Common Criteria Guide for SRX380 Devices
Configuring PKI Based L2HA Link Encryption

31-Aug-23
  • Physically connect the two devices and ensure that they are the same models.
  • Connect the dedicated control ports on node 0 and node 1.
  • Connect the user-defined fabric ports on node 0 and node 1.
To configure two chassis in cluster mode, follow these steps:
  1. Zeroize both SRX Series Firewalls before using them in a cluster. If the devices are already in cluster mode, disable the cluster before zeroizing. For information on how to disable a chassis cluster, see Disabling a Chassis Cluster.
  2. Delete the web management services.

    user@host# delete system services web-management https

  3. Configure FIPS mode and bring up the devices in FIPS mode.
    [edit]
    user@host# set groups global system fips level 2
    [edit]
    user@host# set groups global system root-authentication plain-text-password
    New password: type password here
    Retype new password: retype password here
    [edit]
    user@host# commit
    user@host> request system reboot
  4. Configure device 1 with the standard cluster commands for operating in cluster mode as node0. This requires a reboot.
    [edit] 
    user@host# set groups node0 system host-name node0-host-name 
    user@host# set groups node0 system backup-router gateway-address 
    user@host# set groups node0 system backup-router destination value
    user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address 
    user@host# set groups node1 system host-name node1-host-name 
    user@host# set groups node1 system backup-router gateway-address 
    user@host# set groups node1 system backup-router destination value
    user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address 
    user@host# set apply-groups global 
    user@host# set apply-groups "$(node)" 
    user@host# delete apply-groups re0 
    user@host# set system ports console log-out-on-disconnect
    user@host# set chassis cluster reth-count 5 
    user@host# set chassis cluster redundancy-group 0 node 0 priority 254 
    user@host# set chassis cluster redundancy-group 0 node 1 priority 1 
    user@host# commit 
    user@host> set chassis cluster cluster-id 1 node 0 reboot
              
  5. After device 1 is up, configure HA link encryption as shown in the sample configuration below, then commit and reboot. Device 1 must be configured with both the node0 and node1 HA link encryption configuration before the commit and reboot.
    [edit] 
    user@host# set groups node0 security ike traceoptions file ikelog 
    user@host# set groups node0 security ike traceoptions file size 100m 
    user@host# set groups node0 security ike traceoptions flag all 
    user@host# set groups node0 security ike traceoptions level 15 
    user@host# set groups node0 security pki traceoptions file pkilog 
    user@host# set groups node0 security pki traceoptions file size 100m 
    user@host# set groups node0 security pki traceoptions flag all 
    user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures 
    user@host# set groups node0 security ike proposal IKE_PROP_PKI dh-group group20 
    user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256 
    user@host# set groups node0 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc 
    user@host# set groups node0 security ike policy IKE_POL_PKI mode main 
    user@host# set groups node0 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI 
    user@host# set groups node0 security ike policy IKE_POL_PKI certificate local-certificate pkicert 
    user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PKI 
    user@host# set groups node0 security ike gateway S2S_GW version v2-only 
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI protocol esp 
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96 
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc 
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200 
    user@host# set groups node0 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20 
    user@host# set groups node0 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI 
    user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption 
    user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW 
    user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
    user@host# set groups node0 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1 
    user@host# set groups node0 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority> 
    user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority> 
    user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check disable 
    user@host# set groups node0 interfaces st0 unit 0 family inet 
    user@host# set groups node1 security ike traceoptions file ikelog 
    user@host# set groups node1 security ike traceoptions file size 100m 
    user@host# set groups node1 security ike traceoptions flag all 
    user@host# set groups node1 security ike traceoptions level 15 
    user@host# set groups node1 security pki traceoptions file pkilog 
    user@host# set groups node1 security pki traceoptions file size 100m 
    user@host# set groups node1 security pki traceoptions flag all 
    user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures 
    user@host# set groups node1 security ike proposal IKE_PROP_PKI dh-group group20 
    user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256 
    user@host# set groups node1 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc 
    user@host# set groups node1 security ike policy IKE_POL_PKI mode main 
    user@host# set groups node1 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI 
    user@host# set groups node1 security ike policy IKE_POL_PKI certificate local-certificate pkicert 
    user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PKI 
    user@host# set groups node1 security ike gateway S2S_GW version v2-only 
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI protocol esp 
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96 
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc 
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200 
    user@host# set groups node1 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20 
    user@host# set groups node1 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI 
    user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption 
    user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW 
    user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI 
    user@host# set groups node1 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1 
    user@host# set groups node1 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority> 
    user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority> 
    user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check disable 
    user@host# set groups node1 interfaces st0 unit 0 family inet 
    user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3 
    user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3 
    user@host# commit 
    user@host> clear security pki node-local local-certificate all 
    user@host> clear security pki node-local certificate-request all 
    user@host> clear security pki node-local key-pair all 
    user@host> clear security pki crl all 
    user@host> clear security pki ca-certificate all
    user@host> request security pki node-local generate-key-pair certificate-id pkicert type rsa size 2048
    root@vm# curl "http://<PKI-Server-IP>/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=bin" -o /tmp/dut_ca.cer
    root@vm# scp /tmp/dut_ca.cer root@node0-host-name:/var/tmp
    user@host> request security pki ca-certificate load ca-profile S2S_PKI filename /var/tmp/dut_ca.cer
    user@host> show security pki ca-certificate
    root@vm# curl "http://PKI-Server-IP/certsrv/certcrl.crl?Renewal=0&Enc=bin" -o /tmp/dut.crl
    root@vm# scp /tmp/dut.crl root@node0-host-name:/var/tmp
    user@host> request security pki crl load ca-profile S2S_PKI filename /var/tmp/dut.crl
    user@host> show security pki crl
    user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testdut,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domainname dut.juniper.net ip-address 129.16.0.1 email dut@juniper.net
    root@vm# rm -rf /cert
    root@vm# mkdir /cert
    root@vm# chmod 777 /cert
    root@vm# echo "-----BEGIN CERTIFICATE REQUEST-----copy-generatedkey-----END CERTIFICATE REQUEST-----" > /cert/dsakey
    root@vm# cat /cert/dsakey
    root@vm# chmod 777 /cert/dsakey
    root@vm# chmod o+w /tftpboot
    root@vm# rm -f /etc/xinetd.d/tftp.org
    root@vm# cp /etc/xinetd.d/tftp /etc/xinetd.d/tftp.org
    root@vm# sed -e 's/server_args.*/server_args = -s \/tftpboot -c/g' /etc/xinetd.d/tftp > /etc/xinetd.d/tftp.mdf
    root@vm# mv -f /etc/xinetd.d/tftp.mdf /etc/xinetd.d/tftp
    root@vm# systemctl enable tftp.service
    root@vm# /bin/systemctl restart xinetd.service
    root@vm# mv -f /etc/xinetd.d/tftp.org /etc/xinetd.d/tftp
    root@vm# dir /tftpboot/pki.tcl
    root@vm# /bin/cp /tftpboot/pki.tcl /cert/
    root@vm# chmod 775 /cert/pki.tcl
    root@vm# /cert/pki.tcl PKI-Server-IP /cert/dsakey /cert/dut.cer
    root@vm# scp /cert/dut.cer root@node0-host-name:/var/tmp
  6. To proceed with the device 2 configuration and commit, ensure that device 1 and device 2 cannot reach each other. One way to achieve this is to power off device 1 at this point.
  7. Configure device 2 with the standard cluster commands for operating in cluster mode as node1. This requires a reboot.

    [edit]
    user@host# set groups node0 system host-name node0-host-name
    user@host# set groups node0 system backup-router gateway-address
    user@host# set groups node0 system backup-router destination value
    user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
    user@host# set groups node1 system host-name node1-host-name
    user@host# set groups node1 system backup-router gateway-address
    user@host# set groups node1 system backup-router destination value
    user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
    user@host# set apply-groups global
    user@host# set apply-groups "$(node)"
    user@host# delete apply-groups re0
    user@host# set system ports console log-out-on-disconnect
    user@host# set chassis cluster reth-count 5
    user@host# set chassis cluster redundancy-group 0 node 0 priority 254
    user@host# set chassis cluster redundancy-group 0 node 1 priority 1
    user@host# commit
    user@host> set chassis cluster cluster-id 1 node 1 reboot

    See https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

  8. After device 2 is up, configure HA link encryption on device 2 as shown in the sample configuration below. Device 2 must be configured with both the node0 and node1 HA link encryption configuration. Commit on node1 (device 2), and finally reboot node1 (device 2).

    [edit]
    user@host# set groups node0 security ike traceoptions file ikelog
    user@host# set groups node0 security ike traceoptions file size 100m
    user@host# set groups node0 security ike traceoptions flag all
    user@host# set groups node0 security ike traceoptions level 15
    user@host# set groups node0 security pki traceoptions file pkilog
    user@host# set groups node0 security pki traceoptions file size 100m
    user@host# set groups node0 security pki traceoptions flag all
    user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
    user@host# set groups node0 security ike proposal IKE_PROP_PKI dh-group group20
    user@host# set groups node0 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
    user@host# set groups node0 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
    user@host# set groups node0 security ike policy IKE_POL_PKI mode main
    user@host# set groups node0 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
    user@host# set groups node0 security ike policy IKE_POL_PKI certificate local-certificate pkicert
    user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PKI
    user@host# set groups node0 security ike gateway S2S_GW version v2-only
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI protocol esp
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
    user@host# set groups node0 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
    user@host# set groups node0 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
    user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
    user@host# set groups node0 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
    user@host# set groups node0 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
    user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
    user@host# set groups node0 security pki ca-profile S2S_PKI revocation-check disable
    user@host# set groups node0 interfaces st0 unit 0 family inet
    user@host# set groups node1 security ike traceoptions file ikelog
    user@host# set groups node1 security ike traceoptions file size 100m
    user@host# set groups node1 security ike traceoptions flag all
    user@host# set groups node1 security ike traceoptions level 15
    user@host# set groups node1 security pki traceoptions file pkilog
    user@host# set groups node1 security pki traceoptions file size 100m
    user@host# set groups node1 security pki traceoptions flag all
    user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-method rsa-signatures
    user@host# set groups node1 security ike proposal IKE_PROP_PKI dh-group group20
    user@host# set groups node1 security ike proposal IKE_PROP_PKI authentication-algorithm sha-256
    user@host# set groups node1 security ike proposal IKE_PROP_PKI encryption-algorithm aes-256-cbc
    user@host# set groups node1 security ike policy IKE_POL_PKI mode main
    user@host# set groups node1 security ike policy IKE_POL_PKI proposals IKE_PROP_PKI
    user@host# set groups node1 security ike policy IKE_POL_PKI certificate local-certificate pkicert
    user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PKI
    user@host# set groups node1 security ike gateway S2S_GW version v2-only
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI protocol esp
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI authentication-algorithm hmac-sha1-96
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI encryption-algorithm aes-128-cbc
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PKI lifetime-seconds 200
    user@host# set groups node1 security ipsec policy IPSEC_POL_PKI perfect-forward-secrecy keys group20
    user@host# set groups node1 security ipsec policy IPSEC_POL_PKI proposals IPSEC_PROP_PKI
    user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PKI
    user@host# set groups node1 security pki ca-profile S2S_PKI ca-identity S2S_PKI_CA1
    user@host# set groups node1 security pki ca-profile S2S_PKI enrollment url <Enrollment URL of certificate authority>
    user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check crl url <CRL distribution point for certificate authority>
    user@host# set groups node1 security pki ca-profile S2S_PKI revocation-check disable
    user@host# set groups node1 interfaces st0 unit 0 family inet
    user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3
    user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3
    user@host# commit
    user@host> clear security pki node-local local-certificate all
    user@host> clear security pki node-local certificate-request all
    user@host> clear security pki node-local key-pair all
    user@host> clear security pki crl all
    user@host> clear security pki ca-certificate all
    user@host> request security pki node-local generate-key-pair certificate-id pkicert type rsa size 2048
    root@vm# curl "http://PKI-Server-IP/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=bin" -o /tmp/aux_ca.cer
    root@vm# scp /tmp/aux_ca.cer root@node1-host-name:/var/tmp
    user@host> request security pki ca-certificate load ca-profile S2S_PKI filename /var/tmp/aux_ca.cer
    user@host> show security pki ca-certificate
    root@vm# curl "http://PKI-Server-IP/certsrv/certcrl.crl?Renewal=0&Enc=bin" -o /tmp/aux.crl
    root@vm# scp /tmp/aux.crl root@node1-host-name:/var/tmp
    user@host> request security pki crl load ca-profile S2S_PKI filename /var/tmp/aux.crl
    user@host> show security pki crl
    user@host> request security pki node-local generate-certificate-request certificate-id pkicert subject CN=testaux,OU=QA,O=JuniperNetworks,L=CNRD,ST=Beijing,C=CN domainname aux.juniper.net ip-address 130.16.0.1 email aux@juniper.net
    root@vm# rm -rf /cert
    root@vm# mkdir /cert
    root@vm# chmod 777 /cert
    root@vm# echo "-----BEGIN CERTIFICATE REQUEST-----copy-generatedkey-----END CERTIFICATE REQUEST-----" > /cert/dsakey
    root@vm# cat /cert/dsakey
    root@vm# chmod 777 /cert/dsakey
    root@vm# chmod o+w /tftpboot
    root@vm# rm -f /etc/xinetd.d/tftp.org
    root@vm# cp /etc/xinetd.d/tftp /etc/xinetd.d/tftp.org
    root@vm# sed -e 's/server_args.*/server_args = -s \/tftpboot -c/g' /etc/xinetd.d/tftp > /etc/xinetd.d/tftp.mdf
    root@vm# mv -f /etc/xinetd.d/tftp.mdf /etc/xinetd.d/tftp
    root@vm# systemctl enable tftp.service
    root@vm# /bin/systemctl restart xinetd.service
    root@vm# mv -f /etc/xinetd.d/tftp.org /etc/xinetd.d/tftp
    root@vm# dir /tftpboot/pki.tcl
    root@vm# /bin/cp /tftpboot/pki.tcl /cert/
    root@vm# chmod 775 /cert/pki.tcl
    root@vm# /cert/pki.tcl PKI-Server-IP /cert/dsakey /cert/aux.cer
    root@vm# scp /cert/aux.cer root@node1-host-name:/var/tmp
    user@host> clear security pki node-local local-certificate all
    user@host> request security pki node-local local-certificate load filename /var/tmp/aux.cer certificate-id pkicert
    user@host> request vmhost reboot
  9. Power ON node0 (device 1).
  10. Both nodes are now in cluster mode with HA link encryption enabled.
    Note: To enable HA link encryption on node1 in step 6, the other node must be in the lost state for the commit to go through. Hence, manage the timing correctly; otherwise step 6 must be redone until the commit that enables HA link encryption on node1 goes through. The above example shows how to configure a PKI-based L2 HA link encryption tunnel with RSA. However, ECDSA with key size 256 or 384 can also be used.
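In steps 5 and 8 the CA certificate and CRL are fetched from the certsrv URLs over plain HTTP and then loaded with "request security pki ca-certificate load" and "request security pki crl load". Before loading, a practitioner would confirm that the downloaded CA certificate matches the fingerprint obtained out of band and that the CRL is actually signed by that CA. The POSIX shell script below is an added example, not part of the Juniper guide; it assumes the openssl CLI is available, and the throwaway self-signed CA and CRL it builds are constructed test material standing in for /tmp/dut_ca.cer and /tmp/dut.crl.

```shell
#!/bin/sh
# Added example, not from the Juniper guide: verify CA certificate and CRL files
# before "request security pki ca-certificate load" / "request security pki crl load".
# Assumes the openssl CLI; all file names below are assumptions.

# Print the lowercase, colon-free SHA-256 fingerprint of a PEM or DER certificate.
ca_fingerprint() {
    form=PEM
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || form=DER
    openssl x509 -inform "$form" -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Succeed only when the CRL in $2 carries a valid signature from the CA cert in $1.
verify_crl() {
    form=PEM
    grep -q 'BEGIN X509 CRL' "$2" 2>/dev/null || form=DER
    openssl crl -inform "$form" -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# $1: fingerprint obtained out of band (the certsrv download is plain HTTP),
# $2: downloaded CA certificate, $3: downloaded CRL. Non-zero exit means "do not load".
check_ca_material() {
    expected_fp=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    actual_fp=$(ca_fingerprint "$2") || return 1
    [ "$actual_fp" = "$expected_fp" ] || { echo "CA fingerprint mismatch" >&2; return 1; }
    verify_crl "$2" "$3" || { echo "CRL is not signed by this CA" >&2; return 1; }
    echo "CA certificate and CRL verified; safe to load"
}

# Constructed test material: a throwaway self-signed CA and an empty CRL written
# to directory $1 (stand-ins for /tmp/dut_ca.cer and /tmp/dut.crl on the page).
make_test_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.cer" -subj "/CN=S2S_PKI_CA1 test" -days 2 >/dev/null 2>&1
    : > "$dir/index.txt"
    printf '01\n' > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.cer
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# Stand-alone run: build the test CA, then check it against its own fingerprint.
demo=$(mktemp -d)
make_test_ca "$demo"
check_ca_material "$(ca_fingerprint "$demo/ca.cer")" "$demo/ca.cer" "$demo/ca.crl"
rm -rf "$demo"
```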