05-10-2019 06:58 AM
Hi all,
I have a DMVPN architecture and I want to use PKI certificates for authentication.
1- I manually generated the Certificate Signing Requests on the Hub and spokes.
2- I sent the certificate for signing to the CA team by email.
3- When I received the signed certificates back by email, I added them on the routers.
The problem is that my IPsec tunnel does not come up. The process is stuck in phase 1 (IKE).
When I test the preshared key, it works. But when I use the certificates, it does not work.
Does anyone have an idea and can help me?
Here are the debugs, attached to the post.
PS: I have configured the NTP and it is synchronized.
Configuration (only IPsec part)
=======================
HUB_DMVPN
=========
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp fragmentation
crypto isakmp aggressive-mode disable
crypto ipsec transform-set TRANSFORM_SET esp-des esp-md5-hmac
 mode transport
crypto ipsec fragmentation after-encryption
crypto ipsec profile DMVPN
 set transform-set TRANSFORM_SET
SPOKE2
======
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp fragmentation
crypto ipsec transform-set TRANSFORM_SET esp-des esp-md5-hmac
 mode transport
crypto ipsec fragmentation after-encryption
crypto ipsec profile DMVPN
 set transform-set TRANSFORM_SET
Thank you!
05-10-2019 07:31 AM
Looks like you have a certificate issue; check the domain name and other parameters.
Here are example guides that can help you.
https://juantron.wixsite.com/my-networking-online/dmvpn-with-pki
https://www.m00nie.com/2011/11/dmvpn-with-pki-authentication-gns3-lab/
05-14-2019 06:06 AM
Thank you Balaji for the feedback. I have checked the links but they did not really help me. My certificates are generated and installed manually for the first establishment of tunnels.
05-10-2019 08:08 AM
05-14-2019 06:42 AM
Thank you RJI for your feedback. The devices are using the customer's CA so there is sensitive information I cannot put here.
I am trying to find a way to attach the necessary output but nothing compromising the customer.
Thanks!
Kach!