DMVPN + isakmp profile + CA

raymond.lucas
Level 1

I am attempting to use an "isakmp profile" with a DMVPN configuration so that we can get RADIUS accounting records (which I believe has to be done with an isakmp profile). I can get it to work using preshared keys, but I cannot get it to work using certificates, which is what I need.

The spoke appears to be fine (it goes to IKE_P1_COMPLETE and I do not see any problems in debug). It is only at the hub, where the isakmp profile is configured, that we end up with "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 5.0.0.20".

Both devices are definitely authenticated and enrolled with the CA.

I have attached what I believe are the relevant configs from the hub and spoke, and the debug from the hub (edited to take out some identifying information).

Any help appreciated,

Ray

1 Accepted Solution

Accepted Solutions

aaronr
Level 1

Looks like your routers are unable to find a matching ISAKMP profile to match the peers to. You might try creating a certificate map that references the OU of the cert to tell the router which IKE profile to use. You can do so using either of two methods:

1. Create a certificate map using "crypto pki certificate map" command. Specify within that command a parameter to match on (such as "subject-name co ou=mgmt"). Then, under your IKE profile, "match certificate ."

2. Under your IKE profile, simply change the "match identity address 0.0.0.0" command to "match identity group mgmt."

Either way, I think that will solve your problem. Also, it's not shown in your config, but you might also want to edit your "ca trustpoint" config to specify that the keys are for IKE usage only ("usage ike") and which key pair to use ("rsakeypair ").

HTH,

Aaron
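As an added illustration of the first method in the answer above (this is not configuration from the original thread or its attachments), the hub-side IOS fragment below selects the ISAKMP profile by the OU in the peer's certificate instead of by peer address, and sets the trustpoint options the answer mentions. The object names (DMVPN-CA, DMVPN-KEYS, DMVPN-CERT-MAP, DMVPN-PROF, DMVPN-ACCT, DMVPN-TS, DMVPN-IPSEC), the interface names and addresses, and the CA URL are assumptions; the OU value mgmt is the one used in the answer.

```cisco
! Added example, not config from the original post. All names, addresses and
! the CA URL are assumptions; only ou=mgmt comes from the answer above.
!
! RADIUS accounting list that the ISAKMP profile references (the original
! reason for using an ISAKMP profile at all)
aaa new-model
aaa accounting network DMVPN-ACCT start-stop group radius
!
! Trustpoint: restrict the certificate to IKE use and name the key pair,
! as suggested in the answer
crypto pki trustpoint DMVPN-CA
 enrollment url http://CA-SERVER-PLACEHOLDER
 subject-name CN=hub,OU=mgmt
 revocation-check crl
 usage ike
 rsakeypair DMVPN-KEYS
!
! Certificate map: "co" means "contains", so any peer certificate whose
! subject contains ou=mgmt is mapped to the profile below
crypto pki certificate map DMVPN-CERT-MAP 10
 subject-name co ou=mgmt
!
! IKE policy using certificate authentication
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! ISAKMP profile. The original hub used "match identity address 0.0.0.0",
! which selects the profile by the peer's IP identity (fine for pre-shared
! keys); with rsa-sig the peer identifies itself by certificate DN, so the
! profile must match on the certificate, otherwise no profile matches and
! Quick Mode fails at the hub. Alternative (method 2 in the answer):
! replace "match certificate DMVPN-CERT-MAP" with "match identity group mgmt".
crypto isakmp profile DMVPN-PROF
 ca trust-point DMVPN-CA
 match certificate DMVPN-CERT-MAP
 accounting DMVPN-ACCT
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Bind the ISAKMP profile to the IPsec profile used by the mGRE tunnel
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC
!
! Checks after a spoke connects:
!   show crypto pki certificates verbose   (hub cert is enrolled, usage IKE)
!   show crypto isakmp profile             (profile lists the cert map)
!   show crypto isakmp sa detail           (peer SA is bound to DMVPN-PROF)
```

Because "subject-name co" is a substring match, a cert map that matches only on the OU will also accept any certificate from the same CA whose subject happens to contain that string; if the CA issues certificates to other groups, add further lines to the same map sequence (for example an issuer-name match), since all lines in one sequence must match for the map to apply.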


2 Replies

Aaron,

You're on the money. I finally worked out just before your suggestion came through that for pre-shared you need to match addr, but for a cert you need to do one of the two things you suggest.

Thanks,

Ray
