09-25-2018 10:40 AM - edited 02-21-2020 09:28 PM
Dear All,
I set up DMVPN in the lab before putting it into operation. I can test DMVPN easily with a pre-shared key, but when I import the MS CA and use CA authentication for DMVPN I get the
%CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of Spoke-1.radiuslocal.com (type 2) and certificate fqdn with radiuslocal-CA error message.
Please see the attached files and help me. May I know whether it is my configuration error or a CA error? Please help me solve it.
crypto isakmp policy 100
encr 3des
hash md5
group 2
exit
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit
crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit
int tunnel 1
tunnel protection ipsec profile DMVPN
09-25-2018 10:49 AM
09-25-2018 07:40 PM
Dear sir,
Please see the log below and please advise me.
cbtme-HUB#sh crypto pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 3D000000092D5574E3DBA9931E000000000009
Certificate Usage: General Purpose
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
Name: radiuslocal-CA
cn=radiuslocal-CA
ou=IT
o=HUB
st=SG
c=SG
CRL Distribution Points:
ldap:///CN=radiuslocal-CA,CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=radiuslocal,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:32:10 UTC Sep 26 2018
end date: 01:32:10 UTC Sep 25 2020
Associated Trustpoints: radiuslocal-man
CA Certificate
Status: Available
Certificate Serial Number (hex): 1F78C201A5A6798A4FE931B28E154D66
Certificate Usage: Signature
Issuer:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Subject:
cn=radiuslocal-CA
dc=radiuslocal
dc=com
Validity Date:
start date: 14:39:26 UTC Sep 19 2018
end date: 14:49:24 UTC Sep 19 2028
Associated Trustpoints: radiuslocal-man
cbtme-HUB#
09-25-2018 07:57 PM
09-25-2018 10:40 PM - edited 09-25-2018 10:43 PM
I only installed the root CA from the MS CA server, requested a certificate from the CA on each router and then installed it on that router itself.
If I need to install the hub CA on the spoke and the spoke CA on the hub, do I need to import a lot of spoke CAs into my hub?
If I install the spoke CA on the hub, do I need to create another trustpoint? I don't know how to import the hub CA into the spoke and the spoke CA into the hub. Please advise me.
09-26-2018 01:55 AM
The hub and the spoke routers need to have the CA (root) certificate and also an identity certificate; it's easier if the same CA issues the certificates, as they need to mutually trust the certificates used during authentication.
MS CA, I've found, is the most common CA for this scenario. This example shows you how to enrol for certificates using either SCEP or manual enrolment. Follow this to authenticate and enrol a certificate for both hub and spoke.
HTH
09-26-2018 02:22 AM
09-26-2018 02:29 AM
09-26-2018 02:49 AM
Hi RJI,
Yes, both the hub and the spokes have the CA certificate and an identity certificate issued by the same CA.
I think authentication of the VPN tunnels doesn't work because when I assign IPsec to the tunnel I get the above error and the tunnel is down. Please see the debug log.
09-26-2018 04:07 AM
This error is in the latest logs from the hub:
"ISAKMP:(0):Unable to match the certificate map configured in the profile"
In your configuration of the hub from the original post you had this:
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = azt cn=radisulocal-ca
Radius is spelt wrong, so this certificate map would not match, assuming the CN of radius is spelt correctly on the certificate.
Can you double-check the certificate map, modify it if necessary and try again. If that does not work, please provide the latest configuration of both the hub and spoke AND also the output of "show crypto pki certificates" from both the hub and spoke.
HTH
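As an added illustration of the two name checks this thread turns on (this is example code written for this page, not Cisco code and not anything posted in the thread), the script below models them offline against the hub's certificate subject exactly as it appears in the "show crypto pki certificates" output above. The first check is the certificate map: the "co" operator means "contains", a substring test over the subject DN, modelled here as case-insensitive (an assumption about IOS behaviour). The hub's subject is cn=radiuslocal-CA,ou=IT,o=HUB,st=SG,c=SG, so a rule value of "ou = AZT cn=radiuslocal-CA" can never be contained in it, regardless of spelling. The second check is the one behind IKMP_NO_ID_CERT_FQDN_MATCH: the peer's ISAKMP identity (type 2 is ID_FQDN) has to correspond to a name in its certificate; that is modelled in a simplified way as "equal to a SAN dNSName or to the subject CN", which is a stand-in for the real IOS comparison, not a description of it. The function names, the `san_dns` parameter and the "fixed" rule are all my own.

```python
"""
Added example, not from the thread or from Cisco: an offline model of
(1) certificate-map matching ("subject-name co ...") and (2) the FQDN
identity vs. certificate name check, run against the hub subject shown
earlier in this thread.  Operator semantics and case-insensitivity are
assumptions about IOS, stated here so they can be checked on a real box.
"""
import re

# Subject block copied from the hub's "show crypto pki certificates" output.
HUB_SUBJECT_BLOCK = """\
Subject:
  Name: radiuslocal-CA
  cn=radiuslocal-CA
  ou=IT
  o=HUB
  st=SG
  c=SG
"""

ID_FQDN = 2  # ISAKMP identification type 2 = fully qualified domain name


def parse_subject(block):
    """Extract ordered (attribute, value) pairs from a show-output Subject block.

    'Subject:' and the 'Name:' display line carry no '=' and are skipped;
    only real DN components (cn=, ou=, o=, ...) are kept, in printed order.
    """
    pairs = []
    for line in block.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z]+)=(.*?)\s*", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def subject_dn(pairs):
    """Render the pairs as a one-line DN: cn=...,ou=...,o=...,st=...,c=..."""
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def cert_map_matches(rule, pairs):
    """Evaluate one 'subject-name <op> <value>' line of a certificate map.

    rule is (field, operator, value), e.g. ("subject-name", "co", "cn=radiuslocal-CA").
    Modelled operators: eq / ne compare the whole DN, co / nc test for a
    substring.  Comparison is case-insensitive (assumption about IOS).
    """
    field, op, value = rule
    if field != "subject-name":
        raise ValueError(f"only subject-name is modelled, got {field!r}")
    dn = subject_dn(pairs).lower()
    value = value.lower()
    if op == "eq":
        return dn == value
    if op == "ne":
        return dn != value
    if op == "co":
        return value in dn
    if op == "nc":
        return value not in dn
    raise ValueError(f"unknown operator {op!r}")


def fqdn_id_matches_cert(isakmp_id, id_type, pairs, san_dns=()):
    """Simplified model of the check behind IKMP_NO_ID_CERT_FQDN_MATCH.

    True when a type-2 (FQDN) identity equals a SAN dNSName (san_dns, a
    hypothetical parameter: the show output above lists none) or the subject
    CN, case-insensitively.  Assumption: real IOS matching is a superset.
    """
    if id_type != ID_FQDN:
        raise ValueError("only FQDN identities are modelled")
    wanted = isakmp_id.lower().rstrip(".")
    candidates = [name.lower().rstrip(".") for name in san_dns]
    candidates += [value.lower() for attr, value in pairs if attr == "cn"]
    return wanted in candidates


def diagnose(rule, isakmp_id, pairs, san_dns=()):
    """Summarise both checks for one peer as a dict for quick inspection."""
    return {
        "subject_dn": subject_dn(pairs),
        "cert_map_matches": cert_map_matches(rule, pairs),
        "fqdn_id_matches": fqdn_id_matches_cert(isakmp_id, ID_FQDN, pairs, san_dns),
    }


if __name__ == "__main__":
    hub = parse_subject(HUB_SUBJECT_BLOCK)
    original_rule = ("subject-name", "co", "ou = AZT cn=radiuslocal-CA")  # rule from the thread
    fixed_rule = ("subject-name", "co", "cn=radiuslocal-CA")              # one rule that does match
    for rule in (original_rule, fixed_rule):
        print(rule, "->", diagnose(rule, "Spoke-1.radiuslocal.com", hub))
```

Running it shows the original rule failing on substring grounds alone (there is no "ou = AZT" anywhere in the hub subject, whose OU is IT), while "cn=radiuslocal-CA" matches; it also shows that the spoke's FQDN identity "Spoke-1.radiuslocal.com" matches nothing in a certificate whose only name is the CN radiuslocal-CA, which is the shape of the IKMP_NO_ID_CERT_FQDN_MATCH message in the first post. On a real router the certificate subject and the identity it sends (`crypto isakmp identity`) are the things to line up.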
09-30-2018 07:04 AM
Dear sir,
My problem is that if I use crypto pki certificate map, I get the problem.
When I searched the internet, some people don't use the crypto pki certificate map command. Let me know the difference between the two commands in DMVPN IPsec.
In the previous configuration I used the commands below:
crypto isakmp policy 100
encr 3des
hash md5
group 2
exit
crypto pki certificate map CERT-MAP-DMVPN 10
subject-name co ou = AZT cn=radiuslocal-CA
exit
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode transport
exit
crypto isakmp profile DMVPN
ca trust-point radiuslocal.com
match certificate CERT-MAP-DMVPN
exit
crypto ipsec profile DMVPN
set transform-set TSET
set isakmp-profile DMVPN
exit
but now I am using the following, without a certificate map:
crypto isakmp policy 10
encr aes 256
hash sha256
authentication rsa-sig
group 2
exit
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha256-hmac
exit
!
crypto ipsec profile VPNPROF1
set transform-set TS1
exit