Thanks Kings and Jason.
Johan Bornman Integrated Systems Consulting (Pty) Ltd Cell: 082 783 3635 On 23 Aug 2012, at 18:14, Jason Madsen <[email protected]> wrote: > Kings, > > You were right on! I'm VERY glad I ran into this and got your feedback, > thanks! > > I just recreated the scenario and was immediately getting "bad cert" messages > on the hub. I then created another Trust Point on the hub referencing > itself, authenticated, enrolled, and then IPSec came right up. > > I guess I'm a little confused regarding how Identity works regarding Certs.. > This is definitely one area I need to get a better mastery of. > > So, R1 was the Hub and CA in this scenario, and R2 was the Spoke. Prior to > the fix, I was seeing the following message on the Hub: > > > Mar 1 00:12:58.543: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from > 12.12.12.2 is bad: CA request failed! > > The fix consisted of creating another Trust Point on the Hub and getting a > new Cert from itself. Why did the symptoms seem to point toward the Spoke's > cert and not the Hub's cert, and what specifically was being seen as "bad"? > KInd of weird R1 would determine R2's cert as "bad" when it was the device > that issued the cert! > > Here's relevant config's and output from both devices, and the cert' store > for both devices before the fix: > > > R1 (Hub and CA): > > Mar 1 00:10:03.811: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from > 12.12.12.2 is bad: CA request failed! > ! > cryp isak pol 10 > enc aes > hash sha > auth rsa-sig > ! > crypto ipsec transform-set TS esp-aes esp-sha-hmac > ! > crypto ipsec profile PROF > set transform-set TS > interface FastEthernet0/0 > ip address 12.12.12.1 255.255.255.0 > ! > interface Tunnel9 > ip address 9.9.9.1 255.255.255.0 > no ip redirects > ip mtu 1440 > ip nhrp authentication blah > ip nhrp map multicast dynamic > ip nhrp network-id 9 > tunnel source FastEthernet0/0 > tunnel mode gre multipoint > tunnel key 9 > tunnel protection ipsec profile PROF > end > ! > R1#sho crypto pki certificates verbose > CA Certificate > Status: Available > Version: 3 > Certificate Serial Number: 0x1 > Certificate Usage: Signature > Issuer: > cn=R1 CA > ou=Dept A > o=My Org > l=Some Town > c=US > Subject: > cn=R1 CA > ou=Dept A > o=My Org > l=Some Town > c=US > Validity Date: > start date: 00:04:40 UTC Mar 1 2002 > end date: 00:04:40 UTC Feb 28 2005 > Subject Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Signature Algorithm: MD5 with RSA Encryption > Fingerprint MD5: 2210B4F9 78E12C7E 91ACAF31 71F97030 > Fingerprint SHA1: 10BBE7A1 B9EF3303 5A65953B 43C46BF2 9219C149 > X509v3 extensions: > X509v3 Key Usage: 86000000 > Digital Signature > Key Cert Sign > CRL Signature > X509v3 Subject Key ID: B6FFF7C9 6D855713 A40689E1 BE0249C6 A7CA2935 > X509v3 Basic Constraints: > CA: TRUE > X509v3 Authority Key ID: B6FFF7C9 6D855713 A40689E1 BE0249C6 A7CA2935 > Authority Info Access: > Associated Trustpoints: R1-CA > ! > ! > R1#sho crypto key mypubkey rsa > ! > % Key pair was generated at: 00:02:42 UTC Mar 1 2002 > Key name: R1-CA > Storage Device: not specified > Usage: General Purpose Key > Key is exportable. > Key Data: > 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B0D4A2 > 10BC71F1 D1B19822 249831E9 5208A3A5 8ED595A6 6B9E19E4 551BF630 BC414028 > 71172E6C 9B233630 F5AA020C 43BE26FA 61866713 AC25D48E FBA18799 B4F16A6B > 273A0EC1 F080F99F 78F7C559 B6DB76BC 3E75CB80 B37E1E36 A9AD0468 F87B69F2 > 0BAE7D08 6C2528B8 E5A431D5 B285C5F3 