DMVPN - Move from PSK to RSA-Sig Auth

Hi all,

I'm trying to migrate a lab DMVPN config from PSK to using certificates.

Installed Root-CA + certificates without issue.

I imagined it would just be a case of creating another ISAKMP policy on the hubs and spokes and phasing it in spoke by spoke, but I'm receiving an error on the hub: 'IKE message from x.x.x.x failed its sanity check or is malformed'

The issue disappears if I remove the ISAKMP policy from the hub; it reverts to the original PSK policy. I've checked that the policies match a million times and the certificates are installed correctly.

I've included some of the config below. Policy 10 works fine.

Any help appreciated. Thanks

----Hub------
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set Main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ProfileName
 set security-association lifetime seconds 900
 set transform-set Main
!
!
!
!
!
!
!
interface Tunnel0
 bandwidth 20480
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp network-id ID
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 cdp enable
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile ProfileName
----Spoke----
crypto isakmp policy 5
 encr aes
 hash md5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set main esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IProfile
 set security-association lifetime seconds 900
 set transform-set main
!
!
!
!
!
!
!
interface Tunnel0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication Auth
 ip nhrp map multicast dynamic
 ip nhrp map x.x.x.x x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id X
 ip nhrp nhs x.x.x.x
 ip virtual-reassembly in
 no ip split-horizon
 ip tcp adjust-mss 1300
 tunnel source Dialer
 tunnel mode gre multipoint
 tunnel key X
 tunnel protection ipsec profile IProfile

9 Replies

Francesco Molino
VIP Alumni

Hi

You get the message "failed its sanity check or is malformed" in debugs if the key (certificate) doesn't match between devices.

I assume you have generated your certificates and you have the root certificate (including the intermediate if you have one) + the device certificate on each router?

Are they signed by the same CA authority?

It's not mandatory, but you can create a certificate map in order to check certificates. Here is a sample config (let's assume your CA domain name is test.com and all certificates for hub and spokes have been enrolled today at 9:00 am). You can add other options as you wish:

crypto pki trustpoint cacert
!
crypto pki certificate map certmap 10
 valid-start ge Jun 21 2016 09:00:00 EDT
 subject-name co test.com
!
crypto isakmp policy 10
 encr aes
 hash sha256
 group 5
 authentication rsa-sig
!
crypto isakmp profile DMVPN
 ca trust-point cacert
 match certificate certmap
!
crypto ipsec profile dmvpn
 set transform-set XXXX
 set isakmp-profile DMVPN
!

It could be a fragmentation issue (you can see it with debugs and/or Wireshark). Just for testing, you can try to add globally the commands:

crypto isakmp fragmentation

crypto ipsec fragmentation after-encryption

Another thing: for DMVPN it's better to use mode transport, as it saves 20 bytes of overhead.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, first of all thanks for the response.
Yes, both devices have the CA cert and device certs; in fact they are the only two certificates on each device. I removed the self-signed certs from both routers in case that was an issue.
They are both signed by the same CA. The CA is a Microsoft CA and the certificates were generated from the 'Web Server' template.

I've tried the fragmentation command suggested, but no joy.
Will inserting the set isakmp-profile statement into the ipsec profile disrupt the existing DMVPN spokes still using a PSK? One of the key themes of the lab is for us to be able to phase in certificates with minimal disruption.

Thanks again

Hi

Yes, inserting the profile will disrupt the current DMVPN.

Again, it isn't mandatory.

I have always used the User and/or IPsec certificate template from Windows.

Is your NTP correctly configured? Is the time synced correctly between hosts?

Did you look at the router certificate?

Could you paste the show certificate output (changing confidential names)?

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I've adjusted the templates to an IPsec V2 template.

NTP is pointing to a public time source; both router clocks match within 5 seconds.

Please see below the output from the sh crypto pki cert command on both routers.

Thanks

Hub
Certificate
  Status: Available
  Certificate Serial Number (hex): xxxxxxxxxxxxxxxxxxx
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
    dc=domain
    dc=domain
  Subject:
    Name: hub.domain.domain
    cn=hub.domain.domain
    ou=OU
    o=Org
    c=Country
  CRL Distribution Points:
    ldap:///Path
    http://path
  Validity Date:
    start date: 12:34:50 UTC Jun 22 2016
    end   date: 12:34:50 UTC Jun 22 2018
  Associated Trustpoints: Trustpoint
CA Certificate
  Status: Available
  Certificate Serial Number (hex): xxxxxxxxxxxxxxxxxxxxxxxxxx
  Certificate Usage: Signature
  Issuer:
    cn=CA
    dc=domain
    dc=domain
  Subject:
    cn=RootCA
    dc=domain
    dc=domain
  Validity Date:
    start date: 14:46:49 UTC Oct 3 2014
    end   date: 14:56:42 UTC Oct 3 2024
  Associated Trustpoints: Trustpoint
  Storage: nvram:Cer.Cer
Spoke
Certificate
  Status: Available
  Certificate Serial Number (hex): xxxxxxxxxxxxxxxxx
  Certificate Usage: General Purpose
  Issuer:
    cn=CA
    dc=domain
    dc=domain
  Subject:
    Name: spoke.domain.domain
    cn=spoke.domain.domain
    ou=OU
    o=Org
    c=Country
  CRL Distribution Points:
    ldap:///Path
    http://path
  Validity Date:
    start date: 12:37:04 UTC Jun 22 2016
    end   date: 12:37:04 UTC Jun 22 2018
  Associated Trustpoints: Trustpoint
  Storage: nvram:Cer.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): xxxxxxxxxxxxxxxxxxxxxxxxxx
  Certificate Usage: Signature
  Issuer:
    cn=CA
    dc=domain
    dc=domain
  Subject:
    cn=RootCA
    dc=domain
    dc=domain
  Validity Date:
    start date: 14:46:49 UTC Oct 3 2014
    end   date: 14:56:42 UTC Oct 3 2024
  Associated Trustpoints: Trustpoint
  Storage: nvram:Cer.Cer

Hi,
I think this may be a time issue, but I'm not sure why. The time stamp of the debug message is roughly an hour early and doesn't reflect the time of either of the routers (which are both correct).
I've also checked the time on the CA, which is correct. Both routers are set to automatically update for daylight saving time. I'm not sure if this has any impact?
The debug error from the spoke router is:
Certificate received from x.x.x.x is bad: certificate invalid

Your certificates look good. The time is very important. Just set, by using service timestamps, the log time to match your NTP clock.

When everything is set correctly on the time side, I would be very interested in getting all debugs.

This issue you have is based on the key or certificate not authenticating together; it could be MTU, could be another thing.

Would you mind providing all debugs and maybe a Wireshark trace to see what's happening? Debugs are isakmp, ipsec and certificates as well.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Managed to sort this issue out: I had left CRL checking on the spoke, but the CRLs aren't published to an accessible URL in the lab. I should have been a bit more liberal with debugging to begin with. Thanks for the advice.

Nice to hear that!


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Darren,

We are trying to migrate our DMVPN from PSK to certificate-based authentication, and we have our own internal CA server. Could you please send me the steps and a configuration template to migrate from PSK to certificates?

1.) Steps to be performed on the CA server

2.) Steps to be performed on the hub router

3.) Steps to be performed on the spoke router

Thanks in advance.
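As an added example (not posted in this thread and not Cisco documentation), here is one way to lay out the phased PSK-to-RSA-SIG migration asked about above. It also folds in the points raised earlier in the thread: the clock/NTP dependency Francesco stressed, the CRL distribution point that turned out to be unreachable in Darren's lab, and the optional IKE fragmentation command. The hostnames, the domain lab.example, the NTP address 192.0.2.10, the trustpoint name LAB-CA, the key label and the PSK placeholder are all assumptions. The CA side is covered only by the IOS commands that interact with it (authenticate the CA certificate, submit the CSR, import the issued certificate); the CA's own steps depend on the CA product and are not shown.

```ios
! Added example (not from the thread): phased DMVPN migration from PSK to RSA-SIG.
! Names, addresses and the key label below are assumptions.
!
! ===== Step 1: time first (hub and every spoke) =====
! A certificate is only accepted inside its validity window, so router time
! must agree with the CA. Stamp logs and debugs with the same clock so the
! debug timestamps line up with "show clock" (the hour offset seen above).
clock timezone UTC 0
ntp server 192.0.2.10                       ! constructed address
service timestamps log datetime msec localtime
service timestamps debug datetime msec localtime
!
! ===== Step 2: PKI on the hub (repeat on each spoke with its own subject-name) =====
ip domain-name lab.example                  ! assumed domain
crypto key generate rsa label DMVPN-KEYS modulus 2048
!
crypto pki trustpoint LAB-CA
 enrollment terminal                        ! cut-and-paste enrollment; use "enrollment url <SCEP URL>" for automatic enrollment
 subject-name CN=hub.lab.example,OU=Lab,O=Example
 rsakeypair DMVPN-KEYS
 ! The lab CRL is not published at the URL in the certificate's CDP, which is
 ! what produced "certificate invalid" on the spoke. "crl none" checks the CRL
 ! when it is reachable and still accepts the peer when it is not; plain
 ! "none" would skip revocation checking entirely.
 revocation-check crl none
!
crypto pki authenticate LAB-CA               ! import the Root CA certificate (prompts for the PEM)
crypto pki enroll LAB-CA                     ! prints the CSR; submit it to the CA, then import the issued certificate
!
! ===== Step 3: IKE policies, lowest number is tried first =====
! Policy 5 (RSA-SIG) is preferred; policy 10 (PSK) mirrors the existing one and
! stays until the last spoke has a certificate, then it and the wildcard key go.
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 0.0.0.0
!
! Optional, from the thread: IKE fragmentation in case certificate payloads push
! IKE packets past the path MTU (for troubleshooting; confirm with a capture first)
crypto isakmp fragmentation
!
! ===== Step 4: IPsec unchanged apart from transport mode (20 bytes less overhead) =====
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ! remaining Tunnel0 lines as in the posted hub/spoke config
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Step 5: verify each spoke before moving to the next =====
! show clock                                 ! inside both certificates' validity windows
! show crypto pki certificates LAB-CA        ! device and CA certificates "Available"
! show crypto pki trustpoints status
! show crypto isakmp sa detail               ! Auth column shows rsig for migrated spokes, psk for the rest
! debug crypto pki validation                ! names the reason a certificate is rejected (CRL fetch, dates, chain)
! debug crypto pki transactions
! debug crypto isakmp
```

Migrate one spoke at a time: apply Steps 1 and 2 on the spoke, add policy 5 alongside its existing PSK policy, and check `show crypto isakmp sa detail` on the hub; the wildcard `crypto isakmp key` is removed from the hub only once no spoke still negotiates with psk.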
