03-23-2020 09:53 PM
I staged a Cisco 1111 router for IPsec-encrypted DMVPN deployment at a spoke site at one location. I pulled the certificate and didn't associate it with the IP address of the device nor the serial number of the device. When I sent it to the remote site it wouldn't come up at all. Is there anything I might have to do at the hub routers to make them forget that this spoke router once spoke to them from IP address A, so that it can turn up on IP address B? Or is it the case that if it turned up on IP address A it should come up with no problem when its new public IP address is address B? Thank you.
03-24-2020 01:51 AM
03-24-2020 10:54 AM
Hi,
Assuming both routers have certificates issued by the same CA, which means that when you imported the certificate you also imported the CA's certificate, the certificates should be trusted, so there should be no problem from the certificate point of view. Can you post the relevant VPN configuration? If you do NAT, ensure the VPN traffic is exempted from NAT. Post the output of "debug crypto isakmp" and "debug crypto ipsec".
Regards,
Cristian Matei.
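As an added illustration of the two points in the answer above (certificate-based IKE identity that does not depend on the spoke's public address, and NAT exemption for tunnelled traffic), here is a spoke-side IOS/IOS-XE configuration sketch. It is not the original poster's configuration and not from the thread; the trustpoint name, subject name, tunnel and LAN addressing, hub NBMA address and interface names are all assumptions chosen for illustration.

```cisco
! Added example, not the poster's config: DMVPN spoke authenticated by certificate.
! All names and addresses below are assumed for illustration.
!
! Trustpoint for the CA that issued both the hub and spoke certificates.
crypto pki trustpoint CORP-CA
 enrollment terminal
 subject-name CN=spoke1.example.com,OU=DMVPN,O=Example
 revocation-check none
!
! IKE identity is the certificate's distinguished name, not the interface
! address, so moving the spoke from public IP A to public IP B presents the
! same identity to the hub.
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! mGRE tunnel sourced from the WAN interface; NHRP registers with the hub
! using whatever public address the WAN interface currently holds.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1 nbma 203.0.113.1 multicast
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! NAT exemption: LAN traffic bound for other DMVPN sites (assumed 10.0.0.0/8)
! must not be translated. The deny lines exempt it from translation;
! everything else is overloaded onto the WAN address.
ip access-list extended NAT-ACL
 deny   ip 10.2.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.2.0.0 0.0.255.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
```

To check the certificate side before looking at IKE, "show crypto pki certificates" on the spoke should list both the router certificate and the CA certificate under the same trustpoint; "show crypto isakmp sa" and "show dmvpn" then show whether phase 1 completes and whether the spoke has registered with the hub. If the hub still holds a stale IKE session or NHRP entry for the old address A, "clear crypto session remote A" and "clear ip nhrp" on the hub remove them, although both would also age out on their own.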
03-24-2020 11:33 AM