SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Crypto error in establishing IPsec tunnel with CA

    Posted 09-24-2014 03:55

    Hi Guys,

    We have some trouble here with an IPsec tunnel that doesn't work.

    In the IKE logs we can see the following, which claims a CA-CFG negotiation error but does not indicate which specific one:
    [Sep 24 12:04:51 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1242800 from freelist
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 124f800 from freelist
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [124f800/11e1c00] Setting ed pkt ctx from VR id 65535 to VR id 0)
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [124f800/11e1c00] Received packet: HDR, SA, KE, Nonce, Vid
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 124f400 from freelist
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_policy_get_certificate_authority_recv_ipc context <011f46c0>.
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]got cert authority 1 callback<00a39934>.
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]got cert authority 1 callback<00a39934>.
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1252000 from freelist
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload Initial contact from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload Set window size from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]Received Unauthenticated notification payload ESP TFC padding not supported from local:10.28.97.44 remote:10.0.3.10 IKEv2 for P1 SA 2155594065
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_decode_packet: [1252000/11e1c00] Received packet: HDR, N(INITIAL_CONTACT), N(SET_WINDOW_SIZE), N(ESP_TFC_PADDING_NOT_SUPPORTED), IDi, IDr, CERT, CERT, CERT, CERTREQ, AUTH, SA, TSi, TSr
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_policy_find_public_key_recv_ipc found 0, len<902> 1st<30> last<8e>.
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ssh_cm_cert_set_ber: Set certificate in ber.
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]Added (spi=0x854c56f8, protocol=0) entry to the spi table
    [Sep 24 12:04:52 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1247800 from freelist
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]ikev2_reply_cb_get_certs: [1247800/11e1c00] Error: Get certs failed: 65539
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]ikev2_state_error: [1247800/11e1c00] Negotiation failed because of error Crypto operation failed (65539)
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]IKE negotiation fail for local:10.28.97.44, remote:10.0.3.10 IKEv2 with status: Crypto operation failed
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]IPSec negotiation failed for SA-CFG hua_PY26T for local:10.28.97.44, remote:10.0.3.10 IKEv2. status: Crypto operation failed
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]   P2 ed info: flags 0x0, P2 error: Error ok
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]IKE SA delete called for p1 sa 2155594065 (ref cnt 1) local:10.28.97.44, remote:10.0.3.10, IKEv2
    [Sep 24 12:04:53 PIC 1/8/0 KMD1]iked_pm_p1_sa_destroy:  p1 sa 2155594065 (ref cnt 0), waiting_for_del 0x0
    [Sep 24 11:30:07 PIC 2/8/0 KMD1]Failed to find P1-SA for cookie SPI-I 161acfa5 a05b49e9 SPI-R 00000000 00000000 while processing phase 1 delete HA blob
    [Sep 24 12:04:57 PIC 1/2/0 KMD1]Skip DPD probe for remote peer 10.0.4.6. Still waiting for reply
    [Sep 24 12:04:57 PIC 1/1/1 KMD1]Skip DPD probe for remote peer 10.0.3.7. Still waiting for reply
    [Sep 24 12:04:55 PIC 1/8/0 KMD1]Skip DPD probe for remote peer 10.0.3.10. Still waiting for reply
    [Sep 24 12:04:59 PIC 1/8/0 KMD1]ikev2_packet_allocate: Allocated packet 1246800 from freelist

    Any idea?

    Thanks

    Cristian



  • 2.  RE: Crypto error in establishing IPsec tunnel with CA

    Posted 09-24-2014 06:02

    Hi Cristian,

    Looks like you are setting up a certificate-based VPN tunnel.

    Check this link that talks about "crypto operation failed":

    http://rtoodtoo.net/2014/02/25/certificate_vpn_public_key_lookup_failed/

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Crypto error in establishing IPsec tunnel with CA

    Posted 09-25-2014 06:53

    Hi rparthi,

    Thanks for your feedback.

    After having enabled debug mode under IKE, we found some more detailed logs. It looks like the local certificate is not valid anymore, but the strange thing is that the certificate had actually been renewed recently, so the info that the SRX is using looks to be wrong.

    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  Ignoring notification of type 16385
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  Received Initial contact notification message
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  ikev2_packet_allocate: Allocated packet 1245c00 from freelist
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  ikev2_packet_done: [124c400/0] Not destroyed; running to end state and terminating there.
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  ikev2_udp_window_update: [1245c00/11e1c00] Stored packet into window 11f44e0
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_pm_ike_get_certificates: certificate callback invoked
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_policy_request_certificates: Requesting certs for 1 CA's
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_policy_request_certificates: got certificate info
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_pm_ike_get_certificates: Cerificate found in local database

    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  Certificate valid from 2013 Sep 12th, 13:33:43 GMT to 2014 Sep 12th, 13:33:43 GMT
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_pm_validate_certificate_expiry: certificate has expired
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  ssh_x509_cert_free: Decreasing reference count of certificate df5800 to 0
    [Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  ikev2_reply_cb_get_certs: [1245c00/11e1c00] Error: Get certs failed: 65539
    [

    But the actual certificate is fine:


    {primary:node0}
    X0173146@SEG-PA001> show security pki local-certificate
    node0:
    --------------------------------------------------------------------------

    Certificate identifier: secgw-region-a
      Issued to: SEG-PA001, Issued by: C = IT, O = Telecom Italia, OU = Network Management, CN = Region A Device CA
      Validity:
        Not before: 09-23-2014 14:00 UTC
        Not after: 09-23-2015 14:00 UTC
      Public key algorithm: rsaEncryption(2048 bits)

    How can this be possible?

    Thanks

    Cristian
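As an added check (not part of the original thread, and not a Junos tool), the script below pulls the certificate validity window out of the KMD debug line and out of `show security pki local-certificate` output and reports whether KMD is evaluating a different certificate than the one in the PKI database. The sample log and CLI text are constructed from the lines quoted in this post; the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, copied from the KMD debug output quoted in the post.
KMD_LOG = """[Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_pm_ike_get_certificates: Cerificate found in local database
[Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  Certificate valid from 2013 Sep 12th, 13:33:43 GMT to 2014 Sep 12th, 13:33:43 GMT
[Sep 24 14:59:46 PIC 1/8/0 KMD1][10.28.97.44 <-> 10.0.3.10]  iked_pm_validate_certificate_expiry: certificate has expired
"""

# Constructed sample input, copied from the CLI output quoted in the post.
CLI_OUTPUT = """Certificate identifier: secgw-region-a
  Validity:
    Not before: 09-23-2014 14:00 UTC
    Not after: 09-23-2015 14:00 UTC
"""

_KMD_RE = re.compile(r"Certificate valid from (.+?) GMT to (.+?) GMT")
_CLI_RE = re.compile(r"Not before: (\S+ \S+) UTC\s+Not after: (\S+ \S+) UTC")

def _parse_kmd_time(text):
    # KMD prints "2013 Sep 12th, 13:33:43": strip the ordinal suffix before strptime.
    text = re.sub(r"(\d+)(st|nd|rd|th),", r"\1,", text)
    return datetime.strptime(text, "%Y %b %d, %H:%M:%S").replace(tzinfo=timezone.utc)

def kmd_validity(log):
    """(not_before, not_after) of the certificate KMD actually evaluated, or None."""
    m = _KMD_RE.search(log)
    return None if not m else (_parse_kmd_time(m.group(1)), _parse_kmd_time(m.group(2)))

def cli_validity(output):
    """(not_before, not_after) as shown by 'show security pki local-certificate', or None."""
    m = _CLI_RE.search(output)
    if not m:
        return None
    fmt = "%m-%d-%Y %H:%M"
    return tuple(datetime.strptime(g, fmt).replace(tzinfo=timezone.utc) for g in m.groups())

def is_expired(validity, now):
    not_before, not_after = validity
    return not (not_before <= now <= not_after)

def stale_cert(log, output, now):
    """Verdict: 'stale-in-kmd' when KMD used an expired cert while the PKI db holds a valid one."""
    kmd, cli = kmd_validity(log), cli_validity(output)
    if kmd is None or cli is None:
        return "missing-data"
    if kmd != cli:
        return "stale-in-kmd" if is_expired(kmd, now) and not is_expired(cli, now) else "mismatch"
    return "expired" if is_expired(kmd, now) else "ok"
```

A "stale-in-kmd" verdict matches the symptom in this thread: the renewed certificate is in the PKI database, but the IKE daemon is still validating the old one.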

     



  • 4.  RE: Crypto error in establishing IPsec tunnel with CA

    Posted 09-26-2014 04:33

    Hi,

    Thanks for the update.

    Yes, it looks very strange.

    Please try deactivating the IKE and IPsec configuration for this tunnel, commit, and then reactivate the VPN configuration.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too