Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
260
Views
0
Helpful
1
Replies
Lost & Found
Beginner
Beginner
‎02-21-2020 07:48 AM
‎02-21-2020 07:48 AM

About Cisco Router PKI FQDN?

Hi Guys,

 

We do have a dmvpn with IPSEC profile which certificate is being used for authentication and Would like to ask about how FQDN is being built, used and being presented to other routers?

 

  1. By default does Cisco IOS uses its hostname and ip domain name?
  2. Once you have successfully completed the auth/enrollement process. Tho the fqdn that is configured below is being presented to other router for authentication.. If the peer router has configured "match identity host domain test**.com** " so it needs to match the test.com domain from certicate fqdn?

crypto pki trustpoint TESTPKI

enrollment url http://x.x.x.x:80

fqdn rtrhostname.test.com

<cut>

 

3. How to show/check the fqdn being used for the router? Is this the correct command?

spoke1#show crypto pki certificates

Certificate

<>

Issuer:

cn=xyz

Subject:

Name: rtrhostname.test.com

hostname=rtrhostname.test.com

cn=xyz

 

4. From below logs from peer router why the fqdn present is different from the assigned fqdn on the certification "TESTPKI"?

ISAKMP:(2015):My ID configured as IPv4 Addr, but Addr not in Cert!

ISAKMP:(2015):Using FQDN as My ID

ISAKMP:(2015):SA is doing RSA signature authentication using id type ID_FQDN

ISAKMP (2015): ID payload

next-payload : 6

type : 2

FQDN name : spoke1 <------- Router hostname is presented by the router?Why?

 

Thanks

Labels:
0 Helpful
1 REPLY 1
Georg Pauwen
VIP Expert VIP Expert
VIP Expert
‎02-22-2020 02:11 AM
‎02-22-2020 02:11 AM

Hello,

 

post the full configs of hub and spoke, as it is unclear which hostnames are configured where. The match identity needs to match the hostname and the domain configured on the other side...

 

Router 1

 

hostname ROUTER1
ip domain-name test.com

 

Router 2

 

match identity host domain test.com

 

What happens if you use 'match identity host' instead of 'match identity host domain' ?

 

The command 'show crypto session detail' shows you the FQDN used in Phase 1:

 

show crypto session detail
--> Phase1_id: rtrhostname.test.com

0 Helpful
Latest Contents
SD-WAN Advanced Deployment | Part.1
Created by Mohamed Alhenawy on 04-16-2021 12:13 AM
0
15
0
15
Today I'm going to talk about SD-wan including SD-WAN advanced lab ,, first thing let's take a small brief about the SD_WAN.  What is SD-WAN?   SD-WAN is Software define wide area network and SD-WAN is key part of the technology o... view more
Cisco Meraki IoT specialist will introduce you to new and in...
Created by sullskog on 04-15-2021 01:09 AM
0
0
0
0
Leopold Fisher, Cisco Meraki IoT specialist, will introduce you to new and innovative additions to the Meraki portfolio coming in April 2021.         Meraki Vision Session MV smart camera range is getting big... view more
Dynamic Routing Protocols with IPv6: Configuration, Verifica...
Created by ciscomoderator on 04-13-2021 02:39 PM
0
5
0
5
To participate in this event, please use the  button to ask your questions Dynamic Routing Protocols & IPv6 Have any questions on dynamic routing protocols with IPv6? In this event we will answer all your questions related to dynamic routing pro... view more
SD-WAN Advanced Deployment | Part.1
Created by Mohamed Alhenawy on 04-13-2021 09:24 AM
0
15
0
15
Today I'm going to talk about SD-wan including SD-WAN advanced , first thing let's take a small brief about the SD_WAN.What is SD-WAN? SD-WAN is Software define wide area network and SD-WAN is key part of the technology of software-definednetworking ... view more
Living on the Edge with the Secure Cats
Created by almuench on 04-07-2021 01:34 PM
0
0
0
0
The cat's out of the bag! In October 2020, Cisco announced the Next Generation of Enterprising Routing Platforms: the Catalyst 8000 Edge Platforms Family including the Catalyst 8200, Catalyst 8300, Catalyst 8500, and Catalyst 8000V. The new family of Cats... view more
Content for Community-Ad