configuring client-to-lan ipsec vpn using certificates ... · pdf fileconfiguring...
TRANSCRIPT
© Juniper Networks, Inc. 1
Configuring Client-to-Lan IPsec VPN using
certificates between SRX and Windows
Firewall with Advanced Security
Version 1.0 December 2014
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net
© Juniper Networks, Inc. 2
Overview This example shows the configuration of a Client-to-Lan VPN between a Juniper Networks SRX device and Windows client using the Windows
Firewall VPN client.
Setup Prerequisites
DEP (Dynamic End Point) configuration on SRX
Tunnel mode in SRX
IKEv1 (Win client supports only IKEv1)
IPSec using certificates for authentication
Perfect Forward Secrecy group2
Client using Windows firewall with Advanced Security
Windows Machine Certificate Store
SRX using separate zones for all interfaces
SRX using St0 and LAN-side interfaces in default VR and gateway interface is in custom VR.
Microsoft CA server for certificate signing
Included Platforms and Software Versions This document applies to Junos 11.4 and subsequent releases for all SRX devices
Topology
Configuration Steps Enroll device certificate on SRX
Configure SRX using a certificate-based VPN
Configuring Windows certificate services (optional)
Enrolling client CA certificate
Enrolling client device certificate
Creating dial-up VPN in Windows
© Juniper Networks, Inc. 3
Enroll Certificates on SRX
1. Configure the CA
[edit]
root@srx# set security pki ca-profile ROOT ca-identity mscal
root@srx# set security pki ca-profile ROOT enrollment url http://2.2.2.2/certsrv/mscep/mscep.dll
root@srx# commit
Note: The system will use the CDP of the received client certificate for CRL validation by default. Refer: “Understanding Certificate Revocation Lists” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/certificate-crl-understanding.html “Example: Manually loading a CRL onto the Device” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-manual-loading-cli.html “Example: Configuring a Certificate Authority Profile with CRL Locations” https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-validity-checking-cli.html
2. Enroll the CA certificate root@srx> request security pki ca-certificate enroll ca-profile ROOT
Type yes at the prompt to load the CA certificate
3. Generate a key pair for Device certificate root@srx> request security pki generate-key-pair certificate-id ZTH_HUB
4. Enroll the local certificate
root@srx> request security pki local-certificate enroll ca-profile ROOT certificate-id ZTH_HUB domain-
name vpn-srx240-05.juniper.net email [email protected] ip-address 1.1.1.1 subject
“C=US,DC=juniper,ST=CA,L=Sunnyvale,O=Juniper,OU=engineering,CN=vpn-srx240-05”
Configure SRX
1. Configure the interfaces
root@srx# set interfaces ge-0/0/1.0 family inet address 1.1.1.1/24
root@srx# set interfaces ge-0/0/3.0 family inet address 192.168.10.1/24 root@srx# set interfaces st0.1 family inet
2. Configure Ike Phase1 root@srx# set security ike proposal IKE_PROP authentication-method rsa-signatures
root@srx# set security ike proposal IKE_PROP dh-group group2
root@srx# set security ike proposal IKE_PROP authentication-algorithm sha1
root@srx# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
root@srx# set security ike proposal IKE_PROP lifetime-seconds 3600
root@srx# set security ike policy IKE_POL mode main
root@srx# set security ike policy IKE_POL proposals IKE_PROP
root@srx# set security ike policy IKE_POL certificate local-certificate ZTH_HUB
root@srx# set security ike policy IKE_POL certificate peer-certificate-type x509-signature
root@srx# set security ike gateway CORP_GW ike-policy IKE_POL
root@srx# set security ike gateway CORP_GW dynamic distinguished-name wildcard C=US
root@srx# set security ike gateway CORP_GW local-identity inet 1.1.1.1
root@srx# set security ike gateway CORP_GW external-interface ge-0/0/1
root@srx# set security ike gateway CORP_GW version v1-only
© Juniper Networks, Inc. 4
3. Configure Ike Phase 2 root@srx# set security ipsec proposal IPSEC_PROP protocol esp root@srx# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96 root@srx# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc root@srx# set security ipsec proposal IPSEC_PROP lifetime-seconds 3600 root@srx# set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2 root@srx# set security ipsec policy IPSEC_POL proposals IPSEC_PROP root@srx# set security ipsec vpn CORP_VPN bind-interface st0.1 root@srx# set security ipsec vpn CORP_VPN ike gateway CORP_GW root@srx# set security ipsec vpn CORP_VPN ike ipsec-policy IPSEC_POL
4. Configure security policies
