GLaNET - Juniper IPSec Configuration

user@srx> file copy https://ca.alt.tf/altnet-root-ca.crt altnet-root-ca.crt
user@srx> file copy https://ca.alt.tf/altnet-tls-ca.crt altnet-tls-ca.crt
user@srx> configure
user@srx# set security pki ca-profile altnet-root-ca ca-identity altnet-root-ca revocation-check disable
user@srx# set security pki ca-profile altnet-tls-ca ca-identity altnet-tls-ca revocation-check disable
user@srx# commit and-quit
user@srx> request security pki ca-certificate load ca-profile altnet-root-ca filename altnet-root-ca.crt
user@srx> request security pki ca-certificate load ca-profile altnet-tls-ca filename altnet-tls-ca.crt

Generate private key

Only needed on new deployments.
user@srx> request security pki generate-key-pair type rsa size 4096 certificate-id as<YOUR_ASN>-altnet

Generate certificate signing request

On subsequent deployments, if the subject or domain has changed, you must clear the previous certificate signing request:
user@srx> clear security pki certificate-request certificate-id as<YOUR_ASN>-altnet
user@srx> request security pki generate-certificate-request certificate-id as<YOUR_ASN>-altnet digest sha-256 subject "CN=as<YOUR_ASN>.alt.tf" domain-name as<YOUR_ASN>.alt.tf
  • Send certificate signing request to bcollet.

Install signed certificate

  • Upload the signed certificate to your router (scp is still your friend).
On subsequent deployments, you must clear the previous certificate:
user@srx> clear security pki local-certificate certificate-id as<YOUR_ASN>-altnet
user@srx> request security pki local-certificate load certificate-id as<YOUR_ASN>-altnet filename as<YOUR_ASN>.alt.tf.crt
user@srx> request security pki local-certificate verify certificate-id as<YOUR_ASN>-altnet

IKE Proposal

set security ike proposal default-cert authentication-method rsa-signatures
set security ike proposal default-cert dh-group group5
set security ike proposal default-cert authentication-algorithm sha-384
set security ike proposal default-cert encryption-algorithm aes-256-cbc
set security ike proposal default-cert lifetime-seconds 28800

IKE Policy

set security ike policy default-cert mode main
set security ike policy default-cert proposals default-cert
set security ike policy default-cert certificate local-certificate as<YOUR_ASN>-altnet
set security ike policy default-cert certificate peer-certificate-type x509-signature

IKE Gateway

set security ike gateway as202945 ike-policy default-cert
set security ike gateway as202945 address 163.172.212.105
set security ike gateway as202945 dead-peer-detection interval 20
set security ike gateway as202945 dead-peer-detection threshold 5
set security ike gateway as202945 local-identity hostname as<YOUR_ASN>.alt.tf
set security ike gateway as202945 remote-identity hostname ams-router.alt.tf
set security ike gateway as202945 external-interface <YOUR_EXTERNAL_INTERFACE>
set security ike gateway as202945 version v2-only

IPSec Proposal

set security ipsec proposal default protocol esp
set security ipsec proposal default authentication-algorithm hmac-sha-256-128
set security ipsec proposal default encryption-algorithm aes-256-cbc
set security ipsec proposal default lifetime-seconds 3600

IPSec Policy

set security ipsec policy default perfect-forward-secrecy keys group5
set security ipsec policy default proposals default

IPSec VPN

set security ipsec vpn as202945 bind-interface <YOUR_SECURE_TUNNEL_VIRTUAL_INTERFACE>
set security ipsec vpn as202945 ike gateway as202945
set security ipsec vpn as202945 ike ipsec-policy default
set security ipsec vpn as202945 establish-tunnels immediately
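Before committing, it is worth checking that every cross-reference in the IKE/IPsec stanzas above resolves to an object that is actually defined (gateway -> ike policy -> ike proposal, vpn -> gateway and ipsec policy -> ipsec proposal); a dangling name fails the commit. The following script is an added example, not part of this page or of Junos, and runs the check over a constructed sample of set-commands that carries one deliberate mismatch: the gateway references ike-policy "default" while the only IKE policy defined is "default-cert".

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this page's stanzas, placeholders kept,
# with the gateway deliberately pointing at an undefined IKE policy.
SAMPLE = """
set security ike proposal default-cert authentication-method rsa-signatures
set security ike policy default-cert mode main
set security ike policy default-cert proposals default-cert
set security ike policy default-cert certificate local-certificate as<YOUR_ASN>-altnet
set security ike gateway as202945 ike-policy default
set security ike gateway as202945 version v2-only
set security ipsec proposal default protocol esp
set security ipsec policy default perfect-forward-secrecy keys group5
set security ipsec policy default proposals default
set security ipsec vpn as202945 ike gateway as202945
set security ipsec vpn as202945 ike ipsec-policy default
"""

# Any line of the form "set security <ike|ipsec> <type> <name> ..." defines <name>.
DEFINITION = re.compile(r"^set security (ike|ipsec) (proposal|policy|gateway|vpn) (\S+)")

# Statements that reference another object: (pattern capturing the name, object kind).
REFERENCES = [
    (re.compile(r"^set security ike policy \S+ proposals (\S+)$"), "ike proposal"),
    (re.compile(r"^set security ike gateway \S+ ike-policy (\S+)$"), "ike policy"),
    (re.compile(r"^set security ipsec policy \S+ proposals (\S+)$"), "ipsec proposal"),
    (re.compile(r"^set security ipsec vpn \S+ ike gateway (\S+)$"), "ike gateway"),
    (re.compile(r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)$"), "ipsec policy"),
]


def dangling_references(config: str) -> list:
    """Return (line, kind, name) for every reference to an object that is never defined."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined = defaultdict(set)
    for ln in lines:
        m = DEFINITION.match(ln)
        if m:
            defined[f"{m.group(1)} {m.group(2)}"].add(m.group(3))
    problems = []
    for ln in lines:
        for pattern, kind in REFERENCES:
            m = pattern.match(ln)
            if m and m.group(1) not in defined[kind]:
                problems.append((ln, kind, m.group(1)))
    return problems


if __name__ == "__main__":
    for line, kind, name in dangling_references(SAMPLE):
        print(f"undefined {kind} '{name}' referenced by: {line}")
```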
  • services/documentation/junos-glanet-ipsec.txt
  • Last modified: 2017/08/19 09:20
  • by Benjamin Collet