SRX Services Gateway

SRX - Can system-generated-certificate be used as part of an IPSEC tunnel config?

08-25-2018 03:22 AM

SRX - I have a requirement for a single tunnel between 2 SRX routers but can't select system-generated-certificate within the ike policy xxx certificate local certificate command. Is this possible?

Can I take a copy of the system-generated-certificate and rename it? Please let me know if there's another way. Thanks

Re: SRX - Can system-generated-certificate be used as part of an IPSEC tunnel config?

08-30-2018 01:23 AM

Hi Ian,

You can't use the system-generated certificate for VPN authentication. I even tried creating a local self-signed certificate, with the same result.

[Aug 30 07:55:26]IKED-PKID-IPC Failed to delete cert chain patricia node system-generated
[Aug 30 07:55:26]iked_pm_ike_get_certificates_callback: CA certificate find failed
[Aug 30 07:55:26]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'

(the above output is from IKE traceoptions)

When using certificates in a VPN you need two certificates per SRX:

  1. A local certificate (signed by a CA)
  2. A CA certificate (provided by the CA that signed your local certificate and used to validate that local cert)

The local certificate is to be loaded in the local SRX and the CA certificate is to be loaded in the remote SRX.

The problem with using the system-generated certificate or a local self-signed certificate in your VPN is that these certs count as the local certificate, but then we don't have a CA certificate to load in the remote SRX, because no real CA signed those certs and the local SRX does not provide a CA certificate when it signs those local certs.

You may want to create a CA for signing your local certs, as shown in the following link, using a Linux machine:

http://rtodto.net/certificate-based-ipsec-vpn-in-srx/

or use a free CA, as shown in the following post:

https://www.blackhole-networks.com/CertVPN/pki_setup.html

I hope this info is useful. Please mark it as Resolved if it was helpful.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
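As an added, constructed example (not part of this thread, the linked posts, or Juniper's documentation), the following shell script builds on a Linux host with OpenSSL the two-certificate arrangement the reply describes: a lab CA, a CA-issued local certificate for each SRX, and the chain check the peer performs with its copy of the CA certificate. It then runs the same check against a self-signed device certificate, which fails for the reason given in the reply: no CA certificate exists that could validate it. The CA name, the hostnames srx1.lab.example and srx2.lab.example, and all file names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal lab CA built with
# OpenSSL, issuing one IKE certificate per SRX, plus the chain check a peer
# performs with the CA certificate. All names and paths are constructed.
set -eu

# build_lab_pki DIR
#   Creates in DIR: ca.key/ca.crt (the CA), srx1.crt and srx2.crt (CA-issued
#   local certificates) and selfsigned.crt (a device cert with no issuing CA,
#   standing in for the system-generated or self-signed certificate).
build_lab_pki() {
    dir=$1
    mkdir -p "$dir"

    # CA profile: a self-signed certificate explicitly marked CA:TRUE with
    # keyCertSign, so verifiers accept it as an issuer.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Lab VPN Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Request profile for end entities; the subject is passed with -subj.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 730 -key "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null

    # End-entity profile: not a CA, signing key only, identity in the SAN
    # (the identity the IKE peer matches against).
    for name in srx1 srx2; do
        cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
subjectAltName   = DNS:$name.lab.example
EOF
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        # On a real SRX the key pair and CSR are generated on the box; here the
        # CSR is produced with openssl so the example is self-contained.
        openssl req -new -key "$dir/$name.key" -config "$dir/req.cnf" \
            -subj "/CN=$name.lab.example" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    done

    # The failure case from the thread: a certificate that signed itself.
    openssl genrsa -out "$dir/selfsigned.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 365 -key "$dir/selfsigned.key" \
        -config "$dir/req.cnf" -subj "/CN=srx-self.lab.example" \
        -out "$dir/selfsigned.crt" 2>/dev/null
}

# verify_against_ca DIR CERT
#   What the remote SRX does with its loaded CA certificate: build and check
#   the chain from the presented local certificate up to the CA. Prints OK or
#   FAIL; a self-signed leaf fails because no trusted issuer is found.
verify_against_ca() {
    if openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# issuer_of DIR CERT: the issuer name, which is what the CA lookup is keyed on.
issuer_of() {
    openssl x509 -in "$1/$2" -noout -issuer
}

if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    build_lab_pki "$work"
    for c in srx1.crt srx2.crt selfsigned.crt; do
        printf '%-15s %s -> %s\n' "$c" "$(issuer_of "$work" "$c")" \
            "$(verify_against_ca "$work" "$c")"
    done
    rm -rf "$work"
fi
```

Run it as sh pki_lab.sh run; the two CA-issued certificates verify and the self-signed one does not. On an SRX the key pair and CSR would normally be generated on the device (request security pki generate-key-pair and request security pki generate-certificate-request), the signed certificate loaded with request security pki local-certificate load, and the CA certificate loaded on each peer with request security pki ca-certificate load; the script generates the CSR with openssl only to stay self-contained.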