root@srx# set security policies from-zone vpn to-zone trust policy P1 match source-address any root@srx# set security policies from-zone vpn to-zone trust policy P1 match destination-address any root@srx# set security policies from-zone vpn to-zone trust policy P1 match application any root@srx# set security policies from-zone vpn to-zone trust policy P1 then permit
root@srx# set security policies from-zone trust to-zone vpn policy P2 match source-address any root@srx# set security policies from-zone trust to-zone vpn policy P2 match destination-address any root@srx# set security policies from-zone trust to-zone vpn policy P2 match application any root@srx# set security policies from-zone trust to-zone vpn policy P2 then permit
5. Configure security zones
root@srx# set security zones security-zone untrust host-inbound-traffic system-services ike root@srx# set security zones security-zone untrust host-inbound-traffic system-services ping root@srx# set security zones security-zone untrust interfaces ge-0/0/1.0
root@srx# set security zones security-zone trust host-inbound-traffic system-services all root@srx# set security zones security-zone trust host-inbound-traffic protocols all root@srx# set security zones security-zone trust interfaces ge-0/0/3.0
root@srx# set security zones security-zone vpn host-inbound-traffic system-services all root@srx# set security zones security-zone vpn host-inbound-traffic protocols all root@srx# set security zones security-zone vpn interfaces st0.1
6. Configure routing-instance root@srx# set routing-instances INTERNET instance-type virtual-router root@srx# set routing-instances INTERNET interface ge-0/0/1.0 root@srx# set routing-instances INTERNET routing-options static route 0/0 next-hop 1.1.1.2
7. Configure route back to VPN tunnel interface for peer IP address root@srx# set routing-options static route 2.2.2.2/32 next-hop st0.1
© Juniper Networks, Inc. 5
SRX Configuration Results
root@srx# show interfaces
ge-0/0/1 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.10.1/24;
}
}
}
st0 {
unit 1 {
family inet;
}
}
[edit]
root@srx# show security
pki {
ca-profile ROOT {
ca-identity msca1;
enrollment {
url http://2.2.2.2/certsrv/mscep/mscep.dll;
}
}
}
ike {
proposal IKE_PROP {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IKE_POL {
mode main;
proposals IKE_PROP;
certificate {
local-certificate ZTH_HUB;
peer-certificate-type x509-signature;
}
}
gateway CORP_GW {
ike-policy IKE_POL;
dynamic {
distinguished-name {
wildcard C=US;
}
}
local-identity inet 1.1.1.1;
external-interface ge-0/0/1;
version v1-only;
}
© Juniper Networks, Inc. 6
}
ipsec {
proposal IPSEC_PROP {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POL {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC_PROP;
}
vpn CORP_VPN {
bind-interface st0.1;
ike {
gateway CORP_GW;
ipsec-policy IPSEC_POL;
}
}
}
policies {
from-zone vpn to-zone trust {
policy P1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone vpn {
policy P2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
ping;
}
}
interfaces {
ge-0/0/1.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
© Juniper Networks, Inc. 7
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.1;
}
}
}
[edit]
root@srx# show routing-instances
INTERNET {
instance-type virtual-router;
interface ge-0/0/1.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 1.1.1.2
}
}
}
[edit]
root@srx# show routing-options
static {
route 2.2.2.2/32 next-hop st0.1;
}
Configuring Windows Certificate Services (optional)
The same Windows machine may be used as a VPN client and as a CA server. This depends on user requirements and if CA server functionality is
available on same Windows machine. It is possible to have the localcert signed by a different CA server as long as the CA is common to both the
Windows client certificate and the SRX device certificate.
How to create Microsoft CA in Windows:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
© Juniper Networks, Inc. 8
Enrolling Client CA Certificate
Refer to “Download the Trusted Root CA certificate” & “Import the Trusted Root (CA) Certificate” sections
http://technet.microsoft.com/en-us/library/hh467900.aspx
Enrolling Client Device Certificate
Refer to “How To: Install a Certificate for Use with IP Security”
http://support.microsoft.com/kb/253498
or
Refer to “Create a Custom Certificate Request” for submitting a PCKS file for submitting to CA.
http://technet.microsoft.com/en-us/library/cc730929.aspx
Note: For this example, the device certificate request must include Country of US to allow SRX wildcard matching of C=US in certificate.
