
ADVPN - Key pair not found for configured local certificate

    Posted 12-12-2023 17:30

    Hi guys,

    I am trying to set up a Lab with ADVPN based on THIS article.

    This is my first time deploying anything to do with certificates. I have spun up a Windows Server with a CA within the same lab as the hub and spoke. All nodes are reachable from one another (hub can ping spokes etc.) but it seems like Phase 1 is not completing due to the below:

    Dec 12 14:03:58 kmd[12781]: IKE negotiation failed with error: Key pair not found for configured local certificate. Negotiation failed. IKE Version: 2, VPN: PARTNER_VPN Gateway: PARTNER_GW, Local: 21.1.1.2/500, Remote: 11.1.1.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator

    Dec 12 14:03:58 kmd[12781]: IPSec negotiation failed with error: Key pair not found for configured local certificate. Negotiation failed. IKE Version: 2, VPN: PARTNER_VPN Gateway: PARTNER_GW, Local: 21.1.1.2/500, Remote: 11.1.1.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

    Please find a config on the Hub and one of the spokes:

    Hub:

    set version 23.2R1.13
    set system root-authentication encrypted-password "$6$7viWIPpD$RZnbCFg1Bfh2ilb4WXoLph86zJ1mr2ttgN3MQ36qkj6NVqSr6bThQSy5WtdCHhYaMPwH/pBcP4U2p..Yq/4yW1"
    set system syslog file kmd-logs daemon info
    set system syslog file kmd-logs match KMD
    set security log mode event
    set security pki ca-profile advpn ca-identity mylab.local
    set security pki ca-profile advpn enrollment url http://10.0.0.5:80/certsrv/mscep/mscep.dll
    set security ike proposal IKE_PROP authentication-method rsa-signatures
    set security ike proposal IKE_PROP dh-group group5
    set security ike proposal IKE_PROP authentication-algorithm sha1
    set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
    set security ike policy IKE_POL proposals IKE_PROP
    set security ike policy IKE_POL certificate local-certificate Suggester_Certificate_ID
    set security ike gateway SUGGESTER_GW ike-policy IKE_POL
    set security ike gateway SUGGESTER_GW dynamic distinguished-name wildcard OU=Sales
    set security ike gateway SUGGESTER_GW dynamic ike-user-type group-ike-id
    set security ike gateway SUGGESTER_GW dead-peer-detection
    set security ike gateway SUGGESTER_GW local-identity distinguished-name
    set security ike gateway SUGGESTER_GW external-interface ge-0/0/6.0
    set security ike gateway SUGGESTER_GW local-address 11.1.1.1
    set security ike gateway SUGGESTER_GW advpn suggester
    set security ike gateway SUGGESTER_GW advpn partner disable
    set security ike gateway SUGGESTER_GW version v2-only
    set security ipsec proposal IPSEC_PROP protocol esp
    set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
    set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group5
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP
    set security ipsec vpn SUGGESTER_VPN bind-interface st0.1
    set security ipsec vpn SUGGESTER_VPN ike gateway SUGGESTER_GW
    set security ipsec vpn SUGGESTER_VPN ike ipsec-policy IPSEC_POL
    set security policies default-policy permit-all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces st0.1
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/6.0
    set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
    set interfaces ge-0/0/6 unit 0 family inet address 11.1.1.1/24
    set interfaces st0 unit 1 multipoint
    set interfaces st0 unit 1 family inet address 172.16.1.1/24
    set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
    set protocols ospf area 0.0.0.0 interface st0.1 metric 10
    set protocols ospf area 0.0.0.0 interface st0.1 retransmit-interval 1
    set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 40
    set protocols ospf area 0.0.0.0 interface st0.1 demand-circuit
    set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
    set protocols ospf graceful-restart restart-duration 300
    set protocols ospf graceful-restart notify-duration 300
    set protocols ospf graceful-restart no-strict-lsa-checking
    set routing-options router-id 172.16.1.1
    set routing-options graceful-restart
    set routing-options static route 10.0.0.0/24 next-hop 11.1.1.2
    set routing-options static route 21.1.1.0/24 next-hop 11.1.1.2
    set routing-options static route 31.1.1.0/24 next-hop 11.1.1.2
    

    Spoke:

    root# show | display set 
    set version 23.2R1.13
    set system root-authentication encrypted-password "$6$Qf7pLCCN$4voJeQgkb5ZNlm5SxA90ksUd8cW/UOg9U/T0PYQM9YIOJvMNeXVCwWY1xxgl8pbm0U2oLla7crfDg81bJE7cX0"
    set system syslog file kmd-logs daemon info
    set system syslog file kmd-logs match KMD
    set security log mode event
    set security pki ca-profile advpn ca-identity advpn
    set security pki ca-profile advpn enrollment url http://10.0.0.5:80/certsrv/mscep/mscep.dll
    set security ike proposal IKE_PROP authentication-method rsa-signatures
    set security ike proposal IKE_PROP dh-group group5
    set security ike proposal IKE_PROP authentication-algorithm sha1
    set security ike proposal IKE_PROP encryption-algorithm aes-256-cbc
    set security ike policy IKE_POL proposals IKE_PROP
    set security ike policy IKE_POL certificate local-certificate Partner1_Certificate_ID
    set security ike gateway PARTNER_GW ike-policy IKE_POL
    set security ike gateway PARTNER_GW address 11.1.1.1
    set security ike gateway PARTNER_GW local-identity distinguished-name
    set security ike gateway PARTNER_GW remote-identity distinguished-name container OU=Sales
    set security ike gateway PARTNER_GW external-interface ge-0/0/6
    set security ike gateway PARTNER_GW local-address 21.1.1.2
    set security ike gateway PARTNER_GW advpn suggester disable
    set security ike gateway PARTNER_GW advpn partner
    set security ike gateway PARTNER_GW version v2-only
    set security ipsec proposal IPSEC_PROP protocol esp
    set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha1-96
    set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
    set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group5
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP
    set security ipsec vpn PARTNER_VPN bind-interface st0.1
    set security ipsec vpn PARTNER_VPN ike gateway PARTNER_GW
    set security ipsec vpn PARTNER_VPN ike ipsec-policy IPSEC_POL
    set security ipsec vpn PARTNER_VPN establish-tunnels immediately
    set security policies default-policy permit-all
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces st0.1
    set security zones security-zone trust interfaces ge-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/6.0
    set interfaces ge-0/0/0 unit 0 family inet address 25.1.1.1/24
    set interfaces ge-0/0/6 unit 0 family inet address 21.1.1.2/24
    set interfaces st0 unit 1 multipoint    
    set interfaces st0 unit 1 family inet address 172.16.1.2/24
    set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
    set protocols ospf area 0.0.0.0 interface st0.1 metric 15
    set protocols ospf area 0.0.0.0 interface st0.1 retransmit-interval 1
    set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 40
    set protocols ospf area 0.0.0.0 interface st0.1 demand-circuit
    set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
    set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
    set protocols ospf graceful-restart restart-duration 300
    set protocols ospf graceful-restart notify-duration 300
    set protocols ospf graceful-restart no-strict-lsa-checking
    set routing-options router-id 172.16.1.2
    set routing-options graceful-restart
    set routing-options static route 10.0.0.0/24 next-hop 21.1.1.1
    set routing-options static route 11.1.1.0/24 next-hop 21.1.1.1
    set routing-options static route 31.1.1.0/24 next-hop 21.1.1.1
    

    In terms of certificates, I have done the following (based on one of the documentation which I found online):

    1. Enroll the CA certificate
    root@srx> request security pki ca-certificate enroll ca-profile advpn
    2. Type yes at the prompt to load the CA certificate
    3. Generate a key pair for the device certificate
    root@srx> request security pki generate-key-pair certificate-id Partner1_Certificate_ID
    4. Enroll the local certificate
    root@srx> request security pki local-certificate enroll scep ca-profile advpn certificate-id certificate-id ip-address x.x.x.x subject "OU=Sales"
    

    When looking at the CertServ on the Windows Server, I can see that the certificates are issued fine, as they appear after I have requested the enrollment. However, when checking the KMD logs I am seeing the below (that's from the spoke):

    Dec 12 14:03:58   kmd[12781]: IKE negotiation failed with error: Key pair not found for configured local certificate. Negotiation failed. IKE Version: 2, VPN: PARTNER_VPN Gateway: PARTNER_GW, Local: 21.1.1.2/500, Remote: 11.1.1.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator
    Dec 12 14:03:58   kmd[12781]: IPSec negotiation failed with error: Key pair not found for configured local certificate. Negotiation failed. IKE Version: 2, VPN: PARTNER_VPN Gateway: PARTNER_GW, Local: 21.1.1.2/500, Remote: 11.1.1.1/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
    

    Any ideas what I'm doing wrong? Thanks for any responses in advance.



    ------------------------------
    SZYMON CZARNECKI
    ------------------------------
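The kmd error in the post says exactly which object it cannot find: the key pair behind the certificate-id that the IKE policy names under `certificate local-certificate`. The check a practitioner would run next is to line up the gateway, its ike-policy, the configured certificate-id, and what is actually in the device's local-certificate store. The script below is an added example, not code from the post or from Juniper; it does that cross-check offline from pasted CLI output. The `show | display set` lines and the kmd log line are taken from the spoke config above; the two `show security pki local-certificate` listings are constructed, and the `Certificate identifier:` line format they use is an assumption (adapt the regex to your Junos release). The id `spoke1` in the mismatch listing is made up for illustration.

```python
"""Offline triage for 'Key pair not found for configured local certificate'.

Added example (not the original poster's or Juniper's code). Cross-checks:
  1. 'show | display set' output: IKE gateway -> ike-policy -> local-certificate id
  2. 'show security pki local-certificate' output: which certificate ids exist
     ('Certificate identifier:' line format is an assumption for this example)
  3. kmd syslog lines: which gateways fail with the key-pair error
and reports, per failing gateway, whether the configured id is present.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

RE_POLICY_CERT = re.compile(
    r"^set security ike policy (\S+) certificate local-certificate (\S+)$")
RE_GW_POLICY = re.compile(r"^set security ike gateway (\S+) ike-policy (\S+)$")
RE_CERT_ID = re.compile(r"^\s*Certificate identifier:\s*(\S+)")
RE_KMD_KEYPAIR = re.compile(
    r"kmd\[\d+\]: (?:IKE|IPSec) negotiation failed with error: "
    r"Key pair not found for configured local certificate\..*?Gateway: ([^,]+),")


def parse_ike_config(config: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map gateway name -> (ike-policy name, configured local-certificate id or None)."""
    policy_cert: Dict[str, str] = {}
    gw_policy: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = RE_POLICY_CERT.match(line)
        if m:
            policy_cert[m.group(1)] = m.group(2)
            continue
        m = RE_GW_POLICY.match(line)
        if m:
            gw_policy[m.group(1)] = m.group(2)
    return {gw: (pol, policy_cert.get(pol)) for gw, pol in gw_policy.items()}


def parse_local_cert_ids(pki_listing: str) -> Set[str]:
    """Collect certificate ids from a local-certificate listing (format assumed)."""
    return {m.group(1) for m in map(RE_CERT_ID.match, pki_listing.splitlines()) if m}


def failing_gateways(log_lines: Iterable[str]) -> Set[str]:
    """Gateways named in kmd 'Key pair not found ...' failures."""
    found: Set[str] = set()
    for line in log_lines:
        m = RE_KMD_KEYPAIR.search(line)
        if m:
            found.add(m.group(1).strip())
    return found


def triage(config: str, pki_listing: str, log_lines: Iterable[str]) -> List[dict]:
    """One finding per failing gateway: the id its policy expects and whether it exists."""
    gw_map = parse_ike_config(config)
    present = parse_local_cert_ids(pki_listing)
    findings = []
    for gw in sorted(failing_gateways(log_lines)):
        policy, cert_id = gw_map.get(gw, (None, None))
        if cert_id is None:
            status = "no local-certificate configured on policy"
        elif cert_id in present:
            status = "certificate id present; check that its key pair exists"
        else:
            status = "certificate id not found in local-certificate store"
        findings.append({"gateway": gw, "policy": policy, "certificate_id": cert_id,
                         "present_ids": sorted(present), "status": status})
    return findings


# Spoke-side lines reproduced from the post above.
SPOKE_CONFIG = """
set security ike policy IKE_POL proposals IKE_PROP
set security ike policy IKE_POL certificate local-certificate Partner1_Certificate_ID
set security ike gateway PARTNER_GW ike-policy IKE_POL
set security ike gateway PARTNER_GW address 11.1.1.1
"""

# The kmd line from the post, rejoined onto one line (the forum wrapped it mid-word).
SPOKE_KMD_LOG = [
    "Dec 12 14:03:58 kmd[12781]: IKE negotiation failed with error: Key pair not found "
    "for configured local certificate. Negotiation failed. IKE Version: 2, VPN: PARTNER_VPN "
    "Gateway: PARTNER_GW, Local: 21.1.1.2/500, Remote: 11.1.1.1/500, Local IKE-ID: "
    "Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Initiator",
]

# Constructed listings: one holds the expected id, the other a different (made-up) id.
PKI_LISTING_MATCH = "Certificate identifier: Partner1_Certificate_ID\n  Issued to: OU=Sales\n"
PKI_LISTING_MISMATCH = "Certificate identifier: spoke1\n  Issued to: OU=Sales\n"

if __name__ == "__main__":
    for f in triage(SPOKE_CONFIG, PKI_LISTING_MISMATCH, SPOKE_KMD_LOG):
        print(f"{f['gateway']}: policy {f['policy']} expects '{f['certificate_id']}', "
              f"store has {f['present_ids']} -> {f['status']}")
```

Paste the real `show | display set`, `show security pki local-certificate` and kmd log output into the three inputs; a gateway whose configured id is reported as present but still fails points at the key pair itself rather than the config reference.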