PKI IPSec VPN – SRX to IOS

In this video, we’re going to update an existing IPSec VPN between Juniper SRX and Cisco IOS from pre-shared key to certificate authentication. We’re going to be looking at how IOS certificate configuration differs from SRX.

Topology & Final Configs

SRX0 PKI Steps

  • At the configuration prompt (#), do the following:
      • If using a CRL, configure a DNS server: “set system name-server X.X.X.X”.
      • Configure a CA profile: “set security pki ca-profile CA_PROF ca-identity CA_CERT”.
      • Commit both changes.
  • At the operational prompt (>), do the following:
      • Verify that the date and time are accurate: “show system uptime”. If not: “set date X”.
      • Make a PKI directory: “file make-directory /var/tmp/PKI/”
      • Copy the CA cert to the PKI directory: “file copy http://X.X.X.X/ca.crt /var/tmp/PKI/”
      • Load the CA cert into the CA profile: “request security pki ca-certificate load ca-profile CA_PROF filename /var/tmp/PKI/ca.crt”
      • Verify the CA cert: “show security pki ca-certificate detail”
      • Verify the CRL, if applicable: “show security pki crl detail”
      • Generate a keypair: “request security pki generate-key-pair certificate-id SRX0_CERT size 2048 type rsa”
      • Generate a CSR: “request security pki generate-certificate-request certificate-id SRX0_CERT digest sha-256 domain-name SRX0.node9.lab filename /var/tmp/PKI/SRX0.csr subject "CN=SRX0.node9.lab,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US"”
      • Have the CA sign the CSR, which produces the local cert.
      • Copy the local cert to the PKI directory: “file copy http://X.X.X.X/SRX0.crt /var/tmp/PKI/”
      • Load the local cert: “request security pki local-certificate load certificate-id SRX0_CERT filename /var/tmp/PKI/SRX0.crt”
      • Verify the local cert: “show security pki local-certificate detail”
SRX0 Final Config

#
set system host-name SRX0
set system name-server 35.15.173.8
set security pki ca-profile CA_PROF ca-identity CA_CERT
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE_PROP lifetime-seconds 86400
set security ike policy IKE_POLI proposals IKE_PROP
set security ike policy IKE_POLI certificate local-certificate SRX0_CERT
set security ike gateway IOS1 ike-policy IKE_POLI
set security ike gateway IOS1 address 208.105.102.30
set security ike gateway IOS1 local-identity distinguished-name
set security ike gateway IOS1 remote-identity distinguished-name container CN=IOS1.node9.tech
set security ike gateway IOS1 external-interface ge-0/0/0.0
set security ike gateway IOS1 version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 28800
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
set security ipsec policy IPSEC_POLI proposals IPSEC_PROP
set security ipsec vpn IOS1 bind-interface st0.1
set security ipsec vpn IOS1 df-bit copy
set security ipsec vpn IOS1 ike gateway IOS1
set security ipsec vpn IOS1 ike ipsec-policy IPSEC_POLI
set security policies from-zone CORP to-zone CORP policy Permit_Any match source-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match destination-address any
set security policies from-zone CORP to-zone CORP policy Permit_Any match application any
set security policies from-zone CORP to-zone CORP policy Permit_Any then permit
set security zones security-zone WWW host-inbound-traffic system-services ping
set security zones security-zone WWW host-inbound-traffic system-services ike
set security zones security-zone WWW interfaces ge-0/0/0.0
set security zones security-zone CORP host-inbound-traffic system-services all
set security zones security-zone CORP host-inbound-traffic protocols all
set security zones security-zone CORP interfaces lo0.0
set security zones security-zone CORP interfaces st0.1
set interfaces ge-0/0/0 description WWW
set interfaces ge-0/0/0 unit 0 family inet address 107.22.138.98/29
set interfaces lo0 description Loopback
set interfaces lo0 unit 0 family inet address 10.0.0.0/32
set interfaces st0 unit 1 description IOS1
set interfaces st0 unit 1 family inet mtu 1400
set interfaces st0 unit 1 family inet address 172.16.31.0/31
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface st0.1
set routing-options static route 0.0.0.0/0 next-hop 107.22.138.97
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options router-id 10.0.0.0
#
IOS1 PKI Steps

  • At the configuration prompt (config)#, do the following:
      • If using a CRL, configure a DNS server: “ip name-server X.X.X.X”.
      • Configure the trustpoint:
        crypto pki trustpoint CA
        enrollment terminal pem
        subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
        revocation-check none
        rsakeypair IOS1 2048
        hash sha256
  • At the privileged operational prompt (#), do the following:
      • Verify that the date and time are accurate: “show clock”. If not: “clock set X”.
      • Load (authenticate) the CA cert into the trustpoint: “crypto pki authenticate CA”
      • Generate a CSR: “crypto pki enroll CA”
      • Load the local cert: “crypto pki import CA certificate”
      • Verify the trustpoint: “show crypto pki trustpoints CA status”
      • Verify the certificates: “show crypto pki certificates CA”
IOS1 Final Config

!
hostname IOS1
!
ip name-server 35.15.173.8
!
crypto pki trustpoint CA
enrollment terminal pem
subject-name CN=IOS1.node9.tech,OU=Lab,O=Node 9,L=Oahu,ST=HI,C=US
revocation-check none
rsakeypair IOS1 2048
hash sha256
!
crypto pki certificate map SRX0 10
subject-name co cn = SRX0.node9.tech
!
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy IKE_POLI
proposal IKE_PROP
match address local 208.105.102.30
!
crypto ikev2 profile SRX0
match certificate SRX0
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA
!
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile SRX0
set ikev2-profile SRX0
set transform-set IPSEC_PROP
set pfs group14
set security-association lifetime seconds 28800
set security-association dfbit copy
!
interface Tunnel1
tunnel mode ipsec ipv4
description SRX0
ip address 172.16.1.1 255.255.255.254
ip mtu 1400
tunnel source 208.105.102.30
tunnel destination 107.22.138.98
tunnel protection ipsec profile SRX0
ip ospf cost 1
!
interface Loopback0
description Loopback
ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
description WWW
ip address 208.105.102.30 255.255.255.224
!
router ospf 1
router-id 10.0.0.1
passive-interface Loopback0
network 10.0.0.1 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 208.105.102.1
!
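As an added cross-check that is not part of the original post: the script below parses excerpts of the two final configs above and confirms that the IKEv2 and ESP parameters agree on both peers, mapping each vendor's algorithm names onto a common token (that SRX-to-IOS name mapping is an assumption made here, not a vendor table). Any mismatch it reports stalls the negotiation no matter how correct the certificates are, so it is worth running before blaming the PKI.

```python
import re
# Constructed excerpts of the SRX0 and IOS1 configs shown on this page.
SRX_CFG = """\
set security ike proposal IKE_PROP dh-group group14
set security ike proposal IKE_PROP authentication-algorithm sha-256
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC_POLI perfect-forward-secrecy keys group14
"""
IOS_CFG = """\
crypto ikev2 proposal IKE_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ipsec transform-set IPSEC_PROP esp-aes 256 esp-sha256-hmac
crypto ipsec profile SRX0
 set pfs group14
"""
# Assumed equivalence table: each vendor's spelling -> one common token.
CANON = {
    "aes-256-cbc": "aes256cbc", "aes-cbc-256": "aes256cbc", "esp-aes 256": "aes256cbc",
    "sha-256": "sha256", "sha256": "sha256", "hmac-sha-256-128": "sha256", "esp-sha256-hmac": "sha256",
    "group14": "dh14", "group 14": "dh14",
}
# (parameter, SRX set-command pattern, IOS pattern); each pattern has one capture group.
RULES = [
    ("ike_enc", r"ike proposal \S+ encryption-algorithm (\S+)", r"^\s*encryption (\S+)"),
    ("ike_int", r"ike proposal \S+ authentication-algorithm (\S+)", r"^\s*integrity (\S+)"),
    ("ike_dh", r"ike proposal \S+ dh-group (\S+)", r"^\s*(group \S+)"),
    ("esp_enc", r"ipsec proposal \S+ encryption-algorithm (\S+)", r"transform-set \S+ (esp-aes \d+)"),
    ("esp_int", r"ipsec proposal \S+ authentication-algorithm (\S+)", r"esp-aes \d+ (\S+)"),
    ("pfs", r"perfect-forward-secrecy keys (\S+)", r"set pfs (\S+)"),
]

def extract(text, vendor):
    """Return {parameter: canonical value} for every rule that matches a config line."""
    found = {}
    for line in text.splitlines():
        for key, srx_pat, ios_pat in RULES:
            m = re.search(srx_pat if vendor == "srx" else ios_pat, line)
            if m:
                found[key] = CANON.get(m.group(1), m.group(1))
    return found

def mismatches(srx_text, ios_text):
    """Parameters whose canonical values differ, or are missing on one side."""
    srx, ios = extract(srx_text, "srx"), extract(ios_text, "ios")
    return sorted(k for k in srx.keys() | ios.keys() if srx.get(k) != ios.get(k))
```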
