- play_arrow Common Configuration for All VPNs
- play_arrow VPNs Overview
- play_arrow Assigning Routing Instances to VPNs
- play_arrow Distributing Routes in VPNs
- play_arrow Distributing VPN Routes with Target Filtering
- Configuring BGP Route Target Filtering for VPNs
- Example: BGP Route Target Filtering for VPNs
- Example: Configuring BGP Route Target Filtering for VPNs
- Configuring Static Route Target Filtering for VPNs
- Understanding Proxy BGP Route Target Filtering for VPNs
- Example: Configuring Proxy BGP Route Target Filtering for VPNs
- Example: Configuring an Export Policy for BGP Route Target Filtering for VPNs
- Reducing Network Resource Use with Static Route Target Filtering for VPNs
- play_arrow Configuring Forwarding Options for VPNs
- play_arrow Configuring Graceful Restart for VPNs
- play_arrow Configuring Class of Service for VPNs
- play_arrow Pinging VPNs
-
- play_arrow Common Configuration for Layer 2 VPNs and VPLS
- play_arrow Overview
- play_arrow Layer 2 VPNs Configuration Overview
- play_arrow Configuring Layer 2 Interfaces
- play_arrow Configuring Path Selection for Layer 2 VPNs and VPLS
- play_arrow Creating Backup Connections with Redundant Pseudowires
- play_arrow Configuring Class of Service for Layer 2 VPNs
- play_arrow Monitoring Layer 2 VPNs
- Configuring BFD for Layer 2 VPN and VPLS
- BFD Support for VCCV for Layer 2 VPNs, Layer 2 Circuits, and VPLS
- Configuring BFD for VCCV for Layer 2 VPNs, Layer 2 Circuits, and VPLS
- Connectivity Fault Management Support for EVPN and Layer 2 VPN Overview
- Configure a MEP to Generate and Respond to CFM Protocol Messages
-
- play_arrow Configuring Group VPNs
- play_arrow Configuring Layer 2 Circuits
- play_arrow Overview
- play_arrow Layer 2 Circuits Configuration Overview
- play_arrow Configuring Class of Service with Layer 2 Circuits
- play_arrow Configuring Pseudowire Redundancy for Layer 2 Circuits
- play_arrow Configuring Load Balancing for Layer 2 Circuits
- play_arrow Configuring Protection Features for Layer 2 Circuits
- Egress Protection LSPs for Layer 2 Circuits
- Configuring Egress Protection Service Mirroring for BGP Signaled Layer 2 Services
- Example: Configuring an Egress Protection LSP for a Layer 2 Circuit
- Example: Configuring Layer 2 Circuit Protect Interfaces
- Example: Configuring Layer 2 Circuit Switching Protection
- play_arrow Monitoring Layer 2 Circuits with BFD
- play_arrow Troubleshooting Layer 2 Circuits
-
- play_arrow Configuring VPWS VPNs
- play_arrow Overview
- play_arrow Configuring VPWS VPNs
- Understanding FEC 129 BGP Autodiscovery for VPWS
- Example: Configuring FEC 129 BGP Autodiscovery for VPWS
- Example: Configuring MPLS Egress Protection Service Mirroring for BGP Signaled Layer 2 Services
- Understanding Multisegment Pseudowire for FEC 129
- Example: Configuring a Multisegment Pseudowire
- Configuring the FAT Flow Label for FEC 128 VPWS Pseudowires for Load-Balancing MPLS Traffic
- Configuring the FAT Flow Label for FEC 129 VPWS Pseudowires for Load-Balancing MPLS Traffic
-
- play_arrow Configuring VPLS
- play_arrow Overview
- play_arrow VPLS Configuration Overview
- play_arrow Configuring Signaling Protocols for VPLS
- VPLS Routing and Virtual Ports
- BGP Signaling for VPLS PE Routers Overview
- Control Word for BGP VPLS Overview
- Configuring a Control Word for BGP VPLS
- BGP Route Reflectors for VPLS
- Interoperability Between BGP Signaling and LDP Signaling in VPLS
- Configuring Interoperability Between BGP Signaling and LDP Signaling in VPLS
- Example: VPLS Configuration (BGP Signaling)
- Example: VPLS Configuration (BGP and LDP Interworking)
- play_arrow Assigning Routing Instances to VPLS
- Configuring VPLS Routing Instances
- Configuring a VPLS Routing Instance
- Support of Inner VLAN List and Inner VLAN Range for Qualified BUM Pruning on a Dual-Tagged Interface for a VPLS Routing Instance Overview
- Configuring Qualified BUM Pruning for a Dual-Tagged Interface with Inner VLAN list and InnerVLAN range for a VPLS Routing Instance