Configuring VPN in Windows Firewall Client
1. Launch Windows Firewall with Advanced Security Click Windows Menu
Select Control Panel
Select Windows Firewall
Click Advanced Settings
2. Create new connection security rule
Select Connection Security Rules
Select ‘New Rule’ on right side
© Juniper Networks, Inc. 9
Select ‘Tunnel’ and click Next
Select ‘Client-to-Gateway’ and click Next
Select ‘Require authentication for inbound and outbound connections’ and click Next
© Juniper Networks, Inc. 10
Enter SRX gateway IP address for ‘Remote Tunnel Endpoint’ and click Next
Select ‘Computer Certificate’ and select the ‘Signing Algorithm as RSA and Certificate type (depends on
your CA setup). Click Browse.
© Juniper Networks, Inc. 11
Select CA certificate and click OK and then click Next.
In this example we are using WIN-5QR2LUTHF1-CA. This is the Root Certificate from the Windows Machine
store and is the CA used to sign both the SRX’s certificate and the Windows client device certificate.
NOTE: If you do not see your CA refer to the following Microsoft articles to add to list
Adding certificates to the Trusted Root Certification Authorities store for a local computer
http://technet.microsoft.com/en-us/library/cc754841.aspx
Adding certificates to the Trusted Root Certification Authorities store for a local computer
http://windows.microsoft.com/en-us/windows/import-export-certificates-private-keys#1TC=windows-7
Select all options and click Next
© Juniper Networks, Inc. 12
Enter a Name and Description and click Finish
3. Define the Protected network ranges
Select the newly created rule and click Properties under Actions
© Juniper Networks, Inc. 13
Select Computers tab
Enter Client NIC IP address as Endpoint 1
Enter Remote network behind SRX as Endpoint 2
4. Define the Tunnel Endpoints
Select Advanced Tab and click on Customize for Ipsec tunneling
© Juniper Networks, Inc. 14
Edit endpoints to reflect the Local tunnel endpoint being the Window client address and Remote tunnel
endpoint is the SRX’s external interface. Click OK then click Apply the OK.
5. Enable perfect forward secrecy
Open an Elevated CMD prompt
Click on Windows Menu
Enter search phrase CMD.exe into Search field
Right click on the resulting cmd.exe file
Select ‘Run as Administrator’
Enter the following command to enable PFS
C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmsecmethod= esp:sha1-
aes128
C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmpfs= dhgroup2
Windows Configuration Results
C:\Users\Administrator>netsh advfirewall consec show rule name="Test1"
Rule Name: Test1
----------------------------------------------------------------------
Enabled: Yes Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel LocalTunnelEndpoint: 2.2.2.2
RemoteTunnelEndpoint: 1.1.1.1
Endpoint1: 2.2.2.2/32 Endpoint2: 192.168.10.0/24
Protocol: Any
Action: RequireInRequireOut Auth1: ComputerCert
Auth1CAName: CN=WIN-5VQR2LUTHF1-CA
Auth1CertMapping: No Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
© Juniper Networks, Inc. 15
QuickModeSecMethods: ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Verifying Setup and Usage
1) Verify the machine cert-store to make sure that private key is attached to required certificates as indicated by the presence of a small key on
the certificate icon.
Open Certificate Manager by clicking the Start button Picture of the Start button, typing certmgr.msc
into the Search box, and then pressing ENTER.
2) Verify logs in Windows firewall client:
© Juniper Networks, Inc. 16
Go to event viewer and check for security logs under Windows logs
3) Verify SRX tunnel status
root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6646446 UP 6c5848b0dc4aeae8 6e722f256cb17955 Main 2.2.2.2
[edit]
root@srx# run show security ike sa detail
IKE peer 2.2.2.2, Index 6646446, Gateway Name: ZTH_HUB_GW
