Deprecated: Hook custom_css_loaded is deprecated since version jetpack-13.5! Use WordPress Custom CSS instead. Jetpack no longer supports Custom CSS. Read the documentation to learn how to apply custom styles to your site: in /var/www/ on line 6031
Certificate VPN troubleshooting –

Certificate VPN troubleshooting

I am going to break my certificate VPN setup in this post and see what sort of log message we will get. If you are looking for how to set up a certificate based IPSEC VPN on SRX, you can check my other post.


I have already an established the tunnel between those two peers you can see in the topology.

Let’s check CO-A cluster side status first.

root@CO-A-1> show security ike sa | match UP    
3497228 UP     099ec6b5648bd43c  344020d094568811  Main        

root@CO-A-1> show security ike sa detail index 3497228 
IKE peer, Index 3497228, Gateway Name: brancha-2
  Role: Initiator, State: UP
  Initiator cookie: 099ec6b5648bd43c, Responder cookie: 344020d094568811
  Exchange type: Main, Authentication method: RSA-signatures   <<<<--------

root@CO-A-1> show security ipsec sa 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  131083 ESP:3des/sha1 a95fdfaa 2220/ unlim   -   root 500 

Now we have confirmed that Phase 1 and Phase 2 are UP.

If you can take a look at the IKE gateway config, we set remote IKE-ID as hostname. We don’t set our own IKE-ID hence our interface IP on CO-A will be selected. You can already see this on the ike SA output above.

root@CO-A-1> show configuration security ike gateway brancha-2   
ike-policy brancha-2;
remote-identity hostname;
external-interface reth1.953;

BranchA gateway configuration is also as follows

gateway co-a {
    ike-policy pol-cert;
    local-identity hostname;
    external-interface ge-0/0/0.950;

Before the tunnel comes up, I have enabled IKE traceoptions on BranchA side. First interesting log snippet is the following;

[Mar 23 22:09:54]ike_find_public_key: Find public key for, id = No Id ->, id = ipv4(any:0,[0..3]=
[Mar 23 22:09:54]ike_policy_reply_find_public_key: Start
[Mar 23 22:09:54]ike_state_restart_packet: Start, restart packet SA = { 099ec6b5 648bd43c - 344020d0 94568811}, nego = -1
[Mar 23 22:09:54]ike_st_i_sig: Start, sig[0..128] = 03c5b328 4324ab67 ...
[Mar 23 22:09:54]ike_find_public_key: Find public key for, id = No Id ->, id = ipv4(any:0,[0..3]=

On the first line “id = ipv4(any:0,[0..3]=” this line seems to be revealing the IKE-ID which is received from the remote side (CO-A) , now we will modify ike-id of CO-A in purpose to see what kind of error message we get.

root@CO-A-1# set security ike gateway brancha-2 local-identity hostname 

Now let’s check the ike error log

[Mar 23 22:51:13]ike_find_public_key: Find public key for, id = No Id ->, id = fqdn(any:0,[0..15]
[Mar 23 22:51:13]ikev2_fb_find_public_key_cb: Public key lookup failed, error 'Authentication failed'
[Mar 23 22:51:13]ike_policy_reply_find_public_key: Start
[Mar 23 22:51:13] (Responder) { 95ec8728 cf2e470f - 71e8dd54 edb8f4b8 [-1] / 0x00000000 } IP; No public key found
[Mar 23 22:51:13]ike_state_restart_packet: Start, restart packet SA = { 95ec8728 cf2e470f - 71e8dd54 edb8f4b8}, nego = -1
[Mar 23 22:51:13] (Responder) { 95ec8728 cf2e470f - 71e8dd54 edb8f4b8 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
[Mar 23 22:51:13]  IKEv1 Error : Authentication failed

As you can see on the 1st line, received IKE-ID is “id = fqdn(any:0,[0..15]” i.e it is which is what we set in the CO-A device config but this isn’t what is configured on branchA box. Now branchA side can’t match the public key received and returns the authentication failed error. IKE-ID can incorrectly exist in two locations I believe: one in the config the other one is the certificate itself as we embed our ike-id in the SubjectAlternative attribute i.e

root@CO-A-1> show security pki local-certificate detail 

Certificate identifier: srx-co-id
  Certificate version: 3
  Serial number: 00000017
    Organization: CA Internet Ltd, Organizational unit: CA Org, Country: NL, State: CA State, Locality: Prague, Common name:
    Organizational unit: SRX Dept, Country: NL, Common name: Mr. Admin
  Subject string: 
    CN=Mr. Admin, OU=SRX Dept, C=NL
  Alternate subject: email empty, fqdn empty,     <<<<<<----   IKE-ID
    Not before: 03-18-2015 13:26 UTC
    Not after: 03-15-2025 13:26 UTC
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: sha1WithRSAEncryption
    6b:a7:72:94:ed:f9:19:2f:bc:5f:b1:5c:1f:ec:0c:10:ca:38:a5:7f (sha1)
    25:4e:fc:ee:4e:69:2a:90:82:00:8c:55:40:bb:f1:6e (md5)
    Status: Disabled
    Next trigger time: Timer not started

Do you see the IKE id in the certificate itself? There we can make another mistake as well.

Another mistake I do is that from time to time, I do mess up signing the certificate. Openssl has a verification option for this purpose by which you can verify if certificate you have is signed by the CA currently loaded on the box or not.

root@debian1:/etc/pki_srx/CA1# openssl verify -CAfile certs/ca.crt certs/brancha.crt
certs/brancha.crt: OK

Certificate validity period is also an important factor that we shouldn't miss.

    Not before: 03-18-2015 13:26 UTC
    Not after: 03-15-2025 13:26 UTC

Last but not least is the CRL. If the cert is already revoked, that can also cause problem for the tunnel to come up. To get more log you can also enable PKI traceoptions under [security pki] which will give you bunch of info about cert you load and CRL.

I know that this post isn't that nicely outlined as my mind is also a bit of a mess when it comes to certificate VPN. I just wanted to put couple of trouble points for cert VPN here.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

You have a feedback?

Discover more from

Subscribe now to keep reading and get access to the full archive.

Continue reading