Configuring Client-to-Lan IPsec VPN using certificates between SRX and Windows Firewall with Advanced Security

Author: Ross Stanley
Configuring Client-to-Lan IPsec VPN using certificates between SRX and Windows Firewall with Advanced Security Version 1.0 December 2014

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

© Juniper Networks, Inc.


Overview

This example shows the configuration of a Client-to-Lan VPN between a Juniper Networks SRX device and a Windows client using the Windows Firewall VPN client.

Setup Prerequisites

- DEP (Dynamic End Point) configuration on SRX
- Tunnel mode in SRX
- IKEv1 (the Windows client supports only IKEv1)
- IPsec using certificates for authentication
- Perfect Forward Secrecy group2
- Client using Windows Firewall with Advanced Security
- Windows Machine Certificate Store
- SRX using separate zones for all interfaces
- SRX using st0 and LAN-side interfaces in the default VR; the gateway interface is in a custom VR
- Microsoft CA server for certificate signing

Included Platforms and Software Versions

This document applies to Junos 11.4 and subsequent releases for all SRX devices.

Topology

Configuration Steps

- Enroll device certificate on SRX
- Configure SRX using a certificate-based VPN
- Configuring Windows certificate services (optional)
- Enrolling client CA certificate
- Enrolling client device certificate
- Creating dial-up VPN in Windows


Enroll Certificates on SRX

1. Configure the CA

   [edit]
   root@srx# set security pki ca-profile ROOT ca-identity msca1
   root@srx# set security pki ca-profile ROOT enrollment url http://2.2.2.2/certsrv/mscep/mscep.dll
   root@srx# commit

   Note: By default the system uses the CDP (CRL distribution point) carried in the received client certificate for CRL validation. Refer to:

   "Understanding Certificate Revocation Lists"
   https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/concept/certificate-crl-understanding.html

   "Example: Manually Loading a CRL onto the Device"
   https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-manual-loading-cli.html

   "Example: Configuring a Certificate Authority Profile with CRL Locations"
   https://www.juniper.net/techpubs/en_US/junos12.1x47/topics/example/certificate-crl-validity-checking-cli.html

2. Enroll the CA certificate

   root@srx> request security pki ca-certificate enroll ca-profile ROOT

   Type yes at the prompt to load the CA certificate.

3. Generate a key pair for the device certificate

   root@srx> request security pki generate-key-pair certificate-id ZTH_HUB

4. Enroll the local certificate

   root@srx> request security pki local-certificate enroll ca-profile ROOT certificate-id ZTH_HUB domainname vpn-srx240-05.juniper.net email [email protected] ip-address 1.1.1.1 subject "C=US,DC=juniper,ST=CA,L=Sunnyvale,O=Juniper,OU=engineering,CN=vpn-srx240-05"

Configure SRX

1. Configure the interfaces

   root@srx# set interfaces ge-0/0/1.0 family inet address 1.1.1.1/24
   root@srx# set interfaces ge-0/0/3.0 family inet address 192.168.10.1/24
   root@srx# set interfaces st0.1 family inet

2. Configure IKE Phase 1

   root@srx# set security ike proposal IKE_PROP authentication-method rsa-signatures
   root@srx# set security ike proposal IKE_PROP dh-group group2
   root@srx# set security ike proposal IKE_PROP authentication-algorithm sha1
   root@srx# set security ike proposal IKE_PROP encryption-algorithm aes-128-cbc
   root@srx# set security ike proposal IKE_PROP lifetime-seconds 3600
   root@srx# set security ike policy IKE_POL mode main
   root@srx# set security ike policy IKE_POL proposals IKE_PROP
   root@srx# set security ike policy IKE_POL certificate local-certificate ZTH_HUB
   root@srx# set security ike policy IKE_POL certificate peer-certificate-type x509-signature
   root@srx# set security ike gateway CORP_GW ike-policy IKE_POL
   root@srx# set security ike gateway CORP_GW dynamic distinguished-name wildcard C=US
   root@srx# set security ike gateway CORP_GW local-identity inet 1.1.1.1
   root@srx# set security ike gateway CORP_GW external-interface ge-0/0/1
   root@srx# set security ike gateway CORP_GW version v1-only
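The following Python, added here as an illustration and not part of the Juniper application note, models how the dynamic distinguished-name match on gateway CORP_GW decides which peer certificate subjects may bring up the tunnel, and shows that the wildcard C=US used above admits every certificate from the trusted CA whose subject carries a US country attribute, while a longer wildcard such as C=US,O=Juniper,OU=engineering narrows that. Assumed Junos semantics: wildcard requires each configured attribute to be present in the peer subject in any order, container requires an ordered exact match; the two Juniper subjects are the ones printed in this document, the other two are constructed.

```python
# Added example, not part of the Juniper application note.
# Assumed Junos semantics for "ike gateway ... dynamic distinguished-name":
#   wildcard  - every configured attribute=value must appear in the peer's
#               certificate subject; order and extra attributes are ignored
#   container - the peer subject must equal the configured DN, same order
# Attribute types are compared case-insensitively, values exactly.
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'C=US, DC=juniper, CN=host' into [('C', 'US'), ('DC', 'juniper'), ...]."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_matches(peer_subject: str, configured_dn: str, mode: str = "wildcard") -> bool:
    """True if the peer's certificate subject satisfies the gateway's DN rule."""
    peer = parse_dn(peer_subject)
    wanted = parse_dn(configured_dn)
    if mode == "container":
        return peer == wanted
    if mode == "wildcard":
        remaining = list(peer)  # consume matches so a repeated attribute counts once
        for pair in wanted:
            if pair not in remaining:
                return False
            remaining.remove(pair)
        return True
    raise ValueError("mode must be 'wildcard' or 'container'")


def accepted_peers(subjects: List[str], configured_dn: str, mode: str = "wildcard") -> List[str]:
    """Which of the given certificate subjects the gateway rule would admit."""
    return [s for s in subjects if dn_matches(s, configured_dn, mode)]


# Subjects from this document: the Windows client and the SRX itself.
WIN_CLIENT = "C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1"
SRX_DEVICE = "C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=vpn-srx240-05"
# Constructed subjects showing how broad "wildcard C=US" is once the CA is trusted.
OTHER_US = "C=US, O=Contractor Inc, CN=laptop-01"
NON_US = "C=GB, O=Juniper, OU=engineering, CN=remote-lab"

if __name__ == "__main__":
    for rule in ("C=US", "C=US,O=Juniper,OU=engineering"):
        print(rule, "->", accepted_peers([WIN_CLIENT, SRX_DEVICE, OTHER_US, NON_US], rule))
```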


3. Configure IKE Phase 2

   root@srx# set security ipsec proposal IPSEC_PROP protocol esp
   root@srx# set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
   root@srx# set security ipsec proposal IPSEC_PROP encryption-algorithm aes-128-cbc
   root@srx# set security ipsec proposal IPSEC_PROP lifetime-seconds 3600
   root@srx# set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group2
   root@srx# set security ipsec policy IPSEC_POL proposals IPSEC_PROP
   root@srx# set security ipsec vpn CORP_VPN bind-interface st0.1
   root@srx# set security ipsec vpn CORP_VPN ike gateway CORP_GW
   root@srx# set security ipsec vpn CORP_VPN ike ipsec-policy IPSEC_POL

4. Configure security policies

   root@srx# set security policies from-zone vpn to-zone trust policy P1 match source-address any
   root@srx# set security policies from-zone vpn to-zone trust policy P1 match destination-address any
   root@srx# set security policies from-zone vpn to-zone trust policy P1 match application any
   root@srx# set security policies from-zone vpn to-zone trust policy P1 then permit
   root@srx# set security policies from-zone trust to-zone vpn policy P2 match source-address any
   root@srx# set security policies from-zone trust to-zone vpn policy P2 match destination-address any
   root@srx# set security policies from-zone trust to-zone vpn policy P2 match application any
   root@srx# set security policies from-zone trust to-zone vpn policy P2 then permit

5. Configure security zones

   root@srx# set security zones security-zone untrust host-inbound-traffic system-services ike
   root@srx# set security zones security-zone untrust host-inbound-traffic system-services ping
   root@srx# set security zones security-zone untrust interfaces ge-0/0/1.0
   root@srx# set security zones security-zone trust host-inbound-traffic system-services all
   root@srx# set security zones security-zone trust host-inbound-traffic protocols all
   root@srx# set security zones security-zone trust interfaces ge-0/0/3.0
   root@srx# set security zones security-zone vpn host-inbound-traffic system-services all
   root@srx# set security zones security-zone vpn host-inbound-traffic protocols all
   root@srx# set security zones security-zone vpn interfaces st0.1

6. Configure the routing instance

   root@srx# set routing-instances INTERNET instance-type virtual-router
   root@srx# set routing-instances INTERNET interface ge-0/0/1.0
   root@srx# set routing-instances INTERNET routing-options static route 0/0 next-hop 1.1.1.2

7. Configure the route back to the VPN tunnel interface for the peer IP address

   root@srx# set routing-options static route 2.2.2.2/32 next-hop st0.1


SRX Configuration Results

[edit]
root@srx# show interfaces
ge-0/0/1 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 192.168.10.1/24;
        }
    }
}
st0 {
    unit 1 {
        family inet;
    }
}

[edit]
root@srx# show security
pki {
    ca-profile ROOT {
        ca-identity msca1;
        enrollment {
            url http://2.2.2.2/certsrv/mscep/mscep.dll;
        }
    }
}
ike {
    proposal IKE_PROP {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IKE_POL {
        mode main;
        proposals IKE_PROP;
        certificate {
            local-certificate ZTH_HUB;
            peer-certificate-type x509-signature;
        }
    }
    gateway CORP_GW {
        ike-policy IKE_POL;
        dynamic {
            distinguished-name {
                wildcard C=US;
            }
        }
        local-identity inet 1.1.1.1;
        external-interface ge-0/0/1;
        version v1-only;
    }
}
ipsec {
    proposal IPSEC_PROP {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy IPSEC_POL {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals IPSEC_PROP;
    }
    vpn CORP_VPN {
        bind-interface st0.1;
        ike {
            gateway CORP_GW;
            ipsec-policy IPSEC_POL;
        }
    }
}
policies {
    from-zone vpn to-zone trust {
        policy P1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone vpn {
        policy P2 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ike;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/3.0;
        }
    }
    security-zone vpn {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            st0.1;
        }
    }
}

[edit]
root@srx# show routing-instances
INTERNET {
    instance-type virtual-router;
    interface ge-0/0/1.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.2;
        }
    }
}

[edit]
root@srx# show routing-options
static {
    route 2.2.2.2/32 next-hop st0.1;
}

Configuring Windows Certificate Services (optional)

The same Windows machine may be used as both the VPN client and the CA server. This depends on user requirements and on whether CA server functionality is available on that Windows machine. The local certificate may be signed by a different CA server as long as the CA is common to both the Windows client certificate and the SRX device certificate.

How to create Microsoft CA in Windows: http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx


Enrolling Client CA Certificate

Refer to the "Download the Trusted Root CA certificate" and "Import the Trusted Root (CA) Certificate" sections of
http://technet.microsoft.com/en-us/library/hh467900.aspx

Enrolling Client Device Certificate

Refer to "How To: Install a Certificate for Use with IP Security"
http://support.microsoft.com/kb/253498

or refer to "Create a Custom Certificate Request" for building a PKCS request file to submit to the CA.
http://technet.microsoft.com/en-us/library/cc730929.aspx

Note: For this example, the device certificate request must include a Country of US, so that the certificate matches the SRX wildcard C=US.

Configuring VPN in Windows Firewall Client

1. Launch Windows Firewall with Advanced Security

Click the Windows menu
Select Control Panel
Select Windows Firewall
Click Advanced Settings

2. Create a new connection security rule

Select Connection Security Rules
Select 'New Rule' on the right side


Select ‘Tunnel’ and click Next

Select ‘Client-to-Gateway’ and click Next

Select ‘Require authentication for inbound and outbound connections’ and click Next


Enter SRX gateway IP address for ‘Remote Tunnel Endpoint’ and click Next

Select 'Computer Certificate', then select the Signing Algorithm as RSA and the Certificate type (depends on your CA setup). Click Browse.


Select the CA certificate, click OK and then click Next. In this example we are using WIN-5VQR2LUTHF1-CA. This is the Root Certificate from the Windows machine store and is the CA used to sign both the SRX's certificate and the Windows client device certificate.

NOTE: If you do not see your CA, refer to the following Microsoft articles to add it to the list:

"Adding certificates to the Trusted Root Certification Authorities store for a local computer"
http://technet.microsoft.com/en-us/library/cc754841.aspx

"Import or export certificates and private keys"
http://windows.microsoft.com/en-us/windows/import-export-certificates-private-keys#1TC=windows-7

Select all options and click Next


Enter a Name and Description and click Finish

3. Define the protected network ranges

Select the newly created rule and click Properties under Actions


Select the Computers tab
Enter the client NIC IP address as Endpoint 1
Enter the remote network behind the SRX as Endpoint 2

4. Define the tunnel endpoints

Select the Advanced tab and click Customize under IPsec tunneling


Edit the endpoints so that the Local tunnel endpoint is the Windows client address and the Remote tunnel endpoint is the SRX's external interface. Click OK, then click Apply and then OK.

5. Enable perfect forward secrecy

Open an elevated CMD prompt:
Click the Windows menu
Enter the search phrase CMD.exe into the Search field
Right-click the resulting cmd.exe file
Select 'Run as Administrator'

Enter the following commands to set the quick mode security method and enable PFS:

   C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmsecmethod=esp:sha1-aes128
   C:\Users\Administrator>netsh advfirewall consec set rule name="Test1" new qmpfs=dhgroup2

Windows Configuration Results

C:\Users\Administrator>netsh advfirewall consec show rule name="Test1"

Rule Name:                            Test1
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  2.2.2.2
RemoteTunnelEndpoint:                 1.1.1.1
Endpoint1:                            2.2.2.2/32
Endpoint2:                            192.168.10.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          CN=WIN-5VQR2LUTHF1-CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No

Verifying Setup and Usage

1) Verify the machine certificate store to make sure that the private key is attached to the required certificates, as indicated by the small key on the certificate icon.

Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.

2) Verify logs in the Windows Firewall client:


Go to Event Viewer and check the Security log under Windows Logs.

3) Verify SRX tunnel status

[edit]
root@srx# run show security ike sa
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
6646446  UP     6c5848b0dc4aeae8  6e722f256cb17955  Main  2.2.2.2

[edit]
root@srx# run show security ike sa detail
IKE peer 2.2.2.2, Index 6646446, Gateway Name: ZTH_HUB_GW
  Role: Responder, State: UP
  Initiator cookie: 6c5848b0dc4aeae8, Responder cookie: 6e722f256cb17955
  Exchange type: Main, Authentication method: RSA-signatures
  Local: 1.1.1.1:500, Remote: 2.2.2.2:500
  Lifetime: Expires in 1789 seconds
  Peer ike-id: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  : 2596
   Output bytes  : 1896
   Input  packets: 5
   Output packets: 4
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 1.1.1.1:500, Remote: 2.2.2.2:500
    Local identity: 1.1.1.1
    Remote identity: C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=mjain-win2k8-1
    Flags: IKE SA is created

[edit]
root@srx# run show security ipsec sa
  Total active tunnels: 1
  ID        Algorithm             SPI      Life:sec/kb  Mon lsys Port  Gateway
  268173314 ESP:aes-cbc-128/sha1  e80f1c05 3582/ 99999  -   root 500   2.2.2.2

[edit]
root@srx# run show security ipsec sa detail
  ID: 268173314 Virtual-system: root, VPN Name: ZTH_HUB_VPN
  Local Gateway: 1.1.1.1, Remote Gateway: 2.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.10.0/24)
  Remote Identity: ipv4(any:0,[0..3]=2.2.2.2)
  Version: IKEv1
  DF-bit: clear, Bind-interface: st0.1
  Port: 500, Nego#: 10, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
  Tunnel events:
    Wed Oct 08 2014 00:16:50 -0700: IPSec SA negotiation successfully completed (1 times)
    Wed Oct 08 2014 00:16:50 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Wed Oct 08 2014 00:16:50 -0700: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: 9d445798, AUX-SPI: 0
    Hard lifetime: Expires in 3578 seconds
    Lifesize Remaining: 99999 kilobytes
    Soft lifetime: Expires in 3015 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: e80f1c05, AUX-SPI: 0
    Hard lifetime: Expires in 3578 seconds
    Lifesize Remaining: 99999 kilobytes
    Soft lifetime: Expires in 3015 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

4) Verify SRX certificates

[edit]
root@srx# run show security pki ca-certificate
Certificate identifier: ROOT
  Issued to: WIN-5VQR2LUTHF1-CA, Issued by: CN = WIN-5VQR2LUTHF1-CA
  Validity:
    Not before: 10- 3-2014 22:04 UTC
    Not after: 10- 3-2019 22:14 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: ikev2natt
  Issued to: pond-win, Issued by: CN = pond-win
  Validity:
    Not before: 11-22-2013 23:26 UTC
    Not after: 11-22-2018 23:35 UTC
  Public key algorithm: rsaEncryption(2048 bits)


root@srx# run show security pki ca-certificate ca-profile ROOT detail
Certificate identifier: ROOT
  Certificate version: 3
  Serial number: 2efe46115e3f418e46b1f7b7f648584e
  Issuer:
    Common name: WIN-5VQR2LUTHF1-CA
  Subject:
    Common name: WIN-5VQR2LUTHF1-CA
  Subject string:
    CN=WIN-5VQR2LUTHF1-CA
  Validity:
    Not before: 10- 3-2014 22:04 UTC
    Not after: 10- 3-2019 22:14 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    [public key bytes omitted]
  Signature algorithm: sha1WithRSAEncryption
  Use for key: CRL signing, Certificate signing, Digital signature
  Fingerprint:
    94:e7:fb:b1:d1:f9:aa:3f:c2:95:e3:28:02:da:ed:9f:30:e2:59:d9 (sha1)
    51:40:f8:a8:d5:dd:64:7a:ff:34:50:71:c5:92:47:dc (md5)

[edit]
root@srx# run show security pki local-certificate certificate-id ZTH_HUB detail
Certificate identifier: ZTH_HUB
  Certificate version: 3
  Serial number: 61053ed5000000000004
  Issuer:
    Common name: WIN-5VQR2LUTHF1-CA
  Subject:
    Organization: Juniper, Organizational unit: engineering, Country: US, State: CA, Locality: Sunnyvale, Common name: vpn-srx240-05, Domain component: juniper
  Subject string:
    C=US, DC=juniper, ST=CA, L=Sunnyvale, O=Juniper, OU=engineering, CN=vpn-srx240-05
  Alternate subject: "[email protected]", vpn-srx240-05.juniper.net, 1.1.1.1
  Validity:
    Not before: 10- 3-2014 22:45 UTC
    Not after: 10- 3-2015 22:55 UTC
  Public key algorithm: rsaEncryption(1024 bits)
    [public key bytes omitted]
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    file://WIN-5VQR2LUTHF1/CertEnroll/WIN-5VQR2LUTHF1-CA.crl
  Fingerprint:
    e1:9d:5b:fa:66:f6:58:8f:b6:30:34:05:54:69:95:77:8a:26:66:9b (sha1)
    b8:35:51:26:60:43:7f:20:ba:3a:ea:d6:b8:08:e9:3d (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

5) Windows tunnel status

To check the tunnel status on the Windows client, go to Event Viewer -> Windows Logs -> Security and check the Audit Success event for Quick Mode:

An IPsec quick mode security association was established.

Local Endpoint:
    Network Address: 2.2.2.2
    Network Address Mask: 255.255.255.255
    Port: 0
    Tunnel Endpoint: 2.2.2.2

Remote Endpoint:
    Network Address: 192.168.10.0
    Network Address Mask: 255.255.255.0
    Port: 0
    Private Address: 0.0.0.0
    Tunnel Endpoint: 1.1.1.1

Protocol: 0
Keying Module Name: -

Cryptographic Information:
    Integrity Algorithm - AH:
    Integrity Algorithm - ESP: SHA-1
    Encryption Algorithm: AES-128

Security Association Information:
    Lifetime - seconds: 3600
    Lifetime - data: 100000
    Lifetime - packets: 2147483647
    Mode: Tunnel
    Role: Initiator
    Quick Mode Filter ID: 83470
    Main Mode SA ID: 2171
    Quick Mode SA ID: 1108

Additional Information:
    Inbound SPI: 3325224778
    Outbound SPI: 717234676
    Virtual Interface Tunnel ID: 0
    Traffic Selector ID: 0

In the same log, check the Audit Success event for Main Mode:

An IPsec main mode security association was established. Extended mode was not enabled. A certificate was used for authentication.

Local Endpoint:
    Principal Name: mjain-win2k8-1
    Network Address: 2.2.2.2
    Keying Module Port: 500

Local Certificate:
    SHA Thumbprint: 11f73620578fa9b4b5a7359b48c29fb534b5f229
    Issuing CA: WIN-5VQR2LUTHF1-CA
    Root CA: CN=WIN-5VQR2LUTHF1-CA

Remote Endpoint:
    Principal Name: vpn-srx240-05.juniper.net
    Network Address: 1.1.1.1
    Keying Module Port: 500

Remote Certificate:
    SHA thumbprint: e19d5bfa66f6588fb6303405546995778a26669b
    Issuing CA: WIN-5VQR2LUTHF1-CA
    Root CA: CN=WIN-5VQR2LUTHF1-CA

Cryptographic Information:
    Cipher Algorithm: AES-128
    Integrity Algorithm: SHA 256
    Diffie-Hellman Group: DH group 2

Security Association Information:
    Lifetime (minutes): 30
    Quick Mode Limit: 0
    Main Mode SA ID: 2171

Additional Information:
    Keying Module Name: IKEv1
    Authentication Method: Certificate
    Role: Initiator
    Impersonation State: Not enabled
    Main Mode Filter ID: 83452
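Added example, not from the Juniper application note: a small Python health check over the SRX and Windows verification output shown in steps 3) to 5), confirming that the ESP SA toward 2.2.2.2 is up with the configured aes-128-cbc/sha1, and that the certificate the Windows client recorded as the remote certificate in its main mode event is the SRX's ZTH_HUB certificate, by comparing the event's SHA thumbprint with the SRX fingerprint. Assumptions: the sample strings are trimmed copies of this document's output, the "show security ipsec sa" column layout is the one printed here, and the function names are my own.

```python
# Added example, not part of the Juniper application note. Cross-checks the
# verification output shown on this page. The sample strings are trimmed
# copies of that output (constructed for the example); the column layout of
# "show security ipsec sa" is assumed to be the one printed in the document.
import re
from typing import Dict, Optional

SRX_IPSEC_SA = """\
  Total active tunnels: 1
  ID        Algorithm             SPI      Life:sec/kb  Mon lsys Port  Gateway
  268173314 ESP:aes-cbc-128/sha1  e80f1c05 3582/ 99999  -   root 500   2.2.2.2
"""

SRX_LOCAL_CERT = """\
Certificate identifier: ZTH_HUB
  Fingerprint:
    e1:9d:5b:fa:66:f6:58:8f:b6:30:34:05:54:69:95:77:8a:26:66:9b (sha1)
    b8:35:51:26:60:43:7f:20:ba:3a:ea:d6:b8:08:e9:3d (md5)
"""

WIN_MAIN_MODE_EVENT = """\
An IPsec main mode security association was established.
Remote Endpoint:
    Principal Name: vpn-srx240-05.juniper.net
    Network Address: 1.1.1.1
Remote Certificate:
    SHA thumbprint: e19d5bfa66f6588fb6303405546995778a26669b
    Issuing CA: WIN-5VQR2LUTHF1-CA
Cryptographic Information:
    Cipher Algorithm: AES-128
    Integrity Algorithm: SHA 256
    Diffie-Hellman Group: DH group 2
"""

# One row of "show security ipsec sa": ID, ESP:enc/auth, SPI, sec/kb, Mon, lsys, Port, Gateway
SA_ROW = re.compile(
    r"^\s*(\d+)\s+ESP:(\S+)/(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\d+)\s+\S+\s+\S+\s+\d+\s+(\S+)",
    re.M)


def parse_ipsec_sa(text: str) -> Optional[Dict[str, object]]:
    """Return the first ESP SA row as a dict, or None when no tunnel is active."""
    m = SA_ROW.search(text)
    if not m:
        return None
    return {"id": int(m.group(1)), "enc": m.group(2), "auth": m.group(3),
            "spi": m.group(4), "life_sec": int(m.group(5)),
            "life_kb": int(m.group(6)), "gateway": m.group(7)}


def srx_sha1_fingerprint(cert_detail: str) -> Optional[str]:
    """SHA-1 fingerprint from 'show security pki local-certificate ... detail', colons removed."""
    m = re.search(r"([0-9a-f]{2}(?::[0-9a-f]{2}){19})\s*\(sha1\)", cert_detail)
    return m.group(1).replace(":", "") if m else None


def win_remote_thumbprint(event_text: str) -> Optional[str]:
    """Remote certificate SHA thumbprint from the Windows main mode audit event."""
    m = re.search(r"SHA thumbprint:\s*([0-9a-fA-F]{40})", event_text)
    return m.group(1).lower() if m else None


def tunnel_health(ipsec_sa: str, local_cert: str, event: str,
                  peer: str = "2.2.2.2") -> Dict[str, bool]:
    """Checks a defender would script after bringing the tunnel up."""
    sa = parse_ipsec_sa(ipsec_sa)
    return {
        "tunnel_up": sa is not None and sa["gateway"] == peer,
        # Matches IPSEC_PROP: esp, aes-128-cbc, hmac-sha1-96
        "esp_as_configured": sa is not None and (sa["enc"], sa["auth"]) == ("aes-cbc-128", "sha1"),
        # The client authenticated exactly the certificate enrolled as ZTH_HUB
        "client_saw_zth_hub_cert": srx_sha1_fingerprint(local_cert) == win_remote_thumbprint(event),
    }


if __name__ == "__main__":
    print(tunnel_health(SRX_IPSEC_SA, SRX_LOCAL_CERT, WIN_MAIN_MODE_EVENT))
```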

EKU, SAN for IKE-ID:

VPN Server Certificate EKU                              Accepted by Windows Firewall Client
--------------------------------------------------------------------------------------------
IP security IKE intermediate                            Yes
Server Authentication, IP security IKE intermediate     No
IP security IKE intermediate                            No
Client Authentication, Server Authentication            Yes
Client Authentication                                   No
Server Authentication                                   Yes
Client Authentication, IP security IKE intermediate     Yes
Server Authentication, Client Authentication, None      No
