07-03-2018 07:17 PM - edited 03-12-2019 05:25 AM
This is my first time posting here, so sorry if I am unclear in any way.
I am trying to set up a test VPN configuration using certificates. The CA that was used to obtain the certificates was not a Cisco CA but a custom CA. When the routers try to establish IKE I am unable to get past the certificate validation portion. I have a trustpoint Test Intermediate CA which also contains the device x509. I also have a trustpoint for the Root CA; however, the debugs show that the peer is asking for these certs but they cannot be found.
07-04-2018 01:04 AM
Hi,
Have you authenticated and enrolled the certificate on the router?
Can you provide the output of "show crypto pki certificates"?
Ta
07-04-2018 02:46 PM
Yes, I did authenticate via EST, which enrolled the device and gave me the Intermediate certificate as well as the x509 device certificate. I am not able to run a show crypto pki certificates command right now because I'm not currently able to use the router at my current location. However, I did provide the trustpoints showing that the certificates are there (I cut the certificate data to shorten things).
Root CA
crypto pki certificate chain test-root-ca
certificate ca 01
3082037D…<long cert data>
Intermediate CA + x509 cert
crypto pki certificate chain tp-rsa2048-est
certificate 0832
308204A3…<long cert data>
quit
certificate ca 0591
308204B8…<long cert data>
quit
…
07-05-2018 07:15 PM
I looked again at the certificates on the router and I guess the device cert was no longer in the trustpoint, so I re-issued the certificate via EST and received a new device certificate.
I then tried to set up the connection again, but I am getting "cannot build certificate chain".
CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.808: ISAKMP: (1477):PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Jul 6 01:05:39.809: ISAKMP: (1477):SA is doing
Jul 6 01:05:39.809: ISAKMP: (1477):RSA signature authentication using id type ID_IPV4_ADDR
Jul 6 01:05:39.809: ISAKMP: (1477):ID payload
next-payload : 6
type : 1
Jul 6 01:05:39.809: ISAKMP: (1477): address : 192.168.81.133
Jul 6 01:05:39.809: ISAKMP: (1477): protocol : 17
port : 500
length : 12
Jul 6 01:05:39.809: ISAKMP: (1477):Total payload length: 12
Jul 6 01:05:39.809: ISAKMP: (1477):IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP: (1477):PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):unable to build cert chain
Jul 6 01:05:39.810: ISAKMP-ERROR: (1477):(1477): FSM action returned error: 2
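The "unable to build cert chain" error above means the router could not walk from its device certificate up to a trusted root by matching each certificate's issuer to the subject of a certificate it holds. The script below is an added example (not from this thread or from Cisco) that reproduces that walk offline with openssl: it creates a constructed root CA, intermediate CA and device certificate with placeholder names, then shows the chain building succeeding when all three are present and failing at the intermediate when it is absent, which is the kind of check to run against the output of show crypto pki certificates. All file names, subject names and directories are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: build a small constructed PKI with openssl and show how
# certificate chain building succeeds or fails depending on which
# certificates are present. Names and paths are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/leaf.ext"
  # Root CA: self-signed with the CA extensions above (constructed name).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  # Device (router) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=router1.example.test" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/device.pem" 2>/dev/null
  # Two "trustpoint" directories: one complete, one missing the intermediate.
  mkdir -p "$WORK/full" "$WORK/partial"
  cp "$WORK/root.pem" "$WORK/inter.pem" "$WORK/device.pem" "$WORK/full/"
  cp "$WORK/root.pem" "$WORK/device.pem" "$WORK/partial/"
}

# Walk from the leaf cert ($1) upward through the certs in directory $2 by
# matching issuer name to subject name; return 1 if no issuer is found.
build_chain() {
  cur=$1; store=$2; hops=0
  while [ "$hops" -lt 8 ]; do
    subj=$(openssl x509 -in "$cur" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$cur" -noout -issuer);   iss=${iss#issuer=}
    echo "  [$subj] issued by [$iss]"
    if [ "$subj" = "$iss" ]; then
      echo "  reached self-signed root: chain complete"
      return 0
    fi
    next=""
    for f in "$store"/*.pem; do
      s=$(openssl x509 -in "$f" -noout -subject); s=${s#subject=}
      [ "$s" = "$iss" ] && next=$f
    done
    if [ -z "$next" ]; then
      echo "  no certificate with subject [$iss] in $store: unable to build cert chain"
      return 1
    fi
    cur=$next; hops=$((hops + 1))
  done
  return 1
}

# Cryptographic check of the same chain: leaf $1, trusted root $2,
# optional intermediate $3. Prints OK or FAIL.
verify_chain() {
  leaf=$1; root=$2; inter=$3
  if [ -n "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  if openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_pki
echo "== root + intermediate + device cert present =="
build_chain "$WORK/device.pem" "$WORK/full" || true
echo "== intermediate missing =="
build_chain "$WORK/device.pem" "$WORK/partial" || true
echo "openssl verify with intermediate:    $(verify_chain "$WORK/device.pem" "$WORK/root.pem" "$WORK/inter.pem")"
echo "openssl verify without intermediate: $(verify_chain "$WORK/device.pem" "$WORK/root.pem")"
```

The name-matching walk is what fails first when a trustpoint holds the root and the device certificate but not the intermediate that signed it; the openssl verify call then confirms the signatures along the chain once the walk succeeds.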