7B9C4FC8 8209F048 BE6FAB6A 25020301 0001 > % Key pair was generated at: 00:02:43 UTC Mar 1 2002 > Key name: R1-CA.server > Temporary key > Usage: Encryption Key > Key is not exportable. > Key Data: > 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A5FA02 6F6771F7 > A41A5925 C66D44E8 0CB5BF57 E7DE71C7 2C096598 52959315 49C61EBA A71F65F5 > 96783FB8 3D3C37E6 77AE43D8 D2426086 45602BEC F4EDA508 91020B84 A20B8534 > 3EE3BDCC 37F82921 07519A60 BB3355A0 5E279E57 3F478BBC 3D020301 0001 > ! > R1#sho cryp isak sa > IPv4 Crypto ISAKMP SA > dst src state conn-id slot status > 12.12.12.1 12.12.12.2 MM_KEY_EXCH 1023 0 ACTIVE > 12.12.12.1 12.12.12.2 MM_NO_STATE 1022 0 ACTIVE (deleted) > > > R2 (Spoke got Cert from Hub): > > (no error message) > > ! > cryp isak pol 10 > enc aes > hash sha > auth rsa-sig > ! > crypto ipsec transform-set TS esp-aes esp-sha-hmac > ! > crypto ipsec profile PROF > set transform-set TS > interface FastEthernet0/0 > ip address 12.12.12.2 255.255.255.0 > ! > interface Tunnel9 > ip address 9.9.9.2 255.255.255.0 > no ip redirects > ip mtu 1440 > ip nhrp authentication blah > ip nhrp map 9.9.9.1 12.12.12.1 > ip nhrp map multicast 12.12.12.1 > ip nhrp network-id 9 > ip nhrp nhs 9.9.9.1 > tunnel source FastEthernet0/0 > tunnel mode gre multipoint > tunnel key 9 > tunnel protection ipsec profile PROF > end > ! > R2#sho cryp pki cert verbose > Certificate > Status: Available > Version: 3 > Certificate Serial Number: 0x2 > Certificate Usage: General Purpose > Issuer: > cn=R1 CA > ou=Dept A > o=My Org > l=Some Town > c=US > Subject: > Name: R2.blah.com > Serial Number: FTX0945W0MY > serialNumber=FTX0945W0MY+hostname=R2.blah.com > CRL Distribution Points: > http://12.12.12.1/cgi-bin/pkiclient.exe?operation=GetCRL > Validity Date: > start date: 00:05:57 UTC Mar 1 2002 > end date: 00:05:57 UTC Mar 1 2003 > Subject Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Signature Algorithm: MD5 with RSA Encryption > Fingerprint MD5: 4500A2B9 C6DED1A0 73E1C5D1 B53F44BF > Fingerprint SHA1: 296ECCF1 58CF2B20 191B11A0 BCDF3860 D6DEB896 > X509v3 extensions: > X509v3 Key Usage: A0000000 > Digital Signature > Key Encipherment > X509v3 Subject Key ID: 87179F80 265A26CE C27428E4 5EEF4624 5DBBDDB0 > X509v3 Authority Key ID: B6FFF7C9 6D855713 A40689E1 BE0249C6 A7CA2935 > Authority Info Access: > Associated Trustpoints: R1-CA > Key Label: R2.blah.com > > CA Certificate > Status: Available > Version: 3 > Certificate Serial Number: 0x1 > Certificate Usage: Signature > Issuer: > cn=R1 CA > ou=Dept A > o=My Org > l=Some Town > c=US > Subject: > cn=R1 CA > ou=Dept A > o=My Org > l=Some Town > c=US > Validity Date: > start date: 00:04:40 UTC Mar 1 2002 > end date: 00:04:40 UTC Feb 28 2005 > Subject Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Signature Algorithm: MD5 with RSA Encryption > Fingerprint MD5: 2210B4F9 78E12C7E 91ACAF31 71F97030 > Fingerprint SHA1: 10BBE7A1 B9EF3303 5A65953B 43C46BF2 9219C149 > X509v3 extensions: > X509v3 Key Usage: 86000000 > Digital Signature > Key Cert Sign > CRL Signature > X509v3 Subject Key ID: B6FFF7C9 6D855713 A40689E1 BE0249C6 A7CA2935 > X509v3 Basic Constraints: > CA: TRUE > X509v3 Authority Key ID: B6FFF7C9 6D855713 A40689E1 BE0249C6 A7CA2935 > Authority Info Access: > Associated Trustpoints: R1-CA > ! > R2#sho crypto key mypubkey rsa > % Key pair was generated at: 00:05:42 UTC Mar 1 2002 > Key name: R2.blah.com > Storage Device: not specified > Usage: General Purpose Key > Key is not exportable. > Key