IPSEC VPN between Juniper SRXes using Certificates from CAcert

This is a simple IPSEC VPN that uses PKI for IKE authentication, with certificates issued by CAcert.org instead of a pre-shared key.

Adjusting our VPN Setup to use PKI

Adjust the configs to use our certificates for verification instead of a pre-shared key.

Create a new IKE proposal and policy that uses the RSA keypairs we created, and uses X.509 certificates for peer verification on each SRX.

[edit security ike]
juniper@SRX210-1# show 
proposal IKE-RSA {
    authentication-method rsa-signatures;
    dh-group group5;
    authentication-algorithm md5;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POLICY-RSA {
    mode main;
    proposals IKE-RSA;
    certificate {
        local-certificate srx210-1;
        peer-certificate-type x509-signature;
    }
}
[edit security ike]
juniper@SRX210-1# 

Modify the IKE gateway to use the new IKE-POLICY-RSA, and configure the local and remote identities. These must be identities that can be matched against the certificates.

SRX210-1

[edit security ike]
gateway SRX210-2 {
    ike-policy IKE-POLICY-RSA;
    address 10.69.69.212;
    local-identity hostname srx210-1.blackhole-networks.com;
    remote-identity hostname srx210-2.blackhole-networks.com;
    external-interface fe-0/0/7.0;
}

[edit security ike]
juniper@SRX210-1# 

SRX210-2

[edit security ike]
gateway SRX210-1 {
    ike-policy IKE-POLICY-RSA;
    address 10.69.69.211;
    local-identity hostname srx210-2.blackhole-networks.com;
    remote-identity hostname srx210-1.blackhole-networks.com;
    external-interface fe-0/0/7.0;
}

[edit security ike]
juniper@SRX210-2# 

Commit everything and check that the IKE SA is still up and is now using the certificates (RSA signatures) for IKE authentication.

juniper@SRX210-1# run show security ike security-associations detail 
IKE peer 10.69.69.212, Index 136986, Gateway Name: SRX210-2
  Role: Responder, State: UP
  Initiator cookie: f51ebd78e02f40b7, Responder cookie: 18875c9948de984a
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.69.69.211:500, Remote: 10.69.69.212:500
  Lifetime: Expires in 3334 seconds
  Peer ike-id: srx210-2.blackhole-networks.com
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-md5-96 
   Encryption            : aes128-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 2928
   Output bytes  :                 2724
   Input  packets:                    5
   Output packets:                    4
  Flags: IKE SA is created 
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.69.69.211:500, Remote: 10.69.69.212:500
    Local identity: srx210-1.blackhole-networks.com
    Remote identity: srx210-2.blackhole-networks.com
    Flags: IKE SA is created


[edit security ike]
juniper@SRX210-1# 
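As an added post-commit check (example code, not part of the original post), this Python script parses the IKE SA detail output above and verifies that the SA is UP, that the peer was authenticated with RSA signatures rather than a pre-shared key, and that the peer ike-id matches the configured remote-identity; it also flags the MD5-based integrity and PRF algorithms as a caveat. The sample output is a trimmed copy of the page's output, and the expected identity is the page's remote-identity value.

```python
import re

# Constructed sample: the IKE SA detail output shown above, trimmed to the
# lines this check needs (values copied from the page).
SAMPLE_OUTPUT = """\
IKE peer 10.69.69.212, Index 136986, Gateway Name: SRX210-2
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: RSA-signatures
  Peer ike-id: srx210-2.blackhole-networks.com
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-md5
"""

SCALAR_KEYS = ("State", "Exchange type", "Authentication method", "Peer ike-id")
ALG_KEYS = ("Authentication", "Encryption", "Pseudo random function")


def parse_ike_sa(text):
    """Flatten one peer's SA detail block into a dict of fields."""
    fields = {}
    for key in SCALAR_KEYS:
        m = re.search(rf"{re.escape(key)}: ([^,\n]+)", text)
        if m:
            fields[key] = m.group(1).strip()
    for key in ALG_KEYS:
        # algorithm lines are indented and padded with spaces before the colon
        m = re.search(rf"^\s+{re.escape(key)}\s*: (\S+)", text, re.MULTILINE)
        if m:
            fields["alg " + key] = m.group(1)
    return fields


def check_ike_sa(fields, remote_identity):
    """Return findings; an empty list means the SA is up, RSA-signature
    authenticated and bound to the expected peer identity. MD5 is a caveat."""
    findings = []
    if fields.get("State") != "UP":
        findings.append(f"IKE SA state is {fields.get('State')}")
    if fields.get("Authentication method") != "RSA-signatures":
        findings.append("peer not authenticated with RSA signatures: "
                        f"{fields.get('Authentication method')}")
    if fields.get("Peer ike-id") != remote_identity:
        findings.append(f"peer ike-id {fields.get('Peer ike-id')} does not "
                        f"match configured remote-identity {remote_identity}")
    for key in ("alg Authentication", "alg Pseudo random function"):
        if "md5" in fields.get(key, "").lower():
            findings.append(f"{key} uses MD5 ({fields[key]}); prefer SHA-2")
    return findings
```

Feed it the real output of `run show security ike security-associations detail` (one peer block at a time) and the remote-identity from the gateway configuration; on this page's output the only findings are the two MD5 caveats.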

Enjoy a successful configuration!