Thursday 27 March 2014

Juniper SRX - PKI - Certificate-based VPNs - Part 03 - SRX Configuration

Continuing on with Part 03 of this series (Part 02 found here), we'll finish the SRX configuration and bring up the tunnel:

set security ike proposal CERT_PROP authentication-method rsa-signatures
set security ike proposal CERT_PROP dh-group group2
set security ike proposal CERT_PROP authentication-algorithm sha1
set security ike proposal CERT_PROP encryption-algorithm aes-128-cbc
set security ike proposal CERT_PROP lifetime-seconds 86400

set security ike policy vSRX_02_CERT mode main
set security ike policy vSRX_02_CERT proposals CERT_PROP
set security ike policy vSRX_02_CERT certificate local-certificate SRX210_key_01
set security ike policy vSRX_02_CERT certificate peer-certificate-type x509-signature

set security ike gateway vSRX_02 ike-policy vSRX_02_CERT
set security ike gateway vSRX_02 address 10.0.0.102
set security ike gateway vSRX_02 external-interface reth2.0
set security ike gateway vSRX_02 local-identity user-at-hostname "your.email@domain.com"
set security ike gateway vSRX_02 remote-identity user-at-hostname "your.email@domain.com"

root@SRX210_A# run show security ike sa 10.0.0.102 detail
node0:
--------------------------------------------------------------------------
IKE peer 10.0.0.102, Index 1917721, Gateway Name: vSRX_02
  Role: Responder, State: UP
  Initiator cookie: 1bb59a819ce8e2df, Responder cookie: 4daa2c9906f66705
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 192.168.0.211:500, Remote: 10.0.0.102:500
  Lifetime: Expires in 86381 seconds
  Peer ike-id: your.email@domain.com
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 2516
   Output bytes  :                 2296
   Input  packets:                    5
   Output packets:                    4
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.0.211:500, Remote: 10.0.0.102:500
    Local identity: your.email@domain.com
    Remote identity: your.email@domain.com
    Flags: IKE SA is created
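As an added example (not part of the original post and not Juniper's code), the script below parses the `set security ike` statements and the `show security ike sa` output shown above, audits the proposal and policy for anything that is not certificate-based or uses weak parameters, and then checks that the live SA actually negotiated what was configured (peer address, RSA signatures, main mode, algorithms, peer ike-id, lifetime). The two sample texts are copied from this post; the weak-parameter sets, the helper names and the normalisation rules are assumptions of this script, not Junos behaviour.

```python
"""Audit Junos IKE config for a certificate-based VPN and verify the negotiated SA
against it.  Added example; sample texts come from the post, thresholds are mine."""
import re
import shlex
from collections import defaultdict

# Constructed sample: the 'set' statements from the post.
SET_COMMANDS = """\
set security ike proposal CERT_PROP authentication-method rsa-signatures
set security ike proposal CERT_PROP dh-group group2
set security ike proposal CERT_PROP authentication-algorithm sha1
set security ike proposal CERT_PROP encryption-algorithm aes-128-cbc
set security ike proposal CERT_PROP lifetime-seconds 86400
set security ike policy vSRX_02_CERT mode main
set security ike policy vSRX_02_CERT proposals CERT_PROP
set security ike policy vSRX_02_CERT certificate local-certificate SRX210_key_01
set security ike policy vSRX_02_CERT certificate peer-certificate-type x509-signature
set security ike gateway vSRX_02 ike-policy vSRX_02_CERT
set security ike gateway vSRX_02 address 10.0.0.102
set security ike gateway vSRX_02 external-interface reth2.0
set security ike gateway vSRX_02 local-identity user-at-hostname "your.email@domain.com"
set security ike gateway vSRX_02 remote-identity user-at-hostname "your.email@domain.com"
"""

# Constructed sample: the phase-1 part of the 'show security ike sa ... detail' output.
IKE_SA_OUTPUT = """\
node0:
--------------------------------------------------------------------------
IKE peer 10.0.0.102, Index 1917721, Gateway Name: vSRX_02
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 192.168.0.211:500, Remote: 10.0.0.102:500
  Lifetime: Expires in 86381 seconds
  Peer ike-id: your.email@domain.com
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
"""

# Assumption: parameters this audit flags as too weak for a new deployment.
WEAK_DH = {"group1", "group2"}   # 768- and 1024-bit MODP
WEAK_HASH = {"md5", "sha1"}


def parse_set_commands(text):
    """{'proposal'|'policy'|'gateway': {name: {key: value}}}; the key is every token
    between the object name and the last one, e.g. 'local-identity user-at-hostname'."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = re.match(r"set security ike (proposal|policy|gateway) (\S+) (.+)", line.strip())
        if m:
            kind, name, rest = m.groups()
            tokens = shlex.split(rest)             # drops the quotes around the identity
            cfg[kind][name][" ".join(tokens[:-1])] = tokens[-1]
    return cfg


def parse_ike_sa(text):
    """Flatten one SA's 'Label: value' fields into a dict (comma-separated pairs split too)."""
    sa = {}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"IKE peer (\S+), Index \d+, Gateway Name: (\S+)", s)
        if m:
            sa["peer"], sa["gateway"] = m.groups()
            continue
        for part in s.split(", "):
            if ":" in part:
                k, v = part.split(":", 1)          # 'Local: 1.2.3.4:500' keeps its port
                sa[k.strip()] = v.strip()
    return sa


def norm(s):
    """'aes-128-cbc' and 'aes128-cbc' both become 'aes128cbc'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def identity(gw, side):
    """(id-type, value) of the local-/remote-identity statement, or None if absent."""
    for k, v in gw.items():
        if k.startswith(side + "-identity"):
            return k.split()[1], v
    return None


def audit(cfg):
    """Human-readable findings: non-certificate auth, weak DH/hash, dangling references."""
    out = []
    for name, p in cfg["proposal"].items():
        if p.get("authentication-method") != "rsa-signatures":
            out.append(f"proposal {name}: authentication-method is not rsa-signatures")
        if p.get("dh-group") in WEAK_DH:
            out.append(f"proposal {name}: dh-group {p['dh-group']} is 1024-bit MODP or smaller")
        if p.get("authentication-algorithm") in WEAK_HASH:
            out.append(f"proposal {name}: authentication-algorithm {p['authentication-algorithm']} is deprecated")
    for name, pol in cfg["policy"].items():
        if pol.get("proposals") not in cfg["proposal"]:
            out.append(f"policy {name}: references undefined proposal {pol.get('proposals')}")
        if pol.get("certificate peer-certificate-type") != "x509-signature":
            out.append(f"policy {name}: peer-certificate-type is not x509-signature")
    for name, gw in cfg["gateway"].items():
        if gw.get("ike-policy") not in cfg["policy"]:
            out.append(f"gateway {name}: references undefined policy {gw.get('ike-policy')}")
    return out


def verify(cfg, sa):
    """Names of the checks where the negotiated SA disagrees with the configuration."""
    gw = cfg["gateway"].get(sa["gateway"])
    if gw is None:
        return ["unknown gateway"]
    pol = cfg["policy"][gw["ike-policy"]]
    prop = cfg["proposal"][pol["proposals"]]
    remaining = int(re.search(r"(\d+) seconds", sa["Lifetime"]).group(1))
    checks = [
        ("state", sa["State"] == "UP"),
        ("peer address", sa["peer"] == gw["address"]),
        ("auth method", norm(sa["Authentication method"]) == norm(prop["authentication-method"])),
        ("mode", sa["Exchange type"].lower() == pol["mode"]),
        ("encryption", norm(sa["Encryption"]) == norm(prop["encryption-algorithm"])),
        ("hash", norm(prop["authentication-algorithm"]) in norm(sa["Authentication"])),
        ("dh group", norm(sa["Diffie-Hellman group"]).endswith(norm(prop["dh-group"]))),
        ("peer id", (identity(gw, "remote") or ("", ""))[1] == sa["Peer ike-id"]),
        ("lifetime", remaining <= int(prop["lifetime-seconds"])),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    cfg = parse_set_commands(SET_COMMANDS)
    for finding in audit(cfg):
        print("AUDIT:", finding)
    print("mismatches:", verify(cfg, parse_ike_sa(IKE_SA_OUTPUT)))
```

Run against the post's own text, `verify` returns no mismatches (the SA really did come up with RSA signatures, main mode, AES-128-CBC, SHA-1 and DH group 2), while `audit` flags `group2` and `sha1` for review; swapping `rsa-signatures` for `pre-shared-keys` in the proposal makes both functions complain, which is the regression the check exists for.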