Hi Guys,
We have a DMVPN with an IPsec profile in which a certificate is used for authentication, and I would like to ask how the FQDN is built, used and presented to the other routers.
crypto pki trustpoint TESTPKI
enrollment url http://x.x.x.x:80
fqdn rtrhostname.test.com
<cut>
3. How do I show/check the FQDN being used by the router? Is this the correct command?
spoke1#show crypto pki certificates
Certificate
<>
Issuer:
cn=xyz
Subject:
Name: rtrhostname.test.com
hostname=rtrhostname.test.com
cn=xyz
4. In the logs below from the peer router, why is the FQDN presented different from the FQDN assigned in the trustpoint "TESTPKI"?
ISAKMP:(2015):My ID configured as IPv4 Addr, but Addr not in Cert!
ISAKMP:(2015):Using FQDN as My ID
ISAKMP:(2015):SA is doing RSA signature authentication using id type ID_FQDN
ISAKMP (2015): ID payload
next-payload : 6
type : 2
FQDN name : spoke1 <------- Router hostname is presented by the router? Why?
Thanks
Hello,
Post the full configs of hub and spoke, as it is unclear which hostnames are configured where. The match identity needs to match the hostname and the domain configured on the other side...
Router 1
hostname ROUTER1
ip domain-name test.com
Router 2
match identity host domain test.com
What happens if you use 'match identity host' instead of 'match identity host domain'?
The command 'show crypto session detail' shows you the FQDN used in Phase 1:
show crypto session detail
--> Phase1_id: rtrhostname.test.com
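To make the reply's point concrete, here is an added example (not code from the thread or from Cisco) that parses the ISAKMP "ID payload" lines quoted above and evaluates them against the two ISAKMP-profile rules discussed. It assumes a simplified model: the ID_FQDN identity is the router's hostname plus "." plus its ip domain-name (the bare hostname if no domain is set), 'match identity host X' is an exact match, and 'match identity host domain D' compares D against the part of the presented FQDN after the first dot.

```python
# Added example, not from the original thread: model how an IOS router builds its
# IKEv1 ID_FQDN identity and how a peer's ISAKMP profile "match identity" rules
# evaluate it. The ID construction and the matching semantics are assumptions
# (see lead-in), simplified for illustration.
import re

ID_FQDN = 2  # IKEv1 identification type shown as "type : 2" in the debug output

# Constructed sample: the debug lines from the thread (a spoke presenting "spoke1")
SAMPLE_DEBUG = """\
ISAKMP:(2015):My ID configured as IPv4 Addr, but Addr not in Cert!
ISAKMP:(2015):Using FQDN as My ID
ISAKMP (2015): ID payload
next-payload : 6
type : 2
FQDN name : spoke1
"""

def build_ike_fqdn_id(hostname, domain_name=None):
    """Identity a router presents as ID_FQDN (assumed: hostname[.ip domain-name])."""
    return f"{hostname}.{domain_name}" if domain_name else hostname

def parse_id_payload(debug_text):
    """Extract (id_type, name) from an 'ID payload' block of ISAKMP debug output."""
    id_type = re.search(r"^type\s*:\s*(\d+)", debug_text, re.M)
    name = re.search(r"^FQDN name\s*:\s*(\S+)", debug_text, re.M)
    if not id_type or not name:
        return None
    return int(id_type.group(1)), name.group(1)

def match_identity(rule, presented_fqdn):
    """Evaluate one ('host', X) or ('host domain', D) rule against a presented FQDN."""
    kind, value = rule
    if kind == "host":
        return presented_fqdn.lower() == value.lower()
    if kind == "host domain":
        _host, _, domain = presented_fqdn.partition(".")
        return domain.lower() == value.lower()
    raise ValueError(f"unsupported rule {kind!r}")

def diagnose(debug_text, rule):
    """Return (presented_name, matched) for the debug text and one peer rule."""
    parsed = parse_id_payload(debug_text)
    if parsed is None or parsed[0] != ID_FQDN:
        return None, False
    return parsed[1], match_identity(rule, parsed[1])
```

Run against the sample, a bare "spoke1" (no domain part) fails 'match identity host domain test.com' but matches 'match identity host spoke1', which is the difference the reply asks about.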