ipsec certificate chain validation

fbabashahi

Hi,

I need help with my scenario; I appreciate your help.

[Image: Untitled.png]

Scenario description:

In this scenario SUB-CA1 and SUB-CA2 are in sub-CA mode. Site1 got its certificate from SUB-CA1 and Site2 got its certificate from SUB-CA2; on these routers the Root-CA is also authenticated. I want the chain validation to happen when the site-to-site IPsec is negotiated, but I get messages in the debug that I can't figure out the cause of, nor what to do.

These are the server and trustpoint configs:

Root CA Config

--------------

hostname CA-SERVER
!
clock timezone IRDT 4 30
!
no ip domain lookup
ip domain name CA.com
ip host SUB-CA1 41.41.41.2
ip host SUB-CA2 42.42.42.2
!
crypto pki server CA-SERVER
 database level names
 grant auto rollover ca-cert
 grant auto
 lifetime crl 48
 lifetime certificate 500
 lifetime ca-certificate 730
 auto-rollover 90
 database url crl publish nvram:
!
crypto pki trustpoint CA-SERVER
 enrollment selfsigned
 fqdn none
 revocation-check crl none
 rsakeypair CA-SERVER
 storage nvram:
!


SUB-CA1 Config

--------------

hostname SUB-CA1
!
clock timezone IRDT 4 30
!
ip domain name CA.com
ip host CA-SERVER 41.41.41.1
ip host SUB-CA2 42.42.42.2
!
crypto pki server SUB-CA1
 database level names
 grant auto rollover ca-cert
 grant auto
 hash sha1
 lifetime certificate 5
 lifetime ca-certificate 730
 mode sub-cs
 database url crl publish nvram:
!
crypto pki trustpoint SUB-CA1
 enrollment url http://41.41.41.1:80
 chain-validation continue CA-SERVER
 revocation-check crl none
 rsakeypair SUB-CA1


SUB-CA2 Config

--------------

hostname SUB-CA2
!
!
clock timezone IRDT 4 30
!
no ip domain lookup
ip domain name CA.com
ip host CA-SERVER 42.42.42.1
ip host SUB-CA1 41.41.41.2
!
crypto pki server SUB-CA2
 database level names
 grant auto rollover ca-cert
 grant auto
 lifetime crl 48
 lifetime certificate 5
 lifetime ca-certificate 700
 mode sub-cs
 database url crl publish nvram:
!
crypto pki trustpoint SUB-CA2
 enrollment url http://42.42.42.1:80
 chain-validation continue CA-SERVER
 revocation-check crl
 rsakeypair SUB-CA2
 storage nvram:


These are the Site1 logs

-----------------------


Site1(config-if)#do ping 192.168.13.1 source lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.12.1

*May 23 11:02:28.596: ISAKMP:(0): SA request profile is site1-profile
*May 23 11:02:28.596: ISAKMP: Created a peer struct for 23.23.23.1, peer port 500
*May 23 11:02:28.596: ISAKMP: New peer created peer = 0x68F79FF8 peer_handle = 0x80000026
*May 23 11:02:28.596: ISAKMP: Locking peer struct 0x68F79FF8, refcount 1 for isakmp_initiator
*May 23 11:02:28.596: ISAKMP: local port 500, remote port 500
*May 23 11:02:28.596: ISAKMP: set new node 0 to QM_IDLE      
*May 23 11:02:28.600: ISAKMP:(0):insert sa successfully sa = 65BB6704
*May 23 11:02:28.600: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
*May 23 11:02:28.604: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 23 11:02:28.604: ISAKMP:(0):Profile has no keyring, aborting key search
*May 23 11:02:28.608: ISAKMP:(0):Profile has no keyring, aborting host key search
*May 23 11:02:28.608: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.612: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.612: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 23 11:02:28.612: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 23 11:02:28.612: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 23 11:02:28.612: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 23 11:02:28.612: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 23 11:02:28.612: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*May 23 11:02:28.612: ISAKMP:(0): beginning Main Mode exchange
*May 23 11:02:28.612: ISAKMP:(0): sending packet to 23.23.23.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 23 11:02:28.612: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 23 11:02:28.700: ISAKMP (0): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_NO_STATE
*May 23 11:02:28.704: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 23 11:02:28.708: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*May 23 11:02:28.716: ISAKMP:(0): processing SA payload. message ID = 0
*May 23 11:02:28.716: ISAKMP:(0): processing vendor id payload
*May 23 11:02:28.720: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 23 11:02:28.720: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 23 11:02:28.724: ISAKMP : Looking for xauth in profile site1-profile
*May 23 11:02:28.724: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.728: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.728: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*May 23 11:02:28.732: ISAKMP:      encryption AES-CBC
*May 23 11:02:28.732: ISAKMP:      keylength of 128
*May 23 11:02:28.732: ISAKMP:      hash SHA256
*May 23 11:02:28.736: ISAKMP:      default group 1
*May 23 11:02:28.736: ISAKMP:      auth RSA sig
*May 23 11:02:28.736: ISAKMP:      life type in seconds
*May 23 11:02:28.740: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*May 23 11:02:28.740: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 23 11:02:28.740: ISAKMP:(0):Acceptable atts:actual life: 0
*May 23 11:02:28.740: ISAKMP:(0):Acceptable atts:life: 0
*May 23 11:02:28.740: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 23 11:02:28.740: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 23 11:02:28.740: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.740: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 23.23.23.1)
*May 23 11:02:28.740: ISAKMP:(0):Returning Actual lifetime: 86400
*May 23 11:02:28.740: ISAKMP:(0)::Started lifetime timer: 86400.

*May 23 11:02:28.740: ISAKMP:(0): processing vendor id payload
*May 23 11:02:28.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 23 11:02:28.740: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 23 11:02:28.740: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 23 11:02:28.740: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*May 23 11:02:28.740: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 23.23.23.1)
*May 23 11:02:28.740: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 23.23.23.1)
*May 23 11:02:28.740: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 23.23.23.1)
*May 23 11:02:28.740: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 23.23.23.1)
*May 23 11:02:28.744: ISAKMP (0): constructing CERT_REQ for issuer cn=CA-SERVER
*May 23 11:02:28.744: ISAKMP (0): constructing CERT_REQ for issuer cn=SUB-CA1
*May 23 11:02:28.748: ISAKMP:(0): sending packet to 23.23.23.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 23 11:02:28.752: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 23 11:02:28.756: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 23 11:02:28.756: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*May 23 11:02:28.844: ISAKMP (0): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 23 11:02:28.848: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 23 11:02:28.848: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*May 23 11:02:28.856: ISAKMP:(0): processing KE payload. message ID = 0
*May 23 11:02:28.896: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 23 11:02:28.896: ISAKMP:(1037): processing vendor id payload
*May 23 11:02:28.896: ISAKMP:(1037): vendor ID is Unity
*May 23 11:02:28.896: ISAKMP:(1037): processing vendor id payload
*May 23 11:02:28.896: ISAKMP:(1037): vendor ID is DPD
*May 23 11:02:28.896: ISAKMP:(1037): processing vendor id payload
*May 23 11:02:28.896: ISAKMP:(1037): speaking to another IOS box!
*May 23 11:02:28.896: ISAKMP:received payload type 20
*May 23 11:02:28.896: ISAKMP (1037): His hash no match - this node outside NAT
*May 23 11:02:28.896: ISAKMP:received payload type 20
*May 23 11:02:28.896: ISAKMP (1037): No NAT Found for self or peer
*May 23 11:02:28.896: ISAKMP:(1037):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 23 11:02:28.896: ISAKMP:(1037):Old State = IKE_I_MM4  New State = IKE_I_MM4

*May 23 11:02:28.896: ISAKMP:(1037):Send initial contact
*May 23 11:02:28.896: ISAKMP:(1037): processing CERT_REQ payload. message ID = 0
*May 23 11:02:28.900: ISAKMP:(1037): peer wants a CT_X509_SIGNATURE cert
*May 23 11:02:28.900: ISAKMP:(1037): peer wants cert issued by cn=SUB-CA2
*May 23 11:02:28.904: ISAKMP:(1037): issuer name is not a trusted root.
*May 23 11:02:28.904: ISAKMP:(1037): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 23.23.23.1)
*May 23 11:02:28.908: ISAKMP:(1037): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 23.23.23.1)
*May 23 11:02:28.908: ISAKMP:(1037):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*May 23 11:02:28.912: ISAKMP:(1037):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*May 23 11:02:28.912: ISAKMP (1037): ID payload
        next-payload : 6
        type         : 1
        address      : 12.12.12.1
        protocol     : 17
        port         : 500
        length       : 12
*May 23 11:02:28.912: ISAKMP:(1037):Total payload length: 12
*May 23 11:02:28.912: ISAKMP:(1037): no valid cert found to return
*May 23 11:02:28.912: ISAKMP: set new node 1744388436 to QM_IDLE      
*May 23 11:02:28.912: ISAKMP:(1037):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
        spi 0, message ID = 1744388436
*May 23 11:02:28.912: ISAKMP:(1037): sending packet to 23.23.23.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 23 11:02:28.912: ISAKMP:(1037):Sending an IKE IPv4 Packet.
*May 23 11:02:28.912: ISAKMP:(1037):purging node 1744388436
*May 23 11:02:28.912: ISAKMP (1037): FSM action returned error: 2
*May 23 11:02:28.912: ISAKMP:(1037):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 23 11:02:28.912: ISAKMP:(1037):Old State = IKE_I_MM4  New State = IKE_I_MM5
.
Success rate is 0 percent (0/5)
Site1(config-if)#
*May 23 11:02:38.752: ISAKMP:(1037): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*May 23 11:02:38.864: ISAKMP (1037): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 23 11:02:38.868: ISAKMP:(1037): phase 1 packet is a duplicate of a previous packet.
*May 23 11:02:38.868: ISAKMP:(1037): retransmitting due to retransmit phase 1
*May 23 11:02:38.872: ISAKMP:(1037): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Site1(config-if)#
*May 23 11:02:48.876: ISAKMP (1037): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 23 11:02:48.876: ISAKMP:(1037): phase 1 packet is a duplicate of a previous packet.
*May 23 11:02:48.880: ISAKMP:(1037): retransmitting due to retransmit phase 1
*May 23 11:02:48.880: ISAKMP:(1037): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Site1(config-if)#
*May 23 11:02:58.596: ISAKMP: set new node 0 to QM_IDLE      
*May 23 11:02:58.596: ISAKMP:(1037):SA is still budding. Attached new ipsec request to it. (local 12.12.12.1, remote 23.23.23.1)
*May 23 11:02:58.600: ISAKMP: Error while processing SA request: Failed to initialize SA
*May 23 11:02:58.600: ISAKMP: Error while processing KMI message 0, error 2.
*May 23 11:02:58.860: ISAKMP (1037): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 23 11:02:58.860: ISAKMP:(1037): phase 1 packet is a duplicate of a previous packet.
*May 23 11:02:58.864: ISAKMP:(1037): retransmitting due to retransmit phase 1
Site1(config-if)#
*May 23 11:02:58.864: ISAKMP:(1037): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Site1(config-if)#
*May 23 11:03:08.872: ISAKMP (1037): received packet from 23.23.23.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 23 11:03:08.876: ISAKMP:(1037): phase 1 packet is a duplicate of a previous packet.
*May 23 11:03:08.876: ISAKMP:(1037): retransmitting due to retransmit phase 1
*May 23 11:03:08.880: ISAKMP:(1037): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH


These are the Site2 logs

-----------------------

Site2(ca-trustpoint)#
*May 23 11:01:08.938: ISAKMP (0): received packet from 12.12.12.1 dport 500 sport 500 Global (N) NEW SA
*May 23 11:01:08.942: ISAKMP: Created a peer struct for 12.12.12.1, peer port 500
*May 23 11:01:08.942: ISAKMP: New peer created peer = 0x65B78948 peer_handle = 0x80000029
*May 23 11:01:08.942: ISAKMP: Locking peer struct 0x65B78948, refcount 1 for crypto_isakmp_process_block
*May 23 11:01:08.946: ISAKMP: local port 500, remote port 500
*May 23 11:01:08.950: ISAKMP:(0):insert sa successfully sa = 67EAEBC4
*May 23 11:01:08.950: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 23 11:01:08.954: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*May 23 11:01:08.962: ISAKMP:(0): processing SA payload. message ID = 0
*May 23 11:01:08.962: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.966: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 23 11:01:08.966: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 23 11:01:08.966: ISAKMP:(0): proce
Site2(ca-trustpoint)#ssing vendor id payload
*May 23 11:01:08.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 23 11:01:08.970: ISAKMP (0): vendor ID is NAT-T v7
*May 23 11:01:08.974: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.974: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May 23 11:01:08.974: ISAKMP:(0): vendor ID is NAT-T v3
*May 23 11:01:08.974: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.974: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 23 11:01:08.974: ISAKMP:(0): vendor ID is NAT-T v2
*May 23 11:01:08.974: ISAKMP : Scanning profiles for xauth ... site2-profile
*May 23 11:01:08.974: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 12.12.12.1)
*May 23 11:01:08.974: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 12.12.12.1)
*May 23 11:01:08.974: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*May 23 11:01:08.974: ISAKMP:      
Site2(ca-trustpoint)#encryption AES-CBC
*May 23 11:01:08.974: ISAKMP:      keylength of 128
*May 23 11:01:08.974: ISAKMP:      hash SHA256
*May 23 11:01:08.974: ISAKMP:      default group 1
*May 23 11:01:08.974: ISAKMP:      auth RSA sig
*May 23 11:01:08.974: ISAKMP:      life type in seconds
*May 23 11:01:08.974: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*May 23 11:01:08.974: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 23 11:01:08.974: ISAKMP:(0):Acceptable atts:actual life: 0
*May 23 11:01:08.974: ISAKMP:(0):Acceptable atts:life: 0
*May 23 11:01:08.974: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 23 11:01:08.974: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 23 11:01:08.974: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 12.12.12.1)
*May 23 11:01:08.986: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 12.12.12.1)
*May 23 11:01:08.986: ISAKMP:(0):Returning Actual lifetime: 86400
*May 23 11:01:08.986: ISAKMP:(0)::Sta
Site2(ca-trustpoint)#rted lifetime timer: 86400.

*May 23 11:01:08.990: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.990: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 23 11:01:08.990: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 23 11:01:08.990: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.990: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 23 11:01:08.990: ISAKMP (0): vendor ID is NAT-T v7
*May 23 11:01:08.990: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.990: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*May 23 11:01:08.990: ISAKMP:(0): vendor ID is NAT-T v3
*May 23 11:01:08.990: ISAKMP:(0): processing vendor id payload
*May 23 11:01:08.990: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 23 11:01:08.990: ISAKMP:(0): vendor ID is NAT-T v2
*May 23 11:01:08.990: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 23 11:01:08.990: ISAKMP:(0):Old State = IKE_R_MM1  New
Site2(ca-trustpoint)#State = IKE_R_MM1

*May 23 11:01:08.990: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 23 11:01:08.990: ISAKMP:(0): sending packet to 12.12.12.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*May 23 11:01:08.990: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 23 11:01:08.990: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 23 11:01:08.990: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*May 23 11:01:09.110: ISAKMP (0): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*May 23 11:01:09.114: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 23 11:01:09.114: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*May 23 11:01:09.118: ISAKMP:(0): processing KE payload. message ID = 0
*May 23 11:01:09.118: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 23 11:01:09.126: ISAKMP:(1045): processing vendor id payload
*May 23 11:01:09.126: ISAKMP:(1045): vendor ID is DPD
*May 23 11:01:09.130: ISAKMP:(1045):
Site2(ca-trustpoint)#processing vendor id payload
*May 23 11:01:09.130: ISAKMP:(1045): speaking to another IOS box!
*May 23 11:01:09.130: ISAKMP:(1045): processing vendor id payload
*May 23 11:01:09.130: ISAKMP:(1045): vendor ID seems Unity/DPD but major 244 mismatch
*May 23 11:01:09.130: ISAKMP:(1045): vendor ID is XAUTH
*May 23 11:01:09.130: ISAKMP:received payload type 20
*May 23 11:01:09.130: ISAKMP (1045): His hash no match - this node outside NAT
*May 23 11:01:09.130: ISAKMP:received payload type 20
*May 23 11:01:09.130: ISAKMP (1045): No NAT Found for self or peer
*May 23 11:01:09.130: ISAKMP:(1045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 23 11:01:09.130: ISAKMP:(1045):Old State = IKE_R_MM3  New State = IKE_R_MM3

*May 23 11:01:09.130: ISAKMP:(1045): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 12.12.12.1)
*May 23 11:01:09.130: ISAKMP:(1045): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 12.12.12.1)
*May 23 11:01:09.130: ISAKMP:(1045
Site2(ca-trustpoint)#): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 12.12.12.1)
*May 23 11:01:09.130: ISAKMP:(1045): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 12.12.12.1)
*May 23 11:01:09.130: ISAKMP (1045): constructing CERT_REQ for issuer cn=SUB-CA2
*May 23 11:01:09.130: ISAKMP:(1045): sending packet to 12.12.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 23 11:01:09.130: ISAKMP:(1045):Sending an IKE IPv4 Packet.
*May 23 11:01:09.130: ISAKMP:(1045):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 23 11:01:09.130: ISAKMP:(1045):Old State = IKE_R_MM3  New State = IKE_R_MM4

*May 23 11:01:09.218: ISAKMP (1045): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 23 11:01:09.222: ISAKMP: set new node 1744388436 to QM_IDLE      
*May 23 11:01:09.226: ISAKMP (1045): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 23 11:01:09.230: ISAKMP (1045): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_
Site2(ca-trustpoint)#KEY_EXCH
*May 23 11:01:09.238: ISAKMP (1045): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 23 11:01:09.242: ISAKMP (1045): received packet from 12.12.12.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 23 11:01:09.242: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 12.12.12.1 to 23.23.23.1.
Site2(ca-trustpoint)#
*May 23 11:01:19.130: ISAKMP:(1045): retransmitting phase 1 MM_KEY_EXCH...
*May 23 11:01:19.130: ISAKMP (1045): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 23 11:01:19.134: ISAKMP:(1045): retransmitting phase 1 MM_KEY_EXCH
*May 23 11:01:19.134: ISAKMP:(1045): sending packet to 12.12.12.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 23 11:01:19.138: ISAKMP:(1045):Sending an IKE IPv4 Packet.
Site2(ca-trustpoint)#


Accepted Solution: the original poster's reply below, which states that the problem was solved with the crypto pki certificate map command.

13 Replies

Hi,

From the debug logs I see this:

May 23 11:02:28.908: ISAKMP:(1037):Unable to get router cert or routerdoes not have a cert: needed to find DN!

Can you please provide the output of show crypto pki certificates from both routers.

Yes. Thanks for your attention.

SITE1

-------------

Site1(config-crypto-map)#do show crypto pki cer
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA-SERVER
  Subject:
    cn=CA-SERVER
  Validity Date:
    start date: 20:41:48 IRDT May 22 2018
    end   date: 20:41:48 IRDT May 21 2020
  Associated Trustpoints: CA-SERVER
  Storage: nvram:CA-SERVER#1CA.cer

Certificate
  Status: Available
  Certificate Serial Number (hex): 04
  Certificate Usage: General Purpose
  Issuer:
    cn=SUB-CA1
  Subject:
    Name: Site1.TEST.com
    cn=Site1.TEST.com
  Validity Date:
    start date: 14:36:12 IRDT May 23 2018
    end   date: 14:36:12 IRDT May 28 2018
  Associated Trustpoints: SUB-CA1
  Storage: nvram:SUB-CA1#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 06
  Certificate Usage: Signature
  Issuer:
    cn=CA-SERVER
  Subject:
    cn=SUB-CA1
  Validity Date:
    start date: 23:07:39 IRDT May 22 2018
    end   date: 23:07:39 IRDT Oct 4 2019
  Associated Trustpoints: SUB-CA1
  Storage: nvram:CA-SERVER#6CA.cer

SITE2

-----------

Site2(config)#do show crypt pki cer
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA-SERVER
  Subject:
    cn=CA-SERVER
  Validity Date:
    start date: 20:41:48 IRDT May 22 2018
    end   date: 20:41:48 IRDT May 21 2020
  Associated Trustpoints: CA-SERVER

Certificate
  Status: Available
  Certificate Serial Number (hex): 06
  Certificate Usage: General Purpose
  Issuer:
    cn=SUB-CA2
  Subject:
    Name: Site2.TEST.com
    cn=Site2.TEST.com
  Validity Date:
    start date: 14:36:41 IRDT May 23 2018
    end   date: 14:36:41 IRDT May 28 2018
  Associated Trustpoints: SUB-CA2
  Storage: nvram:SUB-CA2#6.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 07
  Certificate Usage: Signature
  Issuer:
    cn=CA-SERVER
  Subject:
    cn=SUB-CA2
  Validity Date:
    start date: 23:17:27 IRDT May 22 2018
    end   date: 23:17:27 IRDT Oct 4 2019
  Associated Trustpoints: SUB-CA2
  Storage: nvram:CA-SERVER#7CA.cer

Ok, I can see each router has its own certificate and its sub-CA and root CA certificates, but the routers do not have the other router's SUB-CA certificate. Therefore they would not trust the certificate being used by the other router.

I've not personally tried this CA configuration you are using, but I would ensure that all routers have both SUB-CA certificates, so they can validate the entire certificate chain.

HTH

Thanks a lot.

It works, but I want to be sure: can you explain why we need both SUB-CAs in each router? Because I thought that when we have the ROOT-CA certificate it does the chain validation from ROOT-CA to each SUB-CA, and because of that we would not need the other side's SUB-CA certificate. Am I wrong?

Hi again. Any answer for my question? I really need to do chain validation from Root-CA.

Have a look at the following link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu25917/?rfs=iqvred


HTH

Bogdan

Thanks

Thanks, I tested it as it said in the link, but unfortunately it did not work. Do you have any other idea?

Thank you. It is a disaster.

Hi, can somebody help me in this scenario? I need to do chain validation from CA-SERVER. The routers get CRLs from CA-SERVER, but IPsec is not working.
I think the problem is with this message. I can't find any solution:
*May 26 10:30:00.467: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 12.12.12.1 is bad: certificate invalid

Can you paste the Site1 and Site2 IPsec configurations as well?

Sorry, at this time I don't have the configuration; also, the problem is solved.

Hi again

As a quick answer I can say the problem was solved with the crypto pki certificate map command.

Cisco explanation:

Certificate maps provide the ability for a certificate to be matched with a given set of criteria. ISAKMP profiles can bind themselves to certificate maps, and if the presented certificate matches the certificate map present in an ISAKMP profile, the peer will be assigned the ISAKMP profile.

Source: Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS XE Release 3S

Eyenan (Cisco Employee)

This seems to be expected behavior, as explained in https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu2591

Installing the CA certificate of the peer's ID-cert issuer locally, but not referencing it in the ISAKMP profile (or IKEv2 profile), would be treated as a misconfiguration. Either do not install the CA certificate of the peer's ID-cert issuer locally, in which case IOS will anchor the certificate-chain validation to the Root-CA trustpoint automatically, or install the CA certificate of the peer's ID-cert issuer locally and refer to it under the ISAKMP profile or the IKEv2 profile.

Expected behaviour: PKI should include a case where, if the peer certificate chain contains a certificate issued by an "untrusted" certificate, it should anchor the validation to the trustpoint containing the issuer of the "untrusted issuer". In the case above, the validation of "Peer-2-ID Cert" should be carried out by anchoring its validation to "Root-CA". Note: this behavior is consistent across IKEv1 and IKEv2.
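To make the chain-validation behaviour discussed in this thread concrete, here is an added example (written for this page, not Cisco's or IOS's code) that rebuilds the thread's PKI with Go's crypto/x509 standing in for the router's PKI engine and checks Site2's certificate from Site1's side in the three situations the replies describe: SUB-CA2 unknown to Site1, SUB-CA2 installed as a trustpoint (the workaround), and SUB-CA2 presented in the peer's chain and anchored to CA-SERVER (the expected behaviour). Only the CA and site names come from the thread; keys, serials and lifetimes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root (CA-SERVER)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// validatePeer: trustpoints are the CA certs installed locally (anchors); presented are CA certs sent by the peer.
func validatePeer(peerLeaf *x509.Certificate, presented, trustpoints []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustpoints {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := peerLeaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Lab mirrors the thread: CA-SERVER issues SUB-CA1 and SUB-CA2, which issue Site1 and Site2.
type Lab struct{ Root, SubCA1, SubCA2, Site1, Site2 *x509.Certificate }

func BuildLab() Lab {
	root, rootKey := newCert("CA-SERVER", true, nil, nil)
	sub1, sub1Key := newCert("SUB-CA1", true, root, rootKey)
	sub2, sub2Key := newCert("SUB-CA2", true, root, rootKey)
	site1, _ := newCert("Site1.TEST.com", false, sub1, sub1Key)
	site2, _ := newCert("Site2.TEST.com", false, sub2, sub2Key)
	return Lab{root, sub1, sub2, site1, site2}
}

// Site1Validates checks Site2's certificate from Site1's side in the three situations the thread discusses.
func Site1Validates(l Lab) (leafOnly, bothSubCAs, rootAnchored error) {
	own := []*x509.Certificate{l.Root, l.SubCA1} // what Site1's original config installs
	leafOnly = validatePeer(l.Site2, nil, own)                               // SUB-CA2 unknown: rejected
	bothSubCAs = validatePeer(l.Site2, nil, append(own, l.SubCA2))           // workaround: SUB-CA2 installed too
	rootAnchored = validatePeer(l.Site2, []*x509.Certificate{l.SubCA2}, own) // SUB-CA2 presented, anchored to CA-SERVER
	return
}

func main() {
	leafOnly, bothSubCAs, rootAnchored := Site1Validates(BuildLab())
	fmt.Println("leaf only:", leafOnly, "| SUB-CA2 installed:", bothSubCAs, "| SUB-CA2 presented:", rootAnchored)
}
```

The first case reproduces the thread's failure (Site1 only knows CA-SERVER and SUB-CA1, so a certificate issued by SUB-CA2 has no path to a trust anchor); the other two pass because the chain reaches an installed anchor, either SUB-CA2 itself or CA-SERVER via the presented SUB-CA2 certificate.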