10-26-2014 08:26 PM - edited 02-21-2020 07:54 PM
I am currently studying for CCNA Security, and I would like to be able to configure a site-to-site VPN with RSA signatures, with a Windows Server 2012 acting as AD and CA. I have already enabled SCEP on Windows Server 2012 and disabled the enrollment challenge password.
For two days I have been completely stuck on an MM_KEY_EXCH error.
Here is my lab:
http://i59.tinypic.com/2502h76.png
I have three 3600 routers running IOS 12.4(16) - C3640-JK9S-M.
On the left is my Active Directory/CA with a static NAT from 192.168.2.254 to 1.1.1.3, so it can be reached from outside by R2.
On the right, just an outside client.
I am trying to authenticate R1 and R2 with RSA signatures from my AD/CA.
I have already tried NAT-T...
The clocks on both routers match the clock of the AD/CA.
Some configuration:
R1 (1.1.1.2)
ip domain name cisco.ca
!
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
fqdn R1.cisco.ca
subject-name cn=R1.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set SET
set pfs group2
match address VPN
R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R1.cisco.ca
cn=R1.cisco.ca
hostname=R1.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:15:11 UTC Oct 26 2014
end date: 21:15:11 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
R2 (2.2.2.2)
ip domain name cisco.ca
!
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
fqdn R2.cisco.ca
subject-name cn=R2.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set SET
set pfs group2
match address VPN
R2#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R2.cisco.ca
cn=R2.cisco.ca
hostname=R2.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:18:03 UTC Oct 26 2014
end date: 21:18:03 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
Here are some errors that I get:
Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
.....
Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid Validity period starts on 21:18:03 UTC Oct 26 2014
Output of show crypto isakmp sa:
R1#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 2.2.2.2 MM_KEY_EXCH 42 0 ACTIVE
1.1.1.2 2.2.2.2 MM_KEY_EXCH 41 0 ACTIVE
1.1.1.2 2.2.2.2 MM_NO_STATE 40 0 ACTIVE (deleted)
1.1.1.2 2.2.2.2 MM_NO_STATE 39 0 ACTIVE (deleted)
I would appreciate if someone can help me on this.
Thanks
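As an added example for this thread (not code from the original post), the following script checks whether a router certificate was inside its validity window at the moment a debug or syslog line was logged, using the `Validity Date` block exactly as `show crypto pki certificates` prints it and an IOS syslog timestamp such as `Oct 26 18:35:22.175`. The sample input is copied from the R2 output and the `%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID` line above. Two assumptions are built in and marked in the code: IOS omits the year from syslog timestamps, so the year is passed in; and the syslog timestamp is taken to be UTC, the same zone the certificate dates are printed in (if `service timestamps` is set to localtime, convert first).

```python
"""Check whether an IOS certificate was valid when a debug/syslog line fired.

Added example for this thread, not code from the original post. It reads the
'Validity Date' block as 'show crypto pki certificates' prints it and an IOS
syslog timestamp such as 'Oct 26 18:35:22.175'. IOS omits the year from the
syslog timestamp, so the year is passed in (assumption: same year as the
certificate). The syslog timestamp is also assumed to be in UTC, matching the
certificate dates; if 'service timestamps' uses localtime, adjust first.
"""
import re
from datetime import datetime, timezone

VALIDITY_RE = re.compile(
    r"start date:\s*(?P<start>[^\n]+)\n\s*end date:\s*(?P<end>[^\n]+)"
)
SYSLOG_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
)


def parse_ios_date(text):
    """'21:18:03 UTC Oct 26 2014' -> timezone-aware datetime (UTC only)."""
    clock, tz, mon, day, year = text.split()
    if tz != "UTC":
        raise ValueError(f"only UTC validity dates are handled, got {tz!r}")
    naive = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_syslog_ts(line, year):
    """'Oct 26 18:35:22.175: %PKI-3-...' -> datetime (msec dropped, UTC assumed)."""
    m = SYSLOG_TS_RE.match(line)
    if not m:
        raise ValueError("no IOS syslog timestamp at start of line")
    naive = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"
    )
    return naive.replace(tzinfo=timezone.utc)


def check_validity(cert_text, event_time):
    """Return the cert's validity state at event_time and the offset to the window.

    'seconds_until_valid' > 0 means that, at the moment the event was logged,
    the clock used for validation was at least that far behind the CA's clock
    when it issued the certificate: the cert had not started yet.
    """
    m = VALIDITY_RE.search(cert_text)
    if not m:
        raise ValueError("no Validity Date block found")
    start = parse_ios_date(m["start"].strip())
    end = parse_ios_date(m["end"].strip())
    if event_time < start:
        return {"status": "not yet valid",
                "seconds_until_valid": int((start - event_time).total_seconds())}
    if event_time > end:
        return {"status": "expired",
                "seconds_since_expiry": int((event_time - end).total_seconds())}
    return {"status": "valid",
            "seconds_until_expiry": int((end - event_time).total_seconds())}


# Sample input copied from the R2 certificate output and the debug line in the post.
R2_CERT = """\
Validity Date:
  start date: 21:18:03 UTC Oct 26 2014
  end date: 21:18:03 UTC Oct 25 2016
"""
EVENT_LINE = ("Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: "
              "Certificate chain validation has failed.")

if __name__ == "__main__":
    when = parse_syslog_ts(EVENT_LINE, 2014)  # year assumed, see module docstring
    print(when.isoformat(), check_validity(R2_CERT, when))
```

Run against the pasted output, the script reports the R2 certificate as not yet valid at the logged time, with the start of the window 9761 seconds (2 h 42 min 41 s) after the timestamp on the debug line. That gap is the first number to reconcile (router clock, CA clock, and the time zone each one prints in) before looking further at the RSA-sig exchange.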