Issuing an SSG certificate from a Microsoft certificate authority

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The security requirements for setting up IPsec keep rising, and the pre-shared key method now looks a little weak.

Exchanging security information with certificates is the better method.

The SSG line comes from NetScreen, and for a long time now (since at least version 5.0) this could be done from the web management interface.

The operation is very simple.

Objects > Certificates > New

Fill in the relevant information (country, region, name and so on) as you see fit. IP address is also a field; include it if you need it, but I personally think it is better to leave it blank so that you are not tied to it if the IP changes in the future.

Key Pair Information: choose RSA. Microsoft's certificate authority supports RSA but not DSA; I have not tried ECDSA.

Key length: the higher the better, of course. 2048 bits is no problem for a Windows 2008 R2 certificate authority.

Then wait a moment and the request appears on screen (the original article shows a screenshot here).

Save to file just downloads the garbled-looking text in that box (the Base64 PKCS#10 request) into a txt file; either way is fine.

Do not click Generate selfsigned cert: that is a self-signed operation, not issuance by a third-party authority.

At this point, open the Microsoft certificate web enrollment page directly and apply using an account with administrator privileges.

Select the option to submit a PKCS#10 request, choose Web Server as the certificate type, paste all the text copied above into the Base64 field and submit. Depending on the certificate service settings, it is either issued immediately or held for manual approval; it is usually issued immediately.

You can then see the certificate download link. Download it, and note that there are two downloads: the issued certificate and the certificate authority's root certificate. Then return to the SSG certificate management screen.

Select the file and load the local certificate. After loading the root certificate as well, you will see the root certificate in the Show: CA view.

The Show: Local view will show that the pending certificate, whose Serial# was all zeros, has now been issued.

The root certificate is required: the two endpoints of the ipsec*** must use the same certificate authority, that is, the same root certificate, which ensures that each side can verify that the peer's certificate is legitimate.

In addition, I should emphasize something that cost me dearly. When I set up the Microsoft certificate authority I used SHA-512, which is too high. SSG, including SRX, currently only supports up to SHA-256, so the certificate issued by the Microsoft certificate authority reports an error as soon as it is uploaded to the SSG, whereas FortiGate can support SHA-512. After looking in a lot of places I found that it is not supported. In fact, when you get to the phase 1 IPsec configuration, you can check whether SHA-512 is selectable to see whether it is supported.
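As an added example (not code from the original post), the following PowerShell performs the CA-side steps above with certreq/certutil and checks the issued certificate and the root certificate for the limits the post describes (RSA key, 2048 bits or more, hash no higher than SHA-256) before they are uploaded to the SSG. The CA config string, template name and file names are placeholders.

```powershell
# Added example, not from the original post. Submits the PKCS#10 request exported from
# the SSG to the Microsoft CA, fetches the CA root certificate, and checks both files
# for the conditions the post describes before they are uploaded to the SSG.
# Placeholders (assumptions): CA config string, template name and file names.
$CaConfig   = 'CAHOST\Example-CA'    # "<server>\<CA common name>"; placeholder
$Template   = 'WebServer'            # the "Web Server" template chosen in the post
$RequestTxt = '.\ssg-request.txt'    # Base64 PKCS#10 text saved from the SSG
$CertOut    = '.\ssg-cert.cer'
$RootOut    = '.\ca-root.cer'

function Test-SsgCompatibleCert {
    # Returns $true when the certificate uses an RSA key of at least 2048 bits and a
    # signature hash the SSG/SRX accept (SHA-1 or SHA-256); SHA-384/SHA-512 fails.
    param([Parameter(Mandatory)][string]$Path)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA, sha512RSA
    $keyAlg = $cert.PublicKey.Oid.FriendlyName           # RSA, DSA, ECC
    if ($keyAlg -ne 'RSA') { Write-Warning "${Path}: SSG needs an RSA key, got $keyAlg"; return $false }
    $bits = $cert.PublicKey.Key.KeySize                  # safe to read once we know it is RSA
    Write-Host ("{0}: key={1}/{2} sig={3}" -f $Path, $keyAlg, $bits, $sigAlg)
    if ($bits -lt 2048)               { Write-Warning "${Path}: key shorter than 2048 bits"; return $false }
    if ($sigAlg -match 'sha(384|512)') { Write-Warning "${Path}: hash above SHA-256, SSG will reject it"; return $false }
    return $true
}

# 1. Hash the CA uses for new certificates (KSP-based CA). If this reports SHA512 the SSG
#    will reject the issued certificate; switch to SHA256 and restart CertSvc before issuing:
#    certutil -setreg ca\csp\CNGHashAlgorithm SHA256 ; Restart-Service CertSvc
certutil -config $CaConfig -getreg ca\csp\CNGHashAlgorithm

# 2. Submit the SSG's request. If the CA holds requests for manual approval, certreq prints
#    a RequestId; approve it in the CA console, then:
#    certreq -retrieve -config $CaConfig <RequestId> $CertOut
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $RequestTxt $CertOut

# 3. Fetch the CA's own (root) certificate; both VPN peers must load this same root.
certutil -config $CaConfig -ca.cert $RootOut

# 4. Check both files before uploading them through Objects > Certificates on the SSG.
$ready = (Test-SsgCompatibleCert $CertOut) -and (Test-SsgCompatibleCert $RootOut)
if ($ready) { Write-Host 'Both certificates are within the SSG limits; upload them now.' }
```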
