Certificate VPN: Public key lookup failed
During one of my IPsec VPN tests using certificate authentication, I received the following error, which really baffled me:
ike_find_public_key: Find public key for 192.168.1.1:500, id = No Id -> 192.168.2.1:500, id = fqdn(any:0,[0..19]=srx1.example.com)
ikev2_fb_find_public_key_cb: Public key lookup failed, error 'Authentication failed'
ike_policy_reply_find_public_key: Start 192.168.1.1:500 (Responder) <-> 192.168.2.1:500 { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00 [-1] / 0x00000000 } IP; No public key found
ike_state_restart_packet: Start, restart packet SA = { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00}, nego = -1
192.168.1.1:500 (Responder) <-> 192.168.2.1:500 { b0c74fc4 ae9a22d3 - d1afb9e8 a67a0c00 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
IKE negotiation fail for local:192.168.1.1, remote:192.168.2.1 IKEv1 with status: Authentication failed
IKEv1 Error : Authentication failed
I had never seen this "Public key lookup failed" error message before. I thought I had made a mistake when creating my certificates, so I re-created them, and this time I got the following private key error:
ike_find_private_key: Find private key for 192.168.2.1:500, id = fqdn(any:0,[0..19]=harmison.example.com) -> 192.168.1.1:500, id = No Id
ikev2_fb_request_certificates_cb: Private key/Certificate lookup failed, error 'Crypto operation failed'
ike_policy_reply_find_private_key: Start 192.168.2.1:500 (Initiator) <-> 192.168.1.1:500 { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236 [-1] / 0x00000000 } IP; No private key found
ike_state_restart_packet: Start, restart packet SA = { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236}, nego = -1
192.168.2.1:500 (Initiator) <-> 192.168.1.1:500 { b2b93e69 b9a6bc8f - 5ff9d1ee f2bff236 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
IKE negotiation fail for local:192.168.2.1, remote:192.168.1.1 IKEv1 with status: Authentication failed
IKEv1 Error : Authentication failed
Then I checked the certificate installed locally:
root@FF1> show security pki local-certificate
Certificate identifier: srx-ff1-id
  Issued to: Mr. Admin, Issued by: C = NL, ST = CA State, L = Prague, O = CA Internet Ltd, OU = CA Org, CN = ca.example.com, emailAddress = caadmin@example.com
  Validity:
    Not before: 02-23-2014 12:58 UTC
    Not after: 02-19-2024 12:58 UTC
  Public key algorithm: rsaEncryption(1024 bits)
Then the current time on the system:
root@FF1> show system uptime
Current time: 2014-02-22 16:26:04 UTC
System booted: 2014-02-22 12:55:45 UTC (03:30:19 ago)
Protocols started: 2014-02-22 12:56:25 UTC (03:29:39 ago)
Last configured: 2014-02-22 16:17:30 UTC (00:08:34 ago) by root
 4:26PM up 3:30, 2 users, load averages: 0.01, 0.01, 0.00
This is the problem! The SRX system time is behind my certificate server's time, i.e. the "Not before: 02-23-2014 12:58 UTC" time is still in the future, so the certificate is not yet valid. Once I set the time via NTP, IKE established with no issues. If you are receiving the same type of error, first make sure your system time is correct :-)
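To turn the two checks above into a script, here is an added example (my own, not code from the post) that parses the "Not before"/"Not after" lines and the "Current time" line in the formats the SRX commands print, and reports whether the certificate is inside its validity window at the device's clock; the sample command output is constructed from the values quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample output, modelled on the two Junos commands quoted above.
CERT_OUTPUT = """Certificate identifier: srx-ff1-id
  Validity:
    Not before: 02-23-2014 12:58 UTC
    Not after: 02-19-2024 12:58 UTC
  Public key algorithm: rsaEncryption(1024 bits)"""

UPTIME_OUTPUT = "Current time: 2014-02-22 16:26:04 UTC"


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from
    'show security pki local-certificate' output (MM-DD-YYYY HH:MM UTC)."""
    def to_dt(s):
        return datetime.strptime(s, "%m-%d-%Y %H:%M").replace(tzinfo=timezone.utc)
    nb = re.search(r"Not before:\s*(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) UTC", text)
    na = re.search(r"Not after:\s*(\d{2}-\d{2}-\d{4} \d{2}:\d{2}) UTC", text)
    if not (nb and na):
        raise ValueError("validity window not found in certificate output")
    return to_dt(nb.group(1)), to_dt(na.group(1))


def parse_current_time(text):
    """Return the device clock from 'show system uptime' (YYYY-MM-DD HH:MM:SS UTC)."""
    m = re.search(r"Current time:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", text)
    if not m:
        raise ValueError("current time not found in uptime output")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_validity(cert_text, uptime_text):
    """Classify the certificate as 'not-yet-valid', 'expired' or 'valid' at the
    device clock, and return how far the clock is outside the window."""
    not_before, not_after = parse_validity(cert_text)
    now = parse_current_time(uptime_text)
    if now < not_before:
        return "not-yet-valid", not_before - now   # clock is behind the CA
    if now > not_after:
        return "expired", now - not_after         # certificate has lapsed
    return "valid", timedelta(0)


if __name__ == "__main__":
    status, delta = check_validity(CERT_OUTPUT, UPTIME_OUTPUT)
    print(f"{status}: clock is {delta} outside the validity window")
```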
I too encountered the same error, and once the time was synced it started working!!!!
Thanks a ton!!