Hi all, I was practicing going through some random IPSec VPN configurations to work on configuration speed, and I ran into something unexpected. I set up DMVPN with just 2 devices participating...a single hub and spoke.
The unusual part is that I used the DMVPN hub as the Cert Authority (CA) for the DMVPN Spoke. I busted through the configs for DMVPN, and then found that ISAKMP kept failing to negotiate using certificates. I changed to "auth pre-shared" and everything came up immediately, so I knew it was cert related. After reverting back to RSA-SIG auth mode, I found that the Hub kept stating that the Cert from the Spoke was "*bad*". Is this an unsupported configuration (using a DMVPN hub as a CA for the Spokes), is it a supported config that requires a unique configuration, or did I just fat finger something? I just redid the scenario using a non-DMVPN member as the CA, and everything worked immediately...no issues.

Thanks,
Jason
