There was a task to change the IPSec authentication method from pre-shared key to PKI certificate based, on SRX240H and SRX1400 firewalls. This post records the steps and the troubleshooting of the errors I met during the configuration.

1. On both firewalls, generate a public/private key pair:

{primary:node0}root@fw-1> request security pki generate-key-pair certificate-id PRO size 2048   

node0:

————————————————————————–
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair:

{primary:node0}root@fw-1> request security pki generate-certificate-request certificate-id PRO subject "CN=Admin,CN=m.test.com,OU=IT,O=test,L=M,ST=ON,C=CA" email [email protected] filename ms-cert-req

node0:

————————————————————————–
Generated certificate request

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

Fingerprint:
  c7:dd:83:11:d1:8a:54:6c:5c:1e:7e:cd:79:73:c0:71:b0:ba:a5:fc (sha1)
  f6:10:e3:1f:c0:07:3e:dc:5c:e5:8e:b5:51:2b:9a:1e (md5)

3. Submit the certificate request to the CA and retrieve the certificates

4. Copy the local certificate and the CA certificate to the firewall

You can either use FTP to transfer the files to the device, or use vi to paste each certificate into a file under /var/tmp, as shown below:

root@fw-1% cd /var/tmp
root@fw-1% vi cert.cer

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

root@fw-1% vi root.cer
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

5. Create a trusted CA profile and load the local certificate and the CA certificate

ca-profile rootverisign {
    ca-identity test.com;
    revocation-check {
        disable;
    }
    administrator {
        email-address "[email protected]";
    }
}


{primary:node0}root@fw-1> request security pki local-certificate load certificate-id PRO filename /var/tmp/cert.cer
node0:
————————————————————————–
Local certificate loaded successfully

{primary:node0}root@fw-1> request security pki ca-certificate load ca-profile rootverisign filename /var/tmp/root.cer
node0:
————————————————————————–
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate

This error means a CA certificate already exists in that profile. Clear it first with the following command:

{primary:node0}
root@fw-1> clear security pki ca-certificate ca-profile rootverisign 

Alternatively, you can delete the file directly from the certificate folder.

root@fw-1> request security pki ca-certificate load ca-profile Montreal-PRO filename /var/tmp/root.cer 
node0:
————————————————————————–
Fingerprint:
  44:f4:34:20:3e:fa:be:7e:9e:c5:82:94:e3:b2:36:0b:4c:c5:c0:c0 (sha1)
  1a:3e:85:80:2b:c7:57:86:c2:44:66:ff:89:ad:1e:c8 (md5)
error: Failed to write the CA certificate to local store

This error message is usually caused by an unrecognized certificate file format. In this case, the Juniper SRX does not accept a CA certificate file that contains two certificates. We have to manually split the file into two parts and import each part into its own CA profile, such as the G4 and G5 profiles created below.
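As an added example (not from the original post or from Juniper): a Python script that splits a multi-certificate PEM file such as root.cer into one file per CA certificate and prints the same SHA1/MD5 fingerprints Junos shows on load, so each file can be matched to its CA profile. The sample bundle and its payload bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Constructed sample standing in for a root.cer that carries two CA
# certificates (a G4 and a G5) in one file. The payloads are placeholder
# bytes, not real DER certificates; splitting and fingerprinting only
# depend on the PEM framing and the raw decoded bytes.
PLACEHOLDER_G4 = b"placeholder DER bytes for the G4 CA (constructed)"
PLACEHOLDER_G5 = b"placeholder DER bytes for the G5 CA (constructed)"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_block(der: bytes) -> str:
    """Wrap DER bytes in standard PEM framing (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"

def split_bundle(text: str) -> List[str]:
    """Return every certificate in a PEM bundle as its own normalised PEM."""
    certs = []
    for m in PEM_RE.finditer(text):
        # Drop line breaks/indent (pasted files often carry them) and
        # fail loudly on anything that is not valid base64.
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        certs.append(pem_block(der))
    return certs

def fingerprints(pem: str) -> Tuple[str, str]:
    """SHA1 and MD5 of the DER, colon-separated the way Junos prints them,
    so a loaded CA certificate can be checked against the expected file."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    fmt = lambda digest: ":".join(f"{b:02x}" for b in digest)
    return fmt(hashlib.sha1(der).digest()), fmt(hashlib.md5(der).digest())

BUNDLE = pem_block(PLACEHOLDER_G4) + pem_block(PLACEHOLDER_G5)

if __name__ == "__main__":
    # Write g4.cer and g5.cer, one certificate each, ready for
    # "request security pki ca-certificate load ca-profile ... filename ...".
    for name, pem in zip(["g4.cer", "g5.cer"], split_bundle(BUNDLE)):
        with open(name, "w") as fh:
            fh.write(pem)
        sha1, md5 = fingerprints(pem)
        print(f"{name}: sha1 {sha1}  md5 {md5}")
```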

pki {
    ca-profile G4 {
        ca-identity gi-de.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    ca-profile G5 {
        ca-identity gi-de.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    traceoptions {
        file PKITRACE size 1m;
        flag all;
    }
}

root@fw-1> request security pki ca-certificate load ca-profile G4 filename /var/tmp/g4.cer 
node0:
————————————————————————–
Fingerprint:
  ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
  23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
CA certificate for profile G4 loaded successfully

{primary:node0}
root@fw-1> request security pki ca-certificate load ca-profile G5 filename /var/tmp/g5.cer    
node0:
————————————————————————–
Fingerprint:
  32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
  f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
CA certificate for profile G5 loaded successfully

6. Use the certificate in the IPsec VPN configuration

ike {
    inactive: traceoptions {
        file IKELOG size 1m;
        flag policy-manager;
        flag ike;
        flag routing-socket;
        flag certificates;
    }
    proposal P1-AES_1_1_1 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy ike-pol-Myvpn {
        mode main;
        proposals P1-AES_1_1_1;
        certificate {
            local-certificate Mark-PRO;
            peer-certificate-type x509-signature;
        }
        inactive: pre-shared-key ascii-text "$9$4xZGjqmT3nCHqp01IcSs2g4Uj"; ## SECRET-DATA
    }
    gateway gw-TheirGateway {
        ike-policy ike-pol-Myvpn;
        address 10.9.1.1;
        local-identity hostname mark.test.com;
        remote-identity hostname mont.test.com;
        external-interface reth9.0;
        local-address 10.4.1.1;
    }
}
ipsec {
    proposal P2-AES_1 {
        description group2;
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals P2-AES_1;
    }
    vpn vpn-ToThem {
        bind-interface st0.0;
        ike {
            gateway gw-TheirGateway;
            idle-time 1800;
            ipsec-policy ipsec-pol-1;
        }
    }

}

Some other configuration for the route-based IPSec VPN

interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}

admin@fw-TEST1-2> show configuration routing-instances 
vr_SRX2 {
    instance-type virtual-router;
    interface reth9.0;
    interface st0.0;
    routing-options {
        static {
            route 1.1.1.0/24 next-hop 10.4.1.2;
            route 10.9.0.0/16 next-hop st0.0;
            route 10.9.1.1/32 next-hop 10.4.1.2;
        }
        aggregate {
            route 10.9.0.0/16 {
                preference 2;
            }
            route 192.168.0.0/16 {
                preference 2;
            }
        }
        instance-import from_all_to_SRXl;
    }
}

Reference:

1. Commands to clear PKI-related files

  • clear security pki key-pair certificate-id Markham-PRO
  • clear security pki local-certificate certificate-id Markham-PRO
  • clear security pki ca-certificate ca-profile Markham-PRO
  • clear security pki certificate-request certificate-id Markham-PRO

2. J Series / SRX Series IPSec VPN with PKI Certificates Primer
3. Example: Configuring the PKI in Junos OS
4. Certificate based IPSEC VPN in SRX
5. Juniper SRX – PKI – Certificate-based VPNs – Part 02 – SRX Configuration & Certificate Signings

Notes:

The following sets up the installed SSL certificate on fe-0/0/0.0. Assign it to the externally facing interface, which must also be set to accept HTTPS in its zone:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set system services web-management https pki-local-certificate PRO interface fe-0/0/0.0

By Jon
