12-06-2022 01:38 AM
Hi
I'm setting up IPSec with certification lab.
Version: Cisco IOS XE Software, Version 17.07.01
Config as follows:
crypto isakmp policy 1
encryption aes 256
hash sha
group 5
lifetime 28800
crypto isakmp identity dn
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set Winston esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map Winston 10 ipsec-isakmp
description Winston to HQ
set peer 10.10.10.12
set transform-set Winston
set pfs group5
match address 101
!
interface Cellular0/1/0
description WAN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast source reachable-via rx allow-default
ip tcp adjust-mss 1460
load-interval 30
dialer in-band
dialer idle-timeout 30
dialer watch-group 1
dialer-group 1
ntp disable
pulse-time 1
crypto map Winston
ip virtual-reassembly
!
ip access-list extended 101
10 permit ip 10.26.5.0 0.0.0.255 10.27.0.0 0.0.255.255 log
I load the CA root certificate into each router and then enroll manually for an Identity certificate.
Both root and identity certificates get installed, and I apply it to the crypto map.
However, it keeps failing, even with New State = IKE_P1_COMPLETE and QM_IDLE.
Debug as attached.
All thoughts welcome.
Thank you
Regards
12-06-2022 01:47 AM - edited 12-06-2022 01:52 AM
@owen2 crypto map VPN is deprecated from 17.6; at a guess I assume it's related.
As you are running 17.7 you'd need to use DMVPN or FlexVPN.
12-06-2022 01:55 AM
@Rob Ingram Using PSK is able to bring up the tunnel.
In order to use crypto map VPN, do I downgrade to 17.6.5 or before that?
12-06-2022 02:05 AM - edited 12-06-2022 04:37 AM
I will check the debug you shared.
12-06-2022 04:42 AM
Unable to get DN from certificate! 001537: *Dec 6 12:09:33.739 SGP: ISAKMP-ERROR: (1002):Cert presented by peer contains no OU field
no DN and no OU
sh crypto ca cert
Can you share this?
12-07-2022 10:05 PM
Output as below.
Winston-R1#sh cry pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 068251349703611575CC
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IR1101-K9
Serial Number: PID:IR1101-K9 SN:FCW2615YCP3
cn=IR1101-K9
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IR1101-K9 SN:FCW2615YCP3
Validity Date:
start date: 11:35:58 SGP Apr 8 2022
end date: 04:58:26 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI
CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 04:28:08 SGP Aug 12 2016
end date: 04:58:27 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool
CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 04:58:28 SGP Aug 10 2016
end date: 04:58:28 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool
Certificate
Status: Available
Certificate Serial Number (hex): 7A000064E014D6E1575E1CD5750001000064E0
Certificate Usage: General Purpose
Issuer:
cn=Root-CA
Subject:
Name: Winston-R1
CRL Distribution Point:
file:////PPHQMRoot-CA/CertEnroll/Root%20CA.crl
Validity Date:
start date: 11:34:08 SGP Dec 5 2022
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Winston#64E0.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 3484C2B214CBBDB7439355A0D5544868
Certificate Usage: Signature
Issuer:
cn=Root-CA
Subject:
cn=Root-CA
Validity Date:
start date: 15:07:24 SGP Aug 4 2016
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Root-CA#4868CA.cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Licensing Root CA
o=Cisco
Subject:
cn=Cisco Licensing Root CA
o=Cisco
Validity Date:
start date: 03:48:47 SGP May 31 2013
end date: 03:48:47 SGP May 31 2038
Associated Trustpoints: Trustpool SLA-TrustPoint
Storage: nvram:CiscoLicensi#1CA.cer
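As an added example (not code from this thread or from Cisco), a small Python check that parses the `sh cry pki cert` output above and flags identity certificates whose Subject carries none of the DN attributes that `crypto isakmp identity dn` relies on; the embedded sample is a constructed excerpt of the posted output, and the cn/ou requirement is an assumption drawn from the "contains no OU field" error quoted earlier.

```python
import re

# Constructed excerpt of the 'sh cry pki cert' output posted above: the SUDI
# identity certificate (has cn/ou) and the Winston identity certificate (has neither).
SAMPLE = """\
Certificate
  Issuer:
    cn=High Assurance SUDI CA
  Subject:
    Name: IR1101-K9
    cn=IR1101-K9
    ou=ACT-2 Lite SUDI
    o=Cisco
  Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
  Issuer:
    cn=Root-CA
  Subject:
    Name: Winston-R1
  Associated Trustpoints: Winston
"""
def parse_certs(text):
    """One dict per certificate: kind ('Certificate' or 'CA Certificate'), subject attrs, trustpoints."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Certificate", "CA Certificate"):
            cur = {"kind": line, "subject": {}, "trustpoints": []}
            certs.append(cur)
            section = None
        elif cur is None:
            continue
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif line.endswith(":") and "=" not in line:
            section = line[:-1].lower()          # "Issuer:", "Subject:", "Validity Date:" ...
        elif section == "subject" and (m := re.match(r"^([A-Za-z]+)=(.*)$", line)):
            cur["subject"][m.group(1).lower()] = m.group(2)
    return certs

def check_identity_dn(certs, required=("cn", "ou")):
    """Map trustpoint -> Subject attributes missing from each identity (non-CA) certificate.
    Assumed requirement: 'crypto isakmp identity dn' needs cn/ou in the peer's certificate."""
    problems = {}
    for c in certs:
        missing = [a for a in required if a not in c["subject"]]
        if c["kind"] == "Certificate" and missing:
            problems[" ".join(c["trustpoints"])] = missing
    return problems
```

Run against the full router output, the Winston trustpoint is reported with both cn and ou missing, while the SUDI certificate passes.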
12-08-2022 01:55 AM
How to Configure a LAN-to-LAN IPSec Between a Router and a PIX Using Digital Certificates - Cisco
"enroll manually for an Identity certificate"
I think this step is wrong. Check the link above.