Site-to-Site (Dial-Up) IPSec VPN between two SRX firewalls via PKI

[KB24704]


Summary:
This article describes how to configure a Site-to-Site IPsec VPN in which one SRX device receives a dynamic IP address from a DSL modem and the other SRX device has a statically assigned public IP address.
Symptoms:
This setup is known as a Dial-Up VPN, because the Responder (server) has no advance knowledge of the Initiator (client), whose address changes.
Cause:
 
Solution:
Configuration on the Server (Responder) side:

juniper@SRX-A> show configuration security ike 
proposal prop_svr {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike_pol_svr {
    mode main;
    proposals prop_svr;
    certificate {
        local-certificate Local_Cert_CA;
        peer-certificate-type x509-signature;
    }
}
gateway gw_svr {
    ike-policy ike_pol_svr;
    dynamic {
        distinguished-name {
            container CN=client-srx;
        }
    }
    external-interface fe-0/0/0.0;
}
juniper@SRX-A> show configuration security ipsec  
policy ipsec_pol_svr {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set compatible;
}
vpn vpn_svr {
    bind-interface st0.1;
    ike {
        gateway gw_svr;
        ipsec-policy ipsec_pol_svr;
    }
}

juniper@SRX-A> show security pki ca-certificate detail 
Certificate identifier: CA_Cert
  Certificate version: 3
  Serial number: 00000001
  Issuer:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Subject:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Validity:
    Not before: 09-23-2008 19:27
    Not after: 09-20-2023 19:27
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:9f:c9:a7:05:c6:ed:ff:a8:b6:de:c8:c4:6c
    5f:f6:1a:78:b8:c3:fb:ea:71:39:ac:2b:d8:cb:8e:38:32:14:1e:28
    9e:f1:04:92:9d:34:8c:f9:51:1a:43:20:54:df:63:e8:48:1b:60:d6
    2f:2a:c2:d0:f1:29:d1:97:6b:66:24:57:c6:4d:c1:52:61:3c:49:7a
    6f:84:fe:e7:e1:61:0f:79:60:4c:8b:15:43:4f:5a:8a:b5:83:11:9d
    d4:eb:01:75:7d:fe:fd:d0:ad:3c:ba:f3:25:1f:bf:a2:af:0a:25:06
    bd:a8:49:c8:d0:86:c5:1e:ef:91:d0:f9:2e:6f:81:02:03:01:00:01
  Signature algorithm: md5WithRSAEncryption
  Fingerprint:
    c5:41:d5:bb:d6:ec:22:d0:f6:4b:78:1a:a0:9b:ac:c4:56:1d:df:37 (sha1)
    4f:20:6f:1e:85:78:c6:60:e3:91:d0:23:b8:8d:9d:60 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

juniper@SRX-A> show security pki local-certificate detail    
Certificate identifier: Local_Cert_CA
  Certificate version: 3
  Serial number: 000000ce
  Issuer:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Subject:
    Organization: Sec-Domain, Organizational unit: Security, Country: US, State: California,
    Common name: 192.168.254.254
  Alternate subject: email empty, fqdn empty, 192.168.254.254
  Validity:
    Not before: 05-24-2012 20:38
    Not after: 05-24-2022 20:38
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:bd:59:bd:1f:5d:ff:28:48:2c:17:57:26:5e
    92:a6:16:a3:3d:d6:da:4c:05:dd:61:d3:e9:7f:c3:c9:57:5e:64:e5
    c9:b6:27:b7:1b:a0:fc:f1:78:ad:30:c9:86:17:17:5a:0b:a7:db:b3
    04:a1:24:df:62:f7:0d:cd:5d:0f:e2:58:b1:53:4d:f7:1f:87:55:e3
    a5:47:1f:3b:f2:7b:7c:56:cb:71:1d:0d:00:2f:70:64:5c:57:48:3a
    d9:a9:b1:45:92:37:29:46:28:e8:2d:75:c9:93:7d:a7:c9:bd:06:2b
    77:e1:83:fc:5d:d2:00:60:d9:a6:15:6e:c8:47:89:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Use for key: Data encipherment, Key encipherment, Digital signature, IPSec End System, 1.3.6.1.5.5.7.3.5,
    IPSec Tunnel, 1.3.6.1.5.5.7.3.6, IPSec User, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.8.2.2, 1.3.6.1.5.5.8.2.2, OCSP Signing, 1.3.6.1.5.5.7.3.9
  Fingerprint:
    8d:8f:08:c9:0e:bd:5e:cb:56:ff:d9:09:51:5b:10:4b:0b:be:95:84 (sha1)
    90:a9:37:54:d4:01:d7:6e:f5:28:2d:b0:03:9b:b5:5a (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

Caution: Make sure that the public IP address is included in the local certificate on the Responder SRX device. In this example, the certificate contains the IP address 192.168.254.254. An SRX acting as Responder with a statically assigned IP address supports only an IP address as its IKE ID, so it matches the IP address contained in the certificate against the IP address configured for IKE communication (192.168.254.254).

Note: Junos supports Distinguished Name, Host Name, IP Address, and Email Address as IKE IDs. If the local certificate installed on the Responder SRX device does not carry the IP address as one of its identities, the tunnel is not established and the following error message is generated when traceoptions are defined under [security pki traceoptions]:
May 23 02:59:21 pkid_process_find_public_key_req Find Public Key
May 23 02:59:21 ike_cert_req_init: cert has no EE name<192.168.254.254> type<1>, len<4>, ret <-5>.
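The check behind the Caution above, as an added example that is not part of this KB article: it parses the identity fields of Junos `show security pki local-certificate detail` output and reports whether the certificate carries the responder's IKE IP address. The two inputs are constructed samples trimmed from the outputs shown on this page; the function names are this example's own.

```python
import ipaddress
import re

# Constructed samples, trimmed from the two "show security pki local-certificate detail"
# outputs on this page to the fields this check reads.
RESPONDER_CERT = """\
Certificate identifier: Local_Cert_CA
  Issuer:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Subject:
    Organization: Sec-Domain, Organizational unit: Security, Country: US, State: California,
    Common name: 192.168.254.254
  Alternate subject: email empty, fqdn empty, 192.168.254.254
"""
CLIENT_CERT = """\
Certificate identifier: Local_Cert_Client
  Subject:
    Organization: Lab, Organizational unit: JTAC, Country: US, State: California,
    Common name: client-srx
  Alternate subject: "support@abc.com", fqdn empty, ip empty
"""

def parse_identities(text):
    """Return (subject CN, list of alternate-subject fields) from Junos certificate output."""
    # The Issuer block also has a "Common name:" line, so anchor on the Subject block first.
    cn = re.search(r"^\s*Subject:.*?^\s*Common name:\s*(\S+)", text, re.M | re.S)
    alt = re.search(r"^\s*Alternate subject:\s*(.+)$", text, re.M)
    fields = [f.strip().strip('"') for f in alt.group(1).split(",")] if alt else []
    return (cn.group(1) if cn else None), fields

def san_ip_addresses(text):
    """IP addresses carried in the alternate subject ('ip empty' yields none)."""
    found = []
    for field in parse_identities(text)[1]:
        try:
            found.append(ipaddress.ip_address(field))
        except ValueError:
            pass  # email, fqdn, or one of the literal "... empty" markers
    return found

def responder_ike_id_ok(text, ike_address):
    """True when the certificate carries the responder's IKE IP in its alternate subject,
    the identity a statically addressed SRX responder matches against its IKE address."""
    return ipaddress.ip_address(ike_address) in san_ip_addresses(text)

if __name__ == "__main__":
    for name, cert in (("Local_Cert_CA", RESPONDER_CERT), ("Local_Cert_Client", CLIENT_CERT)):
        cn, _ = parse_identities(cert)
        print(f"{name}: CN={cn}, usable as responder IKE ID for 192.168.254.254:",
              responder_ike_id_ok(cert, "192.168.254.254"))
```

Running it against the client certificate returns False, which is the situation that produces the `cert has no EE name` trace message when such a certificate is used on the responder.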

Configuration on the Client (Initiator) side:

juniper@SRX-B> show configuration security ike 
proposal prop_client {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike_pol_client {
    mode main;
    proposals prop_client;
    certificate {
        local-certificate Local_Cert_Client;
        peer-certificate-type x509-signature;
    }
}
gateway gw_client {
    ike-policy ike_pol_client;
    address 192.168.254.254;
    nat-keepalive 200;
    local-identity distinguished-name;
    external-interface fe-0/0/0.0;
}

juniper@SRX-B> show configuration security ipsec 
policy ipsec_pol_client {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set compatible;
}
vpn vpn_client {
    bind-interface st0.1;
    vpn-monitor;
    ike {
        gateway gw_client;
        ipsec-policy ipsec_pol_client;
    }
    establish-tunnels immediately;
}

juniper@SRX-B> show security pki ca-certificate detail 
Certificate identifier: CA_Cert
  Certificate version: 3
  Serial number: 00000001
  Issuer:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Subject:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Validity:
    Not before: 09-23-2008 19:27
    Not after: 09-20-2023 19:27
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:9f:c9:a7:05:c6:ed:ff:a8:b6:de:c8:c4:6c
    5f:f6:1a:78:b8:c3:fb:ea:71:39:ac:2b:d8:cb:8e:38:32:14:1e:28
    9e:f1:04:92:9d:34:8c:f9:51:1a:43:20:54:df:63:e8:48:1b:60:d6
    2f:2a:c2:d0:f1:29:d1:97:6b:66:24:57:c6:4d:c1:52:61:3c:49:7a
    6f:84:fe:e7:e1:61:0f:79:60:4c:8b:15:43:4f:5a:8a:b5:83:11:9d
    d4:eb:01:75:7d:fe:fd:d0:ad:3c:ba:f3:25:1f:bf:a2:af:0a:25:06
    bd:a8:49:c8:d0:86:c5:1e:ef:91:d0:f9:2e:6f:81:02:03:01:00:01
  Signature algorithm: md5WithRSAEncryption
  Fingerprint:
    c5:41:d5:bb:d6:ec:22:d0:f6:4b:78:1a:a0:9b:ac:c4:56:1d:df:37 (sha1)
    4f:20:6f:1e:85:78:c6:60:e3:91:d0:23:b8:8d:9d:60 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

juniper@SRX-B> show security pki local-certificate detail 
Certificate identifier: Local_Cert_Client
  Certificate version: 3
  Serial number: 000000c4
  Issuer:
    Organization: Global-Lab, Organizational unit: Security, Country: US, State: California,
    Common name: Local_CA
  Subject:
    Organization: Lab, Organizational unit: JTAC, Country: US, State: California,
    Common name: client-srx
  Alternate subject: "support@abc.com", fqdn empty, ip empty
  Validity:
    Not before: 05-14-2012 18:12
    Not after: 05-14-2022 18:12
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:c0:7c:a7:7f:58:e0:5c:3b:74:a9:ca:44:02
    44:4f:c7:76:32:5e:8c:40:94:3b:1d:af:3a:b0:ff:ff:75:cb:58:f9
    de:cf:5a:f8:ed:cc:04:af:79:03:87:17:6c:ba:91:8e:83:ce:a8:ba
    b5:84:57:82:0c:c4:c4:56:0d:94:99:bf:14:27:ca:d9:0d:aa:d0:54
    64:18:12:e6:27:72:20:d2:79:29:70:6f:4e:07:fa:37:8f:05:8e:da
    33:ab:b1:2a:e0:87:c6:3d:00:a5:a1:48:af:bb:7d:21:e3:1c:1c:11
    67:2e:de:76:34:97:7a:89:fb:ff:cf:b7:1e:af:3b:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Use for key: Data encipherment, Key encipherment, Digital signature, IPSec End System, 1.3.6.1.5.5.7.3.5,
    IPSec Tunnel, 1.3.6.1.5.5.7.3.6, IPSec User, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.8.2.2, 1.3.6.1.5.5.8.2.2, OCSP Signing, 1.3.6.1.5.5.7.3.9
  Fingerprint:
    4e:9f:5a:43:27:f9:04:1f:96:b0:6e:20:f6:67:88:b4:37:11:9f:db (sha1)
    46:ac:66:c1:50:fc:52:29:60:c5:fc:75:be:1e:29:74 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

Verification:

  • show security ike security-association
  • show security ipsec security-association
  • show security ipsec statistics