cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
795
Views
0
Helpful
6
Replies

IPSec VPN certificate error

owen2
Level 1
Level 1

Hi

I'm setting up IPSec with certification lab.

Version: Cisco IOS XE Software, Version 17.07.01
config as follow:

crypto isakmp policy 1
encryption aes 256
hash sha
group 5
lifetime 28800
crypto isakmp identity dn
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set Winston esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map Winston 10 ipsec-isakmp
description Winston to HQ
set peer 10.10.10.12
set transform-set Winston
set pfs group5
match address 101
!
interface Cellular0/1/0
description WAN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip verify unicast source reachable-via rx allow-default
ip tcp adjust-mss 1460
load-interval 30
dialer in-band
dialer idle-timeout 30
dialer watch-group 1
dialer-group 1
ntp disable
pulse-time 1
crypto map Winston
ip virtual-reassembly
!
ip access-list extended 101
10 permit ip 10.26.5.0 0.0.0.255 10.27.0.0 0.0.255.255 log

I load the CA root certificate into each router and then enroll manually for an Identity certificate.
Both root and identity certificate get installed and I apply it to the crypto map.

however, it keeps failing. even New State = IKE_P1_COMPLETE with QM_IDLE
debug as attach.

All thoughts welcome.

Thank you

Regards

 

6 Replies 6

@owen2 crypto map VPN is depreciated from 17.6, at a guess I assume it's related.

As you are running 17.7 you'd need to use DMVPN or FlexVPN.

@Rob Ingram using psk is able to bring up the tunnel.
in order to use crypto map VPN i  downgrade to 17.6.5 or before that?

I will check debug you share 

Unable to get DN from certificate!
001537: *Dec  6 12:09:33.739 SGP: ISAKMP-ERROR: (1002):Cert presented by peer contains no OU field

no DN and no OU 

 

sh crypto ca cert

can you share this  

@MHM Cisco World 

output as below.

Winston-R1#sh cry pki cert
Certificate
Status: Available
Certificate Serial Number (hex): 068251349703611575CC
Certificate Usage: General Purpose
Issuer:
o=Cisco
cn=High Assurance SUDI CA
Subject:
Name: IR1101-K9
Serial Number: PID:IR1101-K9 SN:FCW2615YCP3
cn=IR1101-K9
ou=ACT-2 Lite SUDI
o=Cisco
serialNumber=PID:IR1101-K9 SN:FCW2615YCP3
Validity Date:
start date: 11:35:58 SGP Apr 8 2022
end date: 04:58:26 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI

CA Certificate
Status: Available
Certificate Serial Number (hex): 0A6475524CD8617C62
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
o=Cisco
cn=High Assurance SUDI CA
CRL Distribution Points:
http://www.cisco.com/security/pki/crl/crca2099.crl
Validity Date:
start date: 04:28:08 SGP Aug 12 2016
end date: 04:58:27 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI Trustpool

CA Certificate
Status: Available
Certificate Serial Number (hex): 019A335878CE16C1C1
Certificate Usage: Signature
Issuer:
cn=Cisco Root CA 2099
o=Cisco
Subject:
cn=Cisco Root CA 2099
o=Cisco
Validity Date:
start date: 04:58:28 SGP Aug 10 2016
end date: 04:58:28 SGP Aug 10 2099
Associated Trustpoints: CISCO_IDEVID_SUDI0 Trustpool

Certificate
Status: Available
Certificate Serial Number (hex): 7A000064E014D6E1575E1CD5750001000064E0
Certificate Usage: General Purpose
Issuer:
cn=Root-CA
Subject:
Name: Winston-R1
CRL Distribution Point:
file:////PPHQMRoot-CA/CertEnroll/Root%20CA.crl
Validity Date:
start date: 11:34:08 SGP Dec 5 2022
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Winston#64E0.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 3484C2B214CBBDB7439355A0D5544868
Certificate Usage: Signature
Issuer:
cn=Root-CA
Subject:
cn=Root-CA
Validity Date:
start date: 15:07:24 SGP Aug 4 2016
end date: 13:29:56 SGP Jun 10 2025
Associated Trustpoints: Winston
Storage: nvram:Root-CA#4868CA.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=Cisco Licensing Root CA
o=Cisco
Subject:
cn=Cisco Licensing Root CA
o=Cisco
Validity Date:
start date: 03:48:47 SGP May 31 2013
end date: 03:48:47 SGP May 31 2038
Associated Trustpoints: Trustpool SLA-TrustPoint
Storage: nvram:CiscoLicensi#1CA.cer

How to Configure a LAN-to-LAN IPSec Between a Router and a PIX Using Digital Certificates - Cisco

""enroll manually for an Identity certificate""

I think this step is wrong. check link above.