
AutoVPN: No private key found after SRX is rebooted

  • 1.  AutoVPN: No private key found after SRX is rebooted

    Posted 11-16-2014 21:31

    Hi All!

    I am building a pilot VPN project with AutoVPN technology on SRX 240 (Hub) and SRX 210 (Spokes) with software version 12.1X44-D40.2.

    After configuring the devices and installing certificates, the VPN works fine, but after a reboot of the Spoke devices, IKE shows the error "No private key found". When I re-install the certificate on the Spoke with the command:

    request security pki local-certificate load certificate-id cert-srx2 filename /var/home/xxxxx/certs/cert-srx2.cer
    Local certificate loaded successfully

    the VPN resumes working.

    Does anyone have similar problems? Thx.

    KMD Log:

    [Nov 21 17:25:02]iked_pm_ike_spd_notify_request: Sending Initial contact
    [Nov 21 17:25:02]ssh_ike_connect: Start, remote_name = XXX.XXX.XXX.2:500, xchg = 2, flags = 00090000
    [Nov 21 17:25:02]ike_sa_allocate: Start, SA = { b822e07c 17066316 - 00000000 00000000 }
    [Nov 21 17:25:02]ike_init_isakmp_sa: Start, remote = XXX.XXX.XXX.2:500, initiator = 1
    [Nov 21 17:25:02]ssh_ike_connect: SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1
    [Nov 21 17:25:02]ike_st_o_sa_proposal: Start
    [Nov 21 17:25:02]ike_policy_reply_isakmp_vendor_ids: Start
    [Nov 21 17:25:02]ike_st_o_private: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - 00000000 00000000 } / 00000000, nego = -1
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7000 from freelist
    [Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
    [Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_sa_find_half: Found half SA = { b822e07c 17066316 - 00000000 00000000 }
    [Nov 21 17:25:02]ike_sa_upgrade: Start, SA = { b822e07c 17066316 - 00000000 00000000 } -> { ... - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_decode_packet: Start
    [Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
    [Nov 21 17:25:02]ike_decode_payload_sa: Start
    [Nov 21 17:25:02]ike_decode_payload_t: Start, # trans = 1
    [Nov 21 17:25:02]ike_st_i_sa_value: Start
    [Nov 21 17:25:02]ike_st_i_cr: Start
    [Nov 21 17:25:02]ike_st_i_cert: Start
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Nov 21 17:25:02]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    [Nov 21 17:25:02]ike_st_i_private: Start
    [Nov 21 17:25:02]ike_st_o_ke: Start
    [Nov 21 17:25:02]ike_st_o_nonce: Start
    [Nov 21 17:25:02]ike_policy_reply_isakmp_nonce_data_len: Start
    [Nov 21 17:25:02]ssh_policy_get_certificate_authority_recv_ipc context <00de7740>.
    [Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
    [Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
    [Nov 21 17:25:02]ike_policy_reply_get_cas: Start
    [Nov 21 17:25:02]ike_st_o_private: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, nego = -1
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7400 from freelist
    [Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
    [Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
    [Nov 21 17:25:02]ike_decode_packet: Start
    [Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
    [Nov 21 17:25:02]ike_st_i_nonce: Start, nonce[0..16] = 409e551a 405fb30b ...
    [Nov 21 17:25:02]ike_st_i_ke: Ke[0..128] = ff81f3dc 35e967e2 ...
    [Nov 21 17:25:02]ike_st_i_cr: Start
    [Nov 21 17:25:02]ike_st_i_cert: Start
    [Nov 21 17:25:02]ike_st_i_private: Start
    [Nov 21 17:25:02]ike_st_o_id: Start
    [Nov 21 17:25:02]ike_st_o_certs_base: Start
    [Nov 21 17:25:02]ike_find_private_key: Find private key for XXX.XXX.XXX.42:500, id = der_asn1_dn(any:0,[0..135]=C=XX, DC=XXXXXX, DC=XX, L=XXXXXX, O=XXXXX, OU=XXXXXXX, CN=XXXXXX) -> XXX.XXX.XXX.2:500, id = No Id
    [Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
    [Nov 21 17:25:02]ike_policy_reply_find_private_key: Start
    [Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
    [Nov 21 17:25:02]ike_state_restart_packet: Start, restart packet SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1
    [Nov 21 17:25:02]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Authentication failed
    [Nov 21 17:25:02] IKEv1 Error : Authentication failed
    [Nov 21 17:25:02]IPSec Rekey for SPI 0x0 failed
    [Nov 21 17:25:02]IPSec SA done callback called for sa-cfg MF-IPSEC-VPN local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status Authentication failed
    [Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
    [Nov 21 17:25:02]ike_alloc_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}
    [Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 88959731, nego = 0
    [Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0, dst = XXX.XXX.XXX.2:500, routing table id = 0
    [Nov 21 17:25:02]ike_delete_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0
    [Nov 21 17:25:02]ike_free_negotiation_info: Start, nego = 0
    [Nov 21 17:25:02]ike_free_negotiation: Start, nego = 0



    #AutoVPN
    #pki
    #SRX
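Triage of the KMD excerpt above, as an added example that is not part of the original post or of Junos: a Python parser that groups SA-tagged KMD lines by IKE cookie pair and separates the local "No private key found" condition (key lookup failing while the spoke builds its ID/CERT payload) from an ordinary peer authentication failure that reports the same status. The sample log is constructed from the lines quoted in the post, with RFC 5737 documentation addresses in place of the masked peers.

```python
import re

# Constructed sample modeled on the KMD excerpt in the post; addresses are
# RFC 5737 documentation ranges, cookies are the ones quoted in the thread.
SAMPLE_KMD_LOG = """\
[Nov 21 17:25:02]ike_st_o_certs_base: Start
[Nov 21 17:25:02]ike_find_private_key: Find private key for 192.0.2.42:500, id = der_asn1_dn(any:0,[0..40]=C=XX, O=EXAMPLE, CN=spoke2) -> 192.0.2.2:500, id = No Id
[Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Nov 21 17:25:02]192.0.2.42:500 (Initiator) <-> 192.0.2.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
[Nov 21 17:25:02]IKE negotiation fail for local:192.0.2.42, remote:192.0.2.2 IKEv1 with status: Authentication failed
[Nov 21 17:25:02]192.0.2.42:500 (Initiator) <-> 192.0.2.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
"""

# "<local>:500 (Role) <-> <remote>:500 { icookie - rcookie ... } IP; <message>"
SA_RE = re.compile(
    r"(?P<local>[\d.]+):\d+ \((?P<role>\w+)\) <-> (?P<remote>[\d.]+):\d+ "
    r"\{ (?P<cookies>[0-9a-f]{8} [0-9a-f]{8} - [0-9a-f]{8} [0-9a-f]{8}) [^}]*\} IP; (?P<msg>.*)$"
)
KEY_RE = re.compile(r"ike_find_private_key: Find private key for [\d.]+:\d+, id = (?P<local_id>.*?\)) ->")
ERR_RE = re.compile(r"Error = (?P<status>.+?) \((?P<code>\d+)\)")

def triage_kmd(text):
    """Group SA-tagged KMD lines by cookie pair and classify the failure:
    'missing_private_key' when the local key lookup failed (the symptom in the
    post), 'peer_auth_failed' for an Authentication failed status without it."""
    findings = {}
    local_id = None  # most recent local identity KMD tried to find a key for
    for line in text.splitlines():
        k = KEY_RE.search(line)
        if k:
            local_id = k.group("local_id")
        m = SA_RE.search(line)
        if not m:
            continue
        f = findings.setdefault(m.group("cookies"), {
            "local": m.group("local"), "remote": m.group("remote"),
            "role": m.group("role"), "local_id": local_id,
            "cause": None, "status": None, "code": None})
        msg = m.group("msg")
        if "No private key found" in msg:
            f["cause"] = "missing_private_key"
        e = ERR_RE.search(msg)
        if e:
            f["status"], f["code"] = e.group("status"), int(e.group("code"))
            if f["cause"] is None and "Authentication failed" in f["status"]:
                f["cause"] = "peer_auth_failed"
    return findings
```

A spoke whose finding is `missing_private_key` after a reboot matches the symptom in this thread; `peer_auth_failed` with no local key error points at the hub or the certificate chain instead.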


  • 2.  RE: AutoVPN: No private key found after SRX is rebooted
    Best Answer

    Posted 04-28-2015 21:43

    This is a bug, confirmed by JTAC. The issue is fixed in 12.1X44-D45.