09-03-2010 05:43 PM
I have had no trouble building PSK-authenticated tunnels between my SRX and NS50(s), but I cannot seem to get certificate-based VPNs to work at all. I have gone through all of the guides (including the one where the two devices' names are only one character different!!!), and still cannot make it work.
If someone has a working config of either end of this setup, tell me what you did and what the "gotchas" are.
09-06-2010 02:32 AM
This works fine, but I only tried with certs generated from the same server.
Please make sure to use DNS names both devices can resolve in your certs.
Which kind of error do you have in the logs? (Phase 1 auth, I assume, as PSK works fine.)
Did you try the "debug pki" commands?
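As an added worked example (not the poster's configuration and not from either vendor's documentation), here is what the SRX side of the setup the reply describes looks like in Junos set-format: a CA profile for each issuing CA, a local certificate whose CN/SAN is a resolvable FQDN, an IKE proposal using rsa-signatures, and the traceoptions used to read the phase 1 result. Every name, address, interface, and file path below (my-ca, peer-ca, srx210-cert, 203.0.113.10, ge-0/0/0.0, /var/tmp/...) is a placeholder assumption; replace them with your own. Because the two certs in this thread come from different internal CAs, trusted-ca in the IKE policy points at the profile holding the peer's issuing CA, not the local one.

```junos
# --- one-time operational steps (not configuration) ---
# Load both CA certificates; one profile per issuing CA (assumed file names).
request security pki ca-certificate load ca-profile my-ca   filename /var/tmp/my-ca.pem
request security pki ca-certificate load ca-profile peer-ca filename /var/tmp/peer-ca.pem

# Generate the SRX key pair and a CSR whose CN and SAN are the DNS name the peer can resolve.
request security pki generate-key-pair certificate-id srx210-cert size 2048 type rsa
request security pki generate-certificate-request certificate-id srx210-cert domain-name srx210.example.net subject "CN=srx210.example.net" filename /var/tmp/srx210.csr
# ... sign the CSR on your CA, then load the issued certificate:
request security pki local-certificate load certificate-id srx210-cert filename /var/tmp/srx210.crt

# --- configuration ---
set security pki ca-profile my-ca   ca-identity my-ca
set security pki ca-profile my-ca   revocation-check disable
set security pki ca-profile peer-ca ca-identity peer-ca
set security pki ca-profile peer-ca revocation-check disable

set security ike proposal ike-cert-prop authentication-method rsa-signatures
set security ike proposal ike-cert-prop dh-group group2
set security ike proposal ike-cert-prop authentication-algorithm sha1
set security ike proposal ike-cert-prop encryption-algorithm aes-128-cbc

set security ike policy ike-cert-pol mode main
set security ike policy ike-cert-pol proposals ike-cert-prop
set security ike policy ike-cert-pol certificate local-certificate srx210-cert
set security ike policy ike-cert-pol certificate peer-certificate-type x509-signature
# Validate the NS50's certificate against the CA that actually issued it.
set security ike policy ike-cert-pol certificate trusted-ca peer-ca

set security ike gateway ns50-gw ike-policy ike-cert-pol
set security ike gateway ns50-gw address 203.0.113.10
set security ike gateway ns50-gw external-interface ge-0/0/0.0
# IKE IDs must match the names in the certificates, on both ends.
set security ike gateway ns50-gw local-identity  hostname srx210.example.net
set security ike gateway ns50-gw remote-identity hostname ns50.example.net

# --- tracing for the phase 1 failure the reply asks about ---
set security ike traceoptions file ike-trace
set security ike traceoptions flag all
set security pki traceoptions file pki-trace
set security pki traceoptions flag all

# --- checks ---
# show security pki local-certificate certificate-id srx210-cert detail
# show security pki ca-certificate ca-profile peer-ca
# show security ike security-associations
# show log ike-trace | match "cert|auth|id"
```

On the NetScreen side the matching checks are the ScreenOS equivalents: the device cert and the SRX's issuing CA loaded, the gateway set to certificate authentication with a matching proposal, the IKE ID set to the FQDN in the cert, and `debug pki all` plus `debug ike detail` to see which certificate check rejects the peer. If the IKE trace shows phase 1 failing right after the certificate payload, compare the subject/SAN in the peer's certificate with the remote-identity configured here; a mismatch there is the most common reason a PSK tunnel works while the certificate one does not.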
09-06-2010 02:57 PM
Right now, my two certs were issued by different CAs (both my internal CAs). Both CA certificates have been loaded into both the NS50 and the SRX210. I'll have to rerun the test to get any debug output; I had traceoptions all on the SRX running for a while, but nothing on the NS50. I also registered at dyndns (for my ADSL IP/name resolution).
Since I own both CAs I guess I can sign the device cert in both CAs.... I guess I'm going to have to break down and create my own internal subordinate CA....
Thanks for the input.