ON THIS PAGE
Example: Improving Digital Certificate Validation by Configuring Policy OIDs on an MX Series Device
In some situations, it might be desirable to only accept certificates with known policy object identifiers (OIDs) from peers. This optional configuration allows certificate validation to succeed only if the certificate chain received from the peer contains at least one policy OID that is configured on the MX Series device. This example shows how to configure policy OIDs in the IKE policy on an MX Series device.
You must ensure that at least one of the policy OIDs configured on the MX Series device is included in a peer’s certificate or certificate chain. Note that the policy-oids field in a peer’s certificate is optional. If you configure policy OIDs in an IKE policy and the peer’s certificate chain does not contain any policy OIDs, certificate validation for the peer fails.
Requirements
Before you begin:
Ensure that you are using Junos OS Release 16.1 or later for MX Series devices.
Configure an IPsec VPN tunnel.
Overview
This example shows an IKE policy configuration where policy OIDs 2.16.840.1.101.3.1.48.2 and 5.16.40.1.101.3.1.55.2 are specified. The IKE policy ike_cert_pol references the IKE proposal ike_cert_prop, which is not shown. The local certificate on the MX Series device is lc-igloo-root.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set services ipsec-vpn ike policy ike_cert_pol mode main set services ipsec-vpn ike policy ike_cert_pol proposals ike_cert_prop set services ipsec-vpn ike policy ike_cert_pol certificate local-certificate lc-igloo-root set services ipsec-vpn ike policy ike_cert_pol certificate policy-oids 2.16.840.1.101.3.1.48.2 set services ipsec-vpn ike policy ike_cert_pol certificate policy-oids 5.16.40.1.101.3.1.55.2
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure policy OIDs for certificate validation:
Configure the IKE policy:
[edit services ipsec-vpn ike policy ike_cert_pol] user@host# set mode main user@host# set proposals ike_cert_prop user@host# set certificate local-certificate lc-igloo-root user@host# set certificate policy-oids 2.16.840.1.101.3.1.48.2 user@host# set certificate policy-oids 5.16.40.1.101.3.1.55.2
Results
From configuration mode, confirm your configuration
by entering the show services ipsec-vpn ike policy ike_cert_pol command. If the output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
user@host# show services ipsec-vpn ike policy ike_cert_pol
mode main;
proposals ike_cert_prop;
certificate {
local-certificate lc-igloo-root;
policy-oids [ 2.16.840.1.101.3.1.48.2 5.16.40.1.101.3.1.55.2 ];
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the CA Certificate
Purpose
Display the CA certificate configured on the device.
Action
From operational mode, enter the show security
pki ca-certificate ca-profile ca-tmp command.
user@host> show security pki ca-certificate ca-profile ca-tmp detail
Certificate identifier: ca-tmp
Certificate version: 3
Serial number: 00000047
Issuer:
Organization: U.S. Government,
Organizational unit: DoD, Organizational unit: Testing, Country: US,
Common name: Trust Anchor
Subject:
Organization: U.S. Government,
Organizational unit: Dod, Organizational unit: Testing, Country: US,
Common name: CA1-PP.01.03
Subject string:
C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-PP.01.03
Validity:
Not before: 07- 3-2015 10:54 UTC
Not after: 07- 1-2020 10:54 UTC
?Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:cb:fd:78:0c:be:87:ac:cd:c0:33:66:a3:18
9e:fd:40:b7:9b:bc:dc:66:ff:08:45:f7:7e:fe:8e:d6:32:f8:5b:75
db:76:f0:4d:21:9a:6e:4f:04:21:4c:7e:08:a1:f9:3d:ac:8b:90:76
44:7b:c4:e9:9b:93:80:2a:64:83:6e:6a:cd:d8:d4:23:dd:ce:cb:3b
b5:ea:da:2b:40:8d:ad:a9:4d:97:58:cf:60:af:82:94:30:47:b7:7d
88:c3:76:c0:97:b4:6a:59:7e:f7:86:5d:d8:1f:af:fb:72:f1:b8:5c
2a:35:1e:a7:9e:14:51:d4:19:ae:c7:5c:65:ea:f5:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Certificate Policy:
Policy Identifier = 2.16.840.1.101.3.1.48.2
Use for key: CRL signing, Certificate signing
Fingerprint:
e0:b3:2f:2e:a1:c5:ee:ad:af:dd:96:85:f6:78:24:c5:89:ed:39:40 (sha1)
f3:47:6e:55:bc:9d:80:39:5a:40:70:8b:10:0e:93:c5 (md5)
Verifying Policy OID Validation
Purpose
If the peer’s certificate is successfully validated, IKE and IPsec security associations are established. If the validation of the peer’s certificate fails, no IKE security association is established.
Action
From operational mode, enter the show services
ipsec-vpn ike security-associations and show services ipsec-vpn
ipsec security-associations commands.
user@host> show services ipsec-vpn ike security-associations node0: -------------------------------------------------------------------------- Index State Initiator cookie Responder cookie Mode Remote Address 821765168 UP 88875c981252c1d8 b744ac9c21bde57e IKEv2 192.0.2.1 1106977837 UP 1a09e32d1e6f20f1 e008278091060acb IKEv2 198.51.100.0
user@host> show services ipsec-vpn ipsec security-associations node0: -------------------------------------------------------------------------- Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <213909506 ESP:aes-cbc-192/sha256 8cb9e40a 1295/ unlim - root 500 192.0.2.1 >213909506 ESP:aes-cbc-192/sha256 8271d2b2 1295/ unlim - root 500 192.0.2.1 <218365954 ESP:aes-cbc-192/sha256 d0153bc0 1726/ unlim - root 1495 198.51.100.0 >218365954 ESP:aes-cbc-192/sha256 97611813 1726/ unlim - root 1495 198.51.100.0
Meaning
The show services ipsec-vpn ike security-associations command lists all active IKE Phase 1 SAs. If no SAs are listed,
there was a problem with Phase 1 establishment. In this case, check
for the PKID_CERT_POLICY_CHECK_FAIL message in the system logs. This
message indicates that the peer’s certificate chain does not
contain a policy OID that is configured on the MX Series device. Check
the policy-oids values in the peer’s
certificate chain with the values configured on the MX Series device.
It might also be that the peer’s certificate chain does not contain any policy-oids fields, which are optional fields. If this is the case, certificate validation fails if there are any policy OIDs configured on the MX Series device.