Routing

Digital certificate

10-25-2019 10:26 AM

Hello,

I am trying to use my digital certificate, recently purchased from GoDaddy, for an IPsec site-to-site VPN with another organization.

Where should I upload my private key (which was generated when I created the CSR to upload to GoDaddy) and the files I got from GoDaddy (2 .crt files and a .pem file) to the MX5?

Thank you.

Ramiro.


Re: Digital certificate

10-26-2019 12:09 AM

Hello,

Please see if these links help

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/digital-certification-ik...

https://www.juniper.net/documentation/en_US/junos/topics/example/configuring-ike-dynamic-sa-digital-...

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
Re: Digital certificate

10-31-2019 07:29 AM

Hello aarseniev,

I have loaded the certificates issued by GoDaddy onto the router, but I can't get Phase 1 to come up. I get this log:

Any ideas where the problem could be?

Thank you.

tech@mvd.router> show log kmd | last
Oct 31 11:24:32 Allocated SA payload 1ccac00
Oct 31 11:24:32 Initiator's proposing IKE SA payload SA([0](id = 1) protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA256 PRF, 256 bit ECP; )
Oct 31 11:24:32 Using software for dh_gen operation
Oct 31 11:24:32 Inside kmd_sw_dh_gen...
Oct 31 11:24:32 Parsing notify payloads for ed 1cd2028, IKE SA 1ccc400
Oct 31 11:24:32 ikev2_packet_st_send_request_address: [1ccbc00/1ccc400] Sending packet/request address pair
Oct 31 11:24:32 ikev2_packet_st_send: [1ccbc00/1ccc400] Sending packet/Do
Oct 31 11:24:32 ikev2_udp_send_packet: [1ccbc00/1ccc400] Sending packet using VR id 0
Oct 31 11:24:32 ikev2_packet_st_send: Registering timeout at 5000 (5.0)
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Looking up instance for server: 200.108.XXX.5 and routing instance id: 0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] instance: ipsec_ss_ms_0_0_01_new found for server: 200.108.XXX.5 in routing instance id: 0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_recv: *** Packet RX (len 249) from 200.108.XXX.6:500, VR id 0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_allocate: Allocated packet 1cc9400 from freelist
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_allocate: [1cc9400/0] Allocating
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Looking up instance for server: 200.108.XXX.5 and routing instance id: 0
Oct 31 11:24:32 [200.108.XXX.5 <->200.108.XXX.6] instance: ipsec_ss_ms_0_0_01_new found for server: 200.108.XXX.5 in routing instance id: 0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Returning SA 1ccc400
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_check: [1cc9400/1ccc400] Window check (fwd=1cd03a0 rev=1cd0340): m-id 0 R; received
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_st_forward: [1cc9400/1ccc400] R: IKE SA REFCNT: 3
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Allocated SA payload 1cca000
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Enter SA 1ccc400, ED 1cd2028, state 0, received notification message NAT detection source IP authenticated=0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Plain-text notification `NAT detection source IP' (16388) from 200.108.XXX.6:500 for protocol None. Initiator SPI fdd5d03e b08f994d Responder SPI 00000000 00000000
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Enter SA 1ccc400, ED 1cd2028, state 0, received notification message NAT detection destination IP authenticated=0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] Plain-text notification `NAT detection destination IP' (16389) from 200.108.XXX.6:500 for protocol None. Initiator SPI fdd5d03e b08f994d Responder SPI 00000000 00000000
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_decode_packet: [1cc9400/1ccc400] Updating responder IKE SPI to IKE SA 1ccc400 I fdd5d03e b08f994d R 6a09ebb6 57ecb315
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_decode_packet: [1cc9400/1ccc400] Received packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), CERTREQ
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_update: [1cc9400/1ccc400] Window update (fwd=1cd03a0, rev=1cd0340): m-id 0 R; received
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_update: [1cc9400/1ccc400] STOP-RETRANSMIT: Response to request 1ccbc00 with m-id 0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_update: [1cc9400/1ccc400] Stored packet into window 1cd03a0
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_allocate_id: Allocated m-id 1 SA 1ccc400
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_allocate: Allocated packet 1cc9c00 from freelist
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_allocate: [1cc9c00/0] Allocating
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_update: [1cc9c00/1ccc400] Window update (fwd=1cd0340, rev=1cd03a0): m-id 1 I ; sent
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_udp_window_update: [1cc9c00/1ccc400] Stored packet into window 1cd0340
Oct 31 11:24:32 [200.108.XXX.5 <-> 200.108.XXX.6] ikev2_packet_destroy: [1cc9400/0] Destructor
Oct 31 11:24:32 ikev2_packet_st_send_request_address: [1ccbc00/0] Sending packet/request address pair
Oct 31 11:24:32 ikev2_packet_st_send: [1ccbc00/0] Sending packet/Do
Oct 31 11:24:32 ikev2_packet_destroy: [1ccbc00/0] Destructor
Oct 31 11:24:32 ikev2_packet_free: [1ccbc00/0] Freeing
Oct 31 11:24:32 Using software for dh_comp operation
Oct 31 11:24:32 Inside kmd_sw_dh_comp...
Oct 31 11:24:32 kmd_pm_ike_get_certificates: certificate callback invoked

Oct 31 11:24:32 Start
Oct 31 11:24:32 kmd_policy_request_certificates: Requesting certs for 1 CA's
Oct 31 11:24:32 No chain present for for cert-id 6424c641364ca7db
Oct 31 11:24:32 kmd_pm_ike_get_certificates: Get certificate from PKID

Oct 31 11:24:32 kmd_pkid_send_packet
Oct 31 11:24:32 kmd_pkid_send_packet
Oct 31 11:24:32 process_ipc_message_data: failed to get keypair
Oct 31 11:24:32 ikev2_reply_cb_get_certs: [1cc9c00/1ccc400] Error: Get certs failed: 65539
Oct 31 11:24:32 ikev2_state_error: [1cc9c00/1ccc400] Negotiation failed because of error Crypto operation failed (65539)
Oct 31 11:24:32 Removing DPD server entry for remote peer: 200.108.XXX.6:500
Oct 31 11:24:32 ikev2_ike_sa_abort: Initial IKE SA 1ccc400 exchange aborted 200.108.XXX.6;500
Oct 31 11:24:32 ikev2_packet_done: [1cc9c00/1ccc400] Scheduling packet (m-id=1) to be freed
Oct 31 11:24:32 ikev2_packet_done: [1cc9c00/1ccc400] Not destroyed; running to end state and terminating there.
Oct 31 11:24:32 ikev2_packet_done: [1cc9400/0] Scheduling packet (m-id=0) to be freed
Oct 31 11:24:32 ikev2_packet_done: [1cc9400/0] Destroyed already. Thread completed. Freeing now.
Oct 31 11:24:32 ikev2_packet_free: [1cc9400/0] Freeing
Oct 31 11:24:32 IKE SA negotiation failed for remote-ip:200.108.XXX.6,do tunnel failover
Oct 31 11:24:32 DPD: Peer 200.108.XXX.6 is down, cleaning up all IPSec SAs
Oct 31 11:24:32 DPD: Peer 200.108.XXX.6 is down, cleaning up IKE SAs
Oct 31 11:24:32 Deleting IKE SA to peer: 200.108.XXX.6
Oct 31 11:24:32 IKE SA 1ccc400 is unusable
Oct 31 11:24:32 SA 1ccc400, ED 1cd2028 application context 1cc6000
Oct 31 11:24:32 p1_data removed for p1_local=ID(type = ipv4 (1), len = 4, value = 200.108.XXX.5) p1_remote=ID(type = ipv4 (1), len = 4, value = 200.108.XXX.6)
Oct 31 11:24:32 ikev2_packet_destroy: [1cc9c00/0] Destructor
Oct 31 11:24:32 ikev2_packet_free: [1cc9c00/0]
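The log above stops at `process_ipc_message_data: failed to get keypair` right after `No chain present for for cert-id ...`: when the responder sent its CERTREQ, the key manager asked the PKI daemon for the certificate and matching private key and got neither. Two things a practitioner can confirm offline before loading a purchased certificate on any device are that the private key generated with the CSR really belongs to the issued leaf certificate, and that the leaf validates against the issuer's intermediate/root bundle. The POSIX shell script below is an added example, not code from this thread or from Juniper; it uses only the `openssl` command-line tool and builds its own throwaway CA and leaf pair so it runs without any real GoDaddy files. The function names, file names, the `--demo` flag and the subject names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a key/leaf/bundle triple
# before loading it onto a device. All names and paths here are assumptions.
set -eu

# Print the SHA-256 digest of the public half of a private key.
pubkey_digest_of_key() {
  openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the SHA-256 digest of the public key embedded in a certificate.
pubkey_digest_of_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when the private key and the leaf certificate share a public key.
key_matches_cert() {
  [ "$(pubkey_digest_of_key "$1")" = "$(pubkey_digest_of_cert "$2")" ]
}

# Succeed only when the leaf certificate ($1) validates against the CA
# bundle ($2): intermediate and root concatenated, as issuers usually ship them.
chain_is_complete() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway root CA and a leaf it signs (constructed demo material)
# so the checks can be exercised offline. Writes ca.key, ca.crt, leaf.key,
# leaf.csr and leaf.crt into the directory given as $1.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.invalid" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# Run both checks on key ($1), leaf ($2), bundle ($3) and say which one failed.
# Exit status: 0 all good, 1 key does not match leaf, 2 chain does not verify.
check_bundle() {
  if ! key_matches_cert "$1" "$2"; then
    echo "MISMATCH: private key $1 does not belong to $2" >&2
    return 1
  fi
  if ! chain_is_complete "$2" "$3"; then
    echo "INCOMPLETE: $2 does not chain to anything in $3" >&2
    return 2
  fi
  echo "OK: $1 matches $2 and the chain verifies against $3"
}

# Stand-alone demo: generate the throwaway PKI and run the checks on it.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  check_bundle "$tmp/leaf.key" "$tmp/leaf.crt" "$tmp/ca.crt"
  rm -rf "$tmp"
fi
```

Run it with `--demo` to see the happy path on the generated pair; with real material, call `check_bundle key.pem leaf.crt bundle.crt`, where `bundle.crt` is the issuer's intermediate and root concatenated. The two distinct exit codes separate the two failure modes a device log tends to blur together: a key that was never the one used for the CSR, and a leaf whose issuer chain is missing or in the wrong order.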