Example: Improving Security by Configuring OCSP for Certificate Revocation Status

23-Nov-23

This example shows how to improve security by configuring two peers using the Online Certificate Status Protocol (OCSP) to check the revocation status of the certificates used in Phase 1 negotiations for the IPsec VPN tunnel.

Requirements

On each device:

  • Obtain and enroll a local certificate. This can be done either manually or by using the Simple Certificate Enrollment Protocol (SCEP).

  • Optionally, enable automatic renewal of the local certificate.

  • Configure security policies to permit traffic to and from the peer device.

Overview

On both peers, a certificate authority (CA) profile Root is configured with the following options:

  • CA name is Root.

  • Enrollment URL is http://10.1.1.1:8080/scep/Root/. This is the URL where SCEP requests to the CA are sent.

  • The URL for the OCSP server is http://10.157.88.56:8210/Root/.

  • OCSP is used first to check the certificate revocation status. Only if the OCSP responder cannot be reached (a connection failure, as opposed to a "revoked" or "unknown" answer) is the certificate revocation list (CRL) used instead. The CRL URL is http://10.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45.

  • The certificate of the OCSP responder, which is received inside the OCSP response, is not itself checked for revocation. Responder certificates generally have short lifetimes, and checking them would usually mean asking the same responder about its own certificate, so the check is skipped here.
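As an added example, not code from the Juniper page or from Junos, the following Python script models the revocation policy the CA profile configures (use-ocsp, connection-failure fallback-crl, disable-responder-revocation-check) with the `cryptography` package, showing both sides of the exchange: a stand-in responder that signs OCSP responses with a delegated responder certificate, a stand-in CRL issuer, and the checks a VPN device has to make before it believes an answer. The CA, responder and peer certificates, the serial numbers (0x7d964 is borrowed from the local certificate shown later on this page, 0x7d965 is made up), the two "fetch" functions and the ConnectionError used to stand for an unreachable responder are all constructed for the example; nothing here contacts the URLs above.

```python
"""Added example, not Juniper code: OCSP-first revocation checking with CRL fallback
on connection failure, and a responder certificate accepted without its own
revocation check. All keys, certificates, serials and names are constructed here."""
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.utcnow()

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer, signer_key, key, serial, ca=False, exts=()):
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(NOW - timedelta(minutes=1))
         .not_valid_after(NOW + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    for ext, critical in exts:
        b = b.add_extension(ext, critical)
    return b.sign(signer_key, hashes.SHA256())

# Constructed PKI: CA "Root", a delegated OCSP responder and two peer certificates.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA = make_cert("Root", name("Root"), CA_KEY, CA_KEY, 1, ca=True)
RESP_KEY = ec.generate_private_key(ec.SECP256R1())
# id-pkix-ocsp-nocheck is the CA stating that this short-lived responder certificate
# need not be revocation-checked; that is what disable-responder-revocation-check relies on.
RESPONDER = make_cert("ocsp-responder", CA.subject, CA_KEY, RESP_KEY, 2, exts=[
    (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
    (x509.OCSPNoCheck(), False)])
PEERS = {s: make_cert(cn, CA.subject, CA_KEY, ec.generate_private_key(ec.SECP256R1()), s)
         for s, cn in ((0x7d964, "local7_neg"), (0x7d965, "local7_moji"))}
REVOKED = {0x7d965}  # serials the CA has revoked (constructed)

def ocsp_responder(req_der, reachable=True):
    """Stand-in for the responder at http://10.157.88.56:8210/Root/."""
    if not reachable:
        raise ConnectionError("responder unreachable")
    req = ocsp.load_der_ocsp_request(req_der)
    revoked = req.serial_number in REVOKED
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=PEERS[req.serial_number], issuer=CA, algorithm=hashes.SHA1(),
                       cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                       this_update=NOW, next_update=NOW + timedelta(hours=1),
                       revocation_time=NOW if revoked else None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, RESPONDER)
         .certificates([RESPONDER]))
    return b.sign(RESP_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def fetch_crl():
    """Stand-in for http://10.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA.subject)
         .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for s in REVOKED:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(CA_KEY, hashes.SHA256())

def verify_ocsp_response(resp_der, peer):
    """What the VPN device must check before believing the responder's answer."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: %s" % resp.response_status)
    signer = resp.certificates[0]
    # Responder cert: issued by the CA, authorised for OCSP signing, marked nocheck.
    CA.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                           ec.ECDSA(signer.signature_hash_algorithm))
    eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        raise ValueError("signer not authorised for OCSP signing")
    signer.extensions.get_extension_for_class(x509.OCSPNoCheck)  # raises if absent
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != peer.serial_number:
        raise ValueError("response is for a different certificate")
    if resp.next_update and resp.next_update.replace(tzinfo=None) < datetime.utcnow():
        raise ValueError("stale response")  # a replayed old "good" is not accepted
    return resp.certificate_status

def check_revocation(peer, responder_reachable=True, fallback_crl=True):
    """OCSP first; the CRL only on connection failure, and only with fallback-crl.
    A definitive OCSP answer is never second-guessed against the CRL."""
    req = (ocsp.OCSPRequestBuilder().add_certificate(peer, CA, hashes.SHA1())
           .build().public_bytes(serialization.Encoding.DER))
    try:
        status = verify_ocsp_response(ocsp_responder(req, responder_reachable), peer)
    except ConnectionError:
        if not fallback_crl:
            return "fail"  # connection-failure disable: no answer means no tunnel
        crl = fetch_crl()
        if not crl.is_signature_valid(CA.public_key()) or \
                crl.next_update.replace(tzinfo=None) < datetime.utcnow():
            return "fail"
        return "revoked" if crl.get_revoked_certificate_by_serial_number(peer.serial_number) else "good"
    return {ocsp.OCSPCertStatus.GOOD: "good", ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(status, "fail")

if __name__ == "__main__":
    for cert in PEERS.values():
        print(cert.subject.rfc4514_string(), check_revocation(cert),
              check_revocation(cert, responder_reachable=False),
              check_revocation(cert, responder_reachable=False, fallback_crl=False))
```

Run as a script it prints each peer's status with the responder up, with the responder down and CRL fallback enabled, and with the responder down and fallback disabled. Two points the policy makes explicit: the CRL is consulted only when the responder cannot be reached, never to override a definitive "revoked"; and skipping the responder certificate's revocation check is only reasonable because the CA asserted id-pkix-ocsp-nocheck on a short-lived certificate, so this verifier requires that extension instead of skipping the check unconditionally.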

Table 1 shows the Phase 1 options used in this example.

Table 1: Phase 1 Options for OCSP Configuration Example

Option                      Peer A                   Peer B
IKE proposal                ike_proposal_ms_2_2_0    ike_proposal_ms_2_0_0
  Authentication method     rsa-signatures           rsa-signatures
  DH group                  group2                   group2
  Authentication algorithm  SHA-1                    SHA-1
  Encryption algorithm      3des-cbc                 3des-cbc
  Lifetime (seconds)        3000                     3000
IKE policy                  ike_policy_ms_2_2_0      ike_policy_ms_2_0_0
  Mode                      main                     main
  Version                   1                        1
  Proposal                  ike_proposal_ms_2_2_0    ike_proposal_ms_2_0_0
  Local certificate         local7_neg               local7_moji
  Local identity            fqdn company.net         fqdn company.net
  Remote identity           fqdn company.net         fqdn company.net
IPsec rule term
  IKE policy                ike_policy_ms_2_2_0      ike_policy_ms_2_0_0
  Remote gateway            192.0.2.0                10.0.1.2
Local gateway address       10.0.1.2                 192.0.2.0
External interface          ge-1/3/0                 ge-1/3/0

Table 2 shows the Phase 2 options used in this example.

Table 2: Phase 2 Options for OCSP Configuration Example

Option                      Peer A                   Peer B
IPsec proposal              ipsec_proposal_ms_2_2_0  ipsec_proposal_ms_2_0_0
  Protocol                  esp                      esp
  Authentication algorithm  hmac-sha1-96             hmac-sha1-96
  Encryption algorithm      3des-cbc                 3des-cbc
  Lifetime (seconds)        2000                     2000
IPsec policy                ipsec_policy_ms_2_2_0    ipsec_policy_ms_2_0_0
  PFS keys                  group2                   group2
  Proposal                  ipsec_proposal_ms_2_2_0  ipsec_proposal_ms_2_0_0
IPsec rule                  vpn_rule_ms_2_2_01       vpn_rule_ms_2_0_01
  IPsec policy              ipsec_policy_ms_2_2_0    ipsec_policy_ms_2_0_0
Service set                 ips_ss1                  ips_ss1
Establish tunnels           immediately              -

Topology

Figure 1 shows the peer devices that are configured in this example.

Figure 1: OCSP Configuration Example

Configuration

Configuring Peer A

CLI Quick Configuration

To quickly configure VPN peer A to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-1/3/0 unit 0 family inet address 10.0.1.2/24
set interfaces ms-2/2/0 unit 0 family inet
set interfaces ms-2/2/0 unit 1 family inet
set interfaces ms-2/2/0 unit 1 family inet6
set interfaces ms-2/2/0 unit 1 service-domain inside
set interfaces ms-2/2/0 unit 2 family inet
set interfaces ms-2/2/0 unit 2 family inet6
set interfaces ms-2/2/0 unit 2 service-domain outside
set security pki ca-profile Root ca-identity Root
set security pki ca-profile Root enrollment url http://10.1.1.1:8080/scep/Root/
set security pki ca-profile Root revocation-check ocsp url http://10.157.88.56:8210/Root/
set security pki ca-profile Root revocation-check use-ocsp
set security pki ca-profile Root revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile Root revocation-check ocsp connection-failure fallback-crl
set services service-set ips_ss1 next-hop-service inside-service-interface ms-2/2/0.1
set services service-set ips_ss1 next-hop-service outside-service-interface ms-2/2/0.2
set services service-set ips_ss1 ipsec-vpn-options local-gateway 10.0.1.2
set services service-set ips_ss1 ipsec-vpn-rules vpn_rule_ms_2_2_01
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 from source-address 203.0.113.0/24
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 from destination-address 198.51.100.0/24
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then remote-gateway 192.0.2.0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then dynamic ike-policy ike_policy_ms_2_2_0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_2_2_0
set services ipsec-vpn rule vpn_rule_ms_2_2_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0 lifetime-seconds 2000
set services ipsec-vpn ipsec policy ipsec_policy_ms_2_2_0 proposals ipsec_proposal_ms_2_2_0
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 authentication-method rsa-signatures
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_2_2_0 lifetime-seconds 3000
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 version 1
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 proposals ike_proposal_ms_2_2_0
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 local-id fqdn company.net
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 local-certificate local7_neg
set services ipsec-vpn ike policy ike_policy_ms_2_2_0 remote-id fqdn company.net
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all
set services ipsec-vpn establish-tunnels immediately

The two traceoptions statements turn on full IKE and IPsec tracing. They are useful while the tunnel is first brought up, but they are verbose; remove them once the tunnel has been verified.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer A to use OCSP:

  1. Configure interfaces.

    [edit interfaces]
    set ge-1/3/0 unit 0 family inet address 10.0.1.2/24
    set ms-2/2/0 unit 0 family inet
    set ms-2/2/0 unit 1 family inet
    set ms-2/2/0 unit 1 family inet6
    set ms-2/2/0 unit 1 service-domain inside
    set ms-2/2/0 unit 2 family inet
    set ms-2/2/0 unit 2 family inet6
    set ms-2/2/0 unit 2 service-domain outside

  2. Configure the CA profile.

    [edit security pki ca-profile Root]
    set ca-identity Root
    set enrollment url http://10.1.1.1:8080/scep/Root/
    set revocation-check ocsp url http://10.157.88.56:8210/Root/
    set revocation-check use-ocsp
    set revocation-check ocsp disable-responder-revocation-check
    set revocation-check ocsp connection-failure fallback-crl

  3. Configure Phase 1 options.

    [edit services ipsec-vpn ike proposal ike_proposal_ms_2_2_0]
    set authentication-method rsa-signatures
    set dh-group group2
    set lifetime-seconds 3000

    [edit services ipsec-vpn ike policy ike_policy_ms_2_2_0]
    set mode main
    set version 1
    set proposals ike_proposal_ms_2_2_0
    set local-id fqdn company.net
    set local-certificate local7_neg
    set remote-id fqdn company.net

  4. Configure Phase 2 options, the IPsec rule, and the service set.

    [edit services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_2_0]
    set protocol esp
    set authentication-algorithm hmac-sha1-96
    set encryption-algorithm 3des-cbc
    set lifetime-seconds 2000

    [edit services ipsec-vpn ipsec policy ipsec_policy_ms_2_2_0]
    set proposals ipsec_proposal_ms_2_2_0

    [edit services ipsec-vpn rule vpn_rule_ms_2_2_01]
    set term term11 from source-address 203.0.113.0/24
    set term term11 from destination-address 198.51.100.0/24
    set term term11 then remote-gateway 192.0.2.0
    set term term11 then dynamic ike-policy ike_policy_ms_2_2_0
    set term term11 then dynamic ipsec-policy ipsec_policy_ms_2_2_0
    set match-direction input

    [edit services service-set ips_ss1]
    set next-hop-service inside-service-interface ms-2/2/0.1
    set next-hop-service outside-service-interface ms-2/2/0.2
    set ipsec-vpn-options local-gateway 10.0.1.2
    set ipsec-vpn-rules vpn_rule_ms_2_2_01

  5. Establish the tunnel as soon as the configuration is committed. Only Peer A does this; it is the initiator in the verification output later in this example.

    [edit services ipsec-vpn]
    set establish-tunnels immediately


Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            address 10.0.1.2/24;
        }
    }
}
ms-2/2/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        family inet6;
        service-domain inside;
    }
    unit 2 {
        family inet;
        family inet6;
        service-domain outside;
    }
}
[edit]
user@host# show security pki ca-profile Root
ca-identity Root;
enrollment {
    url http://10.1.1.1:8080/scep/Root/;
}
revocation-check {
    ocsp {
        url http://10.157.88.56:8210/Root/;
        disable-responder-revocation-check;
        connection-failure fallback-crl;
    }
    use-ocsp;
}
[edit]
user@host# show services ipsec-vpn ike
proposal ike_proposal_ms_2_2_0 {
    authentication-method rsa-signatures;
    dh-group group2;
    lifetime-seconds 3000;
}
policy ike_policy_ms_2_2_0 {
    mode main;
    version 1;
    proposals ike_proposal_ms_2_2_0;
    local-id fqdn company.net;
    local-certificate local7_neg;
    remote-id fqdn company.net;
}
[edit]
user@host# show services ipsec-vpn ipsec
proposal ipsec_proposal_ms_2_2_0 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 2000;
}
policy ipsec_policy_ms_2_2_0 {
    proposals ipsec_proposal_ms_2_2_0;
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Peer B

CLI Quick Configuration

To quickly configure VPN peer B to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-1/3/0 unit 0 family inet address 192.0.2.0/24
set interfaces ms-2/0/0 unit 0 family inet
set interfaces ms-2/0/0 unit 1 family inet
set interfaces ms-2/0/0 unit 1 family inet6
set interfaces ms-2/0/0 unit 1 service-domain inside
set interfaces ms-2/0/0 unit 2 family inet
set interfaces ms-2/0/0 unit 2 family inet6
set interfaces ms-2/0/0 unit 2 service-domain outside
set security pki ca-profile Root ca-identity Root
set security pki ca-profile Root enrollment url http://10.1.1.1:8080/scep/Root/
set security pki ca-profile Root revocation-check ocsp url http://10.157.88.56:8210/Root/
set security pki ca-profile Root revocation-check use-ocsp
set security pki ca-profile Root revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile Root revocation-check ocsp connection-failure fallback-crl
set services service-set ips_ss1 next-hop-service inside-service-interface ms-2/0/0.1
set services service-set ips_ss1 next-hop-service outside-service-interface ms-2/0/0.2
set services service-set ips_ss1 ipsec-vpn-options local-gateway 192.0.2.0
set services service-set ips_ss1 ipsec-vpn-rules vpn_rule_ms_2_0_01
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 from source-address 198.51.100.0/24
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 from destination-address 203.0.113.0/24
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then remote-gateway 10.0.1.2
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then dynamic ike-policy ike_policy_ms_2_0_0
set services ipsec-vpn rule vpn_rule_ms_2_0_01 term term11 then dynamic ipsec-policy ipsec_policy_ms_2_0_0
set services ipsec-vpn rule vpn_rule_ms_2_0_01 match-direction input
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 protocol esp
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 authentication-algorithm hmac-sha1-96
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 encryption-algorithm 3des-cbc
set services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0 lifetime-seconds 2000
set services ipsec-vpn ipsec policy ipsec_policy_ms_2_0_0 proposals ipsec_proposal_ms_2_0_0
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 authentication-method rsa-signatures
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 dh-group group2
set services ipsec-vpn ike proposal ike_proposal_ms_2_0_0 lifetime-seconds 3000
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 mode main
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 version 1
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 proposals ike_proposal_ms_2_0_0
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 local-id fqdn company.net
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 local-certificate local7_moji
set services ipsec-vpn ike policy ike_policy_ms_2_0_0 remote-id fqdn company.net
set services ipsec-vpn traceoptions level all
set services ipsec-vpn traceoptions flag all

The source and destination addresses in Peer B's rule term are the mirror image of Peer A's: the traffic selectors each side derives from its rule must match the peer's, or Phase 2 negotiation fails.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer B to use OCSP:

  1. Configure interfaces.

    [edit interfaces]
    set ge-1/3/0 unit 0 family inet address 192.0.2.0/24
    set ms-2/0/0 unit 0 family inet
    set ms-2/0/0 unit 1 family inet
    set ms-2/0/0 unit 1 family inet6
    set ms-2/0/0 unit 1 service-domain inside
    set ms-2/0/0 unit 2 family inet
    set ms-2/0/0 unit 2 family inet6
    set ms-2/0/0 unit 2 service-domain outside

  2. Configure the CA profile.

    [edit security pki ca-profile Root]
    set ca-identity Root
    set enrollment url http://10.1.1.1:8080/scep/Root/
    set revocation-check ocsp url http://10.157.88.56:8210/Root/
    set revocation-check use-ocsp
    set revocation-check ocsp disable-responder-revocation-check
    set revocation-check ocsp connection-failure fallback-crl

  3. Configure Phase 1 options.

    [edit services ipsec-vpn ike proposal ike_proposal_ms_2_0_0]
    set authentication-method rsa-signatures
    set dh-group group2
    set lifetime-seconds 3000

    [edit services ipsec-vpn ike policy ike_policy_ms_2_0_0]
    set mode main
    set version 1
    set proposals ike_proposal_ms_2_0_0
    set local-id fqdn company.net
    set local-certificate local7_moji
    set remote-id fqdn company.net

  4. Configure Phase 2 options, the IPsec rule, and the service set.

    [edit services ipsec-vpn ipsec proposal ipsec_proposal_ms_2_0_0]
    set protocol esp
    set authentication-algorithm hmac-sha1-96
    set encryption-algorithm 3des-cbc
    set lifetime-seconds 2000

    [edit services ipsec-vpn ipsec policy ipsec_policy_ms_2_0_0]
    set proposals ipsec_proposal_ms_2_0_0

    [edit services ipsec-vpn rule vpn_rule_ms_2_0_01]
    set term term11 from source-address 198.51.100.0/24
    set term term11 from destination-address 203.0.113.0/24
    set term term11 then remote-gateway 10.0.1.2
    set term term11 then dynamic ike-policy ike_policy_ms_2_0_0
    set term term11 then dynamic ipsec-policy ipsec_policy_ms_2_0_0
    set match-direction input

    [edit services service-set ips_ss1]
    set next-hop-service inside-service-interface ms-2/0/0.1
    set next-hop-service outside-service-interface ms-2/0/0.2
    set ipsec-vpn-options local-gateway 192.0.2.0
    set ipsec-vpn-rules vpn_rule_ms_2_0_01


Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile Root, show services ipsec-vpn ike, and show services ipsec-vpn ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet {
            address 192.0.2.0/24;
        }
    }
}
ms-2/0/0 {
    unit 0 {
        family inet;
    }
    unit 1 {
        family inet;
        family inet6;
        service-domain inside;
    }
    unit 2 {
        family inet;
        family inet6;
        service-domain outside;
    }
}
[edit]
user@host# show security pki ca-profile Root
ca-identity Root;
enrollment {
    url http://10.1.1.1:8080/scep/Root/;
}
revocation-check {
    ocsp {
        url http://10.157.88.56:8210/Root/;
        disable-responder-revocation-check;
        connection-failure fallback-crl;
    }
    use-ocsp;
}
[edit]
user@host# show services ipsec-vpn ike
proposal ike_proposal_ms_2_0_0 {
    authentication-method rsa-signatures;
    dh-group group2;
    lifetime-seconds 3000;
}
policy ike_policy_ms_2_0_0 {
    mode main;
    version 1;
    proposals ike_proposal_ms_2_0_0;
    local-id fqdn company.net;
    local-certificate local7_moji;
    remote-id fqdn company.net;
}
[edit]
user@host# show services ipsec-vpn ipsec
proposal ipsec_proposal_ms_2_0_0 {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 2000;
}
policy ipsec_policy_ms_2_0_0 {
    proposals ipsec_proposal_ms_2_0_0;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying CA Certificates

Purpose

Verify the validity of a CA certificate on each peer device.

Action

From operational mode, enter the show security pki ca-certificate ca-profile Root or show security pki ca-certificate ca-profile Root detail command.

user@host> show security pki ca-certificate ca-profile Root
Certificate identifier: Root
  Issued to: Root, Issued by: C = US, O = Juniper, CN = Root
  Validity:
    Not before: 07- 3-2015 10:54 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(2048 bits)

user@host> show security pki ca-certificate ca-profile Root detail
Certificate identifier: Root
  Certificate version: 3
  Serial number: 0000a17f
  Issuer:
    Organization: Juniper, Country: US, Common name: Root
  Subject:
    Organization: Juniper, Country: US, Common name: Root
  Subject string: 
    C=US, O=Juniper, CN=Root
  Validity:
    Not before: 07- 3-2015 10:54 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:c6:38:e9:03:69:5e:45:d8:a3:ea:3d
    2e:e3:b8:3f:f0:5b:39:f0:b7:35:64:ed:60:a0:ba:89:28:63:29:e7
    27:82:47:c4:f6:41:53:c8:97:d7:1e:3c:ca:f0:a0:b9:09:0e:3d:f8
    76:5b:10:6f:b5:f8:ef:c5:e8:48:b9:fe:46:a3:c6:ba:b5:05:de:2d
    91:ce:20:12:8f:55:3c:a6:a4:99:bb:91:cf:05:5c:89:d3:a7:dc:a4
    d1:46:f2:dc:36:f3:f0:b5:fd:1d:18:f2:e6:33:d3:38:bb:44:8a:19
    ad:e0:b1:1a:15:c3:56:07:f9:2d:f6:19:f7:cd:80:cf:61:de:58:b8
    a3:f5:e0:d1:a3:3a:19:99:80:b0:63:03:1f:25:05:cc:b2:0c:cd:18
    ef:37:37:46:91:20:04:bc:a3:4a:44:a9:85:3b:50:33:76:45:d9:ba
    26:3a:3b:0d:ff:82:40:36:64:4e:ea:6a:d8:9b:06:ff:3f:e2:c4:a6
    76:ee:8b:58:56:a6:09:d3:4e:08:b0:64:60:75:f3:e2:06:91:64:73
    d2:78:e9:7a:cb:8c:57:0e:d1:9a:6d:3a:4a:9e:5b:d9:e4:a2:ef:31
    5d:2b:2b:53:ab:a1:ad:45:49:fd:a5:e0:8b:4e:0b:71:52:ca:6b:fa
    8b:0e:2c:7c:7b:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL: 
    http://10.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP: 
    http://10.1.1.1:8090/Root/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    ed:ce:ec:13:1a:d2:ab:0a:76:e5:26:6d:2c:29:5d:49:90:57:f9:41 (sha1)
    af:87:07:69:f0:3e:f7:c6:b8:2c:f8:df:0b:ae:b0:28 (md5)
Note:

In this example, IP addresses are used in the URLs in the CA profile configuration. If host names are used instead, whether in the CA profile URLs or in the CRL distribution point and OCSP Authority Information Access (AIA) extensions of the CA and CA-issued certificates, DNS must be configured on the device so that it can resolve those hosts, and the device must have network reachability to them; otherwise revocation checks cannot complete. Note also that the AIA extension of this CA certificate points to http://10.1.1.1:8090/Root/, while the CA profile configures http://10.157.88.56:8210/Root/. The URL configured in the CA profile is the one the device uses; the URL in the certificate's AIA extension is used only when no OCSP URL is configured in the CA profile.

Meaning

The output shows the details and validity of the CA certificate on each peer. The device's clock must fall between the Not before and Not after dates for the certificate to be accepted, so keep the device's time synchronized (for example with NTP). The fields are as follows:

  • C—Country.

  • O—Organization.

  • CN—Common name.

  • Not before—Begin date of validity.

  • Not after—End date of validity.

Verifying Local Certificates

Purpose

Verify the validity of a local certificate on each peer device.

Action

From operational mode, enter the show security pki local-certificate certificate-id local7_neg detail command on Peer A (use certificate-id local7_moji on Peer B).

user@host> show security pki local-certificate certificate-id local7_neg detail

Certificate identifier: local7_neg
  Certificate version: 3
  Serial number: 0007d964
  Issuer:
    Organization: juniper, Country: us, Common name: Subca2
  Subject:
    Organization: juniper, Organizational unit: marketing, State: california, Locality: sunnyvale, Common name: local, Domain component: juniper
  Subject string: 
    DC=juniper, CN=local, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  Alternate subject: "test@company.net", company.net, 10.0.0.2
  Validity:
    Not before: 04- 5-2016 03:30 UTC
    Not after: 07- 1-2020 10:54 UTC
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:b9:44:42:0e:26:5a:46:8e:a7:9c:b9:15:a5
    f1:38:e4:59:59:9d:84:75:ee:7a:64:ca:0a:a7:68:3b:2b:0c:dc:a8
    de:60:df:07:80:23:58:7d:56:dd:4f:50:de:a4:57:f1:a0:df:a9:7a
    6c:3d:e0:6d:7a:cf:ef:af:95:1b:12:7a:c4:54:61:12:db:65:0c:f9
    25:40:2d:01:71:21:8a:fc:fc:f6:9d:db:5a:63:ca:1a:92:2b:a3:98
    f6:6b:e4:23:67:53:92:6a:5e:ad:ae:d7:82:ab:32:c1:60:6f:01:14
    fd:46:bd:3f:b3:6b:fd:e6:41:de:6d:94:0d:6f:ad:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL: 
    http://10.1.1.1:8080/crl-as-der/currentcrl-1925.crl?id=1925
  Authority Information Access OCSP: 
    http://10.204.128.120:8090/Subca2/
  Fingerprint:
    69:00:fe:e1:81:37:ab:54:27:81:ce:57:11:a1:f2:d8:00:e7:e6:c7 (sha1)
    1e:27:93:a1:96:eb:28:0c:dc:f3:50:20:bb:eb:ed:57 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

Meaning

The output shows the details and validity of a local certificate on each peer as follows:

  • DC—Domain component.

  • CN—Common name.

  • OU—Organizational unit.

  • O—Organization.

  • L—Locality

  • ST—State.

  • C—Country.

  • Not before—Begin date of validity.

  • Not after—End date of validity.

The Alternate subject line matters for Phase 1: the remote-id fqdn company.net configured in the peer's IKE policy must match a subject alternative name in this certificate (here the DNS name company.net), or IKE authentication fails even though the certificate itself is valid.

The 1024-bit RSA key in this certificate, and the 3des-cbc, SHA-1 and group2 settings used throughout the example, are weak by current standards and are shown only to match the captured output. Use 2048-bit or larger RSA keys and stronger IKE and IPsec proposals in production.

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status on each peer device.

Action

From operational mode, enter the show services ipsec-vpn ike security-associations command.

user@host> show services ipsec-vpn ike security-associations

Remote Address  State         Initiator cookie  Responder cookie  Exchange type
192.0.2.0        Matured       63b3445edda507fb  2715ee5895ed244d  Main   

From operational mode, enter the show services ipsec-vpn ike security-associations detail command.

user@host> show services ipsec-vpn ike security-associations detail

IKE peer 192.0.2.0
  Role: Initiator, State: Matured
  Initiator cookie: 63b3445edda507fb, Responder cookie: 2715ee5895ed244d
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 10.0.1.2, Remote: 192.0.2.0
  Lifetime: Expires in 788 seconds
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : 2
  Traffic statistics:
   Input  bytes  :                 3100
   Output bytes  :                 4196
   Input  packets:                    7
   Output packets:                    9
  Flags: IKE SA created 
  IPSec security associations: 4 created, 4 deleted

Meaning

The State column shows Matured and the Flags field shows IKE SA created, so Phase 1 completed. Authentication method: RSA-signatures confirms that the peers authenticated with certificates rather than preshared keys. If the OCSP check (or the CRL fallback) had found the peer's certificate revoked, or the responder had been unreachable with fallback disabled, the IKE SA would not have been established.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status on each peer device.

Action

From operational mode, enter the show services ipsec-vpn ipsec security-associations command.

user@host> show services ipsec-vpn ipsec security-associations

Service set: ips_ss1, IKE Routing-instance: default

  Rule: vpn_rule_ms_2_2_01, Term: term11, Tunnel index: 1
  Local gateway: 10.0.1.2, Remote gateway: 192.0.2.0
  IPSec inside interface: ms-2/2/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   2151932129  0           tunnel     dynamic  ESP       
    outbound  4169263669  0           tunnel     dynamic  ESP       

From operational mode, enter the show services ipsec-vpn ipsec security-associations detail command.

user@host> show services ipsec-vpn ipsec security-associations detail

Service set: ips_ss1, IKE Routing-instance: default

  Rule: vpn_rule_ms_2_2_01, Term: term11, Tunnel index: 1
  Local gateway: 10.0.1.2, Remote gateway: 192.0.2.0
  IPSec inside interface: ms-2/2/0.1, Tunnel MTU: 1500
  UDP encapsulate: Disabled, UDP Destination port: 0
  Local identity: ipv4_subnet(any:0,[0..7]=203.0.113.0/24)
  Remote identity: ipv4_subnet(any:0,[0..7]=198.51.100.0/24)

    Direction: inbound, SPI: 3029124496, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 840 seconds
    Hard lifetime: Expires in 1273 seconds
    Anti-replay service: Enabled, Replay window size: 4096
    Copy ToS: Disabled, ToS value: 0
    Copy TTL: Disabled, TTL value: 64

    Direction: outbound, SPI: 4046774180, AUX-SPI: 0
    Mode: tunnel, Type: dynamic, State: Installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Soft lifetime: Expires in 840 seconds
    Hard lifetime: Expires in 1273 seconds
    Anti-replay service: Enabled, Replay window size: 4096
    Copy ToS: Disabled, ToS value: 0
    Copy TTL: Disabled, TTL value: 64

Meaning

The output shows that both the inbound and outbound ESP security associations for rule vpn_rule_ms_2_2_01 are Installed, that they use the algorithms from ipsec_proposal_ms_2_2_0 (hmac-sha1-96 and 3des-cbc), and that anti-replay protection is enabled. The Local identity and Remote identity fields are the traffic selectors derived from the rule term; they must be the mirror image of the peer's. The SPIs differ between the two captures because SAs are rekeyed before the hard lifetime expires, so a changing SPI is expected.
