On the DMVPN Hub, configure separate trustpoint and enroll to itself.

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Thu, Aug 23, 2012 at 11:32 AM, Jason Madsen <[email protected]> wrote:

> Hi all,
>
> I was practicing going through some random IPSec VPN configurations to
> work on configuration speed, and I ran into something unexpected. I set up
> DMVPN with just 2 devices participating...a single hub and spoke.
>
> The unusual part is that I used the DMVPN hub as the Cert Authority (CA)
> for the DMVPN Spoke. I busted through the configs for DMVPN, and then
> found that ISAKMP kept failing to negotiate using certificates. I changed
> to "auth pre-shared" and everything came up immediately, so I knew it was
> cert related.
>
> After reverting back to RSA-SIG auth mode, I found that the Hub kept
> stating that the Cert from the Spoke was "*bad*".
>
> Is this an unsupported configuration (using a DMVPN hub as a CA for the
> Spokes), is it a supported config that requires a unique configuration, or
> did I just fat finger something?
>
> I just redid the scenario using a non-DMVPN member as the CA, and
> everything worked immediately...no issues.
>
> Thanks,
> Jason
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
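The suggestion in the reply above, sketched as an added IOS configuration example that is not part of the original thread: the hub runs the CA server and also holds a second trustpoint that enrolls against its own CA, so it has an identity certificate to present for RSA-SIG. The names HUB-CA and HUB-ID, the subject name, and the address 192.0.2.1 (standing in for the hub's own reachable IP) are assumptions.

```cisco
! Added example. HUB-CA, HUB-ID, the CN values and 192.0.2.1 are constructed placeholders.
! The CA server needs a correct clock (NTP or "clock set") and the HTTP server for SCEP.
ip http server
!
! CA role: IOS creates a trustpoint named HUB-CA automatically to hold the CA certificate.
! "no shutdown" prompts interactively for a passphrase protecting the CA private key.
crypto pki server HUB-CA
 issuer-name CN=HUB-CA
 ! Lab convenience only: auto-grant signs every request that reaches the CA.
 grant auto
 no shutdown
!
! Identity role: a separate trustpoint whose enrollment URL points at the hub itself.
crypto pki trustpoint HUB-ID
 enrollment url http://192.0.2.1:80
 subject-name CN=hub.lab.example
 ! Lab setting: no CRL distribution point is configured in this sketch.
 revocation-check none
!
! Fetch and accept the CA certificate, then request the hub's identity certificate.
crypto pki authenticate HUB-ID
crypto pki enroll HUB-ID
!
! ISAKMP policy using certificate (RSA signature) authentication.
crypto isakmp policy 10
 authentication rsa-sig
!
! Verify from exec mode:
!   show crypto pki server
!   show crypto pki certificates HUB-ID
```

The spoke's trustpoint uses the same enrollment URL, so both peers end up with identity certificates issued by the same CA.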
