cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1918
Views
25
Helpful
10
Replies

DMVPN CA ERROR

UCrypto
Level 1
Level 1

Dear All,

i setup DMVPN in Lab before operation. i can test easily DMVPN with preshare key but when i import MS CA and using CA authentication for DMVPN i got the

%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of Spoke-1.radiuslocal.com (type 2) and certificate fqdn with radiuslocal-CA error message.

PLease see the attachment files and help me.May i know is it my configuration error ? is it CA error ? please hlep me how can i solved it? 
 

crypto isakmp policy 100
encr 3des
hash md5
group 2
exit

crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit

crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit

crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit

crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit

int tunnel 1
tunnel protection ipsec profile DMVPN

10 Replies 10

Hi,
Please can you provide the output of "show crypto pki certificates" from both the hub and spokes?
Can you also run "debug crypto isakmp" and provide the output here

Dear sir,

Please see the below log and pleas advice me.

cbtme-HUB#sh crypto pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 3D000000092D5574E3DBA9931E000000000009
Certificate Usage: General Purpose
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
Name: radiuslocal-CA
cn=radiuslocal-CA
ou=IT
o=HUB
st=SG
c=SG
CRL Distribution Points:
ldap:///CN=radiuslocal-CA,CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=radiuslocal,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:32:10 UTC Sep 26 2018
end date: 01:32:10 UTC Sep 25 2020
Associated Trustpoints: radiuslocal-man

CA Certificate
Status: Available
Certificate Serial Number (hex): 1F78C201A5A6798A4FE931B28E154D66
Certificate Usage: Signature
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Validity Date:
start date: 14:39:26 UTC Sep 19 2018
end date: 14:49:24 UTC Sep 19 2028
Associated Trustpoints: radiuslocal-man


cbtme-HUB#

Hi,

Do you have spoke CA certificate enrolled in your DMVPN hub. The same thing
for the spoke (you need to have hub CA certificate imported).

Hi Mohammed al Baqari,

I only install root CA from MS CA Server and request CA to server and then installed their CA in their-self. 

if i need to install hub ca to spoke and spoke ca to hub , i need to import a lot of CA of spokes to my hub?

if i install spoke CA to HUB,i need to create other trust-point ? i didn't know how to import hub CA to spoke and Spoke CA in hub ? Please advice me

The Hub and the Spoke routers need have the the CA (root) certificate and also an identity certificate, it's easier if the same CA issues the certificates, they need to mutually trust the certificates used during authentication.

 

MS CA I've found is the most common CA for this scenario, this example shows you how to enrol for certificates using either SCEP or Manual enrollment. Follow this to authenticate and enrol a certificate for both hub and spoke.

 

HTH

Hi RJI,
I follow this example.Only different things is they request from CA from CA server by using CLI , I request from url.
I configure MS CA and create IPSec Certificate Template by using IPSec Offline Template like this example.I download MS root CA and install to router and enroll and the copy key enrollment request key from router and paste in url of MS CA (http://localhost/certsrv/certrqxt.asp ) and download key and import to router again.

Ok, so both the hub and the spokes have the CA certificate and an identity certificate issued from the same CA? Does authentication of the VPN tunnels work? If not, please provide debug output from both hub and spoke.

HI RJI,
Yes,Both the hub and the spokes have the CA certificate and an identity certificate issued from the same CA
I think authentication of the VPN tunnels doesn't work because when i assign ipsec to tunnel i got above error and tunnel is down. Please see debug log

This error in the latest logs from Hub

 

"ISAKMP:(0):Unable to match the certificate map configured in the profile"

 

In your configuration of the Hub from the original post you had this

 

crypto pki certificate map CERT-MAP-DMVPN 10
 subject-name co ou = azt cn=radisulocal-ca

 

Radius is spelt wrong so this certificate map would not match, assuming the CN of radius is spelt correctly on the certificate.

 

Can you double check the certificate map, modify if necessary and try again. If that does not work, please provide the latest configuration of both the hub and spoke AND also the output of "show crypto pki certificates" from both the hub and spoke.

 

HTH

dear sri,

My problem is if i using crypto pki certificate map ,i got the problem.

when i search the internet somebody aren't use crypto pki certificate map command .Let me know different between two command in DMVPN IPSec.

In previous configuration i use below command:
crypto isakmp policy 100 
encr 3des
hash md5
group 2
exit

crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit

crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport 
exit

crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit

crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit

but now i am using below without certificate map:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication rsa-sig
group 2
exit
!

crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
crypto ipsec profile VPNPROF1
set transform-set TS1
exit

 

 
 
Everyone's tags (0)
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: