Certificate VPN troubleshooting

I am going to break my certificate VPN setup in this post and see what sort of log message we will get. If you are looking for how to set up a certificate based IPSEC VPN on SRX, you can check my other post.


I have already an established the tunnel between those two peers you can see in the topology.

Let’s check CO-A cluster side status first.

Now we have confirmed that Phase 1 and Phase 2 are UP.

If you can take a look at the IKE gateway config, we set remote IKE-ID as hostname. We don’t set our own IKE-ID hence our interface IP on CO-A will be selected. You can already see this on the ike SA output above.

BranchA gateway configuration is also as follows

Before the tunnel comes up, I have enabled IKE traceoptions on BranchA side. First interesting log snippet is the following;

On the first line “id = ipv4(any:0,[0..3]=” this line seems to be revealing the IKE-ID which is received from the remote side (CO-A) , now we will modify ike-id of CO-A in purpose to see what kind of error message we get.

Now let’s check the ike error log

As you can see on the 1st line, received IKE-ID is “id = fqdn(any:0,[0..15]=co-a.example.com)” i.e it is co-a.example.com which is what we set in the CO-A device config but this isn’t what is configured on branchA box. Now branchA side can’t match the public key received and returns the authentication failed error. IKE-ID can incorrectly exist in two locations I believe: one in the config the other one is the certificate itself as we embed our ike-id in the SubjectAlternative attribute i.e

Do you see the IKE id in the certificate itself? There we can make another mistake as well.

Another mistake I do is that from time to time, I do mess up signing the certificate. Openssl has a verification option for this purpose by which you can verify if certificate you have is signed by the CA currently loaded on the box or not.

Certificate validity period is also an important factor that we shouldn’t miss.

Last but not least is the CRL. If the cert is already revoked, that can also cause problem for the tunnel to come up. To get more log you can also enable PKI traceoptions under [security pki] which will give you bunch of info about cert you load and CRL.

I know that this post isn’t that nicely outlined as my mind is also a bit of a mess when it comes to certificate VPN. I just wanted to put couple of trouble points for cert VPN here.

You have a feedback?