Core issue
While using certificates for authentication in a Dynamic Multipoint VPN (DMVPN) setup, the router displays these debugs:
- May 18 18:45:57.370: ISAKMP:(13025): processing CERT payload. message ID = 0
- May 18 18:45:57.370: ISAKMP:(13025): processing a CT_X509_SIGNATURE cert
- May 18 18:45:57.370: ISAKMP:(13025): peer's pubkey isn't cached
- May 18 18:45:57.370: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from ( ipaddress )is bad: CA request failed!
This issue is documented in Cisco bug ID CSCec14252.
Resolution
To resolve this issue, perform these steps:
- Create a trustpoint on both sides.
- Synchronize date and time on the routers (Network Time Protocol (NTP) is preferred).
- Configure the hostname and domain.
- Make sure you have generated an RSA key.
- Define the Certification Authority (CA).
- Authenticate the CA.
- Enroll with the CA.
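The steps above as one added sample Cisco IOS configuration for a single DMVPN router (an example written for this page, not configuration from the original article or from Cisco); the hostname, domain, addresses, key label, trustpoint name and IKE policy values are assumed placeholders, and the CA is assumed to be an IOS CA server reachable over HTTP.

```cisco
! Hostname and domain: both are part of the RSA key name and the certificate subject
hostname Spoke1
ip domain-name example.com
!
! Clock sync: certificate validity checks fail if the clocks drift (assumed NTP server)
ntp server 192.0.2.10
!
! RSA key the trustpoint will use (labelled so the trustpoint can reference it)
crypto key generate rsa general-keys label DMVPN-KEY modulus 2048
!
! Trustpoint defining the CA (assumed IOS CA server at 192.0.2.20)
crypto pki trustpoint DMVPN-CA
 enrollment url http://192.0.2.20:80
 subject-name CN=Spoke1.example.com
 rsakeypair DMVPN-KEY
 revocation-check crl
!
! Authenticate the CA: fetches the CA certificate; confirm its fingerprint out of band
crypto pki authenticate DMVPN-CA
!
! Enroll: requests the router's own certificate from the CA
crypto pki enroll DMVPN-CA
!
! IKE phase 1 must use certificates (rsa-sig) instead of pre-shared keys
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Verification (exec mode) before bringing the tunnel up
! show clock
! show ntp status
! show crypto pki certificates DMVPN-CA
```

Repeat the same steps on the hub and every spoke, each with its own hostname and subject name; the verification output should show both the CA certificate and the router certificate under the trustpoint, with a valid date range that the synchronized clock falls inside.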
For additional help, refer to Prerequisites for Cisco IOS Certificate Server and Dynamic Multipoint VPN.
For help enrolling a Cisco IOS router to another Cisco IOS router configured as a CA server, refer to Certificate enrollment.