Hello
I have gotten a couple of requierments from the infrastructure architects at my job, for the site2site vpn to our small offices.

- Cert authentication
- Ike V2

There are some offices that have a dynamic ip, when i did some googling i found this two articels that seems to contradict eachother.

https://kb.juniper.net/InfoCenter/index ... login=true here they are using aggressive mode (so i guess it wont work in ...

Before reading my article, the reader needs to get familiarized with ipsec concepts. Here is a good starting point: IPSEC Illustrated http://www.unixwiz.net/techtips/iguide-ipsec.html

Securing communication over public internet between two Linux endpoints can be performed in multiple ways via encryption at layer 3 or at layer 4/7. I'm using IPSEC wherever it is possible. This is layer 3/4 encryption (if NAT-T is performed).

With IPSEC there are two modes for phase 2 encapsulation: transport mode and ...

Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed

Juniper SRX acting as an SRX hub complains when a dynamic IP address spoke is configured using preshared-key authentication and main mode (as per KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB5622).

Why is that ? Looking at ipsec ike phase 1 main mode, the standard states there are 6 messages (3 pairs):
Pair 1 of main mode (messages 1 and 2 - unencrypted): First isakmp ...

error: Failed to encode the certificate request in PKCS-10 format

This post is related to another error appearing in Juniper SRX firewalls when certificates are loaded. Please read
http://forum.ivorde.ro/error-error-load-certid-test-when-attempting-to-import-signed-certificate-in-juniper-srx-firewall-t19311.html and http://forum.ivorde.ro/pki-how-to-import-openssl-private-key-and-public-certificate-in-juniper-srx-t19301.html before going further.

Here, I will generate a private key on the Juniper SRX firewall, then I will overwrite it with one that is generated in a linux system with Openssl. One thing that needs to be known is that private key on the ...

99% of the cases when this error appears in Juniper SRX firewall is when the user attempts to load a public/signed certificate generated with a different private key than the one that SRX is aware of.

In many of these cases, users generate private key on the SRX, then they copy another key file generated on an external system ...

PKI: How to import OpenSSL private key and public certificate in Juniper SRX

One of SSL/TLS key/certificate pair usages is for authenticating IPSEC peers. How does it work ?

Each IPsec VPN endpoint posesses a private key and a public certificate. The public certificate was born from a certificate signing request (refered to as "csr" by many people) generated from the public key containing a public modulus.

The steps are:
- using private key with ...

The Juniper SRX firwewall is performs an IKE Phase 1 identity validation based on the "remote-identity" set for the specific ike gateway.

If upgrading from 10.4 where by default a default identity is used or if the remote host isn't sending one and the SRX, under Junos 11.4, fails to bring up IKE phase 1 due to id validation failure, it can be changed to accept generic ike ID, bypassing IKE ID validation in the ...

Since there are not many scenarios when the HUB is behind NAT, I've created an article that describes situations when two spokes are behind NAT and only one has a static NAT.

Most of the hub-and-spoke ipsec VPN environments have the HUB configured with a public IP address, but sometimes the HUB is behind static NAT (all packets to a public IP address on the NAT device are forwarded to the Ipsec HUB SRX device ...

Juniper SRX Spoke-to-Spoke IPSEC VPN when both spokes are behind NAT.

While researching on the Juniper SRX IPSEC VPN documentation and all the diverse scenarios, I noticed there is no documentation/kb article that describe the situation when one needs to connect two SRX spokes, two endpoints when both of them are behind NAT as in the above test diagram.

As a dependency, one of the spokes needs to be behind ...

While other browsers / OSes support PEM formatted SSL certificates for establishing Ipsec VPN authentication, IOS for Ipad and Iphone support pkcs12 certificate format.


Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs

Step1: Generate SSL private key:


Step2: Create a CSR (Certificate Signing Request) using previous private key:


Step3: Sign ...