- Configuring a Layer 2 Control Protocol Routing Instance
- PE Router Mesh Groups for VPLS Routing Instances
- Configuring VPLS Fast Reroute Priority
- Specifying the VT Interfaces Used by VPLS Routing Instances
- Understanding PIM Snooping for VPLS
- Example: Configuring PIM Snooping for VPLS
- VPLS Label Blocks Operation
- Configuring the Label Block Size for VPLS
- Example: Building a VPLS From Router 1 to Router 3 to Validate Label Blocks
- play_arrow Associating Interfaces with VPLS
- play_arrow Configuring Pseudowires
- Configuring Static Pseudowires for VPLS
- VPLS Path Selection Process for PE Routers
- BGP and VPLS Path Selection for Multihomed PE Routers
- Dynamic Profiles for VPLS Pseudowires
- Use Cases for Dynamic Profiles for VPLS Pseudowires
- Example: Configuring VPLS Pseudowires with Dynamic Profiles—Basic Solutions
- Example: Configuring VPLS Pseudowires with Dynamic Profiles—Complex Solutions
- Configuring the FAT Flow Label for FEC 128 VPLS Pseudowires for Load-Balancing MPLS Traffic
- Configuring the FAT Flow Label for FEC 129 VPLS Pseudowires for Load-Balancing MPLS Traffic
- Example: Configuring H-VPLS BGP-Based and LDP-Based VPLS Interoperation
- Example: Configuring BGP-Based H-VPLS Using Different Mesh Groups for Each Spoke Router
- Example: Configuring LDP-Based H-VPLS Using a Single Mesh Group to Terminate the Layer 2 Circuits
- Example: Configuring H-VPLS With VLANs
- Example: Configuring H-VPLS Without VLANs
- Configure Hot-Standby Pseudowire Redundancy in H-VPLS
- Sample Scenario of H-VPLS on ACX Series Routers for IPTV Services
- play_arrow Configuring Multihoming
- VPLS Multihoming Overview
- Advantages of Using Autodiscovery for VPLS Multihoming
- Example: Configuring FEC 129 BGP Autodiscovery for VPWS
- Example: Configuring BGP Autodiscovery for LDP VPLS
- Example: Configuring BGP Autodiscovery for LDP VPLS with User-Defined Mesh Groups
- VPLS Multihoming Reactions to Network Failures
- Configuring VPLS Multihoming
- Example: VPLS Multihoming, Improved Convergence Time
- Example: Configuring VPLS Multihoming (FEC 129)
- Next-Generation VPLS for Multicast with Multihoming Overview
- Example: Next-Generation VPLS for Multicast with Multihoming
- play_arrow Configuring Point-to-Multipoint LSPs
- play_arrow Configuring Inter-AS VPLS and IRB VPLS
- play_arrow Configuring Load Balancing and Performance
- Configuring VPLS Load Balancing
- Configuring VPLS Load Balancing Based on IP and MPLS Information
- Configuring VPLS Load Balancing on MX Series 5G Universal Routing Platforms
- Example: Configuring Loop Prevention in VPLS Network Due to MAC Moves
- Understanding MAC Pinning
- Configuring MAC Pinning on Access Interfaces for Bridge Domains
- Configuring MAC Pinning on Trunk Interfaces for Bridge Domains
- Configuring MAC Pinning on Access Interfaces for Bridge Domains in a Virtual Switch
- Configuring MAC Pinning on Trunk Interfaces for Bridge Domains in a Virtual Switch
- Configuring MAC Pinning for All Pseudowires of the VPLS Routing Instance (LDP and BGP)
- Configuring MAC Pinning on VPLS CE Interface
- Configuring MAC Pinning for All Pseudowires of the VPLS Site in a BGP-Based VPLS Routing Instance
- Configuring MAC Pinning on All Pseudowires of a Specific Neighbor of LDP-Based VPLS Routing Instance
- Configuring MAC Pinning on Access Interfaces for Logical Systems
- Configuring MAC Pinning on Trunk Interfaces for Logical Systems
- Configuring MAC Pinning on Access Interfaces in Virtual Switches for Logical Systems
- Configuring MAC Pinning on Trunk Interfaces in Virtual Switches for Logical Systems
- Configuring MAC Pinning for All Pseudowires of the VPLS Routing Instance (LDP and BGP) for Logical Systems
- Configuring MAC Pinning on VPLS CE Interface for Logical Systems
- Configuring MAC Pinning for All Pseudowires of the VPLS Site in a BGP-Based VPLS Routing Instance for Logical Systems
- Configuring MAC Pinning on All Pseudowires of a Specific Neighbor of LDP-Based VPLS Routing Instance for Logical Systems
