■ RFC 2409—The Internet Key Exchange (IKE) (November 1998)
■ RFC 2459—Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January 1999)
■ RFC 2986—PKCS #10: Certification Request Syntax Specification Version 1.7 (November 2000)
■ RFC 3280—Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)
■ RFC 3447—Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (February 2003)
For more information about IPSec and IKE, see “Configuring IPSec” on page 125.
IKE Authentication with Digital Certificates
As part of the IKE protocol, one security gateway needs to authenticate another
security gateway to make sure that IKE SAs are established with the intended party.
The router supports two authentication methods:
■ Digital certificates (using RSA algorithms)
For digital certificate authentication, an initiator signs message interchange data using its private key, and a responder uses the initiator's public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peer's identity—as represented in the certificate—is associated with a particular public key. E Series Broadband Services Routers provide both an offline (manual) and an online (automatic) process when using digital certificates.
■ Preshared keys
With preshared key authentication, the same secret must be configured on both security gateways before the gateways can authenticate each other.
The following sections provide information about digital certificates. For information about using preshared keys, see “IKE Overview” on page 140.
You can also use public keys for RSA authentication without having to obtain a digital certificate. For details, see “IKE Authentication Using Public Keys Without Digital Certificates” on page 220.
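As an added illustration of the signature step described above (not code from the router or from Juniper), this Python sketch implements RSASSA-PKCS1-v1_5 from RFC 3447, one of the standards listed earlier: the initiator signs the message interchange data with its private key, and the responder verifies it with the public key it takes from the initiator's certificate. The key size, seeds and message bytes are constructed for the demo; the X.509 certificate exchange itself is not modelled.

```python
# RSASSA-PKCS1-v1_5 (RFC 3447) sign/verify as used by IKE digital-certificate authentication.
# Added demo with constructed 512-bit keys; not the router's or Juniper's implementation.
import hashlib
import random

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 3447 9.2
def _is_probable_prime(n, rounds=32, rng=random.Random(7)):  # Miller-Rabin, fixed-seed RNG
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1: continue
        for _ in range(r):  # x must reach n-1 within r-1 squarings, else n is composite
            if x == n - 1: break
            x = pow(x, 2, n)
        else: return False
    return True
def generate_keypair(bits=512, seed=1):
    # Step 1 of the procedure: (n, d) is the private signing key, (n, e) the public verify key
    rng, e = random.Random(seed), 65537
    def prime(b):
        while True:
            p = rng.getrandbits(b) | (1 << (b - 1)) | 1  # odd and exactly b bits long
            if _is_probable_prime(p) and (p - 1) % e: return p  # e prime => gcd(e, p-1) == 1
    p, q = prime(bits // 2), prime(bits // 2)
    return (p * q, pow(e, -1, (p - 1) * (q - 1))), (p * q, e)
def _emsa_encode(message, k):
    # EMSA-PKCS1-v1_5: 00 01 || PS of 0xff (at least 8 bytes) || 00 || DigestInfo(SHA-256)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11: raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def sign(private_key, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_encode(message, k), "big"), d, n).to_bytes(k, "big")
def verify(public_key, message, signature):  # responder side: compare the whole recovered EM
    n, e = public_key
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    return len(signature) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _emsa_encode(message, k)
def demo():
    # Initiator signs the interchange data; the responder verifies with the public key taken
    # from the initiator's X.509 certificate (the certificate exchange itself is not modelled)
    init_priv, init_pub = generate_keypair(seed=1)
    _, other_pub = generate_keypair(seed=2)              # some other peer's public key
    data = b"constructed IKE message interchange data"  # constructed sample input
    sig = sign(init_priv, data)
    return (verify(init_pub, data, sig),            # genuine signature: True
            verify(init_pub, data + b"!", sig),     # tampered data: False
            verify(other_pub, data, sig))           # wrong peer's public key: False
```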
Signature Authentication
The following are key steps for using public key cryptography to authenticate a peer.
These steps are described in more detail in the following sections.
1. Generating a private/public key pair
Before the router can place a digital signature on messages, it requires a private key to sign, and requires a public key so that message receivers can verify the signature.
2. Obtaining a root CA certificate
IKE Authentication with Digital Certificates ■ 215
Chapter 8: Configuring Digital Certificates