ScreenOS Firewalls (NOT SRX)

stine (Trusted Contributor):

certificate based VPN between NS-50 (ScreenOS 5.4R17) and SRX240H (Junos 10.3r1.9)

I have had no trouble building PSK-authorized tunnels between my SRX and NS50(s), but I cannot seem to get certificate-based VPNs to work at all. I have gone through all of the guides (including the one where the two devices' names are only one character different!!!), and still cannot make it work.

If someone has a working config of either end of this setup, tell me what you did and what the "gotchas" are.

thanks.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
pkc (Contributor):

Re: certificate based VPN between NS-50 (ScreenOS 5.4R17) and SRX240H (Junos 10.3r1.9)

Hi,

This works fine but I only tried with certs generated from the same server.

Please make sure to use DNS names that both devices can resolve in your certs.

Which kind of error do you have in the logs? (Phase 1 auth, I assume, as PSK works fine.)

Did you try the "debug pki" commands?
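An SRX-side configuration that follows the advice above (RSA-signature authentication in phase 1, hostname IKE identities that match the DNS names in the certificates, and a CA profile for each CA that issued a device certificate, which matters when the two ends' certs come from different CAs). This is an added example, not a config posted by anyone in this thread; the profile, certificate, policy and gateway names, the hostnames, the peer address and the interface are placeholders, and the "##" lines are annotations to strip before loading.

```junos
## Added example, not from the thread. Names, addresses and interface are placeholders.
## Certificates are loaded out of band before this config is committed, e.g.:
##   request security pki ca-certificate load ca-profile ca-srx filename ca-srx.pem
##   request security pki ca-certificate load ca-profile ca-ns50 filename ca-ns50.pem
##   request security pki local-certificate load certificate-id srx240-cert filename srx240.pem

## One CA profile per issuing CA: the SRX validates the NS-50's certificate against
## the CA that issued it, so with two internal CAs both need a profile here.
set security pki ca-profile ca-srx ca-identity ca-srx
set security pki ca-profile ca-srx revocation-check disable
set security pki ca-profile ca-ns50 ca-identity ca-ns50
set security pki ca-profile ca-ns50 revocation-check disable

## Phase 1: certificate (RSA signature) authentication instead of pre-shared-keys
set security ike proposal ike-cert-prop authentication-method rsa-signatures
set security ike proposal ike-cert-prop dh-group group2
set security ike proposal ike-cert-prop authentication-algorithm sha1
set security ike proposal ike-cert-prop encryption-algorithm aes-128-cbc

set security ike policy ike-cert-pol mode main
set security ike policy ike-cert-pol proposals ike-cert-prop
set security ike policy ike-cert-pol certificate local-certificate srx240-cert
set security ike policy ike-cert-pol certificate peer-certificate-type x509-signature

## IKE identities are FQDNs and must match the DNS names carried in each device's certificate
set security ike gateway gw-ns50 ike-policy ike-cert-pol
set security ike gateway gw-ns50 address 198.51.100.10
set security ike gateway gw-ns50 external-interface ge-0/0/0.0
set security ike gateway gw-ns50 local-identity hostname srx240.example.net
set security ike gateway gw-ns50 remote-identity hostname ns50.example.net

## Phase 2 is the same as for a PSK tunnel
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-ns50 bind-interface st0.0
set security ipsec vpn vpn-ns50 ike gateway gw-ns50
set security ipsec vpn vpn-ns50 ike ipsec-policy ipsec-pol
```

On the SRX, `show security pki local-certificate detail` confirms the subject and SAN names the peer will be matched against, and `show security ike security-associations` plus IKE traceoptions show where phase 1 stops; on the NS-50 the equivalent view is the "debug pki" output mentioned above.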
stine (Trusted Contributor):

Re: certificate based VPN between NS-50 (ScreenOS 5.4R17) and SRX240H (Junos 10.3r1.9)

Right now, my two certs were issued by different CAs (both my internal CAs). Both CA certificates have been loaded into both the NS50 and the SRX210. I'll have to rerun the test to get any debug output; I had traceoptions all on the SRX running for a while, but nothing on the NS50. I also registered at dyndns (for my ADSL IP/name resolution).

Since I own both CAs, I guess I can sign the device cert in both CAs... I guess I'm going to have to break down and create my own internal subordinate CA...
thanks for the input

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.