SRX Services Gateway

SRX Certificate VPN

10-05-2018 01:05 AM

Hi,

Setting up a certificate based site-to-site VPN.

I have -

  1. Created the key-pair.
  2. Generated a CSR.
  3. Had the CSR signed by our Windows CA.
  4. Uploaded the signed certificate to the firewall as a local certificate.
  5. Uploaded the intermediate CA certificate under one ca-profile.
  6. Uploaded the root CA certificate under a different ca-profile.
  7. Uploaded the CA certificate for the external site.

I am having IKE v1 authentication errors.

In the logs I can see "IP; No public key found".

Is there a step I have missed? I noticed on the SRX you cannot upload a certificate chain, so I had to upload the intermediate and root certificates under separate ca-profiles. Do I need to "link" these somehow?

Thanks.
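Added worked example (editor's addition, not from the original poster or any reply): the Junos operational and configuration commands that tie steps 1 to 7 together, including the trusted-ca-group that is the "link" between the separately loaded intermediate and root ca-profiles, and the IKEv1 policy/gateway that references the local certificate. Every name and value below (ROOT-CA, INTER-CA, PEER-CA, VPN-CAS, SRX-CERT, the proposal/policy/gateway names, the 192.0.2.10 peer address, ge-0/0/0.0, the example DN and file names) is an assumption for illustration; substitute your own. The general-ikeid line is the test one reply suggests and is left commented out.

```junos
# --- Operational steps (steps 1-4 and 5-7 of the question) ---
# Key pair and CSR; the CSR is signed externally by the Windows CA.
request security pki generate-key-pair certificate-id SRX-CERT size 2048 type rsa
request security pki generate-certificate-request certificate-id SRX-CERT subject "CN=srx.example.test,OU=VPN,O=Example" domain-name srx.example.test filename srx.csr
# Signed certificate back onto the SRX as the local certificate.
request security pki local-certificate load certificate-id SRX-CERT filename srx-signed.pem
# The SRX takes one CA certificate per ca-profile, so intermediate, root and
# the peer site's CA are each loaded into their own profile.
request security pki ca-certificate load ca-profile INTER-CA filename intermediate.pem
request security pki ca-certificate load ca-profile ROOT-CA filename root.pem
request security pki ca-certificate load ca-profile PEER-CA filename peer-ca.pem

# --- Configuration ---
# One ca-profile per CA. Revocation checking is disabled here only to keep the
# example self-contained; enable CRL/OCSP checking in production.
set security pki ca-profile ROOT-CA ca-identity ROOT-CA
set security pki ca-profile ROOT-CA revocation-check disable
set security pki ca-profile INTER-CA ca-identity INTER-CA
set security pki ca-profile INTER-CA revocation-check disable
set security pki ca-profile PEER-CA ca-identity PEER-CA
set security pki ca-profile PEER-CA revocation-check disable

# The "link" between the profiles: a trusted-ca-group lists every profile the
# SRX may use when it builds and validates the peer's certificate chain.
set security pki trusted-ca-group VPN-CAS ca-profiles ROOT-CA
set security pki trusted-ca-group VPN-CAS ca-profiles INTER-CA
set security pki trusted-ca-group VPN-CAS ca-profiles PEER-CA

# IKEv1 phase 1 authenticated with RSA signatures instead of a pre-shared key.
set security ike proposal IKE-CERT-PROP authentication-method rsa-signatures
set security ike proposal IKE-CERT-PROP dh-group group14
set security ike proposal IKE-CERT-PROP authentication-algorithm sha-256
set security ike proposal IKE-CERT-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-CERT-POL mode main
set security ike policy IKE-CERT-POL proposals IKE-CERT-PROP
# Which certificate the SRX presents, and which CAs it trusts for the peer.
set security ike policy IKE-CERT-POL certificate local-certificate SRX-CERT
set security ike policy IKE-CERT-POL certificate trusted-ca trusted-ca-group VPN-CAS

# Gateway: with certificates the IKE identities are normally DNs, and the
# remote-identity must match what is actually in the peer's certificate.
set security ike gateway SITE-B-GW ike-policy IKE-CERT-POL
set security ike gateway SITE-B-GW address 192.0.2.10
set security ike gateway SITE-B-GW external-interface ge-0/0/0.0
set security ike gateway SITE-B-GW local-identity distinguished-name
set security ike gateway SITE-B-GW remote-identity distinguished-name container "OU=VPN,O=Example"
# Troubleshooting test suggested in the thread (KB27302): relax IKE ID matching.
# set security ike gateway SITE-B-GW general-ikeid

# --- Verification ---
# Confirm the local certificate and each CA certificate loaded, that the
# certificates are X509v3, and what the subject / SAN fields contain.
show security pki local-certificate certificate-id SRX-CERT detail
show security pki ca-certificate ca-profile INTER-CA detail
show security pki ca-certificate ca-profile ROOT-CA detail
show security pki ca-certificate ca-profile PEER-CA detail
```

When comparing the two peers, check that the issuer chain printed for the peer's certificate is fully covered by the profiles in the trusted-ca-group on each side, and that the remote-identity configured here matches the subject (or SAN) shown in the other side's local-certificate output.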

Re: SRX Certificate VPN

10-05-2018 01:23 AM

Please check the URL below.

https://www.blackhole-networks.com/CertVPN/pki_setup.html

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: SRX Certificate VPN

10-05-2018 04:13 PM

Can you configure the "set security ike gateway <gateway_name> general-ikeid" command for that VPN and let us know if it comes up?

Info about the command: https://kb.juniper.net/InfoCenter/index?page=content&id=KB27302

Also, can you confirm the version of your certs, are they X509v3? I am trying to isolate a problem with the Subject Alternative Name field on the certs and the Remote-IKE-ID value set on the SRX.

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX Certificate VPN

10-05-2018 08:31 PM

Hello,

Can you tell me how many CA certificates there are in the chain that signed the peer's certificate?

And how did you install them on the SRX?

Regards,

Rushi


Re: SRX Certificate VPN

10-08-2018 02:13 AM

Hi

Re: SRX Certificate VPN

10-08-2018 05:19 AM

Hello,

I do not think 'trust-ca-group' configuration is needed here.

Can you take the VPN and PKI traces during the negotiation, and also the same on the peer device?

What is the peer device though?

Regards,

Rushi


Re: SRX Certificate VPN

10-08-2018 09:00 AM

Can you also post the following commands from both peers:

> show security pki local-certificate detail
> show security pki ca-certificate detail
# show security ike