Configure Certificate Based Authentication for IKE: ISSUE Cert

Reply
L2 Linker

Configure Certificate Based Authentication for IKE: ISSUE Cert

Hi all,

I config IPSec betwen two PA device: 1 PA5020 and 1 PA

I config as guide: How to Configure Certificate Based Authentication for IKE on PAN-OS 6.0

I generate CA on PA 5020 and import to PA 200

But on PA 200 i can't sign new  Cert with the imported CA certificate.

PA CA 01.PNG

I try generate all cert on PA 5020 ( root CA & signed CA) and import to PA 200.

But when config IKE gateaway, i can't chose CA

PA CA 02.PNG

Something wrong, but i don't where

Pls help me

Thanks

Tags (2)
Highlighted
bat
L5 Sessionator

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Hi dat.tran

Could you please show us the snapshot of the CA imported ?

Also can you try generating the certificate to be used on PA-200 on PA-5020 itself ?

Hope it helps !

L5 Sessionator

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Hello,

When you exported and imported certificate did you by any chance exported private key also?

Regards,

Hari Yadavalli

L6 Presenter

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Hi Dat,

Make sure you have imported private key of the certificate along with certificate. If that is done for sure you sign another certificate.

Export certificate : make sure you click on private key and put passphrase. Exa; Passphrase is "test123"

Export.png

Import Certificate : Make sure you click Import Private key. Put above specified passphrase "test123"

Import_Cert.PNG

Regards,

Hardik Shah

L2 Linker

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Thanks for support,

now, i can import and used Cert

But, my tunnel IPSEC can't UP

I don't know what wrong.

Thanks.

My config:

PA 5020

cert 1.PNG

cert 11.PNG

01.PNG

02.PNG

03.PNG

04.PNG

05.PNG

PA 200

p 01.PNG

p 05.PNG

p 07.PNG

L7 Applicator

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Hello dat.tran,

Could you please apply below mentioned CLI command to initiate the tunnel manually:

> test vpn ike-sa gateway XXXXXX

Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX

Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.


After applying above CLI commands, i would request you to check MOnitor > Logs > System for more detail information (subtype= "vpn")


Hope this helps.


Thanks

L2 Linker

Re: Configure Certificate Based Authentication for IKE: ISSUE Cert

Thanks, Time on PA 200 fault :smileysad:

Now, IPSEC tunnel is UP>

Thanks for your help :smileygrin:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!