DMVPN - Certificates don't auto-renew

Unanswered Question
Dec 10th, 2007

Hi,

I have a DMVPN with RSA certs (and an internal IOS CA Server on a router) that have been up for many months; however, recently, the spoke certs have started expiring. Since auto-renew is enabled, I granted the "pending" certs on the CA server, but the spokes were never able to obtain their new certs even though the VPN tunnels were still up. Eventually, I ran out of time for troubleshooting and all tunnels expired and were torn down due to IKE failures because of expired certs.

Any idea why granting the certs didn't have any effect?

Thanks

tstanik Mon, 12/17/2007 - 13:21

Some certificate authorities require you to generate a new key pair to renew a certificate, while other certificate authorities allow you to use the key pair of the expiring certificate to renew a certificate. Also note that some CA servers require a new key to be generated when renewing a certificate.
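As an added illustration of the point above (this is not configuration from either poster or from the SRND), the following is a spoke-side IOS PKI trustpoint in which automatic enrollment is told to generate a fresh RSA key pair at renewal time rather than re-using the expiring one. The trustpoint name, key label, CA URL and subject name are made-up placeholders; the `auto-enroll`, `regenerate` and `rsakeypair` keywords are standard IOS PKI commands.

```cisco
! Added example, not the original poster's configuration.
! Trustpoint and key label names are placeholders.
crypto pki trustpoint SPOKE-TP
 ! CA-ROUTER-IP is a placeholder for the internal IOS CA server address
 enrollment url http://CA-ROUTER-IP:80
 subject-name CN=spoke1.example.net
 revocation-check none
 ! Bind the trustpoint to a named 2048-bit RSA key pair
 rsakeypair SPOKE-KEY 2048
 ! Request renewal when 70% of the certificate lifetime has elapsed and
 ! generate a new RSA key pair for that request instead of re-using SPOKE-KEY
 auto-enroll 70 regenerate
!
! Useful checks on the spoke once renewal has been granted on the CA:
!   show crypto pki certificates   - shows the current and any rollover certificate
!   show crypto pki timers         - shows when the next renewal attempt is scheduled
```

Because the renewal request is sent while the current certificate is still valid, the spoke keeps using the existing certificate and key until the new certificate has actually been installed, so the rollover itself does not require tearing down the tunnel. Without `regenerate`, the renewal request is signed with the existing key pair, which is exactly the case a CA that insists on a new key will refuse or leave unfulfilled.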

plemieux72 Mon, 12/17/2007 - 13:45

For an IOS CA Server running 12.4(11)T3/ADV SECURITY... what would I need to check to verify this is the case? I followed the SRND and never saw anything related to rekeying.

Also, wouldn't a rekey on a remote client be disruptive? I mean, if it's seamless and the tunnels stay up... I am fine with it. However, otherwise, I'd have to find alternatives.

Thanks very much for your response!
