Authenticating The Peer; Verifying Crls - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual
JunosE 11.3.x IP Services Configuration Guide

Authenticating the Peer

Verifying CRLs

The router uses SCEP and HTTP to enroll with the specified CA and retrieve the
certificate that the router uses in IKE negotiations.
The ERX router validates X.509v3 certificates from the peer by confirming that the ID
payload passed in IKE matches the identifiers in the peer certificate. The router also
verifies that the signature is correct, based on the root CA public key.
The ERX router also validates the certificate based on its time window, so correct UTC
time on the router is essential. In addition to the certificate checks, the router confirms
that message data received from the peer has the correct signature based on the peer's
public key as found in its certificate. After the IKE authentication is done, quick-mode
negotiation of SAs can proceed.
You can control how the router handles CRLs during negotiation of IKE phase 1 signature
authentication. Both the offline and online digital certificate processes enable you to
verify CRLs.
To verify CRLs in the offline certificate process, you must copy CRL files that are published
by CAs to the ERX router. Using the ipsec crl command, you can control how the router
handles CRLs during negotiation of IKE phase 1 signature authentication.
In the online certificate method you use the crl command to control CRL verification. The
router uses HTTP to support CRL verification when the CRL distribution point that appears
in the certificate has an http://name Uniform Resource Identifier (URI) format.
The ipsec crl and crl commands have three possible settings:
Ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate
appears in the CRL; this is the most lenient setting.
Optional—If the router finds a valid CRL, the router uses it.
Required—Requires a valid CRL, and the certificates belonging to the E Series router
or the peer must not appear in the CRL; this is the strictest setting.
Based on the CRL setting, you can expect the phase 1 IKE negotiations to succeed or fail
depending on the following conditions:
CRL OK—The certificate revocation list is present for the CA and valid (not expired).
CRL expired—The CRL is present on the ERX router but is expired.
Missing CRL—There is no CRL on the router for the CA.
Peer Cert revoked—The CRL contains the peer certificate.
ERX Cert revoked—The CRL contains the E Series router's certificate.
Table 15 on page 211 presents how the CRL setting affects the outcome of IKE phase 1
negotiations. It lists common problem conditions such as ERX Cert revoked.
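As an added example (not JunosE code and not Table 15 itself), the following Python models the phase 1 decision for the three ipsec crl / crl settings across the five conditions listed above. The outcomes are read off the setting descriptions (Ignored always succeeds, Optional consults a CRL only when it finds a valid one, Required fails without a valid one), which is an assumption where Table 15 may refine it; the CRLs, serial numbers and router clock are constructed, and the expiry check deliberately runs in UTC to reflect the guide's point about router time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CRLs standing in for CA-published CRL files copied to the router.
# A CRL is modelled as issuer name, nextUpdate time (UTC) and the set of revoked serials.
NOW = datetime(2010, 10, 1, 12, 0, tzinfo=timezone.utc)
VALID_CRL = {"issuer": "CN=Example CA", "next_update": NOW + timedelta(days=7),
             "revoked": {0x1A2B}}
EXPIRED_CRL = {"issuer": "CN=Example CA", "next_update": NOW - timedelta(days=1),
               "revoked": {0x1A2B}}


def crl_condition(crl, ca_name, now):
    """Classify the CRL as the guide does: 'CRL OK', 'CRL expired' or 'Missing CRL'."""
    if crl is None or crl["issuer"] != ca_name:
        return "Missing CRL"
    # Compared in UTC: a wrong router clock turns a valid CRL into an 'expired' one.
    if now > crl["next_update"]:
        return "CRL expired"
    return "CRL OK"


def ike_phase1_allowed(setting, crl, ca_name, peer_serial, erx_serial, now=NOW):
    """Return (succeeds, reason) for one ipsec crl / crl setting and one CRL condition."""
    if setting not in ("ignored", "optional", "required"):
        raise ValueError(f"unknown CRL setting: {setting}")
    condition = crl_condition(crl, ca_name, now)
    if setting == "ignored":
        # Most lenient: a missing, expired or revoking CRL never blocks negotiation.
        return True, f"{condition}; CRL ignored"
    if condition != "CRL OK":
        if setting == "optional":
            return True, f"{condition}; no valid CRL found, so none is used"
        return False, f"{condition}; a valid CRL is required"
    # A valid CRL is present: both optional and required consult it.
    if peer_serial in crl["revoked"]:
        return False, "Peer Cert revoked"
    if erx_serial in crl["revoked"]:
        return False, "ERX Cert revoked"
    return True, "CRL OK; neither certificate is listed"


if __name__ == "__main__":
    for setting in ("ignored", "optional", "required"):
        for label, crl in (("valid", VALID_CRL), ("expired", EXPIRED_CRL), ("missing", None)):
            ok, why = ike_phase1_allowed(setting, crl, "CN=Example CA", 0x1A2B, 0x0042)
            print(f"{setting:8} {label:8} -> {'succeed' if ok else 'fail':7} ({why})")
```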
Copyright © 2010, Juniper Networks, Inc.