• The router uses SCEP and HTTP to enroll with the specified CA and retrieve the
certificate that the router uses in IKE negotiations.
Authenticating the Peer
The ERX router validates X.509v3 certificates from the peer by confirming that the ID
payload passed in IKE matches the identifiers in the peer certificate. The router also
verifies that the signature is correct, based on the root CA public key.
The ERX router also validates the certificate based on its time window, so correct UTC
time on the router is essential. In addition to the certificate checks, the router confirms
that message data received from the peer has the correct signature based on the peer's
public key as found in its certificate. After the IKE authentication is done, quick-mode
negotiation of SAs can proceed.
Verifying CRLs
You can control how the router handles CRLs during negotiation of IKE phase 1 signature
authentication. Both the offline and online digital certificate processes enable you to
verify CRLs.
To verify CRLs in the offline certificate process, you must copy CRL files that are published
by CAs to the ERX router. Using the ipsec crl command, you can control how the router
handles CRLs during negotiation of IKE phase 1 signature authentication.
In the online certificate method you use the crl command to control CRL verification. The
router uses HTTP to support CRL verification when the CRL distribution point that appears
in the certificate has an http://name Uniform Resource Identifier (URI) format.
The ipsec crl and crl commands have three possible settings:
• Ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate
appears in the CRL; this is the most lenient setting.
• Optional—If the router finds a valid CRL, the router uses it.
• Required—Requires a valid CRL, and the certificates belonging to the E Series router
or the peer must not appear in the CRL; this is the strictest setting.
Based on the CRL setting, you can expect the phase 1 IKE negotiations to succeed or fail
depending on the following conditions:
• CRL OK—The certificate revocation list is present for the CA and valid (not expired).
• CRL expired—The CRL is present on the ERX router but is expired.
• Missing CRL—There is no CRL on the router for the CA.
• Peer Cert revoked—The CRL contains the peer certificate.
• ERX Cert revoked—The CRL contains the E Series router's certificate.
Table 15 on page 211 presents how the CRL setting affects the outcome of IKE phase 1
negotiations. It lists common problem conditions such as ERX Cert revoked.
Copyright © 2010, Juniper Networks, Inc.
210
JunosE 11.2.x IP Services Configuration Guide