Hi Guys,
I am struggling here trying to get a hub and a spoke to establish an SA.
The error I'm getting is:
Apr 5 05:39:13.831: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.3.2 is bad: CA request failed!
During ISAKMP negotiation it gets stuck in MM_KEY_EXCHANGE (shown):
HUB1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.1.2.2 10.1.4.2 MM_KEY_EXCH 1090 0 ACTIVE
10.1.2.2 10.1.3.2 MM_KEY_EXCH 1089 0 ACTIVE
Here is a rough explanation of my lab:
H1 -> SW1 using network 10.1.2.0/24
SPOKE1 -> SW1 using network 10.1.3.0/24
H1 is the HUB 7204VXR (DYNAMIPS) and is running the Cisco IOS Certificate server.
SPOKE1 is the same but it is the client.
I've made sure that my domain name is set, time is set via NTP, and RSA keys are generated. Does anyone have a clue what I might be doing wrong? I keep hearing that this is related to time, but my clocks are sync'd with NTP. Is this possibly an issue with dynamips?
Here is the running config for HUB1:
hostname HUB1
!
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
ip domain name cisco.com
!
!
crypto pki server CISCO
database level complete
issuer-name CN=HUB1
grant auto
cdp-url nvram:
!
crypto pki trustpoint CISCO
revocation-check crl
rsakeypair CISCO
!
!
crypto pki certificate chain CISCO
certificate ca 01
308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set CISCO ah-md5-hmac esp-3des
!
crypto ipsec profile CISCO
set transform-set CISCO
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CISCO
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile CISCO
!
interface FastEthernet0/0
ip address 10.1.2.2 255.255.255.0
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip http server
no ip http secure-server
!
ntp master
Here are the RSA keys:
HUB1#sh crypto key mypubkey rsa
% Key pair was generated at: 01:26:28 EDT Apr 5 2008
Key name: CISCO
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00F82D5D
7F942063 E288F7E8 EAD60484 8C71DC32 B9AAA115 9669EA88 63CF8ED1 7F020301 0001
% Key pair was generated at: 01:26:30 EDT Apr 5 2008
Key name: CISCO.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D2599B DC6B0328
D64E1755 76ED779C 1478B4CA 816BD281 9E58083C E8AC73D9 57020301 0001
HUB1 is NTP Master. Clocks match on both.
SPOKE1 running configuration:
hostname SPOKE1
!
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
ip domain name cisco.com
ip host CISCO 10.1.2.2
!
crypto pki trustpoint CISCO
enrollment retry count 5
enrollment url http://10.1.2.2:80
serial-number
ip-address 10.1.3.2
revocation-check crl none
rsakeypair CISCO
!
!
crypto pki certificate chain CISCO
certificate 04
3082023A 308201A3 A0030201 02020104 300D0609 2A864886 F70D0101 04050030
certificate ca 01
308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set CISCO ah-md5-hmac esp-3des
!
crypto ipsec profile CISCO
set transform-set CISCO
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication CISCO
ip nhrp map 10.0.0.1 10.1.2.2
ip nhrp map multicast 10.1.2.2
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile CISCO
!
interface FastEthernet0/0
ip address 10.1.3.2 255.255.255.0
duplex full
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.3.1
!
ntp clock-period 17180059
ntp server 10.1.2.2
SPOKE1 RSA KEY
SPOKE1#sh cry key mypubkey rsa
% Key pair was generated at: 13:48:47 EDT Apr 5 2008
Key name: CISCO
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E86A2B
CBDEA5A4 FD9AB195 66EC8186 97703D3C 573DC2F9 D259F72D BE08443B 3E4439B1
736C6786 59F66B0A 77CC2FEC 6DD6C8EB F698602C 47C22618 6648C691 7CED25CA
% Key pair was generated at: 14:06:11 EDT Apr 5 2008
Key name: SPOKE1.cisco.com
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C4F122 099DFAFC
% Key pair was generated at: 01:48:50 EDT Apr 5 2008
Key name: CISCO.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B0AA40 6E6308C1
2595C5B5 1295B554 1819EEEB 7ECF5C4F F95B3DB2 7AB937FB 55E5A774 5F93421B
NTP Status:
SPOKE1#sh ntp status
Clock is synchronized, stratum 9, reference is 10.1.2.2
nominal freq is 250.0000 Hz, actual freq is 249.9973 Hz, precision is 2**24
reference time is CBA19230.7871B2B5 (01:52:48.470 EDT Sat Apr 5 2008)
clock offset is -7.0332 msec, root delay is 8.13 msec
root dispersion is 21.19 msec, peer dispersion is 14.13 msec
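As an added example (not part of the original post, and not a Cisco tool), here is a small Python script that parses `show crypto isakmp sa` output together with `%CRYPTO-5-IKMP_INVAL_CERT` syslog lines and reports which peers are stuck before IKE phase 1 authentication, and which of those also produced a certificate-validation error. The SA table and log lines are constructed from the ones quoted above; the extra peer 10.1.5.2 in QM_IDLE is an assumption added only for contrast, and `local_addr` is the router's own tunnel-source address.

```python
import re

# Constructed sample data, modelled on the "show crypto isakmp sa" table and the
# %CRYPTO-5-IKMP_INVAL_CERT syslog line from the post. The 10.1.5.2 peer in
# QM_IDLE is an assumption added for contrast; it is not part of the original lab.
SAMPLE_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.2.2        10.1.4.2        MM_KEY_EXCH       1090    0 ACTIVE
10.1.2.2        10.1.3.2        MM_KEY_EXCH       1089    0 ACTIVE
10.1.2.2        10.1.5.2        QM_IDLE           1091    0 ACTIVE
"""

SAMPLE_SYSLOG = """\
Apr  5 05:39:13.831: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.3.2 is bad: CA request failed!
Apr  5 05:39:20.102: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.4.2 is bad: CA request failed!
Apr  5 05:40:01.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# IKE phase 1 states in which the two peers have not yet authenticated each other.
# An SA that never leaves one of these (and never reaches QM_IDLE) failed phase 1;
# an INVAL_CERT event for the same peer points at certificate authentication
# rather than at a policy or proposal mismatch.
PRE_AUTH_STATES = {
    "MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
    "AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_LINE = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+"
    r"(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)\s*$"
)
INVAL_CERT = re.compile(
    rf"%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (?P<peer>{IPV4}) "
    r"is bad: (?P<reason>.+?)!?\s*$"
)


def parse_isakmp_sa(text):
    """Parse the SA table into a list of dicts, one per ISAKMP SA."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["conn"] = int(sa["conn"])
            sa["slot"] = int(sa["slot"])
            sas.append(sa)
    return sas


def parse_invalid_cert_events(text):
    """Map peer IP -> list of failure reasons taken from IKMP_INVAL_CERT lines."""
    events = {}
    for line in text.splitlines():
        m = INVAL_CERT.search(line)
        if m:
            events.setdefault(m.group("peer"), []).append(m.group("reason"))
    return events


def stalled_peers(sa_text, syslog_text, local_addr):
    """Return {peer_ip: {"state", "conn_id", "cert_errors"}} for every SA that has
    not completed phase 1. local_addr is this router's own address, used to pick
    the remote end out of the dst/src columns."""
    errors = parse_invalid_cert_events(syslog_text)
    report = {}
    for sa in parse_isakmp_sa(sa_text):
        if sa["state"] not in PRE_AUTH_STATES:
            continue
        peer = sa["src"] if sa["dst"] == local_addr else sa["dst"]
        report[peer] = {
            "state": sa["state"],
            "conn_id": sa["conn"],
            "cert_errors": errors.get(peer, []),
        }
    return report


if __name__ == "__main__":
    for peer, info in stalled_peers(SAMPLE_SA_OUTPUT, SAMPLE_SYSLOG, "10.1.2.2").items():
        why = "; ".join(info["cert_errors"]) or "no certificate error logged"
        print(f"{peer}: stuck in {info['state']} (conn {info['conn_id']}): {why}")
```

Run on the sample data it lists 10.1.3.2 and 10.1.4.2 as stuck in MM_KEY_EXCH with "CA request failed" attached, and leaves the QM_IDLE peer out. Separating the two inputs this way tells you whether a stalled SA is a PKI problem (certificate chain, revocation check, clock) or something else, which is the first fork in troubleshooting a certificate-authenticated DMVPN.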