(I am sorry if this is not the correct place to post this)
I have been asked to establish an IPSec connection using certificates between a Juniper MX-5 (this is the endpoint I control) and another device (I still do not have any details about the brand/model) in a remote place.
This new tunnel will replace an old one between this Juniper and a Checkpoint (that tunnel only uses PSK).
I still have very little experience with Juniper devices and with the use of certificates for IPsec tunnels.
Is this device capable of using certificates for IPsec tunnels? What kind of certificates can I use? Would a GoDaddy SSL certificate work?
Thank you very much.
rp@AR1> show version
Hostname: AR1
Model: mx5-t
Junos: 13.3R1.8
JUNOS Base OS boot [13.3R1.8]
JUNOS Base OS Software Suite [13.3R1.8]
JUNOS Kernel Software Suite [13.3R1.8]
JUNOS Crypto Software Suite [13.3R1.8]
JUNOS Packet Forwarding Engine Support (MX80) [13.3R1.8]
JUNOS Online Documentation [13.3R1.8]
JUNOS Services Application Level Gateways [13.3R1.8]
JUNOS Services Jflow Container package [13.3R1.8]
JUNOS Services Stateful Firewall [13.3R1.8]
JUNOS Services NAT [13.3R1.8]
JUNOS Services RPM [13.3R1.8]
JUNOS Services Crypto [13.3R1.8]
JUNOS Services SSL [13.3R1.8]
JUNOS Services IPSec [13.3R1.8]
JUNOS Routing Software Suite [13.3R1.8]

rp@AR1> show system license
License usage:
                     Licenses   Licenses   Licenses   Expiry
Feature name             used  installed     needed
scale-subscriber            0       1000          0   permanent
scale-l2tp                  0       1000          0   permanent
scale-mobile-ip             0       1000          0   permanent

Licenses installed: none
You can use either CA-signed certificates for your IPSec VPN. Please find the following technical document for more understanding - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/using-digital-certificates-for-ipsec.html
Hello noobmaster! Thank you very much for the quick response.
That document mentions "Entrust, VeriSign, and Microsoft". Does it mean I have to get my certificate from only these providers?
Do you know of any free-to-use certificate to test the VPN?
You can get the certificates from any provider you want. You can even have your own CA to sign the certificate. However, it is not secure because someone has to validate your identity, and in order to achieve that we will be involving a CA.
I generally use the following website to generate the certificate for testing - https://getacert.com/ssl.html
Thank you very much for all your help
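For the "your own CA" option raised in the reply above, the following is an added example and not part of the thread: it uses OpenSSL to build a throwaway lab CA, issue one device certificate and check that the certificate chains to that CA. The names (Lab IPsec Test CA, ar1.lab.example) are constructed, the use of an FQDN subjectAltName as the IKE identity is an assumption, and loading the files into Junos is not shown.

```shell
#!/bin/sh
# Added example: throwaway private CA plus one device certificate for lab
# IPsec testing. All names here are constructed placeholders.
set -eu

make_test_ca() {                      # $1 = output directory
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = Lab
CN = Lab IPsec Test CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root: the trust anchor that both VPN peers would load.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_device_cert() {                 # $1 = directory, $2 = device FQDN
  # The key pair and CSR belong to the device; only the CSR goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/O=Lab/CN=$2" -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null
  # Assumption: the peers use the FQDN as IKE identity, so it goes in the SAN.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature' "subjectAltName=DNS:$2" > "$1/dev.ext"
  openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$1/dev.ext" \
    -out "$1/dev.crt" 2>/dev/null
}

verify_chain() {                      # exit status 0 when dev.crt chains to ca.crt
  openssl verify -CAfile "$1/ca.crt" "$1/dev.crt" >/dev/null 2>&1
}

cert_san() {                          # prints the SAN entry of dev.crt
  openssl x509 -in "$1/dev.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

work=$(mktemp -d)
make_test_ca "$work"
issue_device_cert "$work" ar1.lab.example
verify_chain "$work" && echo "chain OK, identity $(cert_san "$work")"
```

The remote peer only needs `ca.crt` to validate the device certificate; `ca.key` and `dev.key` stay private.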