Hi All!
I am building a pilot VPN project with AutoVPN technology on an SRX 240 (hub) and SRX 210 (spokes) with software version 12.1X44-D40.2.
After configuring the devices and installing certificates, the VPN works fine, but after a reboot of the spoke devices IKE shows the error "No private key found". When I re-install the certificate on the spoke with the command:
request security pki local-certificate load certificate-id cert-srx2 filename /var/home/xxxxx/certs/cert-srx2.cer
Local certificate loaded successfully
the VPN resumes working.
Does anyone have a similar problem? Thanks.
KMD log:
[Nov 21 17:25:02]iked_pm_ike_spd_notify_request: Sending Initial contact
[Nov 21 17:25:02]ssh_ike_connect: Start, remote_name = XXX.XXX.XXX.2:500, xchg = 2, flags = 00090000
[Nov 21 17:25:02]ike_sa_allocate: Start, SA = { b822e07c 17066316 - 00000000 00000000 }
[Nov 21 17:25:02]ike_init_isakmp_sa: Start, remote = XXX.XXX.XXX.2:500, initiator = 1
[Nov 21 17:25:02]ssh_ike_connect: SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1
[Nov 21 17:25:02]ike_st_o_sa_proposal: Start
[Nov 21 17:25:02]ike_policy_reply_isakmp_vendor_ids: Start
[Nov 21 17:25:02]ike_st_o_private: Start
[Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
[Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - 00000000 00000000 } / 00000000, nego = -1
[Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - 00000000 00000000}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
[Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7000 from freelist
[Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
[Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
[Nov 21 17:25:02]ike_sa_find: Not found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
[Nov 21 17:25:02]ike_sa_find_half: Found half SA = { b822e07c 17066316 - 00000000 00000000 }
[Nov 21 17:25:02]ike_sa_upgrade: Start, SA = { b822e07c 17066316 - 00000000 00000000 } -> { ... - fd9ba49a 67fb0246 }
[Nov 21 17:25:02]ike_decode_packet: Start
[Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
[Nov 21 17:25:02]ike_decode_payload_sa: Start
[Nov 21 17:25:02]ike_decode_payload_t: Start, # trans = 1
[Nov 21 17:25:02]ike_st_i_sa_value: Start
[Nov 21 17:25:02]ike_st_i_cr: Start
[Nov 21 17:25:02]ike_st_i_cert: Start
[Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Nov 21 17:25:02]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Nov 21 17:25:02]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Nov 21 17:25:02]ike_st_i_private: Start
[Nov 21 17:25:02]ike_st_o_ke: Start
[Nov 21 17:25:02]ike_st_o_nonce: Start
[Nov 21 17:25:02]ike_policy_reply_isakmp_nonce_data_len: Start
[Nov 21 17:25:02]ssh_policy_get_certificate_authority_recv_ipc context <00de7740>.
[Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
[Nov 21 17:25:02]got cert authority 1 callback<007d5774>.
[Nov 21 17:25:02]ike_policy_reply_get_cas: Start
[Nov 21 17:25:02]ike_st_o_private: Start
[Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
[Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
[Nov 21 17:25:02]ike_policy_reply_private_payload_out: Start
[Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, nego = -1
[Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1, dst = XXX.XXX.XXX.2:500, routing table id = 0
[Nov 21 17:25:02]ikev2_packet_allocate: Allocated packet da7400 from freelist
[Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
[Nov 21 17:25:02]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Nov 21 17:25:02]ike_get_sa: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246 } / 00000000, remote = XXX.XXX.XXX.2:500
[Nov 21 17:25:02]ike_sa_find: Found SA = { b822e07c 17066316 - fd9ba49a 67fb0246 }
[Nov 21 17:25:02]ike_decode_packet: Start
[Nov 21 17:25:02]ike_decode_packet: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246} / 00000000, nego = -1
[Nov 21 17:25:02]ike_st_i_nonce: Start, nonce[0..16] = 409e551a 405fb30b ...
[Nov 21 17:25:02]ike_st_i_ke: Ke[0..128] = ff81f3dc 35e967e2 ...
[Nov 21 17:25:02]ike_st_i_cr: Start
[Nov 21 17:25:02]ike_st_i_cert: Start
[Nov 21 17:25:02]ike_st_i_private: Start
[Nov 21 17:25:02]ike_st_o_id: Start
[Nov 21 17:25:02]ike_st_o_certs_base: Start
[Nov 21 17:25:02]ike_find_private_key: Find private key for XXX.XXX.XXX.42:500, id = der_asn1_dn(any:0,[0..135]=C=XX, DC=XXXXXX, DC=XX, L=XXXXXX, O=XXXXX, OU=XXXXXXX, CN=XXXXXX) -> XXX.XXX.XXX.2:500, id = No Id
[Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Nov 21 17:25:02]ike_policy_reply_find_private_key: Start
[Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
[Nov 21 17:25:02]ike_state_restart_packet: Start, restart packet SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = -1
[Nov 21 17:25:02]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Authentication failed
[Nov 21 17:25:02] IKEv1 Error : Authentication failed
[Nov 21 17:25:02]IPSec Rekey for SPI 0x0 failed
[Nov 21 17:25:02]IPSec SA done callback called for sa-cfg MF-IPSEC-VPN local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status Authentication failed
[Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
[Nov 21 17:25:02]ike_alloc_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}
[Nov 21 17:25:02]ike_encode_packet: Start, SA = { 0xb822e07c 17066316 - fd9ba49a 67fb0246 } / 88959731, nego = 0
[Nov 21 17:25:02]ike_send_packet: Start, send SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0, dst = XXX.XXX.XXX.2:500, routing table id = 0
[Nov 21 17:25:02]ike_delete_negotiation: Start, SA = { b822e07c 17066316 - fd9ba49a 67fb0246}, nego = 0
[Nov 21 17:25:02]ike_free_negotiation_info: Start, nego = 0
[Nov 21 17:25:02]ike_free_negotiation: Start, nego = 0
Tags: AutoVPN, pki, SRX
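An added example, not part of the original post and not Juniper code: a small parser that turns the raw kmd/iked trace above into structured failure events, so a NOC can alert on "spoke cannot find the private key for its local certificate" instead of grepping for "Authentication failed". The regexes only cover the line shapes visible in the posted trace (ike_find_private_key, the lookup-failed callback, the "{ cookies } IP; <diagnostic>" lines and "IKE negotiation fail for ..."); the sample log is a trimmed copy of the post's trace with the same placeholders, plus one constructed extra negotiation with a made-up status to show that diagnostics do not leak from one negotiation into the next. The remediation text quotes the command the poster used; everything else about the device state is an assumption.

```python
"""Turn a Junos kmd/iked trace into actionable IKE failure events.

Added example, not from the original post or from Juniper. The regexes
cover only the line formats visible in the posted trace; anything else
is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: trimmed from the spoke trace in the post (XXX.XXX.XXX.42 is the
# spoke, XXX.XXX.XXX.2 the hub). The last line is a constructed second negotiation
# with a made-up status, included only to exercise the "no diagnostic" path.
SAMPLE_KMD_LOG = """\
[Nov 21 17:25:02]ike_st_o_id: Start
[Nov 21 17:25:02]ike_st_o_certs_base: Start
[Nov 21 17:25:02]ike_find_private_key: Find private key for XXX.XXX.XXX.42:500, id = der_asn1_dn(any:0,[0..135]=C=XX, DC=XXXXXX, DC=XX, L=XXXXXX, O=XXXXX, OU=XXXXXXX, CN=XXXXXX) -> XXX.XXX.XXX.2:500, id = No Id
[Nov 21 17:25:02]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Nov 21 17:25:02]ike_policy_reply_find_private_key: Start
[Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; No private key found
[Nov 21 17:25:02]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Authentication failed
[Nov 21 17:25:02] IKEv1 Error : Authentication failed
[Nov 21 17:25:02]XXX.XXX.XXX.42:500 (Initiator) <-> XXX.XXX.XXX.2:500 { b822e07c 17066316 - fd9ba49a 67fb0246 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
[Nov 21 17:30:00]IKE negotiation fail for local:XXX.XXX.XXX.42, remote:XXX.XXX.XXX.2 IKEv1 with status: Timed out
"""

TS_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
# DN iked searched a private key for; the DN itself contains '=' and ',' so stop at ') -> '.
FIND_KEY_RE = re.compile(
    r"ike_find_private_key: Find private key for (\S+), id = der_asn1_dn\([^=]*=(.*?)\) -> ([^,]+), id = "
)
LOOKUP_ERR_RE = re.compile(r"Private key/Certificate lookup failed, error '([^']+)'")
# "{ icookie - rcookie [nego] / msgid } IP; <diagnostic>"
DIAG_RE = re.compile(
    r"\{ ([0-9a-f]{8} [0-9a-f]{8}) - ([0-9a-f]{8} [0-9a-f]{8}) \[[^\]]*\] / 0x[0-9a-f]+ \} IP; (.+)$"
)
FAIL_RE = re.compile(r"IKE negotiation fail for local:([^,]+), remote:(\S+) (IKEv\d) with status: (.+)$")


@dataclass
class IkeFailure:
    timestamp: str
    local: str
    remote: str
    version: str
    status: str
    cause: Optional[str] = None            # diagnostic logged just before the failure
    lookup_error: Optional[str] = None     # error from the certificate/key lookup callback
    cert_dn: Optional[str] = None          # subject DN iked tried to find a key for
    initiator_cookie: Optional[str] = None
    responder_cookie: Optional[str] = None


def parse_kmd_log(text: str) -> List[IkeFailure]:
    """Collect diagnostics per negotiation and emit one event per 'IKE negotiation fail' line."""
    failures: List[IkeFailure] = []
    ctx: Dict[str, str] = {}  # diagnostics seen since the last failure line
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if (k := FIND_KEY_RE.search(msg)):
            ctx["cert_dn"] = k.group(2).strip()
        elif (e := LOOKUP_ERR_RE.search(msg)):
            ctx["lookup_error"] = e.group(1)
        elif (d := DIAG_RE.search(msg)):
            icookie, rcookie, diag = d.groups()
            if diag.startswith("Error ="):
                continue  # post-mortem echo of the status; carries no new cause
            ctx.update(cause=diag, initiator_cookie=icookie, responder_cookie=rcookie)
        elif (f := FAIL_RE.search(msg)):
            local, remote, version, status = f.groups()
            failures.append(IkeFailure(ts, local, remote, version, status.strip(), **ctx))
            ctx = {}  # the next negotiation must not inherit this one's diagnostics
    return failures


def remediation(f: IkeFailure) -> str:
    """Operator-facing hint; the reload command is the one from the post."""
    if f.cause == "No private key found":
        return (
            f"{f.local}: iked found no private key matching the local certificate "
            f"(subject {f.cert_dn or 'unknown'}, lookup error {f.lookup_error or 'n/a'}); "
            "check the key pair / local certificate on this device and reload it with "
            "'request security pki local-certificate load certificate-id <id> filename <file>'"
        )
    return f"{f.local} -> {f.remote}: {f.version} {f.status} (no key/cert diagnostic preceded it)"


if __name__ == "__main__":
    for event in parse_kmd_log(SAMPLE_KMD_LOG):
        print(f"[{event.timestamp}] {event.status}: {remediation(event)}")
```

Feed it the kmd trace (traceoptions output) instead of the sample string; only the "IKE negotiation fail" lines become events, and the "No private key found" cause is attached only when it was logged in the same negotiation, which is exactly the symptom in the post.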