Configure IPsec to Juniper SSG Firewall using X.509 Authentication


#1

This guide covers configuration of IPSEC between Peplink and Juniper SSG firewall using X.509 authentication. The example assumes the following settings:

IPSEC VPN Settings

Peplink WAN IP Address: 210.211.10.5 Peplink LAN Network: 192.168.2.0/24 Peplink Certificate: Email: site20@company.com Juniper SSG WAN IP Address: 66.80.3.1 Juniper SSG LAN Network: 192.168.1.0/24 Juniper Certificate: Email: ssg@company.com IPSEC Phase 1 Authentication: SHA-1 ISPEC Phase 1 Encryption: AES-128 ISPEC Phase 1 DH Group: 2 IPSEC Phase 2 Authentication: SHA-1 ISPEC Phase 2 Encryption: AES-128 ISPEC Phase 2 PFS Group: 2

Configure Peplink device for X.509 authentication

The Peplink should have its own private key and certificate installed to use X.509 authentication. You can read Article to complete this process.

Configure Juniper SSG firewall

Setup date and time

Using X.509 authentication requires time and date are set correctly on all devices.

Time and date configuration for Juniper SSG can be found under Configuration => Date/Time. You can simply click Sync Clock With Client or point the SSG to an NTP server.

juniper-ipsec-x509-01

 

Prepare Local Certificates

Goto Objects => Certificates to begin:
  1. Click on New button to create local key and certificate request. juniper-ipsec-x509-02
  2. Click Generate and you will get the PEM encoded certificate request. Click Save To File and send this request to your certificate authority for signing.juniper-ipsec-x509-03
  3. After receiving the signed certificate from your CA, you must install it via the Web UI. Your local certificate status should now become Active.
  4. Install your CA certificate.

Configure IPSEC VPN Profile

Goto Wizards => Route Based VPN to begin:
  1. Select local and remote interfaces. juniper-ipsec-x509-04
  2. Bind the tunnel to untrust interface. juniper-ipsec-x509-04b
  3. Select LAN to LAN tunnel. juniper-ipsec-x509-04c
  4. Select Local Static IP <-> Remote Static IPjuniper-ipsec-x509-04d
  5. Enter remote IP address of Peplinkjuniper-ipsec-x509-04e
  6. Select 128 bit encryptionjuniper-ipsec-x509-04f
  7. Specify the local and remote networks of the IPSEC VPNjuniper-ipsec-x509-04g
  8. Pass all protocols over VPN in both directionsjuniper-ipsec-x509-04h
  9. Set logging options as neededjuniper-ipsec-x509-04i
  10. Set Schedule to Nonejuniper-ipsec-x509-04j
  11. Click Next then Finish to complete VPN configuration.juniper-ipsec-x509-04k

Modify IPSEC VPN configuration to use X.509 certificates

  1. Goto VPNs => AutoKey IKEjuniper-ipsec-x509-05
  2. Click Proxy ID and add a new entry as below, otherwise all traffic will be blocked between IPsec peers.juniper-ipsec-x509-06
  3. Then goto Edit and click Advanced. Set the Phase 2 proposal to "g2-esp-aes128-sha" to match the example settings. juniper-ipsec-x509-07
  4. Go to VPNs => AutoKey Advanced => Gateway Click Edit then Advanced. Set the Phase 1 Proposal as follows. Select the previously imported local and CA certificates. Check Use Distinguished Name for Peer ID. For this example will will only match against the email address set within the Peplink certificate

  5. juniper-ipsec-x509-09

Configure IPSEC Profile on Peplink device

  1. Goto Network -> Interfaces -> IPSEC VPN to create a new IPSEC profile. Give the VPN a meaningful Name and enter the Remote Gateway IP and Remote Networks of the Juniper SSG. Set Authentication to X.509 Certificate and paste the Juniper SSG cerficate into Remote Certificate. Select the matching Phase 1 and Phase 2 settings for VPN.juniper-ipsec-x509-10
  2. Click Save and the IPSEC configuration is now complete.

#2

Hi - Is the x509 certificate authentication checkbox available on all devices.
I can add a certificate ok but am not getting the authentication check box under the IPSEC VPN profile.
Am running firmware 7.0.1
cheers


#3

FYI, have just upgraded to latest release 7.1 but still no x509 certificate authentication button :frowning:


#4

A feature activation key is reqiured for X.509 authentication on some models. Please open a support ticket with us here and we can take care of this for you.