Role: Responder, State: UP
Initiator cookie: 6c5848b0dc4aeae8, Responder cookie: 6e722f256cb17955
Exchange type: Main, Authentication method: RSA-signatures
Local: 1.1.1.1:500, Remote: 2.2.2.2:500
Lifetime: Expires in 1789 seconds
Peer ike-id: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes128-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 2596
Output bytes : 1896
Input packets: 5
Output packets: 4
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 1.1.1.1:500, Remote: 2.2.2.2:500
© Juniper Networks, Inc. 17
Local identity: 1.1.1.1
Remote identity: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1
Flags: IKE SA is created
[edit]
root@srx# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<268173314 ESP:aes-cbc-128/sha1 9d445798 3582/ 99999 - root 500 2.2.2.2
>268173314 ESP:aes-cbc-128/sha1 e80f1c05 3582/ 99999 - root 500 2.2.2.2
[edit]
root@srx# run show security ipsec sa detail
ID: 268173314 Virtual-system: root, VPN Name: ZTH_HUB_VPN
Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
Local Identity: ipv4_subnet(any:0,[0..7]=192.168.10.0/24)
Remote Identity: ipv4(any:0,[0..3]=2.2.2.2)
Version: IKEv1
DF-bit: clear, Bind-interface: st0.1
Port: 500, Nego#: 10, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
Tunnel events:
Wed Oct 08 2014 00:16:50 -0700: IPSec SA negotiation successfully completed (1 times)
Wed Oct 08 2014 00:16:50 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger
negotiation (1 times)
Wed Oct 08 2014 00:16:50 -0700: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: 9d445798, AUX-SPI: 0
Hard lifetime: Expires in 3578 seconds
Lifesize Remaining: 99999 kilobytes
Soft lifetime: Expires in 3015 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: e80f1c05, AUX-SPI: 0
Hard lifetime: Expires in 3578 seconds
Lifesize Remaining: 99999 kilobytes
Soft lifetime: Expires in 3015 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
4) Verify SRX Certificates
[edit]
root@srx# run show security pki ca-certificate
Certificate identifier: ROOT
Issued to: WIN-5VQR2LUTHF1-CA, Issued by: CN = WIN-5VQR2LUTHF1-CA
Validity:
Not before: 10- 3-2014 22:04 UTC
Not after: 10- 3-2019 22:14 UTC
Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: ikev2natt
Issued to: pond-win, Issued by: CN = pond-win
Validity:
Not before: 11-22-2013 23:26 UTC
Not after: 11-22-2018 23:35 UTC
Public key algorithm: rsaEncryption(2048 bits)
© Juniper Networks, Inc. 18
root@srx# run show security pki ca-certificate ca-profile ROOT detail
Certificate identifier: ROOT
Certificate version: 3
Serial number: 2efe46115e3f418e46b1f7b7f648584e
Issuer:
Common name: WIN-5VQR2LUTHF1-CA
Subject:
Common name: WIN-5VQR2LUTHF1-CA
Subject string:
CN=WIN-5VQR2LUTHF1-CA
Validity:
Not before: 10- 3-2014 22:04 UTC
Not after: 10- 3-2019 22:14 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:b6:1e:6d:d6:d3:0f:ef:a6:2d:14:8c
d0:94:78:f1:87:e6:5b:20:40:3f:1d:68:56:a8:6a:f3:b3:79:4e:51
69:01:e7:5f:0a:dc:95:d8:ea:71:94:71:e6:93:b7:5a:6e:50:02:55
be:c8:5c:48:11:b8:7b:e4:f1:01:42:06:a5:8e:1a:4e:79:06:26:d0
e1:bc:52:79:7a:1f:af:d5:80:72:1a:4d:85:5e:5f:86:18:f6:bf:4e
36:af:e8:b8:3f:45:8f:ef:c0:65:7b:10:bd:51:c7:d4:d9:90:ea:60
9f:02:fb:5d:b9:1b:73:23:e0:b4:60:78:ce:ce:51:e9:f8:da:92:b2
4c:e2:32:e8:22:f9:4a:21:77:66:ab:2c:8f:15:83:7e:b2:d6:28:16
64:c8:59:0a:29:55:95:bf:dd:f4:15:bd:0f:54:7d:62:23:e0:78:55
37:4b:f7:5f:33:0c:d7:9a:1f:e4:34:fd:57:41:91:96:21:94:e7:70
38:b2:60:20:f9:9a:3a:2e:c8:61:6c:5b:37:b7:1b:52:26:4b:a2:9a
a0:66:36:5f:7f:be:d9:4d:63:52:d9:73:4f:e7:2d:78:e1:35:cf:ab
16:de:d3:fd:3c:3a:3c:ff:19:c1:82:c2:77:dc:92:f4:70:f0:0c:4c
f8:00:8d:51:c3:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
94:e7:fb:b1:d1:f9:aa:3f:c2:95:e3:28:02:da:ed:9f:30:e2:59:d9 (sha1)
51:40:f8:a8:d5:dd:64:7a:ff:34:50:71:c5:92:47:dc (md5)
[edit]
root@srx# run show security pki local-certificate certificate-id ZTH_HUB detail
