07-08-2013 08:01 AM
Hi,
I have an issue when trying to set up an IKE peer association between HostE and a Cisco 2951 using certificates.
On HostE I have a certificate retrieved from the SCEP server.
The Cisco's certificate is signed by an OpenSSL machine.
So on HostE I have installed the certificate retrieved from the SCEP server and also the certificate of the
issuer of the Cisco's certificate (the OpenSSL machine).
On the Cisco I've only authenticated the SCEP server certificate.
This is the configuration of the SCEP certificate on the Cisco:
crypto pki trustpoint SCEP_server
enrollment terminal pem
revocation-check none
storage flash0:/certs/
!
I simply just authenticate this certificate:
crypto pki authenticate SCEP_server
crypto pki certificate map cmap-57 1
issuer-name co eric
subject-name co scep
!
Then copy/paste the SCEP server certificate. The fingerprint is the same.
The following message appears in the Cisco log:
Jul 8 14:54:59.308: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C
Jul 8 14:54:59.308: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 8 14:54:59.308: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 8 14:54:59.308: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 8 14:54:59.308: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jul 8 14:54:59.308: CRYPTO_PKI: Found a subject match
Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 8 14:54:59.308: CRYPTO_PKI: Found a issuer match
Jul 8 14:54:59.308: CRYPTO_PKI: No suitable trustpoints found
Jul 8 14:54:59.308: IKEv2:(1): Platform errors
Jul 8 14:54:59.308: IKEv2:(1):
Jul 8 14:54:59.308: IKEv2:(1): Sending authentication failure notify
Jul 8 14:54:59.308: IKEv2:(1): Auth exchange failed
Jul 8 14:54:59.308: IKEv2:(1): Auth exchange failed
Jul 8 14:54:59.308: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors
Jul 8 14:54:59.308: IKEv2:(1): Deleting SA
Jul 8 14:54:59.312: CRYPTO_PKI: PKI session 109EA has ended. Freeing all resources.
Jul 8 14:54:59.312: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0
Jul 8 14:55:03.508: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
What exactly should be stated in the certificate map?
BR
Renato
07-08-2013 08:16 AM
Renato,
If you authenticated a trustpoint you only specified that you trust this CA (unless you will be sending a cert from another CA as identity?)
Unless you have auto-enrollment configured you still need to enroll.
Also look under the IKEv2 profile; it allows you to add a few options for PKI irt the trustpoint to be used.
For a simple deployment cert maps should not be needed.
M.
07-08-2013 03:09 PM
Hi,
Thanks for the help you provided.
Actually this mentioned SCEP_server, as you said, I just want to trust.
During the IKE peer establishment the Cisco should receive and validate as trusted the
certificate from HostE (remote node). HostE gets its certificate from the authenticated SCEP_server.
Hopefully this scenario should be fine in theory, since importing a SCEP_server certificate does not work.
Or should I state somewhere that this certificate is auto-enrolled as the root one (it is actually the root one for peer nodes)?
BR
Renato
07-09-2013 12:31 AM
Renato,
I missed the import part; if it's in the same trustpoint etc. it should be fine.
Can we have a look at full debugs and config, not just snippets, + show cry pki cert verb?
On each peer you need to have an identity cert (and its signing cert) + the certificate (CA/sub-CA) which we will use to validate the received cert from the remote end.
M.
07-09-2013 07:47 AM
Hi Marcin,
Here are the printouts:
AS67129#show crypto pki certificates verbose
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 0D
Certificate Usage: General Purpose
Issuer:
cn=TEST CA for VE SCEP Server
ou=AL/ETE
o=Anai
Subject:
cn=SubCA for VE SCEP Server
ou=AL/ETE
o=Anai DE
c=AU
Validity Date:
start date: 08:37:41 UTC Oct 22 2009
end date: 08:37:41 UTC Oct 20 2019
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C
Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A
X509v3 extensions:
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: SCEP_Server
Storage: flash0:/certs/TESTCAforVE#DCA.cer
Certificate
Status: Available
Version: 1
Certificate Serial Number (hex): 028E
Certificate Usage: General Purpose
Issuer:
cn=Cipher-2048-sha256
ou=CiscoCA
o=Anai DE
st=Sydney
c=AU
Subject:
Name: AS67129.lab.au
Serial Number: FCZ142371YK
SerialNumber=FCZ142371YK+hostname=AS67129.lab.au
cn=router2951
ou=AS67129
o=Cisco
c=AU
st=Sydney
l=HWLab
Validity Date:
start date: 11:51:36 UTC Jul 4 2013
end date: 11:51:36 UTC Aug 3 2013
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 7BBBD66B 0C7B08C7 E04A83FA 25159517
Fingerprint SHA1: A69DAA8C 30377848 C170E90D 1C644FF5 1D898C9B
X509v3 extensions:
Authority Info Access:
Associated Trustpoints: cisco.certificate
Storage: flash0:/certs/Cipher-2048-#28E.cer
CA Certificate
Status: Available
Version: 1
Certificate Serial Number (hex): 00
Certificate Usage: General Purpose
Issuer:
cn=Cipher-2048-sha256
ou=CiscoCA
o=Anai DE
st=Sydney
c=AU
Subject:
cn=Cipher-2048-sha256
ou=CiscoCA
o=Anai DE
st=Sydney
c=AU
Validity Date:
start date: 15:07:43 UTC Jul 1 2013
end date: 15:07:43 UTC Jun 30 2016
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 67144E26 95DA0514 56C678A1 FB387261
Fingerprint SHA1: EED96A3C 11E1ED83 5FA6B028 44B6BE10 1E19A6B2
X509v3 extensions:
Authority Info Access:
Associated Trustpoints: cisco.certificate
Storage: flash0:/certs/Cipher-2048-#0CA.cer
AS67129#show logging
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 6234252 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 6234252 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Trap logging: level informational, 47679 message lines logged
Log Buffer (8192 bytes):
alidation list has 1 trustpoints
Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0
Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C
Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=TEST CA for VE SCEP server,ou=AL/ETE,o=Anai" serial number= 0D
Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
1B 07 81 C0 33 53 CE 85 FC 05 0D 96 CC 78 83 5C
Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 0C
Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
12 BA 39 5E DA 2D 33 A3 4A 91 EE A9 C8 A9 61 3B
Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 01
Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E C6 62 9A 83 C8 5A 6F 82 27 61 14 54 5E 24 74
Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jul 9 14:21:36.648: CRYPTO_PKI: Found a subject match
Jul 9 14:21:36.648: CRYPTO_PKI: validation path has 1 certs
Jul 9 14:21:36.648: CRYPTO_PKI: Check for identical certs
Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0
Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C
Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:36.648: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 9 14:21:36.648: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 9 14:21:36.648: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jul 9 14:21:36.648: CRYPTO_PKI: Found a subject match
Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 9 14:21:36.648: CRYPTO_PKI: Found a issuer match
Jul 9 14:21:36.648: CRYPTO_PKI: No suitable trustpoints found
Jul 9 14:21:36.648: IKEv2:(1): Platform errors
Jul 9 14:21:36.648: IKEv2:(1):
Jul 9 14:21:36.648: IKEv2:(1): Sending authentication failure notify
Jul 9 14:21:36.648: IKEv2:(1): Auth exchange failed
Jul 9 14:21:36.648: IKEv2:(1): Auth exchange failed
Jul 9 14:21:36.648: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors
Jul 9 14:21:36.648: IKEv2:(1): Deleting SA
Jul 9 14:21:36.648: CRYPTO_PKI: PKI session 15D09 has ended. Freeing all resources.
Jul 9 14:21:36.648: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0
Jul 9 14:21:40.097: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
Jul 9 14:21:40.097: IKEv2:(1): Processing initial message
Jul 9 14:21:40.097: CRYPTO_PKI: Identity not specified for session 15D0A
Jul 9 14:21:40.101: IKEv2:(1): Sending initial message
Jul 9 14:21:40.245: IKEv2:(1): Recieved valid parameteres in process id
Jul 9 14:21:40.245: CRYPTO_PKI: Trust-Point cisco.certificate picked up
Jul 9 14:21:40.245: CRYPTO_PKI: 1 matching trustpoints found
Jul 9 14:21:40.245: CRYPTO_PKI: Trust-Point cisco.certificate picked up
Jul 9 14:21:40.245: CRYPTO_PKI: 1 matching trustpoints found
Jul 9 14:21:40.245: CRYPTO_PKI: locked trustpoint cisco.certificate, refcount is 1
Jul 9 14:21:40.245: CRYPTO_PKI: Identity bound (cisco.certificate) for session 15D0A
Jul 9 14:21:40.245: CRYPTO_PKI(Cert Lookup) issuer="cn=Cipher-2048-sha256,ou=CiscoCA,o=Anai DE,st=Stockholm,c=AU" serial number= 02 8E
Jul 9 14:21:40.245: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
AF 14 EC E8 8B 9D 6D 35 1B 78 40 F6 DA C8 DF 87
Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate
Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (954) bytes
Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate
Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (491) bytes
Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate
Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (467) bytes
Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate
Jul 9 14:21:40.249: CRYPTO_PKI: Added x509 peer certificate - (522) bytes
Jul 9 14:21:40.249: CRYPTO_PKI: Validation list has 1 trustpoints
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0
Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C
Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=TEST CA for VE SCEP server,ou=AL/ETE,o=Anai" serial number= 0D
Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
1B 07 81 C0 33 53 CE 85 FC 05 0D 96 CC 78 83 5C
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 0C
Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
12 BA 39 5E DA 2D 33 A3 4A 91 EE A9 C8 A9 61 3B
Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 01
Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E C6 62 9A 83 C8 5A 6F 82 27 61 14 54 5E 24 74
Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jul 9 14:21:40.249: CRYPTO_PKI: Found a subject match
Jul 9 14:21:40.249: CRYPTO_PKI: validation path has 1 certs
Jul 9 14:21:40.249: CRYPTO_PKI: Check for identical certs
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0
Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=
5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C
Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:40.249: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 9 14:21:40.249: CRYPTO_PKI: Unable to locate cert record by issuername
Jul 9 14:21:40.249: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain
Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()
Jul 9 14:21:40.249: CRYPTO_PKI: Found a subject match
Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()
Jul 9 14:21:40.249: CRYPTO_PKI: Found a issuer match
Jul 9 14:21:40.249: CRYPTO_PKI: No suitable trustpoints found
Jul 9 14:21:40.249: IKEv2:(1): Platform errors
Jul 9 14:21:40.249: IKEv2:(1):
Jul 9 14:21:40.249: IKEv2:(1): Sending authentication failure notify
Jul 9 14:21:40.249: IKEv2:(1): Auth exchange failed
Jul 9 14:21:40.249: IKEv2:(1): Auth exchange failed
Jul 9 14:21:40.249: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors
Jul 9 14:21:40.249: IKEv2:(1): Deleting SA
Jul 9 14:21:40.249: CRYPTO_PKI: PKI session 15D0A has ended. Freeing all resources.
Jul 9 14:21:40.249: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0
AS67129#
AS67129#
So the SCEP server is actually SubCA_cert and it is signed by this issuer:
issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai"
On hostE I have
BR
Renato
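An added triage script, not from the thread or from Cisco, that reads the CRYPTO_PKI debug lines and the CA subjects from the `show crypto pki certificates` output above and reports, for every issuer DN the router looked up, which installed trustpoint holds that DN as a CA subject. It assumes the trustpoints the session "locked" are the ones in the validation list (the debug only gives their count), and the sample input is a constructed, abbreviated copy of the thread's output.

```python
import re

# Constructed sample, abbreviated from the IOS debug output posted in the thread.
DEBUG = """\
Jul 9 14:21:40.245: CRYPTO_PKI: locked trustpoint cisco.certificate, refcount is 1
Jul 9 14:21:40.249: CRYPTO_PKI: Validation list has 1 trustpoints
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0
Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 0C
Jul 9 14:21:40.249: CRYPTO_PKI: No suitable trustpoints found
"""

# (trustpoint, CA subject DN) pairs transcribed from 'show crypto pki certificates verbose'.
INSTALLED_CA = [
    ("SCEP_Server", "cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU"),
    ("cisco.certificate", "cn=Cipher-2048-sha256,ou=CiscoCA,o=Anai DE,st=Sydney,c=AU"),
]

LOOKUP_RE = re.compile(r'CRYPTO_PKI\(Cert Lookup\) issuer="([^"]+)" serial number= ([0-9A-F ]+)')
LOCK_RE = re.compile(r"CRYPTO_PKI: locked trustpoint (\S+),")


def normalize_dn(dn):
    """Lower-case and strip each RDN so DNs from different outputs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def triage(debug, installed):
    """Map each looked-up issuer DN to the trustpoint(s) holding it as a CA subject.

    'in_validation_list' is an assumption: it treats the trustpoints the PKI
    session locked as the validation list, since the debug only prints a count.
    """
    locked = set(LOCK_RE.findall(debug))
    issuers = {}
    for issuer, serial in LOOKUP_RE.findall(debug):
        holders = [tp for tp, subj in installed
                   if normalize_dn(subj) == normalize_dn(issuer)]
        issuers[issuer] = {
            "serial": serial.strip(),
            "trustpoints": holders,
            "in_validation_list": any(tp in locked for tp in holders),
        }
    return {"locked": sorted(locked), "issuers": issuers}


def report(result):
    """One human-readable line per issuer DN, for pasting into a ticket."""
    lines = ["locked trustpoints: " + ", ".join(result["locked"])]
    for dn, info in result["issuers"].items():
        held = ", ".join(info["trustpoints"]) or "<no installed CA cert matches>"
        lines.append(f'issuer "{dn}" serial {info["serial"]}: held by {held}; '
                     f'in validation list: {info["in_validation_list"]}')
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(DEBUG, INSTALLED_CA))))
```

The output tells you whether the issuer the peer chained to is installed at all, and if so whether that trustpoint was part of the session, which is the distinction M. points at with the IKEv2 profile's trustpoint options.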
07-09-2013 03:02 PM
Renato,
Open up a TAC case, there's only so much one can do seeing only part of the problem.
M.