- Example: Prevention of Loops in Bridge Domains by Enabling the MAC Pinnning Feature on Access Interfaces
- Example: Prevention of Loops in Bridge Domains by Enabling the MAC Pinnning Feature on Trunk Interfaces
- Configuring Improved VPLS MAC Address Learning on T4000 Routers with Type 5 FPCs
- Understanding Qualified MAC Learning
- Qualified Learning VPLS Routing Instance Behavior
- Configuring Qualified MAC Learning
- play_arrow Configuring Class of Service and Firewall Filters in VPLS
- play_arrow Monitoring and Tracing VPLS
-
- play_arrow Connecting Layer 2 VPNs and Circuits to Other VPNs
- play_arrow Connecting Layer 2 VPNs to Other VPNs
- play_arrow Connecting Layer 2 Circuits to Other VPNs
- Using the Layer 2 Interworking Interface to Interconnect a Layer 2 Circuit to a Layer 2 VPN
- Applications for Interconnecting a Layer 2 Circuit with a Layer 2 Circuit
- Example: Interconnecting a Layer 2 Circuit with a Layer 2 VPN
- Example: Interconnecting a Layer 2 Circuit with a Layer 2 Circuit
- Applications for Interconnecting a Layer 2 Circuit with a Layer 3 VPN
- Example: Interconnecting a Layer 2 Circuit with a Layer 3 VPN
-
- play_arrow Configuration Statements and Operational Commands
ON THIS PAGE
Example: Improving Digital Certificate Validation by Configuring Policy OIDs on an MX Series Device
In some situations, it might be desirable to only accept certificates with known policy object identifiers (OIDs) from peers. This optional configuration allows certificate validation to succeed only if the certificate chain received from the peer contains at least one policy OID that is configured on the MX Series device. This example shows how to configure policy OIDs in the IKE policy on an MX Series device.
You must ensure that at least one of the policy OIDs configured on the MX Series device is included in a peer’s certificate or certificate chain. Note that the policy-oids field in a peer’s certificate is optional. If you configure policy OIDs in an IKE policy and the peer’s certificate chain does not contain any policy OIDs, certificate validation for the peer fails.
Requirements
Before you begin:
Ensure that you are using Junos OS Release 16.1 or later for MX Series devices.
Configure an IPsec VPN tunnel.
Overview
This example shows an IKE policy configuration where policy OIDs 2.16.840.1.101.3.1.48.2 and 5.16.40.1.101.3.1.55.2 are specified. The IKE policy ike_cert_pol references the IKE proposal ike_cert_prop, which is not shown. The local certificate on the MX Series device is lc-igloo-root.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set services ipsec-vpn ike policy ike_cert_pol mode main set services ipsec-vpn ike policy ike_cert_pol proposals ike_cert_prop set services ipsec-vpn ike policy ike_cert_pol certificate local-certificate lc-igloo-root set services ipsec-vpn ike policy ike_cert_pol certificate policy-oids 2.16.840.1.101.3.1.48.2 set services ipsec-vpn ike policy ike_cert_pol certificate policy-oids 5.16.40.1.101.3.1.55.2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure policy OIDs for certificate validation:
Configure the IKE policy:
content_copy zoom_out_map[edit services ipsec-vpn ike policy ike_cert_pol] user@host# set mode main user@host# set proposals ike_cert_prop user@host# set certificate local-certificate lc-igloo-root user@host# set certificate policy-oids 2.16.840.1.101.3.1.48.2 user@host# set certificate policy-oids 5.16.40.1.101.3.1.55.2
Results
From configuration mode, confirm your configuration
by entering the show services ipsec-vpn ike policy ike_cert_pol command. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
user@host# show services ipsec-vpn ike policy ike_cert_pol
mode main;
proposals ike_cert_prop;
certificate {
local-certificate lc-igloo-root;
policy-oids [ 2.16.840.1.101.3.1.48.2 5.16.40.1.101.3.1.55.2 ];
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the CA Certificate
Purpose
Display the CA certificate configured on the device.
