Certificate based Site to Site VPN (IKEv2)


Hello Folks, I am trying to build a site-to-site VPN between a Palo Alto firewall running 8.1.7 and a Checkpoint firewall. Settings are configured to use IKEv2 only with certificate-based authentication.

While the logs below are from a lab setup, the actual client problem is the same. PA and Checkpoint firewall certificates are signed by the same CA, and the Root CA is present on both firewalls to build the chain.

When I try to establish the VPN tunnel with Checkpoint as the initiator, I see the logs below on the Monitor tab.

'IKEv2 certificate authentication failed. Invalid SIG.'

IKEv2 IKE SA negotiation is failed as responder.

Running a debug on ike and viewing the ikemgr log, I see the errors below on the PA firewall.

2019-05-08 13:56:34.969 +0530 [DEBG]: building cert chain:
2019-05-08 13:56:34.969 +0530 [DEBG]: /CN=cplab.winlocal.com ->
2019-05-08 13:56:34.969 +0530 [DEBG]: /DC=local/DC=lab/CN=lab-WIN-LAB-AD-CA [root]
2019-05-08 13:56:34.969 +0530 debug: pan_ike_cert_check_chain(pan_mp_cert.c:2125): verify result: 1 [0:/CN=cplab.winlocal.com]
2019-05-08 13:56:34.970 +0530 [PERR]: RSA_verify failed: 140737127241472:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c:269:
2019-05-08 13:56:34.970 +0530 [PERR]: Invalid SIG.

When I make the PA firewall the initiator, the VPN works without any issues. I tried looking around the knowledge base and didn't find anything. Has anyone come across a similar scenario?
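The ikemgr lines above show that the peer's certificate chain was built and verified ("verify result: 1") before the failure, so the chain is not the problem; the error comes one step later, when the responder checks the RSA signature in the peer's AUTH payload. OpenSSL reports "INT_RSA_VERIFY:algorithm mismatch" when the DigestInfo structure recovered from a PKCS#1 v1.5 signature names a different hash algorithm than the one the verifier expected, which is a distinct condition from a signature that simply does not match. The following pure-Python example, added here for illustration and not code from Palo Alto Networks, Checkpoint or OpenSSL, implements PKCS#1 v1.5 signing and verification with the same order of checks, so it can show the three outcomes side by side: a matching signature, a signature made with a different hash ("algorithm mismatch"), and a tampered message ("bad signature"). The RSA key generation (1024-bit, Miller-Rabin) and the sample message are constructed for the demo and are smaller than anything used in production.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefixes that PKCS#1 v1.5 (RFC 8017, section 9.2, note 1)
# places in front of the hash value. The verifier reads this prefix to learn
# which hash the signer used.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test with a small trial-division filter (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024, e=65537):
    """Return ((n, e), (n, d)); 1024 bits keeps the demo fast, production keys are larger."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15_encode(digest_alg, message, em_len):
    # EM = 0x00 || 0x01 || PS (at least eight 0xff bytes) || 0x00 || DigestInfo || hash
    t = DIGEST_INFO_PREFIX[digest_alg] + hashlib.new(digest_alg, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(private_key, digest_alg, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15_encode(digest_alg, message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_verify(public_key, expected_digest_alg, message, signature):
    """Return "ok", "algorithm mismatch" or "bad signature".

    Same order as OpenSSL's int_rsa_verify(): undo the RSA operation, strip the
    padding, compare the DigestInfo's algorithm with the expected one, and only
    then compare hash values.
    """
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return "bad signature"
    s = int.from_bytes(signature, "big")
    if s >= n:
        return "bad signature"
    em = pow(s, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return "bad signature"
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return "bad signature"
    t = em[sep + 1:]
    signer_alg = next((alg for alg, p in DIGEST_INFO_PREFIX.items() if t.startswith(p)), None)
    if signer_alg is None:
        return "bad signature"  # unknown or malformed DigestInfo
    if signer_alg != expected_digest_alg:
        return "algorithm mismatch"  # the condition OpenSSL reports as RSA_R_ALGORITHM_MISMATCH
    expected_t = DIGEST_INFO_PREFIX[expected_digest_alg] + hashlib.new(expected_digest_alg, message).digest()
    return "ok" if hmac.compare_digest(t, expected_t) else "bad signature"


def demo():
    """Sign with SHA-256, then verify expecting SHA-256, expecting SHA-1, and over altered data."""
    pub, priv = generate_keypair()
    msg = b"IKEv2 AUTH payload octets (constructed sample)"
    sig = rsa_sign(priv, "sha256", msg)
    return {
        "matching": rsa_verify(pub, "sha256", msg, sig),
        "mismatch": rsa_verify(pub, "sha1", msg, sig),
        "tampered": rsa_verify(pub, "sha256", msg + b"x", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading of the log is that the two peers disagreed about which hash covers the AUTH payload, not about the certificate or the CA. In IKEv2, the classic RSA digital signature authentication method (RFC 7296) uses SHA-1, while the digital signature method of RFC 7427 carries a negotiated hash algorithm; when troubleshooting, compare the authentication method and hash each side is configured to use, and note whether the failure only occurs in one direction, as it does here.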


Re: Certificate based Site to Site VPN (IKEv2)

Hello,

We have a VPN that was running correctly with certificates until we upgraded to 8.1.10; after this upgrade we have this problem too.


Re: Certificate based Site to Site VPN (IKEv2)

We have the exact same issue after upgrading to 8.1.10.

Is there already a solution or a known bug id or anything?
