DMVPN + isakmp profile + CA

Apr 18th, 2007

I am attempting to use an "isakmp profile" with a DMVPN configuration so that we can get RADIUS accounting records (which I believe has to be done with an isakmp profile). I can get it to work using preshared keys, but I cannot get it to work using certificates, which is what I need.


The spoke appears to be fine (it goes to IKE_P1_COMPLETE and I do not see any problems in debug). It is only at the hub where the isakmp profile is configured where we end up with "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 5.0.0.20"


Both devices are definitely authenticated and enrolled with the CA.


I have attached what I believe are the relevant config from the hub and spoke and debug from the hub (edited to take out some identifying information).


Any help appreciated,

Ray



Looks like your routers are unable to find a matching ISAKMP profile to match the peers to. You might try creating a certificate map that references the OU of the cert to tell the router which IKE profile to use. You can do so using either of two methods:


1. Create a certificate map using "crypto pki certificate map" command. Specify within that command a parameter to match on (such as "subject-name co ou=mgmt"). Then, under your IKE profile, "match certificate ."

2. Under your IKE profile, simply change the "match identity address 0.0.0.0" command to "match identity group mgmt."


Either way, I think that will solve your problem. Also, it's not shown in your config, but you might also want to edit your "ca trustpoint" config to specify that the keys are for IKE usage only ("usage ike") and which key pair to use ("rsakeypair ").


HTH,

Aaron
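
A hub-side configuration putting the suggestions above together, as an added example that is not part of the original thread (neither poster's config was included on the page). The trustpoint, certificate map, ISAKMP profile, IPsec profile, accounting list and key-pair names are assumptions chosen for illustration; only the OU value "mgmt" comes from the answer. The point it shows: with RSA-signature authentication the spoke identifies itself by its certificate DN, not by an IP address, so an ISAKMP profile that only has "match identity address" never matches and Quick Mode fails; matching on the certificate (or on the OU via "match identity group") fixes that, and the same profile is where the RADIUS accounting list is attached.

```cisco
! Hub: DMVPN with certificates, ISAKMP profile and RADIUS accounting.
! Example config, not the thread's own. Names below are assumptions.
aaa new-model
aaa accounting network DMVPN-ACCT start-stop group radius
!
! Trustpoint already enrolled with the CA; restrict the cert to IKE and
! pin which RSA key pair it uses (both suggested in the answer above).
crypto pki trustpoint DMVPN-CA
 usage ike
 rsakeypair DMVPN-KEYS
!
! Method 1: certificate map keyed on the OU in the spoke's subject name.
! "co" is a substring match ("eq" would require the whole field to match);
! the peer cert is validated against the trustpoint before the map is checked.
crypto pki certificate map DMVPN-CERTMAP 10
 subject-name co ou=mgmt
!
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
!
crypto isakmp profile DMVPN-ISAKMP
 ca trust-point DMVPN-CA
 ! This line is what fails with certificates: with rsa-sig the spoke's
 ! IKE identity is its DN, so an address match never selects the profile.
 !   match identity address 0.0.0.0 0.0.0.0
 match certificate DMVPN-CERTMAP
 ! Method 2 (alternative to the map): match the OU of the cert directly.
 !   match identity group mgmt
 ! The accounting list is bound per ISAKMP profile, which is why the
 ! profile is needed for RADIUS accounting in the first place.
 accounting DMVPN-ACCT
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-ISAKMP
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
```

To confirm the profile is actually being selected, check that "show crypto isakmp sa detail" lists the spoke's SA under DMVPN-ISAKMP and that "show crypto pki certificates" on both routers shows the enrolled certificate whose subject contains the OU the map expects; a spoke whose OU is spelled differently will authenticate fine at Phase 1 and still fail Quick Mode exactly as in the question.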


raymond.lucas Wed, 04/25/2007 - 12:47

Aaron,


You're on the money. I finally worked out, just before your suggestion came through, that for pre-shared keys you need to match on the address, but for a cert you need to do one of the two things you suggest.


Thanks,

Ray
