IPSec VPN certificate error

owen2 (Beginner)

Hi

I'm setting up an IPSec-with-certificates lab.

Version: Cisco IOS XE Software, Version 17.07.01
Config as follows:

crypto isakmp policy 1
encryption aes 256
hash sha
group 5
lifetime 28800
crypto isakmp identity dn
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set Winston esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map Winston 10 ipsec-isakmp
description Winston to HQ
set peer 10.10.10.12
set transform-set Winston
set pfs group5
match address 101
!
interface Cellular0/1/0
description WAN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast source reachable-via rx allow-default
ip tcp adjust-mss 1460
load-interval 30
dialer in-band
dialer idle-timeout 30
dialer watch-group 1
dialer-group 1
ntp disable
pulse-time 1
crypto map Winston
ip virtual-reassembly
!
ip access-list extended 101
10 permit ip 10.26.5.0 0.0.0.255 10.27.0.0 0.0.255.255 log

I load the CA root certificate into each router and then enroll manually for an Identity certificate.
Both root and identity certificate get installed and I apply it to the crypto map.

However, it keeps failing, even though it reaches New State = IKE_P1_COMPLETE with QM_IDLE.
Debug attached.

All thoughts welcome.

Thank you

Regards

6 Replies

Rob Ingram (VIP Master)

@owen2 crypto map VPN is deprecated from 17.6; at a guess I assume it's related.

As you are running 17.7 you'd need to use DMVPN or FlexVPN.

@Rob Ingram using PSK I am able to bring up the tunnel.
In order to use crypto map VPN, should I downgrade to 17.6.5 or earlier?

I will check the debug you shared.

MHM Cisco World (VIP Mentor)
Unable to get DN from certificate!
001537: *Dec  6 12:09:33.739 SGP: ISAKMP-ERROR: (1002):Cert presented by peer contains no OU field

No DN and no OU.

sh crypto ca cert

Can you share this?

@MHM Cisco World

Output as below.

Winston-R1#sh cry pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 068251349703611575CC
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IR1101-K9
Serial Number: PID:IR1101-K9 SN:FCW2615YCP3
cn=IR1101-K9
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IR1101-K9 SN:FCW2615YCP3
Validity Date:
start date: 11:35:58 SGP Apr 8 2022
end date: 04:58:26 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 04:28:08 SGP Aug 12 2016
end date: 04:58:27 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 04:58:28 SGP Aug 10 2016
end date: 04:58:28 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool

Certificate
Status: Available
Certificate Serial Number (hex): 7A000064E014D6E1575E1CD5750001000064E0
Certificate Usage: General Purpose
Issuer:
cn=Root-CA
Subject:
Name: Winston-R1
CRL Distribution Point:
file:////PPHQMRoot-CA/CertEnroll/Root%20CA.crl
Validity Date:
start date: 11:34:08 SGP Dec 5 2022
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Winston#64E0.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 3484C2B214CBBDB7439355A0D5544868
Certificate Usage: Signature
Issuer:
cn=Root-CA
Subject:
cn=Root-CA
Validity Date:
start date: 15:07:24 SGP Aug 4 2016
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Root-CA#4868CA.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Licensing Root CA
o=Cisco
Subject:
cn=Cisco Licensing Root CA
o=Cisco
Validity Date:
start date: 03:48:47 SGP May 31 2013
end date: 03:48:47 SGP May 31 2038
Associated Trustpoints: Trustpool SLA-TrustPoint
Storage: nvram:CiscoLicensi#1CA.cer

How to Configure a LAN-to-LAN IPSec Between a Router and a PIX Using Digital Certificates - Cisco

"enroll manually for an Identity certificate"

I think this step is wrong. Check the link above.
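The debug lines quoted earlier ("Unable to get DN from certificate!" and "Cert presented by peer contains no OU field") and the `show crypto pki certificates` output above point the same way: with `crypto isakmp identity dn` the router uses the certificate subject DN as its IKE identity, and the identity certificate on trustpoint Winston shows only a "Name: Winston-R1" line with no cn/ou attributes, unlike the SUDI certificate, which carries cn, ou and o. The script below is an added example written for this thread, not Cisco tooling and not code from any poster. It parses the posted show output (a trimmed copy is embedded as sample input) into per-certificate records and flags identity certificates on a given trustpoint whose subject lacks cn or ou, which is the check I would run before re-enrolling. It assumes the flattened output format seen above; indented output from a real terminal is handled by stripping leading whitespace.

```python
"""Flag IOS identity certificates whose subject lacks the DN fields IKE needs.

Added example (not Cisco tooling and not from the thread). It parses
'show crypto pki certificates' text and checks each identity (non-CA)
certificate on a trustpoint for cn and ou subject attributes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

ATTR_RE = re.compile(r"^([A-Za-z]+)=(.*)$")   # DN attribute line, e.g. "cn=Root-CA"
SECTION_HEADERS = {"issuer", "subject", "validity date",
                   "crl distribution point", "crl distribution points"}

# Sample input, trimmed from the output posted in the thread (SUDI identity
# cert, Winston identity cert, Root-CA cert). Indentation is optional.
SAMPLE_SHOW_OUTPUT = """\
Winston-R1#sh cry pki cert
Certificate
  Status: Available
  Certificate Serial Number (hex): 068251349703611575CC
  Certificate Usage: General Purpose
  Issuer:
    o=Cisco
    cn=High Assurance SUDI CA
  Subject:
    Name: IR1101-K9
    Serial Number: PID:IR1101-K9 SN:FCW2615YCP3
    cn=IR1101-K9
    ou=ACT-2 Lite SUDI
    o=Cisco
    serialNumber=PID:IR1101-K9 SN:FCW2615YCP3
  Associated Trustpoints: CISCO_IDEVID_SUDI

Certificate
  Status: Available
  Certificate Serial Number (hex): 7A000064E014D6E1575E1CD5750001000064E0
  Certificate Usage: General Purpose
  Issuer:
    cn=Root-CA
  Subject:
    Name: Winston-R1
  CRL Distribution Point:
    file:////PPHQMRoot-CA/CertEnroll/Root%20CA.crl
  Validity Date:
    start date: 11:34:08 SGP Dec 5 2022
    end date: 13:29:56 SGP Jun 10 2025
  Associated Trustpoints: Winston
  Storage: nvram:Winston#64E0.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 3484C2B214CBBDB7439355A0D5544868
  Issuer:
    cn=Root-CA
  Subject:
    cn=Root-CA
  Associated Trustpoints: Winston
"""


@dataclass
class PkiCert:
    is_ca: bool
    fields: Dict[str, str] = field(default_factory=dict)   # Status, serial, usage, dates, storage
    issuer: Dict[str, str] = field(default_factory=dict)   # DN attributes, lower-cased keys
    subject: Dict[str, str] = field(default_factory=dict)
    subject_name: str = ""        # "Name:" under Subject is a hostname, not a DN attribute
    crl: List[str] = field(default_factory=list)
    trustpoints: List[str] = field(default_factory=list)


def parse_pki_certificates(text: str) -> List[PkiCert]:
    """Split 'show crypto pki certificates' output into PkiCert records."""
    certs: List[PkiCert] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Certificate", "CA Certificate"):
            certs.append(PkiCert(is_ca=line.startswith("CA")))
            section = None
            continue
        if not certs:
            continue                       # prompt / command echo before the first certificate
        cert = certs[-1]
        if line.endswith(":") and line[:-1].lower() in SECTION_HEADERS:
            section = line[:-1].lower()
        elif section in ("issuer", "subject") and (m := ATTR_RE.match(line)):
            target = cert.issuer if section == "issuer" else cert.subject
            target[m.group(1).lower()] = m.group(2).strip()
        elif section == "subject" and line.startswith("Name:"):
            cert.subject_name = line.split(":", 1)[1].strip()
        elif section and section.startswith("crl"):
            cert.crl.append(line)
        elif ": " in line:                 # generic "key: value" line
            key, value = line.split(": ", 1)
            if key == "Associated Trustpoints":
                cert.trustpoints = value.split()
            else:
                cert.fields[key] = value.strip()
    return certs


def check_identity_dn(certs: List[PkiCert], trustpoint: str,
                      required=("cn", "ou")) -> Dict[str, List[str]]:
    """Map serial -> missing subject attributes for identity certs on `trustpoint`."""
    findings: Dict[str, List[str]] = {}
    for cert in certs:
        if cert.is_ca or trustpoint not in cert.trustpoints:
            continue
        missing = [attr for attr in required if attr not in cert.subject]
        if missing:
            findings[cert.fields.get("Certificate Serial Number (hex)", "?")] = missing
    return findings
```

Running `check_identity_dn(parse_pki_certificates(SAMPLE_SHOW_OUTPUT), "Winston")` reports the Winston identity certificate as missing both cn and ou, while the same check against `CISCO_IDEVID_SUDI` is clean. The required attribute set is a parameter because an ISAKMP profile's `match identity dn` or a certificate map may key on other fields (o, or a specific ou value); pass whatever your peer's policy expects.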
