SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX cert based VPN + EJBCA CA error

    Posted 07-24-2012 00:57

    I have set up a cert-based VPN using MS Win2008 as the CA and it worked just fine. But when I tried to use certificates from an EJBCA CA I got trouble: the certificates enroll just fine, but then IKE Phase 1 fails with this error:

    *** ike ***
    Jul 24 10:42:26 ike_decode_packet: Start
    Jul 24 10:42:26 ike_decode_packet: Start, SA = { 7d11bfe3 3f6e42a3 - ed614fa7 492895b9} / e07b607a, nego = 0
    Jul 24 10:42:26 ike_st_i_n: Start, doi = 1, protocol = 1, code = Authentication failed (24), spi[0..16] = 7d11bfe3 3f6e42a3 ..., data[0..31] = 800c0001 00060013 ...
    Jul 24 10:42:26 <none>:500 (Responder) <-> 1.1.1.2:500 { 7d11bfe3 3f6e42a3 - ed614fa7 492895b9 [0] / 0xe07b607a } Info; Notification data has attribute list
    Jul 24 10:42:26 <none>:500 (Responder) <-> 1.1.1.2:500 { 7d11bfe3 3f6e42a3 - ed614fa7 492895b9 [0] / 0xe07b607a } Info; Notify message version = 1
    Jul 24 10:42:26 <none>:500 (Responder) <-> 1.1.1.2:500 { 7d11bfe3 3f6e42a3 - ed614fa7 492895b9 [0] / 0xe07b607a } Info; Error text = No public key found
    Jul 24 10:42:26 <none>:500 (Responder) <-> 1.1.1.2:500 { 7d11bfe3 3f6e42a3 - ed614fa7 492895b9 [0] / 0xe07b607a } Info;

     Any ideas?



  • 2.  RE: SRX cert based VPN + EJBCA CA error
    Best Answer

    Posted 07-25-2012 03:10

    Hi,

    As per the App Note, only 3 CA vendors (Entrust, Verisign and Microsoft) are supported by SRX. However, others are also supported as long as they conform to the X.509 standard.

    "No public key found" suggests some problem with the CA certificate. After pulling the IKE identity offered in IKE phase-1 from the peer and searching through the config to find a matching IKE gateway, the SRX makes sure that it has not been tampered with by validating the digital signature on the remote's cert using the public key in the CA's cert.

    Have you loaded and verified this CA certificate properly?

    show security pki ca-certificate ca-profile <ca-profile name> detail
    request security pki ca-certificate verify ca-profile <ca-profile-name>




  • 3.  RE: SRX cert based VPN + EJBCA CA error

    Posted 08-26-2012 23:25

    Thanks for help!

    It was a CA certificate issue. Due to incorrect NTP settings, the CA cert was only due to become valid in the future. Totally forgot to update the feed after resolving the issue...
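The check recommended in the best answer (validate the CA certificate before blaming the VPN) and the root cause reported in the last reply (a device clock so far behind that the CA cert had not yet started being valid) can be reproduced locally with OpenSSL. The script below is an added example and is not from the thread or from Juniper: it builds a throwaway CA and a peer certificate signed by it, then validates the peer certificate against the CA once at the real time and once as if the clock read seven days earlier, which is the situation an SRX with broken NTP is in. The CA name "Lab Root CA", the peer name "peer.example.net" and the temporary working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "CA certificate not yet
# valid" failure caused by a wrong device clock, using only openssl.
# All names (Lab Root CA, peer.example.net) and the temp directory are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki: create a throwaway self-signed CA and a peer certificate it signs.
# Both certificates become valid at the moment they are created (notBefore = now).
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=peer.example.net" \
    -keyout "$WORK/peer.key" -out "$WORK/peer.csr" >/dev/null 2>&1
  openssl x509 -req -days 90 -sha256 -in "$WORK/peer.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/peer.crt" >/dev/null 2>&1
}

# verify_at EPOCH: chain-validate the peer cert against the CA as if the
# verifier's clock read EPOCH (openssl verify -attime). Prints "valid",
# "not yet valid" or the raw openssl error; returns openssl's exit status.
verify_at() {
  at="$1"
  if out=$(openssl verify -attime "$at" -CAfile "$WORK/ca.crt" "$WORK/peer.crt" 2>&1); then
    echo valid
    return 0
  fi
  case "$out" in
    *"not yet valid"*) echo "not yet valid" ;;
    *) echo "$out" ;;
  esac
  return 1
}

# cert_not_before FILE: print the certificate's notBefore field. This is the
# value to compare against the device clock when a CA cert refuses to verify.
cert_not_before() {
  openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//'
}

make_pki
now=$(date +%s)
echo "CA notBefore:         $(cert_not_before "$WORK/ca.crt")"
echo "clock = now:          $(verify_at "$now")"
echo "clock = now - 7 days: $(verify_at $((now - 7 * 86400)))"
```

Run as-is: the first verification succeeds and the second fails with "not yet valid", even though nothing about the certificates changed between the two calls. When a freshly enrolled CA certificate fails to verify on a device, compare its notBefore against the device's own clock before looking anywhere else.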