Action
From operational mode, enter the show security
pki ca-certificate ca-profile ca-tmp command.
user@host> show security pki ca-certificate ca-profile ca-tmp detail
Certificate identifier: ca-tmp
Certificate version: 3
Serial number: 00000047
Issuer:
Organization: U.S. Government,
Organizational unit: DoD, Organizational unit: Testing, Country: US,
Common name: Trust Anchor
Subject:
Organization: U.S. Government,
Organizational unit: Dod, Organizational unit: Testing, Country: US,
Common name: CA1-PP.01.03
Subject string:
C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-PP.01.03
Validity:
Not before: 07- 3-2015 10:54 UTC
Not after: 07- 1-2020 10:54 UTC
?Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:cb:fd:78:0c:be:87:ac:cd:c0:33:66:a3:18
9e:fd:40:b7:9b:bc:dc:66:ff:08:45:f7:7e:fe:8e:d6:32:f8:5b:75
db:76:f0:4d:21:9a:6e:4f:04:21:4c:7e:08:a1:f9:3d:ac:8b:90:76
44:7b:c4:e9:9b:93:80:2a:64:83:6e:6a:cd:d8:d4:23:dd:ce:cb:3b
b5:ea:da:2b:40:8d:ad:a9:4d:97:58:cf:60:af:82:94:30:47:b7:7d
88:c3:76:c0:97:b4:6a:59:7e:f7:86:5d:d8:1f:af:fb:72:f1:b8:5c
2a:35:1e:a7:9e:14:51:d4:19:ae:c7:5c:65:ea:f5:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Certificate Policy:
Policy Identifier = 2.16.840.1.101.3.1.48.2
Use for key: CRL signing, Certificate signing
Fingerprint:
e0:b3:2f:2e:a1:c5:ee:ad:af:dd:96:85:f6:78:24:c5:89:ed:39:40 (sha1)
f3:47:6e:55:bc:9d:80:39:5a:40:70:8b:10:0e:93:c5 (md5)
Verifying Policy OID Validation
Purpose
If the peer’s certificate is successfully validated, IKE and IPsec security associations are established. If the validation of the peer’s certificate fails, no IKE security association is established.
Action
From operational mode, enter the show services
ipsec-vpn ike security-associations and show services ipsec-vpn
ipsec security-associations commands.
user@host> show services ipsec-vpn ike security-associations node0: -------------------------------------------------------------------------- Index State Initiator cookie Responder cookie Mode Remote Address 821765168 UP 88875c981252c1d8 b744ac9c21bde57e IKEv2 192.0.2.1 1106977837 UP 1a09e32d1e6f20f1 e008278091060acb IKEv2 198.51.100.0
user@host> show services ipsec-vpn ipsec security-associations node0: -------------------------------------------------------------------------- Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <213909506 ESP:aes-cbc-192/sha256 8cb9e40a 1295/ unlim - root 500 192.0.2.1 >213909506 ESP:aes-cbc-192/sha256 8271d2b2 1295/ unlim - root 500 192.0.2.1 <218365954 ESP:aes-cbc-192/sha256 d0153bc0 1726/ unlim - root 1495 198.51.100.0 >218365954 ESP:aes-cbc-192/sha256 97611813 1726/ unlim - root 1495 198.51.100.0
Meaning
The show services ipsec-vpn ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed,
there was a problem with Phase 1 establishment. In this case, check
for the PKID_CERT_POLICY_CHECK_FAIL message in the system logs. This
message indicates that the peer’s certificate chain does not
contain a policy OID that is configured on the MX Series device. Check
the policy-oids values in the peer’s
certificate chain with the values configured on the MX Series device.
It might also be that the peer’s certificate chain does not contain any policy-oids fields, which are optional fields. If this is the case, certificate validation fails if there are any policy OIDs configured on the MX Series device.
