SRX Services Gateway

SRX to SRX VPN with self signed certificates

03-23-2019 01:51 AM
Hi,

I’m looking to create a VPN between 2 SRX devices. I want to use self signed certificates to authenticate the VPN.

Does anyone know the procedure for this?

Re: SRX to SRX VPN with self signed certificates

03-23-2019 06:56 PM

A self-signed certificate will not work with certificate-based VPN as it does not have a trust level. You need an external CA certificate and it should be loaded on both SRXs. You can configure your own local CA server on Windows Server or Linux and request certificates from it, or use a certificate from a well-known public CA ($$$).

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX to SRX VPN with self signed certificates

03-24-2019 01:36 AM
Thanks for the reply,

I’m really trying to avoid using our main CA for this one. Is there any way I can use one of these SRX devices as the CA and sign itself and the other SRX?

So in effect, one SRX is the CA and they both get signed that way?

Thanks

Re: SRX to SRX VPN with self signed certificates

03-24-2019 02:13 AM

SRX cannot be configured as a root CA server to sign certificate requests.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX to SRX VPN with self signed certificates

03-24-2019 03:07 AM
Can I create a self signed certificate and simply export the public key out to the other SRX?

Then do the same on the other SRX, so essentially each SRX has the other's public key to create trust?

I remember old Cisco world could do this ... thanks

Re: SRX to SRX VPN with self signed certificates

03-24-2019 03:34 AM

I personally use the XCA tool for all internal certificate signing. If you are sure these SRXs do not need to use the certificate with any external machine, you may set up your own CA with the XCA tool.

Regards,
Gokul

Re: SRX to SRX VPN with self signed certificates

03-24-2019 03:49 AM
Thanks for that.

Just to confirm, is that this tool:
https://sourceforge.net/projects/xca/

Can I export self signed certificates to this and then manage signing them between multiple SRX firewalls?

Don’t suppose you have any more literature for this?

Thanks
Solution accepted by topic author oban3jimmy, 03-24-2019 04:05 AM

Re: SRX to SRX VPN with self signed certificates

03-24-2019 04:01 AM

Yup, that's the one. I don't see a point in exporting self-signed certs into it.

What you can do is:

1. Setup a Root CA on the tool

2. Setup intermediates (which won't be necessary for your setup AFAIK)

3. Create certificate requests on both SRX boxes, export them to the tool and get them signed with the CA you set up

4. Export the certs and load them on individual SRX-es, along with the CA cert

5. Configure your VPNs

I don't have any guide for XCA, but it is a very simple-to-use GUI. It uses OpenSSL in the backend: powerful, easy to use.

(If you are a Linux person, forget XCA - you can directly use the OpenSSL CLI :) )

Feel free to share screenshots if you run into any trouble.

Regards,
Gokul
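As an added example that is not part of this thread, here is the workflow from the steps above driven by the OpenSSL CLI that XCA wraps: it builds a lab root CA, signs CSRs for two made-up devices, verifies them the way a peer would once the CA cert is loaded, and shows that a plain self-signed certificate is rejected because no trusted CA chains to it. It assumes OpenSSL is installed; device names and CN values are invented.

```shell
#!/bin/sh
# Added example (not from the thread): private root CA with the OpenSSL CLI,
# then CSR -> sign -> verify, plus a self-signed cert that fails the same check.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: root CA. Both SRXs will be configured to trust this, not each other.
# 'req -x509' produces a self-signed CA certificate (CA:TRUE via OpenSSL defaults).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=VPN Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 3a: per-device CSR. On a real SRX the key and CSR are generated on the box
# ('request security pki generate-certificate-request'); OpenSSL stands in here.
make_csr() {  # $1 = made-up device name, e.g. srx-a
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.vpn.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3b: the CA signs the CSR as an end-entity (CA:FALSE) certificate.
sign_csr() {  # $1 = device name
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature\n' >"$WORK/ee.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ee.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 4/5: what the peer does at IKE time once the CA cert is loaded: build a
# chain from the presented cert to the trusted CA. Exit 0 = accepted, else rejected.
verify_against_ca() {  # $1 = path to the peer's certificate
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# The original idea: a cert that signs itself. Nothing the peer trusts chains to it.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=srx-self" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

main() {
  make_root_ca; make_csr srx-a; make_csr srx-b; sign_csr srx-a; sign_csr srx-b
  verify_against_ca "$WORK/srx-a.crt" && echo "srx-a cert chains to lab CA: accepted"
  verify_against_ca "$WORK/srx-b.crt" && echo "srx-b cert chains to lab CA: accepted"
  make_self_signed
  verify_against_ca "$WORK/self.crt" || echo "self-signed cert: rejected, no trust path"
}
main
```

On the SRX the equivalent of the last two steps is loading ca.crt as a CA certificate and each device's signed cert as its local certificate, then referencing them from the IKE proposal and policy.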

Re: SRX to SRX VPN with self signed certificates

03-24-2019 04:06 AM
Thanks very much

Re: SRX to SRX VPN with self signed certificates

03-24-2019 04:13 AM

You are welcome - and thanks for the Kudos! :)

Keep us posted on how it goes.

Regards,
Gokul