Junos

Verification local digital certificate failed

‎11-01-2019 04:57 AM

Hello,

I am trying to set up a VPN using a digital certificate for IKE negotiation, and honestly I am pretty much ignorant in this field..

The VPN works fine if we use preshared keys.

What I did:

I generated a CSR (not on the Juniper) and GoDaddy signed it. I downloaded the certificate, the PEM key and gd_bundle and loaded them with WinSCP onto the Juniper MX router.

I installed the certificates on the router with the request security pki load command.

 

tech1@ar1> request security pki local-certificate verify certificate-id v1817.xxxxx.com
Local certificate v1817.xxxxx.com verification failed

I don't know how my CA profile should be configured; for now I have this:

set security pki ca-profile ca-godaddy ca-identity ca.godaddy.com
set security pki ca-profile ca-godaddy enrollment url http://ocsp.godaddy.com/
set security pki ca-profile ca-godaddy revocation-check disable


I am getting this error in the log when I try to use the certificate for Phase 1:

Nov 1 08:50:43 Using software for dh_comp operation
Nov 1 08:50:43 Inside kmd_sw_dh_comp...
Nov 1 08:50:43 kmd_pm_ike_get_certificates: certificate callback invoked

Nov 1 08:50:43 Start
Nov 1 08:50:43 kmd_policy_request_certificates: Requesting certs for 1 CA's
Nov 1 08:50:43 No chain present for for cert-id V1817.xxxxx.com
Nov 1 08:50:43 kmd_pm_ike_get_certificates: Get certificate from PKID

Nov 1 08:50:43 kmd_pkid_send_packet
Nov 1 08:50:43 kmd_pkid_send_packet
Nov 1 08:50:43 process_ipc_message_data: failed to get keypair
Nov 1 08:50:43 ikev2_reply_cb_get_certs: [1cc9c00/1cc8000] Error: Get certs failed: 65539
Nov 1 08:50:43 ikev2_state_error: [1cc9c00/1cc8000] Negotiation failed because of error Crypto operation failed (65539)
Nov 1 08:50:43 Removing DPD server entry for remote peer: 200.XXX.XXX.6:500
Nov 1 08:50:43 ikev2_ike_sa_abort: Initial IKE SA 1cc8000 exchange aborted 200.XXX.XXX.6;500
Nov 1 08:50:43 ikev2_packet_done: [1cc9c00/1cc8000] Scheduling packet (m-id=1) to be freed
Nov 1 08:50:43 ikev2_packet_done: [1cc9c00/1cc8000] Not destroyed; running to end state and terminating there.
Nov 1 08:50:43 ikev2_packet_done: [1ccbc00/0] Scheduling packet (m-id=0) to be freed
Nov 1 08:50:43 ikev2_packet_done: [1ccbc00/0] Destroyed already. Thread completed. Freeing now.
Nov 1 08:50:43 ikev2_packet_free: [1ccbc00/0] Freeing
Nov 1 08:50:43 IKE SA negotiation failed for remote-ip:200.XXX.XXX.6,do tunnel failover
Nov 1 08:50:43 DPD: Peer 200.XXX.XXX.6 is down, cleaning up all IPSec SAs
Nov 1 08:50:43 DPD: Peer 200.XXX.XXX.6 is down, cleaning up IKE SAs
Nov 1 08:50:43 Deleting IKE SA to peer: 200.XXX.XXX.6
Nov 1 08:50:43 IKE SA 1cc8000 is unusable
Nov 1 08:50:43 SA 1cc8000, ED 1ce1028 application context 1cc6000
Nov 1 08:50:43 p1_data removed for p1_local=ID(type = ipv4 (1), len = 4, value = 200.XXX.XXX.5) p1_remote=ID(type = ipv4 (1), len = 4, value = 200.XXX.XXX.6)
Nov 1 08:50:43 ikev2_packet_destroy: [1cc9c00/0] Destructor
Nov 1 08:50:43 ikev2_packet_free: [1cc9c00/0] Freeing

Any help would be really appreciated.

Thanks.

Regards,

Ramiro.
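The post loads three separately obtained files onto the router (the GoDaddy-signed certificate, the PEM key from the off-box CSR, and gd_bundle), and the router then reports "No chain present" and "failed to get keypair". Before touching the ca-profile it is worth confirming off-box that those three files actually belong together. The script below is an added example, not code from the original post or from Juniper: it builds a constructed throwaway root / intermediate / leaf chain with openssl (the hostname v1817.example.com and the CA names are made up for the demonstration) and then runs the two checks one would run on the real files: does the private key match the certificate, and does the bundle carry the intermediate that links the certificate back to a trusted root. It also prints the certificate's subject and issuer, which tells you which CA certificate the router must have loaded for the local certificate to chain.

```shell
#!/bin/sh
# Added example (not from the original post): off-box sanity check of a
# leaf certificate, its private key and the CA bundle before loading them
# on the router with "request security pki ...".
set -eu

# make_chain DIR: build a constructed root -> intermediate -> leaf chain in
# DIR so the checks below run offline. Names and hostname are invented.
make_chain() {
  dir="$1"
  # Extensions that make a certificate usable as a CA in chain building.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"

  # Self-signed root CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Leaf (the router's local certificate) issued by the intermediate,
  # from a CSR generated off-box exactly as in the post.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=v1817.example.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.pem" 2>/dev/null

  # A public CA's bundle (like gd_bundle) carries the intermediates, not the root.
  cp "$dir/int.pem" "$dir/bundle.pem"
}

# check_material CERT KEY BUNDLE ROOT
#   returns 0 when KEY belongs to CERT and CERT chains through BUNDLE to ROOT,
#   1 when the private key does not match the certificate,
#   2 when no chain can be built from CERT through BUNDLE to ROOT.
check_material() {
  cert="$1"; key="$2"; bundle="$3"; root="$4"

  # Compare the SubjectPublicKeyInfo from both files; works for RSA and EC keys.
  cert_pub="$(openssl x509 -noout -pubkey -in "$cert")"
  key_pub="$(openssl pkey -in "$key" -pubout)"
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key $key does not match certificate $cert" >&2
    return 1
  fi

  # Build the chain the way a verifier would: bundle is untrusted material,
  # only the root is a trust anchor.
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1; then
    echo "FAIL: no chain from $cert through $bundle to $root" >&2
    return 2
  fi

  # The issuer is the CA certificate the router must hold for this leaf.
  openssl x509 -noout -subject -issuer -in "$cert"
  return 0
}

WORK="$(mktemp -d)"
make_chain "$WORK"
if check_material "$WORK/leaf.pem" "$WORK/leaf.key" "$WORK/bundle.pem" "$WORK/root.pem"; then
  echo "OK: certificate, key and bundle belong together"
fi
```

On the real files, call check_material with the downloaded certificate, the key that produced the CSR, gd_bundle and the GoDaddy root certificate. A return of 1 means the key on disk is not the one the certificate was issued for; a return of 2 means the bundle does not contain the intermediate that issued the certificate, so no verifier, the router included, can build a chain from it.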