I was left scratching my head over this for a couple of days myself.
Sent from my iPhone
On 6 Aug 2009, at 17:24, "Shawn H Mesiatowsky"
<[email protected]> wrote:
Ah, thanks. This worked like a charm. I didn't think of that, because
I tried to authenticate and enroll on the existing trustpoint (but
the router would not let me, complaining with some errors). It
looked like the trustpoint was created when creating the CA, so I
assumed the router was auto-enrolled. It seems so simple to create
a new trustpoint; I just couldn't see the solution right in front of
my face.
From: Stuart Hare [mailto:[email protected]]
Sent: Thursday, August 06, 2009 10:08 AM
To: Shawn H Mesiatowsky
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GetVPN and using digital certs
Shawn
Your issue is that the key server needs to enroll to itself for a digital
certificate.
Create a new trustpoint on the CA/KS with a different name and auth/
enrol to it.
(Copy the trustpoint from the GM, for instance, but change the name.)
Your ISAKMP is failing as it can't authenticate.
Your rekeying for GDOI won't work yet either, as you need to configure
rekey authentication using your mypubkey under the group.
HTH
Stu
2009/8/6 Shawn H Mesiatowsky <[email protected]>
I have two routers acting as GDOI members and I have one router acting
as a key server. The router acting as a key server is also a CA.
Here are my configs:
key server and CA:
crypto pki server IOSCA
issuer-name c=CA,cn=iosca.digitalcortex.local,l=calgary
grant auto
database url flash:
!
crypto pki trustpoint IOSCA
revocation-check crl
rsakeypair IOSCA
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
!
crypto ipsec profile get1
set transform-set trans1
!
crypto gdoi group group1
identity number 1
server local
! Incomplete unicast rekey configuration
! Rekey authentication is not configured
rekey retransmit 10 number 2
rekey transport unicast
sa ipsec 1
profile get1
match address ipv4 101
replay counter window-size 64
address ipv4 172.16.113.2
!
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
GDOI members:
crypto pki trustpoint IOSCA
enrollment url http://172.16.113.2:80
revocation-check crl
crypto isakmp policy 1
encr 3des
group 2
!
crypto gdoi group group1
identity number 1
server address ipv4 172.16.113.2
!
!
crypto map mymap 10 gdoi
set group group1
!
interface Serial0/0
ip address 172.16.2.2 255.255.255.0
encapsulation frame-relay
frame-relay lmi-type cisco
crypto map mymap
The clocks are all synced with NTP and I was able to get certificates
from the CA on the GDOI members. I think the issue I am having is
due to the fact that the CA is on the same router as the key server.
I would like to get this working. Is there something I must do to
make the key server recognize the fact that the trustpoint is the
router itself? Here is an excerpt from the logs on the key server. It
seems the key server does not like the certificate supplied by the
member router.
Aug 6 13:41:54.505: ISAKMP:(0): processing KE payload. message ID = 0
Aug 6 13:41:54.649: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 6 13:41:54.653: ISAKMP:(1004): processing CERT_REQ payload. message ID = 0
Aug 6 13:41:54.653: ISAKMP:(1004): peer wants a CT_X509_SIGNATURE cert
Aug 6 13:41:54.653: ISAKMP:(1004): peer wants cert issued by c=CA,cn=iosca.digitalcortex.local,l=calgary
Aug 6 13:41:54.653: ISAKMP:(1004): issuer name is not a trusted root.
Aug 6 13:41:54.653: ISAKMP:(1004): processing vendor id payload
Aug 6 13:41:54.653: ISAKMP:(1004): vendor ID is Unity
Aug 6 13:41:54.657: ISAKMP:(1004): processing vendor id payload
Aug 6 13:41:54.657: ISAKMP:(1004): vendor ID is DPD
Aug 6 13:41:54.657: ISAKMP:(1004): processing vendor id payload
Aug 6 13:41:54.657: ISAKMP:(1004): speaking to another IOS box!
Aug 6 13:41:54.657: ISAKMP:received payload type 20
Aug 6 13:41:54.657: ISAKMP:received payload type 20
Aug 6 13:41:54.657: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 6 13:41:54.657: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM3
Aug 6 13:41:54.661: ISAKMP (0:1004): constructing CERT_REQ for issuer c=CA,cn=iosca.digitalcortex.local,l=calgary
Aug 6 13:41:54.665: ISAKMP:(1004): sending packet to 172.16.2.2 my_port 848 peer_port 848 (R) MM_KEY_EXCH
Aug 6 13:41:54.665: ISAKMP:(1004):Sending an IKE IPv4 Packet.
Aug 6 13:41:54.665: ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 6 13:41:54.665: ISAKMP:(1004):Old State = IKE_R_MM3 New State = IKE_R_MM4
Aug 6 13:41:55.150: ISAKMP (0:1004): received packet from 172.16.2.2 dport 848 sport 848 Global (R) MM_KEY_EXCH
Aug 6 13:41:55.154: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 6 13:41:55.154: ISAKMP:(1004):Old State = IKE_R_MM4 New State = IKE_R_MM5
Aug 6 13:41:55.154: ISAKMP:(1004): processing ID payload. message ID = 0
Aug 6 13:41:55.154: ISAKMP (0:1004): ID payload
    next-payload : 6
    type : 2
    FQDN name : 2651-b.digitalcortex.local
    protocol : 17
    port : 848
    length : 34
Aug 6 13:41:55.158: ISAKMP:(0):: peer matches *none* of the profiles
Aug 6 13:41:55.158: ISAKMP:(1004): processing CERT payload. message ID = 0
Aug 6 13:41:55.158: ISAKMP:(1004): processing a CT_X509_SIGNATURE cert
Aug 6 13:41:55.162: ISAKMP:(1004): peer's pubkey isn't cached
Aug 6 13:41:55.166: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.16.2.2 is bad: CA request failed!
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com
--
_________________________
Stuart Hare
[email protected]
_________________________
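For reference, here is what Stu's two suggestions look like put together on the key server. This is an added example, not a config posted by anyone in the thread: it keeps Shawn's IOSCA server and trustpoint as they are, adds a second client trustpoint that enrolls to the CA running on the same box, and adds the missing rekey authentication. The key labels KS_ID and GDOI_REKEY are made-up names; the address 172.16.113.2 and group1 come from the thread.

```ios
! Added example (not from the thread): key server that is also the IOS CA.
! Assumed names: KS_ID (identity key/trustpoint) and GDOI_REKEY (rekey key).
! The existing 'crypto pki server IOSCA' and 'crypto pki trustpoint IOSCA'
! stay exactly as posted; the IOSCA trustpoint belongs to the CA server and
! is not the one the router enrolls through.
!
! 1. Separate RSA pairs: one for the KS's own identity certificate,
!    one for signing GDOI rekey messages.
crypto key generate rsa general-keys label KS_ID modulus 2048
crypto key generate rsa general-keys label GDOI_REKEY modulus 2048
!
! 2. Second trustpoint, same shape as the GM's, different name.
!    It points at the SCEP URL of the CA on this same router.
crypto pki trustpoint KS_ID
 enrollment url http://172.16.113.2:80
 revocation-check crl
 rsakeypair KS_ID
!
! 3. From exec mode (the CA's SCEP interface needs 'ip http server'):
!    crypto pki authenticate KS_ID
!    crypto pki enroll KS_ID
!    With 'grant auto' on the CA the request is signed immediately.
!
! 4. Rekey authentication under the group, so GMs can verify rekeys.
crypto gdoi group group1
 identity number 1
 server local
  rekey authentication mypubkey rsa GDOI_REKEY
  rekey retransmit 10 number 2
  rekey transport unicast
  sa ipsec 1
   profile get1
   match address ipv4 101
   replay counter window-size 64
  address ipv4 172.16.113.2
!
! 5. Checks:
!    show crypto pki certificates KS_ID   -> CA cert plus an identity cert
!    show crypto gdoi ks rekey            -> rekey key present, no
!                                            "Rekey authentication is not
!                                            configured" warning in show run
```

Once the KS holds an identity certificate chained to IOSCA, the "issuer name is not a trusted root" / "CA request failed!" lines in the debug above should go away, because the KS can now both present a certificate and validate the GM's. One caveat when a router has more than one trustpoint: IOS picks the identity certificate to offer in IKE, so if you ever add a trustpoint for another CA, pin the right one with an ISAKMP profile and `ca trust-point`.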