DMVPN certificate selection failed

Rene Mueller · ‎11-21-2024

Hi,

we have a running dmvpn hub spoke environment with cert based authentication of the routers. So far, so good. Now some of the branch offices routers are also configured for cube functionality and for that to work we needed to install a public signed machine certificate. However, until then DMVPN used an internal signed cert, but now with 2 certificates and trustpoints, DMVPN always tries to authenticate to other spokes with the public signed cert and then DMVPN failes.

Is there an configuration that tells the DMVPN setup to use a specific cert then it tries to establish a VPN to another spoke?

we tried using cert map and match criteria in isakmp profile, but that did not work. it looks like this is only in use for incoming cert requests.

crypto isakmp profile DMVPN
ca trust-point issuing
ca trust-point root
match certificate certmap

crypto ipsec profile ipsec-profile-dmvpn
set isakmp-profile DMVPN

crypto pki certificate map certmap 10
issuer-name co ABC

MHM Cisco World · ‎11-21-2024

Pleade check this

https://www.experts-exchange.com/articles/32370/Cradlepoint-and-Cisco-DMVPN-with-Certificate-Based-Authentication-Also-IOS-CA-OSPF-and-VRRP.html

MHM

Rene Mueller · ‎11-21-2024

Thanks for sharing your idea to this question. Unfortunatelly this example seems not to be helpful. We configured DMVPN that way and it working, until you have more than 1 available certificate on your router. in our case it picks the wrong cert all the time.

MHM Cisco World · ‎11-21-2024

multi cert. in the Spokes or Hub ?

MHM

Rene Mueller · ‎11-21-2024

what do you mean by "multi cert"?

MHM Cisco World · ‎11-21-2024

Hi Friend
the steps must done in below order ""this from link I share above""
the steps in brief you need to use identity for Authc DN and use isakmp profile and match cert. map and under this profile we use CA trust-point and finally we use isakmp profile in ipsec profile

BLDG42-RTR-VPN-01(config)#crypto pki certificate map CP-CERT-MAP 10
BLDG42-RTR-VPN-01(ca-certificate-map)# issuer-name eq CN=BLDG42-RTR-VPN-01.company.com O=COMPANY L=City ST=State C=US
BLDG42-RTR-VPN-01(config)#crypto isakmp policy 10
BLDG42-RTR-VPN-01(config-isakmp)# encr aes 256
BLDG42-RTR-VPN-01(config-isakmp)# hash sha256
BLDG42-RTR-VPN-01(config-isakmp)# group 14
BLDG42-RTR-VPN-01(config-isakmp)# lifetime 28800
BLDG42-RTR-VPN-01(config-isakmp)#crypto isakmp identity dn
BLDG42-RTR-VPN-01(config)#crypto isakmp profile cradlepoint-cert
BLDG42-RTR-VPN-01(conf-isa-prof)#ca trust-point CRADLEPOINTVPN.COMPANY.COM
BLDG42-RTR-VPN-01(conf-isa-prof)#match certificate CP-CERT-MAP
BLDG42-RTR-VPN-01(conf-isa-prof)#!
BLDG42-RTR-VPN-01(conf-isa-prof)#!
BLDG42-RTR-VPN-01(conf-isa-prof)#crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha256-hmac
BLDG42-RTR-VPN-01(cfg-crypto-trans)# mode tunnel
BLDG42-RTR-VPN-01(cfg-crypto-trans)#!
BLDG42-RTR-VPN-01(cfg-crypto-trans)#crypto ipsec profile DMVPN
BLDG42-RTR-VPN-01(ipsec-profile)# set transform-set ESP-AES-256-SHA
BLDG42-RTR-VPN-01(ipsec-profile)# set isakmp-profile cradlepoint-cert