Cisco Support Community
IPSec issue with certificate and IOS CA

Hi,

I am trying to build an IPSec tunnel between a 2821 and a 3845 router using VTI, certificates and IOS CA. It works fine using VTI with a pre-shared key. However, I can't get it to work with certificates and IOS CA. The two routers are connected back to back. I am using the 3845 as an IOS CA. On the 2811, I can authenticate the IOS CA and obtain the CA certificate. Also, I can enroll it with the IOS CA and obtain a certificate. However, it fails during phase 1 of the IPSec. By debugging the 3845, I got:

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.30.196.4 is bad: CA request failed!

and

*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer wants a CT_X509_SIGNATURE cert
*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer want cert issued by
*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): issuer name is not a trusted root.

All the keys generated are 1024 bits. I have checked the date and time on both routers and they are correct.

Attached are the full debugs for both routers. Can anyone help? Thanks a lot.

Andrew

5 REPLIES

Re: IPSec issue with certificate and IOS CA

Can you try setting the revocation-check to none and see if it solves the issue?

Can you also show the relevant config with IPs masked?


Re: IPSec issue with certificate and IOS CA

Hi,

Attached is the relevant config. As for the revocation-check, I have tried setting it to none, but that doesn't make any difference.

Thanks.


Re: IPSec issue with certificate and IOS CA

Correct me if I am missing something, but shouldn't the CA certificate you generate on the 3845 be self-signed? Did you try that as well? I see only one certificate on the 3845.


Re: IPSec issue with certificate and IOS CA

Hi,

The problem is now fixed. The problem is that even though a trustpoint pointing to the IOS CA itself is automatically created when configuring the IOS CA, it is still required to create another trustpoint with a different name but pointing to the same IOS CA, then authenticate and enroll with the IOS CA as if the 3845 were another remote router.

Thanks for all your suggestion.

Andrew
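The fix described above, written out as an added configuration example (not from the thread or its attachments): the 3845 keeps the trustpoint that `crypto pki server` creates for the CA itself, and gets a second trustpoint, enrolled with its own CA over SCEP, that holds the router's identity certificate used for IKE RSA signatures. The 2821 enrolls with the same CA. Names (MYCA, ROUTER-ID, TS, VTI-PROF), interface names and the 3845's address are hypothetical; 172.30.196.4 is the 2821 address from the debug output.

```cisco
! ===== 3845: IOS CA and IPsec peer (addresses and names are hypothetical) =====
ip http server                         ! SCEP enrollment needs the HTTP server
!
crypto pki server MYCA                 ! creates trustpoint MYCA for the CA itself
 database level minimal
 issuer-name CN=MYCA
 grant auto                            ! lab only: auto-approves every request; use manual grant in production
 lifetime certificate 365
 lifetime ca-certificate 1825
 no shutdown                           ! prompts for the CA key passphrase
!
! Second trustpoint: the router's own identity, enrolled with MYCA like any remote peer
crypto pki trustpoint ROUTER-ID
 enrollment url http://192.0.2.1:80    ! the 3845's own address, where MYCA listens (hypothetical)
 subject-name CN=r3845
 revocation-check none                 ! only while troubleshooting; re-enable CRL checking afterwards
 rsakeypair ROUTER-ID 2048             ! thread used 1024-bit keys; 1024-bit RSA is weak by current standards
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig                ! certificate authentication for phase 1
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 172.30.196.4       ! the 2821, from the debug output
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Exec mode on the 3845: obtain the CA cert, then an identity cert, under ROUTER-ID
! crypto pki authenticate ROUTER-ID
! crypto pki enroll ROUTER-ID
!
! ===== 2821: IPsec peer enrolled with the same CA =====
crypto pki trustpoint MYCA
 enrollment url http://192.0.2.1:80    ! the 3845 (hypothetical address)
 subject-name CN=r2821
 revocation-check none
 rsakeypair R2821-KEY 2048
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Exec mode on the 2821:
! crypto pki authenticate MYCA
! crypto pki enroll MYCA
```

After enrollment, `show crypto pki certificates` on the 3845 should list the CA certificate under MYCA and a separate router certificate under ROUTER-ID; with only the CA's own certificate present, IKE has no end-entity certificate to sign with, which is the symptom the thread hit. `show crypto isakmp sa` then shows the phase 1 SA in QM_IDLE once both sides present certificates chained to MYCA.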


Re: IPSec issue with certificate and IOS CA

That was exactly what I was trying to say. You need a different trustpoint to have a self-signed certificate to authenticate yourself. Nice to know that your issue is solved.
