© Juniper Networks, Inc. 1

Configuring Client-to-Lan IPsec VPN using

certificates between SRX and Windows

Firewall with Advanced Security

Version 1.0 December 2014

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, California 94089

USA

408.745.2000

1.888 JUNIPER

www.juniper.net


Overview

This example shows the configuration of a Client-to-Lan VPN between a Juniper Networks SRX device and a Windows client using the Windows Firewall VPN client.

Setup Prerequisites

DEP (Dynamic End Point) configuration on SRX

Tunnel mode in SRX

IKEv1 (Win client supports only IKEv1)

IPSec using certificates for authentication

Perfect Forward Secrecy group2

Client using Windows firewall with Advanced Security

Windows Machine Certificate Store

SRX using separate zones for all interfaces

SRX using st0 and LAN-side interfaces in the default VR, with the gateway interface in a custom VR.

Microsoft CA server for certificate signing

Included Platforms and Software Versions

This document applies to Junos 11.4 and subsequent releases for all SRX devices.

Topology

Windows client 2.2.2.2 ---[IKEv1/IPsec tunnel, bound to st0.1 in zone vpn]--- SRX ge-0/0/1.0 1.1.1.1/24 (zone untrust, routing instance INTERNET, default route via 1.1.1.2); SRX ge-0/0/3.0 192.168.10.1/24 (zone trust, protected LAN 192.168.10.0/24 in the default instance). The CA enrollment URL used below also points at 2.2.2.2.

Configuration Steps

Enroll device certificate on SRX

Configure SRX using a certificate-based VPN

Configuring Windows certificate services (optional)

Enrolling client CA certificate

Enrolling client device certificate

Creating dial-up VPN in Windows


Enroll Certificates on SRX

1. Configure the CA

[edit]

root@srx# set security pki ca-profile ROOT ca-identity msca1

root@srx# set security pki ca-profile ROOT enrollment url http://2.2.2.2/certsrv/mscep/mscep.dll

root@srx# commit

Note: By default the system uses the CDP of the received client certificate for CRL validation. Refer to:

“Understanding Certificate Revocation Lists” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/certificate-crl-understanding.html

“Example: Manually loading a CRL onto the Device” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-manual-loading-cli.html

“Example: Configuring a Certificate Authority Profile with CRL Locations” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-validity-checking-cli.html

2. Enroll the CA certificate

root@srx> request security pki ca-certificate enroll ca-profile ROOT

Type yes at the prompt to load the CA certificate

3. Generate a key pair for the device certificate

root@srx> request security pki generate-key-pair certificate-id ZTH_HUB

4. Enroll the local certificate

root@srx> request security pki local-certificate enroll ca-profile ROOT certificate-id ZTH_HUB domain-name vpn-srx240-05.juniper.net email [email protected] ip-address 1.1.1.1 subject "C=US,DC=juniper,ST=CA,L=Sunnyvale,O=Juniper,OU=engineering,CN=vpn-srx240-05"

Configure SRX

1. Configure the interfaces

root@srx# set interfaces ge-0/0/1.0 family inet address 1.1.1.1/24

root@srx# set interfaces ge-0/0/3.0 family inet address 192.168.10.1/24

root@srx# set interfaces st0.1 family inet

2. Configure IKE Phase 1

root@srx# set security ike proposal IKE_PROP authentication-method rsa-signatures

root@srx# set security ike proposal IKE_PROP dh-group group2

root@srx# set security ike proposal IKE_PROP authentication-algorithm sha1

root@srx# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc

root@srx# set security ike proposal IKE_PROP lifetime-seconds 3600

root@srx# set security ike policy IKE_POL mode main

root@srx# set security ike policy IKE_POL proposals IKE_PROP

root@srx# set security ike policy IKE_POL certificate local-certificate ZTH_HUB

root@srx# set security ike policy IKE_POL certificate peer-certificate-type x509-signature

root@srx# set security ike gateway CORP_GW ike-policy IKE_POL

root@srx# set security ike gateway CORP_GW dynamic distinguished-name wildcard C=US

root@srx# set security ike gateway CORP_GW local-identity inet 1.1.1.1

root@srx# set security ike gateway CORP_GW external-interface ge-0/0/1

root@srx# set security ike gateway CORP_GW version v1-only


3. Configure IKE Phase 2

root@srx# set security ipsec proposal IPSEC_PROP protocol esp

root@srx# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96

root@srx# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc

root@srx# set security ipsec proposal IPSEC_PROP lifetime-seconds 3600

root@srx# set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2

root@srx# set security ipsec policy IPSEC_POL proposals IPSEC_PROP

root@srx# set security ipsec vpn CORP_VPN bind-interface st0.1

root@srx# set security ipsec vpn CORP_VPN ike gateway CORP_GW

root@srx# set security ipsec vpn CORP_VPN ike ipsec-policy IPSEC_POL

4. Configure security policies

root@srx# set security policies from-zone vpn to-zone trust policy P1 match source-address any

root@srx# set security policies from-zone vpn to-zone trust policy P1 match destination-address any

root@srx# set security policies from-zone vpn to-zone trust policy P1 match application any

root@srx# set security policies from-zone vpn to-zone trust policy P1 then permit

root@srx# set security policies from-zone trust to-zone vpn policy P2 match source-address any

root@srx# set security policies from-zone trust to-zone vpn policy P2 match destination-address any

root@srx# set security policies from-zone trust to-zone vpn policy P2 match application any

root@srx# set security policies from-zone trust to-zone vpn policy P2 then permit

5. Configure security zones

root@srx# set security zones security-zone untrust host-inbound-traffic system-services ike

root@srx# set security zones security-zone untrust host-inbound-traffic system-services ping

root@srx# set security zones security-zone untrust interfaces ge-0/0/1.0

root@srx# set security zones security-zone trust host-inbound-traffic system-services all

root@srx# set security zones security-zone trust host-inbound-traffic protocols all

root@srx# set security zones security-zone trust interfaces ge-0/0/3.0

root@srx# set security zones security-zone vpn host-inbound-traffic system-services all

root@srx# set security zones security-zone vpn host-inbound-traffic protocols all

root@srx# set security zones security-zone vpn interfaces st0.1

6. Configure the routing instance (the gateway interface ge-0/0/1.0 lives in the custom virtual router INTERNET, while st0.1 and the LAN interface stay in the default instance)

root@srx# set routing-instances INTERNET instance-type virtual-router

root@srx# set routing-instances INTERNET interface ge-0/0/1.0

root@srx# set routing-instances INTERNET routing-options static route 0/0 next-hop 1.1.1.2

7. Configure a route back through the VPN tunnel interface for the peer IP address. The Windows client protects its own NIC address 2.2.2.2/32 as Endpoint 1, so return traffic from the LAN to 2.2.2.2 must enter st0.1 in the default instance rather than follow the INTERNET routing instance.

root@srx# set routing-options static route 2.2.2.2/32 next-hop st0.1


SRX Configuration Results

[edit]
root@srx# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 192.168.10.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
root@srx# show security
pki {
    ca-profile ROOT {
        ca-identity msca1;
        enrollment {
            url http://2.2.2.2/certsrv/mscep/mscep.dll;
        }
    }
}
ike {
    proposal IKE_PROP {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IKE_POL {
        mode main;
        proposals IKE_PROP;
        certificate {
            local-certificate ZTH_HUB;
            peer-certificate-type x509-signature;
        }
    }
    gateway CORP_GW {
        ike-policy IKE_POL;
        dynamic {
            distinguished-name {
                wildcard C=US;
            }
        }
        local-identity inet 1.1.1.1;
        external-interface ge-0/0/1;
        version v1-only;
    }
}
ipsec {
    proposal IPSEC_PROP {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IPSEC_POL {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals IPSEC_PROP;
    }
    vpn CORP_VPN {
        bind-interface st0.1;
        ike {
            gateway CORP_GW;
            ipsec-policy IPSEC_POL;
        }
    }
}
policies {
    from-zone vpn to-zone trust {
        policy P1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone vpn {
        policy P2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone vpn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            st0.1;
        }
    }
}

[edit]
root@srx# show routing-instances
INTERNET {
    instance-type virtual-router;
    interface ge-0/0/1.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
        }
    }
}

[edit]
root@srx# show routing-options
static {
    route 2.2.2.2/32 next-hop st0.1;
}

Configuring Windows Certificate Services (optional)

The same Windows machine may be used as the VPN client and as the CA server. This depends on user requirements and on whether CA server functionality is available on that Windows machine. The local certificate may be signed by a different CA server as long as the CA is common to both the Windows client certificate and the SRX device certificate.

How to create Microsoft CA in Windows:

http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx


Enrolling Client CA Certificate

Refer to the “Download the Trusted Root CA certificate” and “Import the Trusted Root (CA) Certificate” sections of:

http://technet.microsoft.com/en-us/library/hh467900.aspx

Enrolling Client Device Certificate

Refer to “How To: Install a Certificate for Use with IP Security”

http://support.microsoft.com/kb/253498

or

Refer to “Create a Custom Certificate Request” for generating a PKCS request file to submit to the CA.

http://technet.microsoft.com/en-us/library/cc730929.aspx

Note: For this example, the client device certificate request must include Country = US so that the SRX dynamic gateway wildcard C=US matches the certificate subject.

Configuring VPN in Windows Firewall Client

1. Launch Windows Firewall with Advanced Security

Click Windows Menu

Select Control Panel

Select Windows Firewall

Click Advanced Settings

2. Create new connection security rule

Select Connection Security Rules

Select ‘New Rule’ on the right side


Select ‘Tunnel’ and click Next

Select ‘Client-to-Gateway’ and click Next

Select ‘Require authentication for inbound and outbound connections’ and click Next


Enter SRX gateway IP address for ‘Remote Tunnel Endpoint’ and click Next

Select ‘Computer Certificate’, then select the Signing Algorithm (RSA) and the Certificate type (depends on your CA setup). Click Browse.


Select CA certificate and click OK and then click Next.

In this example we are using WIN-5VQR2LUTHF1-CA. This is the Root Certificate from the Windows Machine store and is the CA used to sign both the SRX’s certificate and the Windows client device certificate.

NOTE: If you do not see your CA, refer to the following Microsoft articles to add it to the list:

Adding certificates to the Trusted Root Certification Authorities store for a local computer

http://technet.microsoft.com/en-us/library/cc754841.aspx

Adding certificates to the Trusted Root Certification Authorities store for a local computer

http://windows.microsoft.com/en-us/windows/import-export-certificates-private-keys#1TC=windows-7

Select all options and click Next


Enter a Name and Description and click Finish

3. Define the Protected network ranges

Select the newly created rule and click Properties under Actions


Select Computers tab

Enter Client NIC IP address as Endpoint 1

Enter Remote network behind SRX as Endpoint 2

4. Define the Tunnel Endpoints

Select the Advanced tab and click Customize under IPsec tunneling


Edit the endpoints so that the Local tunnel endpoint is the Windows client address and the Remote tunnel endpoint is the SRX’s external interface. Click OK, then Apply, then OK.

5. Enable perfect forward secrecy

Open an Elevated CMD prompt

Click on Windows Menu

Enter search phrase CMD.exe into Search field

Right click on the resulting cmd.exe file

Select ‘Run as Administrator’

Enter the following commands to set the quick mode security method and enable PFS (Test1 is the name entered when the rule was created)

C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmsecmethod=esp:sha1-aes128

C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmpfs=dhgroup2

Windows Configuration Results

C:\Users\Administrator>netsh advfirewall consec show rule name="Test1"

Rule Name:                            Test1
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  2.2.2.2
RemoteTunnelEndpoint:                 1.1.1.1
Endpoint1:                            2.2.2.2/32
Endpoint2:                            192.168.10.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          CN=WIN-5VQR2LUTHF1-CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
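Main mode and quick mode only complete if the IKE and IPsec proposals configured earlier on the SRX agree with the MainModeSecMethods, QuickModeSecMethods and qmpfs settings on the Windows side. The following Python checker is an added example, not part of the Juniper document: it parses both sides from constructed strings carrying this page's values and lists any mismatch (the Junos-to-netsh algorithm name table SRX_ALG is this example's own).

```python
import re

# Constructed sample input: the SRX phase 1 / phase 2 'set' commands from this document.
SRX_SET = """
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group2
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
set security ike proposal IKE_PROP lifetime-seconds 3600
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2
"""

# Constructed sample input: the netsh PFS command and the two 'show rule' lines from this document.
NETSH_TEXT = """
netsh advfirewall consec set rule name="Test1" new qmpfs=dhgroup2
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES128+60min+100000kb
"""

# Junos algorithm names mapped onto the tokens netsh prints (the ones this document uses plus a few common ones).
SRX_ALG = {
    "aes-128-cbc": "AES128", "aes-192-cbc": "AES192", "aes-256-cbc": "AES256", "3des-cbc": "3DES",
    "sha1": "SHA1", "hmac-sha1-96": "SHA1", "sha-256": "SHA256", "hmac-sha-256-128": "SHA256",
    "md5": "MD5", "hmac-md5-96": "MD5",
}


def parse_srx(text):
    """Return (phase1, phase2, pfs_group) from Junos 'set security ike/ipsec ...' lines."""
    ike, ipsec, pfs = {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if len(w) < 7 or w[0] != "set":
            continue
        if w[1:4] == ["security", "ike", "proposal"]:
            ike[w[5]] = w[6]                          # e.g. dh-group -> group2
        elif w[1:4] == ["security", "ipsec", "proposal"]:
            ipsec[w[5]] = w[6]
        elif "perfect-forward-secrecy" in w:
            pfs = int(w[-1].replace("group", ""))     # keys group2 -> 2
    phase1 = {"dh": int(ike["dh-group"].replace("group", "")),
              "enc": SRX_ALG[ike["encryption-algorithm"]],
              "integ": SRX_ALG[ike["authentication-algorithm"]]}
    phase2 = {"proto": ipsec["protocol"].upper(),
              "enc": SRX_ALG[ipsec["encryption-algorithm"]],
              "integ": SRX_ALG[ipsec["authentication-algorithm"]],
              "life": int(ipsec["lifetime-seconds"])}
    return phase1, phase2, pfs


def parse_windows(text):
    """Return (main_mode_offers, quick_mode_offer, pfs_group) from netsh text."""
    main, quick, pfs = [], None, None
    for line in text.splitlines():
        if line.startswith("MainModeSecMethods:"):
            for offer in line.split(":", 1)[1].split(","):
                m = re.match(r"DHGroup(\d+)-(\w+)-(\w+)$", offer.strip())
                if m:                                  # ECDH offers are not modelled here
                    main.append({"dh": int(m.group(1)), "enc": m.group(2), "integ": m.group(3)})
        elif line.startswith("QuickModeSecMethods:"):
            # netsh order is protocol:integrity-encryption+lifetime, e.g. ESP:SHA1-AES128+60min+100000kb
            m = re.match(r"QuickModeSecMethods:\s*(\w+):(\w+)-(\w+)\+(\d+)min", line)
            quick = {"proto": m.group(1), "integ": m.group(2), "enc": m.group(3),
                     "life": int(m.group(4)) * 60}
        elif "qmpfs=" in line:
            pfs = int(re.search(r"qmpfs=\s*dhgroup(\d+)", line).group(1))
    return main, quick, pfs


def compare(srx_text, netsh_text):
    """Return a list of mismatches; an empty list means main mode, quick mode and PFS agree."""
    p1, p2, srx_pfs = parse_srx(srx_text)
    main, quick, win_pfs = parse_windows(netsh_text)
    problems = []
    if p1 not in main:
        problems.append("phase 1: SRX proposal %s not among Windows main mode offers %s" % (p1, main))
    if quick is None:
        problems.append("phase 2: no QuickModeSecMethods found on the Windows side")
    else:
        for key in ("proto", "integ", "enc", "life"):
            if quick[key] != p2[key]:
                problems.append("phase 2 %s: SRX %s vs Windows %s" % (key, p2[key], quick[key]))
    if srx_pfs != win_pfs:
        problems.append("PFS: SRX group%s vs Windows dhgroup%s" % (srx_pfs, win_pfs))
    return problems


if __name__ == "__main__":
    for line in compare(SRX_SET, NETSH_TEXT) or ["SRX and Windows proposals agree"]:
        print(line)
```

Both sides here settle on DH group 2 and SHA-1, which is what this Windows client supports; the checker reports disagreement only, not algorithm strength.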

Verifying Setup and Usage

1) Verify the machine certificate store to make sure that a private key is attached to the required certificates, as indicated by a small key on the certificate icon.

Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.

2) Verify logs in the Windows firewall client:

Go to Event Viewer and check the Security log under Windows Logs.

3) Verify SRX tunnel status

root@srx# run show security ike sa

Index State Initiator cookie Responder cookie Mode Remote Address

6646446 UP 6c5848b0dc4aeae8 6e722f256cb17955 Main 2.2.2.2

[edit]

root@srx# run show security ike sa detail

IKE peer 2.2.2.2, Index 6646446, Gateway Name: ZTH_HUB_GW

Role: Responder, State: UP

Initiator cookie: 6c5848b0dc4aeae8, Responder cookie: 6e722f256cb17955

Exchange type: Main, Authentication method: RSA-signatures

Local: 1.1.1.1:500, Remote: 2.2.2.2:500

Lifetime: Expires in 1789 seconds

Peer ike-id: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1

Xauth user-name: not available

Xauth assigned IP: 0.0.0.0

Algorithms:

Authentication : hmac-sha256-128

Encryption : aes128-cbc

Pseudo random function: hmac-sha256

Diffie-Hellman group : DH-group-2

Traffic statistics:

Input bytes : 2596

Output bytes : 1896

Input packets: 5

Output packets: 4

IPSec security associations: 1 created, 0 deleted

Phase 2 negotiations in progress: 1

Negotiation type: Quick mode, Role: Responder, Message ID: 0

Local: 1.1.1.1:500, Remote: 2.2.2.2:500


Local identity: 1.1.1.1

Remote identity: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1

Flags: IKE SA is created

[edit]

root@srx# run show security ipsec sa

Total active tunnels: 1

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<268173314 ESP:aes-cbc-128/sha1 9d445798 3582/ 99999 - root 500 2.2.2.2

>268173314 ESP:aes-cbc-128/sha1 e80f1c05 3582/ 99999 - root 500 2.2.2.2

[edit]

root@srx# run show security ipsec sa detail

ID: 268173314 Virtual-system: root, VPN Name: ZTH_HUB_VPN

Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2

Local Identity: ipv4_subnet(any:0,[0..7]=192.168.10.0/24)

Remote Identity: ipv4(any:0,[0..3]=2.2.2.2)

Version: IKEv1

DF-bit: clear, Bind-interface: st0.1

Port: 500, Nego#: 10, Fail#: 0, Def-Del#: 0 Flag: 0x608a29

Tunnel events:

Wed Oct 08 2014 00:16:50 -0700: IPSec SA negotiation successfully completed (1 times)

Wed Oct 08 2014 00:16:50 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)

Wed Oct 08 2014 00:16:50 -0700: IKE SA negotiation successfully completed (1 times)

Direction: inbound, SPI: 9d445798, AUX-SPI: 0

Hard lifetime: Expires in 3578 seconds

Lifesize Remaining: 99999 kilobytes

Soft lifetime: Expires in 3015 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)

Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: e80f1c05, AUX-SPI: 0

Hard lifetime: Expires in 3578 seconds

Lifesize Remaining: 99999 kilobytes

Soft lifetime: Expires in 3015 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)

Anti-replay service: counter-based enabled, Replay window size: 64

4) Verify SRX Certificates

[edit]

root@srx# run show security pki ca-certificate

Certificate identifier: ROOT

Issued to: WIN-5VQR2LUTHF1-CA, Issued by: CN = WIN-5VQR2LUTHF1-CA

Validity:

Not before: 10- 3-2014 22:04 UTC

Not after: 10- 3-2019 22:14 UTC

Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: ikev2natt

Issued to: pond-win, Issued by: CN = pond-win

Validity:

Not before: 11-22-2013 23:26 UTC

Not after: 11-22-2018 23:35 UTC

Public key algorithm: rsaEncryption(2048 bits)


root@srx# run show security pki ca-certificate ca-profile ROOT detail

Certificate identifier: ROOT

Certificate version: 3

Serial number: 2efe46115e3f418e46b1f7b7f648584e

Issuer:

Common name: WIN-5VQR2LUTHF1-CA

Subject:

Common name: WIN-5VQR2LUTHF1-CA

Subject string:

CN=WIN-5VQR2LUTHF1-CA

Validity:

Not before: 10- 3-2014 22:04 UTC

Not after: 10- 3-2019 22:14 UTC

Public key algorithm: rsaEncryption(2048 bits)


Signature algorithm: sha1WithRSAEncryption

Use for key: CRL signing, Certificate signing, Digital signature

Fingerprint:

94:e7:fb:b1:d1:f9:aa:3f:c2:95:e3:28:02:da:ed:9f:30:e2:59:d9 (sha1)

51:40:f8:a8:d5:dd:64:7a:ff:34:50:71:c5:92:47:dc (md5)

[edit]

root@srx# run show security pki local-certificate certificate-id ZTH_HUB detail

Certificate identifier: ZTH_HUB

Certificate version: 3

Serial number: 61053ed5000000000004

Issuer:

Common name: WIN-5VQR2LUTHF1-CA

Subject:

Organization: Juniper, Organizational unit: engineering, Country: US, State: CA, Locality: Sunnyvale,

Common name: vpn-srx240-05, Domain component: juniper

Subject string:

C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=vpn-srx240-05

Alternate subject: "[email protected]", vpn-srx240-05.juniper.net, 1.1.1.1

Validity:

Not before: 10- 3-2014 22:45 UTC

Not after: 10- 3-2015 22:55 UTC

Public key algorithm: rsaEncryption(1024 bits)


Signature algorithm: sha1WithRSAEncryption

Distribution CRL:

file://WIN-5VQR2LUTHF1/CertEnroll/WIN-5VQR2LUTHF1-CA.crl

Fingerprint:


e1:9d:5b:fa:66:f6:58:8f:b6:30:34:05:54:69:95:77:8a:26:66:9b (sha1)

b8:35:51:26:60:43:7f:20:ba:3a:ea:d6:b8:08:e9:3d (md5)

Auto-re-enrollment:

Status: Disabled

Next trigger time: Timer not started

5) Windows Tunnel Status

To check the tunnel status on the Windows client, go to Event Viewer -> Windows Logs -> Security and check the Audit Success event for Quick Mode.

An IPsec quick mode security association was established.

Local Endpoint:

Network Address: 2.2.2.2

Network Address mask: 255.255.255.255

Port: 0

Tunnel Endpoint: 2.2.2.2

Remote Endpoint:

Network Address: 192.168.10.0

Network Address Mask: 255.255.255.0

Port: 0

Private Address: 0.0.0.0

Tunnel Endpoint: 1.1.1.1

Protocol: 0

Keying Module Name: -

Cryptographic Information:

Integrity Algorithm - AH: -

Integrity Algorithm - ESP: SHA-1

Encryption Algorithm: AES-128

Security Association Information:

Lifetime - seconds: 3600

Lifetime - data: 100000

Lifetime - packets: 2147483647

Mode: Tunnel

Role: Initiator

Quick Mode Filter ID: 83470

Main Mode SA ID: 2171

Quick Mode SA ID: 1108

Additional Information:

Inbound SPI: 3325224778

Outbound SPI: 717234676

Virtual Interface Tunnel ID: 0

Traffic Selector ID: 0

To check the tunnel status on the Windows client, go to Event Viewer -> Windows Logs -> Security and check the Audit Success event for Main Mode.

An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.

Local Endpoint:


Principal Name: mjain-win2k8-1

Network Address: 2.2.2.2

Keying Module Port: 500

Local Certificate:

SHA Thumbprint: 11f73620578fa9b4b5a7359b48c29fb534b5f229

Issuing CA: WIN-5VQR2LUTHF1-CA

Root CA: CN=WIN-5VQR2LUTHF1-CA

Remote Endpoint:

Principal Name: vpn-srx240-05.juniper.net

Network Address: 1.1.1.1

Keying Module Port: 500

Remote Certificate:

SHA thumbprint: e19d5bfa66f6588fb6303405546995778a26669b

Issuing CA: WIN-5VQR2LUTHF1-CA

Root CA: CN=WIN-5VQR2LUTHF1-CA

Cryptographic Information:

Cipher Algorithm: AES-128

Integrity Algorithm: SHA 256

Diffie-Hellman Group: DH group 2

Security Association Information:

Lifetime (minutes): 30

Quick Mode Limit: 0

Main Mode SA ID: 2171

Additional Information:

Keying Module Name: IKEv1

Authentication Method: Certificate

Role: Initiator

Impersonation State: Not enabled

Main Mode Filter ID: 83452
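Two things are worth cross-checking in the outputs above: the SRX accepts the peer because its IKE-ID subject contains the gateway wildcard C=US (which is why the note on the client certificate request requires Country = US), and the Remote Certificate thumbprint in the Windows main mode event should equal the SHA-1 fingerprint of ZTH_HUB shown by the SRX. The following Python is an added example, not part of the Juniper document; its wildcard_matches function is a model of the Junos distinguished-name wildcard match (attributes in any order, extra peer attributes ignored), and the inputs are constructed strings holding this page's values.

```python
import re

# Constructed sample: the peer IKE-ID as printed by 'show security ike sa detail' on the SRX.
PEER_IKE_ID = "C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1"

# Constructed sample: the wildcard from 'set security ike gateway CORP_GW dynamic distinguished-name wildcard C=US'.
GATEWAY_WILDCARD = "C=US"

# Constructed sample: the fingerprint line of 'show security pki local-certificate certificate-id ZTH_HUB detail'.
SRX_FINGERPRINT_LINE = "e1:9d:5b:fa:66:f6:58:8f:b6:30:34:05:54:69:95:77:8a:26:66:9b (sha1)"

# Constructed sample: the Remote Certificate block of the Windows main mode audit event.
WIN_MAIN_MODE_EVENT = """
Remote Certificate:
SHA thumbprint: e19d5bfa66f6588fb6303405546995778a26669b
Issuing CA: WIN-5VQR2LUTHF1-CA
Root CA: CN=WIN-5VQR2LUTHF1-CA
"""

EXPECTED_CA = "WIN-5VQR2LUTHF1-CA"   # the CA profile ROOT on the SRX was issued to this name


def parse_dn(dn):
    """Split 'C=US, O=Juniper, OU=a, OU=b' into {'C': ['US'], 'O': ['Juniper'], 'OU': ['a', 'b']}.
    Attribute types are case-insensitive; values are kept as written. Escaped commas are not handled."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts.setdefault(key.strip().upper(), []).append(value.strip())
    return parts


def wildcard_matches(wildcard, peer_dn):
    """Model of the SRX 'distinguished-name wildcard' check: every attribute/value in the
    wildcard must be present in the peer subject, in any order; extra peer attributes are ignored."""
    want, have = parse_dn(wildcard), parse_dn(peer_dn)
    return all(v in have.get(k, []) for k, vals in want.items() for v in vals)


def srx_fingerprint(line):
    """Extract the colon-separated SHA-1 fingerprint from the SRX 'detail' output as plain hex."""
    m = re.search(r"((?:[0-9a-fA-F]{2}:){19}[0-9a-fA-F]{2})\s*\(sha1\)", line)
    return m.group(1).replace(":", "").lower() if m else None


def windows_remote_cert(event_text):
    """Extract thumbprint and issuing CA from the Remote Certificate block of the audit event."""
    block = event_text.split("Remote Certificate:", 1)[1] if "Remote Certificate:" in event_text else ""
    thumb = re.search(r"SHA thumbprint:\s*([0-9a-fA-F]{40})", block)
    issuer = re.search(r"Issuing CA:\s*(\S+)", block)
    return (thumb.group(1).lower() if thumb else None, issuer.group(1) if issuer else None)


def verify_peer(event_text, fingerprint_line, expected_ca):
    """Return boolean checks tying the Windows-side view of the peer back to the SRX certificate."""
    thumb, issuer = windows_remote_cert(event_text)
    return {"thumbprint_matches_srx_cert": thumb is not None and thumb == srx_fingerprint(fingerprint_line),
            "issued_by_expected_ca": issuer == expected_ca}


if __name__ == "__main__":
    print("wildcard %r matches peer: %s" % (GATEWAY_WILDCARD, wildcard_matches(GATEWAY_WILDCARD, PEER_IKE_ID)))
    print(verify_peer(WIN_MAIN_MODE_EVENT, SRX_FINGERPRINT_LINE, EXPECTED_CA))
```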

EKU, SAN for IKE-ID:

VPN Server Certificate EKU                                                       Accepted by Windows Firewall Client
IP security IKE intermediate                                                     Yes
Server Authentication + IP security IKE intermediate                             No
IP security IKE intermediate + Client Authentication                             No
Server Authentication                                                            Yes
Client Authentication                                                            No
Server Authentication + Client Authentication                                    Yes
IP security IKE intermediate + Server Authentication + Client Authentication     Yes
None                                                                             No