Configure Multiple Certificate Types to Establish IKE and IPsec SA

Learn how to configure and manage multiple certificate types.

This example shows how to configure multiple certificate types to establish IKE and IPsec SA.

Starting in Junos OS Release 22.4R1, tunnels can be established regardless of the certificate type (for example, RSA or ECDSA) enrolled on the initiator and on the responder, provided the IKE proposal uses authentication-method certificates, configured with the set security ike proposal ike_proposal_name authentication-method certificates command. The proposal then no longer pins a single signature algorithm; each peer is authenticated with the algorithm its own certificate carries, and the peer certificate is still validated against the configured CA profile.

You can view an enrolled certificate using the show security pki local-certificate certificate-id certificate-name detail command.

You can verify an enrolled certificate against its CA chain using the request security pki local-certificate verify certificate-id certificate-name command.

Requirements

Before you begin:

  • Ensure that you have certificates enrolled on your devices; see Certificate Enrollment.

    You can view the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command, and verify them using the request security pki local-certificate verify certificate-id certificate-name command.

  • Ensure that the IKE package is installed. To check, use the show version | match ike operational command.

    If the IKE package is not installed on the device, install it using the operational command request system software add optional://junos-ike.tgz. For more information, see Enabling IPsec VPN Feature Set.

Overview

This example configures multiple certificate types to establish IKE and IPsec SAs between SRX_A and SRX_B.

In this example, an RSA certificate is enrolled on SRX_A and an ECDSA certificate is enrolled on SRX_B. For more information about how to install the certificates, see Certificate Enrollment.

Table 1: Topology Setup for SRX_A and SRX_B Devices
Device Name   Interface Used   IKE Gateway Address   IKE Gateway Local IP Address
SRX_A         ge-0/0/0         192.168.1.2           192.168.1.1
SRX_B         ge-0/0/0         192.168.1.1           192.168.1.2

Topology

Figure 1 shows the topology for the multiple certificate types support configuration.

Figure 1: Multiple Certificate Types Support Configuration Example

Configuration

Configuring SRX_A

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.

To configure multiple certificate types to establish IKE and IPsec SA:

  1. View the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command.

    Install the certificate on your device if your device does not have the certificates enrolled. For more information, see Certificate Enrollment.

  2. Configure interfaces.

  3. Configure security zones and the security policy.

  4. Configure the IKE proposal.

  5. Configure the IKE policy.

  6. Configure the IKE gateway.

  7. Configure the IPsec proposal.

  8. Configure the IPsec policy.

  9. Configure the IPsec VPN.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring SRX_B

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI Configuration Mode Overview in the CLI User Guide.

To configure multiple certificate types to establish IKE and IPsec SA:

  1. View the certificates enrolled on your devices using the show security pki local-certificate certificate-id certificate-name detail command.

    Install the certificate on your device if your device does not have the certificates enrolled. For more information, see Certificate Enrollment.

  2. Configure interfaces.

  3. Configure security zones and the security policy.

  4. Configure the IKE proposal.

  5. Configure the IKE policy.

  6. Configure the IKE gateway.

  7. Configure the IPsec proposal.

  8. Configure the IPsec policy.

  9. Configure the IPsec VPN.
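The following set-command listing walks through steps 2 to 9 for both devices. It is an added, assembled example and not the page's own CLI Quick Configuration (which is not reproduced here). It reuses only what the page states: interface ge-0/0/0, addresses 192.168.1.1 and 192.168.1.2, certificate IDs r0_rsa_cr (SRX_A) and r1_crt_ecdsa384 (SRX_B), CA profile Root-CA, and authentication-method certificates. The zone, proposal, policy, gateway and VPN names, the st0 tunnel addresses, the algorithms, IKEv2-only, and the trusted-ca binding on the IKE policy are assumptions. Lines beginning with # are reader notes; strip them before pasting at the [edit] hierarchy level.

```junos
# ---- SRX_A: holds the RSA certificate r0_rsa_cr ----
# Step 2: external interface (page values) and tunnel interface (address assumed)
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet address 10.10.10.1/30
# Step 3: zones and policy (names assumed); IKE must be allowed inbound on the external interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy to-vpn match application any
set security policies from-zone trust to-zone vpn policy to-vpn then permit
set security policies from-zone vpn to-zone trust policy from-vpn match source-address any
set security policies from-zone vpn to-zone trust policy from-vpn match destination-address any
set security policies from-zone vpn to-zone trust policy from-vpn match application any
set security policies from-zone vpn to-zone trust policy from-vpn then permit
# Step 4: IKE proposal. "certificates" (page command) instead of an algorithm-specific
# method such as rsa-signatures, so RSA and ECDSA peers can interoperate. Algorithms assumed.
set security ike proposal IKE_PROP authentication-method certificates
set security ike proposal IKE_PROP dh-group group19
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
# Step 5: IKE policy binds this device's certificate; trusted-ca (assumed knob) keeps the
# trust anchor explicit even though the proposal no longer pins the signature type
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate r0_rsa_cr
set security ike policy IKE_POL certificate trusted-ca Root-CA
# Step 6: IKE gateway (page addresses; identities carried as certificate DNs)
set security ike gateway GW_B ike-policy IKE_POL
set security ike gateway GW_B address 192.168.1.2
set security ike gateway GW_B local-address 192.168.1.1
set security ike gateway GW_B external-interface ge-0/0/0.0
set security ike gateway GW_B local-identity distinguished-name
set security ike gateway GW_B remote-identity distinguished-name
set security ike gateway GW_B version v2-only
# Steps 7-8: IPsec proposal and policy (AEAD cipher and PFS group assumed)
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group19
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
# Step 9: route-based VPN bound to st0.0
set security ipsec vpn VPN_B bind-interface st0.0
set security ipsec vpn VPN_B ike gateway GW_B
set security ipsec vpn VPN_B ike ipsec-policy IPSEC_POL
set security ipsec vpn VPN_B establish-tunnels immediately

# ---- SRX_B: holds the ECDSA certificate r1_crt_ecdsa384 ----
# Identical to SRX_A apart from the lines below. Note the IKE proposal is unchanged:
# the same "authentication-method certificates" proposal accepts the RSA peer.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces st0 unit 0 family inet address 10.10.10.2/30
set security ike policy IKE_POL certificate local-certificate r1_crt_ecdsa384
set security ike policy IKE_POL certificate trusted-ca Root-CA
set security ike gateway GW_A ike-policy IKE_POL
set security ike gateway GW_A address 192.168.1.1
set security ike gateway GW_A local-address 192.168.1.2
set security ike gateway GW_A external-interface ge-0/0/0.0
set security ike gateway GW_A local-identity distinguished-name
set security ike gateway GW_A remote-identity distinguished-name
set security ike gateway GW_A version v2-only
set security ipsec vpn VPN_A bind-interface st0.0
set security ipsec vpn VPN_A ike gateway GW_A
set security ipsec vpn VPN_A ike ipsec-policy IPSEC_POL
set security ipsec vpn VPN_A establish-tunnels immediately
```

The point to check after commit is that show security ike security-associations detail on each side reports the peer as authenticated and that the local certificate shown is the RSA one on SRX_A and the ECDSA one on SRX_B; the mismatch in key types is expected and is exactly what the certificates authentication method permits. Keep the CA profile and trusted-ca binding in place on both peers, since relaxing the signature type in the proposal does not change which issuers are trusted.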

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verify SRX_A

The sample outputs shown are on SRX_A.

Purpose

Verify the IKE (Phase 1) and IPsec (Phase 2) SA status, and confirm which local certificate and CA certificate were used.

Action

From operational mode, enter the show security ike security-associations command.

From operational mode, enter the show security ipsec security-associations command.

From operational mode, enter the show security ike security-associations detail command.

From operational mode, enter the show security ipsec security-associations detail command.

From operational mode, enter the show security pki local-certificate certificate-id r0_rsa_cr detail command.

From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.

Verify SRX_B

The sample outputs shown are on SRX_B.

Purpose

Verify the IKE (Phase 1) and IPsec (Phase 2) SA status, and confirm which local certificate and CA certificate were used.

Action

From operational mode, enter the show security ike security-associations command.

From operational mode, enter the show security ipsec security-associations command.

From operational mode, enter the show security ike security-associations detail command.

From operational mode, enter the show security ipsec security-associations detail command.

From operational mode, enter the show security pki local-certificate certificate-id r1_crt_ecdsa384 detail command.

From operational mode, enter the show security pki ca-certificate ca-profile Root-CA detail command.