Re: About Cisco Router PKI FQDN?

Lost & Found · ‎02-21-2020

Hi Guys,

We do have a dmvpn with IPSEC profile which certificate is being used for authentication and Would like to ask about how FQDN is being built, used and being presented to other routers?

By default does Cisco IOS uses its hostname and ip domain name?
Once you have successfully completed the auth/enrollement process. Tho the fqdn that is configured below is being presented to other router for authentication.. If the peer router has configured "match identity host domain test**.com** " so it needs to match the test.com domain from certicate fqdn?

crypto pki trustpoint TESTPKI

enrollment url http://x.x.x.x:80

fqdn rtrhostname.test.com

<cut>

3. How to show/check the fqdn being used for the router? Is this the correct command?

spoke1#show crypto pki certificates

Certificate

<>

Issuer:

cn=xyz

Subject:

Name: rtrhostname.test.com

hostname=rtrhostname.test.com

cn=xyz

4. From below logs from peer router why the fqdn present is different from the assigned fqdn on the certification "TESTPKI"?

ISAKMP:(2015):My ID configured as IPv4 Addr, but Addr not in Cert!

ISAKMP:(2015):Using FQDN as My ID

ISAKMP:(2015):SA is doing RSA signature authentication using id type ID_FQDN

ISAKMP (2015): ID payload

next-payload : 6

type : 2

FQDN name : spoke1 <------- Router hostname is presented by the router?Why?

Thanks

Georg Pauwen · ‎02-22-2020

Hello,

post the full configs of hub and spoke, as it is unclear which hostnames are configured where. The match identity needs to match the hostname and the domain configured on the other side...

Router 1

hostname ROUTER1
ip domain-name test.com

Router 2

match identity host domain test.com

What happens if you use 'match identity host' instead of 'match identity host domain' ?

The command 'show crypto session detail' shows you the FQDN used in Phase 1:

show crypto session detail
--> Phase1_id: rtrhostname.test.com