benolyndav
Participant

VPN messages

Hi 

We have a static VPN between 2 routers and the tunnel is up and down. I consoled onto one of the routers, ran a debug crypto ipsec and saw this message.

*Sep  9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload

I then issued show crypto pki certificate verbose and noticed that one of the certs had expired.

Is this what caused the error message?

Accepted Solution

@benolyndav 

Do you mean a branch router is the CA, running SCEP?

The router requesting the certificate would have a trustpoint configured with "enrollment url http://x.x.x.x" where x.x.x.x is the IP address of the router acting as the CA. Obviously the routers would need to be able to communicate with each other for the SCEP request to be sent/received.

This link might help you with using SCEP

17 Replies
Rob Ingram
VIP Mentor

Hi @benolyndav 

Possibly yes.

Do you have CRL checking enabled? You could consider disabling CRL checking temporarily, whilst you renew the cert.

Do the rest of the debug logs mention authentication failure?

Please provide the full ikev2 debugs for review.

Hi Rob.

This is all I have for debug. It's the remote router and the tunnel's not up, so I can't reach the CA to renew if needed.

Remote router revocation-check none

VPN-RTR.1(config)#

*Sep 9 15:20:20.983: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

VPN-RTR.1(config)#

*Sep 9 15:20:21.099: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

VPN-RTR.1(config)#

*Sep 9 15:20:21.399: [] -> [ACL automatic]: message ACL for always up maps

*Sep 9 15:20:21.399: [ACL automatic]: message = ACL for always up maps

*Sep 9 15:20:21.399: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

*Sep 9 15:20:21.399: [] -> [ACL automatic]: message ACL for always up maps

*Sep 9 15:20:21.399: [ACL automatic]: message = ACL for always up maps

*Sep 9 15:20:21.399: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

VPN-RTR.1(config)#

*Sep 9 15:20:32.663: [] -> [ACL automatic]: message ACL for always up maps

*Sep 9 15:20:32.663: [ACL automatic]: message = ACL for always up maps

*Sep 9 15:20:32.663: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

*Sep 9 15:20:32.715: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request

VPN-RTR.1(config)#

*Sep 9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload

VPN-RTR.1(config)#

*Sep 9 15:20:34.199: [] -> [ACL automatic]: message ACL for always up maps

*Sep 9 15:20:34.199: [ACL automatic]: message = ACL for always up maps

*Sep 9 15:20:34.199: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

@benolyndav Actually disabling CRL checking won't do it, but you can configure the router to ignore expired certificates.

Ignoring Expired Certificates

To configure your router to ignore expired certificates, enter the match certificate command with the allow expired-certificate keyword. This command has the following purposes:

• If the certificate of a peer has expired, this command may be used to "allow" the expired certificate until the peer can obtain a new certificate.

• If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This command may be used to allow the certificate of the peer even though your router clock is not set.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-cfg-auth-rev-cert.html
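As an added worked example (not from the thread or from Cisco's documentation), the Python below ties the NEG_ABORT reasons from the debug output above to the local certificate's validity window: it parses a constructed "show crypto pki certificates" excerpt, classifies the certificate against a supplied router clock, and flags when "match certificate ... allow expired-certificate" applies. The sample data is constructed, the time zone is assumed to be UTC, and the IKEv2 log lines copy the ones the spoke router printed.

```python
import re
from datetime import datetime

# Constructed sample data: the NEG_ABORT lines mirror the spoke router's log above;
# the certificate excerpt follows the 'show crypto pki certificates' layout.
LOG = """\
*Sep 9 15:20:21.099: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
*Sep 9 15:20:21.399: [ACL automatic]: message = ACL for always up maps
*Sep 9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload
""".splitlines()
SHOW_CERT = """\
  Validity Date:
    start date: 00:00:00 UTC Sep 10 2019
    end   date: 00:00:00 UTC Sep 10 2020
"""
NEG_ABORT = re.compile(r"%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: (.+)$")
DATE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+\w+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")

def abort_reasons(lines):
    """Distinct NEG_ABORT reasons in order; '[ACL automatic]' chatter is skipped."""
    reasons = []
    for line in lines:
        m = NEG_ABORT.search(line)
        if m and m.group(1) not in reasons:
            reasons.append(m.group(1))
    return reasons

def validity_window(show_output):
    """Parse start/end dates; the time-zone token is ignored (UTC assumed)."""
    found = {}
    for m in DATE.finditer(show_output):
        found[m.group(1)] = datetime.strptime(" ".join(m.groups()[1:]), "%H:%M:%S %b %d %Y")
    return found["start"], found["end"]

def cert_state(start, end, clock):
    if clock < start:
        return "not-yet-valid"  # what an unset router clock makes a good cert look like
    if clock > end:
        return "expired"
    return "valid"

def diagnose(lines, show_output, clock):
    """Tie the abort reasons to the certificate window."""
    reasons = abort_reasons(lines)
    start, end = validity_window(show_output)
    state = cert_state(start, end, clock)
    cert_related = any("certificate" in r.lower() for r in reasons)
    # 'allow expired-certificate' covers expired AND not-yet-valid certs, so flag either state.
    return {"reasons": reasons, "state": state, "days_left": (end - clock).days,
            "allow_expired_helps": cert_related and state != "valid"}
```

Run diagnose() with the router's own clock (from "show clock") rather than the workstation's; a negative days_left on a live trustpoint is the cue to renew rather than to keep the exception in place.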

Hi Rob

The commands you suggested, will they have any impact on the current cert map?

crypto pki certificate map CRT_MAP 10
 subject-name co o = tvn hsn


Thanks

@benolyndav 

I've not personally used this command, but it's configured under the trustpoint and references the already existing certificate map. So I don't believe you need to change the certificate map, rather modify the trustpoint.

From the link previously provided:

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki certificate map label sequence-number
4. field-name match-criteria match-value
5. exit
6. crypto pki trustpoint name
7. Do one of the following:
   crl-cache none
   crl-cache delete-after time
8. match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]

Hi Rob

Have you ever done the cut and paste enrollment? I have just seen something online.

Thanks

@benolyndav are you referring to terminal enrollment of a new certificate? If so, then yes I have plenty of times.

Here is an example, go to the "Manual Enrollment" section, this will have the commands and steps to follow. The only difference is how or where you obtain the certificate from.

HTH

Hi Rob

Cheers for that.

The CA is our VPN router at the main site. Any idea of the process in this setup?

Thanks

Hi @benolyndav yes, check out the link below. Start from the "Manual Enrollment" section to generate the CSR, then take the CSR to the CA to sign the certificate, and take the signed certificate back to the spoke router to import.

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/211333-IOS-PKI-Deployment-Guide-Initial-Design.html#anc36

Hi Rob

I tried the two options but they didn't work, I'm afraid. I was getting different output on the 800 series router at the spoke site.

I have an idea which I would like some advice on, please.

The spoke router has 2 tunnel interfaces which peer with 2 different VPN routers at both our DCs. I was thinking about creating new IKE policies/profiles etc. and using a pre-shared key for auth, and applying the new profile to one of the tunnels only. I can get an engineer to console in and WebEx me so I can take control. Once this tunnel is up using the new policy/profile, could I use this tunnel to re-enroll for a new cert?

Also, what do I do about old certs on branch and spoke routers? Do they need deleting?

 

Thanks as always Rob

@benolyndav 

If you provide the output of when you run those commands I can see what the problem was. You could also provide the output of "show crypto pki certificates". Send via DM if you don't want to share publicly.

Well if you create another tunnel interface with a PSK that will get a tunnel up, but it makes no difference if you are using the terminal enrollment (copy and paste) method, the only benefit would be if you were using SCEP and the SCEP server was only reachable over the private IP address.

Hi Rob

When I ran the import command on the spoke I was getting a message saying shadow enrollment will continue in the background. I don't have the exact message; I saved it on my work laptop.

So, as we point to the branch router with the enrollment url statement, would I be able to use the new tunnel using PSK to request another cert?

Thanks

@benolyndav 

Sounds like there was already another certificate enrollment in process on the spoke?

If you are using an enrollment url then that is SCEP, so yes once the VPN is established using the PSK tunnel, you should be able to route to the SCEP server and complete the certificate enrollment process.

HTH

Hi Rob

So I see the cert on the spoke that has expired, and I see the authentication and certificate errors in the logs.

Aren't these routers supposed to auto-enroll when the expiration date is approaching?

Thanks