994 Views | 0 Helpful | 5 Replies

IPSec issue with certificate and IOS CA

andrew_ho
Level 1

Hi,

I am trying to build an IPSec tunnel between a 2821 and a 3845 router using VTI, certificate and IOS CA. It works fine using VTI with pre-share key. However, I can't get it to work with certificate and IOS CA. The two routers are connected back to back. I am using the 3845 as an IOS CA. On the 2811, I can authenticate the IOS CA and obtain the CA certificate. Also, I can enroll it with the IOS CA and obtain a certificate. However, it fails during phase 1 of the IPSec. By debugging the 3845, I got:

%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.30.196.4 is bad: CA request failed!

and

*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer wants a CT_X509_SIGNATURE cert

*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer want cert issued by

*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): issuer name is not a trusted root.

All the keys generated are 1024 bits. I have checked the date and time on both routers and they are correct.

Attached are the full debugs for both routers. Anyone can help? Thanks a lot.

Andrew

5 Replies

attrgautam
Level 5

Can you try setting the revocation-check to none and see if it solves the issue?

Can you also show the relevant config with IPs masked?

Hi,

Attached is the relevant config. As for the revocation-check, I have tried to set it to none, but that doesn't make any difference.

Thanks.

Correct me if I am missing something. But should not the CA certificate you generate in the 3845 be self-signed? Did you try that as well? I see only one certificate in the 3845?

Hi,

The problem is now fixed. The problem is that even though a trustpoint pointing to the IOS CA itself is automatically created when configuring the IOS CA, it is still required to create another trustpoint with a different name but pointing to the same IOS CA. Then authenticate and enroll with the IOS CA as if the 3845 is another remote router.

Thanks for all your suggestions.

Andrew

That was exactly what I was trying to say. You need a different trustpoint to have a self-signed certificate to authenticate yourself. Nice to know that your issue is solved.
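The fix described in the thread, written out as an added IOS configuration sketch (not the poster's attached config): the CA router gets a second trustpoint that enrolls with its own CA, so IKE has a router certificate that chains to the CA the peer trusts. The trustpoint, key and CA names and the 192.0.2.1 address are assumed placeholders.

```cisco
! --- On the 3845 acting as IOS CA ---
! The IOS CA needs its HTTP server up for SCEP enrollment.
ip http server
!
! The CA itself. Configuring it auto-creates a trustpoint of the same name,
! which holds only the CA's self-signed certificate and is not an identity
! the router can present to an IKE peer.
crypto pki server IOSCA
 issuer-name CN=IOSCA
 grant auto
 no shutdown
!
! Second trustpoint (assumed name IKE-TP): points at the same CA, but the
! router authenticates and enrolls through it as if it were a remote peer,
! ending up with its own router certificate issued by CN=IOSCA.
crypto pki trustpoint IKE-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=r3845
 revocation-check none
 rsakeypair IKE-KEYS 1024
!
! Run from exec mode once the trustpoint exists:
!   crypto pki authenticate IKE-TP
!   crypto pki enroll IKE-TP
!
! Phase 1 must use rsa-sig; the ISAKMP profile names the identity trustpoint
! so the router offers the IKE-TP certificate rather than the bare CA cert.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
crypto isakmp profile VTI-PROF
 ca trust-point IKE-TP
 match identity address 172.30.196.4 255.255.255.255
```

After enrolling, `show crypto pki certificates IKE-TP` should list both a CA certificate and a router certificate; if only the CA certificate appears, the peer's "issuer name is not a trusted root" failure from the original post is expected.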
