Ikev2, CA, trustpoint, FlexVPN

benoitsiles
Level 1

Hi,

I am trying to run IKEv2 with CA enrollment and a FlexVPN configuration between two routers, but I fail because the spoke router can't find its trustpoint. Does anyone have any idea about it, please? The issue looks to be related to the following message found in the output of debug crypto pki:

*Mar 14 12:27:51.090: CRYPTO_PKI: 0 matching trustpoints found
*Mar 14 12:27:51.090: IKEv2:(SESSION ID = 2,SA ID = 1):: Failed to build or process a certificate request
*Mar 14 12:27:51.090: IKEv2:(SESSION ID = 2,SA ID = 1):Initial exchange failed: Initial exchange failed

The configurations and some debugs are attached to this message.

Thanks in advance for any help you might bring.

4 Replies

Marcin Latosiewicz
Cisco Employee

Spoke doesn't have an identity cert.

Enroll the spoke to the CA (yes, itself). Also make sure you have the right EKU (if this restriction was not relaxed recently).

Hi,

I enrolled the spoke as you proposed. I made changes as well, EKU included. However, I've got the following error while debugging the hub. I supposed that the aaa command under the IKE profile was used for authorizing a specific protected IP subnet, but I am missing something. When I type show crypto ikev2 sa, I get nothing on both hub and spoke:

*Mar 18 12:55:28.862: IKEv2:AAA group author request failed
*Mar 18 12:55:28.862: IKEv2:(SESSION ID = 0,SA ID = 1):AAA group authorization failed
*Mar 18 12:55:28.862: IKEv2:(SESSION ID = 0,SA ID = 1):
*Mar 18 12:55:28.862: IKEv2:(SESSION ID = 19069,SA ID = 1):SM Trace-> SA: I_SPI=6580C74CBAF73D15 R_SPI=097240A23587396C (R) MsgID = 1 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Mar 18 12:55:28.862: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

I've attached the configuration of both hub and spoke, and some show and debug output as well.

Thanks.

Mind that I haven't been working on this tech for almost 3 years. The aaa authorization rule is not defined under AAA; you have it defined only in IKE. Maybe newer IOS doesn't require it? The old ones did.

Hi Marcin,

I understand. By the way, your advice was pretty good. I've added the following command to both routers' configurations and it fixed the problem:

aaa authorization network default local

There are still some IKEv2 issues that I will post this week. I'll do my best to fix them and I will post the outcome to finish the thread.

Many thanks for your three good tips.
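Pulling the two fixes from this thread together (the spoke needs its own identity certificate from the CA, and the authorization list named in the IKEv2 profile must also exist under AAA), here is a minimal hub-as-CA plus spoke configuration written as an added example. It is not the configuration attached to the original posts (which is not reproduced on this page) and not Cisco documentation. All names (FLEX-CA, FLEX-TP, FLEX-AAA, FLEX-POL, FLEX-RSA), the hub address 192.0.2.1 and the example.com host names are assumptions; the thread used the list name default, this example uses a named list to make the profile-to-AAA linkage visible. Whether the CA honours the requested EKU values is CA-dependent and is also an assumption here. Tunnel interfaces, the IPsec profile and the virtual-template are left out to keep the focus on PKI enrollment and AAA authorization.

```cisco
! ===== HUB (also the IOS CA). Names and addresses are assumptions. =====
! SCEP enrollment runs over HTTP, so the HTTP server must be on.
ip http server
!
! "grant auto" is for a lab only; approve requests manually in production.
crypto pki server FLEX-CA
 issuer-name CN=flex-ca.example.com
 grant auto
 no shutdown
!
! The hub also needs its own identity certificate, so it enrols with its own CA.
! "eku request" asks the CA to put Server Auth / Client Auth EKU values into
! the issued certificate (assumption: this CA honours the request).
crypto pki trustpoint FLEX-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=hub.example.com
 fqdn hub.example.com
 revocation-check none
 rsakeypair FLEX-RSA 2048
 eku request server-auth client-auth
!
! The piece that was missing in the thread: the IKEv2 profile refers to an
! authorization list, and that list has to be defined under AAA as well.
aaa new-model
aaa authorization network FLEX-AAA local
!
crypto ikev2 authorization policy FLEX-POL
 route set interface
!
crypto ikev2 profile FLEX-HUB
 match identity remote fqdn domain example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-TP
 aaa authorization group cert list FLEX-AAA FLEX-POL
!
! ===== SPOKE =====
crypto pki trustpoint FLEX-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=spoke1.example.com
 fqdn spoke1.example.com
 revocation-check none
 rsakeypair FLEX-RSA 2048
 eku request server-auth client-auth
!
aaa new-model
aaa authorization network FLEX-AAA local
!
crypto ikev2 authorization policy FLEX-POL
 route set interface
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote fqdn hub.example.com
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint FLEX-TP
 aaa authorization group cert list FLEX-AAA FLEX-POL
!
! ----- exec-mode steps, run on the spoke and again on the hub -----
! 1. Generate the key pair the trustpoint refers to:
!      crypto key generate rsa label FLEX-RSA modulus 2048
! 2. Fetch the CA certificate and confirm its fingerprint out of band:
!      crypto pki authenticate FLEX-TP
! 3. Request the router's own identity certificate:
!      crypto pki enroll FLEX-TP
! 4. Check the result:
!      show crypto pki certificates FLEX-TP
!    The output must contain a "Certificate" block (the router's own identity)
!    in addition to the "CA Certificate" block. A trustpoint that holds only
!    the CA certificate cannot sign IKE_AUTH, which is the state behind
!    "CRYPTO_PKI: 0 matching trustpoints found" in the original debug.
! 5. After the tunnel is brought up, "show crypto ikev2 sa" should show the
!    SA in READY state; an empty table together with
!    "IKEv2:AAA group author request failed" points at the list name in
!    "aaa authorization group cert list ..." not matching an
!    "aaa authorization network ..." line.
```

Run the exec-mode steps on each router separately; each one enrolls for its own identity certificate, and the trustpoint name in the IKEv2 profile (pki trustpoint FLEX-TP) must be the trustpoint that holds that identity certificate, not merely one that trusts the CA.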