■
The router uses SCEP and HTTP to enroll with the specified CA and retrieve the
certificate that the router uses in IKE negotiations.
Authenticating the Peer
The ERX router validates X.509v3 certificates from the peer by confirming that the
ID payload passed in IKE matches the identifiers in the peer certificate. The router
also verifies that the signature is correct, based on the root CA public key.
The ERX router also validates the certificate based on its time window, so correct
UTC time on the router is essential. In addition to the certificate checks, the router
confirms that message data received from the peer has the correct signature based
on the peer's public key as found in its certificate. After the IKE authentication is
done, quick-mode negotiation of SAs can proceed.
Verifying CRLs
You can control how the router handles CRLs during negotiation of IKE phase 1
signature authentication. Both the offline and online digital certificate processes
enable you to verify CRLs.
To verify CRLs in the offline certificate process, you must copy CRL files that are
published by CAs to the ERX router. Using the
ipsec crl
command, you can control
how the router handles CRLs during negotiation of IKE phase 1 signature
authentication.
In the online certificate method you use the
crl
command to control CRL verification.
The router uses HTTP to support CRL verification when the CRL distribution point
that appears in the certificate has an http://
name
Uniform Resource Indicator (URI)
format.
The
ipsec crl
and
crl
commands have three possible settings:
■
Ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's
certificate appears in the CRL; this is the most lenient setting.
■
Optional—If the router finds a valid CRL, the router uses it.
■
Required—Requires a valid CRL, and the certificates belonging to the E Series
router or the peer must not appear in the CRL; this is the strictest setting.
Based on the CRL setting, you can expect the phase 1 IKE negotiations to succeed
or fail depending on the following conditions:
■
CRL OK—The certificate revocation list is present for the CA and valid (not
expired).
■
CRL expired—The CRL is present on the ERX router but is expired.
■
Missing CRL—There is no CRL on the router for the CA.
■
Peer Cert revoked—The CRL contains the peer certificate.
■
ERX Cert revoked—The CRL contains the E Series router's certificate.
218
■
IKE Authentication with Digital Certificates
JUNOSe 11.1.x IP Services Configuration Guide
Содержание IP SERVICES - CONFIGURATION GUIDE V 11.1.X
Страница 6: ...vi...
Страница 8: ...viii JUNOSe 11 1 x IP Services Configuration Guide...
Страница 18: ...xviii Table of Contents JUNOSe 11 1 x IP Services Configuration Guide...
Страница 20: ...xx List of Figures JUNOSe 11 1 x IP Services Configuration Guide...
Страница 22: ...xxii List of Tables JUNOSe 11 1 x IP Services Configuration Guide...
Страница 28: ...2 Chapters JUNOSe 11 1 x IP Services Configuration Guide...
Страница 138: ...112 Monitoring J Flow Statistics JUNOSe 11 1 x IP Services Configuration Guide...
Страница 286: ...260 Monitoring IP Tunnels JUNOSe 11 1 x IP Services Configuration Guide...
Страница 312: ...286 Monitoring IP Reassembly JUNOSe 11 1 x IP Services Configuration Guide...
Страница 357: ...Part 2 Index Index on page 333 Index 331...
Страница 358: ...332 Index JUNOSe 11 1 x IP Services Configuration Guide...