SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'

  • 1.  ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'

    Posted 12-25-2014 06:42

    Hello,

    We have a problem with VPN connectivity after reboot or accidental power loss of our SRX100.

    When the device is booted, the VPN tunnel does not reconnect automatically; the connection stays in state DOWN. After we run the CLI command 'restart ipsec-key-management', everything returns to the normal state.

    How can we solve this problem?

    P.S. The problem is not observed on the firmware version [11.4R12.4]

    Hardware: SRX100H
    Firmware: JUNOS Software Release [12.1X44-D40.2]

    SRX650 XXX.XXX.107.2 <- ipsec -> SRX100 YYY.YYY.130.86

    Config SRX650:

    [...]
    security {
        ike {
            policy SLAV-EX {
                mode main;
                proposals AES-MD5;
                certificate {
                    local-certificate vpn;
                    peer-certificate-type x509-signature;
                }
            }
    [...]
            gateway Regions-FW-01 {
                ike-policy SLAV-EX;
                dynamic {
                    distinguished-name {
                        container "O=Company";
                    }
                }
                nat-keepalive 5;
                local-identity distinguished-name;
                external-interface reth0.300;
            }
        }
    }
    [...]
        ipsec {
            policy SLAV-EX {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals AES-MD5;
            }
    [...]
            vpn pri-USSUR-FW-01-pri {
                bind-interface st0.0;
                vpn-monitor;
                ike {
                    gateway Regions-FW-01;
                    proxy-identity {
                        remote 10.0.0.70/32;
                    }
                    ipsec-policy SLAV-EX;
                }
                establish-tunnels immediately;
            }
    [...]

    verify certificate:

    user@headqr.gate.slav-ex.ru> show security pki ca-certificate ca-profile ca-profile1
    node0:
    --------------------------------------------------------------------------
    
    Certificate identifier: ca-profile1
      Issued to: Company, Issued by: CN = Company
      Validity:
        Not before: 01- 5-2010 12:54 UTC
        Not after: 12-24-2019 11:25 UTC
      Public key algorithm: rsaEncryption(2048 bits)
    
    user@headqr.gate.slav-ex.ru> show security pki local-certificate certificate-id vpn
    node0:
    --------------------------------------------------------------------------
    
    Certificate identifier: vpn
      Issued to: headqr-GW01, Issued by: CN = Company
      Validity:
        Not before: 10- 2-2014 12:54 UTC
        Not after: 01- 5-2015 13:04 UTC
      Public key algorithm: rsaEncryption(2048 bits)
    
    user@headqr.gate.slav-ex.ru> request security pki local-certificate verify certificate-id vpn
    node0:
    --------------------------------------------------------------------------
    Local certificate vpn verification success

     
    Config SRX100:

    security {
        ike {
            traceoptions {
                file ike-debug size 10m;
                flag all;
            }
            policy SLAV-EX {
                mode main;
                proposals AES-MD5;
                certificate {
                    local-certificate vpn;
                }
            }
    [...]
            gateway pri-hq-pri {
                ike-policy SLAV-EX;
                address XXX.XXX.107.2;
                local-identity distinguished-name;
                remote-identity distinguished-name container DC=headqr.gate.slav-ex.ru;
                external-interface fe-0/0/0.0;
            }
        }
    }
    [...]
        ipsec {
            traceoptions {
                flag all;
            }
            policy SLAV-EX {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposals AES-MD5;
            }
    [...]
            vpn pri-hq-pri {
                bind-interface st0.0;
                vpn-monitor;
                ike {
                    gateway pri-hq-pri;
                    proxy-identity {
                        remote 10.0.0.70/32;
                    }
                    ipsec-policy SLAV-EX;
                }
                establish-tunnels immediately;
            }
    [...]

     

    verify certificate:

    user@branch.domain.ru> show security pki ca-certificate ca-profile ca-profile1
    Certificate identifier: ca-profile1
      Issued to: Company, Issued by: CN = Company
      Validity:
        Not before: 01- 5-2010 12:54 UTC
        Not after: 12-24-2019 11:25 UTC
      Public key algorithm: rsaEncryption(2048 bits)
    
    user@branch.domain.ru> show security pki local-certificate certificate-id vpn
    Certificate identifier: vpn
      Issued to: ussur-GW01, Issued by: CN = Company
      Validity:
        Not before: 12-24-2014 12:44 UTC
        Not after: 12-23-2016 12:44 UTC
      Public key algorithm: rsaEncryption(2048 bits)
    
    user@branch.domain.ru> request security pki local-certificate vp
                                                                               ^
    syntax error, expecting <command>.
    user@branch.domain.ru> request security pki local-certificate verify certificate-id vpn
    Local certificate vpn verification success
    

     
    Trace SRX100 (ike-debug)

    [Dec 24 23:08:53]ikev2_packet_allocate: Allocated packet dc6800 from freelist
    [Dec 24 23:08:54]ike_sa_find: Not found SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba }
    [Dec 24 23:08:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Dec 24 23:08:54]ike_get_sa: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba } / 00000000, remote = XXX.XXX.107.2:500
    [Dec 24 23:08:54]ike_sa_find: Not found SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba }
    [Dec 24 23:08:54]ike_sa_find_half: Found half SA = { 61b428b3 0607af18 - 00000000 00000000 }
    [Dec 24 23:08:54]ike_sa_upgrade: Start, SA = { 61b428b3 0607af18 - 00000000 00000000 } -> { ... - d0d571c0 c6cbd0ba }
    [Dec 24 23:08:54]ike_decode_packet: Start
    [Dec 24 23:08:54]ike_decode_packet: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba} / 00000000, nego = -1
    [Dec 24 23:08:54]ike_decode_payload_sa: Start
    [Dec 24 23:08:54]ike_decode_payload_t: Start, # trans = 1
    [Dec 24 23:08:54]ike_st_i_sa_value: Start
    [Dec 24 23:08:54]ike_st_i_cr: Start
    [Dec 24 23:08:54]ike_st_i_cert: Start
    [Dec 24 23:08:54]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
    [Dec 24 23:08:54]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
    [Dec 24 23:08:54]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
    [Dec 24 23:08:54]ike_st_i_private: Start
    [Dec 24 23:08:54]ike_st_o_ke: Start
    [Dec 24 23:08:54]ike_st_o_nonce: Start
    [Dec 24 23:08:54]ike_policy_reply_isakmp_nonce_data_len: Start
    [Dec 24 23:08:54]ssh_policy_get_certificate_authority_recv_ipc context <00e90ac0>.
    [Dec 24 23:08:54]got cert authority 1 callback<007d5774>.
    [Dec 24 23:08:54]got cert authority 1 callback<007d5774>.
    [Dec 24 23:08:54]ike_policy_reply_get_cas: Start
    [Dec 24 23:08:54]ike_st_o_private: Start
    [Dec 24 23:08:54]ike_policy_reply_private_payload_out: Start
    [Dec 24 23:08:54]ike_policy_reply_private_payload_out: Start
    [Dec 24 23:08:54]ike_policy_reply_private_payload_out: Start
    [Dec 24 23:08:54]ike_encode_packet: Start, SA = { 0x61b428b3 0607af18 - d0d571c0 c6cbd0ba } / 00000000, nego = -1
    [Dec 24 23:08:54]ike_send_packet: Start, send SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba}, nego = -1, dst = XXX.XXX.107.2:500,  routing table id = 4
    [Dec 24 23:08:54]ikev2_packet_allocate: Allocated packet dc6c00 from freelist
    [Dec 24 23:08:54]ike_sa_find: Found SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b }
    [Dec 24 23:08:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Dec 24 23:08:54]ike_get_sa: Start, SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b } / 00000000, remote = XXX.XXX.107.2:500
    [Dec 24 23:08:54]ike_sa_find: Found SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b }
    [Dec 24 23:08:54]ike_decode_packet: Start
    [Dec 24 23:08:54]ike_decode_packet: Start, SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b} / 00000000, nego = -1
    [Dec 24 23:08:54]ike_st_i_nonce: Start, nonce[0..16] = 7d963359 9721ac8e ...
    [Dec 24 23:08:54]ike_st_i_ke: Ke[0..128] = f2f283b7 a324a65c ...
    [Dec 24 23:08:54]ike_st_i_cr: Start
    [Dec 24 23:08:54]ike_st_i_cert: Start
    [Dec 24 23:08:54]ike_st_i_private: Start
    [Dec 24 23:08:54]ike_st_o_id: Start
    [Dec 24 23:08:54]ike_st_o_certs_base: Start
    [Dec 24 23:08:54]ike_find_private_key: Find private key for YYY.YYY.130.86:500, id = der_asn1_dn(any:0,[0..141]=C=RU, DC=branch.domain.ru, ST=Vostok, O=Company, OU=IT Department, CN=ussur-GW01) -> XXX.XXX.107.2:500, id = No Id
    [Dec 24 23:08:54]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
    [Dec 24 23:08:54]ike_policy_reply_find_private_key: Start
    [Dec 24 23:08:54]YYY.YYY.130.86:500 (Initiator) <-> XXX.XXX.107.2:500 { 1f44ec76 827e0a7a - f0fa338c 9290fa2b [-1] / 0x00000000 } IP; No private key found
    [Dec 24 23:08:54]ike_state_restart_packet: Start, restart packet SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b}, nego = -1
    [Dec 24 23:08:54]IKE negotiation fail for local:YYY.YYY.130.86, remote:XXX.XXX.107.2 IKEv1 with status: Authentication failed
    [Dec 24 23:08:54]  IKEv1 Error : Authentication failed
    [Dec 24 23:08:54]IPSec Rekey for SPI 0x0 failed
    [Dec 24 23:08:54]IPSec SA done callback called for sa-cfg sec-hq-pri local:YYY.YYY.130.86, remote:XXX.XXX.107.2 IKEv1 with status Authentication failed
    [Dec 24 23:08:54]YYY.YYY.130.86:500 (Initiator) <-> XXX.XXX.107.2:500 { 1f44ec76 827e0a7a - f0fa338c 9290fa2b [-1] / 0x00000000 } IP; Error = Authentication failed (24)
    [Dec 24 23:08:54]ike_alloc_negotiation: Start, SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b}
    [Dec 24 23:08:54]ike_encode_packet: Start, SA = { 0x1f44ec76 827e0a7a - f0fa338c 9290fa2b } / eeba5c0f, nego = 0
    [Dec 24 23:08:54]ike_send_packet: Start, send SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b}, nego = 0, dst = XXX.XXX.107.2:500,  routing table id = 5
    [Dec 24 23:08:54]ike_delete_negotiation: Start, SA = { 1f44ec76 827e0a7a - f0fa338c 9290fa2b}, nego = 0
    [Dec 24 23:08:54]ike_free_negotiation_info: Start, nego = 0
    [Dec 24 23:08:54]ike_free_negotiation: Start, nego = 0
    [Dec 24 23:08:54]ikev2_packet_allocate: Allocated packet dc7000 from freelist
    [Dec 24 23:08:54]ike_sa_find: Found SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba }
    [Dec 24 23:08:54]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
    [Dec 24 23:08:54]ike_get_sa: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba } / 00000000, remote = XXX.XXX.107.2:500
    [Dec 24 23:08:54]ike_sa_find: Found SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba }
    [Dec 24 23:08:54]ike_decode_packet: Start
    [Dec 24 23:08:54]ike_decode_packet: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba} / 00000000, nego = -1
    [Dec 24 23:08:54]ike_st_i_nonce: Start, nonce[0..16] = da0faeda 4854667f ...
    [Dec 24 23:08:54]ike_st_i_ke: Ke[0..128] = 0f7ece9e 1b5ea068 ...
    [Dec 24 23:08:54]ike_st_i_cr: Start
    [Dec 24 23:08:54]ike_st_i_cert: Start
    [Dec 24 23:08:54]ike_st_i_private: Start
    [Dec 24 23:08:54]ike_st_o_id: Start
    [Dec 24 23:08:54]ike_st_o_certs_base: Start
    [Dec 24 23:08:54]ike_find_private_key: Find private key for 37.28.190.46:500, id = der_asn1_dn(any:0,[0..141]=C=RU, DC=branch.domain.ru, ST=Vostok, O=Company, OU=IT Department, CN=ussur-GW01) -> XXX.XXX.107.2:500, id = No Id
    [Dec 24 23:08:54]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
    [Dec 24 23:08:54]ike_policy_reply_find_private_key: Start
    [Dec 24 23:08:54]37.28.190.46:500 (Initiator) <-> XXX.XXX.107.2:500 { 61b428b3 0607af18 - d0d571c0 c6cbd0ba [-1] / 0x00000000 } IP; No private key found
    [Dec 24 23:08:54]ike_state_restart_packet: Start, restart packet SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba}, nego = -1
    [Dec 24 23:08:54]IKE negotiation fail for local:37.28.190.46, remote:XXX.XXX.107.2 IKEv1 with status: Authentication failed
    [Dec 24 23:08:54]  IKEv1 Error : Authentication failed
    [Dec 24 23:08:54]IPSec Rekey for SPI 0x0 failed
    [Dec 24 23:08:54]IPSec SA done callback called for sa-cfg pri-hq-pri local:37.28.190.46, remote:XXX.XXX.107.2 IKEv1 with status Authentication failed
    [Dec 24 23:08:54]37.28.190.46:500 (Initiator) <-> XXX.XXX.107.2:500 { 61b428b3 0607af18 - d0d571c0 c6cbd0ba [-1] / 0x00000000 } IP; Error = Authentication failed (24)
    [Dec 24 23:08:54]ike_alloc_negotiation: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba}
    [Dec 24 23:08:54]ike_encode_packet: Start, SA = { 0x61b428b3 0607af18 - d0d571c0 c6cbd0ba } / ac237ef5, nego = 0
    [Dec 24 23:08:54]ike_send_packet: Start, send SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba}, nego = 0, dst = XXX.XXX.107.2:500,  routing table id = 4
    [Dec 24 23:08:54]ike_delete_negotiation: Start, SA = { 61b428b3 0607af18 - d0d571c0 c6cbd0ba}, nego = 0
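
As an added example (not code from this thread or from Juniper), a small Python triage script for the two artefacts the post above shows: the ike-debug trace and the `show security pki local-certificate` output. It correlates each `ike_find_private_key` attempt with the `Private key/Certificate lookup failed` and `No private key found` lines that follow it and with the negotiation result, so a log-monitoring job can flag this failure pattern after a reboot instead of waiting for someone to notice the tunnel is DOWN. It also classifies a local certificate's validity window against a reference clock, because `request security pki local-certificate verify` only answers for the moment it is run. The trace sample's addresses and the `branch.example` DN are constructed; the certificate dates are the ones the poster shows for the SRX650, reused here as sample input.

```python
"""Triage helpers for the IKEv1 certificate-auth failure discussed in the post.

1. triage_ike_trace()    scans ike-debug trace lines and returns one record per
   negotiation in which the private-key lookup failed.
2. check_cert_validity() parses 'show security pki local-certificate' output and
   classifies the certificate against a reference clock.
"""
import re
from datetime import datetime, timezone

# --- 1. trace triage ---------------------------------------------------------
TRACE_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\](?P<msg>.*)$")
PRIVKEY_LOOKUP = re.compile(
    r"ike_find_private_key: Find private key for (?P<local>[^\s,]+), "
    r"id = der_asn1_dn\(any:\d+,\[\d+\.\.\d+\]=(?P<dn>[^)]*)\) -> (?P<remote>[^\s,]+)"
)
NO_PRIVKEY = re.compile(
    r"\{ (?P<cookies>[0-9a-f]{8} [0-9a-f]{8} - [0-9a-f]{8} [0-9a-f]{8}) "
    r"\[-?\d+\] / 0x[0-9a-f]+ \} IP; No private key found"
)
NEGO_FAIL = re.compile(
    r"IKE negotiation fail for local:(?P<local>[^\s,]+), remote:(?P<remote>[^\s,]+) "
    r"IKEv1 with status: (?P<status>.+)$"
)
LOOKUP_FAILED = "ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed"


def triage_ike_trace(lines):
    """Correlate lookup attempt, callback failure, SA cookies and final result.

    The daemon logs these four messages in that order for one negotiation, so a
    simple in-order state machine is enough; a new lookup attempt starts a new
    pending record and discards an unfinished one.
    """
    events, pending = [], None
    for raw in lines:
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        lk = PRIVKEY_LOOKUP.search(msg)
        if lk:
            pending = {"ts": ts, "local": lk["local"], "remote": lk["remote"],
                       "local_dn": lk["dn"], "lookup_failed": False, "cookies": None}
            continue
        if pending is None:
            continue
        if msg.startswith(LOOKUP_FAILED):
            pending["lookup_failed"] = True
            continue
        np = NO_PRIVKEY.search(msg)
        if np:
            pending["cookies"] = np["cookies"]
            continue
        nf = NEGO_FAIL.search(msg)
        if nf:
            pending["status"] = nf["status"].strip()
            if pending["lookup_failed"]:
                events.append(pending)
            pending = None
    return events


# --- 2. certificate validity -------------------------------------------------
IDENT = re.compile(r"Certificate identifier: (?P<id>\S+)")
VALIDITY = re.compile(  # Junos prints e.g. '01- 5-2015 13:04 UTC' (space-padded day)
    r"Not (?P<which>before|after):\s*(?P<mon>\d{1,2})-\s*(?P<day>\d{1,2})-(?P<year>\d{4}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}) UTC"
)


def parse_local_cert(text):
    """Extract identifier and validity window from show-command output."""
    cert = {"id": None, "not_before": None, "not_after": None}
    m = IDENT.search(text)
    if m:
        cert["id"] = m["id"]
    for v in VALIDITY.finditer(text):
        cert["not_" + v["which"]] = datetime(int(v["year"]), int(v["mon"]), int(v["day"]),
                                             int(v["hh"]), int(v["mm"]), tzinfo=timezone.utc)
    return cert


def check_cert_validity(text, now, warn_days=30):
    """Return (status, days_to_not_after); 'now' is a tz-aware datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cert = parse_local_cert(text)
    if cert["not_before"] is None or cert["not_after"] is None:
        raise ValueError("validity window not found in output")
    days = (cert["not_after"] - now).days  # negative once expired
    if now < cert["not_before"]:
        return "not-yet-valid", days        # device clock behind the cert
    if now >= cert["not_after"]:
        return "expired", days
    if days < warn_days:
        return "expiring-soon", days
    return "valid", days


# Constructed sample trace: RFC 5737 addresses and a made-up DN, message formats
# copied from the ike-debug lines in the post.
SAMPLE_TRACE = """\
[Dec 24 23:08:54]ike_st_o_certs_base: Start
[Dec 24 23:08:54]ike_find_private_key: Find private key for 192.0.2.86:500, id = der_asn1_dn(any:0,[0..141]=C=RU, DC=branch.example, O=Company, CN=ussur-GW01) -> 198.51.100.2:500, id = No Id
[Dec 24 23:08:54]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Dec 24 23:08:54]ike_policy_reply_find_private_key: Start
[Dec 24 23:08:54]192.0.2.86:500 (Initiator) <-> 198.51.100.2:500 { 1f44ec76 827e0a7a - f0fa338c 9290fa2b [-1] / 0x00000000 } IP; No private key found
[Dec 24 23:08:54]IKE negotiation fail for local:192.0.2.86, remote:198.51.100.2 IKEv1 with status: Authentication failed
[Dec 24 23:08:54]ike_find_private_key: Find private key for 192.0.2.86:500, id = der_asn1_dn(any:0,[0..141]=C=RU, DC=branch.example, O=Company, CN=ussur-GW01) -> 198.51.100.2:500, id = No Id
[Dec 24 23:08:54]ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
[Dec 24 23:08:54]192.0.2.86:500 (Initiator) <-> 198.51.100.2:500 { 61b428b3 0607af18 - d0d571c0 c6cbd0ba [-1] / 0x00000000 } IP; No private key found
[Dec 24 23:08:54]IKE negotiation fail for local:192.0.2.86, remote:198.51.100.2 IKEv1 with status: Authentication failed
""".splitlines()

# Validity block as printed on the SRX650 in the post (dates copied from there).
SAMPLE_CERT = """\
Certificate identifier: vpn
  Issued to: headqr-GW01, Issued by: CN = Company
  Validity:
    Not before: 10- 2-2014 12:54 UTC
    Not after: 01- 5-2015 13:04 UTC
  Public key algorithm: rsaEncryption(2048 bits)
"""
POST_TIME = datetime(2014, 12, 25, 6, 42, tzinfo=timezone.utc)  # when the question was posted

if __name__ == "__main__":
    for ev in triage_ike_trace(SAMPLE_TRACE):
        print(f"{ev['ts']} {ev['local']} -> {ev['remote']} SA {{ {ev['cookies']} }}: "
              f"{ev['status']} (no private key for {ev['local_dn']})")
    print(check_cert_validity(SAMPLE_CERT, POST_TIME))
```

Run against the SRX650 certificate output with the post's own timestamp as the clock, the check reports expiring-soon with 11 days left. That is a separate housekeeping item from the software defect in the PR referenced in the answer, but it is the kind of thing a periodic check catches while a one-off verify still says success.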

     



  • 2.  RE: ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
    Best Answer

    Posted 12-25-2014 21:59

    Hi Shai-Hulud,


    I worked on a similar issue last month and engineering has fixed it.

     

    This issue has been resolved in the upcoming Junos releases.

     

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1032840

     

    The following Junos releases have a fix for this problem:

     

    12.1X44-D45 12.1X46-D30 12.1X47-D20 12.3X48-D10


    Regards,

    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too