Data: > 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B6390A > E2BA542F 34E4B5FE 3A292DAE 47AEAE26 E6DF5A85 1CEDD79A 6F6A4120 96726ED3 > 416DBD38 3A079337 AE228D56 0F062188 F0140927 A7020340 29AFC5C2 C597559A > B900A36E 0C169840 610FFDAA 1C2027B6 51CF07E1 1FA24B90 A053CB75 ECBA2B5C > 5044DFAF A0C520AE 0AC6D02D F77E18A3 7B736BDF C207C07F 91B1D635 F3020301 0001 > % Key pair was generated at: 00:05:43 UTC Mar 1 2002 > Key name: R2.blah.com.server > Temporary key > Usage: Encryption Key > Key is not exportable. > Key Data: > 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00A9838F C9AF2B5D > F993422C 0DFF3975 F45ADBB1 3CF3D598 CA5D91CF E4079F16 960CE78B 8B5326CF > DA8B6184 77D38695 132D3186 FFBA325E 0D3D62BF 3C498433 B8CC6CCE C6B88449 > CDF5F32D AFC4E179 D2B6A0F7 51A89344 9A39D534 7DCAF215 D3020301 0001 > ! > R2#sho cryp isak sa > IPv4 Crypto ISAKMP SA > dst src state conn-id slot status > 12.12.12.1 12.12.12.2 MM_NO_STATE 1023 0 ACTIVE (deleted) > > > ################################################# > > > > > > > On Thu, Aug 23, 2012 at 4:51 AM, Kingsley Charles > <[email protected]> wrote: > His statement > > > "The unusual part is that I used the DMVPN hub as the Cert Authority (CA) for > the DMVPN Spoke" > > People, miss the one that I mentioned. If it's not that, then we should look > for other issues. > > > With regards > Kings > CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security) > > > > On Thu, Aug 23, 2012 at 1:08 PM, Eugene Pefti <[email protected]> wrote: > Isn’t it the other way around? > > Jason says that Hub doesn’t trust the Spoke certificate. For me it means > that Hub already has the identity certificate. Of course we don’t the content > of certificate store from the Hub and can’t be 100 sure. But the similar > scenario worked for me. > > > > Eugene > > > > From: [email protected] > [mailto:[email protected]] On Behalf Of Kingsley > Charles > Sent: Wednesday, August 22, 2012 11:50 PM > To: Jason Madsen > Cc: [email protected] > Subject: Re: [OSL | CCIE_Security] IPSec VPN w RSA-SIG Using Cert Authority > (CA) as one of the VPN Peers > > > > On the DMVPN Hub, configure separate trustpoint and enroll to itself. > > > With regards > Kings > CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security) > > On Thu, Aug 23, 2012 at 11:32 AM, Jason Madsen <[email protected]> wrote: > > Hi all, > > > > I was practicing going through some random IPSec VPN configurations to work > on configuration speed, and I ran into something unexpected. I setup DMVPN > with just 2 devices participating...a single hub and spoke. > > > > The unusual part is that I used the DMVPN hub as the Cert Authority (CA) for > the DMVPN Spoke. I busted through the config's for DMVPN, and then found > that ISAKMP kept failing to negotiate using certificates. I changed to "auth > pre-shared" and everything came up immediately, so I knew it was cert > related. > > > > After reverting back to RSA-SIG auth mode, I found that the Hub kept stating > that the Cert from the Spoke was "bad". > > > > Is this an unsupported configuration (using a DMVPN hub as a CA for the > Spokes), is it a supported config' that requires a unique configuration, or > did I just fat finger something? > > > > I just redid the scenario using a non-DMVPN member as the CA, and everything > worked immediately...no issues. > > > > Thanks, > > Jason > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com > > > > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
