06-21-2016 08:25 AM - edited 02-21-2020 08:52 PM
Hi all,
I'm trying to migrate a lab DMVPN config from PSK to using certificates.
Installed Root-CA + certificates without issue.
I imagined it would just be a case of creating another ISAKMP policy on the hubs and spokes and phasing it in spoke by spoke, but I'm receiving an error on the hub: 'IKE message from x.x.x.x failed its sanity check or is malformed'.
The issue disappears if I remove the ISAKMP policy from the hub; it reverts to the original PSK policy. I've checked the policies match a million times and the certificates are installed correctly.
I've included some of the config below. Policy 10 works fine.
Any help appreciated. Thanks
06-22-2016 10:02 AM
Your certificates look good. The time is very important. Just set it by using service timestamps so the log time matches your NTP clock.
When everything is set correctly on the time side, I would be very interested in getting all debugs.
This issue you have is based on the key or certificate not authenticating together; could be MTU, could be another thing.
Would you mind to provide all debugs and maybe a wireshark trace to see what's happening. Debugs are isakmp, ipsec and certificates as well.
Thanks
06-21-2016 11:24 AM
Hi
You get the message failed its sanity check or is malformed on debugs if the key (certificate) doesn't match between devices.
I assume you have generated your certificates and you have the root certificate (including the intermediate if you have one) + device certificate on each router?
They're signed by the same CA authority?
It's not mandatory, but you can create a certificate map in order to check certificates. Here is a sample config (let's assume your CA domain-name is test.com and all certificates for hub and spokes have been enrolled today at 9.00am). You can add other options as you wish:
crypto pki trustpoint cacert
!
crypto pki certificate map certmap 10
 valid-start ge Jun 21 2016 09:00:00 EDT
 subject-name co test.com
!
crypto isakmp policy 10
 encr aes
 hash sha256
 group 5
 authentication rsa-sig
!
crypto isakmp profile DMVPN
 ca trust-point cacert
 match certificate certmap
!
crypto ipsec profile dmvpn
 set transform-set XXXX
 set isakmp-profile DMVPN
!
!
It could be a fragmentation issue (you can see it with debugs and/or Wireshark). Just for testing, you can try to add globally the commands:
crypto isakmp fragmentation
crypto ipsec fragmentation after-encryption
Another thing, for DMVPN it's better to use mode transport as it saves 20 bytes overhead.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-22-2016 01:30 AM
06-22-2016 04:38 AM
Hi
Yes, inserting the profile will disrupt the actual DMVPN.
Again, it isn't mandatory.
I always used the user and/or IPsec template certificates from Windows.
Is your NTP correctly configured? Is the time synced correctly between hosts?
Did you look at the router certificate?
Could you paste the show certificate (change confidential names)
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue
06-22-2016 06:08 AM
Hi,
I've adjusted the templates to an IPsec V2 template.
NTP is pointing to a public time source; both router clocks match within 5 seconds.
Please see below the output from the sh crypt pki cert commands on both routers.
Thanks
06-22-2016 09:22 AM
06-24-2016 04:43 AM
Hi,
Managed to sort this issue out: I had left CRL checking on the spoke, but the CRLs aren't published to an accessible URL in the lab. Should have been a bit more liberal with debugging to begin with. Thanks for the advice.
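As an added illustration (not code from this thread or from Cisco IOS), the following Python models the checks discussed above: the certificate-map matching from the sample config, the clock/validity-window check behind the NTP advice, and the revocation-check behaviour behind the CRL resolution. The certificate fields, trustpoint policy and "CRL reachable" flag are constructed inputs, and the ordered-method semantics (`crl` then `none`) are an assumption about how the trustpoint falls back.

```python
# Added example: a model of IKE RSA-sig certificate checks, not IOS code.
# Certificate and trustpoint values below are constructed for the lab in this thread.
from datetime import datetime, timezone

def match_cert_map(rules, cert):
    """Evaluate certificate-map rules (field, operator, value); all must match.
    'co' = contains (case-insensitive), 'eq' = equal, 'ge'/'lt' compare datetimes."""
    for field, op, want in rules:
        have = cert[field]
        ok = {"co": lambda: want.lower() in have.lower(),
              "eq": lambda: have.lower() == want.lower(),
              "ge": lambda: have >= want,
              "lt": lambda: have < want}[op]()
        if not ok:
            return False
    return True

def ike_cert_auth(cert, trustpoint, cert_map, now, crl_reachable):
    """Return (passed, reason). trustpoint['revocation_check'] is the ordered
    method list, e.g. ['crl'] or ['crl', 'none']; 'none' skips revocation
    checking when the earlier methods could not obtain status (assumption)."""
    if not (cert["valid_start"] <= now <= cert["valid_end"]):
        return False, "clock outside certificate validity (check NTP)"
    if cert["issuer"] != trustpoint["ca"]:
        return False, "certificate not issued by the trustpoint CA"
    if cert_map is not None and not match_cert_map(cert_map, cert):
        return False, "certificate map did not match"
    for method in trustpoint["revocation_check"]:
        if method == "none" or (method == "crl" and crl_reachable):
            break                      # status obtained or explicitly not required
    else:                              # every method failed to obtain status
        return False, "revocation status unavailable (CRL not reachable)"
    return True, "ok"

def lab_scenarios():
    """Constructed lab: CA domain test.com, spoke enrolled 21 Jun 2016 09:00 UTC."""
    tz = timezone.utc
    spoke = {"subject": "CN=spoke1.test.com", "issuer": "CN=lab-root-ca",
             "valid_start": datetime(2016, 6, 21, 9, 0, tzinfo=tz),
             "valid_end": datetime(2017, 6, 21, 9, 0, tzinfo=tz)}
    certmap = [("valid_start", "ge", datetime(2016, 6, 21, 9, 0, tzinfo=tz)),
               ("subject", "co", "test.com")]
    strict = {"ca": "CN=lab-root-ca", "revocation_check": ["crl"]}
    fallback = {"ca": "CN=lab-root-ca", "revocation_check": ["crl", "none"]}
    now, skewed = datetime(2016, 6, 22, 6, 0, tzinfo=tz), datetime(2015, 1, 1, tzinfo=tz)
    return {"crl_unreachable_strict": ike_cert_auth(spoke, strict, certmap, now, False),
            "crl_unreachable_fallback": ike_cert_auth(spoke, fallback, certmap, now, False),
            "clock_skew": ike_cert_auth(spoke, fallback, certmap, skewed, False),
            "wrong_domain": ike_cert_auth(dict(spoke, subject="CN=spoke1.other.org"),
                                          fallback, certmap, now, True)}
```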
06-24-2016 08:05 AM
Nice to hear that!
07-06-2017 07:58 AM
Hi Darren,
We are trying to migrate our DMVPN from PSK to certificate-based authentication, and we have our own internal CA server. Could you please send me the steps and configuration template to migrate from PSK to certificates:
1.) Steps to be performed in CA server
2.) Steps to be performed in Hub router
3.) Steps to be performed in Spoke router
Thanks in Advance.