Certificate based IPSEC VPN in SRX

Here I will share how I connected two SRX boxes via an IPsec VPN using
certificate authentication instead of a pre-shared key. Here is the outline:

1) Create certificate authority in Linux
2) Create CA profile on SRX
3) Generate Certificate Request
4) Sign the certificate
5) Load the certificates
6) Configure IPSEC/VPN
7) Verification



1) Create certificate authority in Linux
I assume you already have OpenSSL installed on your Linux host.

a) Create necessary directories for CA

b) Prepare SSL config

c) Create CA certificate and private key

d) Edit openssl.srx.cnf file

2) Create a CA profile on SRX
All operations are done on the spoke J24; the differences for the J41 HUB device are listed at the end of step 5.

3) Generate Certificate Request

a) Generate public/private key pair

b) Generate cert request from this pair

The certificate request file is saved under /cf/var/db/certs/common/certificate-request/srx-j24-id.req
Be careful: the domain-name j24.example.com matters, because it will be used as the IKE ID.

4) Sign the certificate

a) Create a file named ext.cfg under /etc/pki_srx/CA1 with the following content

Here j24.example.com is our IKE ID.

b) Sign the certificate

c) Copy certs/srx-j24.crt and certs/ca.crt to the SRX box with scp, into your SRX user's home directory.

5) Load the certificate

a) Load local certificate

b) Load CA certificate

So far we have finished loading certificates on the SPOKE side. The very same operations
must be done for the HUB as well, but this time we will use the IP address as the IKE ID.
Here are the two differences:

Note: If you want to use a hostname as the IKE ID, you need to set local-identity in the IKE gateway configuration (see the comments for a discussion).

1) Certificate request creation

Notice: instead of domain-name we specify the IP address of the J41 device.

2) The ext.cfg file for the hub certificate should carry the IP address instead of the hostname, like below:
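
The CA side of steps 1, 3 and 4, for both the spoke and the hub, as an added example that is not the original post's files or the Juniper PKI primer. It builds a throwaway OpenSSL CA, issues srx-j24.crt with a DNS subjectAltName carrying the IKE ID j24.example.com and srx-j41.crt with an IP subjectAltName, then runs the two checks worth doing before anything is copied to the boxes: the chain verifies against ca.crt, and the SAN holds exactly the value the IKE gateway will present as its identity. Assumptions: the CA name "Example Lab CA", the hub address 192.0.2.1 (the post gives no address), and a SAN-based ext.cfg (the post's ext.cfg is not shown). The CSRs are generated on the Linux side only so the example runs offline; on a real SRX the key pair and CSR come from the box and only the .req file travels to the CA host.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway OpenSSL CA issuing the
# spoke (DNS SAN = j24.example.com) and hub (IP SAN = 192.0.2.1, assumed) certs.
# On a real SRX the private key and CSR are made with "request security pki ..."
# and the key never leaves the box; make_csr below only stands in for that step.
set -eu

WORK="$(mktemp -d)"          # stands in for /etc/pki_srx/CA1 on the CA host
mkdir -p "$WORK/certs" "$WORK/reqs" "$WORK/private"

# 1) CA certificate and private key (self-signed, 10 years)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/private/ca.key" -out "$WORK/certs/ca.crt" \
        -subj "/O=Example Lab/CN=Example Lab CA" 2>/dev/null
}

# 3) Stand-in for the CSR the SRX writes to .../certificate-request/<id>.req
make_csr() {                 # $1 = cert name, $2 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/private/$1.key" -out "$WORK/reqs/$1.req" \
        -subj "/O=Example Lab/CN=$2" 2>/dev/null
}

# 4) Sign the CSR with an ext.cfg that pins the SAN to the IKE ID.
#    $1 = cert name, $2 = SAN value: DNS:j24.example.com or IP:192.0.2.1
sign_cert() {
    cat > "$WORK/$1-ext.cfg" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
subjectAltName=$2
EOF
    openssl x509 -req -sha256 -days 730 -in "$WORK/reqs/$1.req" \
        -CA "$WORK/certs/ca.crt" -CAkey "$WORK/private/ca.key" -CAcreateserial \
        -extfile "$WORK/$1-ext.cfg" -out "$WORK/certs/$1.crt" 2>/dev/null
}

# Checks before scp: chain verifies against ca.crt, SAN matches the IKE ID.
cert_verifies() {            # $1 = certificate file; exit status is the result
    openssl verify -CAfile "$WORK/certs/ca.crt" "$1" >/dev/null 2>&1
}

cert_san() {                 # prints the SAN line, e.g. "DNS:j24.example.com"
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

make_ca
make_csr srx-j24 j24.example.com     # spoke: hostname IKE ID
make_csr srx-j41 192.0.2.1           # hub: IP address IKE ID (assumed address)
sign_cert srx-j24 "DNS:j24.example.com"
sign_cert srx-j41 "IP:192.0.2.1"

for c in srx-j24 srx-j41; do
    cert_verifies "$WORK/certs/$c.crt" && \
        echo "$c: chain OK, SAN = $(cert_san "$WORK/certs/$c.crt")"
done
# certs/srx-j24.crt, certs/srx-j41.crt and certs/ca.crt are the files that
# get copied to the boxes in step 4c.
```

The SAN type has to agree with the IKE ID type the gateway is configured with: a hostname identity (local-identity hostname j24.example.com) needs the DNS entry, an address identity needs the IP entry. If the two disagree, phase 1 fails at the identity check even though the signature itself is valid, which is the symptom behind the FQDN question in the comments below. OpenSSL prints the IP entry as "IP Address:192.0.2.1", so grep for that form when checking the hub certificate.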

6) Configure IPSEC/VPN
The only difference from a pre-shared-key configuration is in phase 1 (IKE). The IPsec (phase 2)
configuration is the same as usual, so I don't repeat it here.

J24 IKE

J41 (HUB)

7) Verification

As you can see, the authentication method is RSA-signatures.

12 thoughts on "Certificate based IPSEC VPN in SRX"

  1. Lana B

    This manual is awful.
    1. Why do i need a Linux host?
    2. Why do I have to create CSR and keys on SRX host and what should I do with them on linux host?

    1. rtoodtoo Post author

      Linux is just an example; you can use a Windows CA as the host. You have to create a CSR to get your certificate. Lastly, this isn't a manual but a summary of how we
      can create a cert VPN on SRX. In order to understand this topic, you also need some background knowledge.

  2. Waqar

    I don't see that you have copied the locally generated certificate to the CA? You manually did the alternate name and signed it. Will this work?

  3. rtoodtoo Post author

    I didn't type the command but only mentioned scp to the device, if that is what you mean. So you need to copy it to the device.

  4. ie

    Wonderful article!!! I was planning to write a blog on certificate based VPN on SRX. But after reading your blog I left out the idea and decided to promote this blog!!!

  5. Robert Mckennon

    rtoodtoo,

    I have this up and running in our testlab and in production thanks to your page! But just one question: Does the Hub have to be IP based? Meaning, why can't the spokes connect to the hub using an FQDN if the hub certificate is created that way? I know all the Juniper docs say to use an IP, but doesn't the rest of the world use FQDNs?

    Rob.

    1. rtoodtoo Post author

      Hi Robert,
      As the document is two years old, I don't recall exactly why I wrote that. There is a good document at https://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_IPSecVPN_with_PKI_Certificates_Primer_v13.pdf but there seems to be an issue downloading it. If you can find it, it can help you better understand. I think during my tests FQDN didn't work, but for some reason I didn't mention this. Shame on me :) It should be a lesson for me.

      Best Regards
      Genco.

    1. rtoodtoo Post author

      Thanks for the feedback Robert. I have put a note on the case referring to the discussion here too.

      Genco.

