cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
850
Views
5
Helpful
3
Replies
nolanc
Beginner

VPN Tunnel Using Certificates Not Finding Certificates in trustpoint

This is my First time posting here so sorry if may be unclear in any way.

 

I am trying to setup a test a test VPN configuration using certificates. The CA that was used to obtain the certificates was not a Cisco CA but a custom CA. When the routers try to establish IKE I am unable to get passed the certificate validation portion. I have a trustpoint Test Intermediate CA which also contains the device x509. I also have a trustpoint for the Root CA; however, the debugs show that the  peer is asking for these certs but they cannot be found.

3 REPLIES 3
Rob Ingram
VIP Mentor

Hi,

Have you authenticated and enrolled the certificate on the router?

Can you provide the output of "show crypto pki certificates"

 

Ta

Yes I did authenticate via EST which enrolled the device and gave me the Intermediate certificate as well as the x509 device certificate. I am not able to do a show crypto pki certificates command right now because I'm not currently able to use the router at my current location. However I did provide the trustpoints showing that the certificates are there (i cut the certificate data to shorten things).

 

Root CA

crypto pki certificate chain test-root-ca

 certificate ca 01

  3082037D…<long cert data>

 

Intermediate CA + x509 cert

crypto pki certificate chain tp-rsa2048-est

 certificate 0832

  308204A3…<long cert data>

        quit

 certificate ca 0591

  308204B8…<long cert data>

        quit

I looked again at the certificates on the router and I guess the device cert was no longer in the trustpoint so i re-issued the certificate via EST and received a knew device certificate.

 

I then tried to setup the connection again, but I am getting cannot build certificate chain.

 

 

 

CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.808: ISAKMP: (1477):PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Jul 6 01:05:39.809: ISAKMP: (1477):SA is doing
Jul 6 01:05:39.809: ISAKMP: (1477):RSA signature authentication using id type ID_IPV4_ADDR
Jul 6 01:05:39.809: ISAKMP: (1477):ID payload
next-payload : 6
type : 1
Jul 6 01:05:39.809: ISAKMP: (1477): address : 192.168.81.133
Jul 6 01:05:39.809: ISAKMP: (1477): protocol : 17
port : 500
length : 12
Jul 6 01:05:39.809: ISAKMP: (1477):Total payload length: 12
Jul 6 01:05:39.809: ISAKMP: (1477):IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP: (1477):PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):unable to build cert chain
Jul 6 01:05:39.810: ISAKMP-ERROR: (1477):(1477): FSM action returned error: 2

Content for Community-Ad