The vSRX version used for this test is 20.3R1.8.
root> show system license keys
E420588955 aeaqic adaf3t ycyigi ydcnjq gyzdkd aqozjv
ewbnjj 2w42lq mvzek5 tbnqds q2z422 q2zhf6
in4xyz khwmba spauzq 55cwig lifpsh vfs27g
sjvovn ktxafq kji4r2 kf
What ADVPN (Auto Discovery VPN) is: see the H3C explanation at the link below.
http://www.h3c.com/cn/d_201311/804326_30008_0.htm
Installing SCEP (Microsoft NDES) on Windows Server 2016: see the following article.
https://blog.csdn.net/ly_6118/article/details/105833169
Note: AD Certificate Services does not require the server to be a root domain controller or a domain member.
The devices enroll against the following URL:
http://10.5.245.15/certsrv/mscep/mscep.dll
The challenge password is obtained from the following URL (the administrator password is required).
A separate challenge password must be requested for each of HUB, SPOKE1 and SPOKE2, because each challenge password can be used only once (and, by NDES default, expires after 60 minutes):
http://10.5.245.15/CertSrv/mscep_admin/
Once SCEP is set up, the next step is to configure the certificate parameters on the devices.
Step 1: configure the CA profile on HUB, SPOKE1 and SPOKE2. Note that revocation-check disable turns off CRL/OCSP checking, so a device certificate revoked on the CA would still be accepted; this is acceptable only for the lab.
set security pki ca-profile ROOT-CA ca-identity ROOT-CA
set security pki ca-profile ROOT-CA enrollment url http://10.5.245.15/certsrv/mscep/mscep.dll
set security pki ca-profile ROOT-CA enrollment retry 5
set security pki ca-profile ROOT-CA enrollment retry-interval 10
set security pki ca-profile ROOT-CA revocation-check disable
commit
Step 2: enroll the CA certificate on HUB, SPOKE1 and SPOKE2
root@VSRX-HUB> request security pki ca-certificate enroll ca-profile ROOT-CA
root@VSRX-SPOKE1> request security pki ca-certificate enroll ca-profile ROOT-CA
root@VSRX-SPOKE2> request security pki ca-certificate enroll ca-profile ROOT-CA
Step 3: generate the local key pair on HUB, SPOKE1 and SPOKE2
root@VSRX-HUB> request security pki generate-key-pair certificate-id Suggester_Certificate_ID
root@VSRX-SPOKE1> request security pki generate-key-pair certificate-id Partner1_Certificate_ID
root@VSRX-SPOKE2> request security pki generate-key-pair certificate-id Partner2_Certificate_ID
Step 4: enroll the local certificate on HUB, SPOKE1 and SPOKE2:
On the HUB:
root@VSRX-HUB> request security pki local-certificate enroll ca-profile ROOT-CA certificate-id Suggester_Certificate_ID \
domain-name 173ops.com \
subject "DC=173ops.com,CN=hub,O=XYZ,OU=Sales,L=BJ,ST=KA,C=IN" challenge-password DCA977FC61224221
On the CA, review the pending certificate request and issue the certificate for the HUB.
On SPOKE1:
root@VSRX-SPOKE1> request security pki local-certificate enroll ca-profile ROOT-CA certificate-id Partner1_Certificate_ID \
domain-name 173ops.com \
subject "DC=173ops.com,CN=spoke1,O=XYZ,OU=Sales,L=SH,ST=KA,C=IN" challenge-password 2528F86DF3756374
On the CA, review the pending request and issue the certificate for SPOKE1 (omitted; same as for the HUB).
On SPOKE2:
root@VSRX-SPOKE2> request security pki local-certificate enroll ca-profile ROOT-CA certificate-id Partner2_Certificate_ID \
domain-name 173ops.com \
subject "DC=173ops.com,CN=spoke2,O=XYZ,OU=Sales,L=FZ,ST=KA,C=IN" challenge-password 9D6E6C4D1509F82F
On the CA, review the pending request and issue the certificate for SPOKE2 (omitted; same as for the HUB).
Verify that the CA certificate and the local certificate validate successfully on each device:
root@VSRX-HUB> request security pki ca-certificate verify ca-profile ROOT-CA
CA certificate ROOT-CA verified successfully
root@VSRX-HUB> request security pki local-certificate verify certificate-id Suggester_Certificate_ID
Local certificate Suggester_Certificate_ID verification success
root@VSRX-SPOKE1> request security pki ca-certificate verify ca-profile ROOT-CA
CA certificate ROOT-CA verified successfully
root@VSRX-SPOKE1> request security pki local-certificate verify certificate-id Partner1_Certificate_ID
Local certificate Partner1_Certificate_ID verification success
root@VSRX-SPOKE2> request security pki ca-certificate verify ca-profile ROOT-CA
CA certificate ROOT-CA verified successfully
root@VSRX-SPOKE2> request security pki local-certificate verify certificate-id Partner2_Certificate_ID
Local certificate Partner2_Certificate_ID verification success
Inspect the issued certificates:
root@VSRX-HUB> show security pki local-certificate detail
root@VSRX-SPOKE1> show security pki local-certificate detail
root@VSRX-SPOKE2> show security pki local-certificate detail
For example:
root@VSRX-SPOKE2> show security pki local-certificate detail
LSYS: root-logical-system
Certificate identifier: Partner2_Certificate_ID
Certificate version: 3
Serial number: 0x400000000610ff36169cf6b7a5000000000006
Issuer:
Common name: WIN2016
Subject:
Organization: XYZ, Organizational unit: Sales, Country: IN, State: KA, Locality: FZ, Common name: spoke2, Domain component: 173ops.com
Subject string:
C=IN, DC=173ops.com, ST=KA, L=FZ, O=XYZ, OU=Sales, CN=spoke2
Alternate subject: email empty, 173ops.com, ipv4 empty, ipv6 empty
Validity:
Not before: 02- 9-2021 06:37 UTC
Not after: 02- 9-2022 06:47 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:a8:d5:ca:8d:8b:33:30:b9:4f:7a:fb
83:a5:e7:73:b8:a7:37:03:21:3c:97:26:8a:74:55:d1:3f:29:8e:05
cb:7d:54:24:43:b7:4c:75:ef:fd:a1:59:73:79:35:8c:3a:de:e8:96
4f:9d:9a:ca:83:06:82:88:2f:b2:31:1e:18:6e:43:b9:80:b5:88:ce
ec:e8:30:22:c8:d9:33:8c:10:3e:6e:69:96:16:75:d1:02:63:67:e0
2e:bb:b8:d4:43:4d:75:96:26:67:30:b3:8c:1a:7c:10:08:be:63:ba
eb:a3:6d:90:d9:20:7b:ad:bc:ed:94:7c:b5:78:ed:e0:de:d7:e3:0d
94:ee:41:64:10:b6:23:72:fe:7f:cc:ce:52:89:b7:68:ac:1c:96:5f
b7:9d:79:46:6a:f8:ee:e3:17:2b:95:1c:e8:43:cc:13:74:1c:3f:21
cf:8a:ab:d0:e5:58:66:a1:db:3d:25:2b:98:39:16:01:9f:02:21:a8
b0:d9:73:8f:44:22:00:73:87:45:b1:fa:d7:df:f7:2e:99:56:ea:db
35:9a:1c:dc:3f:6e:9e:3d:13:8e:cb:2b:09:c2:38:89:ce:a6:1f:90
3f:c1:7e:7a:79:f7:af:ab:b8:1d:6c:3b:13:49:45:9d:c9:81:e9:6e
91:c0:28:7a:e5:02:03:01:00:01
Signature algorithm: sha256WithRSAEncryption
Distribution CRL:
file:////WIN-ID4QCNKTQPD/CertEnroll/WIN2016.crl
Fingerprint:
bf:f6:e2:cd:d5:d4:97:3f:1c:b4:03:9e:47:3a:a8:d7:0b:5d:cc:dc (sha1)
16:80:3b:2c:1e:36:3d:2b:f6:79:2f:9a:55:f2:de:24 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
-------------------------------------------------------------------------
HUB configuration. Two lab-only shortcuts to note before reusing it: host-inbound-traffic system-services all / protocols all on both zones together with default-policy permit-all let any traffic through, and sha1 with DH group 5 is weaker than the sha-256 and group14-or-higher options Junos also supports. The ADVPN-specific lines are advpn suggester (with advpn partner disable) and the dynamic gateway's distinguished-name wildcard O=XYZ,OU=Sales, which accepts any peer certificate issued by ROOT-CA that carries those two fields:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.15.1/24
set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.254/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 172.16.1.1/24
set protocols ospf graceful-restart restart-duration 300
set protocols ospf graceful-restart notify-duration 300
set protocols ospf graceful-restart no-strict-lsa-checking
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 retransmit-interval 1
set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.1 demand-circuit
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set routing-options graceful-restart
set routing-options static route 192.168.25.0/24 next-hop 192.168.15.254
set routing-options static route 192.168.35.0/24 next-hop 192.168.15.254
set routing-options router-id 172.16.1.1
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy IKE_POL mode main
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate Suggester_Certificate_ID
set security ike gateway SUGGESTER_GW ike-policy IKE_POL
set security ike gateway SUGGESTER_GW dynamic distinguished-name wildcard O=XYZ,OU=Sales
set security ike gateway SUGGESTER_GW dynamic ike-user-type group-ike-id
set security ike gateway SUGGESTER_GW dead-peer-detection
set security ike gateway SUGGESTER_GW local-identity distinguished-name
set security ike gateway SUGGESTER_GW external-interface ge-0/0/0.0
set security ike gateway SUGGESTER_GW local-address 192.168.15.1
set security ike gateway SUGGESTER_GW advpn partner disable
set security ike gateway SUGGESTER_GW advpn suggester
set security ike gateway SUGGESTER_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn SUGGESTER_VPN bind-interface st0.1
set security ipsec vpn SUGGESTER_VPN ike gateway SUGGESTER_GW
set security ipsec vpn SUGGESTER_VPN ike ipsec-policy IPSEC_POL
set security pki ca-profile ROOT-CA ca-identity ROOT-CA
set security pki ca-profile ROOT-CA enrollment url http://10.5.245.15/certsrv/mscep/mscep.dll
set security pki ca-profile ROOT-CA enrollment retry 5
set security pki ca-profile ROOT-CA enrollment retry-interval 10
set security pki ca-profile ROOT-CA revocation-check disable
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces st0.1
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies default-policy permit-all
SPOKE1 configuration (advpn partner with advpn suggester disable; the hub is matched by remote-identity distinguished-name container O=XYZ,OU=Sales):
set interfaces ge-0/0/0 unit 0 family inet address 192.168.25.1/24
set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.254/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 172.16.1.2/24
set protocols ospf graceful-restart restart-duration 300
set protocols ospf graceful-restart notify-duration 300
set protocols ospf graceful-restart no-strict-lsa-checking
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 metric 15
set protocols ospf area 0.0.0.0 interface st0.1 retransmit-interval 1
set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.1 demand-circuit
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set routing-options graceful-restart
set routing-options static route 192.168.15.0/24 next-hop 192.168.25.254
set routing-options static route 192.168.35.0/24 next-hop 192.168.25.254
set routing-options router-id 172.16.1.2
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy IKE_POL mode main
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate Partner1_Certificate_ID
set security ike gateway PARTNER_GW ike-policy IKE_POL
set security ike gateway PARTNER_GW address 192.168.15.1
set security ike gateway PARTNER_GW local-identity distinguished-name
set security ike gateway PARTNER_GW remote-identity distinguished-name container O=XYZ,OU=Sales
set security ike gateway PARTNER_GW external-interface ge-0/0/0.0
set security ike gateway PARTNER_GW local-address 192.168.25.1
set security ike gateway PARTNER_GW advpn suggester disable
set security ike gateway PARTNER_GW advpn partner
set security ike gateway PARTNER_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn PARTNER_VPN bind-interface st0.1
set security ipsec vpn PARTNER_VPN ike gateway PARTNER_GW
set security ipsec vpn PARTNER_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn PARTNER_VPN establish-tunnels immediately
set security pki ca-profile ROOT-CA ca-identity ROOT-CA
set security pki ca-profile ROOT-CA enrollment url http://10.5.245.15/certsrv/mscep/mscep.dll
set security pki ca-profile ROOT-CA enrollment retry 5
set security pki ca-profile ROOT-CA enrollment retry-interval 10
set security pki ca-profile ROOT-CA revocation-check disable
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces st0.1
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies default-policy permit-all
SPOKE2 configuration:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.35.1/24
set interfaces ge-0/0/2 unit 0 family inet address 3.3.3.254/24
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 172.16.1.3/24
set protocols ospf graceful-restart restart-duration 300
set protocols ospf graceful-restart notify-duration 300
set protocols ospf graceful-restart no-strict-lsa-checking
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 metric 15
set protocols ospf area 0.0.0.0 interface st0.1 retransmit-interval 1
set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.1 demand-circuit
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set routing-options graceful-restart
set routing-options static route 192.168.15.0/24 next-hop 192.168.35.254
set routing-options static route 192.168.25.0/24 next-hop 192.168.35.254
set routing-options router-id 172.16.1.3
set security ike proposal IKE_PROP authentication-method rsa-signatures
set security ike proposal IKE_PROP dh-group group5
set security ike proposal IKE_PROP authentication-algorithm sha1
set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
set security ike policy IKE_POL mode main
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate Partner2_Certificate_ID
set security ike gateway PARTNER_GW ike-policy IKE_POL
set security ike gateway PARTNER_GW address 192.168.15.1
set security ike gateway PARTNER_GW dead-peer-detection
set security ike gateway PARTNER_GW local-identity distinguished-name
set security ike gateway PARTNER_GW remote-identity distinguished-name container O=XYZ,OU=Sales
set security ike gateway PARTNER_GW external-interface ge-0/0/0.0
set security ike gateway PARTNER_GW local-address 192.168.35.1
set security ike gateway PARTNER_GW advpn suggester disable
set security ike gateway PARTNER_GW advpn partner
set security ike gateway PARTNER_GW version v2-only
set security ipsec proposal IPSEC_PROP protocol esp
set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group5
set security ipsec policy IPSEC_POL proposals IPSEC_PROP
set security ipsec vpn PARTNER_VPN bind-interface st0.1
set security ipsec vpn PARTNER_VPN ike gateway PARTNER_GW
set security ipsec vpn PARTNER_VPN ike ipsec-policy IPSEC_POL
set security ipsec vpn PARTNER_VPN establish-tunnels immediately
set security pki ca-profile ROOT-CA ca-identity ROOT-CA
set security pki ca-profile ROOT-CA enrollment url http://10.5.245.15/certsrv/mscep/mscep.dll
set security pki ca-profile ROOT-CA enrollment retry 5
set security pki ca-profile ROOT-CA enrollment retry-interval 10
set security pki ca-profile ROOT-CA revocation-check disable
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces st0.1
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies default-policy permit-all
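The three configurations above authenticate peers by distinguished-name matching: the hub accepts any peer whose certificate DN matches the wildcard O=XYZ,OU=Sales, and the spokes require the remote identity to match the container O=XYZ,OU=Sales. The following Python script is an added example (not from the original page or from Juniper) that models the two documented match modes: wildcard requires the listed fields and values to be present in any order, container requires them to be present in the same order. The peer IDs are the ones reported in the IKE output on this page; the "reordered" and "rogue" DNs are constructed, and modelling "same order" as an in-order subsequence of RDNs is this example's reading of the documentation, not Junos source.

```python
"""Added example: model of Junos IKE distinguished-name peer matching.

Junos documents two ways to match a peer certificate DN against a policy
string such as "O=XYZ,OU=Sales":
  wildcard  - the listed fields must be present with the given values,
              in any order (the hub's dynamic gateway above).
  container - the listed fields must be present with the given values
              and in the same order (the spokes' remote-identity above).
The in-order check is modelled as an in-order subsequence of RDNs; that
reading of the documentation is an assumption of this example.
"""
from __future__ import annotations

RDN = tuple[str, str]

# Peer IKE IDs exactly as "show security ike security-associations detail"
# reports them on this page. The CA reordered the RDNs relative to the
# "subject" string given at enrollment; the issued certificate is what counts.
HUB_ID = "C=IN, DC=173ops.com, ST=KA, L=BJ, O=XYZ, OU=Sales, CN=hub"
SPOKE1_ID = "C=IN, DC=173ops.com, ST=KA, L=SH, O=XYZ, OU=Sales, CN=spoke1"
SPOKE2_ID = "C=IN, DC=173ops.com, ST=KA, L=FZ, O=XYZ, OU=Sales, CN=spoke2"

# Constructed DNs (not from the page) that show where the two modes differ.
REORDERED_ID = "C=IN, OU=Sales, O=XYZ, CN=reordered"                 # O/OU swapped
ROGUE_ID = "C=IN, DC=173ops.com, O=XYZ, OU=Engineering, CN=rogue"    # wrong OU


def parse_dn(dn: str) -> list[RDN]:
    """Split 'C=IN, O=XYZ' into [('C', 'IN'), ('O', 'XYZ')].

    Attribute types are case-insensitive (normalised to upper case); values
    are compared case-sensitively, a simplification of this example.
    """
    rdns: list[RDN] = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def match_wildcard(policy: str, peer_dn: str) -> bool:
    """wildcard: every policy RDN appears somewhere in the peer DN."""
    peer = parse_dn(peer_dn)
    return all(rdn in peer for rdn in parse_dn(policy))


def match_container(policy: str, peer_dn: str) -> bool:
    """container: every policy RDN appears in the peer DN, in the same order."""
    peer = parse_dn(peer_dn)
    position = 0
    for rdn in parse_dn(policy):
        try:
            position = peer.index(rdn, position) + 1
        except ValueError:
            return False
    return True


def accept_peer(mode: str, policy: str, peer_dn: str) -> bool:
    """Apply the gateway's configured match mode to a presented peer ID."""
    if mode == "wildcard":
        return match_wildcard(policy, peer_dn)
    if mode == "container":
        return match_container(policy, peer_dn)
    raise ValueError(f"unknown match mode {mode!r}")


def evaluate(mode: str, policy: str, peers: dict[str, str]) -> dict[str, bool]:
    """Return {peer name: accepted?} for a set of candidate peer IDs."""
    return {name: accept_peer(mode, policy, dn) for name, dn in peers.items()}


if __name__ == "__main__":
    candidates = {
        "hub": HUB_ID, "spoke1": SPOKE1_ID, "spoke2": SPOKE2_ID,
        "reordered": REORDERED_ID, "rogue": ROGUE_ID,
    }
    policy = "O=XYZ,OU=Sales"
    print("hub   (wildcard): ", evaluate("wildcard", policy, candidates))
    print("spoke (container):", evaluate("container", policy, candidates))
```

Neither mode constrains CN, so any certificate ROOT-CA issues with O=XYZ and OU=Sales is accepted as a VPN peer; the effective access control is the CA's manual approval of each request plus revocation, which this lab disabled. The hub's wildcard mode also accepts the reordered DN that the spokes' container mode rejects, so a hub-and-spoke pair configured this way does not enforce the same identity policy in both directions.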
Verification:
root@VSRX-SPOKE1> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
3831619 UP 24124ccd0e6f8bf7 4d530e497b1dc80f IKEv2 192.168.15.1
3831620 UP 774b02b47e396aa8 775392a63c29aa58 IKEv2 192.168.35.1
root@VSRX-SPOKE1> show security ipsec security-associations
Total active tunnels: 2 Total Ipsec sas: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108866 ESP:aes-cbc-256/sha1 32d0bbd6 3366/ unlim - root 500 192.168.15.1
>67108866 ESP:aes-cbc-256/sha1 d8afc9f0 3366/ unlim - root 500 192.168.15.1
<67108868 ESP:aes-cbc-256/sha1 56eb1b46 3378/ unlim - root 500 192.168.35.1
>67108868 ESP:aes-cbc-256/sha1 3e8e5b51 3378/ unlim - root 500 192.168.35.1
root@VSRX-SPOKE1> show security ike security-associations detail
Note the ADVPN details in the IKE SA output below (Type: Shortcut on the spoke-to-spoke SA):
IKE peer 192.168.15.1, Index 3831619, Gateway Name: PARTNER_GW
Auto Discovery VPN:
Type: Static, Local Capability: Partner, Peer Capability: Suggester
Partner Shortcut Suggestions Statistics:
Suggestions received: 1
Suggestions accepted: 1
Suggestions declined: 0
Role: Initiator, State: UP
Initiator cookie: 24124ccd0e6f8bf7, Responder cookie: 4d530e497b1dc80f
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.25.1:500, Remote: 192.168.15.1:500
Lifetime: Expires in 28636 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: C=IN, DC=173ops.com, ST=KA, L=BJ, O=XYZ, OU=Sales, CN=hub
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 2875
Output bytes : 2610
Input packets: 7
Output packets: 7
Input fragmentated packets: 4
Output fragmentated packets: 4
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 192.168.25.1:500, Remote: 192.168.15.1:500
Local identity: C=IN, DC=173ops.com, ST=KA, L=SH, O=XYZ, OU=Sales, CN=spoke1
Remote identity: C=IN, DC=173ops.com, ST=KA, L=BJ, O=XYZ, OU=Sales, CN=hub
Flags: IKE SA is created
IKE peer 192.168.35.1, Index 3831620, Gateway Name: PARTNER_GW
Auto Discovery VPN:
Type: Shortcut, Local Capability: Partner, Peer Capability: Partner
Role: Initiator, State: UP
Initiator cookie: 774b02b47e396aa8, Responder cookie: 775392a63c29aa58
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.25.1:500, Remote: 192.168.35.1:500
Lifetime: Expires in 28648 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: C=IN, DC=173ops.com, ST=KA, L=FZ, O=XYZ, OU=Sales, CN=spoke2
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 2495
Output bytes : 2502
Input packets: 6
Output packets: 6
Input fragmentated packets: 4
Output fragmentated packets: 4
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 192.168.25.1:500, Remote: 192.168.35.1:500
Local identity: C=IN, DC=173ops.com, ST=KA, L=SH, O=XYZ, OU=Sales, CN=spoke1
Remote identity: C=IN, DC=173ops.com, ST=KA, L=FZ, O=XYZ, OU=Sales, CN=spoke2
Flags: IKE SA is created
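To turn the visual check for "Type: Shortcut" into something repeatable, here is an added Python example (not from the original page or from Juniper) that parses the IKE SA detail output into records and reports whether the static SA to the hub is up with the hub advertising the Suggester capability, which peers are reached over shortcut SAs, and whether any SA is not using RSA-signature authentication. The sample input is an excerpt of the SPOKE1 output above, embedded as constructed sample text with indentation restored; the hub address 192.168.15.1 is passed in as a parameter.

```python
"""Added example: parse "show security ike security-associations detail"
and report ADVPN state from a partner's point of view.

Not from the original page or from Juniper. SAMPLE is an excerpt of the
SPOKE1 output on this page, embedded as constructed sample input; the
parser strips leading whitespace so it works on indented or flattened text.
"""
from __future__ import annotations

import re

SAMPLE = """\
IKE peer 192.168.15.1, Index 3831619, Gateway Name: PARTNER_GW
  Auto Discovery VPN:
    Type: Static, Local Capability: Partner, Peer Capability: Suggester
    Partner Shortcut Suggestions Statistics:
      Suggestions received: 1
      Suggestions accepted: 1
      Suggestions declined: 0
  Role: Initiator, State: UP
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.25.1:500, Remote: 192.168.15.1:500
  Peer ike-id: C=IN, DC=173ops.com, ST=KA, L=BJ, O=XYZ, OU=Sales, CN=hub
  Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
IKE peer 192.168.35.1, Index 3831620, Gateway Name: PARTNER_GW
  Auto Discovery VPN:
    Type: Shortcut, Local Capability: Partner, Peer Capability: Partner
  Role: Initiator, State: UP
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.25.1:500, Remote: 192.168.35.1:500
  Peer ike-id: C=IN, DC=173ops.com, ST=KA, L=FZ, O=XYZ, OU=Sales, CN=spoke2
"""

PEER_RE = re.compile(r"^IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
ADVPN_RE = re.compile(r"^Type: (\w+), Local Capability: (\w+), Peer Capability: (\w+)")
STATE_RE = re.compile(r"^Role: (\w+), State: (\w+)")
AUTH_RE = re.compile(r"^Exchange type: (\S+), Authentication method: (\S+)")
PEER_ID_RE = re.compile(r"^Peer ike-id: (.+)$")
SUGG_RE = re.compile(r"^Suggestions (received|accepted|declined): (\d+)")


def parse_ike_sa_detail(text: str) -> list[dict]:
    """Return one record per 'IKE peer' block with the ADVPN fields extracted."""
    records: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "index": int(m.group(2)), "gateway": m.group(3),
                   "advpn_type": None, "local_cap": None, "peer_cap": None,
                   "role": None, "state": None, "exchange": None, "auth": None,
                   "peer_id": None, "suggestions": {}}
            records.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first IKE peer block
        if m := ADVPN_RE.match(line):
            cur["advpn_type"], cur["local_cap"], cur["peer_cap"] = m.groups()
        elif (m := STATE_RE.match(line)) and cur["state"] is None:
            cur["role"], cur["state"] = m.groups()  # first Role/State line is the IKE SA's
        elif m := AUTH_RE.match(line):
            cur["exchange"], cur["auth"] = m.groups()
        elif m := PEER_ID_RE.match(line):
            cur["peer_id"] = m.group(1).strip()
        elif m := SUGG_RE.match(line):
            cur["suggestions"][m.group(1)] = int(m.group(2))
    return records


def advpn_report(records: list[dict], hub_address: str) -> dict:
    """Summarise: is the static SA to the hub healthy, which peers are shortcuts,
    and does every SA use certificate (RSA-signatures) authentication."""
    shortcuts = [r["peer"] for r in records
                 if r["advpn_type"] == "Shortcut" and r["state"] == "UP"]
    hub = next((r for r in records if r["peer"] == hub_address), None)
    hub_ok = bool(hub and hub["advpn_type"] == "Static"
                  and hub["peer_cap"] == "Suggester" and hub["state"] == "UP")
    non_cert = [r["peer"] for r in records if r["auth"] != "RSA-signatures"]
    return {
        "hub_ok": hub_ok,
        "shortcut_peers": shortcuts,
        "non_cert_auth": non_cert,
        "suggestions_accepted": hub["suggestions"].get("accepted", 0) if hub else 0,
    }


if __name__ == "__main__":
    print(advpn_report(parse_ike_sa_detail(SAMPLE), "192.168.15.1"))
```

In practice the text would come from the device (for example over NETCONF or a "show ... | no-more" capture); a hub record that is not Static/Suggester/UP, or a spoke-to-spoke SA whose Authentication method is not RSA-signatures, is the condition worth alerting on.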
root@VSRX-SPOKE1> show security ipsec security-associations detail
(The word Shortcut indicates that the spoke-to-spoke shortcut VPN was established successfully.)
ID: 67108866 Virtual-system: root, VPN Name: PARTNER_VPN
Local Gateway: 192.168.25.1, Remote Gateway: 192.168.15.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29
Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
Tunnel events:
Wed Feb 10 2021 03:22:57: IPSec SA negotiation successfully completed (1 times)
Wed Feb 10 2021 03:22:57: IKE SA negotiation successfully completed (1 times)
Wed Feb 10 2021 03:22:02: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Direction: inbound, SPI: 32d0bbd6, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3264 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2621 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: d8afc9f0, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3264 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2621 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
ID: 67108870 Virtual-system: root, VPN Name: PARTNER_VPN
Local Gateway: 192.168.25.1, Remote Gateway: 192.168.35.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Auto Discovery VPN:
Type: Shortcut, Shortcut Role: Initiator
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29
Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
Tunnel events:
Wed Feb 10 2021 03:28:21: IPSec SA negotiation successfully completed (1 times)
Wed Feb 10 2021 03:28:21: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Wed Feb 10 2021 03:28:21: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: c235dcac, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3588 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2946 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 383769cc, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3588 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2946 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
To start over, revoke the certificates on the CA and delete the certificates and key pairs on the vSRX:
clear security pki ca-certificate all
clear security pki local-certificate all
clear security pki key-pair all
References:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-autovpn-on-hub-and-spoke-devices.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-pki-local-certificate-enroll.html