I can see from the config that sec-r1 has not received a certificate from the ca. It looks like sec-r1 has authenticated the ca. I can see this because of the following:

crypto pki certificate chain LABEL1
 certificate ca 01
  .....

You can see from sec-r4 that it has authenticated the ca and has received the cert from the ca:

crypto pki certificate chain LABEL1
 certificate 03
  .... (this is the certificate received from the ca, showing you enrolled your router with the ca)
 certificate ca 01
  .... (this is the certificate of the ca, showing you authenticated the ca)

Did you enroll sec-r1 with the ca using the enroll command:

crypto ca enroll LABEL1

Verify sec-r1 has also synced via ntp to sec-r3.

If you are still having trouble, you need to investigate why sec-r1 is not receiving a certificate from the ca. I am not sure which debug you need, but play around with the debug crypto pki commands on the ca router and try to enroll your router.

_____
From: [email protected] [mailto:[email protected]] On Behalf Of arun et
Sent: Thursday, July 23, 2009 8:45 PM
To: [email protected]
Subject: [OSL | CCIE_Security] IPSEC site to site VPN with CISCO IOS CA

Dear Group

I was trying to do an IPSEC site to site VPN with CISCO IOS CA

R1 - R2 - R3
R2 IS THE IOS CA

SEC-R1#
Current configuration : 2839 bytes
!
! Last configuration change at 10:59:23 UTC Thu Jul 23 2009
! NVRAM config last updated at 10:11:31 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name cisco.com
!
crypto pki trustpoint LABEL1
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://3.3.3.1:80
 revocation-check none
!
crypto pki certificate chain LABEL1
 certificate ca 01
  30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17 0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31 1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24 4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53 F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44 76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E 983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98 3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC 6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE 1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949 29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03 443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
  quit
!
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 3600
!
crypto ipsec transform-set t-set esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.34.4
 set transform-set t-set
 match address 100
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.56.58 255.255.0.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 2.2.13.1 255.255.255.0
 no fair-queue
 clock rate 2000000
 crypto map CMAP
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 134
 network 1.0.0.0
 network 2.0.0.0
 auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
ntp clock-period 17179411
ntp server 3.3.3.1
end

SEC-R1#

SEC-R3#sh runn
Building configuration...

Current configuration : 2719 bytes
!
! Last configuration change at 11:03:50 UTC Thu Jul 23 2009
! NVRAM config last updated at 09:23:38 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name cisco.com
!
voice-card 0
 no dspfarm
!
crypto pki server LABEL1
 issuer-name CN=INZ L=BLR C=INDIA
 grant ra-auto
 lifetime crl 48
 lifetime certificate 200
 lifetime ca-certificate 365
 cdp-url http://3.3.3.1/cdp.cisco.crl
!
crypto pki trustpoint LABEL1
 revocation-check crl
 rsakeypair LABEL1
!
crypto pki certificate chain LABEL1
 certificate ca 01
  30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17 0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31 1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24 4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53 F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44 76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E 983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98 3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC 6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE 1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949 29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03 443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
  quit
!
interface Loopback0
 ip address 3.3.3.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface Serial0/0/0
 ip address 2.2.13.3 255.255.255.0
 no fair-queue
!
interface Serial0/0/1
 ip address 2.2.34.3 255.255.255.0
 clock rate 2000000
!
router eigrp 134
 network 2.0.0.0
 network 3.0.0.0
 auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
ntp source Loopback0
ntp master 1
!
end

SEC-R3#

SEC-R4#sh runn
Building configuration...

Current configuration : 4313 bytes
!
! Last configuration change at 11:00:20 UTC Thu Jul 23 2009
! NVRAM config last updated at 09:23:48 UTC Thu Jul 23 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name cisco.com
!
crypto pki trustpoint LABEL1
 enrollment retry count 5
 enrollment retry period 3
 enrollment url http://3.3.3.1:80
 revocation-check none
!
crypto pki certificate chain LABEL1
 certificate 03
  30820231 3082019A A0030201 02020103 300D0609 2A864886 F70D0101 04050030 1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17 0D303930 37323331 30343435 335A170D 31303032 30383130 34343533 5A302131 1F301D06 092A8648 86F70D01 09021610 5345432D 52342E63 6973636F 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB3904 03AB1F90 84F683EC 23BA5358 EB247403 08208B05 E36E5B57 F50EBC2A 866F57EA F5A1986D 79B2FEA2 3D9733F0 2AF4B95F A7CCF387 461E71AE E14F8C8D 7F5507AD 61E168FA 45FCEC67 26575182 3CD618D2 27917BC3 5D74A6A1 489071FE F6E1B073 3C329DDB C3F9E37D 69B6290C DDF1854F BE345F01 29DB69D4 C06DFF85 31020301 0001A37E 307C302D 0603551D 1F042630 243022A0 20A01E86 1C687474 703A2F2F 332E332E 332E312F 6364702E 63697363 6F2E6372 6C300B06 03551D0F 04040302 05A0301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E 983C7D30 1D060355 1D0E0416 04142025 42787AEF 86306764 589D77B9 6540415F D95F300D 06092A86 4886F70D 01010405 00038181 0030156F 34DA1938 07D93A67 8DC459AF FE909D53 17673665 496B0013 E03CA242 2BEEFA7A 7194F930 BEF9C371 2486DCBC EB9C6A04 964CA0C9 018B0F41 6602539E 9D3C5BE6 796969A6 6C5F9A9A ADB8BE0B 7F169220 89F437F0 DAEF3014 75601BA1 093555EB E28297A3 BB92AF16 80CF3090 BDAF8A8D 3D98FEA6 00126128 4E4DFA1F B8
  quit
 certificate ca 01
  30820211 3082017A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 1C311A30 18060355 04031311 494E5A20 4C3D424C 5220433D 494E4449 41301E17 0D303930 37323330 39313730 375A170D 31303037 32333039 31373037 5A301C31 1A301806 03550403 1311494E 5A204C3D 424C5220 433D494E 44494130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 CC0B0243 A34FCB24 4C8AB9F6 5642C8C0 BDAC1067 95D0F935 4145808D 821B20EA EBE89294 F54A1E53 F68D9767 B1A954A4 7857C44C 1D4ED24B 2C73FCF2 93D55785 DD1EC3FC 7B9BEA44 76EE914E E8319214 087182F4 9EE2CDFE B14E703A 61F2B355 23F07723 D8271D0E B02187A7 96A8A2A3 FCF9A0B0 7B0E5C9B C3D2222F F22E9B9D 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801479 06CA5A2F 52D74716 A62C848C 5BEE162E 983C7D30 1D060355 1D0E0416 04147906 CA5A2F52 D74716A6 2C848C5B EE162E98 3C7D300D 06092A86 4886F70D 01010405 00038181 0063FFF8 F3B53BD5 F1270DAC 6F4759BD 95BFAE8D 9315B691 5B29313C 925A657B 23BD1097 00C9EF74 B4BB36BE 1C2DD91A 65DC7D82 EC3D47E1 94DF075C 8BD2BE4C BCF3D6E6 967845D4 3BEF2949 29DA69F5 E7D02861 750E8ED1 A2CD0D4E 19A8DB00 CE028B8E 1CB2B403 A8D19E03 443CF376 BF7E9FCE D34F81FF 646D148F EBF1E7A2 73
  quit
!
crypto isakmp policy 4
 encr 3des
 group 2
 lifetime 3600
!
crypto ipsec transform-set t-set esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.13.1
 set transform-set t-set
 match address 100
!
interface Loopback0
 ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.56.58 255.255.0.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Serial0/1/0
 no ip address
 no fair-queue
 clock rate 2000000
!
interface Serial0/1/1
 ip address 2.2.34.4 255.255.255.0
 crypto map CMAP
!
interface Vlan1
 no ip address
!
router eigrp 134
 network 2.0.0.0
 network 4.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Serial0/1/1
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 4.4.4.0 0.0.0.255 1.1.1.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
ntp clock-period 17179013
ntp server 3.3.3.1
end

SEC-R4#$

Regards
AET
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
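An added example (my own script, not code from the thread) that performs the check the reply does by eye: it parses the crypto pki certificate chain block of a saved IOS config and reports whether the trustpoint holds a CA certificate (CA authenticated) and a serial-numbered router certificate (enrolled). The embedded configs are constructed abbreviations of SEC-R1 and SEC-R4 with the DER hex cut down to a placeholder.

```python
import re
# Constructed sample configs modelled on the SEC-R1 and SEC-R4 fragments in
# the thread; the DER hex bodies are cut down to a placeholder.
SAMPLE_CONFIGS = {
    "SEC-R1": """\
crypto pki trustpoint LABEL1
 enrollment url http://3.3.3.1:80
!
crypto pki certificate chain LABEL1
 certificate ca 01
  30820211 3082017A <placeholder>
  quit
""",
    "SEC-R4": """\
crypto pki trustpoint LABEL1
 enrollment url http://3.3.3.1:80
!
crypto pki certificate chain LABEL1
 certificate 03
  30820231 3082019A <placeholder>
  quit
 certificate ca 01
  30820211 3082017A <placeholder>
  quit
!
""",
}

def chain_entries(config):
    """Map each trustpoint label to the 'certificate ...' header lines in its chain."""
    chains, label = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto pki certificate chain (\S+)", line)
        if m:
            label = m.group(1)
            chains[label] = []
        elif label and line.startswith(" certificate "):
            chains[label].append(line.strip())
        elif label and not line.startswith(" "):  # '!' or next top-level command
            label = None
    return chains

def enrollment_state(config, label):
    """CA cert => authenticated; serial-numbered cert => enrolled ('self-signed' is neither)."""
    entries = chain_entries(config).get(label, [])
    return {
        "authenticated": any(e.startswith("certificate ca ") for e in entries),
        "enrolled": any(re.fullmatch(r"certificate [0-9a-f]+", e, re.I) for e in entries),
    }
```

For SEC-R1 the result is authenticated but not enrolled, which is exactly the state the reply points out; SEC-R4 reports both.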
