I have a remote site that is connected to another site via a site-to-site tunnel using PKI/cert-based auth. My new firewall has the same config, etc., but I had to generate a new cert since the old hardware was dead and I could not export the original cert.
Everything looks good in my cert, but I'm getting an authentication error on the other end. I'm guessing this may have something to do with it seeing a different cert than it's expecting? I've deleted the tunnel config on the remote end, committed, and applied it back, hoping it would jar something loose. Is there some kind of a 'known hosts'-type file that I need to clear?
Logs from the remote firewall. local_ip refers to the IP of this remote firewall:
[Apr 15 00:02:21][local_ip <-> remote_ip] ikev2_state_error: [da7c00/ae9800] Negotiation failed because of error Authentication failed (24)
[Apr 15 00:02:21][local_ip <-> remote_ip] IKE negotiation fail for local:local_ip, remote:remote_ip IKEv2 with status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec negotiation failed for SA-CFG remote_hostname for local:local_ip, remote:remote_ip IKEv2. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec SA done callback. ed ae8028. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec SA done callback with sa-cfg NULL in p2_ed. status: Authentication failed
On the local side, everything seems to be working fine. I'm getting IKE + IPsec SAs establishing, then clearing, then establishing, over and over. But that tells me that the new firewall is okay with the attempts to establish a tunnel by the remote firewall.
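As an added example (not part of the post above, and not vendor code), the following stdlib-only Python turns log entries of the shape quoted in the post into a per-peer summary: it counts failed IKEv2 negotiations (the `ikev2_state_error` lines), records the numeric error code, tallies every status string, and maps the dominant status to the configuration area worth checking first. The sample log is constructed from the quoted entries with `local_ip`/`remote_ip` kept as placeholders; the regexes and the `diagnose` hint text are this example's own assumptions, not a documented log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the entries quoted in the post.
# local_ip / remote_ip are placeholders, not real addresses.
SAMPLE_LOG = """\
[Apr 15 00:02:21][local_ip <-> remote_ip] ikev2_state_error: [da7c00/ae9800] Negotiation failed because of error Authentication failed (24)
[Apr 15 00:02:21][local_ip <-> remote_ip] IKE negotiation fail for local:local_ip, remote:remote_ip IKEv2 with status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec negotiation failed for SA-CFG remote_hostname for local:local_ip, remote:remote_ip IKEv2. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] P2 ed info: flags 0xc2, P2 error: Error ok
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec SA done callback. ed ae8028. status: Authentication failed
[Apr 15 00:02:21][local_ip <-> remote_ip] IPSec SA done callback with sa-cfg NULL in p2_ed. status: Authentication failed
"""

# Assumed line shape: [timestamp][local <-> remote] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<local>\S+) <-> (?P<remote>[^\]]+)\] (?P<msg>.*)$")
# Status either trails "status: " or "because of error ", optionally followed by "(code)".
STATUS_RE = re.compile(r"(?:status: |because of error )(?P<status>.+?)(?: \((?P<code>\d+)\))?$")


def parse_line(line):
    """Return a dict for a recognised entry, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    status = code = None
    s = STATUS_RE.search(m["msg"])
    if s:
        status = s["status"]
        code = int(s["code"]) if s["code"] else None
    return {"ts": m["ts"], "local": m["local"], "remote": m["remote"],
            "msg": m["msg"], "status": status, "code": code}


def summarize(log_text):
    """Aggregate entries per (local, remote) peer pair."""
    peers = defaultdict(lambda: {
        "state_errors": 0,         # ikev2_state_error lines: one per failed negotiation
        "error_codes": Counter(),  # numeric codes seen on those lines (24 in the sample)
        "statuses": Counter(),     # every status string seen for this peer pair
        "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = peers[(rec["local"], rec["remote"])]
        p["first_seen"] = p["first_seen"] or rec["ts"]
        p["last_seen"] = rec["ts"]
        if rec["msg"].startswith("ikev2_state_error"):
            p["state_errors"] += 1
            if rec["code"] is not None:
                p["error_codes"][rec["code"]] += 1
        if rec["status"]:
            p["statuses"][rec["status"]] += 1
    return dict(peers)


def diagnose(peers):
    """Map the dominant failure status of each peer pair to what to verify first."""
    hints = []
    for (local, remote), p in peers.items():
        if not p["statuses"]:
            continue
        top, _ = p["statuses"].most_common(1)[0]
        if top == "Authentication failed":
            hints.append(f"{local}<->{remote}: IKEv2 AUTH rejected by this peer; "
                         "check that the peer's new certificate chains to a CA this "
                         "peer trusts and that the IKE identity it presents matches "
                         "the remote identity configured here.")
        else:
            hints.append(f"{local}<->{remote}: failing with '{top}'")
    return hints


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for pair, data in summary.items():
        print(pair, data["state_errors"], dict(data["error_codes"]), dict(data["statuses"]))
    for hint in diagnose(summary):
        print(hint)
```

Counting only the `ikev2_state_error` lines as negotiations keeps the per-negotiation count honest: one failed IKE_AUTH exchange produces five "Authentication failed" status lines in the sample, so tallying statuses alone would overstate the failure rate by a factor of five. The hint is deliberately scoped to the side that logs the rejection, since that is the peer whose trust anchors and expected remote identity decide whether a freshly issued certificate is accepted.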