This is a simple IPsec VPN that uses PKI for IKE authentication, with certificates issued by CAcert.org.
Adjust the configs to use our certificates for peer verification instead of a pre-shared key.
Create a new IKE proposal and policy that uses the RSA keypairs we created, and uses X.509 certificates for verification on each SRX.
[edit security ike]
juniper@SRX210-1# show
proposal IKE-RSA {
    authentication-method rsa-signatures;
    dh-group group5;
    authentication-algorithm md5;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
}
policy IKE-POLICY-RSA {
    mode main;
    proposals IKE-RSA;
    certificate {
        local-certificate srx210-1;
        peer-certificate-type x509-signature;
    }
}

[edit security ike]
juniper@SRX210-1#
Modify the IKE gateway to use the new IKE-POLICY-RSA. Configure the local and remote identities. These need to be names that can be matched against the certificates.
[edit security ike]
gateway SRX210-2 {
    ike-policy IKE-POLICY-RSA;
    address 10.69.69.212;
    local-identity hostname srx210-1.blackhole-networks.com;
    remote-identity hostname srx210-2.blackhole-networks.com;
    external-interface fe-0/0/7.0;
}

[edit security ike]
juniper@SRX210-1#
[edit security ike]
gateway SRX210-1 {
    ike-policy IKE-POLICY-RSA;
    address 10.69.69.211;
    local-identity hostname srx210-2.blackhole-networks.com;
    remote-identity hostname srx210-1.blackhole-networks.com;
    external-interface fe-0/0/7.0;
}

[edit security ike]
juniper@SRX210-2#
Commit everything and check that the IKE SA is still up and is now using RSA signatures (the certificates) for IKE authentication.
juniper@SRX210-1# run show security ike security-associations detail
IKE peer 10.69.69.212, Index 136986, Gateway Name: SRX210-2
  Role: Responder, State: UP
  Initiator cookie: f51ebd78e02f40b7, Responder cookie: 18875c9948de984a
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.69.69.211:500, Remote: 10.69.69.212:500
  Lifetime: Expires in 3334 seconds
  Peer ike-id: srx210-2.blackhole-networks.com
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-md5
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 2928
   Output bytes  :                 2724
   Input  packets:                    5
   Output packets:                    4
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.69.69.211:500, Remote: 10.69.69.212:500
    Local identity: srx210-1.blackhole-networks.com
    Remote identity: srx210-2.blackhole-networks.com
    Flags: IKE SA is created

[edit security ike]
juniper@SRX210-1#
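As an added example (not part of the original post), a small Python script that parses output like the above and checks each IKE SA is UP, was authenticated with RSA signatures rather than a pre-shared key, and reports a peer ike-id that matches the remote-identity configured on the gateway. The sample output is constructed from the page's values, not a live capture, and the EXPECTED mapping is an assumption about what this page's config should produce.

```python
import re

# Constructed sample, modelled on the SRX210-1 output shown above (not a live capture).
SAMPLE_OUTPUT = """\
IKE peer 10.69.69.212, Index 136986, Gateway Name: SRX210-2
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.69.69.211:500, Remote: 10.69.69.212:500
  Lifetime: Expires in 3334 seconds
  Peer ike-id: srx210-2.blackhole-networks.com
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : aes128-cbc
   Diffie-Hellman group  : DH-group-5
"""

# Assumed expectations, taken from the gateway SRX210-2 config on this page.
EXPECTED = {
    "gateway": "SRX210-2",
    "auth_method": "RSA-signatures",
    "peer_id": "srx210-2.blackhole-networks.com",
}

FIELDS = {
    "state": r"State: (\S+)",
    "auth_method": r"Authentication method: (\S+)",
    "peer_id": r"Peer ike-id: (\S+)",
    "lifetime": r"Expires in (\d+) seconds",
}


def parse_ike_sas(text):
    """Split 'show security ike security-associations detail' output into one dict per IKE peer block."""
    sas = []
    for block in re.split(r"(?m)^(?=IKE peer )", text):
        head = re.match(r"IKE peer (\S+), Index (\d+), Gateway Name: (\S+)", block)
        if not head:
            continue  # skip the empty leading split and any non-SA text
        sa = {"peer": head.group(1), "index": int(head.group(2)), "gateway": head.group(3)}
        for key, pattern in FIELDS.items():
            m = re.search(pattern, block)
            sa[key] = m.group(1) if m else None
        sas.append(sa)
    return sas


def check_sa(sa, expected):
    """Return a list of findings; an empty list means the SA matches the intended configuration."""
    findings = []
    if sa["state"] != "UP":
        findings.append(f"state is {sa['state']}, not UP")
    if sa["auth_method"] != expected["auth_method"]:
        findings.append(f"auth method {sa['auth_method']} (expected {expected['auth_method']}); "
                        "peer may still be using the pre-shared key")
    if sa["peer_id"] != expected["peer_id"]:
        findings.append(f"peer ike-id {sa['peer_id']} does not match remote-identity {expected['peer_id']}")
    return findings
```

Run it against the real CLI output (for example `show security ike security-associations detail | no-more` saved to a file) to catch a peer that silently fell back to the old pre-shared-key policy.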
Enjoy a successful configuration!