09-09-2021 12:43 PM
Hi
We have a static VPN between 2 routers and the tunnel is up and down. I consoled onto one of the routers and ran a debug crypto ipsec and saw this message.
*Sep 9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload
I then issued "show crypto pki certificate verbose" and noticed that one of the certs had expired.
Is this what caused the error message?
09-11-2021 08:00 AM
Do you mean a branch router is the CA, running SCEP?
The router requesting the certificate would have a trustpoint configured with "enrollment url http://x.x.x.x" where x.x.x.x is the IP address of the router acting as the CA. Obviously the routers would need to be able to communicate with each other for the SCEP request to be sent/received.
This link might help you with using SCEP.
09-09-2021 12:51 PM - edited 09-09-2021 12:55 PM
Hi @benolyndav
Possibly yes.
Do you have CRL checking enabled? You could consider disabling CRL checking temporarily, whilst you renew the cert.
Do the rest of the debug logs mention authentication failure?
Please provide the full ikev2 debugs for review.
09-09-2021 01:13 PM - edited 09-09-2021 01:26 PM
Hi Rob.
This is all I have for debug; it's the remote router and the tunnel's not up, so I can't reach the CA to renew if needed.
Remote router: revocation-check none
VPN-RTR.1(config)#
*Sep 9 15:20:20.983: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535
VPN-RTR.1(config)#
*Sep 9 15:20:21.099: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
VPN-RTR.1(config)#
*Sep 9 15:20:21.399: [] -> [ACL automatic]: message ACL for always up maps
*Sep 9 15:20:21.399: [ACL automatic]: message = ACL for always up maps
*Sep 9 15:20:21.399: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
*Sep 9 15:20:21.399: [] -> [ACL automatic]: message ACL for always up maps
*Sep 9 15:20:21.399: [ACL automatic]: message = ACL for always up maps
*Sep 9 15:20:21.399: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
VPN-RTR.1(config)#
*Sep 9 15:20:32.663: [] -> [ACL automatic]: message ACL for always up maps
*Sep 9 15:20:32.663: [ACL automatic]: message = ACL for always up maps
*Sep 9 15:20:32.663: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
*Sep 9 15:20:32.715: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
VPN-RTR.1(config)#
*Sep 9 15:20:32.787: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to build certificate payload
VPN-RTR.1(config)#
*Sep 9 15:20:34.199: [] -> [ACL automatic]: message ACL for always up maps
*Sep 9 15:20:34.199: [ACL automatic]: message = ACL for always up maps
*Sep 9 15:20:34.199: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
09-09-2021 01:29 PM
@benolyndav actually disabling CRL checking won't do it, but you can configure the router to ignore expired certificates
To configure your router to ignore expired certificates, enter the match certificate command with the allow expired-certificate keyword. This command has the following purposes:
If the certificate of a peer has expired, this command may be used to “allow” the expired certificate until the peer can obtain a new certificate.
If your router clock has not yet been set to the correct time, the certificate of a peer will appear to be not yet valid until the clock is set. This command may be used to allow the certificate of the peer even though your router clock is not set.
09-09-2021 02:28 PM
Hi Rob
The commands you suggested, will they have any impact on the current cert map?
crypto pki certificate map CRT_MAP 10
subject-name co o = tvn hsn
Thanks
09-09-2021 11:45 PM
I've not personally used this command, but it's configured under the trustpoint and references the already existing certificate map. So I don't believe you need to change the certificate map, rather modify the trustpoint.
From the link previously provided:
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki certificate map label sequence-number
4. field-name match-criteria match-value
5. exit
6. crypto pki trustpoint name
7. Do one of the following:
crl-cache none
crl-cache delete-after time
8. match certificate certificate-map-label [allow expired-certificate | skip revocation-check | skip authorization-check]
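Putting those summary steps together for the certificate map quoted earlier in the thread, as an added example that is not from the original posts or from the linked Cisco documentation. The certificate map name and subject-name line are the ones the poster showed; the trustpoint name SPOKE-TP and the CA address 10.0.0.1 are assumptions.

```ios
! Certificate map already present on the spoke (as quoted in the thread); it stays unchanged
crypto pki certificate map CRT_MAP 10
 subject-name co o = tvn hsn
!
! Trustpoint: the name SPOKE-TP and the CA URL are assumptions for this example
crypto pki trustpoint SPOKE-TP
 enrollment url http://10.0.0.1:80
 revocation-check none
 ! Accept a peer certificate that matches CRT_MAP even though its validity
 ! period has ended; remove this line once the peer's certificate is renewed
 match certificate CRT_MAP allow expired-certificate
!
! Check (exec mode): confirm which certificates are loaded and their validity dates
show crypto pki certificates verbose
show crypto pki trustpoints status
```

The match statement only relaxes how this router validates the certificate a peer presents; it renews nothing, and if the expired certificate is this router's own identity certificate, it still has to re-enroll. Treat it as a temporary measure and take it out again after the renewal.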
09-10-2021 01:11 AM
Hi Rob
Have you ever done the cut-and-paste enrollment? I have just seen something online.
thanks
09-10-2021 01:16 AM
@benolyndav are you referring to terminal enrollment of a new certificate? If so, then yes I have plenty of times.
Here is an example, go to the "Manual Enrollment" section, this will have the commands and steps to follow. The only difference is how or where you obtain the certificate from.
HTH
09-10-2021 01:49 AM
Hi Rob
Cheers for that
The CA is our VPN router at the main site; any idea of the process in this setup?
Thanks
09-10-2021 01:55 AM
Hi @benolyndav yes, check out this link below, start from the "Manual Enrollment" section to generate the CSR, then you take the CSR to the CA to sign the certificate, you take the signed certificate back to the spoke router to import.
09-11-2021 05:33 AM
Hi Rob
I tried the two options but they didn't work I'm afraid; I was getting different output on the 800 series router at the spoke site.
I have an idea which i would like some advice on please.
The spoke router has 2 tunnel interfaces which peer with 2 different VPN routers at both our DCs. I was thinking about creating new IKE policies/profiles etc. and using a pre-shared key for auth, and applying the new profile to one of the tunnels only. I can get an engineer to console in and WebEx me so I can take control. Once this tunnel is up using the new policy/profile, could I use this tunnel to re-enroll for a new cert?
Also, what do I do about old certs on the branch and spoke routers, do they need deleting?
Thanks as always Rob
09-11-2021 05:45 AM
If you provide the output from when you run those commands I can see what the problem was. You could also provide the output of "show crypto pki certificates". Send via DM if you don't want to share publicly.
Well if you create another tunnel interface with a PSK that will get a tunnel up, but it makes no difference if you are using the terminal enrollment (copy and paste) method, the only benefit would be if you were using SCEP and the SCEP server was only reachable over the private IP address.
09-11-2021 06:24 AM
Hi Rob
When I ran the import command on the spoke I was getting a message saying shadow enrollment will continue in the background. I don't have the exact message; I saved it on my work laptop.
So as we point to the branch router with the enrollment url statement, would I be able to use the new tunnel using PSK to request another cert?
Thanks
09-11-2021 06:28 AM
Sounds like there was already another certificate enrollment in process on the spoke?
If you are using an enrollment url then that is SCEP, so yes once the VPN is established using the PSK tunnel, you should be able to route to the SCEP server and complete the certificate enrollment process.
HTH
09-11-2021 06:33 AM - edited 09-11-2021 06:34 AM
Hi Rob
So I see the cert on the spoke that has expired and I see the authentication and certificate errors in the logs.
Aren't these routers supposed to auto-enroll when the expiration date is approaching?
Thanks
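For the SCEP enrollment described in the solution ("enrollment url http://x.x.x.x") and the auto-enrollment question in the last post, here is an added example of the spoke-side trustpoint as a practitioner would configure it; it is not from the original thread or from Cisco's documentation. The trustpoint name SPOKE-TP, key label SPOKE-KEY, CA address 10.0.0.1 and subject-name are assumptions; the hostname VPN-RTR.1 is taken from the debug output earlier in the thread.

```ios
! Spoke trustpoint pointing at the IOS CA over SCEP (names and address are assumptions)
crypto pki trustpoint SPOKE-TP
 enrollment url http://10.0.0.1:80
 subject-name O=tvn hsn,CN=VPN-RTR.1
 rsakeypair SPOKE-KEY 2048
 revocation-check none
 ! Auto-enrollment is not on by default: request a new certificate when 70% of the
 ! current certificate's lifetime has passed, and generate a fresh key pair at that time
 auto-enroll 70 regenerate
!
! Manual (re-)enrollment from exec mode when the router did not auto-enroll in time:
! first authenticate (import) the CA certificate, then request the identity certificate
crypto pki authenticate SPOKE-TP
crypto pki enroll SPOKE-TP
!
! Verify: validity dates of the new certificate and the trustpoint's renewal state
show crypto pki certificates verbose
show crypto pki trustpoints status
```

Two caveats that follow from the thread: SCEP needs HTTP reachability to the CA, so if the CA at the main site is only reachable through the tunnel, the enrollment has to happen while a tunnel (for instance the PSK one suggested above) is up; and both auto-enroll and the validity check that produced the errors depend on the router clock being correct, so keep the spoke synchronised to a time source.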