His statement "The unusual part is that I used the DMVPN hub as the Cert Authority (CA) for the DMVPN Spoke"
People miss the one that I mentioned. If it's not that, then we should look for other issues.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Thu, Aug 23, 2012 at 1:08 PM, Eugene Pefti <[email protected]> wrote:
> Isn’t it the other way around?
>
> Jason says that Hub doesn’t trust the Spoke certificate. For me it means
> that Hub already has the identity certificate. Of course we don’t know the
> content of the certificate store from the Hub and can’t be 100% sure. But the
> similar scenario worked for me.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Wednesday, August 22, 2012 11:50 PM
> To: Jason Madsen
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IPSec VPN w RSA-SIG Using Cert Authority (CA) as one of the VPN Peers
>
> On the DMVPN Hub, configure separate trustpoint and enroll to itself.
>
> With regards
> Kings
> CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)
>
> On Thu, Aug 23, 2012 at 11:32 AM, Jason Madsen <[email protected]> wrote:
> > Hi all,
> >
> > I was practicing going through some random IPSec VPN configurations to
> > work on configuration speed, and I ran into something unexpected. I set up
> > DMVPN with just 2 devices participating...a single hub and spoke.
> >
> > The unusual part is that I used the DMVPN hub as the Cert Authority (CA)
> > for the DMVPN Spoke. I busted through the configs for DMVPN, and then
> > found that ISAKMP kept failing to negotiate using certificates. I changed
> > to "auth pre-shared" and everything came up immediately, so I knew it was
> > cert related.
> >
> > After reverting back to RSA-SIG auth mode, I found that the Hub kept
> > stating that the Cert from the Spoke was "bad".
> >
> > Is this an unsupported configuration (using a DMVPN hub as a CA for the
> > Spokes), is it a supported config that requires a unique configuration, or
> > did I just fat finger something?
> >
> > I just redid the scenario using a non-DMVPN member as the CA, and
> > everything worked immediately...no issues.
> >
> > Thanks,
> > Jason
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
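Worked configuration example, added here and not taken from any of the posts above. It follows Kings's advice: the hub runs the IOS CA server and also gets a separate trustpoint that enrolls to its own CA, so the hub holds an identity certificate to present during the RSA-SIG exchange rather than only the CA certificate. Hostnames, trustpoint names, key labels, the domain name and the hub address 10.0.0.1 are constructed placeholders; the commands are IOS 15.x syntax, and `grant auto` is a lab shortcut.

```cisco
! Added example (not from the thread). All names, addresses and key labels are constructed.
! ---------- DMVPN hub: IOS CA server (SCEP over HTTP) plus its own identity trustpoint ----------
hostname HUB
ip domain-name lab.example.test
ip http server
! exec mode: crypto key generate rsa label HUB-CA-KEYS modulus 2048
crypto pki server HUB-CA
 database level minimum
 issuer-name CN=HUB-CA,O=lab
 grant auto
 lifetime certificate 365
 lifetime ca-certificate 1825
 no shutdown
!
! Separate trustpoint: the hub enrolls to itself over SCEP. The trustpoint the CA
! server creates automatically (HUB-CA) only carries the CA certificate; this one
! receives the hub's router (identity) certificate that IKE RSA-SIG needs.
crypto pki trustpoint HUB-ID
 enrollment url http://10.0.0.1:80
 subject-name CN=hub.lab.example.test
 revocation-check none
 rsakeypair HUB-ID-KEYS 2048
! exec mode:
!   crypto pki authenticate HUB-ID
!   crypto pki enroll HUB-ID
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! ---------- Spoke: enrolls to the hub's CA ----------
hostname SPOKE1
ip domain-name lab.example.test
crypto pki trustpoint SPOKE-ID
 enrollment url http://10.0.0.1:80
 subject-name CN=spoke1.lab.example.test
 revocation-check none
 rsakeypair SPOKE-ID-KEYS 2048
! exec mode:
!   crypto pki authenticate SPOKE-ID
!   crypto pki enroll SPOKE-ID
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! ---------- Verification (both routers) ----------
!   show crypto pki certificates        -> expect a "Certificate" AND a "CA Certificate" per trustpoint
!   show crypto pki trustpoints status
!   debug crypto isakmp / debug crypto pki transactions while the tunnel is brought up
```

The check to run before blaming the spoke is `show crypto pki certificates` on the hub: under HUB-ID there should be both a CA Certificate and a router Certificate issued by HUB-CA. If the hub only has the CA certificate, it has nothing of its own to present in the IKE exchange, and the negotiation fails even though the spoke's certificate is valid.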
