Isn't it the other way around? Jason says that the Hub doesn't trust the Spoke certificate. To me that means the Hub already has its identity certificate. Of course we don't know the content of the certificate store on the Hub and can't be 100% sure. But a similar scenario worked for me.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Wednesday, August 22, 2012 11:50 PM
To: Jason Madsen
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec VPN w RSA-SIG Using Cert Authority (CA) as one of the VPN Peers

On the DMVPN Hub, configure a separate trustpoint and enroll it to itself.

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Thu, Aug 23, 2012 at 11:32 AM, Jason Madsen <[email protected]> wrote:

Hi all,

I was practicing going through some random IPSec VPN configurations to work on configuration speed, and I ran into something unexpected. I set up DMVPN with just 2 devices participating: a single hub and spoke. The unusual part is that I used the DMVPN hub as the Cert Authority (CA) for the DMVPN Spoke. I busted through the configs for DMVPN, and then found that ISAKMP kept failing to negotiate using certificates. I changed to "auth pre-shared" and everything came up immediately, so I knew it was cert related. After reverting back to RSA-SIG auth mode, I found that the Hub kept stating that the Cert from the Spoke was "bad".

Is this an unsupported configuration (using a DMVPN hub as a CA for the Spokes), is it a supported config that requires a unique configuration, or did I just fat-finger something? I just redid the scenario using a non-DMVPN member as the CA, and everything worked immediately, no issues.

Thanks,
Jason

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
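The configuration Kingsley describes, written out as an added example (it is not from any message in the thread and not a config any poster shared). The point it illustrates: when an IOS router runs `crypto pki server`, the trustpoint that IOS creates automatically with the same name as the server holds only the CA certificate, so it cannot supply the router's own identity certificate for RSA-SIG. The hub therefore needs a second trustpoint that enrolls against its own CA over SCEP, exactly as a spoke would. Hostnames, the CA name LAB-CA, the trustpoint names, the domain lab.local and the address 10.0.0.1 are all assumptions for illustration.

```cisco
! ===== HUB: IOS CA server plus a SEPARATE identity trustpoint (assumed names) =====
hostname HUB
ip domain-name lab.local
! SCEP enrollment (including the hub enrolling to itself) runs over HTTP
ip http server
!
! The CA server. IOS auto-creates a trustpoint also named LAB-CA that holds
! ONLY the CA certificate; do not try to use it as the hub's identity.
crypto pki server LAB-CA
 issuer-name CN=LAB-CA
 grant auto
 no shutdown
! (no shutdown prompts for the CA key passphrase)
!
! Second trustpoint: the hub's own identity, enrolled against its own CA.
! 10.0.0.1 is the hub address reachable by the spokes (assumed).
crypto pki trustpoint HUB-ID
 enrollment url http://10.0.0.1:80
 subject-name CN=HUB.lab.local
 rsakeypair HUB-ID
 revocation-check none
!
! exec mode: fetch the CA cert, then request the identity cert
crypto pki authenticate HUB-ID
crypto pki enroll HUB-ID
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14

! ===== SPOKE: ordinary enrollment against the hub's CA (assumed names) =====
hostname SPOKE1
ip domain-name lab.local
!
crypto pki trustpoint LAB-CA
 enrollment url http://10.0.0.1:80
 subject-name CN=SPOKE1.lab.local
 rsakeypair SPOKE1
 revocation-check none
!
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
```

To check the result on the hub, `show crypto pki certificates` should list two certificates under HUB-ID (the CA certificate and an identity certificate issued by CN=LAB-CA) and only the CA certificate under LAB-CA; `show crypto pki server` confirms the server is enabled, and `debug crypto isakmp` on the hub shows whether the spoke's certificate now chains to a CA the hub trusts. `revocation-check none` is a lab shortcut: in a real deployment point the spokes at the CRL the IOS CA publishes rather than disabling the check.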
