IKE Policy for Digital Certificates on an ES PIC
Configuring an IKE Policy for Digital Certificates for an ES PIC
An IKE policy for digital certificates defines a combination of security parameters (IKE proposals) to be used during IKE negotiation. It defines a peer address and the proposals needed for that connection. During the IKE negotiation, IKE looks for an IKE policy that is the same on both peers. The peer that initiates the negotiation sends all its policies to the remote peer, and the remote peer tries to find a match.
To configure an IKE policy for digital certificates for an ES PIC, include the following statements at the [edit security ike policy ike-peer-address] hierarchy level:
[edit security ike]
policy ike-peer-address {
    encoding (binary | pem);
    identity identity-name;
    local-certificate certificate-filename;
    local-key-pair private-public-key-file;
}
Tasks for configuring an IKE policy for digital certificates are:
- Configuring the Type of Encoding Your CA Supports
- Configuring the Identity to Define the Remote Certificate Name
- Specifying the Certificate Filename
- Specifying the Private and Public Key File
Configuring the Type of Encoding Your CA Supports
The encoding statement specifies the file format used for the local-certificate and local-key-pair statements. By default, the encoding is set to binary, the distinguished encoding rules (DER) format. PEM is an ASCII, base64-encoded format. Check with your CA to determine which file formats it supports.
To configure the file format that your CA supports, include the encoding statement and specify a binary or PEM format at the [edit security ike policy ike-peer-address] hierarchy level:
[edit security ike policy ike-peer-address]
encoding (binary | pem);
Configuring the Identity to Define the Remote Certificate Name
To define the remote certificate name, include the identity statement at the [edit security ike policy ike-peer-address] hierarchy level:
[edit security ike policy ike-peer-address]
identity identity-name;
identity-name defines the identity of the remote certificate name if the identity cannot be learned through IKE (ID payload or IP address).
Specifying the Certificate Filename
To configure the certificate filename from which to read the local certificate, include the local-certificate statement at the [edit security ike policy ike-peer-address] hierarchy level:
[edit security ike policy ike-peer-address]
local-certificate certificate-filename;
certificate-filename specifies the file from which to read the local certificate.
Specifying the Private and Public Key File
To specify the filename from which to read the public and private key, include the local-key-pair statement at the [edit security ike policy ike-peer-address] hierarchy level:
[edit security ike policy ike-peer-address]
local-key-pair private-public-key-file;
private-public-key-file specifies the file from which to read the key pair.
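The encoding statement has to agree with the format the certificate and key files actually use, and the files themselves have to be well-formed. The following Python script is an added example, not Juniper code, that classifies a file as binary (DER) or PEM by looking for PEM armour and checking that the outer ASN.1 SEQUENCE length matches the file size, then reports files that disagree with the configured encoding. The function names, the statement labels used as keys, and the sample byte strings are assumptions constructed for this example; the DER sample is a minimal ASN.1 object, not a real certificate. Only the standard library is used.

```python
import base64
import re

# Constructed sample: a minimal DER object (SEQUENCE { INTEGER 5 }), not a real
# certificate, but enough ASN.1 to exercise the length check below.
DER_SAMPLE = bytes.fromhex("3003020105")

# The same object PEM-armoured, as a CA that supports the pem format would deliver it.
PEM_SAMPLE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(DER_SAMPLE)
    + b"-----END CERTIFICATE-----\n"
)

# PEM armour: BEGIN/END lines with matching labels around a base64 body.
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(data: bytes) -> int:
    """Return the encoded size (header + contents) of the outer DER SEQUENCE in data.

    Raises ValueError if data does not start with a SEQUENCE tag or the length
    field is malformed. Both short-form and long-form lengths are handled.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:
        # short form: the byte itself is the content length
        header, length = 2, first
    else:
        # long form: low 7 bits give the number of length bytes that follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("malformed DER length")
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    return header + length


def detect_encoding(data: bytes) -> str:
    """Classify file contents as 'pem' or 'binary', the two values encoding accepts."""
    match = _PEM_RE.search(data)
    if match:
        der = base64.b64decode(match.group(2))  # newlines in the body are ignored
        if der_outer_length(der) != len(der):
            raise ValueError("PEM body does not decode to a single DER object")
        return "pem"
    if der_outer_length(data) == len(data):
        return "binary"
    raise ValueError("DER length field does not match file size")


def check_policy_files(configured_encoding: str, files: dict) -> list:
    """Return (statement, problem) pairs for files that do not match the policy's
    encoding statement or cannot be parsed at all."""
    problems = []
    for statement, data in files.items():
        try:
            actual = detect_encoding(data)
        except ValueError as err:
            problems.append((statement, str(err)))
            continue
        if actual != configured_encoding:
            problems.append(
                (statement, f"file is {actual} but policy encoding is {configured_encoding}")
            )
    return problems


if __name__ == "__main__":
    # Policy says binary, but the key-pair file is PEM: one mismatch is reported.
    for statement, problem in check_policy_files(
        "binary", {"local-certificate": DER_SAMPLE, "local-key-pair": PEM_SAMPLE}
    ):
        print(f"{statement}: {problem}")
```

Run it against the actual files named in local-certificate and local-key-pair before committing the policy; a file that fails the DER length check is truncated or has trailing bytes, which is a different problem from a plain encoding mismatch.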
Obtaining a Signed Certificate from the CA for an ES PIC
To obtain a signed certificate from the CA, issue the following command:
user@host> request security certificate enroll filename filename subject c=us,o=x alternative-subject certificate-ip-address certification-authority certificate-authority key-file key-file-name domain-name domain-name
The result is saved in the specified file in the /var/etc/ikecert directory.
The following example shows how to obtain a CA-signed certificate by referencing the configured certification-authority statement local. This statement is referenced by the request security certificate enroll filename filename subject subject alternative-subject alternative-subject certification-authority certification-authority command.
[edit]
security {
    certificates {
        certification-authority local {
            ca-name xyz.company.com;
            file l;
            enrollment-url "http://www.xyzcompany.com";
        }
    }
}
To obtain a signed certificate from the CA, issue the following command:
user@host> request security certificate enroll filename I subject c=uk,o=london alternative-subject 10.50.1.4 certification-authority verisign key-file host-1.prv domain-name host.xyzcompany.com
CA name: xyz.company.com
CA file: ca_verisign
local pub/private key pair: host.prv
subject: c=uk,o=london
domain name: host.example.com
alternative subject: 10.50.1.4
Encoding: binary
Certificate enrollment has started. To see the certificate enrollment status, check the key management process (kmd) log file at /var/log/kmd.
For information about how to use the operational mode commands to obtain a signed certificate, see the CLI Explorer.
Another way to obtain a signed certificate from the CA is to reference the configured statements (such as the URL, CA name, and CA certificate file) by means of the certification-authority statement:
user@host> request security certificate enroll filename m subject c=us,o=x alternative-subject 192.0.2.1 certification-authority local key-file y domain-name abc.company.com
Associating the Configured Security Association with a Logical Interface
Configuring the ES PIC associates the configured SA with a logical interface. This configuration defines the tunnel itself (logical subunit, tunnel addresses, maximum transmission unit [MTU], optional interface addresses, and the name of the SA to apply to traffic).
The addresses configured as the tunnel source and destination are the addresses in the outer IP header of the tunnel.
The tunnel source address must be configured locally on the router, and the tunnel destination address must be a valid address for the security gateway terminating the tunnel.
The M5, M10, M20, and M40 routers support the ES PIC.
The SA must be a valid tunnel-mode SA. The interface address and destination address listed are optional. The destination address allows the user to configure a static route to encrypt traffic. If a static route uses that destination address as the next hop, traffic is forwarded through the portion of the tunnel in which encryption occurs.
The following example shows how to configure an IPsec tunnel as a logical interface on the ES PIC. The logical interface specifies the tunnel through which the encrypted traffic travels. The ipsec-sa statement associates the security profile with the interface.
[edit interfaces]
es-0/0/0 {
    unit 0 {
        tunnel {
            source 10.5.5.5;            # tunnel source address
            destination 10.6.6.6;       # tunnel destination address
        }
        family inet {
            ipsec-sa ipsec-sa;          # name of security association to apply to packets
            address 10.1.1.8/32 {       # local interface address inside local VPN
                destination 10.2.2.254; # destination address inside remote VPN
            }
        }
    }
}
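Two of the rules in the text above can be checked before the configuration is committed: the tunnel source must be an address configured locally on the router, and only static routes whose next hop is the destination address inside the remote VPN are forwarded through the encrypting tunnel. The following Python script is an added example, not Juniper code, that applies those rules to a dictionary mirroring the es-0/0/0 stanza. The dictionary keys, function names, local address list and static routes are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample mirroring the es-0/0/0 unit 0 stanza above.
TUNNEL = {
    "source": "10.5.5.5",               # outer IP header source
    "destination": "10.6.6.6",          # outer IP header destination (remote gateway)
    "ipsec_sa": "ipsec-sa",             # tunnel-mode SA bound to the unit
    "inside_address": "10.1.1.8/32",    # interface address inside the local VPN
    "inside_destination": "10.2.2.254", # destination address inside the remote VPN
}

# Constructed: addresses configured on this router's other interfaces.
LOCAL_ADDRESSES = ["10.5.5.5/24", "192.0.2.1/30"]

# Constructed static routes as (prefix, next-hop) pairs.
STATIC_ROUTES = [
    ("10.2.2.0/24", "10.2.2.254"),  # next hop is the inside destination: encrypted
    ("10.3.3.0/24", "10.2.2.254"),  # a second prefix steered into the tunnel
    ("0.0.0.0/0", "192.0.2.2"),     # ordinary default route: sent in the clear
]


def validate_tunnel(tunnel: dict, local_addresses: list) -> list:
    """Return a list of problems with the outer-header addresses and the SA binding."""
    problems = []
    local_ips = {ipaddress.ip_interface(a).ip for a in local_addresses}
    src = ipaddress.ip_address(tunnel["source"])
    dst = ipaddress.ip_address(tunnel["destination"])
    if src not in local_ips:
        problems.append(f"tunnel source {src} is not configured on this router")
    if dst in local_ips:
        problems.append(f"tunnel destination {dst} is a local address, not the remote gateway")
    if not tunnel.get("ipsec_sa"):
        problems.append("no ipsec-sa bound to the logical interface")
    return problems


def encrypted_prefixes(tunnel: dict, static_routes: list) -> list:
    """Return the static-route prefixes whose next hop is the inside destination,
    i.e. the traffic that will be forwarded through the encrypting tunnel."""
    inside_dst = ipaddress.ip_address(tunnel["inside_destination"])
    return [
        prefix
        for prefix, next_hop in static_routes
        if ipaddress.ip_address(next_hop) == inside_dst
    ]


if __name__ == "__main__":
    for problem in validate_tunnel(TUNNEL, LOCAL_ADDRESSES):
        print("problem:", problem)
    print("encrypted via tunnel:", encrypted_prefixes(TUNNEL, STATIC_ROUTES))
```

Any prefix that is expected to be protected but does not appear in the encrypted list is being routed around the tunnel and will leave the router in cleartext.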