Cisco Support Community

New Member

DMVPN + isakmp profile + CA

I am attempting to use an "isakmp profile" with a DMVPN configuration so that we can get RADIUS accounting records (which I believe has to be done with an isakmp profile). I can get it to work using preshared keys, but I cannot get it to work using certificates, which is what I need.

The spoke appears to be fine (it goes to IKE_P1_COMPLETE and I do not see any problems in debug). It is only at the hub where the isakmp profile is configured where we end up with "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 5.0.0.20"

Both devices are definitely authenticated and enrolled with the CA.

I have attached what I believe are the relevant configs from the hub and spoke and the debug from the hub (edited to take out some identifying information).

Any help appreciated,

Ray

1 ACCEPTED SOLUTION

New Member

Re: DMVPN + isakmp profile + CA

Looks like your routers are unable to find a matching ISAKMP profile to match the peers to. You might try creating a certificate map that references the OU of the cert to tell the router which IKE profile to use. You can do so using either of two methods:

1. Create a certificate map using the "crypto pki certificate map" command. Specify within that command a parameter to match on (such as "subject-name co ou=mgmt"). Then, under your IKE profile, "match certificate ."

2. Under your IKE profile, simply change the "match identity address 0.0.0.0" command to "match identity group mgmt."

Either way, I think that will solve your problem. Also, it's not shown in your config, but you might also want to edit your "ca trustpoint" config to specify that the keys are for IKE usage only ("usage ike") and which key pair to use ("rsakeypair ").

HTH,

Aaron
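Hub-side configuration that puts method 1 above into place, written as an added example rather than the original poster's or Aaron's configuration; the trustpoint, certificate-map, profile, key-pair and accounting-list names, the CA URL, the addresses and the interface are all assumed.

```cisco
! Added example (not the original poster's configuration): hub-side IOS
! configuration for method 1. Trustpoint, map, profile, key-pair and
! list names, the CA URL, addresses and "ou=mgmt" are assumed placeholders.
aaa new-model
aaa accounting network DMVPN-ACCT start-stop group radius
!
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.invalid:80
 subject-name cn=hub.example.invalid,ou=mgmt
 usage ike
 rsakeypair HUB-KEYS
!
! Certificate map: a peer certificate whose subject contains ("co")
! "ou=mgmt" is matched by this map.
crypto pki certificate map MGMT-CERT-MAP 10
 subject-name co ou=mgmt
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! With rsa-sig the peer's IKE identity is its certificate DN (or FQDN), so
! "match identity address 0.0.0.0" never selects this profile; select it by
! certificate map instead. The accounting list produces the RADIUS records.
crypto isakmp profile DMVPN-PROF
 ca trust-point DMVPN-CA
 match certificate MGMT-CERT-MAP
 accounting DMVPN-ACCT
!
! Method 2 alternative: match the OU carried in the peer's certificate.
!  match identity group mgmt
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
```

"show crypto isakmp profile" shows whether the profile is bound to the certificate map, and "show crypto pki certificates" confirms the hub certificate is enrolled under the trustpoint the profile references.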

2 REPLIES
New Member

Re: DMVPN + isakmp profile + CA

Aaron,

You're on the money. I finally worked out just before your suggestion came through that for pre-shared you need to match addr, but for a cert you need to do one of the two things you suggest.

Thanks,

Ray
