Bronze

P2P with RSA-SIG failing

I set up a point-to-point Ethernet link between 2 Cisco 2821 lab routers.
R1 g0/0 192.168.1.1/24
R2 g0/0 192.168.1.2/24
Both routers can ping each other when pre-shared keys are in use.
All works well.


After I run through the CA and PKI setup (commands shown below), change the pre-shared keys to rsa-sig, and run
clear crypto isakmp and
clear crypto session,
communication fails.
Now I cannot ping the next hop.

THANKS for ANY assistance.

Frank



R1 CONFIG

hostname R1
ip domain-name TEST.LAB
ntp trusted-key 1
ntp master 3
ip http server
!*********************
crypto key generate rsa exportable general-keys label SPEED-RACER modulus 1536
crypto key export rsa SPEED-RACER pem url flash: 3des ProtectM3
crypto pki server SPEED-RACER
database url flash:
database level complete
no shutdown


R2 CONFIG
hostname R2
ip domain-name TEST.LAB
ntp trusted-key 1
ntp server 192.168.1.1
!*********************
crypto pki trustpoint SPEED-RACER
enrollment url http://192.168.1.1
crypto pki authenticate SPEED-RACER
crypto pki enrol SPEED-RACER


R1# show crypto pki server SPEED-RACER request
R1# crypto pki server SPEED-RACER grant 1


R2# PKI-6-CERTRET: Certificate received from Certificate Authority


R2#debug crypto isakmp    
Crypto ISAKMP debugging is on
R2#ping 192.168.1.1  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
..
*Oct 12 17:50:ISAKMP: set new node 0 to QM_IDLE     
*Oct 12 17:50:ISAKMP:(1001):SA is still budding. Attached new ipsec request to it. (local 192.168.1.2, remote 192.168.1.1)
*Oct 12 17:50:ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 12 17:50:ISAKMP: Error while processing KMI message 0, error 2..
*Oct 12 17:50:ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH...
*Oct 12 17:50:ISAKMP (1001): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 12 17:50:ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH
*Oct 12 17:50:ISAKMP:(1001): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 12 17:50:ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Oct 12 17:50:ISAKMP (1001): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 12 17:50:ISAKMP:(1001): phase 1 packet is a duplicate of a previous packet.
*Oct 12 17:50:ISAKMP:(1001): retransmitting due to retransmit phase 1
*Oct 12 17:50:ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH...
*Oct 12 17:50:ISAKMP (1001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 12 17:50:ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH
*Oct 12 17:50:ISAKMP:(1001): sending packet to 192.168.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH.
*Oct 12 17:50:ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Oct 12 17:50:ISAKMP (1001): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 12 17:50:ISAKMP:(1001): phase 1 packet is a duplicate of a previous packet.
*Oct 12 17:50:ISAKMP:(1001): retransmitting due to retransmit phase 1
*Oct 12 17:50:ISAKMP:(1001): retransmitting phase 1 MM_KEY_EXCH...
*Oct 12 17:50:ISAKMP:(1001):peer does not do paranoid keepalives.

*Oct 12 17:50:ISAKMP:(1001):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 192.168.1.1)
*Oct 12 17:50:ISAKMP:(1001):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 192.168.1.1)
*Oct 12 17:50:ISAKMP: Unlocking peer struct 0x4890C5C0 for isadb_mark_sa_deleted(), count 0
*Oct 12 17:50:ISAKMP: Deleting peer node by peer_reap for 192.168.1.1: 4890C5C0
*Oct 12 17:50:ISAKMP:(1001):deleting node 100835634 error FALSE reason "IKE deleted"
*Oct 12 17:50:ISAKMP:(1001):deleting node -296944242 error FALSE reason "IKE deleted"
*Oct 12 17:50:ISAKMP:(1001): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 192.168.1.1)
*Oct 12 17:50:ISAKMP:(1001): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 192.168.1.1)
*Oct 12 17:50:ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 12 17:50:ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_DEST_SA
.
Success rate is 0 percent (0/5)

*Oct 12 17:50: ISAKMP (1001): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 12 17:50: ISAKMP (1001): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 12 17:51: ISAKMP (1001): received packet from 192.168.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
R2#un all

R1 config after PKI

R1#sh run
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
!
clock timezone EST -5 0
clock summer-time EST recurring
!
ip cef
!
ip domain name TEST.LAB
ip host R1 192.168.1.1
ip host R2 192.168.1.2
!
multilink bundle-name authenticated
!
crypto pki server SPEED-RACER
database level complete
issuer-name CN=CA.TEST.LAB C=US L=Washington DC OU=Peer-to-peer
database url flash:
crypto pki token default removal timeout 0
!
crypto pki trustpoint SPEED-RACER
revocation-check crl
rsakeypair SPEED-RACER
!
crypto pki certificate chain SPEED-RACER
certificate ca 01
        quit
!
crypto isakmp policy 20
encr aes 256
group 5
crypto isakmp key BR549 address 192.168.1.2
!
crypto ipsec transform-set BR549-AbC ah-sha-hmac esp-aes 256 esp-sha-hmac
!        
crypto ipsec profile SecureMobile
set transform-set BR549-AbC
!
crypto map R1-R2 100 ipsec-isakmp
set peer 192.168.1.2
set transform-set BR549-AbC
match address IPSEC-TRAFFIC
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
crypto map R1-R2
!
interface GigabitEthernet0/1
ip address 192.168.3.1 255.255.255.0
!
ip http server
!
ip access-list extended IPSEC-TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!

ntp trusted-key 1

ntp master 3
end


R2 config after PKI

R2#sh run      

!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
!
clock timezone EST -5 0
clock summer-time EST recurring
!        
ip cef
!
ip domain name TEST.LAB
ip host R1 192.168.1.1
ip host R2 192.168.1.2
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint SPEED-RACER
enrollment url http://192.168.1.1:80
serial-number
revocation-check crl
!
crypto pki certificate chain SPEED-RACER
certificate 02
        quit
certificate ca 01
        quit
!
crypto isakmp policy 20
encr aes 256
group 5
crypto isakmp key BR549 address 192.168.1.1
!
crypto ipsec transform-set BR549-AbC ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SecureMobile
set transform-set BR549-AbC
!
crypto map R1-R2 100 ipsec-isakmp
set peer 192.168.1.1
set transform-set BR549-AbC
match address IPSEC-TRAFFIC
!
interface GigabitEthernet0/0
ip address 192.168.1.2 255.255.255.0
crypto map R1-R2
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0

!

ip http server
!
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!        
ip access-list extended IPSEC-TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!        
ntp trusted-key 1
ntp server 10.0.0.1
end

5 REPLIES
Cisco Employee

Re: P2P with RSA-SIG failing

Hi,

I see R1 is the CA server, but in order to use RSA-sig for it to establish a tunnel, it will need to have an id cert as well. So you'd need to enroll it with the CA server (itself in this case). If it's still not working, then we'd need to see debugs from both sides. Hope this helps.

Thanks,

Wen

Bronze

Re: P2P with RSA-SIG failing

Hi Wen,

Are you saying I need to also run these commands on the CA router?

I.E.

crypto pki trustpoint SPEED-RACER
enrollment url http://192.168.1.1
crypto pki authenticate SPEED-RACER
crypto pki enrol SPEED-RACER

Thanks

Frank

Cisco Employee

Re: P2P with RSA-SIG failing

Hi, Frank:

Yes, in order to do rsa-sig authentication both tunnel end points must have an id cert from the same issuer.

Thanks,

Wen

Bronze

Re: P2P with RSA-SIG failing

R1(config)#crypto pki trustpoint SPEED-RACER
% You are not supposed to change the configuration of this
% trustpoint. It is being used by the IOS CA server.

R1(config)#crypto pki server SPEED-RACER
R1(cs-server)#shut  
Certificate server 'shut' event has been queued for processing.
R1(cs-server)#
Oct 13 11:59:37.234: %PKI-6-CS_DISABLED: Certificate server now disabled.
R1(cs-server)#crypto pki trustpoint SPEED-RACER
R1(ca-trustpoint)#enrollment url http://192.168.1.1
R1(ca-trustpoint)#exit

R1(config)#crypto pki server SPEED-RACER
R1(cs-server)#no shut

I understand phase 1 is to exchange keys between peers.

Debug crypto isakmp shows the exchange of keys to enable phase 1 or fail as I am seeing.

I don't know what remedy is needed to fix the issue.

I also know debug crypto ipsec is used to see the exchange of phase 2, but I cannot get past phase 1, so this is moot.

Regards

Frank


R1#debug cry isakmp
Crypto ISAKMP debugging is on
R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

Oct 13 12:10:58: ISAKMP:(0): SA request profile is (NULL)
Oct 13 12:10:58: ISAKMP: Created a peer struct for 192.168.1.2, peer port 500
Oct 13 12:10:58: ISAKMP: New peer created peer = 0x48B601B8 peer_handle = 0x8000001A
Oct 13 12:10:58: ISAKMP: Locking peer struct 0x48B601B8, refcount 1 for isakmp_initiator
Oct 13 12:10:58: ISAKMP: local port 500, remote port 500
Oct 13 12:10:58: ISAKMP: set new node 0 to QM_IDLE     
Oct 13 12:10:58: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4739711C
Oct 13 12:10:58: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 13 12:10:58: ISAKMP:(0):found peer pre-shared key matching 192.168.1.2
Oct 13 12:10:58: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 13 12:10:58: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 13 12:10:58: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 13 12:10:58: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 13 12:10:58: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 13 12:10:58: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Oct 13 12:10:58: ISAKMP:(0): beginning Main Mode exchange
Oct 13 12:10:58: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 13 12:10:58: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 13 12:10:58: ISAKMP (0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 13 12:10:58: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 13 12:10:58: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 13 12:10:58: ISAKMP:(0): processing SA payload. message ID = 0
Oct 13 12:10:58: ISAKMP:(0): processing vendor id payload
Oct 13 12:10:58: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 13 12:10:58: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 13 12:10:58: ISAKMP : Scanning profiles for xauth ...
Oct 13 12:10:58: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
Oct 13 12:10:58: ISAKMP:      encryption AES-CBC
Oct 13 12:10:58: ISAKMP:      keylength of 256
Oct 13 12:10:58: ISAKMP:      hash SHA
Oct 13 12:10:58: ISAKMP:      default group 5
Oct 13 12:10:58: ISAKMP:      auth RSA sig
Oct 13 12:10:58: ISAKMP:      life type in seconds
Oct 13 12:10:58: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 13 12:10:58: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 13 12:10:58: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 13 12:10:58: ISAKMP:(0):Acceptable atts:life: 0
Oct 13 12:10:58: ISAKMP:(0):Fill atts in sa vpi_length:4
Oct 13 12:10:58: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Oct 13 12:10:58: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0):Returning Actual lifetime: 86400
Oct 13 12:10:58: ISAKMP:(0)::Started lifetime timer: 86400.

Oct 13 12:10:58: ISAKMP:(0): processing vendor id payload
Oct 13 12:10:58: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Oct 13 12:10:58: ISAKMP (0): vendor ID is NAT-T RFC 3947
Oct 13 12:10:58: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 13 12:10:58: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 13 12:10:58: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP (0): constructing CERT_REQ for issuer cn=CA.TEST.LAB C=US L=Washington DC OU=Peer-to-peer
Oct 13 12:10:58: ISAKMP:(0): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 13 12:10:58: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 13 12:10:58: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 13 12:10:58: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 13 12:10:58: ISAKMP (0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 13 12:10:58: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 13 12:10:58: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 13 12:10:58: ISAKMP:(0): processing KE payload. message ID = 0
Oct 13 12:10:58: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 13 12:10:58: ISAKMP:(1022): processing CERT_REQ payload. message ID = 0
Oct 13 12:10:58: ISAKMP:(1022): peer wants a CT_X509_SIGNATURE cert
Oct 13 12:10:58: ISAKMP:(1022): peer wants cert issued by cn=CA.TEST.LAB C=US L=Washington DC OU=Peer-to-peer
Oct 13 12:10:58: ISAKMP:(1022): issuer name is not a trusted root.
Oct 13 12:10:58: ISAKMP:(1022): processing vendor id payload
Oct 13 12:10:58: ISAKMP:(1022): vendor ID is Unity
Oct 13 12:10:58: ISAKMP:(1022): processing vendor id payload
Oct 13 12:10:58: ISAKMP:(1022): vendor ID is DPD
Oct 13 12:10:58: ISAKMP:(1022): processing vendor id payload
Oct 13 12:10:58: ISAKMP:(1022): speaking to another IOS box!
Oct 13 12:10:58: ISAKMP:received payload type 20
Oct 13 12:10:58: ISAKMP (1022): His hash no match - this node outside NAT
Oct 13 12:10:58: ISAKMP:received payload type 20
Oct 13 12:10:58: ISAKMP (1022): No NAT Found for self or peer
Oct 13 12:10:58: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 13 12:10:58: ISAKMP:(1022):Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 13 12:10:58: ISAKMP:(1022):Send initial contact
Oct 13 12:10:58: ISAKMP:(1022): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(1022): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 192.168.1.2)
Oct 13 12:10:58: ISAKMP:(1022):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Oct 13 12:10:58: ISAKMP:(1022):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Oct 13 12:10:58: ISAKMP (1022): ID payload
        next-payload : 6
        type         : 1
        address      : 192.168.1.1
        protocol     : 17
        port         : 500
        length       : 12
Oct 13 12:10:58: ISAKMP:(1022):Total payload length: 12
Oct 13 12:10:58: ISAKMP:(1022): no valid cert found to return
Oct 13 12:10:58: ISAKMP: set new node -35341918 to QM_IDLE     
Oct 13 12:10:58: ISAKMP:(1022):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
        spi 0, message ID = -35341918
Oct 13 12:10:58: ISAKMP:(1022): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 13 12:10:58: ISAKMP:(1022):Sending an IKE IPv4 Packet.
Oct 13 12:10:58: ISAKMP:(1022):purging node -35341918
Oct 13 12:10:58: ISAKMP (1022): FSM action returned error: 2
Oct 13 12:10:58: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 13 12:10:58: ISAKMP:(1022):Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 13 12:11:02: ISAKMP:(1021):purging SA., sa=459E81C0, delme=459E81C0.
Success rate is 0 percent (0/5)
R1#
Oct 13 12:11:08: ISAKMP:(1022): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Oct 13 12:11:08: ISAKMP (1022): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 13 12:11:08: ISAKMP:(1022): phase 1 packet is a duplicate of a previous packet.
Oct 13 12:11:08: ISAKMP:(1022): retransmitting due to retransmit phase 1
Oct 13 12:11:08: ISAKMP:(1022): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
R1#un all
All possible debugging has been turned off

Cisco Employee

Re: P2P with RSA-SIG failing

Hi,

Guess the error "no valid cert found to return" on R1 pretty much tells you what the problem is - you don't have an id cert on R1. What you need to do is to configure a separate trustpoint on R1 (different from the server trustpoint) and enroll the router itself. Once you have obtained an id cert, verify with "show crypto pki cert", and you should be good to go. Hope this helps.

Thanks,

Wen
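The steps Wen describes, written out as an added example (these are not Frank's or Wen's commands from the thread). It assumes an identity trustpoint named R1-ID with its own key pair, a subject name of CN=R1.TEST.LAB, and that the pending request on the CA is id 2; read the real id from the CA's request list before granting.

```cisco
! ---- On R1, which is both the IOS CA and an IPsec peer ----
! The server trustpoint SPEED-RACER is left untouched; it belongs to the CA.
! (assumed names: R1-ID trustpoint, R1-ID key pair, CN=R1.TEST.LAB)
!
! A separate identity key pair, so the CA signing key is never reused
! as the router's IKE identity key.
R1(config)# crypto key generate rsa general-keys label R1-ID modulus 2048
!
! Identity trustpoint for R1 itself, enrolling against its own CA over HTTP
! (ip http server is already enabled on R1, and the CA must be "no shutdown").
R1(config)# crypto pki trustpoint R1-ID
R1(ca-trustpoint)#  enrollment url http://192.168.1.1:80
R1(ca-trustpoint)#  subject-name CN=R1.TEST.LAB
R1(ca-trustpoint)#  rsakeypair R1-ID
! crl requires the CRL distribution point in the cert to be reachable over
! HTTP from both peers; "revocation-check none" is acceptable only in a lab.
R1(ca-trustpoint)#  revocation-check crl
R1(ca-trustpoint)# exit
!
! Import the CA certificate into the new trustpoint (verify the fingerprint
! it prints against "show crypto pki server"), then request an id cert.
R1(config)# crypto pki authenticate R1-ID
R1(config)# crypto pki enroll R1-ID
R1(config)# end
!
! Grant the pending request on the CA, the same step Frank used for R2.
R1# crypto pki server SPEED-RACER info requests
R1# crypto pki server SPEED-RACER grant 2
!
! Verify: R1-ID must now list a "Certificate" block (the id cert),
! not only the "CA Certificate" block. Issuer must match R2's id cert.
R1# show crypto pki certificates R1-ID
!
! Clear the SA that died by retransmission and trigger the tunnel again.
! Main mode should now reach QM_IDLE instead of sending CERTIFICATE_UNAVAILABLE.
R1# clear crypto isakmp
R1# ping 192.168.1.2
R1# show crypto isakmp sa
```

The isakmp policy on both routers omits an authentication line, so IOS already defaults it to rsa-sig (the debug shows "auth RSA sig"); the leftover crypto isakmp key lines are unused but harmless.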
