Junos

public_key failed: 24 (IPSec with RSA-Signatures)

‎02-06-2020 03:44 AM

Hello,

 

I am setting up an IPsec tunnel using certificates for Phase 1 (the tunnel has already been tested with PSK and works fine), but it won't come up (see log below). It seems to be related to the remote-id check. I have been trying to set up local-id and remote-id with different combinations, but I can't make it come up. The Any-remote-ID option is not allowed for some reason on these MX devices.

 

Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID ID(type = dn (9), len = 66, value = 30403121 301f0603 55040b13 18446f6d 61696e20 436f6e74 726f6c20 56616c69 64617465 64311b30 19060355 04030c12 2a2e6d69 6e746572 696f722e 6775622e 7579) to IKEv1 ID
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID der_asn1_dn(any:0,[0..65]=OU=Domain Control Validated, CN=*.minterior.gub.uy)
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] kmd_pm_ike_match_remote_id: remote ID check failed
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] ikev2_reply_cb_public_key: [1c9ec00/e798800] Error: public_key failed: 24
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] ikev2_state_error: [1c9ec00/e798800] Negotiation failed because of error Authentication failed (24)
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] kmd_pm_ike_sa_done: UNUSABLE ike sa tunnel_id 20217
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] IKE SA negotiation failed for remote-ip:XXX.XXX.200.6,do tunnel failover
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] DPD: Peer XXX.XXX.200.6 is down, cleaning up all IPSec SAs
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] DPD: Peer XXX.XXX.200.6 is down, cleaning up all IPSec SAs
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] DPD: Peer XXX.XXX.200.6 is down, cleaning up all IPSec SAs
Feb 6 08:34:26 [XXX.XXX.200.5 <-> XXX.XXX.200.6] DPD: Peer XXX.XXX.200.6 is down, cleanin

 

I have converted that hex value using this site: https://www.rapidtables.com/convert/number/hex-to-ascii.html

 

30403121 301f0603 55040b13 18446f6d 61696e20 436f6e74 726f6c20 56616c69 64617465 64311b30 19060355 04030c12 2a2e6d69 6e746572 696f722e 6775622e 7579

 

and I get:

 

0@1!0U Domain Control Validated10U *.minterior.gub.uy

 

My config right now:

 

set services ipsec-vpn ike policy ike_policy_ms_0_0_0_new proposals ike_proposal_ms_0_0_0_new
set services ipsec-vpn ike policy ike_policy_ms_0_0_0_new local-id ipv4_addr XXX.XXX.200.5
set services ipsec-vpn ike policy ike_policy_ms_0_0_0_new local-certificate V1817.dedicado.com
set services ipsec-vpn ike policy ike_policy_ms_0_0_0_new remote-id ipv4_addr XXX.XXX.200.6
set services ipsec-vpn ike policy ike_policy_ms_0_0_0_new remote-id fqdn minterior.gub.uy

 

For some reason the authentication method shows "preshared key"; I guess it's because rsa-signature is not working (?):

 

rperez@mvd.wtc4.ar2> show services ipsec-vpn ike security-associations detail 200.108.200.6
IKE peer XXX.XXX.200.6
Role: Initiator, State: Not matured
Initiator cookie: a6038784191b0e8c, Responder cookie: da44509c54e4eb7c
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Local: XXX.XXX.200.5, Remote: XXX.XXX.200.6
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : 0
Traffic statistics:
Input bytes : 193
Output bytes : 2624
Input packets: 1
Output packets: 2
Flags: Waiting for done
IPSec security associations: 0 created, 0 deleted

 

My device:

 

Model: mx5-t
Junos: 13.3R1.8
JUNOS Base OS boot [13.3R1.8]
JUNOS Base OS Software Suite [13.3R1.8]
JUNOS Kernel Software Suite [13.3R1.8]
JUNOS Crypto Software Suite [13.3R1.8]
JUNOS Packet Forwarding Engine Support (MX80) [13.3R1.8]
JUNOS Online Documentation [13.3R1.8]
JUNOS Services Application Level Gateways [13.3R1.8]
JUNOS Services Jflow Container package [13.3R1.8]
JUNOS Services Stateful Firewall [13.3R1.8]
JUNOS Services NAT [13.3R1.8]
JUNOS Services RPM [13.3R1.8]
JUNOS Services Crypto [13.3R1.8]
JUNOS Services SSL [13.3R1.8]
JUNOS Services IPSec [13.3R1.8]
JUNOS Routing Software Suite [13.3R1.8]

 

I seem to be stuck... any help would be really appreciated.

 

Regards,

RP
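The log line above already tells the story: the peer presents its identity as an IKEv2 ID payload of type 9 (ID_DER_ASN1_DN), a DER-encoded X.500 name, while the policy only carries remote-id entries of type ipv4_addr and fqdn, so kmd's remote ID check cannot find a match. Decoding the DER properly (rather than with a hex-to-ASCII converter, which drops the tag and length bytes and produces the "0@1!0U" noise) is the quickest way to see exactly what the peer is sending. The block below is an added example written for this thread, not code from the original post or from Junos: a minimal DER parser for an X.500 Name, a decoder for the common IKEv2 ID types, and a check against the remote-id values from the config above. The match rule it applies (type and value must both equal a configured entry) is an assumption that agrees with the "remote ID check failed" line in the log; it is not a description of how kmd compares IDs internally.

```python
"""Decode the IKEv2 ID payload from the KMD log and check it against the
configured remote-id entries.  Added example for this thread; the DER
parser is hand-written here and covers only what an X.500 Name needs
(SEQUENCE, SET, OID and the usual string tags).
"""
import ipaddress

# IKEv2 Identification payload ID types (RFC 7296, section 3.5)
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11

# Hex dump copied from the OP's log line (type = dn (9), len = 66).
LOG_ID_HEX = (
    "30403121 301f0603 55040b13 18446f6d 61696e20 436f6e74 726f6c20 "
    "56616c69 64617465 64311b30 19060355 04030c12 2a2e6d69 6e746572 "
    "696f722e 6775622e 7579"
)

# Attribute-type OIDs that commonly appear in a subject DN (RFC 4519).
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
}
# DER string tags -> Python codec (UTF8String, PrintableString, IA5String,
# TeletexString approximated as latin-1, BMPString).
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii",
               0x14: "latin-1", 0x1E: "utf-16-be"}


def der_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Iterate over the TLVs nested inside a SEQUENCE/SET value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_dn(der):
    """Render a DER-encoded X.500 Name as 'OU=..., CN=...' in encoded RDN order."""
    tag, name, _ = der_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    for set_tag, rdn in der_children(name):
        assert set_tag == 0x31, "each RDN must be a SET"
        parts = []
        for seq_tag, atv in der_children(rdn):
            assert seq_tag == 0x30, "AttributeTypeAndValue must be a SEQUENCE"
            (_, oid), (val_tag, val) = list(der_children(atv))
            attr = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(attr + "=" + val.decode(STRING_TAGS.get(val_tag, "latin-1")))
        rdns.append("+".join(parts))
    return ", ".join(rdns)


def decode_ikev2_id(id_type, data):
    """Return a printable form of an IKEv2 ID payload body."""
    if id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        return str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return data.decode("ascii")
    if id_type == ID_DER_ASN1_DN:
        return decode_dn(data)
    return data.hex()


def remote_id_matches(peer_type, peer_value, configured):
    """Assumed rule: the ID type and the value must both equal a configured remote-id."""
    return any(t == peer_type and v == peer_value for t, v in configured)


# remote-id entries from the OP's policy (masked address kept as posted).
CONFIGURED_REMOTE_IDS = [(ID_IPV4_ADDR, "XXX.XXX.200.6"), (ID_FQDN, "minterior.gub.uy")]

if __name__ == "__main__":
    der = bytes.fromhex(LOG_ID_HEX.replace(" ", ""))
    presented = decode_ikev2_id(ID_DER_ASN1_DN, der)
    print("peer presented ID type 9 (DN):", presented)
    ok = remote_id_matches(ID_DER_ASN1_DN, presented, CONFIGURED_REMOTE_IDS)
    print("remote ID check:", "ok" if ok else "failed")
```

Running it prints the same rendering kmd shows (OU=Domain Control Validated, CN=*.minterior.gub.uy) and reports the check as failed: neither an ipv4_addr nor an fqdn entry can equal a DN-typed identity, whatever its value. The useful next step is to get the peer to send an ID of a type the MX policy can be configured with, or to configure a remote-id that is the same type and value as what the peer actually sends.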


Re: public_key failed: 24 (IPSec with RSA-Signatures)

‎03-07-2020 07:30 AM

Typically on the MX configuration the remote-id will be the configured destination address on that router.

Which must match the configured source address on the connected remote router.

And of course the reverse as well.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: public_key failed: 24 (IPSec with RSA-Signatures)

‎03-25-2020 02:20 PM

I had the same issue before setting up IPSec between an SRX300 and MX104 using RSA signatures.

 

Turns out the MX104 accepts only fqdn, and it should match the DNS name on the peer certificate.

 

Sample config (MX104 side): [image aaa.png, not reproduced here]

Peer certificate (SRX300 RSA cert): [image bbb.png, not reproduced here]

 
