Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

debuser
Post subject: OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices | Posted: Wed Feb 20, 2013 8:43 am

OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices

In this lab, I will create an OpenSSL certificate authority signed certificates based IPsec VPN between two Juniper SRX devices without certificate enrollment.

Based on config and information from official Juniper repositories:

J Series / SRX Series IPSec VPN with PKI Certificates Primer http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_IPSecVPN_with_PKI_Certificates_Primer_v13.pdf

How to generate a PKCS10 certificate request on a J Series or SRX Series device http://kb.juniper.net/InfoCenter/index?page=content&id=KB10175&cat=DIGITAL_CERTIFICATES&actp=LIST

How to load a PKI x.509 certificate on a J Series or SRX Series device http://kb.juniper.net/InfoCenter/index?page=content&id=KB10176&cat=AUTHENTICATION&actp=LIST&smlogin=true



Devices are named daniel and cameron:
Code:
root@daniel> show version
Hostname: daniel
Model: srx100h
JUNOS Software Release [12.1X44-D10.4]

root@cameron> show version
Hostname: cameron
Model: srx100h
JUNOS Software Release [12.1X44-D10.4]


Before I begin, I will list below the main steps that need to be taken:
- create an OpenSSL self-signed Certificate Authority on a Unix server (FreeBSD in my case) and create the CA profile in the Junos config.
- import the newly created CA public certificate into the SRX firewalls
- generate the private key and certificate signing requests on the firewall
- sign the certificate requests (CSR) with the CA's public certificate and private key
- import the signed PEM certificates into Junos
- set the Junos configuration that will use the certificate pairs generated above (private keys and signed PEM certificates, and the CA to authenticate the peer's certificate)

1. Creating the OpenSSL Certificate Authority

Modify /usr/local/openssl/openssl.cnf so that openssl uses the shell's current working directory:
Code:
dir      = ./


Create a new CA - testCA directories
Code:
[root@homeserv /etc/ssl]# mkdir -p testCa/{certs,private,newcerts}
[root@homeserv /etc/ssl]# cd testCa/


Generate the new CA (password is mandatory):
Code:
[root@homeserv /etc/ssl/testCa]# openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out cacert.pem -config /usr/local/openssl/openssl.cnf
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RO]:
State or Province Name (full name) [Bucharest]:
Locality Name (eg, city) [Bucharest]:
Organization Name (eg, company) [Ivorde]:
Organizational Unit Name (eg, section) [IvordeCA]:
Common Name (eg, YOUR name) []:Andrei
andrei@ivorde.ro []:

Enter a starting serial number and certificate index file:
Code:
echo 1000 >serial; touch index.txt

Done generating our self-signed OpenSSL certificate authority.


2. Import the certificate authority public certificate into the SRX firewalls.
First, create the CA profile in the configuration on both firewalls:
Code:
# show security pki | display set
set security pki ca-profile CA_FR ca-identity asdf
set security pki ca-profile CA_FR revocation-check disable

Next, on each firewall, create a file named cacert.pem and paste into it the contents of the file from the CA Unix server:

Code:
[root@homeserv /etc/ssl/testCa]# cat cacert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Code:
root@daniel% vi cacert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Both firewalls need now to import this public CA certificate to the CA profile created earlier:
Code:
root@daniel> request security pki ca-certificate load ca-profile CA_FR filename /root/cacert.pem
Fingerprint:
  1b:d9:1d:2f:ca:02:40:d2:98:d9:d1:d6:0b:c6:5e:eb:c9:a6:b6:4e (sha1)
  2d:4b:c1:3a:64:9e:ce:4a:09:a9:4e:2e:8a:80:97:00 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile CA_FR loaded successfully

3. Generating device private key and Certificate Signing Requests on the SRX firewalls

Generating the private keys:
Code:
root@daniel> request security pki generate-key-pair type rsa size 1024 certificate-id key1
Generated key pair key1, key size 1024 bits

root@cameron> request security pki generate-key-pair type rsa size 1024 certificate-id key1
Generated key pair key1, key size 1024 bits

Generating the CSRs:
Code:
root@daniel> request security pki generate-certificate-request certificate-id key1 subject "DC=daniel.ivorde.ro,CN=daniel.ivorde.ro,OU=Ivorde-VPN,O=Ivorde,L=Test-DC,ST=Bucharest,C=RO" email andrei@vps.ivorde.ro
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIICCzCCAXQCAQAwgZYxIDAeBgoJkiaJk/IsZAEZFhBkYW5pZWwuaXZvcmRlLnJv
MRkwFwYDVQQDExBkYW5pZWwuaXZvcmRlLnJvMRMwEQYDVQQLEwpJdm9yZGUtVlBO
MQ8wDQYDVQQKEwZJdm9yZGUxEDAOBgNVBAcTB1Rlc3QtREMxEjAQBgNVBAgTCUJ1
Y2hhcmVzdDELMAkGA1UEBhMCUk8wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
ANou9sXIJeUvfTmBgeSqJ8HGNK/+MB2qH+1CWdoMNYdPSL6O8GpKztUP0S1nQj5h
1kuzwfQfD3xnECSDWCb8VZEZk8uYK0ErAyQRfyIBB4Phm/99jqDqIEw4rNa4aqq5
DHK3lE5Qvpc9R0Sw5Lm2JcdrjWHHb8VK4TErVcYFuoehAgMBAAGgNDAyBgkqhkiG
9w0BCQ4xJTAjMCEGA1UdEQQaMBiBFiJhbmRyZWlAdnBzLml2b3JkZS5ybyIwDQYJ
KoZIhvcNAQEFBQADgYEAW80ZV8Tgob5CNEDYfmU+tte6W/fELZkI3uZ+iiJgoDd5
ePWMz3nneanxlC9sF1BWl7ArTSVBzpDeRLwXTPmp6fdI6rVCRwiY2RKnoy4SUVjP
FDqvrsV6WNrhWmD5SmAuwcgZ8EZZPU4B+y1Vm7N0Hq2doYKnGZvyZrojbZpRjMI=
-----END CERTIFICATE REQUEST-----
Fingerprint:
97:74:ac:02:6d:37:bd:a3:0d:3c:3f:45:b7:98:e6:48:df:a6:41:24 (sha1)
b8:bf:d1:53:20:db:92:94:c0:97:88:14:01:ca:8a:e6 (md5)

root@cameron> request security pki generate-certificate-request certificate-id key1 subject "DC=cameron.ivorde.ro,CN=cameron.ivorde.ro,OU=Ivorde-VPN,O=Ivorde,L=Test-DC,ST=Bucharest,C=RO" email andrei@vps.ivorde.ro
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Fingerprint:
fa:64:f7:af:e8:77:a0:1a:51:4d:82:74:8e:be:c1:7e:8e:a2:0a:eb (sha1)
99:f9:02:98:10:02:f9:cf:a0:c9:48:70:c1:db:45:46 (md5)


4. Now that we have the signing requests created, we will paste their contents (including the ----BEGIN and ----END lines) on the Unix box holding the certificate authority and sign them using the x509 extension subjectAlternativeName (subjectAltName).

Let's check the CSRs first:
Code:
[root@homeserv /etc/ssl/testCa]# ls -la *csr
-rw-r--r--  1 root  wheel  790 Feb 20 11:59 cameron.csr
-rw-r--r--  1 root  wheel  785 Feb 20 11:59 daniel.csr


[root@homeserv /etc/ssl/testCa]# openssl req -noout -text -in daniel.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=daniel.ivorde.ro, CN=daniel.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
                    27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
                    35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
                    42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
                    58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
                    7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
                    ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
                    47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
                    e1:31:2b:55:c6:05:ba:87:a1
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:"andrei@vps.ivorde.ro"
    Signature Algorithm: sha1WithRSAEncryption
         5b:cd:19:57:c4:e0:a1:be:42:34:40:d8:7e:65:3e:b6:d7:ba:
         5b:f7:c4:2d:99:08:de:e6:7e:8a:22:60:a0:37:79:78:f5:8c:
         cf:79:e7:79:a9:f1:94:2f:6c:17:50:56:97:b0:2b:4d:25:41:
         ce:90:de:44:bc:17:4c:f9:a9:e9:f7:48:ea:b5:42:47:08:98:
         d9:12:a7:a3:2e:12:51:58:cf:14:3a:af:ae:c5:7a:58:da:e1:
         5a:60:f9:4a:60:2e:c1:c8:19:f0:46:59:3d:4e:01:fb:2d:55:
         9b:b3:74:1e:ad:9d:a1:82:a7:19:9b:f2:66:ba:23:6d:9a:51:
         8c:c2

In order for OpenSSL to enable subjectAltName, it needs an extension file that looks like the one below:
Code:
[root@homeserv /etc/ssl/testCa]# cat x509ext.txt
subjectAltName=email:andrei@vpn.ivorde.ro

Signing the cert requests using private CA key (password needed):
Code:
[root@homeserv /etc/ssl/testCa]# openssl ca -verbose -in cameron.csr -out certs/cameron.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt

Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
V       140219193809Z           1000            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V       140219194334Z           1001            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
2 entries loaded from the database
generating index
Successfully loaded extensions file x509ext.txt
message digest is sha1
policy is policy_match
next serial number is 1002
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=cameron.ivorde.ro, CN=cameron.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c9:f7:44:7d:74:b3:4c:b7:a2:f3:4f:27:b9:6b:
                    54:5f:7c:69:1c:b3:aa:33:54:de:34:22:de:5f:c8:
                    ba:f3:03:a6:7e:5b:d4:fa:a9:f3:cd:0b:00:46:b7:
                    13:f0:7f:f4:47:c7:47:d5:d8:e5:d9:09:a9:2a:79:
                    a6:88:e3:c6:8c:e8:bf:83:4b:5f:af:84:0f:29:fd:
                    2b:e0:48:e0:e5:b7:be:b6:77:77:2e:09:30:9c:59:
                    d8:73:4a:1f:f9:42:4e:e7:7d:b4:c3:05:56:76:34:
                    4f:ed:2d:bb:2a:7d:8b:02:ba:ca:be:7e:3a:0e:dd:
                    36:e7:de:c8:a0:a1:d9:19:d9
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:"andrei@vps.ivorde.ro"
    Signature Algorithm: sha1WithRSAEncryption
         11:4a:e8:de:f8:99:a0:b3:77:7e:63:3d:93:5d:a9:ff:4e:1c:
         83:10:04:a7:72:36:6b:a1:c9:e9:ec:0e:e4:52:17:a2:e7:55:
         88:64:f4:ea:7c:8a:bd:4a:19:ba:aa:84:62:93:8f:41:6b:65:
         6a:b1:7e:f3:05:e8:3c:db:88:0a:44:cd:ec:8e:98:ef:48:85:
         73:c1:da:68:d2:40:a6:cc:b4:56:f6:db:d8:42:ba:ab:d8:fe:
         91:db:6a:18:7b:c4:33:05:3f:c6:cc:1b:a7:ce:e4:a5:72:b8:
         aa:6a:3d:43:6a:e4:5b:0d:d0:52:04:fd:3e:ff:d6:47:d6:ea:
         6b:e9
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
        Serial Number: 4098 (0x1002)
        Validity
            Not Before: Feb 20 12:00:59 2013 GMT
            Not After : Feb 20 12:00:59 2014 GMT
        Subject:
            countryName               = RO
            stateOrProvinceName       = Bucharest
            organizationName          = Ivorde
            organizationalUnitName    = Ivorde-VPN
            commonName                = cameron.ivorde.ro
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:andrei@vpn.ivorde.ro
Certificate is to be certified until Feb 20 12:00:59 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/ivordeCA/newcerts/1002.pem
Data Base Updated



[root@homeserv /etc/ssl/testCa]# openssl ca -verbose -in daniel.csr -out certs/daniel.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt

Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
V       140219193809Z           1000            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V       140219194334Z           1001            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
V       140220120059Z           1002            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=cameron.ivorde.ro
3 entries loaded from the database
generating index
Successfully loaded extensions file x509ext.txt
message digest is sha1
policy is policy_match
next serial number is 1003
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=daniel.ivorde.ro, CN=daniel.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
                    27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
                    35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
                    42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
                    58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
                    7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
                    ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
                    47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
                    e1:31:2b:55:c6:05:ba:87:a1
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:"andrei@vps.ivorde.ro"
    Signature Algorithm: sha1WithRSAEncryption
         5b:cd:19:57:c4:e0:a1:be:42:34:40:d8:7e:65:3e:b6:d7:ba:
         5b:f7:c4:2d:99:08:de:e6:7e:8a:22:60:a0:37:79:78:f5:8c:
         cf:79:e7:79:a9:f1:94:2f:6c:17:50:56:97:b0:2b:4d:25:41:
         ce:90:de:44:bc:17:4c:f9:a9:e9:f7:48:ea:b5:42:47:08:98:
         d9:12:a7:a3:2e:12:51:58:cf:14:3a:af:ae:c5:7a:58:da:e1:
         5a:60:f9:4a:60:2e:c1:c8:19:f0:46:59:3d:4e:01:fb:2d:55:
         9b:b3:74:1e:ad:9d:a1:82:a7:19:9b:f2:66:ba:23:6d:9a:51:
         8c:c2
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
        Serial Number: 4099 (0x1003)
        Validity
            Not Before: Feb 20 12:01:39 2013 GMT
            Not After : Feb 20 12:01:39 2014 GMT
        Subject:
            countryName               = RO
            stateOrProvinceName       = Bucharest
            organizationName          = Ivorde
            organizationalUnitName    = Ivorde-VPN
            commonName                = daniel.ivorde.ro
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:andrei@vpn.ivorde.ro
Certificate is to be certified until Feb 20 12:01:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/ivordeCA/newcerts/1003.pem
Data Base Updated

Now that we have two certificates in our ./certs directory, we can see that the certificate index file was updated, as well as the serial one:
Code:
[root@homeserv /etc/ssl/testCa]# cat serial index.txt
1004
V       140219193809Z           1000            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V       140219194334Z           1001            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
V       140220120059Z           1002            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=cameron.ivorde.ro
V       140220120139Z           1003            unknown         /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=daniel.ivorde.ro

Let's take a look at one of the certificates:
Code:
[root@homeserv /etc/ssl/testCa]# openssl x509 -noout -text -in certs/daniel.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4099 (0x1003)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IvordeCA, CN=Andrei
        Validity
            Not Before: Feb 20 12:01:39 2013 GMT
            Not After : Feb 20 12:01:39 2014 GMT
        Subject: C=RO, ST=Bucharest, O=Ivorde, OU=Ivorde-VPN, CN=daniel.ivorde.ro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
                    27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
                    35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
                    42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
                    58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
                    7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
                    ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
                    47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
                    e1:31:2b:55:c6:05:ba:87:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:andrei@vpn.ivorde.ro
    Signature Algorithm: sha1WithRSAEncryption
         34:9e:ac:8c:1e:af:e8:3e:53:97:3f:a3:ba:cf:28:de:10:53:
         02:29:4e:e0:b6:d1:69:11:ee:14:83:f4:76:c6:a9:ae:39:87:
         5b:4c:1f:ec:09:04:53:6f:06:84:b5:02:45:5f:a7:34:84:27:
         4f:27:52:26:a8:57:03:42:7e:8b:ee:2b:4f:07:c0:2b:db:7e:
         33:15:1f:2e:04:d0:bc:b8:50:18:1e:fb:79:93:e6:25:66:f1:
         75:1e:62:8b:fa:71:82:0e:32:5c:0b:4d:77:0b:1f:5a:7c:a3:
         54:30:32:cb:17:42:b2:bf:04:10:6b:58:5a:51:fd:1e:4f:b0:
         9e:a3

Ok
[root@homeserv /etc/ssl/testCa]# cat certs/daniel.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4099 (0x1003)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IvordeCA, CN=Andrei
        Validity
            Not Before: Feb 20 12:01:39 2013 GMT
            Not After : Feb 20 12:01:39 2014 GMT
        Subject: C=RO, ST=Bucharest, O=Ivorde, OU=Ivorde-VPN, CN=daniel.ivorde.ro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
                    27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
                    35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
                    42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
                    58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
                    7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
                    ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
                    47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
                    e1:31:2b:55:c6:05:ba:87:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:andrei@vpn.ivorde.ro
    Signature Algorithm: sha1WithRSAEncryption
         34:9e:ac:8c:1e:af:e8:3e:53:97:3f:a3:ba:cf:28:de:10:53:
         02:29:4e:e0:b6:d1:69:11:ee:14:83:f4:76:c6:a9:ae:39:87:
         5b:4c:1f:ec:09:04:53:6f:06:84:b5:02:45:5f:a7:34:84:27:
         4f:27:52:26:a8:57:03:42:7e:8b:ee:2b:4f:07:c0:2b:db:7e:
         33:15:1f:2e:04:d0:bc:b8:50:18:1e:fb:79:93:e6:25:66:f1:
         75:1e:62:8b:fa:71:82:0e:32:5c:0b:4d:77:0b:1f:5a:7c:a3:
         54:30:32:cb:17:42:b2:bf:04:10:6b:58:5a:51:fd:1e:4f:b0:
         9e:a3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

5. It is time to import the public certificates signed by our test CA into the SRX firewalls.

On each node, create a file named <hostname>.pem and paste into it the contents of the PEM file from the CA server.
Code:
root@daniel% vi daniel.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Importing and verifying the public certificates that correspond to key1 private key:
Code:
root@daniel> request security pki local-certificate load certificate-id key1 filename /root/daniel.pem
Local certificate loaded successfully

root@daniel> request security pki local-certificate verify certificate-id key1
Local certificate key1 verification success


6. Configuring the IKE proposal/policy/gateway and IPsec proposal/policy/VPN on Junos inside the SRX. Below is my config.
Code:
root@daniel> show configuration security ike
proposal cert-vpn-ike-prop {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}

policy cert-vpn-pol {
    mode main;
    proposals cert-vpn-ike-prop;
    certificate {
        local-certificate key1;
        peer-certificate-type x509-signature;
    }
}
gateway cert-vpn-gw {
    ike-policy cert-vpn-pol;
    address 10.1.1.54;
    local-identity user-at-hostname "andrei@vpn.ivorde.ro";
    remote-identity user-at-hostname "andrei@vpn.ivorde.ro";
    external-interface vlan.10;
}

root@cameron> show configuration security ike
proposal cert-vpn-ike-prop {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}
policy cert-vpn-pol {
    mode main;
    proposals cert-vpn-ike-prop;
    certificate {
        local-certificate key1;
        peer-certificate-type x509-signature;
    }
}
gateway cert-vpn-gw {
    ike-policy cert-vpn-pol;
    address 10.1.1.53;
    local-identity user-at-hostname "andrei@vpn.ivorde.ro";
    remote-identity user-at-hostname "andrei@vpn.ivorde.ro";
    external-interface vlan.10;
}


root@daniel> show configuration security ipsec
proposal cert-vpn-prop {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 36000;
}
policy cert-vpn-pol {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals cert-vpn-prop;
}
vpn cert-vpn {
    bind-interface st0.200;
    ike {
        gateway cert-vpn-gw;
        ipsec-policy cert-vpn-pol;
    }
    establish-tunnels immediately;
}

root@cameron> show configuration security ipsec
proposal cert-vpn-prop {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 36000;
}
policy cert-vpn-pol {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals cert-vpn-prop;
}
vpn cert-vpn {
    bind-interface st0.200;
    ike {
        gateway cert-vpn-gw;
        ipsec-policy cert-vpn-pol;
    }
    establish-tunnels immediately;
}

7. Checking that the IPsec tunnels come up
Code:
root@cameron> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5615382 UP     f4bb13f4d68e16f2  80710b5239d85e4e  Main           10.1.1.53

root@cameron> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 438d37f2 35896/unlim   -   root 500   10.1.1.53
  >131073 ESP:3des/sha1 d1ca3c4d 35896/unlim   -   root 500   10.1.1.53



root@cameron> show security ike security-associations detail
IKE peer 10.1.1.53, Index 5615382, Gateway Name: cert-vpn-gw
  Role: Responder, State: UP
  Initiator cookie: f4bb13f4d68e16f2, Responder cookie: 80710b5239d85e4e
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.1.1.54:500, Remote: 10.1.1.53:500
  Lifetime: Expires in 86267 seconds
  Peer ike-id: andrei@vpn.ivorde.ro
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 2273
   Output bytes  :                 2061
   Input  packets:                    8
   Output packets:                    5
  Flags: IKE SA is created
  IPSec security associations: 2 created, 1 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 10.1.1.54:500, Remote: 10.1.1.53:500
    Local identity: andrei@vpn.ivorde.ro
    Remote identity: andrei@vpn.ivorde.ro
    Flags: IKE SA is created


root@cameron> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: cert-vpn
  Local Gateway: 10.1.1.54, Remote Gateway: 10.1.1.53
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.200

  Port: 500, Nego#: 8, Fail#: 0, Def-Del#: 0 Flag: 600a29
  Tunnel Down Reason: Delete payload received
    Direction: inbound, SPI: 438d37f2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 35889 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 35326 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: d1ca3c4d, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 35889 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 35326 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64


One more important thing to do in order to force the tunnels to come up (I noticed this in my setup) is to assign the tunnel interfaces to a security zone:
Code:
root@cameron# set security zones security-zone dmz-zone interfaces st0.200
root@cameron# commit and-quit


Do not copy-paste the commands into your configuration!!!





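The OpenSSL side of steps 1, 4 and 5 above, as an added example that is not part of the original post: a POSIX shell script that builds a throwaway CA, signs two CSRs with the same subjectAltName extension-file technique the post uses, and then runs the two checks worth doing before loading anything on the SRX: the signed certificate chains to the CA certificate that was loaded into the ca-profile, and the e-mail SAN equals the IKE user-at-hostname identity configured under the gateway (in the post both gateways use andrei@vpn.ivorde.ro, while the CSRs asked for andrei@vps.ivorde.ro; the -extfile value is what ends up in the signed certificate, as the output above shows). Host names under example.test, an unencrypted CA key (-nodes) and openssl x509 -req in place of openssl ca are assumptions of this example so that it runs without an openssl.cnf CA section or a pass phrase prompt.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA, SAN signing,
# chain and identity checks. Everything below is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=RO/ST=Bucharest/O=Example/OU=ExampleCA/CN=example-ca"
IKE_ID="andrei@vpn.example.test"   # must equal local-identity / remote-identity

# Step 1: self-signed CA (10 years, 2048-bit RSA; the post used 1024-bit).
# -nodes leaves the CA key unencrypted so the script is non-interactive;
# the post's CA key carries a pass phrase instead.
make_ca() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "$CA_SUBJ" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Stand-in for step 3: on a real SRX the key pair and CSR are produced by
# "request security pki generate-key-pair" / "generate-certificate-request".
make_csr() {   # $1 = device host name
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=RO/O=Example/OU=Example-VPN/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4: sign with the SAN taken from an extension file, as in the post.
# openssl x509 -req is used instead of openssl ca, so no openssl.cnf CA
# section, index.txt or serial file is needed (assumption of this example).
sign_csr() {   # $1 = host name, $2 = SAN e-mail
    printf 'subjectAltName=email:%s\n' "$2" > "$WORK/x509ext.txt"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/x509ext.txt" -out "$WORK/$1.pem" 2>/dev/null
}

# Chain check: the peer's certificate must validate against the CA loaded
# into the ca-profile, otherwise IKE phase 1 authentication fails.
verify_chain() {   # $1 = host name
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Print the e-mail SAN of the signed certificate (the line after the
# "Subject Alternative Name" header in the -text dump).
san_email() {   # $1 = host name
    openssl x509 -noout -text -in "$WORK/$1.pem" \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*email://p;}'
}

# Identity check: the SAN must equal the IKE id the gateway is configured with.
san_matches_ike_id() {   # $1 = host name, $2 = expected IKE identity
    [ "$(san_email "$1")" = "$2" ]
}

make_ca
for host in daniel cameron; do
    make_csr "$host.example.test"
    sign_csr "$host.example.test" "$IKE_ID"
    verify_chain "$host.example.test"
    san_matches_ike_id "$host.example.test" "$IKE_ID"
    echo "$host: chain ok, SAN $(san_email "$host.example.test")"
done
```

Run it anywhere the openssl binary is installed. In the real procedure only the signed <hostname>.pem and cacert.pem travel to the firewalls; the private keys never leave the SRX, which is the point of generating the CSR on the device.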
debuser
Post subject: Re: OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices | Posted: Wed Feb 20, 2013 8:45 am
Useful links:
J Series / SRX Series IPSec VPN with PKI Certificates Primer http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_IPSecVPN_with_PKI_Certificates_Primer_v13.pdf

How to generate a PKCS10 certificate request on a J Series or SRX Series device http://kb.juniper.net/InfoCenter/index?page=content&id=KB10175&cat=DIGITAL_CERTIFICATES&actp=LIST


mandrei99
Post subject: Re: OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices | Posted: Thu Jun 27, 2013 10:40 am
Unless you are using automatic certification enrollment, it's important to have:
Code:
peer-certificate-type x509-signature;
in IKE policy and
Code:
revocation-check disable
in the PKI CA configuration.

