IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

Dear All, 

 

I have a simple setup with two routers (acting as server and client), where I am trying to test flexvpn using certificates.

 

I am getting the error below:

 

IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

 

Attaching all the configs and debugs, please suggest.

Rob Ingram

@viveknath.mangalat1 

Can you provide the full output of "show crypto pki certificates" from both routers please.

 

Hello @Rob Ingram 

 

Please see below.

 

R2#show crypto pki certificates
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=R1.LAB.NET
Subject:
Name: R2.LAB.NET
hostname=R2.LAB.NET
cn=R2.LAB.NET
Validity Date:
start date: 13:37:50 UTC May 7 2021
end date: 13:37:50 UTC May 7 2022
Associated Trustpoints: CA

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R1.LAB.NET
Subject:
cn=R1.LAB.NET
Validity Date:
start date: 13:36:37 UTC May 7 2021
end date: 13:36:37 UTC May 6 2024
Associated Trustpoints: CA

 

 

==========

 

R1#show crypto pki certificates
*May 7 14:17:01.310: %SYS-5-CONFIG_I: Configured from console by console
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=R1.LAB.NET
Subject:
cn=R1.LAB.NET
Validity Date:
start date: 13:36:37 UTC May 7 2021
end date: 13:36:37 UTC May 6 2024
Associated Trustpoints: CA

 

@viveknath.mangalat1 

R1 only has the CA certificate and not an identity certificate (R2 has both). You need to enroll R1 to its CA server (itself). Define a trustpoint that points to the CA (itself), then authenticate and enroll.
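A small checker for the diagnosis above, added here as an example and not part of the thread: it parses the `show crypto pki certificates` output posted above and reports whether a trustpoint holds both a CA certificate and an identity certificate (the condition R1 fails), skipping prompts, interleaved syslog lines and certificates outside their validity window. The field names and date format are those in the posted output; `parse_certs`, `check_trustpoint` and `R1_OUTPUT` are names chosen for this example.

```python
# Parse Cisco IOS 'show crypto pki certificates' output and check whether a
# trustpoint holds both a CA cert and an identity cert (what IKEv2 needs to sign).
import re
from datetime import datetime

DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # IOS prints e.g. 13:37:50 UTC May 7 2021

def parse_certs(output):
    """One dict per certificate block; prompts and interleaved syslog lines are ignored."""
    certs = []
    for line in output.splitlines():
        line = line.strip()
        if line in ("Certificate", "CA Certificate"):     # start of a block
            certs.append({"kind": "ca" if line.startswith("CA") else "identity"})
        elif certs:
            cur = certs[-1]
            if m := re.match(r"Certificate Serial Number \(hex\): (\w+)", line):
                cur["serial"] = m.group(1)
            elif m := re.match(r"(start|end) date: (.+)", line):
                cur[m.group(1)] = datetime.strptime(m.group(2), DATE_FMT)
            elif m := re.match(r"Associated Trustpoints: (.+)", line):
                cur["trustpoints"] = m.group(1).split()
    return certs

def check_trustpoint(output, trustpoint, now):
    """Report whether `trustpoint` can sign: it needs a CA cert and an identity
    cert that are both inside their validity window at `now`."""
    kinds = set()
    for c in parse_certs(output):
        if trustpoint in c.get("trustpoints", []) and c["start"] <= now <= c["end"]:
            kinds.add(c["kind"])
    return {"ca": "ca" in kinds, "identity": "identity" in kinds,
            "can_sign": kinds == {"ca", "identity"}}

# Constructed sample: R1's output as quoted in the thread (abridged), CA cert only.
R1_OUTPUT = """R1#show crypto pki certificates
*May 7 14:17:01.310: %SYS-5-CONFIG_I: Configured from console by console
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Issuer:
cn=R1.LAB.NET
Subject:
cn=R1.LAB.NET
Validity Date:
start date: 13:36:37 UTC May 7 2021
end date: 13:36:37 UTC May 6 2024
Associated Trustpoints: CA
"""
```

Running `check_trustpoint(R1_OUTPUT, "CA", now)` for a date inside the CA certificate's lifetime reports the CA certificate present and the identity certificate missing, which is exactly what the "using configured trustpoints from profile for signing" message is complaining about.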

Hi @Rob Ingram 

 

R1 is the CA server itself. I had tried the below; please see the attached PKI notepad file.

 

R1(config)#crypto pki trustpoint CA
% You are not supposed to change the configuration of this
% trustpoint. It is being used by the IOS CA server.

R1(config)#

R1(config)#crypto pki authenticate CA
% Please delete your existing CA certificate first.
% You must use 'no crypto pki trustpoint <trustpoint-name>' to delete the CA certificate.
R1(config)#

@viveknath.mangalat1 

I am aware of that. You need to create a new trustpoint (don't modify the trustpoint called CA); the enrollment URL would be a loopback or physical IP address on R1. You then authenticate and enroll R1 to itself.

Hi @Rob Ingram,

 

I tried, thank you, just moved on with that issue.

=========================

But now EIGRP seems to flap.

=========================

*May 7 14:50:44.843: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.10.10.12 (Virtual-Access1) is up: new adjacency

*May 7 14:51:55.801: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.10.10.12 (Virtual-Access1) is down: Interface PEER-TERMINATION receivedrun
Building configuration...

=========================

Also, the tunnel interface at the hub side is not coming up.

=========================

R1#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 1.1.1.1 YES manual up up
Loopback1 11.11.11.11 YES manual up up
Tunnel1 10.10.10.1 YES manual up down
Virtual-Access1 10.10.10.1 YES unset up up
Virtual-Template1 10.10.10.1 YES unset up down

 

=========================

Please see my tunnel config below.

=========================

R1#show run int tunnel 1
Building configuration...

Current configuration : 160 bytes
!
interface Tunnel1
ip address 10.10.10.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF-1
end


R1#
R1#
R1#show run int virtual-template1
Building configuration...

Current configuration : 168 bytes
!
interface Virtual-Template1 type tunnel
ip unnumbered Tunnel1
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF-1
end

 

=========================

 

R2#show run int tunnel 1
Building configuration...

Current configuration : 174 bytes
!
interface Tunnel1
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile PROF-1
end

 

 

R1 is the hub.....so why do you have a virtual-template and a tunnel interface? You only need a VT on the hub, if you wish to have a Hub and Spoke topology. If you just plan on having a static VTI between 2 routers, then you would use tunnel interfaces on both ends. Remove the tunnel interface on R1.

 

Provide your EIGRP configuration from both routers, or just provide the full configuration, which would be easier.


Thank you @Rob Ingram 

 

I was trying to assign an IP address to the virtual template using the tunnel.

 

Now I have removed the tunnel and replaced that with a loopback.

 

The tunnel is up now and EIGRP is also up.

 

Below is my config.

 

Hi,

I had removed the tunnel and assigned a loopback to the virtual template.

# hub side

 

int lo 10
ip add 10.10.10.1 255.255.255.0

 

interface Virtual-Template1 type tunnel
ip unnumbered lo10
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF-1
end


# spoke side

interface Tunnel1
ip address negotiated
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile PROF-1
end
