Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
850
Views
5
Helpful
3
Replies
nolanc
Beginner
Beginner
‎07-03-2018 07:17 PM
‎07-03-2018 07:17 PM

VPN Tunnel Using Certificates Not Finding Certificates in trustpoint

This is my First time posting here so sorry if may be unclear in any way.

 

I am trying to setup a test a test VPN configuration using certificates. The CA that was used to obtain the certificates was not a Cisco CA but a custom CA. When the routers try to establish IKE I am unable to get passed the certificate validation portion. I have a trustpoint Test Intermediate CA which also contains the device x509. I also have a trustpoint for the Root CA; however, the debugs show that the  peer is asking for these certs but they cannot be found.

Labels:
Preview file
13 KB
Preview file
12 KB
0 Helpful
3 REPLIES 3
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
‎07-04-2018 01:04 AM
‎07-04-2018 01:04 AM

Hi,

Have you authenticated and enrolled the certificate on the router?

Can you provide the output of "show crypto pki certificates"

 

Ta

nolanc
Beginner
Beginner
In response to Rob Ingram
‎07-04-2018 02:46 PM
‎07-04-2018 02:46 PM

Yes I did authenticate via EST which enrolled the device and gave me the Intermediate certificate as well as the x509 device certificate. I am not able to do a show crypto pki certificates command right now because I'm not currently able to use the router at my current location. However I did provide the trustpoints showing that the certificates are there (i cut the certificate data to shorten things).

 

Root CA

crypto pki certificate chain test-root-ca

 certificate ca 01

  3082037D…<long cert data>

 

Intermediate CA + x509 cert

crypto pki certificate chain tp-rsa2048-est

 certificate 0832

  308204A3…<long cert data>

        quit

 certificate ca 0591

  308204B8…<long cert data>

        quit

0 Helpful
nolanc
Beginner
Beginner
In response to Rob Ingram
‎07-05-2018 07:15 PM
‎07-05-2018 07:15 PM

I looked again at the certificates on the router and I guess the device cert was no longer in the trustpoint so i re-issued the certificate via EST and received a knew device certificate.

 

I then tried to setup the connection again, but I am getting cannot build certificate chain.

 

 

 

CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.808: ISAKMP: (1477):PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Jul 6 01:05:39.809: ISAKMP: (1477):SA is doing
Jul 6 01:05:39.809: ISAKMP: (1477):RSA signature authentication using id type ID_IPV4_ADDR
Jul 6 01:05:39.809: ISAKMP: (1477):ID payload
next-payload : 6
type : 1
Jul 6 01:05:39.809: ISAKMP: (1477): address : 192.168.81.133
Jul 6 01:05:39.809: ISAKMP: (1477): protocol : 17
port : 500
length : 12
Jul 6 01:05:39.809: ISAKMP: (1477):Total payload length: 12
Jul 6 01:05:39.809: ISAKMP: (1477):IKE->PKI Get CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP: (1477):PKI->IKE Got CertificateChain to be sent to peer state (I) MM_KEY_EXCH (peer 192.168.81.134)
Jul 6 01:05:39.809: ISAKMP-ERROR: (1477):unable to build cert chain
Jul 6 01:05:39.810: ISAKMP-ERROR: (1477):(1477): FSM action returned error: 2

Preview file
3 KB
Preview file
11 KB
0 Helpful
Latest Contents
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
IntroductionPrerequisitesConfiguration Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
FMC API | ACP - Delete disabled rules and generate report.
Created by Anupam Pavithran on 05-06-2021 06:48 AM
0
5
0
5
A python based script to generate report if there are disabled rules under an Access Control Policy and an option to delete those rules in bulk.   Preparation Step 1 Download the script on PCStep 2 Make sure python3 is installed on PC and have reach... view more
FMC API | ACP Double logging detection and mitigation script
Created by Anupam Pavithran on 05-06-2021 06:09 AM
0
5
0
5
A python based script to generate report if there are double logging on FMC ACP (logging at beginning and end), having rule action "Allow" or "Trust". (Option1 ) Also, the logging at the begging will be disabled if logging is detected for both beginning ... view more
Content for Community-Ad