03-08-2011 12:42 PM
Hi all
I have an issue with my test setup.
Basically, I have 3 routers:
IAR1, which is the DMVPN Spoke, IOS CA Server, and GDOI Key Server.
I have 2 routers (IAR2 and Site1) connected to this router through 2 different interfaces; one simulates the internet and is routed, the other is just a switched net using private IP addresses.
IAR1: Public : 80.0.0.2 / GetVPN Private: 192.168.201.1
Site1: Public : 80.1.0.2 / GetVPN Private: 192.168.201.3
I have created a certificate map that I match in an isakmp profile like this:
Site1#sh run | section isakmp profile
crypto isakmp profile IPF1
self-identity fqdn
ca trust-point caIAR1
match certificate certmap1
Site1#sh run | section certmap1
crypto pki certificate map certmap1 1
issuer-name co cn = iar1
IAR2 has no isakmp profile.
On Site1, for the DMVPN SA, everything works fine:
*Mar 8 21:34:20.663: ISAKMP:(1043): processing CERT payload. message ID = 0
*Mar 8 21:34:20.663: ISAKMP:(1043): processing a CT_X509_SIGNATURE cert
*Mar 8 21:34:20.663: ISAKMP:(1043): peer's pubkey is cached
*Mar 8 21:34:20.663: ISAKMP:(0): Creating CERT validation list: caIAR1,
*Mar 8 21:34:20.667: ISAKMP:(1043): Unable to get DN from certificate!
*Mar 8 21:34:20.667: ISAKMP:(1043): Cert presented by peer contains no OU field.
*Mar 8 21:34:20.667: ISAKMP:(0): certificate map matches IPF1 profile
*Mar 8 21:34:20.667: ISAKMP:(1043): processing SIG payload. message ID = 0
*Mar 8 21:34:20.671: ISAKMP:(1043):SA authentication status:
authenticated
*Mar 8 21:34:20.671: ISAKMP:(1043):SA has been authenticated with 80.0.0.2
When it comes to GDOI, I see the following:
Site1#sh run | sec gdoi
crypto gdoi group gdoi1
identity number 1
server address ipv4 192.168.201.1
crypto map gdoi1 isakmp-profile IPF1
crypto map gdoi1 1 gdoi
set group gdoi1
crypto map gdoi1
and upon authentication, I get:
*Mar 8 21:37:03.735: ISAKMP:(1044): processing CERT payload. message ID = 0
*Mar 8 21:37:03.735: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert
*Mar 8 21:37:03.739: ISAKMP:(1044): peer's pubkey is cached
*Mar 8 21:37:03.743: ISAKMP:(1044): Unable to get DN from certificate!
*Mar 8 21:37:03.743: ISAKMP:(1044): Cert presented by peer contains no OU field.
*Mar 8 21:37:03.743: ISAKMP:(0): certificate map matches IPF1 profile
*Mar 8 21:37:03.747: ISAKMP:(0): expected profile but matched IPF1 exchange aborted
*Mar 8 21:37:03.747: ISAKMP (1044): FSM action returned error: 2
*Mar 8 21:37:03.747: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 8 21:37:03.747: ISAKMP:(1044):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 8 21:37:03.747: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.168.201.1
On IAR1, I see that ISAKMP P1 is ok:
Mar 8 21:43:53.735: ISAKMP:(1097): using the caIAR1_enroll trustpoint's keypair to sign
Mar 8 21:43:53.743: ISAKMP:(1097): sending packet to 192.168.201.3 my_port 848 peer_port 848 (R) MM_KEY_EXCH
...
Mar 8 21:43:53.747: ISAKMP:(1097):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 8 21:43:53.747: ISAKMP:(1097):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
My router IAR2, which has no isakmp profile, works fine (not doing DMVPN).
The only difference between IAR2 and Site1 is that I added crypto map gdoi1 isakmp-profile IPF1.
It seems that ISAKMP expects a profile, but I thought I had defined it with the command above.
I shut/no shut and clear cry sa/sess/isakmp several times, with no luck.
I am using the latest IOS:
Site1#sh ver | i IO
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)
Any ideas would be great.
I can give more detail on the configuration if needed.
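To make the two debug traces above easier to compare, here is a small parser, added as an example and not part of the original post, that groups "debug crypto isakmp" lines by SA id and reports, per SA, which isakmp profile the certificate map matched and whether the exchange ended in "SA has been authenticated" or in "expected profile but matched ... exchange aborted" / IKMP_MODE_FAILURE. The sample lines are constructed from the post's output; the lines tagged ISAKMP:(0) carry no SA id, so the parser assumes (an assumption, not IOS behaviour) that they belong to the most recently seen non-zero SA.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the two debug traces in the post:
# SA 1043 (DMVPN peer 80.0.0.2) succeeds, SA 1044 (GDOI KS 192.168.201.1) aborts.
SAMPLE_DEBUG = """\
*Mar 8 21:34:20.663: ISAKMP:(1043): processing CERT payload. message ID = 0
*Mar 8 21:34:20.663: ISAKMP:(0): Creating CERT validation list: caIAR1,
*Mar 8 21:34:20.667: ISAKMP:(1043): Unable to get DN from certificate!
*Mar 8 21:34:20.667: ISAKMP:(0): certificate map matches IPF1 profile
*Mar 8 21:34:20.671: ISAKMP:(1043):SA authentication status:
authenticated
*Mar 8 21:34:20.671: ISAKMP:(1043):SA has been authenticated with 80.0.0.2
*Mar 8 21:37:03.735: ISAKMP:(1044): processing CERT payload. message ID = 0
*Mar 8 21:37:03.743: ISAKMP:(0): certificate map matches IPF1 profile
*Mar 8 21:37:03.747: ISAKMP:(0): expected profile but matched IPF1 exchange aborted
*Mar 8 21:37:03.747: ISAKMP (1044): FSM action returned error: 2
*Mar 8 21:37:03.747: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.168.201.1
"""

# "ISAKMP:(1043):" and "ISAKMP (1044):" both occur in IOS output
SA_ID_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")
MATCH_RE = re.compile(r"certificate map matches (\S+) profile")
ABORT_RE = re.compile(r"expected profile but matched (\S+) exchange aborted")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")
FAIL_RE = re.compile(r"IKMP_MODE_FAILURE: .* peer at (\d+\.\d+\.\d+\.\d+)")


def parse_isakmp_debug(text):
    """Return an OrderedDict {sa_id: record} summarising each ISAKMP SA seen.

    record keys: sa_id, matched_profile, peer, result (pending/authenticated/
    aborted/failed) and reason (the aborting debug message, if any).
    """
    sas = OrderedDict()
    current = None  # assumption: id-0 lines belong to the last non-zero SA
    for line in text.splitlines():
        m = SA_ID_RE.search(line)
        if m and int(m.group(1)) != 0:
            current = int(m.group(1))
            sas.setdefault(current, {"sa_id": current, "matched_profile": None,
                                     "peer": None, "result": "pending",
                                     "reason": None})
        if current is None:
            continue  # no SA context yet; nothing to attach this line to
        rec = sas[current]
        if (m := MATCH_RE.search(line)):
            rec["matched_profile"] = m.group(1)
        elif (m := ABORT_RE.search(line)):
            rec["result"] = "aborted"
            rec["reason"] = m.group(0)
        elif (m := AUTH_RE.search(line)):
            rec["result"] = "authenticated"
            rec["peer"] = m.group(1)
        elif (m := FAIL_RE.search(line)):
            rec["peer"] = m.group(1)
            if rec["result"] == "pending":
                rec["result"] = "failed"
    return sas


def profile_mismatches(sas):
    """SA ids whose certificate map matched a profile and yet were aborted:
    exactly the symptom in the post (map matches IPF1, exchange still aborted)."""
    return [sa_id for sa_id, rec in sas.items()
            if rec["matched_profile"] and rec["result"] == "aborted"]


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    for rec in summary.values():
        print(rec)
    print("profile mismatches:", profile_mismatches(summary))
```

Run over a real "debug crypto isakmp" capture, the output separates SAs that authenticated from those that matched a profile and were still aborted, which is the case to investigate when a crypto map names an isakmp profile that the peer's certificate map also matches.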
03-08-2011 01:19 PM
As a workaround, I added in the profile
local-address F0/0 so that it no longer matches the GDOI SA, so no GDOI comes up, but I would like to know if I was wrong somewhere, as I defined the right profile in the crypto map ...