Hello,
I'm trying to establish LAN-to-LAN IPsec using digital certificates between an IOS box and an ASA. The ASA is managed by another company and I don't have access to it.
While IKE enters the cert exchange phase,
Old State = IKE_I_MM4 New State = IKE_I_MM5
I got the following messages:
Nov 5 17:39:35.806: ISAKMP:(1003): processing CERT payload. message ID = 0
Nov 5 17:39:35.806: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
Nov 5 17:39:35.806: ISAKMP:(1003): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35.810: ISAKMP:(1003): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35.810: ISAKMP:(1003): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35.810: ISAKMP:(1003): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35.810: ISAKMP:(1003): peer's pubkey isn't cached
Nov 5 17:39:35.810: ISAKMP:(0): Creating CERT validation list: trpoint,
Nov 5 17:39:35.810: ISAKMP:(1003): IKE->PKI Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35.810: ISAKMP:(1003): PKI->IKE Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov 5 17:39:35: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from X.X.X.X is bad: unknown error returned in certificate validation
Nov 5 17:39:35.810: ISAKMP:(1003): Unknown error in cert validation, -1
Nov 5 17:39:35.810: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
As far as I can see:
1) It's not a time/clock issue. At least the IOS box uses NTP and has a properly configured timezone. In any case the certificate is not expired and the certificate issue time is OK.
2) It's not a CRL issue. I have configured the trustpoint with "revocation-check none" and with "revocation-check crl". The CRL file is valid and accessible. The CRL host can be reached from the IOS box by telnetting to port 80.
I'm really confused about this issue.
As I know, in message MM5 my side sends its certificate, while in message MM6 the remote side sends me its certificate.
For some reason the IOS box couldn't work with it.
Can a different key size cause this issue? Keys are 2048 on my side and 1024 on the remote (ASA) side.
Config from my side
===========================
crypto pki trustpoint trpoint
 enrollment url http://ca.domain:80/scep/
 fqdn R1
 subject-name CN=R1
 revocation-check none
 source interface GigabitEthernet0/1
 auto-enroll
!
crypto isakmp policy 1
 encr aes 256
 group 5
crypto isakmp identity dn
!
crypto pki certificate map CERT-MAP 10
 issuer-name co domain
!
crypto isakmp profile PROFILE
 ca trust-point trpoint
 match certificate CERT-MAP
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 set isakmp-profile PROFILE
 match address CRYPTO-ACL
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
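When triaging a failure like the one in this post, the useful facts are buried in the debug output: which ISAKMP SA failed, whether the router was initiator or responder, which IKE state it was in when the PKI subsystem rejected the chain, and which trustpoints were on the validation list. The script below is an added example (not from the original post, not a Cisco tool) that parses "debug crypto isakmp" style lines into exactly that summary. It assumes the line layout quoted above (timestamp, then either "ISAKMP:(sa-id):" or a "%FACILITY-sev-MNEMONIC:" syslog message); the sample log, SA id and peer address 192.0.2.10 are constructed stand-ins, and the "peer's pubkey isn't cached" line is deliberately not treated as an error.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the debug output quoted in the post above.
# SA id, timestamps and the peer address are placeholders, not values from a real device.
SAMPLE_LOG = """\
Nov 5 17:39:35.806: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov 5 17:39:35.806: ISAKMP:(1003): processing CERT payload. message ID = 0
Nov 5 17:39:35.806: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
Nov 5 17:39:35.806: ISAKMP:(1003): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 192.0.2.10)
Nov 5 17:39:35.810: ISAKMP:(1003): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 192.0.2.10)
Nov 5 17:39:35.810: ISAKMP:(1003): peer's pubkey isn't cached
Nov 5 17:39:35.810: ISAKMP:(0): Creating CERT validation list: trpoint,
Nov 5 17:39:35.810: ISAKMP:(1003): IKE->PKI Validate certificate chain state (I) MM_KEY_EXCH (peer 192.0.2.10)
Nov 5 17:39:35.810: ISAKMP:(1003): PKI->IKE Validate certificate chain state (I) MM_KEY_EXCH (peer 192.0.2.10)
Nov 5 17:39:35: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.0.2.10 is bad: unknown error returned in certificate validation
Nov 5 17:39:35.810: ISAKMP:(1003): Unknown error in cert validation, -1
Nov 5 17:39:35.810: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
"""

# Line shapes assumed from the quoted debug output (hypothetical patterns, not an official grammar)
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d{1,3})?): (?P<body>.*)$")
ISAKMP_RE = re.compile(r"^ISAKMP:\((?P<sa>\d+)\):\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"state \((?P<role>[IR])\) (?P<state>[A-Z_]+) \(peer (?P<peer>[^)]+)\)")
TRANS_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
VLIST_RE = re.compile(r"Creating CERT validation list: (?P<tps>.*)$")
SYSLOG_RE = re.compile(r"^%(?P<mnemonic>[A-Z0-9]+-\d-[A-Z0-9_]+): (?P<text>.*)$")


def _new_entry():
    return {"role": None, "peer": None, "state": None, "transitions": [], "errors": []}


def triage(log_text):
    """Group debug lines by ISAKMP SA id and record where each negotiation stood when it failed."""
    sas = OrderedDict()
    trustpoints = []   # trustpoints placed on the PKI validation list
    unattributed = []  # syslog messages seen before any SA id was known
    last_sa = None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped debug/syslog line
        body = m.group("body")
        sm = SYSLOG_RE.match(body)
        if sm:
            # %CRYPTO-style messages carry no SA id; attach them to the SA active on the previous line
            text = sm.group("mnemonic") + ": " + sm.group("text")
            (unattributed if last_sa is None else sas[last_sa]["errors"]).append(text)
            continue
        im = ISAKMP_RE.match(body)
        if not im:
            continue
        sa, msg = int(im.group("sa")), im.group("msg")
        vm = VLIST_RE.search(msg)
        if vm:
            trustpoints.extend(t.strip() for t in vm.group("tps").split(",") if t.strip())
        if sa == 0:
            continue  # SA 0 lines are PKI housekeeping, not a specific negotiation
        entry = sas.setdefault(sa, _new_entry())
        last_sa = sa
        tm = TRANS_RE.search(msg)
        if tm:
            entry["transitions"].append((tm.group("old"), tm.group("new")))
            if entry["role"] is None and tm.group("new").startswith("IKE_"):
                entry["role"] = tm.group("new").split("_")[1]  # IKE_I_* initiator, IKE_R_* responder
        st = STATE_RE.search(msg)
        if st:
            entry["role"], entry["state"], entry["peer"] = st.group("role"), st.group("state"), st.group("peer")
        if "error" in msg.lower():
            entry["errors"].append(msg)
    return {"trustpoints": trustpoints, "sas": sas, "unattributed": unattributed}


def verdict(sa, entry):
    """One-line summary of an SA: role, peer, state reached, and the first recorded error."""
    role = {"I": "initiator", "R": "responder"}.get(entry["role"], "unknown role")
    where = entry["state"] or "unknown state"
    if entry["transitions"]:
        where += " (%s)" % entry["transitions"][-1][1]
    if not entry["errors"]:
        return "SA %d: %s to peer %s, no errors logged, last state %s" % (sa, role, entry["peer"], where)
    return "SA %d: %s to peer %s failed at %s: %s" % (sa, role, entry["peer"], where, entry["errors"][0])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("validation list (trustpoints):", ", ".join(result["trustpoints"]) or "none")
    for sa_id, sa_entry in result["sas"].items():
        print(verdict(sa_id, sa_entry))
```

Run against the constructed sample it reports one SA, initiator side, stuck in MM_KEY_EXCH right after the transition to IKE_I_MM5, with the IKMP_INVAL_CERT syslog message as the first error and "trpoint" as the only trustpoint on the validation list. On a real capture the same summary tells you at a glance whether the rejection happened on your certificate or the peer's (role plus state), and whether the trustpoint you expected was actually consulted.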