Certificate VPN: Public key lookup failed

During one of my IPsec VPN tests using certificate authentication, I received the following error, which really baffled me:

ike_find_public_key: Find public key for 192.168.1.1:500, id = No Id -> 192.168.2.1:500, id = fqdn(any:0,[0..19]=srx1.example.com)
ikev2_fb_find_public_key_cb: Public key lookup failed, error 'Authentication failed'
ike_policy_reply_find_public_key: Start
192.168.1.1:500 (Responder) <-> 192.168.2.1:500 { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00 [-1] / 0x00000000 } IP; No public key found
ike_state_restart_packet: Start, restart packet SA = { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00}, nego = -1
192.168.1.1:500 (Responder) <-> 192.168.2.1:500 { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
IKE negotiation fail for local:192.168.1.1, remote:192.168.2.1 IKEv1 with status: Authentication failed
  IKEv1 Error : Authentication failed

I had never seen this “Public key lookup failed” error message before and assumed I had made a mistake when creating my certificates. So I re-created the certificates, and this time I got the following private key error instead:

ike_find_private_key: Find private key for 192.168.2.1:500, id = fqdn(any:0,[0..19]=harmison.example.com) -> 192.168.1.1:500, id = No Id
ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
ike_policy_reply_find_private_key: Start
192.168.2.1:500 (Initiator) <-> 192.168.1.1:500 { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236 [-1] / 0x00000000 } IP; No private key found
ike_state_restart_packet: Start, restart packet SA = { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236}, nego = -1
192.168.2.1:500 (Initiator) <-> 192.168.1.1:500 { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
IKE negotiation fail for local:192.168.2.1, remote:192.168.1.1 IKEv1 with status: Authentication failed
 IKEv1 Error : Authentication failed

Then I checked the certificate installed locally on the SRX:

root@FF1> show security pki local-certificate 
Certificate identifier: srx-ff1-id
  Issued to: Mr. Admin, Issued by: C = NL, ST = CA State, L = Prague, O = CA Internet Ltd, OU = CA Org, CN = ca.example.com, emailAddress = caadmin@example.com
  Validity:
    Not before: 02-23-2014 12:58 UTC
    Not after: 02-19-2024 12:58 UTC
  Public key algorithm: rsaEncryption(1024 bits)

Then I checked the current time on the system:

root@FF1> show system uptime                     
Current time: 2014-02-22 16:26:04 UTC
System booted: 2014-02-22 12:55:45 UTC (03:30:19 ago)
Protocols started: 2014-02-22 12:56:25 UTC (03:29:39 ago)
Last configured: 2014-02-22 16:17:30 UTC (00:08:34 ago) by root
 4:26PM  up 3:30, 2 users, load averages: 0.01, 0.01, 0.00

This is the problem! The SRX system time (2014-02-22 16:26 UTC) is behind my certificate server’s time, i.e. the certificate’s “Not before: 02-23-2014 12:58 UTC” is still in the future from the SRX’s point of view, so the certificate is not yet valid and the PKI lookup rejects it. Once I set the time via NTP, IKE established with no issues. If you are receiving the same type of error, first make sure your system time is correct :-)
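As an added example (not code from the original post), the following Python script performs the check described above mechanically: it parses the “Not before” / “Not after” lines of `show security pki local-certificate` and the “Current time:” line of `show system uptime`, exactly in the formats shown in the outputs above, and reports whether the certificate is valid at that instant or, if not, by how much the clock is off. The sample inputs are constructed from the outputs quoted in this post; the function names are my own and the script assumes all timestamps are UTC, as the Junos output states.

```python
"""Check a Junos local certificate's validity window against the device clock.

Added example, not part of the original post or of Junos itself. It parses
`show security pki local-certificate` and `show system uptime` output in the
formats shown above and classifies the certificate as valid, not yet valid
or expired relative to the device's own clock. All timestamps are UTC.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Timestamp formats as they appear in the two Junos commands.
_PKI_FMT = "%m-%d-%Y %H:%M"          # e.g. "02-23-2014 12:58"
_UPTIME_FMT = "%Y-%m-%d %H:%M:%S"    # e.g. "2014-02-22 16:26:04"

_NOT_BEFORE_RE = re.compile(r"Not before:\s+(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) UTC")
_NOT_AFTER_RE = re.compile(r"Not after:\s+(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) UTC")
_CURRENT_TIME_RE = re.compile(r"Current time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_validity(pki_output: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    nb = _NOT_BEFORE_RE.search(pki_output)
    na = _NOT_AFTER_RE.search(pki_output)
    if not nb or not na:
        raise ValueError("validity lines not found in local-certificate output")
    not_before = datetime.strptime(nb.group(1), _PKI_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(na.group(1), _PKI_FMT).replace(tzinfo=timezone.utc)
    return not_before, not_after


def parse_current_time(uptime_output: str) -> datetime:
    """Return the device clock from `show system uptime` as an aware UTC datetime."""
    m = _CURRENT_TIME_RE.search(uptime_output)
    if not m:
        raise ValueError("'Current time' line not found in uptime output")
    return datetime.strptime(m.group(1), _UPTIME_FMT).replace(tzinfo=timezone.utc)


def check_validity(pki_output: str, uptime_output: str) -> dict:
    """Classify the certificate relative to the device clock.

    Returns {"status": "valid" | "not_yet_valid" | "expired",
             "offset": timedelta to the violated boundary (zero when valid)}.
    """
    not_before, not_after = parse_validity(pki_output)
    now = parse_current_time(uptime_output)
    if now < not_before:
        # The symptom from this post: the clock is behind the CA's clock.
        return {"status": "not_yet_valid", "offset": not_before - now}
    if now > not_after:
        return {"status": "expired", "offset": now - not_after}
    return {"status": "valid", "offset": timedelta(0)}


# Constructed sample input, copied from the outputs quoted in this post.
SAMPLE_PKI_OUTPUT = """\
Certificate identifier: srx-ff1-id
  Issued to: Mr. Admin, Issued by: C = NL, ST = CA State, L = Prague, O = CA Internet Ltd, OU = CA Org, CN = ca.example.com, emailAddress = caadmin@example.com
  Validity:
    Not before: 02-23-2014 12:58 UTC
    Not after: 02-19-2024 12:58 UTC
  Public key algorithm: rsaEncryption(1024 bits)
"""

SAMPLE_UPTIME_OUTPUT = """\
Current time: 2014-02-22 16:26:04 UTC
System booted: 2014-02-22 12:55:45 UTC (03:30:19 ago)
Protocols started: 2014-02-22 12:56:25 UTC (03:29:39 ago)
Last configured: 2014-02-22 16:17:30 UTC (00:08:34 ago) by root
"""

if __name__ == "__main__":
    result = check_validity(SAMPLE_PKI_OUTPUT, SAMPLE_UPTIME_OUTPUT)
    print(f"certificate status: {result['status']}, clock offset: {result['offset']}")
```

Run against the outputs from this post it reports `not_yet_valid` with an offset of 20:31:56, which is exactly the gap between the SRX clock and the certificate’s “Not before” time; on a box with a correct NTP-synced clock the same inputs would report `valid`.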

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE
