
How to specify the digital cert used in IKE phase 1 authentication

tonycarr69
Level 1

Hi All

We use PKI and digital certs for IPsec tunnels. Each box has three tunnels and three certs have been created, as the original plan must have been to use a cert per tunnel. However, I don't think this principle is working.

I need to understand if there is a way to specify a particular cert for authentication on a tunnel. It appears that the IPsec profile can be referenced per tunnel, but this only covers the phase 2 negotiation, while IKE phase 1 appears to use anything configured on the device, and the IKE phase 1 config does not appear to have a command to specify a particular cert.

As we are moving to a new PKI infrastructure I want to be sure I can control which cert is in use.

Thanks in advance.

Accepted Solution

Here is an example of a config that works fine.

 

CERTIFICATE SPOKE:
 
SPOKE#sh cryp pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 7D000000F5C67031029CAEA3A10001000000F5
  Certificate Usage: General Purpose
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    Name: spoke.mydomainname.com
    cn=SPOKE
    ou=TEST
    o=mydomainname
    hostname=spoke.mydomainname.com
  CRL Distribution Points:
    ldap:///CN=mydomainname-WINSRV-CA(1),CN=WINSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomainname,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://crl.mydomainname.com/crld/mydomainname-WINSRV-CA(1).crl
  Validity Date:
    start date: 04:21:06 EET Jun 29 2020
    end   date: 04:21:06 EET Jun 29 2022
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#F5.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A60DA43CF62528548F2CA5D71B8A3A1
  Certificate Usage: Signature
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Validity Date:
    start date: 20:01:02 EET May 31 2020
    end   date: 20:11:02 EET Jun 1 2030
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#A3A1CA.cer
 
 
CERTIFICATE HUB:
 
HUB#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 7D000000F4A84BAA7D638C1A650001000000F4
  Certificate Usage: General Purpose
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    Name: hub.mydomainname.com
    cn=hub
    ou=TEST
    o=mydomainname
    hostname=hub.mydomainname.com
  CRL Distribution Points:
    ldap:///CN=mydomainname-WINSRV-CA(1),CN=WINSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomainname,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://crl.mydomainname.com/crld/mydomainname-WINSRV-CA(1).crl
  Validity Date:
    start date: 04:20:37 EET Jun 29 2020
    end   date: 04:20:37 EET Jun 29 2022
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#F4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A60DA43CF62528548F2CA5D71B8A3A1
  Certificate Usage: Signature
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Validity Date:
    start date: 20:01:02 EET May 31 2020
    end   date: 20:11:02 EET Jun 1 2030
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#A3A1CA.cer
 
Crypto config on both devices (Hub and Spoke):
 
crypto pki trustpoint TEST
 enrollment terminal
 fqdn hub.mydomainname.com
 subject-name CN=hub,OU=TEST,O=mydomainname
 revocation-check none
 rsakeypair CERT
!
crypto pki certificate map CERT 10
 issuer-name co mydomainname-winsrv-ca
!
crypto isakmp policy 1
 encr aes
 group 5
!
crypto isakmp keepalive 30 periodic
crypto isakmp profile RED-MGMT-PROF
   ca trust-point TEST
   match certificate CERT
!
crypto ipsec transform-set RED-TS-1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile RED-PROFILE1
 set transform-set RED-TS-1
 set isakmp-profile RED-MGMT-PROF
!
 
For the Tunnel configuration, I kept your exact config.
 
Outputs HUB:
 
HUB#sh cryp isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
40.10.10.2      50.10.10.2      QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

HUB#sh cryp ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 40.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.10.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (50.10.10.2/255.255.255.255/47/0)
   current_peer 50.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 40.10.10.2, remote crypto endpt.: 50.10.10.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xDF36BB57(3744906071)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCBC61D43(3418758467)

HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 50.10.10.2          100.96.20.2    UP 00:05:33     D

HUB#
 
Outputs Spoke:
 
SPOKE#sh cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
40.10.10.2      50.10.10.2      QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE#sh cryp ipse sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 50.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (50.10.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (40.10.10.2/255.255.255.255/47/0)
   current_peer 40.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 50.10.10.2, remote crypto endpt.: 40.10.10.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xCBC61D43(3418758467)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDF36BB57(3744906071)

SPOKE# sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.10.10.2          100.96.20.1    UP 00:06:04     S

SPOKE#

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

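To predict which of several enrolled certificates a `match certificate` rule will select, here is an added Python example (not from this thread and not Cisco code) that parses `show crypto pki certificates` output and evaluates certificate-map rules against it, generalised to any number of trustpoints. The sample output, the second RED-PORTAL identity certificate and the whitespace normalisation in `_norm` are assumptions.

```python
import re
from datetime import datetime

# Constructed sample laid out like the 'show crypto pki certificates' output above:
# two identity certificates in different trustpoints plus their common CA certificate.
SHOW_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 7D000000F5C67031029CAEA3A10001000000F5
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=SPOKE
    ou=TEST
    o=mydomainname
  Validity Date:
    start date: 04:21:06 EET Jun 29 2020
    end   date: 04:21:06 EET Jun 29 2022
  Associated Trustpoints: TEST

Certificate
  Certificate Serial Number (hex): 0000000000000000000000000000000000000001
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=SPOKE-PORTAL
    ou=RED-PORTAL
    o=mydomainname
  Validity Date:
    start date: 09:00:00 EET Jan 1 2021
    end   date: 09:00:00 EET Jan 1 2023
  Associated Trustpoints: RED-PORTAL

CA Certificate
  Issuer:
    cn=mydomainname-WINSRV-CA
  Subject:
    cn=mydomainname-WINSRV-CA
  Validity Date:
    start date: 20:01:02 EET May 31 2020
    end   date: 20:11:02 EET Jun 1 2030
  Associated Trustpoints: TEST
"""

DATE_RE = re.compile(r"(\d\d:\d\d:\d\d) \S+ (\w{3}) +(\d+) (\d{4})")

def parse_show_certificates(text):
    """One dict per certificate block, with issuer/subject DN components as listed."""
    certs, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line.startswith(" "):              # block header: 'Certificate' / 'CA Certificate'
            cur = {"ca": s.startswith("CA"), "issuer": [], "subject": []}
            certs.append(cur)
            section = None
        elif s.endswith(":"):                      # 'Issuer:', 'Subject:', 'Validity Date:', ...
            section = s[:-1].lower()
        elif s.startswith("Certificate Serial Number"):
            cur["serial"] = s.split(": ")[1]
        elif s.startswith("Associated Trustpoints"):
            cur["trustpoint"] = s.split(": ")[1]
        elif section in ("issuer", "subject") and "=" in s:
            cur[section].append(s)                 # one DN component, e.g. 'ou=TEST'
        elif section == "validity date":
            m = DATE_RE.search(s)                  # '04:21:06 EET Jun 29 2020' -> datetime
            cur["start" if s.startswith("start") else "end"] = datetime.strptime(
                " ".join(m.groups()), "%H:%M:%S %b %d %Y")
    return certs

def _norm(dn):
    """IOS compares map values case-insensitively; whitespace around '=' and ',' is
    dropped so 'ou = test' equals 'ou=TEST' (assumption: mirrors IOS, verify on yours)."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip().lower())

def rule_matches(cert, field, op, value):
    """One map line: '<issuer-name|subject-name> <eq|ne|co|nc> <value>'."""
    dn = _norm(",".join(cert["issuer" if field == "issuer-name" else "subject"]))
    v = _norm(value)
    return {"eq": dn == v, "ne": dn != v, "co": v in dn, "nc": v not in dn}[op]

def select_certificates(text, cert_map, now):
    """Trustpoints whose identity cert is valid at 'now' (ISO date string) and satisfies
    every rule of at least one map sequence (sequences ORed, rules in a sequence ANDed)."""
    now = datetime.fromisoformat(now)
    return [c["trustpoint"] for c in parse_show_certificates(text)
            if not c["ca"] and c["start"] <= now <= c["end"]
            and any(all(rule_matches(c, *rule) for rule in seq) for seq in cert_map)]

if __name__ == "__main__":
    # Accepted answer's map (issuer only): both identity certificates qualify.
    print(select_certificates(SHOW_OUTPUT, [[("issuer-name", "co", "mydomainname-winsrv-ca")]], "2021-06-01"))
    # Narrowed to one OU, like RED-MGMT-MAP later in the thread: one trustpoint is selected.
    print(select_certificates(SHOW_OUTPUT, [[("subject-name", "co", "ou = red-portal")]], "2021-06-01"))
```

An issuer-only map keeps every cert from that CA in play, so when you want one cert per tunnel the map needs a subject attribute that only that cert carries.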

8 Replies

Francesco Molino
VIP Alumni

Hi

If I got your question correctly, you can use a certificate map to match a cert and attach it to your isakmp profile:
(https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/sec-ike-for-ipsec-vpns-xe-3s-book/sec-cert-isakmp-map.html)

crypto pki certificate map certmap 10
 subject-name co test.test.com
!
crypto isakmp policy 10
 encryption aes
 group 5
 hash sha256
 authentication rsa-sig
!
crypto isakmp profile PROF
 ca trust-point subca
 match certificate certmap


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks, this looks very promising. I will lab it up to test and let you know.

Hi Francesco

I tried the profile maps and my IPsec tunnel stopped working. I have pasted the lab config below and the error messages when pinging from R1 (192.168.0.1) to R2 (192.168.0.2).

Each router's debug crypto ipsec output is also pasted below.

 

R1

hub#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:

Jun 16 16:51:39.807: [] -> [ACL ACL]: message ACL notify RP
Jun 16 16:51:39.807: [ACL ACL]: message = ACL notify RP
Jun 16 16:51:39.899: ISAKMP:(1001):deleting node 726610644 error TRUE reason "Delete Larval".
Jun 16 16:51:41.803: [] -> [ACL ACL]: message ACL notify RP
Jun 16 16:51:41.807: [ACL ACL]: message = ACL notify RP
Jun 16 16:51:41.807: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE.
Jun 16 16:51:43.803: [] -> [ACL ACL]: message ACL notify RP
Jun 16 16:51:43.807: [ACL ACL]: message = ACL notify RP
Jun 16 16:51:43.807: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE.
Jun 16 16:51:45.803: [] -> [ACL ACL]: message ACL notify RP
Jun 16 16:51:45.807: [ACL ACL]: message = ACL notify RP
Jun 16 16:51:45.807: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE.
Jun 16 16:51:47.803: [] -> [ACL ACL]: message ACL notify RP
Jun 16 16:51:47.807: [ACL ACL]: message = ACL notify RP
Jun 16 16:51:47.811: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE.
Success rate is 0 percent (0/5)
hub#
Jun 16 16:52:09.863: ISAKMP:(1001):deleting node -210817269 error TRUE reason "Delete Larval"
hub#

R2

remote-site#
Jun 14 10:17:54.587: map_db_check_isakmp_profile profile did not match
Jun 14 10:17:54.587: map_db_check_isakmp_profile profile did not match
Jun 14 10:17:54.587: map_db_find_best did not find matching map
Jun 14 10:17:54.591: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 14 10:17:54.591: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
Jun 14 10:17:54.595: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 192.168.0.2 remote 192.168.0.1)
Jun 14 10:17:54.599: ISAKMP:(1001):deleting node -210817269 error TRUE reason "QM rejected"
remote-site#


#######################################
CONFIGS

R1

hub#sh run
Building configuration...

Current configuration : 5407 bytes
!
! Last configuration change at 16:23:16 UTC Tue Jun 16 2020
! NVRAM config last updated at 16:01:21 UTC Tue Jun 16 2020
! NVRAM config last updated at 16:01:21 UTC Tue Jun 16 2020
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hub
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip domain name red.lcl
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint RED-MGMT
 enrollment terminal pem
 fqdn hub.omni.cp-mgmt
 subject-name C=GB,L=Reigate,O=<REDACTED>,OU=RED-MGMT,CN=HUB-SITE
 revocation-check none
 rsakeypair RED-MGMT
!
crypto pki trustpoint RED-PORTAL
 enrollment terminal pem
 fqdn hub.omni.cp-portal
 subject-name C=GB,L=Reigate,O=<REDACTED>,OU=RED-PORTAL,CN=HUB-SITE-PORTAL
 revocation-check none
 rsakeypair RED-PORTAL
!
!
!
crypto pki certificate map RED-MGMT-MAP 10
 subject-name co ou = red-mgmt
!
crypto pki certificate chain RED-MGMT
 certificate 0323D6F4355DB034
quit
 certificate ca 110ACA7BA6355951
quit
 certificate ca 110ACA7BA6355951
quit
crypto pki certificate chain RED-PORTAL
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 hash md5
crypto isakmp profile RED-MGMT-PROFILE
   match identity address 192.168.0.2 255.255.255.255
   match certificate RED-MGMT-MAP
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set TS
 set isakmp-profile RED-MGMT-PROFILE
 match address ACL
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description to R2
 ip address 192.168.0.1 255.255.255.252
 duplex auto
 speed auto
 crypto map CRYPTO
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 10.2.2.0 255.255.255.0 192.168.0.2
!
ip access-list extended ACL
 permit ip host 192.168.0.1 host 192.168.0.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

 

#######################################

R2

Building configuration...

Current configuration : 5507 bytes
!
! Last configuration change at 09:48:24 UTC Sun Jun 14 2020
! NVRAM config last updated at 09:27:14 UTC Sun Jun 14 2020
! NVRAM config last updated at 09:27:14 UTC Sun Jun 14 2020
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname remote-site
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip domain name red.lcl
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint RED-MGMT
 enrollment terminal pem
 fqdn remote.nwp.lcl
 subject-name C=GB,L=Newcastle,O=<REDACTED>,OU=RED-MGMT,CN=Remote-Site
 revocation-check none
 rsakeypair RED-MGMT
!
crypto pki trustpoint RED-PORTAL
 enrollment terminal pem
 fqdn remote.nwp.lcl.portal
 subject-name C=GB,L=Newcastle,O=<REDACTED>,OU=RED-PORTAL,CN=Remote-Site-Portal
 revocation-check none
 rsakeypair RED-PORTAL
!
!
!
crypto pki certificate map RED-MGMT-MAP 10
 subject-name co ou = red-mgmt
!
crypto pki certificate chain RED-MGMT
 certificate 14A29E9132480516
quit
 certificate ca 110ACA7BA6355951
quit
 certificate ca 110ACA7BA6355951
quit
crypto pki certificate chain RED-PORTAL
!
redundancy
!
!
ip tcp synwait-time 5
ip ssh version 1
!
crypto isakmp policy 10
 encr 3des
 hash md5
crypto isakmp profile RED-MGMT-PROFILE
   match identity address 192.168.0.1 255.255.255.255
   match certificate RED-MGMT-MAP
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CRYPTO 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set TS
 set isakmp-profile RED-MGMT-PROFILE
 match address ACL
!
!
!
!
!
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
!
interface Loopback2
 no ip address
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.252
 duplex auto
 speed auto
 crypto map CRYPTO
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 10.1.1.0 255.255.255.0 192.168.0.1
!
ip access-list extended ACL
 permit ip host 192.168.0.2 host 192.168.0.1
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
 transport input all
!
!
end

remote-site#

I now have the pings working without errors.

It seems the ACL contained within the crypto map and the match identity used within the crypto profile didn't like each other.

I have removed the "match address ACL" from the crypto map, leaving the "match identity address 192.168.0.1" in the crypto profile, and now have no errors.

Further work is needed to confirm if this works when I add multiple certificates from different CAs.

 

With the config I posted, it will look at the certificate based on the attributes you configured on the cert profile, so even by adding other certificates it will work if the presented cert matches your profile.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco

I'm struggling to get the isakmp map working.

As soon as I add the crypto isakmp profile to the config, the ISAKMP stage 1 fails.

I don't even have to associate the isakmp profile with the ipsec profile attached to the tunnel and it fails.

Here is the relevant config that I'm adding. The issuer name is within the CA certificate as "Trustis Limited".

Any ideas?

!
crypto pki certificate map TRUSTIS 10
 issuer-name co o = trustis limited
!
crypto isakmp profile TRUSTIS-PROFILE
 match certificate TRUSTIS
!
crypto ipsec profile RED-PROFILE1
 set transform-set RED-TS-1
 set isakmp-profile TRUSTIS-PROFILE
!
interface Tunnel0
 tunnel protection ipsec profile RED-PROFILE1
!

#################################

The main error message is:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 100.96.18.2

The debug errors produced are listed below.

 

*Jun 17 14:05:34.363: ISAKMP (1073): received packet from 100.96.18.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Jun 17 14:05:34.503: ISAKMP:(0): SA request profile is (NULL)

*Jun 17 14:05:34.503: ISAKMP: Created a peer struct for 100.96.18.2, peer port 500

*Jun 17 14:05:34.507: ISAKMP: New peer created peer = 0x6B0FC830 peer_handle = 0x8000004F

*Jun 17 14:05:34.507: ISAKMP: Locking peer struct 0x6B0FC830, refcount 1 for isakmp_initiator

*Jun 17 14:05:34.511: ISAKMP: local port 500, remote port 500

*Jun 17 14:05:34.511: ISAKMP: set new node 0 to QM_IDLE      

*Jun 17 14:05:34.515: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6B0FBD4C

*Jun 17 14:05:34.515: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jun 17 14:05:34.519: ISAKMP:(0):No pre-shared key with 100.96.18.2!

*Jun 17 14:05:34.519: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.523: ISAKMP:(0): PKI->IKE Got configur

R9#ed TrustPoints state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jun 17 14:05:34.527: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jun 17 14:05:34.527: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jun 17 14:05:34.531: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jun 17 14:05:34.531: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jun 17 14:05:34.535: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

 

*Jun 17 14:05:34.535: ISAKMP:(0): beginning Main Mode exchange

*Jun 17 14:05:34.539: ISAKMP:(0): sending packet to 100.96.18.2 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 17 14:05:34.539: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 17 14:05:34.639: ISAKMP (0): received packet from 100.96.18.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Jun 17 14:05:34.643: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 17 14:05:34.643: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

 

*Jun 17 14:05:

R9#34.651: ISAKMP:(0): processing SA payload. message ID = 0

*Jun 17 14:05:34.655: ISAKMP:(0): processing vendor id payload

*Jun 17 14:05:34.655: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jun 17 14:05:34.655: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jun 17 14:05:34.659: ISAKMP : Scanning profiles for xauth ... TRUSTIS-PROFILE

*Jun 17 14:05:34.659: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.663: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.663: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Jun 17 14:05:34.667: ISAKMP:      encryption AES-CBC

*Jun 17 14:05:34.667: ISAKMP:      keylength of 128

*Jun 17 14:05:34.671: ISAKMP:      hash SHA

*Jun 17 14:05:34.671: ISAKMP:      default group 5

*Jun 17 14:05:34.671: ISAKMP:      auth RSA sig

*Jun 17 14:05:34.675: ISAKMP:      life type in seconds

*Jun 17 14:05:34.675: ISAKM

R9#P:      life duration (VPI) of  0x0 0x1 0x51 0x80 

*Jun 17 14:05:34.679: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jun 17 14:05:34.683: ISAKMP:(0):Acceptable atts:actual life: 0

*Jun 17 14:05:34.683: ISAKMP:(0):Acceptable atts:life: 0

*Jun 17 14:05:34.683: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jun 17 14:05:34.687: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jun 17 14:05:34.687: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.691: CRYPTO_PKI: (A0091) Session started - identity not specified

*Jun 17 14:05:34.691: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:34.695: ISAKMP:(0):Returning Actual lifetime: 86400

*Jun 17 14:05:34.695: ISAKMP:(0)::Started lifetime timer: 86400.

 

*Jun 17 14:05:34.699: ISAKMP:(0): processing vendor id payload

*Jun 17 14:05:34.699: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jun 17 14:05:34.699: ISAKMP (0): vendor I

R9#D is NAT-T RFC 3947

*Jun 17 14:05:34.703: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 17 14:05:34.707: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

 

*Jun 17 14:05:34.719: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 100.96.18.2)

*Jun 17 14:05:34.719: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 100.96.18.2)

*Jun 17 14:05:34.723: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 100.96.18.2)

*Jun 17 14:05:34.727: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 100.96.18.2)

*Jun 17 14:05:34.731: ISAKMP (0): constructing CERT_REQ for issuer ou=Trustis Platinum Root CA,o=Trustis Limited,c=GB

*Jun 17 14:05:34.735: ISAKMP:(0): sending packet to 100.96.18.2 my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jun 17 14:05:34.735: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jun 17 14:05:34.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 17 14:05:34.

R9#739: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

 

*Jun 17 14:05:34.851: ISAKMP (0): received packet from 100.96.18.2 dport 500 sport 500 Global (I) MM_SA_SETUP

*Jun 17 14:05:34.855: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 17 14:05:34.859: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

 

*Jun 17 14:05:34.867: ISAKMP:(0): processing KE payload. message ID = 0

*Jun 17 14:05:35.431: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jun 17 14:05:35.439: ISAKMP:(1074): processing vendor id payload

*Jun 17 14:05:35.439: ISAKMP:(1074): vendor ID is Unity

*Jun 17 14:05:35.443: ISAKMP:(1074): processing vendor id payload

*Jun 17 14:05:35.443: ISAKMP:(1074): vendor ID is DPD

*Jun 17 14:05:35.443: ISAKMP:(1074): processing vendor id payload

*Jun 17 14:05:35.447: ISAKMP:(1074): speaking to another IOS box!

*Jun 17 14:05:35.447: ISAKMP:received payload type 20

*Jun 17 14:05:35.451: ISAKMP (1074): His hash no match - this node outside NAT

*Ju

R9#n 17 14:05:35.451: ISAKMP:received payload type 20

*Jun 17 14:05:35.451: ISAKMP (1074): No NAT Found for self or peer

*Jun 17 14:05:35.455: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 17 14:05:35.455: ISAKMP:(1074):Old State = IKE_I_MM4  New State = IKE_I_MM4 

 

*Jun 17 14:05:35.467: ISAKMP:(1074):Send initial contact

*Jun 17 14:05:35.471: ISAKMP:(1074): processing CERT_REQ payload. message ID = 0

*Jun 17 14:05:35.471: ISAKMP:(1074): peer wants a CT_X509_SIGNATURE cert

*Jun 17 14:05:35.475: ISAKMP:(1074): peer wants cert issued by ou=Entrust-Capita Platinum Root,o=Entrust,c=GB

*Jun 17 14:05:35.479: CRYPTO_PKI: 0 matching trustpoints found

*Jun 17 14:05:35.479: ISAKMP:(1074): issuer name is not a trusted root.

*Jun 17 14:05:35.483: ISAKMP:(1074): processing CERT_REQ payload. message ID = 0

*Jun 17 14:05:35.483: ISAKMP:(1074): peer wants a CT_X509_SIGNATURE cert

*Jun 17 14:05:35.487: ISAKMP:(1074): peer wants cert issued by ou=Trustis Platinum Root CA

R9#,o=Trustis Limited,c=GB

*Jun 17 14:05:35.491: CRYPTO_PKI: Trust-Point RED-MGMT picked up

*Jun 17 14:05:35.491: CRYPTO_PKI: 1 matching trustpoints found

*Jun 17 14:05:35.495: CRYPTO_PKI: (90092) Session started - identity selected (RED-MGMT)

*Jun 17 14:05:35.495:  Choosing trustpoint RED-MGMT as issuer

*Jun 17 14:05:35.499: CRYPTO_PKI: Rcvd request to end PKI session 90092.

*Jun 17 14:05:35.499: CRYPTO_PKI: PKI session 90092 has ended. Freeing all resources.

*Jun 17 14:05:35.499: CRYPTO_PKI: unlocked trustpoint RED-MGMT, refcount is 0

*Jun 17 14:05:35.503: CRYPTO_PKI: locked trustpoint RED-MGMT, refcount is 1

*Jun 17 14:05:35.503: CRYPTO_PKI: Identity bound (RED-MGMT) for session A0091

*Jun 17 14:05:35.507: ISAKMP:(1074): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.511: ISAKMP:(1074): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.511: ISAKMP:(1074): IKE->PKI Get SubjectName state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.547: ISAKMP:(1074): PKI->IKE Got SubjectName state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.547: ISAKMP:(1074):My ID configured as IPv4 Addr, but Addr not in Cert!

*Jun 17 14:05:35.547: ISAKMP:(1074):Using FQDN as My ID

*Jun 17 14:05:35.551: ISAKMP:(1074):SA is doing RSA signature authentication using id type ID_FQDN

*Jun 17 14:05:35.555: ISAKMP (1074): ID payload 

next-payload : 6

type         : 2 

FQDN name    : R9.nwp.lcl 

protocol     : 17 

port         : 500 

length       : 18

*Jun 17 14:05:35.559: ISAKMP:(1074):Total payload length: 18

*Jun 17 14:05:35.559: ISAKMP:(1074): IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.591: ISAKMP:(1074): PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.623: ISAKMP (1074): constructing CERT payload for hostname=r9.nwp.lcl,c=gb,o=np,ou=red-mgmt,cn=site-r9

*Jun 17 14:05:35.627: ISAKMP:(1074): using the RED-MGMT trustpoint's keypair to sign

*Jun 17 14:05:35.727: ISAKMP:(1074): sending packet to 100.96.18.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jun 17 14:05:35.731: ISAKMP:(1074):Sending an IKE IPv4 Packet.

*Jun 17 14:05:35.735: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jun 17 14:05:35.735: ISAKMP:(1074):Old State = IKE_I_MM4  New State = IKE_I_MM5 

 

*Jun 17 14:05:35.859: ISAKMP (1073): received packet from 100.96.18.2 dport 500 sport 500 Global (I) MM_NO_STATE

*Jun 17 14:05:35.895: ISAKMP (1074): received packet from 100.96.18.2 dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jun 17 14:05:35.899: ISAKMP:(1074): processing ID payload. message ID = 0

*Jun 17 14:05:35.899: ISAKMP (1074): ID payload 

next-payload : 6

type         : 2 

FQDN name    : R7.omni.rei.lcl 

protocol     : 17 

port         : 500 

length       : 23

*Jun 17 14:05:35.903: ISAKMP:(0):: peer matches *none* of the profiles

*Jun 17 14:05:35.907: ISAKMP:(1074): processing CERT payload. message ID = 0

*Jun 17 14:05:35.907: ISAKMP:(1074): processing a CT_X509_SIGNATURE cert

*Jun 17 14:05:35.911: ISAKMP:(1074): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.939: CRYPTO_PKI: Added x509 peer certificate - (586) bytes

*Jun 17 14:05:35.939: ISAKMP:(1074): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.943: ISAKMP:(1074): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.943: ISAKMP:(1074): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:35.947: ISAKMP:(1074): peer's pubkey isn't cached

*Jun 17 14:05:35.979: ISAKMP:(0): certificate map matches TRUSTIS-PROFILE profile

*Jun 17 14:05:35.983: ISAKMP:(0):ISAKMP profile mis-match, exchange aborted

*Jun 17 14:05:35.983: ISAKMP (1074): FSM action returned error: 2

*Jun 17 14:05:35.987: ISAKMP:(1074):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jun 17 14:05:35.987: ISAKMP:(1074):Old State = IKE_I_MM5  New State = IKE_I_MM6 

 

*Jun 17 14:05:35.991: ISAKMP:(1074):peer does not do paranoid keepalives.

 

*Jun 17 14:05:35.991: ISAKMP:(1074):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 100.96.18.2)

*Jun 17 14:05:36.011: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jun 17 14:05:36.011: ISAKMP:(1074):Old State = IKE_I_MM6  New State = IKE_I_MM6 

 

*Jun 17 14:05:36.019: ISAKMP:(1074):peer does not do paranoid keepalives.

 

*Jun 17 14:05:36.023: ISAKMP (1074): FSM action returned error: 2

*Jun 17 14:05:36.023: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

*Jun 17 14:05:36.027: ISAKMP:(1074):Old State = IKE_I_MM6  New State = IKE_I_MM5 

 

*Jun 17 14:05:36.035: ISAKMP:(1074):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 100.96.18.2) 

*Jun 17 14:05:36.035: ISAKMP: Unlocking peer struct 0x6B0FC830 for isadb_mark_sa_deleted(), count 0

*Jun 17 14:05:36.039: ISAKMP: Deleting peer node by peer_reap for 100.96.18.2: 6B0FC830

*Jun 17 14:05:36.043: ISAKMP:(1074):deleting node 366188182 error FALSE reason "IKE deleted"

*Jun 17 14:05:36.043: ISAKMP:(1074): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:36.047: CRYPTO_PKI: Rcvd request to end PKI session A0091.

*Jun 17 14:05:36.047: CRYPTO_PKI: PKI session A0091 has ended. Freeing all resources.

*Jun 17 14:05:36.055: CRYPTO_PKI: unlocked trustpoint RED-MGMT, refcount is 0

*Jun 17 14:05:36.055: ISAKMP:(1074): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 100.96.18.2)

*Jun 17 14:05:36.059: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jun 17 14:05:36.059: ISAKMP:(1074):Old State = IKE_I_MM5  New State = IKE_DEST_SA 

 

 

 

It’s not working because the cert presented seems not to match your profile.
Please send me via PM your config for the 2 routers, including a show crypto pki cert.
Please put them into a text file.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
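The decision points in the R9 debug above are easy to lose among the state transitions. The following is an added example, not code from the thread: a small Python triage script that pulls out which issuers the peer asked for in CERT_REQ, how many of those no local trustpoint could answer, which trustpoint was picked and signed the exchange, whether the local ID fell back from address to FQDN, and which ISAKMP profile the peer's certificate mapped to. The sample input is constructed from the debug lines above with the "R9#" prompt echoes removed; the rule names and the verdict wording are mine, not IOS messages.

```python
import re

# Constructed sample: the decision lines from the R9 debug in this thread, with the
# "R9#" prompt echoes removed and the rest of the exchange trimmed.
SAMPLE_DEBUG = """\
*Jun 17 14:05:35.471: ISAKMP:(1074): processing CERT_REQ payload. message ID = 0
*Jun 17 14:05:35.475: ISAKMP:(1074): peer wants cert issued by ou=Entrust-Capita Platinum Root,o=Entrust,c=GB
*Jun 17 14:05:35.479: CRYPTO_PKI: 0 matching trustpoints found
*Jun 17 14:05:35.479: ISAKMP:(1074): issuer name is not a trusted root.
*Jun 17 14:05:35.487: ISAKMP:(1074): peer wants cert issued by ou=Trustis Platinum Root CA,o=Trustis Limited,c=GB
*Jun 17 14:05:35.491: CRYPTO_PKI: Trust-Point RED-MGMT picked up
*Jun 17 14:05:35.547: ISAKMP:(1074):My ID configured as IPv4 Addr, but Addr not in Cert!
*Jun 17 14:05:35.547: ISAKMP:(1074):Using FQDN as My ID
*Jun 17 14:05:35.627: ISAKMP:(1074): using the RED-MGMT trustpoint's keypair to sign
*Jun 17 14:05:35.903: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 17 14:05:35.979: ISAKMP:(0): certificate map matches TRUSTIS-PROFILE profile
*Jun 17 14:05:35.983: ISAKMP:(0):ISAKMP profile mis-match, exchange aborted
*Jun 17 14:05:35.991: ISAKMP:(1074):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 100.96.18.2)
"""

# (report key, pattern, how a hit is recorded); the key names are this example's own.
RULES = [
    ("cert_req_issuers", re.compile(r"peer wants cert issued by (.+?)\s*$"), "append"),
    ("unanswered_cert_reqs", re.compile(r"issuer name is not a trusted root"), "count"),
    ("trustpoint_picked", re.compile(r"Trust-Point (\S+) picked up"), "set"),
    ("signing_trustpoint", re.compile(r"using the (\S+) trustpoint's keypair to sign"), "set"),
    ("id_fell_back_to_fqdn", re.compile(r"Addr not in Cert"), "flag"),
    ("peer_id_matched_no_profile", re.compile(r"peer matches \*none\* of the profiles"), "flag"),
    ("cert_map_profile", re.compile(r"certificate map matches (\S+) profile"), "set"),
    ("profile_mismatch", re.compile(r"ISAKMP profile mis-match"), "flag"),
    ("sa_delete_reason", re.compile(r'deleting SA reason "([^"]+)"'), "set"),
]


def triage(debug_text):
    """One pass over debug crypto isakmp / debug crypto pki output.

    Returns a dict of the phase 1 certificate decisions: CERT_REQ issuers the peer asked
    for, how many of them no local trustpoint could answer, which trustpoint answered and
    signed, whether the local ID fell back from address to FQDN, and which ISAKMP profile
    the peer's certificate mapped to on our side.
    """
    report = {"cert_req_issuers": [], "unanswered_cert_reqs": 0}
    for line in debug_text.splitlines():
        for key, pattern, how in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if how == "append":
                report[key].append(match.group(1))
            elif how == "count":
                report[key] += 1
            elif how == "flag":
                report[key] = True
            else:  # "set": keep the last value seen, which is the one the exchange used
                report[key] = match.group(1)
    return report


def verdict(report):
    """Turn the collected decisions into the one-line diagnosis a reviewer would write."""
    if report.get("profile_mismatch"):
        return ("profile mismatch: the peer's certificate mapped to ISAKMP profile %s, which is not "
                "the profile this SA was initiated under; bind that profile to the tunnel "
                "(set isakmp-profile in the ipsec profile) and give it a ca trust-point"
                % report.get("cert_map_profile"))
    if report.get("sa_delete_reason"):
        return "SA deleted: %s" % report["sa_delete_reason"]
    if not report.get("signing_trustpoint"):
        return "no trustpoint signed the exchange: compare CERT_REQ issuers with the configured trustpoints"
    return "phase 1 certificate selection consistent: signed with trustpoint %s" % report["signing_trustpoint"]


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    for key in sorted(result):
        print("%-28s %s" % (key, result[key]))
    print(verdict(result))
```

Run it over a full debug crypto isakmp / debug crypto pki capture. On the sample it reports that only the second CERT_REQ (the Trustis issuer) could be answered, that RED-MGMT was picked and signed, that the local ID fell back to FQDN because the certificate carries no IP address, and that the peer's certificate then mapped to TRUSTIS-PROFILE, which IOS reports as a profile mismatch and aborts the exchange.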

Here is an example of a config that works fine.

 

CERTIFICATE SPOKE:
 
SPOKE#sh cryp pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 7D000000F5C67031029CAEA3A10001000000F5
  Certificate Usage: General Purpose
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    Name: spoke.mydomainname.com
    cn=SPOKE
    ou=TEST
    o=mydomainname
    hostname=spoke.mydomainname.com
  CRL Distribution Points:
    ldap:///CN=mydomainname-WINSRV-CA(1),CN=WINSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomainname,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://crl.mydomainname.com/crld/mydomainname-WINSRV-CA(1).crl
  Validity Date:
    start date: 04:21:06 EET Jun 29 2020
    end   date: 04:21:06 EET Jun 29 2022
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#F5.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A60DA43CF62528548F2CA5D71B8A3A1
  Certificate Usage: Signature
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Validity Date:
    start date: 20:01:02 EET May 31 2020
    end   date: 20:11:02 EET Jun 1 2030
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#A3A1CA.cer
 
 
CERTIFICATE HUB:
 
HUB#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 7D000000F4A84BAA7D638C1A650001000000F4
  Certificate Usage: General Purpose
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    Name: hub.mydomainname.com
    cn=hub
    ou=TEST
    o=mydomainname
    hostname=hub.mydomainname.com
  CRL Distribution Points:
    ldap:///CN=mydomainname-WINSRV-CA(1),CN=WINSRV,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomainname,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://crl.mydomainname.com/crld/mydomainname-WINSRV-CA(1).crl
  Validity Date:
    start date: 04:20:37 EET Jun 29 2020
    end   date: 04:20:37 EET Jun 29 2022
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#F4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 5A60DA43CF62528548F2CA5D71B8A3A1
  Certificate Usage: Signature
  Issuer:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Subject:
    cn=mydomainname-WINSRV-CA
    dc=mydomainname
    dc=com
  Validity Date:
    start date: 20:01:02 EET May 31 2020
    end   date: 20:11:02 EET Jun 1 2030
  Associated Trustpoints: TEST
  Storage: nvram:mydomainname-W#A3A1CA.cer
 
Crypto config on both devices (Hub and Spoke):
 
crypto pki trustpoint TEST
 enrollment terminal
 fqdn hub.mydomainname.com
 subject-name CN=hub,OU=TEST,O=mydomainname
 revocation-check none
 rsakeypair CERT
!
crypto pki certificate map CERT 10
 issuer-name co mydomainname-winsrv-ca
!
crypto isakmp policy 1
 encr aes
 group 5
!
crypto isakmp keepalive 30 periodic
crypto isakmp profile RED-MGMT-PROF
   ca trust-point TEST
   match certificate CERT
!
crypto ipsec transform-set RED-TS-1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile RED-PROFILE1
 set transform-set RED-TS-1
 set isakmp-profile RED-MGMT-PROF
!
 
For the Tunnel configuration, I kept your exact config.
 
Outputs HUB:
 
HUB#sh cryp isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
40.10.10.2      50.10.10.2      QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

HUB#sh cryp ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 40.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (40.10.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (50.10.10.2/255.255.255.255/47/0)
   current_peer 50.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 40.10.10.2, remote crypto endpt.: 50.10.10.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xDF36BB57(3744906071)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCBC61D43(3418758467)

HUB#sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Hub, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 50.10.10.2          100.96.20.2    UP 00:05:33     D

HUB#
 
Outputs Spoke:
 
SPOKE#sh cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
40.10.10.2      50.10.10.2      QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

SPOKE#sh cryp ipse sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 50.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (50.10.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (40.10.10.2/255.255.255.255/47/0)
   current_peer 40.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 50.10.10.2, remote crypto endpt.: 40.10.10.2
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb (none)
     current outbound spi: 0xCBC61D43(3418758467)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDF36BB57(3744906071)

SPOKE# sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel2, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 40.10.10.2          100.96.20.1    UP 00:06:04     S

SPOKE#

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
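To make the binding chain in the working config explicit for the three-tunnel case in the question, here is an added example that is not from the thread: a Python script that reads an IOS config and, for each Tunnel interface, follows tunnel protection ipsec profile -> set isakmp-profile -> ca trust-point / match certificate, and reports where the chain leaves phase 1 unpinned. The sample config is constructed in the style of the working example above; every name in it (TP-RED, TP-BLUE, MAP-*, PROF-*, IPSEC-* and the issuer strings) is hypothetical.

```python
# Constructed three-tunnel hub config in the style of the working example above.
# All names here (TP-*, MAP-*, PROF-*, IPSEC-*, the issuer strings) are hypothetical.
SAMPLE_CONFIG = """\
crypto pki trustpoint TP-RED
 revocation-check crl
crypto pki trustpoint TP-BLUE
 revocation-check none

crypto pki certificate map MAP-RED 10
 issuer-name co red-issuing-ca
crypto pki certificate map MAP-BLUE 10
 issuer-name co blue-issuing-ca
crypto pki certificate map MAP-GREEN 10
 issuer-name co green-issuing-ca

crypto isakmp profile PROF-RED
   ca trust-point TP-RED
   match certificate MAP-RED
crypto isakmp profile PROF-BLUE
   ca trust-point TP-BLUE
   match certificate MAP-BLUE
crypto isakmp profile PROF-GREEN
   match certificate MAP-GREEN

crypto ipsec profile IPSEC-RED
 set isakmp-profile PROF-RED
crypto ipsec profile IPSEC-BLUE
 set isakmp-profile PROF-BLUE
crypto ipsec profile IPSEC-GREEN
 set isakmp-profile PROF-GREEN

interface Tunnel1
 tunnel protection ipsec profile IPSEC-RED
interface Tunnel2
 tunnel protection ipsec profile IPSEC-BLUE
interface Tunnel3
 tunnel protection ipsec profile IPSEC-GREEN
!
"""


def parse_sections(text):
    """Top-level IOS config blocks as {header line: [stripped indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def arg_after(lines, prefix):
    """First token following `prefix` on the first matching child line, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].split()[0]
    return None


def by_name(sections, header_prefix, name_index=-1):
    return {h.split()[name_index]: b for h, b in sections.items() if h.startswith(header_prefix)}


def resolve(config_text):
    """Per Tunnel interface, follow ipsec profile -> isakmp profile -> trustpoint and certificate map."""
    s = parse_sections(config_text)
    trustpoints = by_name(s, "crypto pki trustpoint ")
    cert_maps = by_name(s, "crypto pki certificate map ", -2)  # header ends with a sequence number
    isakmp_profiles = by_name(s, "crypto isakmp profile ")
    ipsec_profiles = by_name(s, "crypto ipsec profile ")
    out = {}
    for header, body in s.items():
        if not header.startswith("interface Tunnel"):
            continue
        r = out[header.split()[-1]] = {"ipsec_profile": arg_after(body, "tunnel protection ipsec profile"),
                                        "isakmp_profile": None, "trustpoints": [], "cert_map": None, "findings": []}
        ipsec_body = ipsec_profiles.get(r["ipsec_profile"])
        if ipsec_body is None:
            r["findings"].append("tunnel protection references no defined ipsec profile")
            continue
        r["isakmp_profile"] = arg_after(ipsec_body, "set isakmp-profile")
        prof = isakmp_profiles.get(r["isakmp_profile"])
        if prof is None:
            r["findings"].append("no usable set isakmp-profile: phase 1 is not pinned for this tunnel")
            continue
        r["trustpoints"] = [l.split()[-1] for l in prof if l.startswith("ca trust-point ")]
        r["cert_map"] = arg_after(prof, "match certificate")
        if not r["trustpoints"]:
            r["findings"].append("no ca trust-point: any trustpoint on the router may answer the peer's CERT_REQ")
        if r["cert_map"] not in cert_maps:
            r["findings"].append("certificate map %s is missing: peer certs cannot select this profile" % r["cert_map"])
        for tp in r["trustpoints"]:
            if tp not in trustpoints:
                r["findings"].append("trustpoint %s is referenced but not defined" % tp)
            elif "revocation-check none" in trustpoints[tp]:
                r["findings"].append("trustpoint %s has revocation-check none: revoked peer certs are accepted" % tp)
    return out


if __name__ == "__main__":
    for tun, r in resolve(SAMPLE_CONFIG).items():
        print(tun, r["isakmp_profile"], r["trustpoints"], r["cert_map"], r["findings"] or "ok")
```

On the sample, Tunnel1 resolves cleanly to TP-RED via PROF-RED; Tunnel2 is pinned but its trustpoint has revocation-check none, which the working example above also uses and which a production build should replace with crl or ocsp so a revoked peer certificate is rejected; Tunnel3 is the situation described in the question, an ISAKMP profile with a certificate map but no ca trust-point, so the router is free to answer the peer's CERT_REQ from any trustpoint it holds. The script reads a running-config paste; point it at show running-config output from each router before and after the PKI migration.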