b0:55:2d:6e:c0:c8:19:34:a7:99:5a:bc:58:98:69:ae
    04:d6:6d:ec:4a:c9:55:a5:ff:00:cb:3b:02:85:fa:02:a1:5c:c1:9d
    6d:44:b8:95:8f:77:c0:53:fc:7f:a4:09:a3:25:1c:4a:e2:9d:0c:81
    08:b4:c8:b8:0d:bc:94:75:54:75:57:4f:d3:a4:17:0d:5d:1a:f3:c1
    1d:5d:73:2f:fe:8b:cb:fc:1f:93:87:72:d6:be:df:86:d7:e6:d1:c7
    0d:00:1a:6e:58:db:6a:1c:2f:1d:17:46:9a:f2:69:b4:21:db:08:5d
    8d:ab:30:7d:7f:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://10.102.40.55:8080/crl-as-der/currentcrl-11.crl?id=11
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    8b:84:60:2a:58:5b:80:f0:b9:ae:25:9f:67:3d:d6:81:ee:43:6c:d4 (sha1)
    ab:ec:4d:fe:d4:04:9c:c9:79:1d:9a:33:4e:6d:78:f6 (md5)
    9d:f0:c0:a0:93:74:11:53:d3:4d:2d:75:d3:60:37:5f:fb:b7:a9:67:42:cd:7c:3c:0e:0f:9b:58:36:3c:14:f5 (sha256)
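The Verify SRX_A and Verify SRX_B sections above leave the operator to compare several outputs by eye: that the IKE SA is UP, that the authentication method each peer reports (RSA-signatures on SRX_A, ECDSA-384-signatures on SRX_B) matches the key type of the local certificate it is configured with, and that the certificate is still inside its validity window. The following script is an added example, not Juniper's code, that automates that comparison over the text of the show security ike security-associations detail and show security pki local-certificate certificate-id certificate-name detail outputs (captured off-box, for example over SSH, or pasted from the CLI). The sample outputs embedded in it are constructed from the values on this page and trimmed to the fields that are checked; the ECDSA pattern for curve sizes other than 384 is an assumption, since the page only shows the RSA and ECDSA-384 strings.

```python
"""Cross-check an SRX peer's IKE SA against the local certificate it authenticates with."""
import re
from datetime import datetime, timedelta, timezone


def parse_junos_time(s):
    """Parse a Junos PKI timestamp such as '03- 3-2023 05:54 UTC' (the day is space padded)."""
    s = re.sub(r"-\s+", "-", s.strip())  # '03- 3-2023 ...' -> '03-3-2023 ...'
    return datetime.strptime(s, "%m-%d-%Y %H:%M UTC").replace(tzinfo=timezone.utc)


def _grab(pattern, text):
    """Return the first capture group of pattern in text, or raise if the field is absent."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_ike_sa(text):
    """Fields of interest from 'show security ike security-associations detail'."""
    return {
        "peer": _grab(r"IKE peer (\S+),", text),
        "gateway": _grab(r"Gateway Name: (\S+)", text),
        "state": _grab(r"State: (\S+)", text),
        "auth_method": _grab(r"Authentication method: (\S+)", text),
    }


def parse_local_cert(text):
    """Identifier, key type and validity from 'show security pki local-certificate ... detail'."""
    alg = re.search(r"Public key algorithm: (\w+)\((\d+) bits\)", text)
    if not alg:
        raise ValueError("public key algorithm not found")
    return {
        "id": _grab(r"Certificate identifier: (\S+)", text),
        "key_alg": alg.group(1),
        "key_bits": int(alg.group(2)),
        "not_before": parse_junos_time(_grab(r"Not before: (.+? UTC)", text)),
        "not_after": parse_junos_time(_grab(r"Not after: (.+? UTC)", text)),
    }


def expected_auth_method(key_alg, key_bits):
    """IKE authentication method Junos reports for a given local key type.
    'RSA-signatures' and 'ECDSA-384-signatures' are the strings shown on this page;
    building the string the same way for other ECDSA curve sizes is an assumption."""
    if key_alg == "rsaEncryption":
        return "RSA-signatures"
    if key_alg == "ecdsaEncryption":
        return f"ECDSA-{key_bits}-signatures"
    raise ValueError(f"unsupported key algorithm: {key_alg}")


def check_peer(ike_text, cert_text, now, warn_days=30):
    """Return a list of findings; an empty list means the SA and certificate are consistent."""
    ike, cert = parse_ike_sa(ike_text), parse_local_cert(cert_text)
    findings = []
    if ike["state"] != "UP":
        findings.append(f"IKE SA to {ike['peer']} ({ike['gateway']}) is {ike['state']}, not UP")
    want = expected_auth_method(cert["key_alg"], cert["key_bits"])
    if ike["auth_method"] != want:
        findings.append(f"auth method {ike['auth_method']} does not match {cert['id']} (expected {want})")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append(f"certificate {cert['id']} is outside its validity window")
    elif cert["not_after"] - now < timedelta(days=warn_days):
        findings.append(f"certificate {cert['id']} expires within {warn_days} days")
    return findings


# Constructed samples: values taken from this page's outputs, trimmed to the lines used above.
SRXA_IKE = """IKE peer 192.168.1.2, Index 32, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Exchange type: IKEv2, Authentication method: RSA-signatures
"""
SRXA_CERT = """Certificate identifier: r0_rsa_crt
  Validity:
    Not before: 03- 3-2023 05:54 UTC
    Not after: 06- 6-2027 12:36 UTC
  Public key algorithm: rsaEncryption(2048 bits)
"""
SRXB_IKE = """IKE peer 192.168.1.1, Index 56042, Gateway Name: IKE_GW
  Role: Responder, State: UP
  Exchange type: IKEv2, Authentication method: ECDSA-384-signatures
"""
SRXB_CERT = """Certificate identifier: r1_crt_ecdsa384
  Validity:
    Not before: 03- 3-2023 05:55 UTC
    Not after: 06- 6-2027 13:21 UTC
  Public key algorithm: ecdsaEncryption(384 bits)
"""
# Time of the IPsec SA negotiation shown in the SRX_A output on this page.
NOW = datetime(2023, 3, 9, 22, 41, 36, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, ike, cert in (("SRX_A", SRXA_IKE, SRXA_CERT), ("SRX_B", SRXB_IKE, SRXB_CERT)):
        problems = check_peer(ike, cert, NOW)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run as written, both peers report OK even though one authenticates with RSA and the other with ECDSA-384, which is exactly the behaviour this example configures. Feeding SRX_A's IKE output together with SRX_B's certificate produces an "auth method does not match" finding, and moving the clock past 06- 6-2027 produces a validity-window finding, so the same check doubles as an expiry monitor for the certificates the tunnel depends on.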