Dual-Hub DMVPN with PKI and 'subject-name' don't work

Anton Pestov
Level 1

I have a Dual-Hub DMVPN with a PKI deployment infrastructure, with 2 Hubs on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on the Spoke routers, one of the two Tunnels is up, but the second Tunnel is not up. ISAKMP negotiation selects the rsa-sig mode correctly. If I select pre-shared mode or if I remove 'subject-name' from the Spokes, DMVPN works fine!

What could the problem be?

Configuration example:

1. HUB:

--------------------------------------------------------------------------------
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(15)T15, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 08-Mar-11 06:09 by prod_rel_team
--------------------------------------------------------------------------------

crypto pki trustpoint TRUSTPOINT-CA1
 enrollment mode ra
 enrollment url http://.../certsrv/mscep/mscep.dll
 password ...
 subject-name cn=HUB-CE1,dc=GL,o=Central Office
 revocation-check none
 rsakeypair TRUSTPOINT-CA1 1024 1024
!
crypto pki certificate chain TRUSTPOINT-CA1
 certificate ... nvram:...#28.cer
 certificate ... nvram:...#29.cer
 certificate ca ... nvram:...#1111CA.cer
dot11 syslog
!
!
ip cef
!
password encryption aes
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication rsa-encr
 group 2
 lifetime 43200
!
crypto isakmp policy 20
 encr aes 192
 hash md5
 group 2
 lifetime 43200
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 21600
crypto isakmp key ... address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp nat keepalive 5
!
!
crypto ipsec transform-set TS-DMVPN1 esp-3des esp-md5-hmac
!
crypto ipsec profile PROFILE-DMVPN1
 set transform-set TS-DMVPN1
!
interface Tunnel1
 bandwidth 3200
 ip address 172.20.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication nh10001
 ip nhrp map multicast dynamic
 ip nhrp network-id 10001
 ip nhrp holdtime 300
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 ip ospf network point-to-multipoint
 ip ospf cost 5
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key 10001
 tunnel protection ipsec profile PROFILE-DMVPN1
!

2. SPOKE (with 'subject-name'):

----------------------------------------------------------------------------------
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(4)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 24-Mar-11 13:12 by prod_rel_team
-----------------------------------------------------------------------------------

password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TRUSTPOINT-CA1
 enrollment mode ra
 enrollment url http://.../certsrv/mscep/mscep.dll
 password ...
 subject-name cn=SPOKE-CE1,dc=GL,o=Branch Office
 revocation-check none
 rsakeypair TRUSTPOINT-CA1 1024 1024
!
crypto pki certificate chain TRUSTPOINT-CA1
 certificate ... nvram:...#96.cer
 certificate ... nvram:...#97.cer
 certificate ca ... nvram:...#118FCA.cer
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication rsa-encr
 group 2
 lifetime 43200
!
crypto isakmp policy 20
 encr aes 192
 hash md5
 group 2
 lifetime 43200
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 21600
crypto isakmp key ... address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS-DMVPN esp-3des esp-md5-hmac
!
crypto ipsec profile PROFILE-DMVPN
 set security-association lifetime seconds 21600
 set transform-set TS-DMVPN
!
interface Tunnel1
 bandwidth 1600
 ip address 172.20.254.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication nh10001
 ip nhrp map 172.20.254.254 92.255.23.238
 ip nhrp map multicast 92.255.23.238
 ip nhrp network-id 10001
 ip nhrp holdtime 300
 ip nhrp nhs 172.20.254.254
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf cost 5
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10001
 tunnel protection ipsec profile PROFILE-DMVPN shared
!
interface Tunnel2
 bandwidth 1600
 ip address 172.20.253.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip nhrp authentication nh10002
 ip nhrp map 172.20.253.254 83.242.229.102
 ip nhrp map multicast 83.242.229.102
 ip nhrp network-id 10002
 ip nhrp holdtime 300
 ip nhrp nhs 172.20.253.254
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 ip ospf cost 5
 delay 1000
 keepalive 10 5
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10002
 tunnel protection ipsec profile PROFILE-DMVPN shared
!
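One check worth running before suspecting the PKI side: confirm which hub/spoke ISAKMP policy pair can actually negotiate rsa-sig, remembering that IOS fills in defaults for attributes a policy omits (policy 20 above names no 'authentication', so it is the rsa-sig policy). The script below is an added example, not part of the thread or a Cisco tool; its config text is constructed from the hub's policy blocks above, and the spoke's blocks in the post are identical.

```python
import re

# IOS defaults for attributes a 'crypto isakmp policy' block leaves unset.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Constructed from the hub's three policy blocks in the thread (spoke's are identical).
HUB_POLICIES = "\n".join([
    "crypto isakmp policy 10", " encr aes", " hash md5", " authentication rsa-encr",
    " group 2", " lifetime 43200", "!",
    "crypto isakmp policy 20", " encr aes 192", " hash md5", " group 2", " lifetime 43200",
    "!",
    "crypto isakmp policy 30", " encr 3des", " authentication pre-share", " group 2",
    " lifetime 21600",
])

def parse_isakmp_policies(cfg):
    """Map policy priority -> attribute dict, with IOS defaults filled in."""
    policies, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            current = int(head.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in ISAKMP_DEFAULTS:
                policies[current][key] = value
        else:
            current = None  # '!' or an unrelated top-level command ends the block
    return policies

def matching_proposals(hub_cfg, spoke_cfg):
    """Per authentication method, the first (hub, spoke) policy pair IKEv1 would agree on:
    encr/hash/authentication/group must be equal; lifetime just settles on the lower value."""
    hub, spoke = parse_isakmp_policies(hub_cfg), parse_isakmp_policies(spoke_cfg)
    found = {}
    for h_prio, h in sorted(hub.items()):  # lowest priority number is tried first
        for s_prio, s in sorted(spoke.items()):
            if all(h[k] == s[k] for k in ("encr", "hash", "authentication", "group")):
                found.setdefault(h["authentication"], (h_prio, s_prio))
    return found

if __name__ == "__main__":
    for auth, (h, s) in matching_proposals(HUB_POLICIES, HUB_POLICIES).items():
        print(f"{auth:10s} hub policy {h} <-> spoke policy {s}")
```

With the posted configs the rsa-sig match is policy 20 on both sides (aes 192 / md5 / group 2), so a certificate-authenticated tunnel that stalls in MM_KEY_EXCH is not a proposal mismatch.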

17 Replies

Anton,

How should I phrase this, I can open a TAC case, but I would need serial numbers and your contract.

Being a Cisco customer you should have the option to open a TAC case from the forum, based on the thread we had here ;-)

Normally we don't open TAC cases ourselves and leave it to our customers.

Marcin

Then I will try to open a case when I have some free time. If I find the reason for all the problems on my own, I will write it up in this forum thread.

The first problem is solved; as a reminder:

...
IKE_PROCESS_COMPLETE
*Sep 26 14:26:23.055: ISAKMP:(2002):Old State = IKE_R_MM3  New State = IKE_R_MM4
HUB-CE1#
HUB-CE1#
*Sep 26 14:26:33.055: ISAKMP:(2002): retransmitting phase 1 MM_KEY_EXCH...
*Sep 26 14:26:33.055: ISAKMP (0:2002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
...

This problem was in the ISP network (and the command 'crypto isakmp fragmentation' also did not eliminate it).

The second problem (...HTTP revocation-check request to Microsoft ADCS without a reply from this server...) is not eliminated yet.