Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1495
Views
0
Helpful
5
Replies

DMVPN - Constructing a CERT payload with the wrong certificate.

michael.leblanc
Level 4
Level 4

‎12-12-2012 11:42 AM - edited ‎02-21-2020 06:33 PM

Forum:

I have a group of routers participating in two parallel NHRP Networks. One of the NHRP networks receives tunnel protection (DMVPN), the other does not. The DMVPN was using certificate maps, and worked well.

I want to apply tunnel protection to the second NHRP network, with each router using a different certificate for each DMVPN it participates in.

On each router I have defined two new trustpoints (same CA), each referencing different RSA key pairs. The two ISAKMP profiles each reference different trustpoints (same CA), and different certificate maps. The two certificate maps have some common criteria, but differ in the "ou" being matched.

At this point, tunnel protection has not been applied to the second NHRP Network, and I've shutdown the DMVPN tunnel interfaces on all spokes, but one.

I am trying to bring up a crypto tunnel between the hub and spoke, but I am encountering issues with the hub constructing a CERT payload with the wrong certificate. The certifcate received by the spoke then matches the wrong profile, and the ISAKMP exchange is aborted.

Attachments to this post include debugs for the hub and spoke, and a summary of relevant crytpo configs for each.

*******

Edit: My appologies for a typo in the file titled: ISAKMP Debug - Spoke.pdf

I needed to scrub the files of production labels, and missed a simple replacement. The spoke debug refers to the spoke as br08-edg01.domain.null, and the hub debug refers to the spoke as sp08-edg01.domain.null. It was the same spoke.

*******

Further Investigation (best read after familiarizing yourself with the configs)

Reminder - Trying to bring up VPN-0, with the correct certificate on each end.

When I removed the VPN-1 IPSec and ISAKMP profiles (VPN-1 cert map still present) from the hub, the hub continued to send the wrong cert (vpn-1).

When I removed the VPN-1 IPSec and ISAKMP profiles (VPN-1 cert map still present) from the spoke, the tunnel came up, even though the hub sent the wrong cert (vpn-1), and it does not match the VPN-0 cert map on the spoke.

Note: Before each attempt, I'm shutting down T0 interfaces, clearing crypto SAs (clear cry sa, clear cry isakmp), removing tunnel protection from T0, verifying SA the database is empty, re-applying tunnel protection, and bringing the T0 interface up, on both devices.

I'm trying to get the hub to send the correct certificate (vpn-0).

Any thoughts would be welcome.

Best Regards,

Mike

Labels:
Preview file
38 KB
Preview file
70 KB
Preview file
64 KB
0 Helpful
5 Replies 5

michael.leblanc
Level 4
Level 4

‎12-12-2012 12:17 PM

Forum:

The attachment titled "ISAKMP Debug - Spoke.pdf" contained a typo, as acknowledged in the edit.

I  needed to scrub the files of production labels, and missed a simple  replacement. The spoke debug refers to the spoke as  br08-edg01.domain.null, and the hub debug refers to the spoke as  sp08-edg01.domain.null. It was the same spoke.

I'm attaching a corrected file here titled: "ISAKMP Debug - Spoke (amended).pdf"

Sorry for the hassle.

Best Regards,

Mike

Preview file
64 KB
0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to michael.leblanc

‎12-13-2012 03:55 AM

MIke,

Check the debugs on hub side,

the isakmp profiles you have configured on the hub - you're not matching them correctly looking at the debugs.

I cannot copy for whatever reason but "Peer matches *none* of the profiles" is what you can see in the debug on hub.

May I suggest simplifying the cert maps used to match different certs to profiles?

Now regardign the ca trust-point:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c1.html#GUID-DE9B49BB-FB15-41D0-933A-35180A5BBB59

It's only used to restrict the number of trustpoints for validation it's not trully a way to say which cerrt should be sent.

I remember seeing something similar in the past, need to go through our archives to dig it out.

M.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Marcin Latosiewicz

‎12-13-2012 05:46 AM

Mike,

The two tunnel interfaces configured - are they sourced from same interface?

M.

0 Helpful

michael.leblanc
Level 4
Level 4
In response to Marcin Latosiewicz

‎12-13-2012 09:18 AM

Marcin:

Yes, the two Tunnel interfaces (T0, T1), are using the same physical interface as the "tunnel source interface".

That is the primary reason that I have pursued the  dual certificate configuration, so that I could differentiate the two  crypto tunnels.

Best Regards,

Mike

0 Helpful

michael.leblanc
Level 4
Level 4
In response to Marcin Latosiewicz

‎12-13-2012 09:16 AM

Marcin:

The debug statement "Peer matches *none* of the profiles" is expected prior to processing of the CERT payload.

I've attached an excerpt from a Cisco document as a reference.

I will simplify the cert maps anyways, and reintroduce more complexity after achieving base functionality.

Best Regards,

Mike

Preview file
432 KB
0 Helpful
Customers Also Viewed These Support Documents