Scep
These scenarios show how to configure the SCEP protocol to retrieve certificates from a PKI server, and then how to establish a site-to-site VPN connection between two endpoints using those certificates.
Test SCEP Credentials Ready
Description
In this scenario, the credentials (X509 certificates) are retrieved before VPN settings are configured.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 192.168.212.0/22 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2:
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 192.168.212.0/22 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1
Output:
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data.
64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.622 ms

--- 192.168.213.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.622/0.622/0.622/0.000 ms
Step 4: Ping IP address 192.168.213.25 from DUT2:
admin@DUT2$ ping 192.168.213.25 count 1 size 56 timeout 1
Output:
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data.
64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.667 ms

--- 192.168.213.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.667/0.667/0.667/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe
set system certificate scep csr CSR distinguished-names 'DC=scep, DC=com, CN=entity1'
set system certificate scep csr CSR encrypted-password U2FsdGVkX1+F1m05UNunrqleUM04hxe937FNSLYw4hyPezZFdd0vkCY/rtHI1g1KMKQ8YR3iSoMKMKSVUSzwdw==
set system certificate scep csr CSR url 'http://192.168.213.25/'
Step 6: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 7: Modify the following configuration lines in DUT2:
set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe
set system certificate scep csr CSR distinguished-names 'DC=scep, DC=com, CN=entity2'
set system certificate scep csr CSR encrypted-password U2FsdGVkX1+NGUwlWScQ/C7G/zgGb6TLIVvlcPQdQcs9ObZptOurb165p4iOYfMvNYO/tcZMmVst8KuVA1mRvw==
set system certificate scep csr CSR url 'http://192.168.213.25/'
Step 8: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid
usercert\s+Valid
Output:
-------------------------------------------------------------------------------------
Certificate      Status    Usage          NotBefore                   NotAfter
-------------------------------------------------------------------------------------
ca               Valid     Signature      Dec 14 10:00:35 2023 GMT    Dec 14 10:10:34 2053 GMT
ra               Valid     Encipherment   Dec 21 09:33:45 2023 GMT    Dec 20 09:33:45 2025 GMT
ra-2             Valid     Signature      Dec 21 09:33:43 2023 GMT    Dec 20 09:33:43 2025 GMT
usercert         Valid     -              May 14 08:07:24 2025 GMT    May 14 12:07:24 2025 GMT
Step 9: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Valid
usercert\s+Valid
Output:
-------------------------------------------------------------------------------------
Certificate      Status    Usage          NotBefore                   NotAfter
-------------------------------------------------------------------------------------
ca               Valid     Signature      Dec 14 10:00:35 2023 GMT    Dec 14 10:10:34 2053 GMT
ra               Valid     Encipherment   Dec 21 09:33:45 2023 GMT    Dec 20 09:33:45 2025 GMT
ra-2             Valid     Signature      Dec 21 09:33:43 2023 GMT    Dec 20 09:33:43 2025 GMT
usercert         Valid     -              May 14 08:07:26 2025 GMT    May 14 12:07:26 2025 GMT
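As an added check that is not part of the original test scenario, the following Python parses the pki scep show CSR table above and, beyond the two regular expressions the step itself matches, confirms that the CA and user certificate are inside their validity window and warns when the user certificate is close to expiry (the one issued here is valid for only four hours). The sample table is constructed from the DUT0 output; the 30-minute warning threshold and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the 'pki scep show CSR' table as printed by DUT0 above.
SCEP_SHOW_OUTPUT = """\
-------------------------------------------------------------------------------------
Certificate      Status    Usage          NotBefore                   NotAfter
-------------------------------------------------------------------------------------
ca               Valid     Signature      Dec 14 10:00:35 2023 GMT    Dec 14 10:10:34 2053 GMT
ra               Valid     Encipherment   Dec 21 09:33:45 2023 GMT    Dec 20 09:33:45 2025 GMT
ra-2             Valid     Signature      Dec 21 09:33:43 2023 GMT    Dec 20 09:33:43 2025 GMT
usercert         Valid     -              May 14 08:07:24 2025 GMT    May 14 12:07:24 2025 GMT
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"
DATE_RE = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} GMT"
# One certificate row: name, status, usage, NotBefore, NotAfter.
# The header and separator lines carry no date, so they never match.
ROW_RE = re.compile(
    rf"^(?P<name>\S+)\s+(?P<status>\S+)\s+(?P<usage>\S+)\s+"
    rf"(?P<not_before>{DATE_RE})\s+(?P<not_after>{DATE_RE})\s*$"
)


def utc(*args):
    """Build an aware UTC datetime (the table's timestamps are GMT)."""
    return datetime(*args, tzinfo=timezone.utc)


def _parse_date(text):
    # Collapse the padding openssl uses for single-digit days ("Dec  4").
    return datetime.strptime(" ".join(text.split()), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_scep_table(text):
    """Return {name: {status, usage, not_before, not_after}} for every row."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            certs[m["name"]] = {
                "status": m["status"],
                "usage": m["usage"],
                "not_before": _parse_date(m["not_before"]),
                "not_after": _parse_date(m["not_after"]),
            }
    return certs


def matches_expected(text, patterns=(r"ca\s+Valid", r"usercert\s+Valid")):
    """The regular-expression check the test step itself performs."""
    return all(re.search(p, text) for p in patterns)


def check_credentials(text, now, required=("ca", "usercert"),
                      min_remaining=timedelta(minutes=30)):
    """Return (ok, issues).

    Each required certificate must be present, reported Valid by the device and
    inside its validity window at `now`.  A certificate closer than
    `min_remaining` to expiry is also reported, so a short-lived user
    certificate is noticed before IKE authentication starts failing.
    """
    certs = parse_scep_table(text)
    issues = []
    for name in required:
        cert = certs.get(name)
        if cert is None:
            issues.append(f"{name}: missing from SCEP store")
            continue
        if cert["status"] != "Valid":
            issues.append(f"{name}: status {cert['status']}")
        if not (cert["not_before"] <= now <= cert["not_after"]):
            issues.append(f"{name}: outside validity window at {now.isoformat()}")
        elif cert["not_after"] - now < min_remaining:
            issues.append(f"{name}: expires in {cert['not_after'] - now}")
    return (not issues, issues)


if __name__ == "__main__":
    print(matches_expected(SCEP_SHOW_OUTPUT))
    print(check_credentials(SCEP_SHOW_OUTPUT, utc(2025, 5, 14, 9, 0)))
    print(check_credentials(SCEP_SHOW_OUTPUT, utc(2025, 5, 14, 11, 50)))
```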
Note
Now, the credentials are ready, so let’s configure the VPN site-to-site tunnel.
Step 10: Modify the following configuration lines in DUT0:
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes256
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 11: Modify the following configuration lines in DUT2:
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes256
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 12: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b5305bb70e800308_i* 937d4657ba285540_r
  local  'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 19s ago, rekeying in 21754s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 19s ago, rekeying in 15282s, expires in 31661s
    in  cd5da1d5,      0 bytes,     0 packets
    out cdb3c0eb,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 192.168.2.0/24
Step 13: Run command vpn ipsec show sa at DUT2 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
Output:
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b5305bb70e800308_i 937d4657ba285540_r*
  local  'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 19s ago, rekeying in 21609s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 19s ago, rekeying in 23128s, expires in 31661s
    in  cdb3c0eb,      0 bytes,     0 packets
    out cd5da1d5,      0 bytes,     0 packets
    local  192.168.2.0/24
    remote 192.168.1.0/24
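As an added example that is not part of the original scenario, this Python parses the vpn ipsec show sa output above, confirms that the IKE SA is ESTABLISHED between the certificate identities the SCEP enrolment was meant to produce, and reports the algorithm choices this test relies on: NULL encryption and SHA-1 integrity give an authenticated but not confidential tunnel, which is adequate for a lab check of certificate authentication but not for production traffic. The sample output is constructed from the DUT0 step above; the expected distinguished names are supplied by the caller.

```python
import re

# Constructed sample: the 'vpn ipsec show sa' output printed by DUT0 above.
SHOW_SA_OUTPUT = """\
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b5305bb70e800308_i* 937d4657ba285540_r
  local  'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 19s ago, rekeying in 21754s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 19s ago, rekeying in 15282s, expires in 31661s
    in  cd5da1d5,      0 bytes,     0 packets
    out cdb3c0eb,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 192.168.2.0/24
"""

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z]+), (?P<version>IKEv[12])")
ID_RE = re.compile(r"^(?P<side>local|remote)\s+'(?P<dn>[^']+)' @ (?P<addr>[\d.]+)\[(?P<port>\d+)\]")
ALGS_RE = re.compile(r"^(?P<enc>[A-Z0-9_]+)/(?P<integ>[A-Z0-9_]+)/(?P<prf>[A-Z0-9_]+)/(?P<dh>[A-Z0-9_]+)$")
CHILD_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), reqid \d+, (?P<state>[A-Z]+), "
                      r"(?P<mode>[A-Z]+), ESP:(?P<algs>[A-Z0-9_/]+)")
TS_RE = re.compile(r"^(?P<side>local|remote)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)$")

WEAK_ENCRYPTION = {"NULL"}      # integrity only, no confidentiality
LEGACY_HASHES = ("SHA1", "MD5")


def parse_show_sa(text):
    """Return the IKE SA as a dict with its CHILD SAs under 'children'.

    This scenario has a single IKE SA; if several were listed, the last one
    parsed would be returned.
    """
    sa, child = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_RE.match(line):
            sa = {**m.groupdict(), "children": []}
            child = None
        elif sa is None:
            continue                      # nothing before the first IKE SA line
        elif m := CHILD_RE.match(line):
            child = {**m.groupdict(), "esp": m["algs"].split("/")}
            sa["children"].append(child)
        elif m := ID_RE.match(line):      # quoted DN lines belong to the IKE SA
            sa[m["side"]] = {"dn": m["dn"], "addr": m["addr"], "port": int(m["port"])}
        elif m := ALGS_RE.match(line):
            sa["ike_algs"] = m.groupdict()
        elif child is not None and (m := TS_RE.match(line)):
            child[m["side"] + "_prefix"] = m["prefix"]
    return sa


def audit_sa(text, expected_local_dn, expected_remote_dn):
    """Return (ok, findings).

    `ok` is True only when the IKE SA is ESTABLISHED, both certificate
    identities are the expected ones and a CHILD SA is INSTALLED.  Weak
    algorithm choices are appended as findings but do not clear `ok`, so a
    lab tunnel still passes while the operator sees what it does not protect.
    """
    sa = parse_show_sa(text)
    if sa is None:
        return False, ["no IKE SA in output"]
    findings = []
    if sa["state"] != "ESTABLISHED":
        findings.append(f"IKE SA state {sa['state']}")
    for side, want in (("local", expected_local_dn), ("remote", expected_remote_dn)):
        got = sa.get(side, {}).get("dn")
        if got != want:
            findings.append(f"{side} identity {got!r}, expected {want!r}")
    if not sa["children"]:
        findings.append("no CHILD SA installed")
    for child in sa["children"]:
        if child["state"] != "INSTALLED":
            findings.append(f"{child['name']}: state {child['state']}")
    ok = not findings

    algs = sa.get("ike_algs", {})
    if algs.get("enc") in WEAK_ENCRYPTION:
        findings.append("IKE encryption NULL: the IKE channel is authenticated but not private")
    for child in sa["children"]:
        if child["esp"][0] in WEAK_ENCRYPTION:
            findings.append(f"{child['name']}: ESP NULL encryption, payload crosses the tunnel in cleartext")
    used = [algs.get("integ", ""), algs.get("prf", "")] + [c["esp"][-1] for c in sa["children"]]
    legacy = sorted({a for a in used if any(h in a for h in LEGACY_HASHES)})
    if legacy:
        findings.append("legacy integrity/PRF algorithms: " + ", ".join(legacy))
    return ok, findings


if __name__ == "__main__":
    ok, findings = audit_sa(SHOW_SA_OUTPUT, "DC=scep, DC=com, CN=entity1", "DC=scep, DC=com, CN=entity2")
    print(ok)
    print("\n".join(findings))
```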
Step 14: Run command pki show remote-certificate site-to-site PEER filter-issuer TELDAT at DUT0 and check if output contains the following tokens:
DC = scep, DC = com, CN = entity2
Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:78:95:52:85:a4:d5:19:bc:b0:00:00:00:00:da:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:07:24 2025 GMT
            Not After : May 14 12:07:24 2025 GMT
        Subject: DC = scep, DC = com, CN = entity1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2F:C0:60:6B:E6:CA:E0:0B:9A:A4:33:E9:E7:39:75:14:D2:94:99:3F
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:79:5c:94:fd:9b:52:fe:ed:d5:00:00:00:00:da:79
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:07:26 2025 GMT
            Not After : May 14 12:07:26 2025 GMT
        Subject: DC = scep, DC = com, CN = entity2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F4:FA:A3:2D:3A:53:83:E2:96:C3:4A:C4:73:F2:FE:03:D5:A8:D7:BB
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:ea:6d:57:94:fe:a5:9c:42:14:81:ca:79:1b:75:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: Dec 14 10:00:35 2023 GMT
            Not After : Dec 14 10:10:34 2053 GMT
        Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
    Signature Algorithm: sha256WithRSAEncryption
Step 15: Run command pki show remote-certificate site-to-site PEER filter-issuer TELDAT at DUT2 and check if output contains the following tokens:
DC = scep, DC = com, CN = entity1
Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:78:95:52:85:a4:d5:19:bc:b0:00:00:00:00:da:78
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:07:24 2025 GMT
            Not After : May 14 12:07:24 2025 GMT
        Subject: DC = scep, DC = com, CN = entity1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2F:C0:60:6B:E6:CA:E0:0B:9A:A4:33:E9:E7:39:75:14:D2:94:99:3F
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:79:5c:94:fd:9b:52:fe:ed:d5:00:00:00:00:da:79
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:07:26 2025 GMT
            Not After : May 14 12:07:26 2025 GMT
        Subject: DC = scep, DC = com, CN = entity2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F4:FA:A3:2D:3A:53:83:E2:96:C3:4A:C4:73:F2:FE:03:D5:A8:D7:BB
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:ea:6d:57:94:fe:a5:9c:42:14:81:ca:79:1b:75:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: Dec 14 10:00:35 2023 GMT
            Not After : Dec 14 10:10:34 2053 GMT
        Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
    Signature Algorithm: sha256WithRSAEncryption
Step 16: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1
Output:
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.465 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.465/0.465/0.465/0.000 ms
Step 17: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1
Output:
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.426 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.426/0.426/0.426/0.000 ms
Step 18: Run command pki scep request-ca CSR at DUT0 and check if output contains the following tokens:
CA certificates acquisition completed successfully
Output:
CA certificates acquisition completed successfully for CSR 'CSR'
Step 19: Run command pki scep request-ca CSR at DUT2 and check if output contains the following tokens:
CA certificates acquisition completed successfully
Output:
CA certificates acquisition completed successfully for CSR 'CSR'
Test SCEP Credentials Not Ready
Description
In this scenario, the credentials (X509 certificates) are not yet available when the VPN configuration is committed. Once the credentials have been downloaded, the VPN tunnel is set up automatically.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24
set protocols static route 192.168.212.0/22 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT2:
set interfaces ethernet eth1 address 10.215.168.66/24
set protocols static route 192.168.212.0/22 next-hop 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1
Output:
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data.
64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.512 ms

--- 192.168.213.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.512/0.512/0.512/0.000 ms
Step 4: Ping IP address 192.168.213.25 from DUT2:
admin@DUT2$ ping 192.168.213.25 count 1 size 56 timeout 1
Output:
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data.
64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.543 ms

--- 192.168.213.25 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.543/0.543/0.543/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
set interfaces dummy dum0 address 192.168.1.1/24
set interfaces ethernet eth0 address 8.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 8.0.0.1
set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe
set system certificate scep csr CSR distinguished-names 'DC=scep, DC=com, CN=entity1'
set system certificate scep csr CSR encrypted-password U2FsdGVkX1/LV4ldjObD3tDtcLjhek5g3Hdf+ADnJL8Ta3uZIv7gmm8ejxJNjk/rQtTzVNZv7HtVc5RFvOPqhA==
set system certificate scep csr CSR port 443
set system certificate scep csr CSR url 'http://192.168.213.25/'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes256
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type initiate
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 8.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 9.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.2.0/24
Step 6: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 8.0.0.1/24
set interfaces ethernet eth1 address 9.0.0.1/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 7: Modify the following configuration lines in DUT2:
set interfaces dummy dum0 address 192.168.2.1/24
set interfaces ethernet eth0 address 9.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 9.0.0.1
set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe
set system certificate scep csr CSR distinguished-names 'DC=scep, DC=com, CN=entity2'
set system certificate scep csr CSR encrypted-password U2FsdGVkX19k1hHObAXXDc7rCZKPV9hPGteRa3uMTnjbINA63DAqjHiBGWtmKCpt3IiknRE4Wl8K8UkjntziFw==
set system certificate scep csr CSR port 443
set system certificate scep csr CSR url 'http://192.168.213.25/'
set vpn ipsec auth-profile AUTH local csr CSR
set vpn ipsec auth-profile AUTH mirror-config false
set vpn ipsec auth-profile AUTH mode x509
set vpn ipsec esp-group ESP-POLICY lifetime 28800
set vpn ipsec esp-group ESP-POLICY proposal 1 encryption null
set vpn ipsec esp-group ESP-POLICY proposal 1 hash sha1
set vpn ipsec esp-group ESP-POLICY proposal 1 pfs dh-group15
set vpn ipsec ike-group IKE-POLICY key-exchange ikev2
set vpn ipsec ike-group IKE-POLICY lifetime 28800
set vpn ipsec ike-group IKE-POLICY proposal 1 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 1 encryption null
set vpn ipsec ike-group IKE-POLICY proposal 1 hash sha1
set vpn ipsec ike-group IKE-POLICY proposal 2 dh-group 15
set vpn ipsec ike-group IKE-POLICY proposal 2 encryption aes256
set vpn ipsec ike-group IKE-POLICY proposal 2 hash sha1
set vpn ipsec logging log-types any log-level 1
set vpn ipsec site-to-site peer PEER auth-profile AUTH
set vpn ipsec site-to-site peer PEER connection-type respond
set vpn ipsec site-to-site peer PEER ike-group IKE-POLICY
set vpn ipsec site-to-site peer PEER local-address 9.0.0.2
set vpn ipsec site-to-site peer PEER remote-address 8.0.0.2
set vpn ipsec site-to-site peer PEER tunnel 1 esp-group ESP-POLICY
set vpn ipsec site-to-site peer PEER tunnel 1 local prefix 192.168.2.0/24
set vpn ipsec site-to-site peer PEER tunnel 1 remote prefix 192.168.1.0/24
Step 8: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Uninitialized
usercert\s+Uninitialized
------------------------------------------------------
Certificate   Status          Usage   NotBefore   NotAfter
------------------------------------------------------
ca            Uninitialized   -       -           -
usercert      Uninitialized   -       -           -
Step 9: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Uninitialized
usercert\s+Uninitialized
------------------------------------------------------
Certificate   Status          Usage   NotBefore   NotAfter
------------------------------------------------------
ca            Uninitialized   -       -           -
usercert      Uninitialized   -       -           -
Note
The credentials are not downloaded at this point because the port used to reach the PKI server is deliberately misconfigured (443, whereas the next steps set it to 80). Once the credentials are ready, the VPN should be established automatically.
Step 10: Modify the following configuration lines in DUT2:
set system certificate scep csr CSR port 80
Step 11: Modify the following configuration lines in DUT0:
set system certificate scep csr CSR port 80
Step 12: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid
usercert\s+Valid
-------------------------------------------------------------------------------------
Certificate   Status   Usage          NotBefore                  NotAfter
-------------------------------------------------------------------------------------
ca            Valid    Signature      Dec 14 10:00:35 2023 GMT   Dec 14 10:10:34 2053 GMT
ra            Valid    Encipherment   Dec 21 09:33:45 2023 GMT   Dec 20 09:33:45 2025 GMT
ra-2          Valid    Signature      Dec 21 09:33:43 2023 GMT   Dec 20 09:33:43 2025 GMT
usercert      Valid    -              May 14 08:08:58 2025 GMT   May 14 12:08:58 2025 GMT
Step 13: Run command pki scep show CSR at DUT2 and check if output matches the following regular expressions:
ca\s+Valid
usercert\s+Valid
-------------------------------------------------------------------------------------
Certificate   Status   Usage          NotBefore                  NotAfter
-------------------------------------------------------------------------------------
ca            Valid    Signature      Dec 14 10:00:35 2023 GMT   Dec 14 10:10:34 2053 GMT
ra            Valid    Encipherment   Dec 21 09:33:45 2023 GMT   Dec 20 09:33:45 2025 GMT
ra-2          Valid    Signature      Dec 21 09:33:43 2023 GMT   Dec 20 09:33:43 2025 GMT
usercert      Valid    -              May 14 08:08:52 2025 GMT   May 14 12:08:52 2025 GMT
Step 14: Run command vpn ipsec show sa at DUT0 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b72bb4bccb531cad_i* cfcce717cd2a2718_r
  local  'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 20s ago, rekeying in 14956s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 20s ago, rekeying in 18938s, expires in 31660s
    in  c98235d2,      0 bytes,     0 packets
    out c4b21c73,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 192.168.2.0/24
Step 15: Run command vpn ipsec show sa at DUT2 and check if output matches the following regular expressions:
vpn-peer-PEER: \#\d, ESTABLISHED, IKEv2
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b72bb4bccb531cad_i cfcce717cd2a2718_r*
  local  'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 20s ago, rekeying in 20176s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 20s ago, rekeying in 15552s, expires in 31660s
    in  c4b21c73,      0 bytes,     0 packets
    out c98235d2,      0 bytes,     0 packets
    local  192.168.2.0/24
    remote 192.168.1.0/24
Step 16: Run command pki show remote-certificate site-to-site PEER filter-issuer TELDAT at DUT0 and check if output contains the following tokens:
DC = scep, DC = com, CN = entity2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:7c:06:7c:76:b8:2e:4e:80:c2:00:00:00:00:da:7c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:08:58 2025 GMT
            Not After : May 14 12:08:58 2025 GMT
        Subject: DC = scep, DC = com, CN = entity1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B9:C2:30:C4:26:FD:44:50:7D:C7:C9:32:DA:78:FC:8A:FE:24:F2:DA
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            1.3.6.1.4.1.311.21.7: [binary value omitted]
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
            1.3.6.1.4.1.311.21.10: [binary value omitted]
            S/MIME Capabilities: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:7b:04:3f:6f:d9:91:73:4d:20:00:00:00:00:da:7b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:08:52 2025 GMT
            Not After : May 14 12:08:52 2025 GMT
        Subject: DC = scep, DC = com, CN = entity2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7C:91:FA:98:81:0D:72:E8:3D:61:2E:8F:32:23:4C:EF:4B:B5:4D:B3
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            1.3.6.1.4.1.311.21.7: [binary value omitted]
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
            1.3.6.1.4.1.311.21.10: [binary value omitted]
            S/MIME Capabilities: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:ea:6d:57:94:fe:a5:9c:42:14:81:ca:79:1b:75:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: Dec 14 10:00:35 2023 GMT
            Not After : Dec 14 10:10:34 2053 GMT
        Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: [binary value omitted]
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            1.3.6.1.4.1.311.21.1: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
Step 17: Run command pki show remote-certificate site-to-site PEER filter-issuer TELDAT at DUT2 and check if output contains the following tokens:
DC = scep, DC = com, CN = entity1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:7c:06:7c:76:b8:2e:4e:80:c2:00:00:00:00:da:7c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:08:58 2025 GMT
            Not After : May 14 12:08:58 2025 GMT
        Subject: DC = scep, DC = com, CN = entity1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B9:C2:30:C4:26:FD:44:50:7D:C7:C9:32:DA:78:FC:8A:FE:24:F2:DA
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            1.3.6.1.4.1.311.21.7: [binary value omitted]
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
            1.3.6.1.4.1.311.21.10: [binary value omitted]
            S/MIME Capabilities: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:00:00:da:7b:04:3f:6f:d9:91:73:4d:20:00:00:00:00:da:7b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: May 14 08:08:52 2025 GMT
            Not After : May 14 12:08:52 2025 GMT
        Subject: DC = scep, DC = com, CN = entity2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7C:91:FA:98:81:0D:72:E8:3D:61:2E:8F:32:23:4C:EF:4B:B5:4D:B3
            X509v3 Authority Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            1.3.6.1.4.1.311.21.7: [binary value omitted]
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2
            1.3.6.1.4.1.311.21.10: [binary value omitted]
            S/MIME Capabilities: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
----------------------------------------------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:ea:6d:57:94:fe:a5:9c:42:14:81:ca:79:1b:75:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Validity
            Not Before: Dec 14 10:00:35 2023 GMT
            Not After : Dec 14 10:10:34 2053 GMT
        Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: [binary value omitted]
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8
            1.3.6.1.4.1.311.21.1: [binary value omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [signature omitted]
Step 18: Ping IP address 192.168.2.1 from DUT0:
admin@DUT0$ ping 192.168.2.1 local-address 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.466 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.466/0.466/0.466/0.000 ms
Step 19: Ping IP address 192.168.1.1 from DUT2:
admin@DUT2$ ping 192.168.1.1 local-address 192.168.2.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) from 192.168.2.1 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.439 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.439/0.439/0.439/0.000 ms
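The checks the steps above apply by eye, as an added example that is not part of the original scenario or of the OSDx software: it parses the `pki scep show CSR` table and the `vpn ipsec show sa` listing (sample text copied from the outputs shown here), applies the scenario's own ca/usercert checks, and adds two things a reviewer would want to see: the user certificate's validity window measured against the configured 28800 s lifetimes, and whether the established SA actually encrypts (the `encryption null` proposals give integrity only). All function names are assumptions of this example.

```python
# Added example (not OSDx code; helper names are assumptions): checks over the
# `pki scep show CSR` and `vpn ipsec show sa` outputs shown in this scenario.
import re
from datetime import datetime

# Constructed sample inputs, copied from the outputs shown in the steps above.
SCEP_UNINITIALIZED = """\
Certificate   Status          Usage   NotBefore   NotAfter
ca            Uninitialized   -       -           -
usercert      Uninitialized   -       -           -
"""
SCEP_VALID = """\
Certificate   Status   Usage          NotBefore                  NotAfter
ca            Valid    Signature      Dec 14 10:00:35 2023 GMT   Dec 14 10:10:34 2053 GMT
ra            Valid    Encipherment   Dec 21 09:33:45 2023 GMT   Dec 20 09:33:45 2025 GMT
usercert      Valid    -              May 14 08:08:58 2025 GMT   May 14 12:08:58 2025 GMT
"""
SA_DUT0 = """\
vpn-peer-PEER: #1, ESTABLISHED, IKEv2, b72bb4bccb531cad_i* cfcce717cd2a2718_r
  local  'DC=scep, DC=com, CN=entity1' @ 8.0.0.2[500]
  remote 'DC=scep, DC=com, CN=entity2' @ 9.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 20s ago, rekeying in 14956s
  peer-PEER-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
"""

# A table row is name, status, usage and two date slots that may be "-";
# header and ruler lines never match ROW, so they are skipped automatically.
DATE = r"(?:-|[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} GMT)"
ROW = re.compile(rf"^(\S+)\s+(\S+)\s+(\S+)\s+({DATE})\s+({DATE})\s*$")
IKE_HDR = re.compile(r"^vpn-peer-(\S+): #(\d+), (\w+), (IKEv\d)")
PEER_ID = re.compile(r"^(local|remote)\s+'([^']*)' @ (\S+)")
ESP_PROP = re.compile(r"ESP:([A-Z0-9_]+)/([A-Z0-9_]+)")
IKE_PROP = re.compile(r"^([A-Z0-9_]+)/([A-Z0-9_]+)/")  # encr/integ/prf/dh

def _date(slot):
    """'-' means the slot is empty (certificate not retrieved yet)."""
    return None if slot == "-" else datetime.strptime(slot, "%b %d %H:%M:%S %Y GMT")

def parse_scep_table(text):
    """Parse `pki scep show CSR` output into {name: {status, usage, dates}}."""
    table = {}
    for line in text.splitlines():
        if m := ROW.match(line.strip()):
            name, status, usage, nb, na = m.groups()
            table[name] = {"status": status, "usage": usage,
                           "not_before": _date(nb), "not_after": _date(na)}
    return table

def credentials_ready(table):
    """The scenario's own check: both `ca` and `usercert` report Valid."""
    return all(table.get(n, {}).get("status") == "Valid" for n in ("ca", "usercert"))

def usercert_validity_seconds(table):
    row = table["usercert"]
    return int((row["not_after"] - row["not_before"]).total_seconds())

def cert_outlives_sa(table, sa_lifetime_s):
    """False when the user certificate expires before the first SA rekey is due,
    i.e. re-authentication would already need a renewed certificate."""
    return usercert_validity_seconds(table) >= sa_lifetime_s

def parse_sa(text):
    """Parse `vpn ipsec show sa` output: IKE state, peer identities, proposals."""
    sa = {"established": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IKE_HDR.match(line):
            sa.update(peer=m[1], state=m[3], version=m[4], established=m[3] == "ESTABLISHED")
        elif m := PEER_ID.match(line):
            sa[m[1] + "_id"] = m[2]
        elif m := ESP_PROP.search(line):
            sa["esp"] = {"encr": m[1], "integ": m[2]}
        elif m := IKE_PROP.match(line):
            sa["ike"] = {"encr": m[1], "integ": m[2]}
    return sa

def sa_encrypts(sa):
    """True only when neither the IKE SA nor the ESP SA negotiated NULL encryption;
    with this scenario's `encryption null` proposals the tunnel is integrity-only."""
    return all(sa.get(k, {}).get("encr", "NULL") != "NULL" for k in ("ike", "esp"))

if __name__ == "__main__":
    after = parse_scep_table(SCEP_VALID)
    print(credentials_ready(parse_scep_table(SCEP_UNINITIALIZED)), credentials_ready(after))  # False True
    print(usercert_validity_seconds(after), cert_outlives_sa(after, 28800))  # 14400 False
    sa = parse_sa(SA_DUT0)
    print(sa["remote_id"], sa["ike"]["encr"], sa_encrypts(sa))  # DC=scep, DC=com, CN=entity2 NULL False
```

With the page's values the user certificate is valid for 4 hours (14400 s) while both lifetimes are 28800 s, so a renewed certificate is needed before the first rekey; `sa_encrypts` returning False confirms that the NULL/HMAC_SHA1_96 SA shown in steps 14 and 15 protects integrity only.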