The task was to change the IPsec authentication method from pre-shared keys to PKI certificates on a pair of SRX240H and SRX1400 firewalls. This post records the steps I went through during the configuration and the troubleshooting along the way.

1. Generate the public/private key pair on both firewalls:

{primary:node0}[email protected]> request security pki generate-key-pair certificate-id PRO size 2048

node0:

--------------------------------------------------------------------------
Generated key pair PRO, key size 2048 bits

2. Generate a certificate request from the key pair

The subject should carry the identity the peer will later be configured to expect, since the IKE identity is checked against the certificate once the tunnel is moved to rsa-signatures. The request is written to the file named by filename and also echoed to the terminal:

{primary:node0}[email protected]> request security pki generate-certificate-request certificate-id PRO subject "CN=Admin,CN=m.test.com,OU=IT,O=test,L=M,ST=ON,C=CA" email [email protected] filename ms-cert-req

node0:

--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIC7TCCAdUCAQAwdjERMA8GA1UEAxMISm9obiBZYWxGjAYBgNVBAMTEW1hcmtYW0uZ2ktZGUuY29tMQswCQYDVQQLEwJJVDEMMAoGA1UEChMDRyZEwDgYDVQQEwdNYXJraGFtMQswCQYDVQQIEwJPTjELMAkGA1UEBhMC0EwggEiMA0GCSqGSIbDQEBAQUAA4IBDwAwggEKAoIBAQDEoahBD7RjFBZacquplzFudJ3k+jf1EBcCxxkdDWJVeZEDzFMN6kQbMPKFBvSHhSZU/O+AnkqOzQgTh9Uy/ttdc3r23ZWFu1t/9B79kvoRdxCt43iYHNtTyKk4xN1/Nd2XJ1qV6iXB0OAYAQWnKYsNAz5rY9SRnH5/VU90WRvu5s/wXu+9GEoysI1sjm91Qq1FM5HDtH9ROxDzbtEb8hJ2SmfY/VPctlSI/Ql3ZRyxCexOG2Q93hvhMRKbCNLxj1muSHbnveQI3gM+4nT9PmslUEB3dx5389LH5viCio01039LEWjfydd4HsAdsgD5ZXtihn49BPZNfCIYyDAgMBAAGgMjAwBgkhkiG9w0BCQ4xIzAhMB8GA1UdEQQYMBaBFCJqb2huLnlhbkBnaS1kZS5jb20iMA0CSqGSIb3DQEBBQUAA4IBAQAoRv0I1C5kklU2sRDGB4XCVnnJ/T34+Yn4ekIcGHADuB5kKbr+qc1xTVyelX09EqmGtCrREYSv/meseuco0+jMw9b9EogCfE7eZAw2EWltzA+NTjwcOexvTFYWhjD3YWPXwM/F/rKnS9vtCaaNJB+rpzjyjbJNRSPvFkYgRUsy3xnIJ7K76Jp03r5rD27KW2kaCCD2wXkr6vK97Nf+dgyM8sLBLy1FdUfeO2H5JnhxbodUD6FFGz50s8rqy2a4aUOCD1zCgOiMw/mjq3caFbS+WB2sb+09Kia19y9y2fOzG++v2Kud5luXYKMPuf4qEGSb6k1npNd8qadQf+
-----END CERTIFICATE REQUEST-----
Fingerprint:
c7:dd:83:11:d1:8a:54:6c:5c:1e:7e:cd:79:73:c0:71:b0:ba:a5:fc (sha1)
f6:10:e3:1f:c0:07:3e:dc:5c:e5:8e:b5:51:2b:9a:1e (md5)

3. Submit the certificate request to the CA and obtain the signed certificate

4. Copy the local certificate and the CA certificate to the firewall

You can transfer the files to the device with ftp, or drop into the shell and paste the certificates into files under /var/tmp with vi, as below:

[email protected]% cd /var/tmp
[email protected]% vi cert.cer

-----BEGIN CERTIFICATE-----
MIIFAjCCA+qgAwIBAgIQLW8DBB6T4el6zXWK6UDm2zANBgkqhkiG90BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE1MDEwOTAwMDAwMFoX
DTE4MDQwNTIzNTk1OVowgYwxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlv
MRAwDgYDVQQHDAdNYXJraGFtMS8wLQYDVQQKDCZHaWVzZWNrZSAmIERldnJpZW50
IFN5c3RlbXMgQ2FuYWRhIEluYzELMAkGA1UECwwCSVQxGzAZBNVBAMMEm1vbnRy
ZWFsLmdpLWRlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ2W
x3bDZiXD7Fhh7smdgq7W3ib/UOixoM7NDxryWVaff0mq3oioXUxpClvwkadJ5Js7
3+QOJH0j/jJLwJ6mN/8Me64Caxy3fHkp43NNTz1aOEr2QwOLuY4Z6rvNUgBdqLWo
OpI8OAYTMlBWMT++aKK35PAtDKLxCyKz6iqeR3tbqsxDnfJO5YafyDf8AtRmNJPg
1ms1yV0lKZBtq4weAKHLeSe0+SYu5CIgKHDhUbZ9SjQHyaNpSSY0agtm7gwppcYU
BPtkSTFyyxAVxMQrZrOMPSF2ND1qgwtQkv4ypAx70oLSP2FjWYxXS8eZCaBXRWzp
+2Q0gEbcQ85NG9DZCuMCAwEAAaOCAWswggFnMB0GA1UdEQQWMBSCEm1vbnRyZWFs
LmdpLWRlLmNvbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIFoDArBgNVHR8EJDAi
MCCgHqAchhpodHRwOi8vc3Muc3ltY2IuY29tL3NzLmNybDBlBgNHSAEXjBcMFoG
CmCGSAGG+EUBBzYwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9j
cHMwJQYIKwYBBQUHAgIwGQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMaAFF9gz2GQVd+EQxSK
YCqy9Xr0QxjvMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3Nz
LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNvbS9zcy5j
cnQwDQYJKoZIhvcNAQELBQADggEBAGSmIK5nDbs0e1aryWxbrCp9vMC7dTiJYP9
7VlUZsP63WXTWmOs1CBcyxv1NiO2Ub+CgiynAjnBKzDjPM8EesaTLlHnFqjRD65d
jXwa5UnlQnuZLzdadThp2qmhQbTeGBmT/y4c3rSwHnXwjB0aMQzz7QrKEmNrv13o
2eYEMp2tvZVSemPWpABj265tu6RcD6If3oTxKJy10/pKA/YU3xRLL9XB3NvU5NUO
Ej7ubdQsBTTBeJIE8/C5coDLEZbxYpQVSnqDBrOXLG5R2pNi0hIebXFaVDG36gy
NCGfTTNr8Elo7RYMspaZZhyQRZzXefzCxJwqxu39MwTNRJAhTPA=
-----END CERTIFICATE-----

[email protected]% vi root.cer
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEZEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2InbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGhh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----

5. Create a trusted CA profile and load the local certificate and the CA certificate

The CA profile is the named container the CA certificate is loaded into. Note that revocation-check is disabled in it: the SRX will never fetch a CRL or query OCSP for this CA, so a peer certificate the CA has since revoked is still accepted. That is fine while getting the tunnel up, not for production.

ca-profile rootverisign {
    ca-identity test.com;
    revocation-check {
        disable;
    }
    administrator {
        email-address "[email protected]";
    }
}

{primary:node0}[email protected]> request security pki local-certificate load certificate-id PRO filename /var/tmp/cert.cer
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully

{primary:node0}[email protected]> request security pki ca-certificate load ca-profile rootverisign filename /var/tmp/root.cer
node0:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Clear the existing CA certificate and retry
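The profile above has revocation checking disabled. As an added example, not from the original post, the following shows the same profile with that weak setting next to a corrected version that downloads the issuing CA's CRL. The URL is an assumption: replace it with the one in the CRL Distribution Points extension of the certificate the CA issued (openssl x509 -in cert.cer -noout -text prints it), and the refresh interval is a placeholder.

```junos
/* Weak, as configured on this page: no CRL or OCSP check is ever made,
   so a revoked peer certificate still authenticates. */
security {
    pki {
        ca-profile G4 {
            ca-identity gi-de.com;
            revocation-check {
                disable;
            }
        }
    }
}

/* Corrected: fetch the CA's CRL (URL and interval are assumptions) and
   reject peers whose certificate is listed on it. By default a failed
   download makes authentication fail; adding "disable on-download-failure"
   under crl would relax that and reintroduce the weak behaviour for as
   long as the CRL is unreachable. */
security {
    pki {
        ca-profile G4 {
            ca-identity gi-de.com;
            revocation-check {
                crl {
                    url http://ss.symcb.com/ss.crl;
                    refresh-interval 24;
                }
            }
        }
    }
}
```

After committing the corrected form, `show security pki crl` lists the CRL the device has downloaded; if nothing appears there, the URL is unreachable from the routing instance the management traffic uses and IKE will fail closed.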

This error means a CA certificate is already stored under that profile, left over from an earlier attempt. Clear it first:

{primary:node0}
[email protected]> clear security pki ca-certificate ca-profile rootverisign

Alternatively, go into the certificate directory on the device and delete the file directly.

[email protected]> request security pki ca-certificate load ca-profile Montreal-PRO filename /var/tmp/root.cer
node0:
--------------------------------------------------------------------------
Fingerprint:
 44:f4:34:20:3e:fa:be:7e:9e:c5:82:94:e3:b2:36:0b:4c:c5:c0:c0 (sha1)
 1a:3e:85:80:2b:c7:57:86:c2:44:66:ff:89:ad:1e:c8 (md5)
error: Unable to write CA certificate to local storage

This message usually means the certificate file is in a format the SRX does not recognise. Here the actual cause is that root.cer holds two certificates in one file, the Symantec G4 issuing CA and the VeriSign G5 root it chains to, and a ca-profile takes exactly one CA certificate. The file has to be split by hand at the BEGIN/END CERTIFICATE markers into two files, each loaded into its own CA profile, G4 and G5 below. Once both are loaded the SRX can build the chain from the local certificate through G4 to G5; `show security pki ca-certificate ca-profile G4 detail` shows what was stored, and `request security pki local-certificate verify certificate-id PRO` checks the local certificate against the loaded chain.

pki {
    ca-profile G4 {
        ca-identity gi-de.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    ca-profile G5 {
        ca-identity gi-de.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    traceoptions {
        file PKITRACE size 1m;
        flag all;
    }
}

[email protected]> request security pki ca-certificate load ca-profile G4 filename /var/tmp/g4.cer
node0:
--------------------------------------------------------------------------
Fingerprint:
 ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
 23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
CA certificate for profile G4 loaded successfully

{primary:node0}
[email protected]> request security pki ca-certificate load ca-profile G5 filename /var/tmp/g5.cer
node0:
--------------------------------------------------------------------------
Fingerprint:
 32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
 f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
CA certificate for profile G5 loaded successfully

Compare the SHA-1 fingerprints the SRX prints here with the ones the CA publishes, or with openssl's output on the files you copied over, before trusting the profiles; a mismatch means the wrong file went into the profile.
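The splitting step above is easy to get wrong by hand: a stray carriage return from a paste, a blank line between the blocks, or the two certificates landing in the wrong files. The script below is an added example and not part of the original post. It splits a PEM bundle at the BEGIN/END CERTIFICATE markers into one file per certificate, strips CRLF line endings, and prints the Junos statements and commands to load each file into its own CA profile. The profile names CA-1, CA-2 and the ca-identity value are assumptions, and the sample bundle is constructed dummy text, not a real certificate chain. Only POSIX sh and awk are required; openssl is used only by the optional fingerprint check.

```shell
#!/bin/sh
# Added example (not from the original post): split a PEM file holding
# several certificates into one file each, strip CRLF, and print the SRX
# statements/commands to load every file into its own ca-profile.
# Profile names (CA-1, CA-2, ...) and the ca-identity are assumptions.

# split_pem_bundle BUNDLE OUTPREFIX
# Writes OUTPREFIX-1.cer, OUTPREFIX-2.cer, ... and prints the number of
# certificates found. Text outside BEGIN/END blocks is discarded.
split_pem_bundle() {
    bundle=$1
    prefix=$2
    tr -d '\r' < "$bundle" | awk -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".cer"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                            { print n + 0 }
    '
}

# cert_fingerprints FILE...
# Subject, issuer and SHA-1 fingerprint per file, in the same form the SRX
# prints on load, so the two can be compared before trusting the profile.
# Needs openssl and real certificates (not the dummy input below).
cert_fingerprints() {
    for f in "$@"; do
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha1
    done
}

# junos_load_commands PROFILEPREFIX CAIDENTITY FILE...
# One ca-profile per certificate: the configuration statement that must
# exist before the load, then the operational-mode load command. The path
# printed is where the file will sit after copying it to /var/tmp on the SRX.
junos_load_commands() {
    prefix=$1; ident=$2; shift 2
    i=0
    for f in "$@"; do
        i=$((i + 1))
        printf 'set security pki ca-profile %s-%d ca-identity %s\n' "$prefix" "$i" "$ident"
        printf 'request security pki ca-certificate load ca-profile %s-%d filename /var/tmp/%s\n' \
            "$prefix" "$i" "$(basename "$f")"
    done
}

# Constructed sample input (dummy bodies, NOT real certificates): two PEM
# blocks in one file with CRLF line endings and junk around them, the kind
# of thing a paste through vi from a Windows box leaves behind.
WORK=${TMPDIR:-/tmp}/pem-split-$$
mkdir -p "$WORK"
printf 'junk before first block\r\n-----BEGIN CERTIFICATE-----\r\nAAAAintermediatedummy\r\nBBBB\r\n-----END CERTIFICATE-----\r\n\r\n-----BEGIN CERTIFICATE-----\r\nCCCCrootdummy\r\n-----END CERTIFICATE-----\r\ntrailing junk\r\n' \
    > "$WORK/root.cer"

COUNT=$(split_pem_bundle "$WORK/root.cer" "$WORK/ca")
echo "found $COUNT certificate(s) in $WORK/root.cer"
LOAD_CMDS=$(junos_load_commands CA gi-de.com "$WORK"/ca-*.cer)
echo "$LOAD_CMDS"
# With real certificates: cert_fingerprints "$WORK"/ca-*.cer
```

Run cert_fingerprints on the real split files and compare the sha1 values with what the SRX prints when loading: openssl's -fingerprint -sha1 is computed over the same DER encoding, so they must match exactly. Bundles are normally ordered issuing CA first and root last, so ca-1 corresponds to g4.cer and ca-2 to g5.cer in the steps above.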

6. Use the certificates in the IPsec VPN configuration

The IKE proposal switches authentication-method from pre-shared-keys to rsa-signatures, and the IKE policy names the local certificate and the certificate type expected from the peer. The old pre-shared-key is kept as an inactive statement so it can be reactivated quickly if certificate negotiation fails; delete it once the tunnel is confirmed up. Two caveats. First, the SRX still checks the IKE identity the peer sends against the peer's certificate (subject or subject alternative name), and since no trusted-ca is set in the policy any loaded CA profile is an acceptable issuer; with public CAs such as G4/G5 that have issued certificates to many parties, remote-identity is what actually pins the peer. Second, dh-group group2 (1024-bit MODP) and SHA-1 are below current recommendations; use group14 or stronger and a SHA-2 algorithm where the peer supports them.

ike {
    inactive: traceoptions {
        file IKELOG size 1m;
        flag policy-manager;
        flag ike;
        flag routing-socket;
        flag certificates;
    }
    proposal P1-AES_1_1_1 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy ike-pol-Myvpn {
        mode main;
        proposals P1-AES_1_1_1;
        certificate {
            local-certificate Mark-PRO;
            peer-certificate-type x509-signature;
        }
        inactive: pre-shared-key ascii-text "$9$4xZGjqmT3nCHqp01IcSs2g4Uj"; ## SECRET-DATA
    }
    gateway gw-TheirGateway {
        ike-policy ike-pol-Myvpn;
        address 10.9.1.1;
        local-identity hostname mark.test.com;
        remote-identity hostname mont.test.com;
        external-interface reth9.0;
        local-address 10.4.1.1;
    }
}
ipsec {
    proposal P2-AES_1 {
        description group2;
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals P2-AES_1;
    }
    vpn vpn-ToThem {
        bind-interface st0.0;
        ike {
            gateway gw-TheirGateway;
            idle-time 1800;
            ipsec-policy ipsec-pol-1;
        }
    }
}

After commit, `show security ike security-associations` and `show security ipsec security-associations` confirm that phase 1 and phase 2 came up with the certificate-based policy.

Some other configuration needed for the route-based IPsec VPN

The st0 tunnel interface carries the protected traffic, and the routing instance sends the remote networks into it. The /32 host route to the peer gateway 10.9.1.1 must point at the physical next hop: without it, the 10.9.0.0/16 route would try to push the IKE and ESP packets to the peer into the tunnel itself.

interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}

[email protected]> show configuration routing-instances
vr_SRX2 {
    instance-type virtual-router;
    interface reth9.0;
    interface st0.0;
    routing-options {
        static {
            route 1.1.1.0/24 next-hop 10.4.1.2;
            route 10.9.0.0/16 next-hop st0.0;
            route 10.9.1.1/32 next-hop 10.4.1.2;
        }
        aggregate {
            route 10.9.0.0/16 {
                preference 2;
            }
            route 192.168.0.0/16 {
                preference 2;
            }
        }
        instance-import from_all_to_SRXl;
    }
}

References:

1. Commands to clear PKI-related objects (key pair, local certificate, CA certificate and certificate request for the Markham-PRO identifiers)

  • clear security pki key-pair certificate-id Markham-PRO
  • clear security pki local-certificate certificate-id Markham-PRO
  • clear security pki ca-certificate ca-profile Markham-PRO
  • clear security pki certificate-request certificate-id Markham-PRO

Notes:

The following assigns an already-installed SSL certificate to fe-0/0/0.0 for web management. The certificate has to be bound to the external interface, and the zone that interface belongs to must allow HTTPS as host-inbound traffic, otherwise the management service is unreachable:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set system services web-management https pki-local-certificate PRO interface fe-0/0/0.0

By John