SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  AutoVPN: No private key found after SRX is rebooted

    Posted 11-16-2014 21:31

    Hi All!

    I am building a pilot VPN project with AutoVPN technology on SRX 240 (Hub) and SRX 210 (Spokes) with software version 12.1X44-D40.2.

    After configuring the devices and installing certificates the VPN works fine, but after a reboot of the Spoke devices IKE shows the error "No private key found". When I re-install the certificate on the Spoke with the command:

    request security pki local-certificate load certificate-id cert-srx2 filename /var/home/xxxxx/certs/cert-srx2.cer
    Local certificate loaded successfully

    the VPN resumes working.

    Anyone have a similar problem? Thx.


    KMD Log:

    [Nov 21 17:25:02]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Nov 21 17:25:02]ssh_ike_connect: Start, remote_name = XXX.XXX.XXX.2:500, xchg = 2, flags = 00090000
    [Nov 21 17:25:02]ike_sa_allocate: Start, SA = { b822e07c 17066316 - 00000000 00000000 }
    [Nov 21 17:25:02]ike_init_isakmp_sa: Start, remote = XXX.XXX.XXX.2:500, initiator = 1
    [Nov 21 17:25:02]ssh_ike_connect: SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1
    [Nov 21 17:25:02]ike_st_o_sa_proposal: Start
    [Nov 21 17:25:02]ike_policy_reply_isakmp_vendor_ids: Start
    [Nov 21 17:25:02]ike_st_o_private: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - 00000000 00000000 } / 00000000, nego = -1
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7000 from freelist
    [Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
    [Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_sa_find_half: Found half SA = { b822e07c 17066316 - 00000000 00000000 }
    [Nov 21 17:25:02]ike_sa_upgrade: Start, SA = { b822e07c 17066316 - 00000000 00000000 } -> { ... - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_decode_packet: Start
    [Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
    [Nov 21 17:25:02]ike_decode_payload_sa: Start
    [Nov 21 17:25:02]ike_decode_payload_t: Start, # trans = 1
    [Nov 21 17:25:02]ike_st_i_sa_value: Start
    [Nov 21 17:25:02]ike_st_i_cr: Start
    [Nov 21 17:25:02]ike_st_i_cert: Start
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    [Nov 21 17:25:02]ike_st_i_private: Start
    [Nov 21 17:25:02]ike_st_o_ke: Start
    [Nov 21 17:25:02]ike_st_o_nonce: Start
    [Nov 21 17:25:02]ike_policy_reply_isakmp_nonce_data_len: Start
    [Nov 21 17:25:02]ssh_policy_get_certificate_authority_recv_ipc context <00de7740>.
    [Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
    [Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
    [Nov 21 17:25:02]ike_policy_reply_get_cas: Start
    [Nov 21 17:25:02]ike_st_o_private: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, nego = -1
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7400 from freelist
    [Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
    [Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_decode_packet: Start
    [Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
    [Nov 21 17:25:02]ike_st_i_nonce: Start, nonce[0..16] = 409e551a 405fb30b ...
    [Nov 21 17:25:02]ike_st_i_ke: Ke[0..128] = ff81f3dc 35e967e2 ...
    [Nov 21 17:25:02]ike_st_i_cr: Start
    [Nov 21 17:25:02]ike_st_i_cert: Start
    [Nov 21 17:25:02]ike_st_i_private: Start
    [Nov 21 17:25:02]ike_st_o_id: Start
    [Nov 21 17:25:02]ike_st_o_certs_base: Start
    [Nov 21 17:25:02]ike_find_private_key: Find private key for XXX.XXX.XXX.42:500, id = der_asn1_dn(any:0,[0..135]=C=XX, DC=XXXXXX, DC=XX, L=XXXXXX, O=XXXXX, OU=XXXXXXX, CN=XXXXXX) -> XXX.XXX.XXX.2:500, id = No Id
    [Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
    [Nov 21 17:25:02]ike_policy_reply_find_private_key: Start
    [Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
    [Nov 21 17:25:02]ike_state_restart_packet: Start, restart packet SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1
    [Nov 21 17:25:02]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Authentication failed
    [Nov 21 17:25:02] IKEv1 Error : Authentication failed
    [Nov 21 17:25:02]IPSec Rekey for SPI 0x0 failed
    [Nov 21 17:25:02]IPSec SA done callback called for sa-cfg MF-IPSEC-VPN local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status Authentication failed
    [Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
    [Nov 21 17:25:02]ike_alloc_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 88959731, nego = 0
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ike_delete_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0
    [Nov 21 17:25:02]ike_free_negotiation_info: Start, nego = 0
    [Nov 21 17:25:02]ike_free_negotiation: Start, nego = 0



    #AutoVPN
    #pki
    #SRX
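The KMD trace above shows the sequence a defender wants to alert on: `ike_find_private_key` fails for the local certificate's DN, `ikev2_fb_request_certificates_cb` reports the key/certificate lookup failure, and the negotiation ends with "Authentication failed". The following is an added example, not code from the original post or from Juniper: a small Python triage helper that scans KMD trace lines for that pattern and returns a structured finding, plus the certificate re-load command used as the workaround in the post and a check against the fix release named in the answer below. The regex names, the `KmdFinding` class and the helper functions are this example's own; the sample log is a constructed, trimmed copy of the post's trace with the same masked addresses, and the certificate path is a caller-supplied placeholder.

```python
"""Triage helper for SRX KMD/IKE trace lines (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: trimmed from the KMD trace in the post, addresses masked as there.
SAMPLE_KMD_LOG = """\
[Nov 21 17:25:02]ike_st_o_certs_base: Start
[Nov 21 17:25:02]ike_find_private_key: Find private key for XXX.XXX.XXX.42:500, id = der_asn1_dn(any:0,[0..135]=C=XX, DC=XXXXXX, DC=XX, L=XXXXXX, O=XXXXX, OU=XXXXXXX, CN=XXXXXX) -> XXX.XXX.XXX.2:500, id = No Id
[Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
[Nov 21 17:25:02]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Authentication failed
[Nov 21 17:25:02]IPSec SA done callback called for sa-cfg MF-IPSEC-VPN local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status Authentication failed
"""

# Patterns for the KMD lines that matter for this failure (written for this example).
RE_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\](?P<msg>.*)$")
RE_FIND_KEY = re.compile(
    r"ike_find_private_key: Find private key for (?P<local>[^,]+), "
    r"id = der_asn1_dn\([^=]*=(?P<dn>[^)]*)\) -> (?P<remote>[^,\s]+)")
RE_LOOKUP_FAIL = re.compile(r"Private key/Certificate lookup failed, error '(?P<err>[^']*)'")
RE_NEGO_FAIL = re.compile(
    r"IKE negotiation fail for local:(?P<local>[^,\s]+), remote:(?P<remote>[^,\s]+) "
    r"(?P<ver>IKEv\d) with status: (?P<status>.+)$")
RE_SA_CFG = re.compile(r"sa-cfg (?P<sa>\S+) local:")


def _strip_port(endpoint: str) -> str:
    """'XXX.XXX.XXX.42:500' -> 'XXX.XXX.XXX.42'; plain addresses are returned unchanged."""
    return re.sub(r":\d+$", "", endpoint)


@dataclass
class KmdFinding:
    first_seen: str = ""
    local: str = ""
    remote: str = ""
    ike_version: str = ""
    subject_dn: str = ""      # DN of the local certificate IKE tried to find a key for
    lookup_error: str = ""    # text inside "lookup failed, error '...'"
    sa_cfg: str = ""          # IPsec VPN name from the SA done callback
    status: str = ""          # final negotiation status
    no_private_key: bool = False

    @property
    def is_private_key_failure(self) -> bool:
        # The signature from the thread: key lookup failed and IKE authenticated nothing.
        return self.no_private_key and self.status == "Authentication failed"


def triage_kmd_log(text: str) -> Optional[KmdFinding]:
    """Return a KmdFinding if the trace contains a failed negotiation, else None."""
    finding = KmdFinding()
    relevant = False
    for raw in text.splitlines():
        line = RE_LINE.match(raw)
        if not line:
            continue
        ts, msg = line.group("ts"), line.group("msg")
        m = RE_FIND_KEY.search(msg)
        if m:
            finding.first_seen = finding.first_seen or ts
            finding.local = _strip_port(m.group("local"))
            finding.remote = _strip_port(m.group("remote"))
            finding.subject_dn = m.group("dn")
            relevant = True
            continue
        m = RE_LOOKUP_FAIL.search(msg)
        if m:
            finding.lookup_error = m.group("err")
            relevant = True
            continue
        if "No private key found" in msg:
            finding.no_private_key = True
            relevant = True
            continue
        m = RE_NEGO_FAIL.search(msg)
        if m:
            finding.local, finding.remote = m.group("local"), m.group("remote")
            finding.ike_version, finding.status = m.group("ver"), m.group("status").strip()
            relevant = True
            continue
        m = RE_SA_CFG.search(msg)
        if m:
            finding.sa_cfg = m.group("sa")
    return finding if relevant else None


def remediation_command(cert_id: str, cert_path: str) -> str:
    """The operational workaround from the post: re-load the local certificate.
    cert_id and cert_path are caller-supplied; nothing is executed or written here."""
    return (f"request security pki local-certificate load "
            f"certificate-id {cert_id} filename {cert_path}")


RE_JUNOS = re.compile(r"^(?P<train>\d+\.\d+X\d+)-D(?P<build>\d+)(?:\.\d+)?$")


def fixed_in_release(version: str) -> Optional[bool]:
    """True if version is at or past 12.1X44-D45 (the fix release named in the
    accepted answer), False for an earlier 12.1X44 build, None for any other
    train, about which this example makes no claim."""
    m = RE_JUNOS.match(version)
    if not m or m.group("train") != "12.1X44":
        return None
    return int(m.group("build")) >= 45


if __name__ == "__main__":
    f = triage_kmd_log(SAMPLE_KMD_LOG)
    if f and f.is_private_key_failure:
        print(f"[{f.first_seen}] {f.ike_version} {f.local} -> {f.remote} ({f.sa_cfg}): "
              f"no private key for cert '{f.subject_dn}' ({f.lookup_error})")
        # Placeholder path; substitute the real certificate location on the Spoke.
        print("workaround:", remediation_command("cert-srx2", "/var/home/xxxxx/certs/cert-srx2.cer"))
```

Feed it the output of the KMD traceoptions file (or `show log kmd`) from the Spoke; a finding with `is_private_key_failure` set, on a build that `fixed_in_release` reports as `False`, matches the symptom in this thread and distinguishes it from an ordinary certificate or proposal mismatch, where the key lookup succeeds and the failure appears elsewhere in the exchange.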


  • 2.  RE: AutoVPN: No private key found after SRX is rebooted
    Best Answer

    Posted 04-28-2015 21:43

    This is a bug, confirmed by JTAC. The issue is fixed in 12.1X44-D45.