SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Issues with signed certificate on Juniper Secure Connect (IKEv2)

    Posted 12 days ago
    Edited by Lars Kristensson 11 days ago

    I'm setting up a Juniper Secure Connect configuration for the first time.

    I've got it to work with IKEv1 and pre-shared-keys, but I'm now trying to get it to work with IKEv2 and a signed certificate.

    I've loaded the local and CA certificates on the SRX, and I've added the CA certificates to the Juniper Secure Connect client folder per this article:
    Install Juniper Secure Connect on Windows

    I've gotten it so far that it connects, but then it asks me for the "PIN of your certificate":

    No matter what PIN I enter, it then gives me the following screen:

    I'm not sure why this PIN is needed or which certificate file it can't find. I haven't set any PIN on any certificate.

    I'm using credentials for login, and not a user certificate, so there should be no additional certificate needed on the client side.

    The last lines in the client Log Book are:

    2024-09-28 19:19:25 - Configuration download: Login success
    2024-09-28 19:19:25 - Configuration download: Configuration time not changed
    2024-09-28 19:19:25 - Configuration download: Logout success
    2024-09-28 19:19:25 - Configuration download: Logout - no new configuration imported
    2024-09-28 19:19:26 - SUCCESS - MONITOR: Configuration download -> Configuration is up to date
    2024-09-28 19:19:26 - MONITOR: Configuration download -> Save credentials for "[censured]"
    2024-09-28 19:19:26 - INFO - MONITOR: Configuration download -> Start vpn connection
    2024-09-28 19:19:27 - System: Setting NCP virtual adapter linkstatus=0,laststate=0.
    2024-09-28 19:19:27 - ncpadapter: reset IP adapter properties
    2024-09-28 19:19:27 - ncpadapter: reset ipv4 properties,ip4adr=0.0.0.0
    2024-09-28 19:19:27 - ncpadapter: reset_ip4_properties, manual=0
    2024-09-28 19:19:27 - System: DNSHandling=0
    2024-09-28 19:19:27 - IPSec: Start building connection
    2024-09-28 19:19:27 - IPSec: Connecting and Pin is not entered

    What am I missing?


    ------------------------------
    Lars Kristensson
    ------------------------------



  • 2.  RE: Issues with signed certificate on Juniper Secure Connect (IKEv2)

    Posted 10 days ago

    Can you share some PKI traceoptions logs and also the "show configuration PKI" output?



    ------------------------------
    -Slicerpro
    ------------------------------



  • 3.  RE: Issues with signed certificate on Juniper Secure Connect (IKEv2)

    Posted 7 days ago

    I figured out what the problem was.

    I had not set the option no-eap-tls under [security remote-access client-config vpn-client-config].

    This caused the Juniper Secure Connect client to ask for a certificate PIN before checking the existence of such a certificate.



    ------------------------------
    Lars Kristensson
    ------------------------------