03-14-2019 01:52 PM
All - I am testing SCEP enrollment and automatic renewal in an isolated PKI test lab environment, and all is yielding positive and expected results except when I enable revocation-check crl or ocsp during IPsec.
Interestingly, if I execute the command 'crypto pki certificate validate Router-VPN_KEY' from either router (each has its own SCEP certificate issued from the same online issuing CA, but using the same trustpoint name), revocation works entirely, be it crl or ocsp. I'd rather rely on OCSP, which does work, and I am able to review OCSP logs and see the router ask for a revocation check on the end entity router certificate as well as the issuing CA certificate, but this does not work during VPN negotiations. If I remove revocation checking for all trustpoints then IPsec works without issue using digital certificates. Enabling solely crl or solely ocsp check fails during VPN, whereas they work correctly outside VPN.
Are there any known issues with full revocation checking taking place during IPsec? In my lab I have an offline Microsoft 2012 CA, an online Microsoft 2012 issuing CA, and a Microsoft 2012 OCSP Responder along with Microsoft NDES. All is working well except for this one piece. :(
I'm new to Cisco configuration, so it is more than likely an issue on my end with the router configurations; they are posted below.
Looking at a packet capture during IPsec, an OCSP query is not even attempted, as though the router is having a key id or similar issue during chaining; the failure takes place prior to sending an OCSP query.
Please see snip below.
---BEGIN R3 Router Working OCSP Validation Using 'pki certificate validate Router-VPN_KEY' command---
r3.child1.company1.c(config)#crypto pki certificate validate Router-VPN_KEY
Chain has 2 certificates
Mar 14 02:24:26.111: CRYPTO_PKI: (90127) Session started - identity selected (Router-VPN_KEY)
Mar 14 02:24:26.111: CRYPTO_PKI(Cert Lookup) issuer="cn=Network Authority Primary G2,o=Company1,c=US" serial number=
64 00 00 00 91 90 4B E2 76 BA 33 5D 8E 00 00 00
00 00 91
Mar 14 02:24:26.111: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
19 1B 1B A8 94 B0 B7 1C 95 92 E4 4F A4 CA 18 0E
Mar 14 02:24:26.111: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Mar 14 02:24:26.111: CRYPTO_PKI: Found a subject match
Mar 14 02:24:26.112: CRYPTO_PKI(Cert Lookup) issuer="cn=Network Authority Primary G2,o=Company1,c=US" serial number=
64 00 00 00 91 90 4B E2 76 BA 33 5D 8E 00 00 00
00 00 91
Mar 14 02:24:26.112: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
19 1B 1B A8 94 B0 B7 1C 95 92 E4 4F A4 CA 18 0E
Mar 14 02:24:26.112: CRYPTO_PKI(Cert Lookup) issuer="cn=Company1 Root CA G2,o=Company1,c=US" serial number=
29 00 00 00 05 BC 03 16 E5 6F 17 91 D9 00 00 00
00 00 05
Mar 14 02:24:26.112: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
0D E7 AC 69 09 1F 74 77 E3 EE 6E 3A AA A4 9D E2
Mar 14 02:24:26.112: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Mar 14 02:24:26.113: CRYPTO_PKI: Found a subject match
Mar 14 02:24:26.113: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Mar 14 02:24:26.113: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 101
Mar 14 02:24:26.113: CRYPTO_PKI: (90127)validation path has 2 certs
Mar 14 02:24:26.113: CRYPTO_PKI: (90127) Check for identical certs
Mar 14 02:24:26.113: CRYPTO_PKI(Cert Lookup) issuer="cn=Company1 Root CA G2,o=Company1,c=US" serial number=
29 00 00 00 05 BC 03 16 E5 6F 17 91 D9 00 00 00
00 00 05
Mar 14 02:24:26.113: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
0D E7 AC 69 09 1F 74 77 E3 EE 6E 3A AA A4 9D E2
Mar 14 02:24:26.113: CRYPTO_PKI : (90127) Validating non-trusted cert
Mar 14 02:24:26.113: CRYPTO_PKI: (90127) Create a list of suitable trustpoints
Mar 14 02:24:26.113: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Mar 14 02:24:26.113: CRYPTO_PKI: Found a issuer match
Mar 14 02:24:26.113: CRYPTO_PKI: (90127) Suitable trustpoints are: Root-CA-G2,
Mar 14 02:24:26.113: CRYPTO_PKI: (90127) Attempting to validate certificate using Root-CA-G2 policy
Mar 14 02:24:26.113: CRYPTO_PKI: (90127) Using Root-CA-G2 to validate certificate
Mar 14 02:24:26.113: CRYPTO_PKI(make trusted certs chain)
Mar 14 02:24:26.113: CRYPTO_PKI: Added 1 certs to trusted chain.
Mar 14 02:24:26.113: CRYPTO_PKI: Prepare session revocation service providers
Mar 14 02:24:26.113: P11:C_CreateObject:
Mar 14 02:24:26.113: CKA_CLASS: PUBLIC KEY
Mar 14 02:24:26.113: CKA_KEY_TYPE: RSA
Mar 14 02:24:26.113: CKA_MODULUS:
Mar 14 02:24:26.114: CKA_PUBLIC_EXPONENT: 01 00 01
Mar 14 02:24:26.114: CKA_VERIFY_RECOVER: 01
Mar 14 02:24:26.114: CRYPTO_PKI: Deleting cached key having key id 263
Mar 14 02:24:26.114: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Mar 14 02:24:26.114: CRYPTO_PKI:Peer's public inserted successfully with key id 264
Mar 14 02:24:26.114: P11:C_CreateObject: 131336
Mar 14 02:24:26.114: P11:C_GetMechanismInfo slot 1 type 3 (invalid mechanism)
Mar 14 02:24:26.115: P11:C_GetMechanismInfo slot 1 type 1
Mar 14 02:24:26.115: P11:C_VerifyRecoverInit - 131336
Mar 14 02:24:26.115: P11:C_VerifyRecover - 131336
Mar 14 02:24:26.115: P11:found pubkey in cache using index = 264
Mar 14 02:24:26.115: P11:public key found is :
Mar 14 02:24:26.117: P11:CEAL:CRYPTO_NO_ERR
Mar 14 02:24:26.117: P11:C_DestroyObject 1:20108
Mar 14 02:24:26.117: CRYPTO_PKI: Expiring peer's cached key with key id 264
Mar 14 02:24:26.117: CRYPTO_PKI: (90127) Certificate is verified
Mar 14 02:24:26.117: CRYPTO_PKI: (90127) Checking certificate revocation
Mar 14 02:24:26.117: OCSP: (90127) Process OCSP_VALIDATE message
Mar 14 02:24:26.117: CRYPTO_PKI: (90127)Starting OCSP revocation check
Mar 14 02:24:26.118: CRYPTO_PKI: OCSP server URL is http://www.ocsp.company1.com/ocsp
Mar 14 02:24:26.118: CRYPTO_PKI: no responder matching this URL; create one!
Mar 14 02:24:26.118: OCSP: (90127)OCSP Get Response command
Mar 14 02:24:26.121: CRYPTO_PKI: http connection opened
Mar 14 02:24:26.121: CRYPTO_PKI: OCSP send header size 141
Mar 14 02:24:26.121: CRYPTO_PKI: sending POST /ocsp HTTP/1.0
Host: www.ocsp.company1.com
User-Agent: RSA-Cert-C/2.0
Content-type: application/ocsp-request
Content-length: 533
Mar 14 02:24:26.121: CRYPTO_PKI: OCSP send data size 533
Mar 14 02:24:26.788: OCSP: (90127)OCSP Parse HTTP Response command
Mar 14 02:24:26.788: OCSP: (90127)OCSP Validate DER Response command
Mar 14 02:24:26.788: CRYPTO_PKI: OCSP response status - successful.
Mar 14 02:24:26.789: CRYPTO_PKI: Decoding OCSP Response
Mar 14 02:24:26.789: CRYPTO_PKI: OCSP decoded status is GOOD.
Mar 14 02:24:26.789: CRYPTO_PKI: Verifying OCSP Response
Mar 14 02:24:26.789: CRYPTO_PKI(make trusted certs chain)
Mar 14 02:24:26.791: CRYPTO_PKI: Added 10 certs to trusted chain.
Mar 14 02:24:26.791: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Mar 14 02:24:26.791: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Mar 14 02:24:26.792: CRYPTO_PKI: (90127) Validating OCSP responder certificate
Mar 14 02:24:26.792: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/path/pkix/pkixpath.c(5782) : E_PATH_PROVIDER : path provider specific warning (BasicConstraints extension found in end entity cert)
Mar 14 02:24:26.796: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
Mar 14 02:24:26.796: CRYPTO_PKI: response signed by a delegated responder
Mar 14 02:24:26.796: CRYPTO_PKI: OCSP Response is verified
Mar 14 02:24:26.796: CRYPTO_PKI: (90127) OCSP revocation check is complete 0
Mar 14 02:24:26.796: OCSP: destroying OCSP trans element
Mar 14 02:24:26.796: CRYPTO_PKI: Revocation check is complete, 0
Mar 14 02:24:26.796: CRYPTO_PKI: Revocation status = 0
Mar 14 02:24:26.796: CRYPTO_PKI: Remove session revocation service providers
Mar 14 02:24:26.796: CRYPTO_PKI: Remove session revocation service providers
Mar 14 02:24:26.796: CRYPTO_PKI: (90127) Certificate validated
Mar 14 02:24:26.796: CRYPTO_PKI: (90127) Check for identical certs
Mar 14 02:24:26.796: CRYPTO_PKI(Cert Lookup) issuer="cn=Network Authority Primary G2,o=Company1,c=US" serial number=
64 00 00 00 91 90 4B E2 76 BA 33 5D 8E 00 00 00
00 00 91
Mar 14 02:24:26.796: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
19 1B 1B A8 94 B0 B7 1C 95 92 E4 4F A4 CA 18 0E
Mar 14 02:24:26.796: CRYPTO_PKI : (90127) Validating non-trusted cert
Mar 14 02:24:26.796: CRYPTO_PKI: (90127) Attempting to validate certificate using Root-CA-G2 policy
Mar 14 02:24:26.796: CRYPTO_PKI: (90127) Using Root-CA-G2 to validate certificate
Mar 14 02:24:26.796: CRYPTO_PKI: Prepare session revocation service providers
Mar 14 02:24:26.796: P11:C_CreateObject:
Mar 14 02:24:26.796: CKA_CLASS: PUBLIC KEY
Mar 14 02:24:26.796: CKA_KEY_TYPE: RSA
Mar 14 02:24:26.796: CKA_MODULUS:
Mar 14 02:24:26.798: CKA_PUBLIC_EXPONENT: 01 00 01
Mar 14 02:24:26.798: CKA_VERIFY_RECOVER: 01
Mar 14 02:24:26.798: CRYPTO_PKI: Deleting cached key having key id 264
Mar 14 02:24:26.798: CRYPTO_PKI: Attempting to insert the peer's public key into cache
Mar 14 02:24:26.798: CRYPTO_PKI:Peer's public inserted successfully with key id 265
Mar 14 02:24:26.798: P11:C_CreateObject: 131337
Mar 14 02:24:26.798: P11:C_GetMechanismInfo slot 1 type 3 (invalid mechanism)
Mar 14 02:24:26.798: P11:C_GetMechanismInfo slot 1 type 1
Mar 14 02:24:26.798: P11:C_VerifyRecoverInit - 131337
Mar 14 02:24:26.798: P11:C_VerifyRecover - 131337
Mar 14 02:24:26.798: P11:found pubkey in cache using index = 265
Mar 14 02:24:26.798: P11:public key found is :
Mar 14 02:24:26.801: P11:CEAL:CRYPTO_NO_ERR
Mar 14 02:24:26.801: P11:C_DestroyObject 1:20109
Mar 14 02:24:26.801: CRYPTO_PKI: Expiring peer's cached key with key id 265
Mar 14 02:24:26.801: CRYPTO_PKI: (90127) Certificate is verified
Mar 14 02:24:26.801: CRYPTO_PKI: (90127) Checking certificate revocation
Mar 14 02:24:26.801: OCSP: (90127) Process OCSP_VALIDATE message
Mar 14 02:24:26.801: CRYPTO_PKI: (90127)Starting OCSP revocation checkCertificate chain for Router-VPN_KEY is valid
r3.child1.company1.c(config)#
Mar 14 02:24:26.802: CRYPTO_PKI: OCSP server URL is http://www.ocsp.company1.com/ocsp
Mar 14 02:24:26.802: CRYPTO_PKI: no responder matching this URL; create one!
Mar 14 02:24:26.802: OCSP: (90127)OCSP Get Response command
Mar 14 02:24:26.802: CRYPTO_PKI: http connection opened
Mar 14 02:24:26.802: CRYPTO_PKI: OCSP send header size 141
Mar 14 02:24:26.802: CRYPTO_PKI: sending POST /ocsp HTTP/1.0
Host: www.ocsp.company1.com
User-Agent: RSA-Cert-C/2.0
Content-type: application/ocsp-request
Content-length: 600
Mar 14 02:24:26.802: CRYPTO_PKI: OCSP send data size 600
Mar 14 02:24:29.586: OCSP: (90127)OCSP Parse HTTP Response command
Mar 14 02:24:29.586: OCSP: (90127)OCSP Validate DER Response command
Mar 14 02:24:29.586: CRYPTO_PKI: OCSP response status - successful.
Mar 14 02:24:29.586: CRYPTO_PKI: Decoding OCSP Response
Mar 14 02:24:29.586: CRYPTO_PKI: OCSP decoded status is GOOD.
Mar 14 02:24:29.586: CRYPTO_PKI: Verifying OCSP Response
Mar 14 02:24:29.586: CRYPTO_PKI(make trusted certs chain)
Mar 14 02:24:29.588: CRYPTO_PKI: Added 10 certs to trusted chain.
Mar 14 02:24:29.588: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Mar 14 02:24:29.588: ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsputil.c(547) : E_NOT_FOUND : no matching entry found
Mar 14 02:24:29.589: CRYPTO_PKI: (90127) Validating OCSP responder certificate
Mar 14 02:24:29.593: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
Mar 14 02:24:29.593: CRYPTO_PKI: response signed by a delegated responder
Mar 14 02:24:29.593: CRYPTO_PKI: OCSP Response is verified
Mar 14 02:24:29.593: CRYPTO_PKI: (90127) OCSP revocation check is complete 0
Mar 14 02:24:29.593: OCSP: destroying OCSP trans element
Mar 14 02:24:29.593: CRYPTO_PKI: Revocation check is complete, 0
Mar 14 02:24:29.593: CRYPTO_PKI: Revocation status = 0
Mar 14 02:24:29.593: CRYPTO_PKI: Remove session revocation service providers
Mar 14 02:24:29.593: CRYPTO_PKI: Remove session revocation service providers
Mar 14 02:24:29.593: CRYPTO_PKI: (90127) Certificate validated
Mar 14 02:24:29.593: CRYPTO_PKI: Populate AAA auth data
Mar 14 02:24:29.593: CRYPTO_PKI: Selected AAA username: 'r3.child1.company1.com'
Mar 14 02:24:29.593: PKI: Cert key-usage: Digital-Signature , Non-Repudiation , Key-Encipherment
Mar 14 02:24:29.593: CRYPTO_PKI: (90127)chain cert was anchored to trustpoint Root-CA-G2, and chain validation result was: CRYPTO_VALID_CERT
Mar 14 02:24:29.594: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 101
Mar 14 02:24:29.594: CRYPTO_PKI: (90127) Validation TP is Root-CA-G2
Mar 14 02:24:29.594: CRYPTO_PKI: (90127) Certificate validation succeeded
Mar 14 02:24:29.594: CRYPTO_PKI: Rcvd request to end PKI session 90127.
Mar 14 02:24:29.594: CRYPTO_PKI: PKI session 90127 has ended. Freeing all resources.
Mar 14 02:24:29.594: CRYPTO_PKI: unlocked trustpoint Router-VPN_KEY, refcount is 0
---END R3 Router Working OCSP Validation Using 'pki certificate validate Router-VPN_KEY' command---
Note: During IPsec, R4 is initiating the VPN to R3.
---BEGIN R3 Router Failure OCSP Validation During IPSec---
Mar 14 02:25:59.917: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r3.child1.company1.c(config-if)#end
r3.child1.company1.com#
Mar 14 02:26:03.712: %SYS-5-CONFIG_I: Configured from console by admin1 on vty0 (192.168.2.196)
Mar 14 02:26:03.712: CRYPTO_PKI: Initializing renewal timers
Mar 14 02:26:03.712: PKI:get_cert Router-VPN_KEY 0x10 (expired=0):
r3.child1.company1.com#
r3.child1.company1.com#
Mar 14 02:26:45.015: ISAKMP (0): received packet from 192.168.30.5 dport 500 sport 500 Global (N) NEW SA
Mar 14 02:26:45.015: ISAKMP: Created a peer struct for 192.168.30.5, peer port 500
Mar 14 02:26:45.015: ISAKMP: New peer created peer = 0x7F1BC0AF3158 peer_handle = 0x8000005C
Mar 14 02:26:45.015: ISAKMP: Locking peer struct 0x7F1BC0AF3158, refcount 1 for crypto_isakmp_process_block
Mar 14 02:26:45.015: ISAKMP: local port 500, remote port 500
Mar 14 02:26:45.015: ISAKMP:(0):insert sa successfully sa = 7F1BC0BE33D8
Mar 14 02:26:45.015: ISAKMP:(0): processing SA payload. message ID = 0
Mar 14 02:26:45.015: ISAKMP:(0): processing ID payload. message ID = 0
Mar 14 02:26:45.015: ISAKMP (0): ID payload
next-payload : 7
type : 1
address : 192.168.30.5
protocol : 17
port : 0
length : 12
Mar 14 02:26:45.015: ISAKMP:(0):: peer matches *none* of the profiles
Mar 14 02:26:45.015: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:45.015: ISAKMP:(0): vendor ID is DPD
Mar 14 02:26:45.015: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:45.015: ISAKMP:(0): vendor ID seems Unity/DPD but major 92 mismatch
Mar 14 02:26:45.015: ISAKMP:(0): vendor ID is XAUTH
Mar 14 02:26:45.015: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:45.015: ISAKMP:(0): claimed IOS but failed authentication
Mar 14 02:26:45.017: ISAKMP : Scanning profiles for xauth ... cert_profile
Mar 14 02:26:45.017: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.017: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.017: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 14 02:26:45.017: ISAKMP: encryption AES-CBC
Mar 14 02:26:45.017: ISAKMP: keylength of 128
Mar 14 02:26:45.017: ISAKMP: hash SHA256
Mar 14 02:26:45.017: ISAKMP: default group 2
Mar 14 02:26:45.017: ISAKMP: auth RSA sig
Mar 14 02:26:45.017: ISAKMP: life type in seconds
Mar 14 02:26:45.017: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 14 02:26:45.017: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 14 02:26:45.017: ISAKMP:(0):Acceptable atts:actual life: 86400
Mar 14 02:26:45.017: ISAKMP:(0):Acceptable atts:life: 0
Mar 14 02:26:45.017: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 14 02:26:45.017: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 14 02:26:45.017: ISAKMP:(0): IKE->PKI Start PKI Session state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.017: CRYPTO_PKI: (90128) Session started - identity not specified
Mar 14 02:26:45.017: ISAKMP:(0): PKI->IKE Started PKI Session state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.017: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 14 02:26:45.017: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 14 02:26:45.017: ISAKMP:(0): processing KE payload. message ID = 0
Mar 14 02:26:45.019: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 14 02:26:45.020: ISAKMP:(1096): processing vendor id payload
Mar 14 02:26:45.020: ISAKMP:(1096): vendor ID is DPD
Mar 14 02:26:45.020: ISAKMP:(1096): processing vendor id payload
Mar 14 02:26:45.020: ISAKMP:(1096): vendor ID seems Unity/DPD but major 92 mismatch
Mar 14 02:26:45.020: ISAKMP:(1096): vendor ID is XAUTH
Mar 14 02:26:45.020: ISAKMP:(1096): processing vendor id payload
Mar 14 02:26:45.020: ISAKMP:(1096): claimed IOS but failed authentication
Mar 14 02:26:45.022: ISAKMP:(1096): IKE->PKI Get configured TrustPoints state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.022: ISAKMP:(1096): PKI->IKE Got configured TrustPoints state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.022: ISAKMP:(1096): IKE->PKI Get IssuerNames state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.022: ISAKMP:(1096): PKI->IKE Got IssuerNames state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.022: ISAKMP:(1096):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Mar 14 02:26:45.022: ISAKMP (1096): ID payload
next-payload : 7
type : 1
address : 192.168.20.5
protocol : 0
port : 0
length : 12
Mar 14 02:26:45.022: ISAKMP:(1096):Total payload length: 12
Mar 14 02:26:45.022: ISAKMP (1096): constructing CERT_REQ for issuer cn=Network Authority Primary G2,o=Company1,c=US
Mar 14 02:26:45.022: ISAKMP (1096): constructing CERT_REQ for issuer cn=Company1 Root CA G2,o=Company1,c=US
Mar 14 02:26:45.022: ISAKMP:(1096): processing CERT_REQ payload. message ID = 0
Mar 14 02:26:45.022: ISAKMP:(1096): peer wants a CT_X509_SIGNATURE cert
Mar 14 02:26:45.022: ISAKMP:(1096): peer wants cert issued by cn=Network Authority Primary G2,o=Company1,c=US
Mar 14 02:26:45.022: CRYPTO_PKI: Trust-Point Router-VPN_KEY picked up
Mar 14 02:26:45.022: CRYPTO_PKI: 1 matching trustpoints found
Mar 14 02:26:45.022: CRYPTO_PKI: (A0129) Session started - identity selected (Router-VPN_KEY)
Mar 14 02:26:45.022: Choosing trustpoint Router-VPN_KEY as issuer
Mar 14 02:26:45.022: CRYPTO_PKI: Rcvd request to end PKI session A0129.
Mar 14 02:26:45.022: CRYPTO_PKI: PKI session A0129 has ended. Freeing all resources.
Mar 14 02:26:45.022: CRYPTO_PKI: unlocked trustpoint Router-VPN_KEY, refcount is 0
Mar 14 02:26:45.022: CRYPTO_PKI: locked trustpoint Router-VPN_KEY, refcount is 1
Mar 14 02:26:45.022: CRYPTO_PKI: Identity bound (Router-VPN_KEY) for session 90128
Mar 14 02:26:45.022: ISAKMP:(1096): processing CERT_REQ payload. message ID = 0
Mar 14 02:26:45.022: ISAKMP:(1096): peer wants a CT_X509_SIGNATURE cert
Mar 14 02:26:45.022: ISAKMP:(1096): peer wants cert issued by cn=Company1 Root CA G2,o=Company1,c=US
Mar 14 02:26:45.022: ISAKMP:(1096): IKE->PKI Get CertificateChain to be sent to peer state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.022: CRYPTO_PKI(Cert Lookup) issuer="cn=Network Authority Primary G2,o=Company1,c=US" serial number=
64 00 00 00 91 90 4B E2 76 BA 33 5D 8E 00 00 00
00 00 91
Mar 14 02:26:45.022: CRYPTO_PKI: looking for cert in handle=7F1BC94A08D8, digest=
19 1B 1B A8 94 B0 B7 1C 95 92 E4 4F A4 CA 18 0E
Mar 14 02:26:45.023: ISAKMP:(1096): PKI->IKE Got CertificateChain to be sent to peer state (R) AG_NO_STATE (peer 192.168.30.5)
Mar 14 02:26:45.023: ISAKMP (1096): constructing CERT payload for cn=r3.child1.company1.com,ou=PKI,o=Company1,l=San Antonio,st=Texas,c=US,hostname=r3.child1.company1.com,ipaddress=192.168.20.5,serialNumber=9SK2AVI7UHJ
Mar 14 02:26:45.023: ISKAMP: growing send buffer from 1024 to 5120
Mar 14 02:26:45.023: ISAKMP:(1096): using the Router-VPN_KEY trustpoint's keypair to sign
Mar 14 02:26:45.042: ISAKMP:(1096): sending packet to 192.168.30.5 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 14 02:26:45.042: ISAKMP:(1096):Sending an IKE IPv4 Packet.
Mar 14 02:26:45.042: ISAKMP:(1096):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 14 02:26:45.042: ISAKMP:(1096):Old State = IKE_READY New State = IKE_R_AM2
Mar 14 02:26:55.042: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH...
Mar 14 02:26:55.042: ISAKMP (1096): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 14 02:26:55.042: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH
Mar 14 02:26:55.042: ISAKMP:(1096): sending packet to 192.168.30.5 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 14 02:26:55.042: ISAKMP:(1096):Sending an IKE IPv4 Packet.
Mar 14 02:27:05.042: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH...
Mar 14 02:27:05.042: ISAKMP (1096): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 14 02:27:05.042: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH
Mar 14 02:27:05.042: ISAKMP:(1096): sending packet to 192.168.30.5 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Mar 14 02:27:05.042: ISAKMP:(1096):Sending an IKE IPv4 Packet.
---END R3 Router Failure OCSP Validation During IPSec---
---BEGIN R4 Router Failure OCSP Validation During IPSec---
Mar 14 02:26:25.928: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
r4.child1.company1.c(config-if)#
r4.child1.company1.c(config-if)#end
r4.child1.company1.com#
Mar 14 02:26:30.565: %SYS-5-CONFIG_I: Configured from console by admin1 on vty0 (192.168.2.196)
Mar 14 02:26:30.565: CRYPTO_PKI: Initializing renewal timers
Mar 14 02:26:30.565: PKI:get_cert Router-VPN_KEY 0x10 (expired=0):
Mar 14 02:26:45.000: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.30.5:500, remote= 192.168.20.5:500,
local_proxy= 192.168.50.0/255.255.255.0/256/0,
remote_proxy= 192.168.40.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Mar 14 02:26:45.000: ISAKMP:(0): SA request profile is cert_profile
Mar 14 02:26:45.000: ISAKMP: Created a peer struct for 192.168.20.5, peer port 500
Mar 14 02:26:45.000: ISAKMP: New peer created peer = 0x7F58ADF0B5F8 peer_handle = 0x80000065
Mar 14 02:26:45.000: ISAKMP: Locking peer struct 0x7F58ADF0B5F8, refcount 1 for isakmp_initiator
Mar 14 02:26:45.000: ISAKMP: local port 500, remote port 500
Mar 14 02:26:45.000: ISAKMP: set new node 0 to QM_IDLE
Mar 14 02:26:45.000: ISAKMP:(0):insert sa successfully sa = 7F58AE170DC8
Mar 14 02:26:45.000: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.000: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.002: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.002: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.002: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.002: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_NO_STATE (peer 192.168.20.5)
Mar 14 02:26:45.002: ISAKMP:(0):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Mar 14 02:26:45.002: ISAKMP (0): ID payload
next-payload : 7
type : 1
address : 192.168.30.5
protocol : 17
port : 0
length : 12
Mar 14 02:26:45.002: ISAKMP:(0):Total payload length: 12
Mar 14 02:26:45.002: ISAKMP (0): constructing CERT_REQ for issuer cn=Network Authority Primary G2,o=Company1,c=US
Mar 14 02:26:45.002: ISAKMP (0): constructing CERT_REQ for issuer cn=Company1 Root CA G2,o=Company1,c=US
Mar 14 02:26:45.002: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
Mar 14 02:26:45.002: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
Mar 14 02:26:45.002: ISAKMP:(0): beginning Aggressive Mode exchange
Mar 14 02:26:45.002: ISAKMP:(0): sending packet to 192.168.20.5 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Mar 14 02:26:45.002: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 14 02:26:46.519: ISAKMP (0): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:26:46.519: ISAKMP:(0): processing SA payload. message ID = 0
Mar 14 02:26:46.519: ISAKMP:(0): processing ID payload. message ID = 0
Mar 14 02:26:46.519: ISAKMP (0): ID payload
next-payload : 7
type : 1
address : 192.168.20.5
protocol : 0
port : 0
length : 12
Mar 14 02:26:46.519: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:46.519: ISAKMP:(0): vendor ID is Unity
Mar 14 02:26:46.519: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:46.519: ISAKMP:(0): vendor ID is DPD
Mar 14 02:26:46.519: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:46.519: ISAKMP:(0): speaking to another IOS box!
Mar 14 02:26:46.519: ISAKMP : Looking for xauth in profile cert_profile
Mar 14 02:26:46.519: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.519: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.519: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 14 02:26:46.519: ISAKMP: encryption AES-CBC
Mar 14 02:26:46.519: ISAKMP: keylength of 128
Mar 14 02:26:46.519: ISAKMP: hash SHA256
Mar 14 02:26:46.519: ISAKMP: default group 2
Mar 14 02:26:46.519: ISAKMP: auth RSA sig
Mar 14 02:26:46.519: ISAKMP: life type in seconds
Mar 14 02:26:46.519: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 14 02:26:46.519: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 14 02:26:46.519: ISAKMP:(0):Acceptable atts:actual life: 86400
Mar 14 02:26:46.519: ISAKMP:(0):Acceptable atts:life: 0
Mar 14 02:26:46.519: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 14 02:26:46.519: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 14 02:26:46.519: ISAKMP:(0): IKE->PKI Start PKI Session state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.520: CRYPTO_PKI: (A00EC) Session started - identity not specified
Mar 14 02:26:46.520: ISAKMP:(0): PKI->IKE Started PKI Session state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.520: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 14 02:26:46.520: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 14 02:26:46.520: ISAKMP:(0): processing KE payload. message ID = 0
Mar 14 02:26:46.523: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 14 02:26:46.523: ISAKMP:(1096): processing CERT payload. message ID = 0
Mar 14 02:26:46.523: ISAKMP:(1096): processing a CT_X509_SIGNATURE cert
Mar 14 02:26:46.523: ISAKMP:(1096): IKE->PKI Add peer's certificate state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.523: CRYPTO_PKI: (A00EC) Adding peer certificate
Mar 14 02:26:46.523: CRYPTO_PKI: Added x509 peer certificate - (2106) bytes
Mar 14 02:26:46.523: ISAKMP:(1096): PKI->IKE Added peer's certificate state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.523: ISAKMP:(1096): IKE->PKI Get PeerCertificateChain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.523: ISAKMP:(1096): PKI->IKE Got PeerCertificateChain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.523: ISAKMP:(1096): peer's pubkey isn't cached
Mar 14 02:26:46.524: ISAKMP:(0): certificate map matches cert_profile profile
Mar 14 02:26:46.524: ISAKMP:(0): Creating CERT validation list: Root-CA-G2, Network-Prim-CA-G2, Router-VPN_KEY,
Mar 14 02:26:46.524: CRYPTO_PKI: Validation list has 3 trustpoints
Mar 14 02:26:46.524: ISAKMP:(1096): IKE->PKI Validate certificate chain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.524: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Mar 14 02:26:46.524: CRYPTO_PKI: Found a subject match
Mar 14 02:26:46.524: CRYPTO_PKI: Extending validation chain to Network-Prim-CA-G2
Mar 14 02:26:46.524: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Mar 14 02:26:46.524: CRYPTO_PKI: Found a subject match
Mar 14 02:26:46.524: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Mar 14 02:26:46.524: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 106
Mar 14 02:26:46.524: CRYPTO_PKI: (A00EC)validation path has 2 certs
Mar 14 02:26:46.524: CRYPTO_PKI: (A00EC) Check for identical certs
Mar 14 02:26:46.524: CRYPTO_PKI(Cert Lookup) issuer="cn=Company1 Root CA G2,o=Company1,c=US" serial number=
29 00 00 00 05 BC 03 16 E5 6F 17 91 D9 00 00 00
00 00 05
Mar 14 02:26:46.525: CRYPTO_PKI: looking for cert in handle=7F58ABB978D8, digest=
0D E7 AC 69 09 1F 74 77 E3 EE 6E 3A AA A4 9D E2
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Suitable trustpoint Network-Prim-CA-G2 is already trusted
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Attempting to validate certificate using Network-Prim-CA-G2 policy
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Using Network-Prim-CA-G2 to validate certificate
Mar 14 02:26:46.525: CRYPTO_PKI(make trusted certs chain)
Mar 14 02:26:46.525: CRYPTO_PKI: Added 1 certs to trusted chain.
Mar 14 02:26:46.525: CRYPTO_PKI: Prepare session revocation service providers
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Validating without signers key
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Certificate is verified
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Checking certificate revocation
Mar 14 02:26:46.525: CRYPTO_PKI: status = 0: poll CRL
Mar 14 02:26:46.525: ISAKMP:(1096): PKI->IKE Validate certificate chain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.525: ISAKMP:(1096): Polling required and CRL will be fetched asynchronously! state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.527: ISAKMP:(1096):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 14 02:26:46.527: ISAKMP:(1096):Old State = IKE_I_AM1 New State = IKE_I_AM1
Mar 14 02:26:46.527: OCSP: (A00EC) Process OCSP_VALIDATE message
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)Starting OCSP revocation check
Mar 14 02:26:46.527: CRYPTO_PKI: OCSP server URL is http://www.ocsp.company1.com/ocsp
Mar 14 02:26:46.527: CRYPTO_PKI: no responder matching this URL; create one!
Mar 14 02:26:46.527: CRYPTO_PKI: Auth/subject key ids mismatch
Mar 14 02:26:46.527: CRYPTO_PKI: failed to find signing cert in trusted or verified chains
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)unable to find a valid OCSP server. 1804
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC) OCSP revocation check is complete 1804
Mar 14 02:26:46.527: CRYPTO_PKI: status = 0x70C(E_VALIDITY : validity period start later than end): OCSP revocation check has failed.
Mar 14 02:26:46.527: OCSP: destroying OCSP trans element
Mar 14 02:26:46.527: PKI_REVO: Got a queue event - revocation process
Mar 14 02:26:46.527: PKI: Cert key-usage: Digital-Signature , Certificate-Signing , CRL-Signing
Mar 14 02:26:46.527: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)chain cert was anchored to trustpoint Network-Prim-CA-G2, and chain validation result was: CRYPTO_INVALID_CERT
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC) Certificate validation failed
Mar 14 02:26:46.528: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 106
Mar 14 02:26:46.528: PKI_REVO: Revocation process - wait for event
Mar 14 02:26:46.528: ISAKMP:(1096): IKE->PKI Get PeerCertificateChain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.528: ISAKMP:(1096): PKI->IKE Got PeerCertificateChain state (I) AG_INIT_EXCH (peer 192.168.20.5)
Mar 14 02:26:46.528: ISAKMP:(1096): peer's pubkey isn't cached
Mar 14 02:26:46.528: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.20.5 is bad: certificate invalid
Mar 14 02:26:46.529: ISKAMP: growing send buffer from 1024 to 5120
Mar 14 02:26:46.529: ISAKMP (1096): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_I_AM1
Mar 14 02:26:46.530: ISAKMP:(1096):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 14 02:26:46.530: ISAKMP:(1096):Old State = IKE_I_AM1 New State = IKE_I_AM1
Mar 14 02:26:55.003: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH...
Mar 14 02:26:55.003: ISAKMP (1096): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 14 02:26:55.003: ISAKMP:(1096): retransmitting phase 1 AG_INIT_EXCH
Mar 14 02:26:55.003: ISAKMP:(1096): sending packet to 192.168.20.5 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Mar 14 02:26:55.003: ISAKMP:(1096):Sending an IKE IPv4 Packet.
Mar 14 02:26:55.034: ISAKMP (1096): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:26:55.034: ISAKMP:(1096): phase 1 packet is a duplicate of a previous packet.
Mar 14 02:26:55.034: ISAKMP:(1096): retransmitting due to retransmit phase 1
Mar 14 02:26:55.034: ISAKMP:(1096): no outgoing phase 1 packet to retransmit. AG_INIT_EXCH
Mar 14 02:27:05.034: ISAKMP (1096): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:27:05.034: ISAKMP:(1096): phase 1 packet is a duplicate of a previous packet.
Mar 14 02:27:05.034: ISAKMP:(1096): retransmitting due to retransmit phase 1
Mar 14 02:27:05.034: ISAKMP:(1096): no outgoing phase 1 packet to retransmit. AG_INIT_EXCH
Mar 14 02:27:15.001: IPSEC:(SESSION ID = 8) (key_engine) request timer fired: count = 1,
(identity) local= 192.168.30.5:0, remote= 192.168.20.5:0,
local_proxy= 192.168.50.0/255.255.255.0/256/0,
remote_proxy= 192.168.40.0/255.255.255.0/256/0
Mar 14 02:27:15.001: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.30.5:500, remote= 192.168.20.5:500,
local_proxy= 192.168.50.0/255.255.255.0/256/0,
remote_proxy= 192.168.40.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Mar 14 02:27:15.001: ISAKMP: set new node 0 to QM_IDLE
Mar 14 02:27:15.001: ISAKMP:(1096):SA is still budding. Attached new ipsec request to it. (local 192.168.30.5, remote 192.168.20.5)
Mar 14 02:27:15.002: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 14 02:27:15.002: ISAKMP: Error while processing KMI message 0, error 2.
Mar 14 02:27:15.035: ISAKMP (1096): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:27:15.035: ISAKMP:(1096): phase 1 packet is a duplicate of a previous packet.
Mar 14 02:27:15.035: ISAKMP:(1096): retransmitting due to retransmit phase 1
Mar 14 02:27:15.035: ISAKMP:(1096): no outgoing phase 1 packet to retransmit. AG_INIT_EXCH
Mar 14 02:27:25.037: ISAKMP (1096): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:27:25.037: ISAKMP:(1096): phase 1 packet is a duplicate of a previous packet.
Mar 14 02:27:25.037: ISAKMP:(1096): retransmitting due to retransmit phase 1
Mar 14 02:27:25.037: ISAKMP:(1096): no outgoing phase 1 packet to retransmit. AG_INIT_EXCH
Mar 14 02:27:35.036: ISAKMP (1096): received packet from 192.168.20.5 dport 500 sport 500 Global (I) AG_INIT_EXCH
Mar 14 02:27:35.036: ISAKMP:(1096): phase 1 packet is a duplicate of a previous packet.
Mar 14 02:27:35.036: ISAKMP:(1096): retransmitting due to retransmit phase 1
Mar 14 02:27:35.036: ISAKMP:(1096): no outgoing phase 1 packet to retransmit. AG_INIT_EXCH
---END R4 Router Failure OCSP Validation During IPSec---
---BEGIN R3 Config ---
hostname r3.child1.company1.com
!
boot-start-marker
boot-end-marker
!
enable secret 5 xyz
!
no aaa new-model
clock timezone CST -5 0
!
ip domain name child1.company1.com
ip name-server 192.168.2.3
ip name-server 192.168.2.4
!
subscriber templating
!
multilink bundle-name authenticated
!
domain company1.com
!
crypto pki trustpoint Root-CA-G2
enrollment terminal pem
revocation-check ocsp
!
crypto pki trustpoint Network-Prim-CA-G2
enrollment terminal pem
chain-validation continue Root-CA-G2
revocation-check ocsp
!
crypto pki trustpoint Router-VPN_KEY
enrollment retry count 100
enrollment retry period 2
enrollment mode ra
enrollment url http://ndes1.child1.company1.com:80/certsrv/mscep/mscep.dll
serial-number
fqdn r3.child1.company1.com
ip-address 192.168.20.5
subject-name CN=r3.child1.company1.com,O=Company1,OU=PKI,C=US,L=San Antonio,ST=Texas
chain-validation continue Network-Prim-CA-G2
revocation-check ocsp
rsakeypair Router-VPN_KEY
auto-enroll 90 regenerate
!
crypto pki certificate map cert_map 10
subject-name co ou = pki
!
crypto pki certificate chain Root-CA-G2
certificate ca 2BFDA6B93FD0EBAB4B74B1C0583B4F54
30820557 3082033F A0030201 0202102B FDA6B93F D0EBAB4B 74B1C058 3B4F5430
DBFD82EB BFBC59EC 3367DB6A 40D90E71 31129DD0 192EC7A8 F0804CD3 1CED67A3
7C9F96DD 6AB32469 F0E8D3DA 89C2379B 9FACA982 91086ECA D6D099
quit
crypto pki certificate chain Network-Prim-CA-G2
certificate ca 2900000005BC0316E56F1791D9000000000005
30820813 308205FB A0030201 02021329 00000005 BC0316E5 6F1791D9 00000000
110353F0 E8F4CA6A EF5D133E A3A29546 129BAAD0 6CA11346 8C43EAD0 90408388
6C557E25 21D7463B 7486C3F9 2926CF4F 654FADF0 C443EA
quit
crypto pki certificate chain Router-VPN_KEY
certificate 6400000091904BE276BA335D8E000000000091
30820836 3082061E A0030201 02021364 00000091 904BE276 BA335D8E 00000000
0091300D 06092A86 4886F70D 01010B05 00304731 0B300906 03550406 13025553
3111300F 06035504 0A130843 6F6D7061 6E793131 25302306 03550403 131C4E65
quit
certificate ca 2900000005BC0316E56F1791D9000000000005
30820813 308205FB A0030201 02021329 00000005 BC0316E5 6F1791D9 00000000
0005300D 06092A86 4886F70D 01010B05 00303E31 0B300906 03550406 13025553
quit
license udi pid CSR1000V sn xyz
spanning-tree extend system-id
!
username xzy privilege 15 password 0 xyz
!
redundancy
!
ip ssh version 2
ip ssh pubkey-chain
username xyz
key-hash ssh-rsa xyz
!
crypto isakmp policy 10
encr aes
hash sha256
group 2
crypto isakmp profile cert_profile
ca trust-point Root-CA-G2
ca trust-point Network-Prim-CA-G2
ca trust-point Router-VPN_KEY
match certificate cert_map
initiate mode aggressive
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
!
crypto identity router-id
dn "cn=r3.child1.company1.com,o=Company1,ou=PKI,c=US,l=San Antonio,st=Texas"
!
crypto map vpnset 10 ipsec-isakmp
set peer 192.168.30.5
set transform-set vpnset
set pfs group2
set isakmp-profile cert_profile
match address 100
!
interface GigabitEthernet1
ip address 192.168.20.5 255.255.255.0
negotiation auto
crypto map vpnset
!
interface GigabitEthernet2
ip address 192.168.2.53 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
ip address 192.168.40.5 255.255.255.0
negotiation auto
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.30.5
ip route 172.16.0.0 255.255.0.0 192.168.2.2
ip route 192.168.30.0 255.255.255.0 192.168.20.2
!
logging trap debugging
logging host 172.16.10.3
access-list 100 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
control-plane
!
line con 0
exec-timeout 0 0
password xyz
logging synchronous
login local
stopbits 1
line vty 0 4
password xyz
login local
transport input ssh
!
ntp server 172.16.10.3
!
end
---END R3 Config ---
---BEGIN R4 Config ---
Current configuration : 21366 bytes
!
! Last configuration change at 21:26:30 CST Wed Mar 13 2019 by admin1
! NVRAM config last updated at 20:36:28 CST Wed Mar 13 2019 by admin1
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console auto
!
hostname r4.child1.company1.com
!
boot-start-marker
boot-end-marker
!
enable secret 5 xyz
!
no aaa new-model
clock timezone CST -5 0
!
ip domain name child1.company1.com
ip name-server 192.168.2.3
ip name-server 192.168.2.4
!
subscriber templating
!
multilink bundle-name authenticated
!
domain company1.com
!
crypto pki trustpoint Root-CA-G2
enrollment terminal pem
revocation-check ocsp
!
crypto pki trustpoint Network-Prim-CA-G2
enrollment terminal pem
chain-validation continue Root-CA-G2
revocation-check ocsp
!
crypto pki trustpoint Router-VPN_KEY
enrollment retry count 100
enrollment retry period 2
enrollment mode ra
enrollment url http://ndes1.child1.company1.com:80/certsrv/mscep/mscep.dll
serial-number
fqdn r4.child1.company1.com
ip-address 192.168.30.5
subject-name CN=r4.child1.company1.com,O=Company1,OU=PKI,C=US,L=San Antonio,ST=Texas
chain-validation continue Network-Prim-CA-G2
revocation-check ocsp
rsakeypair Router-VPN_KEY
auto-enroll 90 regenerate
!
crypto pki certificate map cert_map 10
subject-name co ou = pki
!
crypto pki certificate chain Root-CA-G2
certificate ca 2BFDA6B93FD0EBAB4B74B1C0583B4F54
30820557 3082033F A0030201 0202102B FDA6B93F D0EBAB4B 74B1C058 3B4F5430
0D06092A 864886F7 0D01010B 0500303E 310B3009 06035504 06130255 53311130
quit
crypto pki certificate chain Network-Prim-CA-G2
certificate ca 2900000005BC0316E56F1791D9000000000005
30820813 308205FB A0030201 02021329 00000005 BC0316E5 6F1791D9 00000000
0005300D 06092A86 4886F70D 01010B05 00303E31 0B300906 03550406 13025553
3111300F 06035504 0A130843 6F6D7061 6E793131 1C301A06 03550403 1313436F
quit
crypto pki certificate chain Router-VPN_KEY
certificate 64000000924470A011305C7EA3000000000092
30820836 3082061E A0030201 02021364 00000092 4470A011 305C7EA3 00000000
0092300D 06092A86 4886F70D 01010B05 00304731 0B300906 03550406 13025553
3111300F 06035504 0A130843 6F6D7061 6E793131 25302306 03550403 131C4E65
quit
certificate ca 2900000005BC0316E56F1791D9000000000005
30820813 308205FB A0030201 02021329 00000005 BC0316E5 6F1791D9 00000000
0005300D 06092A86 4886F70D 01010B05 00303E31 0B300906 03550406 13025553
3111300F 06035504 0A130843 6F6D7061 6E793131 1C301A06 03550403 1313436F
quit
license udi pid CSR1000V sn xyz
spanning-tree extend system-id
!
username xyz privilege 15 password 0 xyz
!
redundancy
!
ip ssh version 2
ip ssh pubkey-chain
username xyz
key-hash ssh-rsa xyz
!
crypto isakmp policy 10
encr aes
hash sha256
group 2
crypto isakmp profile cert_profile
ca trust-point Root-CA-G2
ca trust-point Network-Prim-CA-G2
ca trust-point Router-VPN_KEY
match certificate cert_map
initiate mode aggressive
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
!
crypto identity router-id
dn "cn=r4.child1.company1.com,o=Company1,ou=PKI,c=US,l=San Antonio,st=Texas"
!
crypto map vpnset 10 ipsec-isakmp
set peer 192.168.20.5
set transform-set vpnset
set pfs group2
set isakmp-profile cert_profile
match address 100
!
interface GigabitEthernet1
ip address 192.168.2.54 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 192.168.30.5 255.255.255.0
negotiation auto
crypto map vpnset
!
interface GigabitEthernet3
ip address 192.168.50.5 255.255.255.0
negotiation auto
!
virtual-service csr_mgmt
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.5
ip route 172.16.0.0 255.255.0.0 192.168.2.2
ip route 192.168.20.0 255.255.255.0 192.168.30.2
!
access-list 100 permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
login local
stopbits 1
line vty 0 4
password xyz
login local
transport input ssh
!
ntp server 172.16.10.3
!
end
---END R4 Config ---
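The R4 debug above fails in a specific place: the chain is built and "Certificate is verified" is logged, the OCSP stage starts, and then "Auth/subject key ids mismatch" and "failed to find signing cert in trusted or verified chains" appear before any responder object is created, so "OCSP revocation check is complete" arrives without a request ever being sent, which is consistent with the packet capture showing no OCSP query. When a capture like this spans several IKE attempts it is easy to lose that ordering, so here is a small triage script that groups the CRYPTO_PKI/OCSP lines by PKI session id and reports, per session, the anchoring trustpoint, whether the signature chain verified, the revocation method that ran, the first message in which IOS gave up and at what stage, and the final status code. This is an added example, not code from the original post or from Cisco; it assumes only the message formats visible in the debug above (the sample lines are copied from it), the phrases in FAILURE_MARKERS are a heuristic for "where IOS gave up", and un-sessioned lines are attributed to the most recently started session because that is how they appear in this output.

```python
"""Triage helper for Cisco IOS 'debug crypto pki' / 'debug crypto isakmp' captures.

Added example; not part of the original post and not Cisco code. Groups the
CRYPTO_PKI and OCSP debug lines by PKI session id and summarises where each
validation failed. Regexes assume only the message formats seen in the R4 debug.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIME_RE = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+: (?P<body>.*)$")
SESSION_RE = re.compile(r"^(?:CRYPTO_PKI|OCSP): \((?P<sid>[0-9A-F]+)\)\s*(?P<msg>.*)$")
URL_RE = re.compile(r"OCSP server URL is (?P<url>\S+)")
ANCHOR_RE = re.compile(r"anchored to trustpoint (?P<tp>[^,]+), and chain validation result was: (?P<result>\S+)")
STATUS_RE = re.compile(r"status = (?P<code>0x[0-9A-Fa-f]+)\((?P<name>\w+) : [^)]*\)")

# Heuristic (assumption): the first message containing one of these phrases is the root
# cause; the later E_VALIDITY status and the %PKI-3 / %CRYPTO-5 syslogs are fallout.
FAILURE_MARKERS = ("mismatch", "failed to find", "unable to find", "validation failed")


@dataclass
class PkiSession:
    sid: str
    trustpoint: Optional[str] = None
    result: Optional[str] = None
    chain_verified: bool = False
    method: Optional[str] = None
    ocsp_url: Optional[str] = None
    phase: str = "chain"            # chain -> revocation -> ocsp, as the debug progresses
    first_failure: Optional[str] = None
    failure_phase: Optional[str] = None
    status: Optional[str] = None
    events: List[str] = field(default_factory=list)


def _pki_body(raw: str) -> Optional[str]:
    """Strip the IOS timestamp; return the body only for CRYPTO_PKI / OCSP lines."""
    line = raw.strip()
    m = TIME_RE.match(line)
    body = m.group("body") if m else line
    return body if body.startswith(("CRYPTO_PKI", "OCSP:")) else None


def parse_debug(lines) -> Dict[str, PkiSession]:
    sessions: Dict[str, PkiSession] = {}
    current: Optional[PkiSession] = None
    for raw in lines:
        body = _pki_body(raw)
        if body is None:
            continue                      # ISAKMP, IPSEC, syslog and hex dump lines
        sm = SESSION_RE.match(body)
        if sm:
            current = sessions.setdefault(sm.group("sid"), PkiSession(sm.group("sid")))
            msg = sm.group("msg")
        elif current is None:
            continue                      # no session id seen yet; nothing to attach to
        else:
            # e.g. 'CRYPTO_PKI: Auth/subject key ids mismatch' carries no session id;
            # assumption: it belongs to the most recently started session.
            msg = body.split(": ", 1)[1] if ": " in body else body
        current.events.append(msg)
        if "Certificate is verified" in msg:
            current.chain_verified = True
        elif "Checking certificate revocation" in msg:
            current.phase = "revocation"
        elif "Starting OCSP revocation check" in msg:
            current.phase, current.method = "ocsp", "ocsp"
        u = URL_RE.search(msg)
        if u:
            current.ocsp_url = u.group("url")
        a = ANCHOR_RE.search(msg)
        if a:
            current.trustpoint, current.result = a.group("tp"), a.group("result")
        s = STATUS_RE.search(msg)
        if s:
            current.status = f"{s.group('code')} {s.group('name')}"
        if current.first_failure is None and any(k in msg for k in FAILURE_MARKERS):
            current.first_failure, current.failure_phase = msg, current.phase
    return sessions


def summarize(s: PkiSession) -> dict:
    return {"session": s.sid, "trustpoint": s.trustpoint, "chain_verified": s.chain_verified,
            "revocation_method": s.method, "ocsp_url": s.ocsp_url,
            "first_failure": s.first_failure, "failure_phase": s.failure_phase,
            "status": s.status, "result": s.result}


def triage(lines) -> List[dict]:
    return [summarize(s) for s in parse_debug(lines).values()]


# Lines copied from the R4 debug above (one ISAKMP line and one syslog kept to show filtering).
SAMPLE_DEBUG = """
Mar 14 02:26:46.519: ISAKMP:(0): processing vendor id payload
Mar 14 02:26:46.520: CRYPTO_PKI: (A00EC) Session started - identity not specified
Mar 14 02:26:46.523: CRYPTO_PKI: Added x509 peer certificate - (2106) bytes
Mar 14 02:26:46.524: CRYPTO_PKI: (A00EC)validation path has 2 certs
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Suitable trustpoint Network-Prim-CA-G2 is already trusted
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Certificate is verified
Mar 14 02:26:46.525: CRYPTO_PKI: (A00EC) Checking certificate revocation
Mar 14 02:26:46.525: CRYPTO_PKI: status = 0: poll CRL
Mar 14 02:26:46.527: OCSP: (A00EC) Process OCSP_VALIDATE message
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)Starting OCSP revocation check
Mar 14 02:26:46.527: CRYPTO_PKI: OCSP server URL is http://www.ocsp.company1.com/ocsp
Mar 14 02:26:46.527: CRYPTO_PKI: no responder matching this URL; create one!
Mar 14 02:26:46.527: CRYPTO_PKI: Auth/subject key ids mismatch
Mar 14 02:26:46.527: CRYPTO_PKI: failed to find signing cert in trusted or verified chains
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)unable to find a valid OCSP server. 1804
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC) OCSP revocation check is complete 1804
Mar 14 02:26:46.527: CRYPTO_PKI: status = 0x70C(E_VALIDITY : validity period start later than end): OCSP revocation check has failed.
Mar 14 02:26:46.527: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC)chain cert was anchored to trustpoint Network-Prim-CA-G2, and chain validation result was: CRYPTO_INVALID_CERT
Mar 14 02:26:46.527: CRYPTO_PKI: (A00EC) Certificate validation failed
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_DEBUG.splitlines()):
        for key, value in row.items():
            print(f"{key:>18}: {value}")
```

Run it over a saved debug capture (`python3 pki_triage.py < debug.txt` after swapping `SAMPLE_DEBUG.splitlines()` for `sys.stdin`) and compare the failing session against one from the working `crypto pki certificate validate` run: the field to look at is `failure_phase`, which for the R4 capture is `ocsp` with `chain_verified` already `True`, i.e. the signature chain was fine and the problem is confined to locating a trusted signing certificate for the OCSP stage.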
03-14-2019 02:32 PM