Verifying the PKI Configuration
Purpose
To verify the PKI configuration.
Action
Use the show configuration command to verify the PKI configuration.
user@host> show configuration
system {
    host-name host;
    time-zone PST8PDT;
    root-authentication {
        encrypted-password "$1$wUchK29B$IACQWVtsyF2PBlKtl1Air."; ## SECRET-DATA
    }
    name-server {
        4.2.2.1;
        4.2.2.2;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
}
security {
    ike {
        traceoptions {
            flag ike;
            flag policy-manager;
            flag routing-socket;
            flag certificates;
        }
        proposal rsa-prop1 {
            authentication-method rsa-signatures;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike-policy1 {
            mode main;
            proposals rsa-prop1;
            certificate {
                local-certificate ms-cert;
                trusted-ca use-all;
                peer-certificate-type x509-signature;
            }
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            dynamic hostname ssg5.juniper.net;
            external-interface ge-0/0/3;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ike-vpn {
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address remote-net 192.168.168.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone trust {
            address-book {
                address local-net 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy tunnel-policy-out {
                match {
                    source-address local-net;
                    destination-address remote-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                            pair-policy tunnel-policy-in;
                        }
                    }
                }
            }
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy tunnel-policy-in {
                match {
                    source-address remote-net;
                    destination-address local-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                            pair-policy tunnel-policy-out;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    pki {
        ca-profile ms-ca {
            ca-identity labdomain.com;
            revocation-check {
                crl {
                    url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl;
                }
            }
        }
        traceoptions {
            file size 1m;
            flag all;
        }
    }
}
Note:
In the show configuration command output, the traceoptions statements identify the traceoption configuration used for troubleshooting purposes.
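As an added example (not part of the Junos documentation), the following Python script parses a condensed, constructed excerpt of the show configuration output above and reports the items this verification step looks for: the CA profile, its CRL URL, whether PKI traceoptions are set, and which IKE policies bind a local certificate. The parser is a minimal brace-stanza reader for the show configuration display format, not a full Junos configuration grammar.

```python
import re

# Constructed, condensed excerpt of the show configuration output above: only the
# stanzas the PKI verification step cares about (brace layout is whitespace-free).
SAMPLE_CONFIG = """
security {
    ike { policy ike-policy1 { mode main; certificate {
        local-certificate ms-cert; trusted-ca use-all; } } }
    pki {
        ca-profile ms-ca { ca-identity labdomain.com;
            revocation-check { crl {
                url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl; } } }
        traceoptions { file size 1m; flag all; }
    }
}
"""

def parse_junos(text):
    """Parse brace-delimited Junos config text into nested dicts (leaves map to True)."""
    root, stack = {}, []
    node = root
    for tok in re.findall(r'[^{};]+[{;]|\}', text):
        tok = tok.strip()
        if tok == '}':
            node = stack.pop()                  # leave the current stanza
        elif tok.endswith('{'):
            stack.append(node)                  # enter a nested stanza
            node = node.setdefault(tok[:-1].strip(), {})
        else:
            node[tok[:-1].strip()] = True       # leaf statement
    return root

def verify_pki(cfg):
    """Report CA profiles, their CRL URLs, PKI tracing, and IKE policies bound to a local cert."""
    sec = cfg.get('security', {})
    pki, ike = sec.get('pki', {}), sec.get('ike', {})
    profiles = {k.split()[1]: v for k, v in pki.items() if k.startswith('ca-profile ')}
    crl_urls = {name: [s.split(None, 1)[1]
                       for s in p.get('revocation-check', {}).get('crl', {})
                       if s.startswith('url ')]
                for name, p in profiles.items()}
    policies = {k.split()[1]: v for k, v in ike.items() if k.startswith('policy ')}
    cert_policies = sorted(n for n, p in policies.items()
                           if any(s.startswith('local-certificate ')
                                  for s in p.get('certificate', {})))
    return {'ca_profiles': sorted(profiles), 'crl_urls': crl_urls,
            'pki_tracing': 'traceoptions' in pki,
            'policies_with_local_cert': cert_policies}

print(verify_pki(parse_junos(SAMPLE_CONFIG)))
```

A profile whose crl_urls list is empty has no CRL URL configured, so revocation checking for that CA would not work as shown on this page.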