Certificate identifier: ZTH_HUB
Certificate version: 3
Serial number: 61053ed5000000000004
Issuer:
Common name: WIN-5VQR2LUTHF1-CA
Subject:
Organization: Juniper, Organizational unit: engineering, Country: US, State: CA, Locality: Sunnyvale,
Common name: vpn-srx240-05, Domain component: juniper
Subject string:
C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=vpn-srx240-05
Alternate subject: "[email protected]", vpn-srx240-05.juniper.net, 1.1.1.1
Validity:
Not before: 10- 3-2014 22:45 UTC
Not after: 10- 3-2015 22:55 UTC
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:d7:83:07:8c:cf:63:dc:da:d1:7f:92:52:5e
aa:cd:42:68:cb:1d:2d:c8:13:e1:2c:52:11:a9:f7:33:6c:d7:8d:98
a4:2f:be:3d:86:e2:de:c9:94:4c:11:51:4b:60:6f:c0:67:c5:12:03
60:3e:0c:ce:b9:9c:61:4c:af:9c:30:da:6d:60:d9:8e:5e:4b:ed:1f
8c:67:e5:10:2d:93:4d:40:93:5e:cf:d3:6e:58:bf:0c:52:98:c9:9a
99:44:28:db:5c:01:46:68:c8:b8:dc:14:c2:b6:a4:1d:70:36:63:7b
5e:ae:a7:c1:78:34:1f:a6:bf:3c:ae:6e:3f:7b:3d:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
file://WIN-5VQR2LUTHF1/CertEnroll/WIN-5VQR2LUTHF1-CA.crl
Fingerprint:
© Juniper Networks, Inc. 19
e1:9d:5b:fa:66:f6:58:8f:b6:30:34:05:54:69:95:77:8a:26:66:9b (sha1)
b8:35:51:26:60:43:7f:20:ba:3a:ea:d6:b8:08:e9:3d (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
5) Windows Tunnels status SRX Certificates
To check the tunnel status on Win client please go to event viewer -> windows logs -> security and then
check the Audit success for Quick mode.
An IPsec quick mode security association was established.
Local Endpoint:
Network Address: 2.2.2.2
Network Address mask: 255.255.255.255
Port: 0
Tunnel Endpoint: 2.2.2.2
Remote Endpoint:
Network Address: 192.168.10.0
Network Address Mask: 255.255.255.0
Port: 0
Private Address: 0.0.0.0
Tunnel Endpoint: 1.1.1.1
Protocol: 0
Keying Module Name: -
Cryptographic Information:
Integrity Algorithm - AH: -
Integrity Algorithm - ESP: SHA-1
Encryption Algorithm: AES-128
Security Association Information:
Lifetime - seconds: 3600
Lifetime - data: 100000
Lifetime - packets: 2147483647
Mode: Tunnel
Role: Initiator
Quick Mode Filter ID: 83470
Main Mode SA ID: 2171
Quick Mode SA ID: 1108
Additional Information:
Inbound SPI: 3325224778
Outbound SPI: 717234676
Virtual Interface Tunnel ID: 0
Traffic Selector ID: 0
To check the tunnel status on Win client please go to event viewer -> windows logs -> security and then
check the Audit success for Main mode.
An IPsec main mode security association was established. Extended mode was not enabled. A certificate
was used for authentication.
Local Endpoint:
© Juniper Networks, Inc. 20
Principal Name: mjain-win2k8-1
Network Address: 2.2.2.2
Keying Module Port: 500
Local Certificate:
SHA Thumbprint: 11f73620578fa9b4b5a7359b48c29fb534b5f229
Issuing CA: WIN-5VQR2LUTHF1-CA
Root CA: CN=WIN-5VQR2LUTHF1-CA
Remote Endpoint:
Principal Name: vpn-srx240-05.juniper.net
Network Address: 1.1.1.1
Keying Module Port: 500
Remote Certificate:
SHA thumbprint: e19d5bfa66f6588fb6303405546995778a26669b
Issuing CA: WIN-5VQR2LUTHF1-CA
Root CA: CN=WIN-5VQR2LUTHF1-CA
Cryptographic Information:
Cipher Algorithm: AES-128
Integrity Algorithm: SHA 256
Diffie-Hellman Group: DH group 2
Security Association Information:
Lifetime (minutes): 30
Quick Mode Limit: 0
Main Mode SA ID: 2171
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Certificate
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 83452
EKU, SAN for IKE-ID:
© Juniper Networks, Inc. 21
VPN Server Certificate EKU Accepted by Windows Firewall Client
IP security IKE intermediate Yes
Server Authentication
IP security IKE intermediate No
IP security IKE intermediate No
Client Authentication
Server Authentication Yes
Client Authentication No
Server Authentication Yes
Client Authentication
IP security IKE intermediate Yes
Server Authentication
Client Authentication
None No