GET-VPN COOP Key server (invalid ISAKMP CERT?)

Hi everyone, here I am again with another question:

I am having trouble enabling the COOP KS feature in GETVPN.

Everything works as it should when I don't enable the redundancy feature, but when I enable the redundancy feature I get the following messages on both of my KS.

SUB_CS2#

Mar 18 16:37:53.546: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 1.1.1.2 is bad: CA request failed!
Mar 18 16:37:53.974: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 1.1.1.2 Unreachable in group GETVPN1

SUB_CS1#

Mar 18 16:37:51.294: %GDOI-3-COOP_KS_UNREACH: Cooperative KS 1.1.1.3 Unreachable in group GETVPN1
Mar 18 16:37:56.506: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 1.1.1.3 is bad: CA request failed!

Setup:

          CA ROOT
          /     \
    SUB_CS1     SUB_CS2
          \     /
    Client1     Client2

Attached you can find a lot of info: the running configs of both my KS, the keys and certificates on both my KS, a debug of ISAKMP on both my KS, and a show clock (to show it is not a clock issue ;-)).

What I saw in the debugging was:

Mar 18 16:14:27.050: ISAKMP:(0): processing KE payload. message ID = 0
Mar 18 16:14:27.142: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 18 16:14:27.146: ISAKMP:(1016): processing CERT_REQ payload. message ID = 0
Mar 18 16:14:27.146: ISAKMP:(1016): peer wants a CT_X509_SIGNATURE cert
Mar 18 16:14:27.154: ISAKMP:(1016): peer wants cert issued by cn=SUB_CS1,ou=PKI,l=RTP,st=VB,c=BE
Mar 18 16:14:27.154: ISAKMP:(1016): issuer name is not a trusted root.
Mar 18 16:14:27.158: ISAKMP:(1016): processing CERT_REQ payload. message ID = 0
Mar 18 16:14:27.158: ISAKMP:(1016): peer wants a CT_X509_SIGNATURE cert
Mar 18 16:14:27.162: ISAKMP:(1016): peer wants cert issued by cn=ROOT.labo.be,ou=PKI,l=RTP,st=VB,c=US
Mar 18 16:14:27.166:  Choosing trustpoint GETVPN as issuer
A bit further I read:

Mar 18 16:14:27.550: ISAKMP:(1017): using the GETVPN trustpoint's keypair to sign

Again a bit further I see:

Mar 18 16:14:27.914: ISAKMP:(0):: peer matches *none* of the profiles
Mar 18 16:14:28.042: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 1.1.1.2 is bad: CA request failed!

It says it is using the keypair of GETVPN. However, I created a special RSA key (called RSAREKEY) for rekeying.

I exported it from my primary KS and imported it into the secondary KS.

It makes me wonder if I should create a new trustpoint in which I authenticate both KS to each other.

I hope someone can help me with this one.

Thanks in advance.
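The "issuer name is not a trusted root" path in the debug above, rebuilt with openssl as an added example (not part of the original post or its attachments): a two-tier PKI with the root and sub-CA DNs taken from the CERT_REQ lines, one key-server certificate issued by each subordinate CA, and a check of what SUB_CS2 can validate when its trust store holds only the root and its own sub-CA versus when SUB_CS1's CA certificate is added. Key sizes, lifetimes, file names and the two key-server subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the thread's two-tier PKI
# (ROOT -> SUB_CS1 / SUB_CS2 -> key server certificates) with openssl and show
# why SUB_CS2 rejects a certificate issued by SUB_CS1 until SUB_CS1's CA cert is
# in its trust store. File names, key sizes and lifetimes are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions for root and the two subordinate CAs; end-entity extensions for
# the key server (ISAKMP identity) certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > ee.ext

# issue NAME ISSUER EXTFILE SUBJECT: new key + CSR for NAME, signed by ISSUER's key
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$4" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 365 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root with the DN seen in the CERT_REQ debug (signed via -signkey so
# the CA:TRUE extension comes from ca.ext on every openssl version).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/C=US/ST=VB/L=RTP/OU=PKI/CN=ROOT.labo.be" \
    -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem 2>/dev/null

# Each key server is a subordinate CA under the root...
issue sub_cs1 root ca.ext "/C=BE/ST=VB/L=RTP/OU=PKI/CN=SUB_CS1"
issue sub_cs2 root ca.ext "/C=BE/ST=VB/L=RTP/OU=PKI/CN=SUB_CS2"
# ...and each signs its own ISAKMP identity certificate (subjects constructed)
issue ks1 sub_cs1 ee.ext "/CN=ks1.labo.be"
issue ks2 sub_cs2 ee.ext "/CN=ks2.labo.be"

# SUB_CS2's trust store before the fix: the root and its own sub-CA only.
cat root.pem sub_cs2.pem > trust_before.pem
# After the fix: a trustpoint authenticated against SUB_CS1's CA certificate.
cat root.pem sub_cs2.pem sub_cs1.pem > trust_after.pem

# validate CERT STORE: exit 0 when CERT chains to a trusted CA in STORE, which is
# the check IKE performs on the certificate the COOP peer presents.
validate() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

ks1_accepted_before_fix() { validate ks1.pem trust_before.pem; }
ks1_accepted_after_fix()  { validate ks1.pem trust_after.pem; }

if ks1_accepted_before_fix; then
  echo "before fix: certificate issued by SUB_CS1 accepted (unexpected)"
else
  echo "before fix: certificate issued by SUB_CS1 rejected (issuer not trusted)"
fi
if ks1_accepted_after_fix; then
  echo "after fix:  certificate issued by SUB_CS1 accepted"
else
  echo "after fix:  certificate issued by SUB_CS1 still rejected (unexpected)"
fi
```

The root alone is not enough because the peer's certificate chains to SUB_CS1, and nothing in the first trust store names that issuer; the same happens in the other direction for SUB_CS1 receiving a certificate signed by SUB_CS2, which is why the thread's fix has to be applied on both key servers.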

2 Replies

Solution:

As I already mentioned (but I have now had the time to test):

As my key servers are also my subordinate certificate servers, I had to create trustpoints with each other in order for COOP to work.

Thanks to the people who tried to help me.
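The shape of that fix on SUB_CS2, shown as an added illustration rather than the poster's actual configuration: a trustpoint that authenticates against the peer key server's subordinate CA, next to the COOP peering for the group. Addresses follow the log lines in the thread (1.1.1.2 is SUB_CS1, 1.1.1.3 is SUB_CS2) and the rekey key name is the poster's RSAREKEY; the trustpoint name, HTTP port, identity number and priority are assumptions.

```cisco
! Added example (not the poster's configuration): SUB_CS2 (1.1.1.3) learns to
! trust certificates issued by the peer KS's subordinate CA, cn=SUB_CS1 (1.1.1.2).
! Trustpoint name, HTTP port, identity number and priority are assumptions.
crypto pki trustpoint PEER-SUB-CS1
 enrollment url http://1.1.1.2:80
 revocation-check none
!
! Exec command, not config: fetches SUB_CS1's CA certificate over SCEP and
! prompts you to confirm its fingerprint before it is stored in the trustpoint.
! SUB_CS2# crypto pki authenticate PEER-SUB-CS1
!
! COOP peering for the group; RSAREKEY is the key pair the poster exported from
! the primary KS and imported on the secondary.
crypto gdoi group GETVPN1
 identity number 1234
 server local
  rekey authentication mypubkey rsa RSAREKEY
  rekey transport unicast
  redundancy
   local priority 75
   peer address ipv4 1.1.1.2
  address ipv4 1.1.1.3
```

Mirror the same on SUB_CS1 with a trustpoint pointing at 1.1.1.3 and `peer address ipv4 1.1.1.3`, then confirm with `show crypto pki trustpoints` (the peer's CA certificate must be listed) and `show crypto gdoi ks coop`. `revocation-check none` is a lab shortcut; in production point the trustpoint at the sub-CA's CRL instead. The earlier debug line "peer matches *none* of the profiles" is also worth a second look once authentication works: if an ISAKMP profile is applied, its match statements must accept the peer's certificate as well, or the negotiation still fails.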

Just to add some info about the same error on more recent IOS versions (the output below is from a 15.1(4)M2):

Jun 22 09:39:24.121: ISAKMP:(8065): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer xxx.xx.77.94)
[..]
Jun 22 09:39:24.121: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jun 22 09:39:24.121: CRYPTO_PKI: Found a subject match
Jun 22 09:39:24.121: CRYPTO_PKI: validation path has 2 certs
Jun 22 09:39:24.121: CRYPTO_PKI: Check for identical certs
[..]
Jun 22 09:39:24.125: CRYPTO_PKI: Create a list of suitable trustpoints
Jun 22 09:39:24.125: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jun 22 09:39:24.125: CRYPTO_PKI: Found a issuer match
Jun 22 09:39:24.125: CRYPTO_PKI: No suitable trustpoints found
Jun 22 09:39:24.125: ISAKMP:(8065): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer xxx.xx.77.94)
Jun 22 09:39:24.125: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.168.77.94 is bad: unknown error returned in certificate validation