
Example: IKE Dynamic SA Configuration with Digital Certificates

This example shows how to configure IKE dynamic SA with digital certificates and contains the following sections.

Requirements

This example uses the following hardware and software components:

  • Four M Series, MX Series, or T Series routers with multiservices interfaces installed in them.
  • Junos OS Release 9.4 or later.

Before you configure this example, you must request a CA certificate, create a local certificate, and load these digital certificates into the router. For details, see Requesting and installing digital certificates on your router.

Overview

A security association (SA) is a simplex connection that enables two hosts to securely communicate with each other using IPsec. This example explains IKE dynamic SA configuration with digital certificates. The use of digital certificates provides additional security to your IKE tunnel. Using default values in the Services PIC, you do not need to configure an IPsec proposal or IPsec policy. However, you must configure an IKE proposal that specifies the use of digital certificates, reference the IKE proposal and local certificate in an IKE policy, and apply the CA profile to the service set.

Figure 1 shows an IPsec topology containing a group of four routers. This configuration requires Routers 2 and 3 to establish an IKE-based IPsec tunnel by using digital certificates in place of preshared keys. Routers 1 and 4 provide basic connectivity and are used to verify that the IPsec tunnel is operational.

Topology

Figure 1: MS PIC IKE Dynamic SA Topology Diagram


Configuration

To configure IKE dynamic SA with digital certificates, perform these tasks:

Note: The interface types shown in this example are for illustration only. For example, you can use so- interfaces instead of ge-, and sp- instead of ms-.

Configuring Router 1

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 1.

set interfaces ge-0/0/0 description "to R2 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.2/30
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set routing-options router-id 10.0.0.1
set protocols ospf area 0.0.0.0 interface ge-0/0/0
set protocols ospf area 0.0.0.0 interface lo0.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Router 1 for OSPF connectivity with Router 2:

  1. Configure an Ethernet interface and the loopback interface.
    [edit interfaces]
    user@router1# set ge-0/0/0 description "to R2 ge-0/0/0"
    user@router1# set ge-0/0/0 unit 0 family inet address 10.1.12.2/30
    user@router1# set lo0 unit 0 family inet address 10.0.0.1/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router1# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router1# set ospf area 0.0.0.0 interface lo0.0
  3. Configure the router ID.
    [edit routing-options]
    user@router1# set router-id 10.0.0.1
  4. Commit the configuration.
    [edit]
    user@router1# commit

Results

From the configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router1# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R2 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.12.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.1/32;
            }
        }
    }
}
user@router1# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
}
user@router1# show routing-options
routing-options {
    router-id 10.0.0.1;
}

Configuring Router 2

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 2.

set interfaces ge-0/0/0 description "to R1 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.12.1/30
set interfaces ge-0/0/1 description "to R3 ge-0/0/1"
set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.1/30
set interfaces ms-1/2/0 services-options syslog host local services info
set interfaces ms-1/2/0 unit 0 family inet
set interfaces ms-1/2/0 unit 1 family inet
set interfaces ms-1/2/0 unit 1 service-domain inside
set interfaces ms-1/2/0 unit 2 family inet
set interfaces ms-1/2/0 unit 2 service-domain outside
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ms-1/2/0.1
set routing-options router-id 10.0.0.2
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2
set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates
set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
set services ipsec-vpn rule rule-ike match-direction input
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures
set services ipsec-vpn ike policy ike-digital-certificates proposals ike-demo-proposal
set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router2.juniper.net
set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust2
set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router3.juniper.net
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
set services ipsec-vpn establish-tunnels immediately
set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1
set services service-set demo-service-set ipsec-vpn-rules rule-ike

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure OSPF connectivity and IPsec tunnel parameters on Router 2:

  1. Configure interface properties. In this step, you configure two Ethernet interfaces (ge-0/0/0 and ge-0/0/1), the loopback interface, and a multiservices interface (ms-1/2/0).
    [edit interfaces]
    user@router2# set ge-0/0/0 description "to R1 ge-0/0/0"
    user@router2# set ge-0/0/0 unit 0 family inet address 10.1.12.1/30
    user@router2# set ge-0/0/1 description "to R3 ge-0/0/1"
    user@router2# set ge-0/0/1 unit 0 family inet address 10.1.15.1/30
    user@router2# set ms-1/2/0 services-options syslog host local services info
    user@router2# set ms-1/2/0 unit 0 family inet
    user@router2# set ms-1/2/0 unit 1 family inet
    user@router2# set ms-1/2/0 unit 1 service-domain inside
    user@router2# set ms-1/2/0 unit 2 family inet
    user@router2# set ms-1/2/0 unit 2 service-domain outside
    user@router2# set lo0 unit 0 family inet address 10.0.0.2/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router2# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router2# set ospf area 0.0.0.0 interface lo0.0
    user@router2# set ospf area 0.0.0.0 interface ms-1/2/0.1
  3. Configure the router ID.
    [edit routing-options]
    user@router2# set router-id 10.0.0.2
  4. Configure an IKE proposal and policy. To enable an IKE proposal for digital certificates, include the rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name authentication-method] hierarchy level. To reference the local certificate in the IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. To identify the CA or RA in the service set, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

    Note: For information about creating and installing digital certificates, see Requesting and installing digital certificates on your router.

    [edit services ipsec-vpn]
    user@router2# set ike proposal ike-demo-proposal authentication-method rsa-signatures
    user@router2# set ike policy ike-digital-certificates proposals ike-demo-proposal
    user@router2# set ike policy ike-digital-certificates local-id fqdn router2.juniper.net
    user@router2# set ike policy ike-digital-certificates local-certificate local-entrust2
    user@router2# set ike policy ike-digital-certificates remote-id fqdn router3.juniper.net
  5. Configure an IPsec proposal and policy, and set the establish-tunnels statement to immediately.
    [edit services ipsec-vpn]
    user@router2# set ipsec proposal ipsec-demo-proposal protocol esp
    user@router2# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
    user@router2# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
    user@router2# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
    user@router2# set ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
    user@router2# set establish-tunnels immediately
  6. Configure an IPsec rule.
    [edit services ipsec-vpn]
    user@router2# set rule rule-ike term term-ike then remote-gateway 10.1.15.2
    user@router2# set rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates
    user@router2# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
    user@router2# set rule rule-ike match-direction input
  7. Configure a next-hop style service set, specify the local-gateway address, and associate the IPsec VPN rule with the service set.
    [edit services]
    user@router2# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
    user@router2# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
    user@router2# set service-set demo-service-set ipsec-vpn-options trusted-ca entrust
    user@router2# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1
    user@router2# set service-set demo-service-set ipsec-vpn-rules rule-ike
  8. Commit the configuration.
    [edit]
    user@router2# commit

Results

From the configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, show routing-options, and show services commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router2# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R1 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.12.1/30;
            }
        }
    }
    ge-0/0/1 {
        description "To R3 ge-0/0/1";
        unit 0 {
            family inet {
                address 10.1.15.1/30;
            }
        }
    }
    ms-1/2/0 {
        services-options {
            syslog {
                host local {
                    services info;
                }
            }
        }
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.2/32;
            }
        }
    }
}
user@router2# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
            interface ms-1/2/0.1;
        }
    }
}
user@router2# show routing-options
routing-options {
    router-id 10.0.0.2;
}
user@router2# show services
services {
    ipsec-vpn {
        rule rule-ike {
            term term-ike {
                then {
                    remote-gateway 10.1.15.2;
                    dynamic {
                        ike-policy ike-digital-certificates;
                        ipsec-policy ipsec-demo-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            proposal ike-demo-proposal {
                authentication-method rsa-signatures;
            }
            policy ike-digital-certificates {
                proposals ike-demo-proposal;
                local-id fqdn router2.juniper.net;
                local-certificate local-entrust2;
                remote-id fqdn router3.juniper.net;
            }
        }
        ipsec {
            proposal ipsec-demo-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
            }
            policy demo-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-demo-proposal;
            }
            establish-tunnels immediately;
        }
    }
    service-set service-set-dynamic-demo-service-set {
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            trusted-ca entrust;
            local-gateway 10.1.15.1;
        }
        ipsec-vpn-rules rule-ike;
    }
}

Configuring Router 3

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 3.

set interfaces ge-0/0/0 description "to R4 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.1/30
set interfaces ge-0/0/1 description "to R2 ge-0/0/1"
set interfaces ge-0/0/1 unit 0 family inet address 10.1.15.2/30
set interfaces ms-1/2/0 services-options syslog host local services info
set interfaces ms-1/2/0 unit 0 family inet
set interfaces ms-1/2/0 unit 1 family inet
set interfaces ms-1/2/0 unit 1 service-domain inside
set interfaces ms-1/2/0 unit 2 family inet
set interfaces ms-1/2/0 unit 2 service-domain outside
set interfaces lo0 unit 0 family inet address 10.0.0.3/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set protocols ospf area 0.0.0.0 interface ms-1/2/0.1
set routing-options router-id 10.0.0.3
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1
set services ipsec-vpn rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates
set services ipsec-vpn rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
set services ipsec-vpn rule rule-ike match-direction input
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures
set services ipsec-vpn ike policy ike-digital-certificates proposals ike-demo-proposal
set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router3.juniper.net
set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust3
set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router2.juniper.net
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services ipsec-vpn ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
set services ipsec-vpn establish-tunnels immediately
set services service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
set services service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2
set services service-set demo-service-set ipsec-vpn-rules rule-ike

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

Note: If the IPsec peers do not have a symmetrical configuration containing all the necessary components, they cannot establish a peering relationship. You need to request a CA certificate, create a local certificate, load these digital certificates into the router, and reference them in your IPsec configuration. For information about digital certificates, see Requesting and installing digital certificates on your router.

To configure OSPF connectivity and IPsec tunnel parameters on Router 3:

  1. Configure interface properties. In this step, you configure two Ethernet interfaces (ge-0/0/0 and ge-0/0/1), the loopback interface, and a multiservices interface (ms-1/2/0).
    [edit interfaces]
    user@router3# set ge-0/0/0 description "to R4 ge-0/0/0"
    user@router3# set ge-0/0/0 unit 0 family inet address 10.1.56.1/30
    user@router3# set ge-0/0/1 description "to R2 ge-0/0/1"
    user@router3# set ge-0/0/1 unit 0 family inet address 10.1.15.2/30
    user@router3# set ms-1/2/0 services-options syslog host local services info
    user@router3# set ms-1/2/0 unit 0 family inet
    user@router3# set ms-1/2/0 unit 1 family inet
    user@router3# set ms-1/2/0 unit 1 service-domain inside
    user@router3# set ms-1/2/0 unit 2 family inet
    user@router3# set ms-1/2/0 unit 2 service-domain outside
    user@router3# set lo0 unit 0 family inet address 10.0.0.3/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router3# set ospf area 0.0.0.0 interface ge-0/0/0.0
    user@router3# set ospf area 0.0.0.0 interface lo0.0
    user@router3# set ospf area 0.0.0.0 interface ms-1/2/0.1
  3. Configure a router ID.
    [edit routing-options]
    user@router3# set router-id 10.0.0.3
  4. Configure an IKE proposal and policy. To enable an IKE proposal for digital certificates, include the rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name authentication-method] hierarchy level. To reference the local certificate in the IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. To identify the CA or RA in the service set, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.

    Note: For information about creating and installing digital certificates, see Requesting and installing digital certificates on your router.

    [edit services ipsec-vpn]
    user@router3# set ike proposal ike-demo-proposal authentication-method rsa-signatures
    user@router3# set ike policy ike-digital-certificates proposals ike-demo-proposal
    user@router3# set ike policy ike-digital-certificates local-id fqdn router3.juniper.net
    user@router3# set ike policy ike-digital-certificates local-certificate local-entrust3
    user@router3# set ike policy ike-digital-certificates remote-id fqdn router2.juniper.net
  5. Configure an IPsec proposal and policy, and set the establish-tunnels statement to immediately.
    [edit services ipsec-vpn]
    user@router3# set ipsec proposal ipsec-demo-proposal protocol esp
    user@router3# set ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
    user@router3# set ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
    user@router3# set ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
    user@router3# set ipsec policy ipsec-demo-policy proposals ipsec-demo-proposal
    user@router3# set establish-tunnels immediately
  6. Configure an IPsec rule.
    [edit services ipsec-vpn]
    user@router3# set rule rule-ike term term-ike then remote-gateway 10.1.15.1
    user@router3# set rule rule-ike term term-ike then dynamic ike-policy ike-digital-certificates
    user@router3# set rule rule-ike term term-ike then dynamic ipsec-policy ipsec-demo-policy
    user@router3# set rule rule-ike match-direction input
  7. Configure a next-hop style service set, specify the local-gateway address, and associate the IPsec VPN rule with the service set.
    [edit services]
    user@router3# set service-set demo-service-set next-hop-service inside-service-interface ms-1/2/0.1
    user@router3# set service-set demo-service-set next-hop-service outside-service-interface ms-1/2/0.2
    user@router3# set service-set demo-service-set ipsec-vpn-options trusted-ca entrust
    user@router3# set service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2
    user@router3# set service-set demo-service-set ipsec-vpn-rules rule-ike
  8. Commit the configuration.
    [edit]
    user@router3# commit

Results

From the configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, show routing-options, and show services commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router3# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R4 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.56.1/30;
            }
        }
    }
    ge-0/0/1 {
        description "To R2 ge-0/0/1";
        unit 0 {
            family inet {
                address 10.1.15.2/30;
            }
        }
    }
    ms-1/2/0 {
        services-options {
            syslog {
                host local {
                    services info;
                }
            }
        }
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.3/32;
            }
        }
    }
}
user@router3# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
            interface ms-1/2/0.1;
        }
    }
}
user@router3# show routing-options
routing-options {
    router-id 10.0.0.3;
}
user@router3# show services
services {
    ipsec-vpn {
        rule rule-ike {
            term term-ike {
                then {
                    remote-gateway 10.1.15.1;
                    dynamic {
                        ike-policy ike-digital-certificates;
                        ipsec-policy ipsec-demo-policy;
                    }
                }
            }
            match-direction input;
        }
        ike {
            proposal ike-demo-proposal {
                authentication-method rsa-signatures;
            }
            policy ike-digital-certificates {
                proposals ike-demo-proposal;
                local-id fqdn router3.juniper.net;
                local-certificate local-entrust3;
                remote-id fqdn router2.juniper.net;
            }
        }
        ipsec {
            proposal ipsec-demo-proposal {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm 3des-cbc;
            }
            policy demo-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals ipsec-demo-proposal;
            }
            establish-tunnels immediately;
        }
    }
    service-set service-set-dynamic-demo-service-set {
        next-hop-service {
            inside-service-interface ms-1/2/0.1;
            outside-service-interface ms-1/2/0.2;
        }
        ipsec-vpn-options {
            trusted-ca entrust;
            local-gateway 10.1.15.2;
        }
        ipsec-vpn-rules rule-ike;
    }
}
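The note in the Router 3 procedure says the two IPsec peers must be configured symmetrically or they will never negotiate. That symmetry can be checked mechanically before either configuration is committed. The following Python script is an added example and is not part of the Junos documentation: it reads the tunnel-relevant "set" statements of Routers 2 and 3 (constructed sample input, trimmed to the statements that must agree), confirms that each side's local-gateway and local-id mirror the other side's remote-gateway and remote-id, and confirms that the trusted CA, IKE authentication method, IPsec proposal algorithms and PFS group are identical on both peers. A second Router 3 sample carries a mistyped remote-gateway (the router's own address) so the check has something to report. The function and constant names are the example's own.

```python
# Added example (not Juniper's code): check that the two IPsec peers' "set"-form
# configurations mirror each other before they are committed.

# Constructed sample input: the tunnel-relevant statements of Router 2 and Router 3.
ROUTER2_SET = """\
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.2
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures
set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router2.juniper.net
set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust2
set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router3.juniper.net
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.1
"""

ROUTER3_SET = """\
set services ipsec-vpn rule rule-ike term term-ike then remote-gateway 10.1.15.1
set services ipsec-vpn ike proposal ike-demo-proposal authentication-method rsa-signatures
set services ipsec-vpn ike policy ike-digital-certificates local-id fqdn router3.juniper.net
set services ipsec-vpn ike policy ike-digital-certificates local-certificate local-entrust3
set services ipsec-vpn ike policy ike-digital-certificates remote-id fqdn router2.juniper.net
set services ipsec-vpn ipsec proposal ipsec-demo-proposal protocol esp
set services ipsec-vpn ipsec proposal ipsec-demo-proposal authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec-demo-proposal encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec policy ipsec-demo-policy perfect-forward-secrecy keys group2
set services service-set demo-service-set ipsec-vpn-options trusted-ca entrust
set services service-set demo-service-set ipsec-vpn-options local-gateway 10.1.15.2
"""

# Constructed failure case: Router 3's remote-gateway mistyped as its own address.
ROUTER3_SET_MISTYPED = ROUTER3_SET.replace(
    "remote-gateway 10.1.15.1", "remote-gateway 10.1.15.2")

# Statements whose value is the single token after the keyword.
SINGLE_VALUE_KEYS = {
    "local-gateway", "remote-gateway", "trusted-ca", "authentication-method",
    "protocol", "authentication-algorithm", "encryption-algorithm", "keys",
}
# A field on one peer that must equal the mirrored field on the other peer.
MIRRORED = {"local-gateway": "remote-gateway", "remote-gateway": "local-gateway",
            "local-id": "remote-id", "remote-id": "local-id"}
# Fields that must be identical on both peers.
SHARED = ("trusted-ca", "authentication-method", "protocol",
          "authentication-algorithm", "encryption-algorithm", "keys")


def parse_peer(set_config):
    """Pull the tunnel parameters out of 'set' statements into a flat dict."""
    params = {}
    for line in set_config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            continue
        for i, tok in enumerate(tokens):
            if tok in ("local-id", "remote-id") and i + 2 < len(tokens) and tokens[i + 1] == "fqdn":
                params[tok] = tokens[i + 2]  # the identity is the FQDN after the type keyword
            elif tok in SINGLE_VALUE_KEYS and i + 1 < len(tokens):
                params[tok] = tokens[i + 1]
    return params


def check_symmetry(peer_a, peer_b):
    """Return human-readable mismatches; an empty list means the peers agree."""
    problems = []
    for field, mirror in MIRRORED.items():
        if peer_a.get(field) != peer_b.get(mirror):
            problems.append(f"{field} on peer A ({peer_a.get(field)}) does not match "
                            f"{mirror} on peer B ({peer_b.get(mirror)})")
    for field in SHARED:
        if peer_a.get(field) != peer_b.get(field):
            problems.append(f"{field} differs: peer A {peer_a.get(field)}, "
                            f"peer B {peer_b.get(field)}")
    return problems


if __name__ == "__main__":
    for label, r3 in (("correct", ROUTER3_SET), ("mistyped", ROUTER3_SET_MISTYPED)):
        print(label, check_symmetry(parse_peer(ROUTER2_SET), parse_peer(r3)) or "OK")
```

In practice the input would be the output of show configuration | display set from each router; the script only looks at the handful of statements that decide whether IKE phase 1 and phase 2 can succeed, so a mismatch it reports is one the peers would otherwise only reveal as a failed negotiation.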

Configuring Router 4

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI, at the [edit] hierarchy level, of Router 4.

set interfaces ge-0/0/0 description "to R3 ge-0/0/0"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.56.2/30
set interfaces lo0 unit 0 family inet address 10.0.0.4/32
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
set routing-options router-id 10.0.0.4

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Router 4 for OSPF connectivity with Router 3:

  1. Configure the interfaces. In this step, you configure an Ethernet interface (ge-0/0/0) and the loopback interface.
    [edit interfaces]
    user@router4# set ge-0/0/0 description "to R3 ge-0/0/0"
    user@router4# set ge-0/0/0 unit 0 family inet address 10.1.56.2/30
    user@router4# set lo0 unit 0 family inet address 10.0.0.4/32
  2. Specify the OSPF area and associate the interfaces with the OSPF area.
    [edit protocols]
    user@router4# set ospf area 0.0.0.0 interface ge-0/0/0
    user@router4# set ospf area 0.0.0.0 interface lo0.0
  3. Configure the router ID.
    [edit routing-options]
    user@router4# set router-id 10.0.0.4

Results

From the configuration mode, confirm your configuration by entering the show interfaces, show protocols ospf, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@router4# show interfaces
interfaces {
    ge-0/0/0 {
        description "To R3 ge-0/0/0";
        unit 0 {
            family inet {
                address 10.1.56.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.0.4/32;
            }
        }
    }
}
user@router4# show protocols ospf
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface lo0.0;
        }
    }
}
user@router4# show routing-options
routing-options {
    router-id 10.0.0.4;
}

Verification

Verifying Your Work on Router 1

Purpose

On Router 1, use the ping command to send traffic to the ge-0/0/0 interface address on Router 4, which carries the traffic across the IPsec tunnel.

Action

From operational mode, enter ping 10.1.56.2.

user@router1> ping 10.1.56.2
PING 10.1.56.2 (10.1.56.2): 56 data bytes
64 bytes from 10.1.56.2: icmp_seq=0 ttl=254 time=1.351 ms
64 bytes from 10.1.56.2: icmp_seq=1 ttl=254 time=1.187 ms
64 bytes from 10.1.56.2: icmp_seq=2 ttl=254 time=1.172 ms
64 bytes from 10.1.56.2: icmp_seq=3 ttl=254 time=1.154 ms
64 bytes from 10.1.56.2: icmp_seq=4 ttl=254 time=1.156 ms
^C
--- 10.1.56.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.154/1.204/1.351/0.074 ms

If you ping the loopback address of Router 4, the operation succeeds because the address is part of the OSPF network configured on Router 4.

user@router1> ping 10.0.0.4
PING 10.0.0.4 (10.0.0.4): 56 data bytes
64 bytes from 10.0.0.4: icmp_seq=0 ttl=62 time=1.318 ms
64 bytes from 10.0.0.4: icmp_seq=1 ttl=62 time=1.084 ms
64 bytes from 10.0.0.4: icmp_seq=2 ttl=62 time=3.260 ms
^C
--- 10.0.0.4 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.084/1.887/3.260/0.975 ms

Verifying Your Work on Router 2

Purpose

To verify that matched traffic is being diverted to the bidirectional IPsec tunnel, view the IPsec statistics.

Action

From operational mode, enter the show services ipsec-vpn ipsec statistics command.

user@router2> show services ipsec-vpn ipsec statistics
PIC: sp-1/2/0, Service set: service-set-dynamic-demo-service-set
ESP Statistics:
Encrypted bytes: 162056
Decrypted bytes: 161896
Encrypted packets: 2215
Decrypted packets: 2216
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

To verify that the IKE SA negotiation is successful, issue the show services ipsec-vpn ike security-associations command:

From operational mode, enter the show services ipsec-vpn ike security-associations command.

user@router2> show services ipsec-vpn ike security-associations
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.15.2 Matured d82610c59114fd37 ec4391f76783ef28 Main

To verify that the IPsec security association is active, issue the show services ipsec-vpn ipsec security-associations detail command. Notice that the SA contains the default settings inherent in the Services PIC, such as ESP for the protocol and HMAC-SHA1-96 for the authentication algorithm.

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.

user@router2> show services ipsec-vpn ipsec security-associations detail
Service set: service-set-dynamic-demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2
IPsec inside interface: sp-1/2/0.1
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Direction: inbound, SPI: 857451461, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 9052 seconds
Hard lifetime: Expires in 9187 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 1272330309, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 9052 seconds
Hard lifetime: Expires in 9187 seconds
Anti-replay service: Enabled, Replay window size: 64

To display the digital certificates that are used to establish the IPsec tunnel, issue the show services ipsec-vpn certificates command:

From operational mode, enter the show services ipsec-vpn certificates command.

user@router2> show services ipsec-vpn certificates
Service set: service-set-dynamic-demo-service-set, Total entries: 3
Certificate cache entry: 3
Flags: Non-root Trusted
Issued to: router3.juniper.net, Issued by: juniper
Alternate subject: router3.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:33:58 GMT
Not after: 2008 Nov 22nd, 00:03:58 GMT
Certificate cache entry: 2
Flags: Non-root Trusted
Issued to: router2.juniper.net, Issued by: juniper
Alternate subject: router2.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:28:22 GMT
Not after: 2008 Nov 21st, 23:58:22 GMT
Certificate cache entry: 1
Flags: Root Trusted
Issued to: juniper, Issued by: juniper
Validity:
Not before: 2005 Oct 18th, 23:54:22 GMT
Not after: 2025 Oct 19th, 00:24:22 GMT
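The certificate cache output above is where the identity binding of the tunnel can be checked: the remote-id configured in the IKE policy should correspond to a cached certificate flagged Trusted, that certificate should be inside its validity period, and it should chain to the cached root. The following Python script is an added example and is not part of the Junos documentation. It parses a constructed sample modelled on the three cache entries shown above and reports whichever of those conditions fail; the date passed as "now" is an ISO string so the check can be replayed against any point in time. The function names are the example's own.

```python
# Added example (not Juniper's code): parse "show services ipsec-vpn certificates"
# and confirm the IKE remote-id is backed by a trusted, in-date certificate.
import re
from datetime import datetime, timezone

# Constructed sample modelled on the cache output above (example data).
CERT_CACHE_OUTPUT = """\
Service set: service-set-dynamic-demo-service-set, Total entries: 3
Certificate cache entry: 3
Flags: Non-root Trusted
Issued to: router3.juniper.net, Issued by: juniper
Alternate subject: router3.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:33:58 GMT
Not after: 2008 Nov 22nd, 00:03:58 GMT
Certificate cache entry: 2
Flags: Non-root Trusted
Issued to: router2.juniper.net, Issued by: juniper
Alternate subject: router2.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:28:22 GMT
Not after: 2008 Nov 21st, 23:58:22 GMT
Certificate cache entry: 1
Flags: Root Trusted
Issued to: juniper, Issued by: juniper
Validity:
Not before: 2005 Oct 18th, 23:54:22 GMT
Not after: 2025 Oct 19th, 00:24:22 GMT
"""


def parse_junos_time(text):
    """Turn '2005 Nov 21st, 23:33:58 GMT' into an aware UTC datetime."""
    cleaned = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", text.strip())  # drop ordinal suffix
    return datetime.strptime(cleaned, "%Y %b %d, %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def parse_certificate_cache(output):
    """Return one dict per 'Certificate cache entry' block."""
    entries, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Certificate cache entry:"):
            current = {"entry": int(line.split(":")[1]), "alt_subject": None}
            entries.append(current)
        elif current is None:
            continue  # header line before the first entry
        elif line.startswith("Flags:"):
            current["flags"] = line.split(":", 1)[1].split()
        elif line.startswith("Issued to:"):
            m = re.match(r"Issued to: (\S+), Issued by: (\S+)", line)
            current["subject"], current["issuer"] = m.group(1), m.group(2)
        elif line.startswith("Alternate subject:"):
            current["alt_subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Not before:"):
            current["not_before"] = parse_junos_time(line.split(":", 1)[1])
        elif line.startswith("Not after:"):
            current["not_after"] = parse_junos_time(line.split(":", 1)[1])
    return entries


def audit_peer_certificate(entries, remote_id, now_iso):
    """Check that remote_id maps to a trusted, in-date certificate chaining to a cached root.

    now_iso is an ISO date such as '2006-06-01'; returns a list of findings (empty = OK)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    peer = next((e for e in entries if remote_id in (e["subject"], e["alt_subject"])), None)
    if peer is None:
        return [f"no cached certificate matches remote-id {remote_id}"]
    findings = []
    if "Trusted" not in peer["flags"]:
        findings.append("peer certificate is not flagged Trusted")
    if not peer["not_before"] <= now <= peer["not_after"]:
        findings.append(f"peer certificate outside validity window "
                        f"(valid until {peer['not_after']:%Y-%m-%d})")
    roots = [e for e in entries if "Root" in e["flags"] and e["subject"] == peer["issuer"]]
    if not roots:
        findings.append(f"no trusted root cached for issuer {peer['issuer']}")
    elif not roots[0]["not_before"] <= now <= roots[0]["not_after"]:
        findings.append("root certificate outside validity window")
    return findings


if __name__ == "__main__":
    cache = parse_certificate_cache(CERT_CACHE_OUTPUT)
    print(audit_peer_certificate(cache, "router3.juniper.net", "2006-06-01") or "OK")
    print(audit_peer_certificate(cache, "router3.juniper.net", "2010-01-01"))
```

Run against the sample at a date inside the peer certificate's lifetime the audit is clean; run at a later date it reports the expired peer certificate while the root, which runs to 2025, is still accepted. The same parser can be pointed at the live output before a certificate rollover to see which of the three entries is about to lapse.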

To display the CA certificate, issue the show security pki ca-certificate detail command. Notice that there are three separate certificates: one for certificate signing, one for key encipherment, and one for the CA’s digital signature.

From operational mode, enter the show security pki ca-certificate detail command.

user@router2> show security pki ca-certificate detail
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 9235
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us
Validity:
Not before: 2005 Oct 18th, 23:54:22 GMT
Not after: 2025 Oct 19th, 00:24:22 GMT
Public key algorithm: rsaEncryption(1024 bits)
cb:9e:2d:c0:70:f8:ea:3c:f2:b5:f0:02:48:87:dc:68:99:a3:57:4f
0e:b9:98:0b:95:47:0d:1f:97:7c:53:17:dd:1a:f8:da:e5:08:d1:1c
78:68:1f:2f:72:9f:a2:cf:81:e3:ce:c5:56:89:ce:f0:97:93:fa:36
19:3e:18:7d:8c:9d:21:fe:1f:c3:87:8d:b3:5d:f3:03:66:9d:16:a7
bf:18:3f:f0:7a:80:f0:62:50:43:83:4f:0e:d7:c6:42:48:c0:8a:b2
c7:46:30:38:df:9b:dc:bc:b5:08:7a:f3:cd:64:db:2b:71:67:fe:d8
04:47:08:07:de:17:23:13
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1)
71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: CRL signing, Certificate signing
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 925c
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us, Common name: First Officer
Validity:
Not before: 2005 Oct 18th, 23:55:59 GMT
Not after: 2008 Oct 19th, 00:25:59 GMT
Public key algorithm: rsaEncryption(1024 bits)
c0:a4:21:32:95:0a:cd:ec:12:03:d1:a2:89:71:8e:ce:4e:a6:f9:2f
1a:9a:13:8c:f6:a0:3d:c9:bd:9d:c2:a0:41:77:99:1b:1e:ed:5b:80
34:46:f8:5b:28:34:38:2e:91:7d:4e:ad:14:86:78:67:e7:02:1d:2e
19:11:b7:fa:0d:ba:64:20:e1:28:4e:3e:bb:6e:64:dc:cd:b1:b4:7a
ca:8f:47:dd:40:69:c2:35:95:ce:b8:85:56:d7:0f:2d:04:4d:5d:d8
42:e1:4f:6b:bf:38:c0:45:1e:9e:f0:b4:7f:74:6f:e9:70:fd:4a:78
da:eb:10:27:bd:46:34:33
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17 (sha1)
23:79:40:c9:6d:a6:f0:ca:e0:13:30:d4:29:6f:86:79 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: Key encipherment
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 925b
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us, Common name: First Officer
Validity:
Not before: 2005 Oct 18th, 23:55:59 GMT
Not after: 2008 Oct 19th, 00:25:59 GMT
Public key algorithm: rsaEncryption(1024 bits)
ea:75:c4:f3:58:08:ea:65:5c:7e:b3:de:63:0a:cf:cf:ec:9a:82:e2
d7:e8:b9:2f:bd:4b:cd:86:2f:f1:dd:d8:a2:95:af:ab:51:a5:49:4e
00:10:c6:25:ff:b5:49:6a:99:64:74:69:e5:8c:23:5b:b4:70:62:8e
e4:f9:a2:28:d4:54:e2:0b:1f:50:a2:92:cf:6c:8f:ae:10:d4:69:3c
90:e2:1f:04:ea:ac:05:9b:3a:93:74:d0:59:24:e9:d2:9d:c2:ef:22
b9:32:c7:2c:29:4f:91:cb:5a:26:fe:1d:c0:36:dc:f4:9c:8b:f5:26
af:44:bf:53:aa:d4:5f:67
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f (sha1)
ee:cc:c7:f4:5d:ac:65:33:0a:55:db:59:72:2c:dd:16 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: Digital signature

To display the local certificate request, issue the show security pki certificate-request command:

From operational mode, enter the show security pki certificate-request.

user@router2> show security pki certificate-request
Certificate identifier: local-entrust2
Issued to: router2.juniper.net
Public key algorithm: rsaEncryption(1024 bits)
Public key verification status: Passed

To display the local certificate, issue the show security pki local-certificate command:

From operational mode, enter the show security pki local-certificate.

user@router2> show security pki local-certificate
Certificate identifier: local-entrust2
Issued to: router2.juniper.net, Issued by: juniper
Validity:
Not before: 2005 Nov 21st, 23:28:22 GMT
Not after: 2008 Nov 21st, 23:58:22 GMT
Public key algorithm: rsaEncryption(1024 bits)
Public key verification status: Passed

Verifying Your Work on Router 3

Purpose

To verify that matched traffic is being diverted to the bidirectional IPsec tunnel, view the IPsec statistics:

Action

From operational mode, enter the show services ipsec-vpn ipsec statistics.

user@router3>show services ipsec-vpn ipsec statistics
PIC: sp-1/2/0, Service set: service-set-dynamic-demo-service-set
ESP Statistics:
Encrypted bytes: 161896
Decrypted bytes: 162056
Encrypted packets: 2216
Decrypted packets: 2215
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0

To verify that the IKE SA negotiation is successful, issue the show services ipsec-vpn ike security-associations command. To be successful, the SA on Router 3 must contain the same settings you specified on Router 2.

From operational mode, enter the show services ipsec-vpn ike security-associations.

user@router3>show services ipsec-vpn ike security-associations
Remote Address State Initiator cookie Responder cookie Exchange type
10.1.15.1 Matured d82610c59114fd37 ec4391f76783ef28 Main

To verify that the IPsec SA is active, issue the show services ipsec-vpn ipsec security-associations detail command. To be successful, the SA on Router 3 must contain the same settings you specified on Router 2.

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail.

user@router3>show services ipsec-vpn ipsec security-associations detail
Service set: service-set-dynamic-demo-service-set
Rule: rule-ike, Term: term-ike, Tunnel index: 1
Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1
IPsec inside interface: sp-1/2/0.1
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Direction: inbound, SPI: 1272330309, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 7219 seconds
Hard lifetime: Expires in 7309 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 857451461, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 7219 seconds
Hard lifetime: Expires in 7309 seconds
Anti-replay service: Enabled, Replay window size: 64
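The check the text above asks for, that the SA on Router 3 carries the same settings configured on Router 2, can be scripted. The following Python is an added example, not Juniper's code or part of this page; it parses the plain-text CLI output shown here (not the Junos XML API), and the sample output and the EXPECTED policy are constructed from the values on this page.

```python
import re
# Constructed sample modelled on this page's Router 3 "show services ipsec-vpn
# ipsec security-associations detail" output (not captured live).
SA_DETAIL = """\
Direction: inbound, SPI: 1272330309, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 7219 seconds
Hard lifetime: Expires in 7309 seconds
Anti-replay service: Enabled, Replay window size: 64
Direction: outbound, SPI: 857451461, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 7219 seconds
Hard lifetime: Expires in 7309 seconds
Anti-replay service: Enabled, Replay window size: 64
"""
# The settings configured on Router 2 that Router 3's SA must match.
EXPECTED = {"Mode": "tunnel", "Type": "dynamic", "State": "Installed",
            "Protocol": "ESP", "Authentication": "hmac-sha1-96",
            "Encryption": "3des-cbc", "Anti-replay service": "Enabled"}

def parse_sa_detail(text):
    # Returns {direction: {field: value}} for each SA in the output.
    sas, current = {}, None
    for line in text.splitlines():
        # A line holds one or more comma-separated "key: value" pairs.
        fields = {k.strip(): v.strip()
                  for k, v in re.findall(r"([^,:]+?):\s*([^,]+)", line)}
        if "Direction" in fields:
            current = sas.setdefault(fields["Direction"], {})
        if current is not None:
            current.update(fields)
    return sas

def check_sa(text, expected=EXPECTED):
    """List every way the SA deviates from policy; [] means it matches."""
    sas, problems = parse_sa_detail(text), []
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction)
        if sa is None:
            problems.append(f"{direction}: no SA present")
            continue
        for key, want in expected.items():
            if sa.get(key) != want:
                problems.append(f"{direction}: {key} is {sa.get(key)!r}, expected {want!r}")
        # Rekey (soft) must be scheduled before the hard expiry; absent field => 0.
        soft, hard = (int(re.search(r"\d+", sa.get(k, "0")).group())
                      for k in ("Soft lifetime", "Hard lifetime"))
        if not 0 < soft < hard:
            problems.append(f"{direction}: soft lifetime {soft}s not below hard {hard}s")
    return problems
```

An empty list from check_sa means both directions are Installed with the expected ESP transforms and anti-replay enabled; any mismatch, or a missing direction, is reported per field so the operator knows which Router 2 setting to compare.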

To display the digital certificates that are used to establish the IPsec tunnel, issue the show services ipsec-vpn certificates command:

From operational mode, enter the show services ipsec-vpn certificates.

user@router3>show services ipsec-vpn certificates
Service set: service-set-dynamic-demo-service-set, Total entries: 3
Certificate cache entry: 3
Flags: Non-root Trusted
Issued to: router3.juniper.net, Issued by: juniper
Alternate subject: router3.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:33:58 GMT
Not after: 2008 Nov 22nd, 00:03:58 GMT
Certificate cache entry: 2
Flags: Non-root Trusted
Issued to: router2.juniper.net, Issued by: juniper
Alternate subject: router2.juniper.net
Validity:
Not before: 2005 Nov 21st, 23:28:22 GMT
Not after: 2008 Nov 21st, 23:58:22 GMT
Certificate cache entry: 1
Flags: Root Trusted
Issued to: juniper, Issued by: juniper
Validity:
Not before: 2005 Oct 18th, 23:54:22 GMT
Not after: 2025 Oct 19th, 00:24:22 GMT

To display the CA certificate, issue the show security pki ca-certificate detail command. Notice that there are three separate certificates: one for certificate signing, one for key encipherment, and one for the CA’s digital signature.

From operational mode, enter the show security pki ca-certificate detail.

user@router3>show security pki ca-certificate detail
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 9235
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us
Validity:
Not before: 2005 Oct 18th, 23:54:22 GMT
Not after: 2025 Oct 19th, 00:24:22 GMT
Public key algorithm: rsaEncryption(1024 bits)
cb:9e:2d:c0:70:f8:ea:3c:f2:b5:f0:02:48:87:dc:68:99:a3:57:4f
0e:b9:98:0b:95:47:0d:1f:97:7c:53:17:dd:1a:f8:da:e5:08:d1:1c
78:68:1f:2f:72:9f:a2:cf:81:e3:ce:c5:56:89:ce:f0:97:93:fa:36
19:3e:18:7d:8c:9d:21:fe:1f:c3:87:8d:b3:5d:f3:03:66:9d:16:a7
bf:18:3f:f0:7a:80:f0:62:50:43:83:4f:0e:d7:c6:42:48:c0:8a:b2
c7:46:30:38:df:9b:dc:bc:b5:08:7a:f3:cd:64:db:2b:71:67:fe:d8
04:47:08:07:de:17:23:13
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1)
71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: CRL signing, Certificate signing
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 925c
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us, Common name: First Officer
Validity:
Not before: 2005 Oct 18th, 23:55:59 GMT
Not after: 2008 Oct 19th, 00:25:59 GMT
Public key algorithm: rsaEncryption(1024 bits)
c0:a4:21:32:95:0a:cd:ec:12:03:d1:a2:89:71:8e:ce:4e:a6:f9:2f
1a:9a:13:8c:f6:a0:3d:c9:bd:9d:c2:a0:41:77:99:1b:1e:ed:5b:80
34:46:f8:5b:28:34:38:2e:91:7d:4e:ad:14:86:78:67:e7:02:1d:2e
19:11:b7:fa:0d:ba:64:20:e1:28:4e:3e:bb:6e:64:dc:cd:b1:b4:7a
ca:8f:47:dd:40:69:c2:35:95:ce:b8:85:56:d7:0f:2d:04:4d:5d:d8
42:e1:4f:6b:bf:38:c0:45:1e:9e:f0:b4:7f:74:6f:e9:70:fd:4a:78
da:eb:10:27:bd:46:34:33
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17 (sha1)
23:79:40:c9:6d:a6:f0:ca:e0:13:30:d4:29:6f:86:79 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: Key encipherment
Certificate identifier: entrust
Certificate version: 3
Serial number: 4355 925b
Issuer:
Organization: juniper, Country: us
Subject:
Organization: juniper, Country: us, Common name: First Officer
Validity:
Not before: 2005 Oct 18th, 23:55:59 GMT
Not after: 2008 Oct 19th, 00:25:59 GMT
Public key algorithm: rsaEncryption(1024 bits)
ea:75:c4:f3:58:08:ea:65:5c:7e:b3:de:63:0a:cf:cf:ec:9a:82:e2
d7:e8:b9:2f:bd:4b:cd:86:2f:f1:dd:d8:a2:95:af:ab:51:a5:49:4e
00:10:c6:25:ff:b5:49:6a:99:64:74:69:e5:8c:23:5b:b4:70:62:8e
e4:f9:a2:28:d4:54:e2:0b:1f:50:a2:92:cf:6c:8f:ae:10:d4:69:3c
90:e2:1f:04:ea:ac:05:9b:3a:93:74:d0:59:24:e9:d2:9d:c2:ef:22
b9:32:c7:2c:29:4f:91:cb:5a:26:fe:1d:c0:36:dc:f4:9c:8b:f5:26
af:44:bf:53:aa:d4:5f:67
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f (sha1)
ee:cc:c7:f4:5d:ac:65:33:0a:55:db:59:72:2c:dd:16 (md5)
Distribution CRL:
C=us, O=juniper, CN=CRL1
http://CA-1/CRL/juniper_us_crlfile.crl
Use for key: Digital signature

To display the local certificate request, issue the show security pki certificate-request command:

From operational mode, enter the show security pki certificate-request.

user@router3>show security pki certificate-request
Certificate identifier: local-entrust3
Issued to: router3.juniper.net
Public key algorithm: rsaEncryption(1024 bits)
Public key verification status: Passed

To display the local certificate, issue the show security pki local-certificate command:

From operational mode, enter the show security pki local-certificate.

user@router3>show security pki local-certificate
Certificate identifier: local-entrust3
Issued to: router3.juniper.net, Issued by: juniper
Validity:
Not before: 2005 Nov 21st, 23:33:58 GMT
Not after: 2008 Nov 22nd, 00:03:58 GMT
Public key algorithm: rsaEncryption(1024 bits)
Public key verification status: Passed

Verifying Your Work on Router 4

Purpose

On Router 4, issue a ping command to the so-0/0/0 interface on Router 1 to send traffic across the IPsec tunnel.

Action

From operational mode, enter ping 10.1.12.2.

user@router4>ping 10.1.12.2
PING 10.1.12.2 (10.1.12.2): 56 data bytes
64 bytes from 10.1.12.2: icmp_seq=0 ttl=254 time=1.350 ms
64 bytes from 10.1.12.2: icmp_seq=1 ttl=254 time=1.161 ms
64 bytes from 10.1.12.2: icmp_seq=2 ttl=254 time=1.124 ms
64 bytes from 10.1.12.2: icmp_seq=5 ttl=254 time=1.116 ms
^C
--- 10.1.12.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.116/1.172/1.350/0.081 ms

The final way you can confirm that traffic travels over the IPsec tunnel is by issuing the traceroute command to the so-0/0/0 interface on Router 1. Notice that the physical interface between Routers 2 and 3 is not referenced in the path; traffic enters the IPsec tunnel through the adaptive services IPsec inside interface on Router 3, passes through the loopback interface on Router 2, and ends at the so-0/0/0 interface on Router 1.

From operational mode, enter traceroute 10.1.12.2.

user@router4>traceroute 10.1.12.2
traceroute to 10.1.12.2 (10.1.12.2), 30 hops max, 40 byte packets
1 10.1.15.2 (10.1.15.2) 0.987 ms 0.630 ms 0.563 ms
2 10.0.0.2 (10.0.0.2) 1.194 ms 1.058 ms 1.033 ms
3 10.1.12.2 (10.1.12.2) 1.073 ms 0.949 ms 0.932 ms

Published: 2013-08-29