
Help Needed - Cisco IOS Certificate Server - Error Message!

Humper Member Posts: 647
Hi Guys,

I am struggling here trying to get a hub and a spoke to establish an SA.

The error I'm getting is:

Apr 5 05:39:13.831: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.3.2 is bad: CA request failed!

During ISAKMP negotiation it gets stuck in MM_KEY_EXCHANGE (shown):
HUB1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.2.2        10.1.4.2        MM_KEY_EXCH       1090    0 ACTIVE
10.1.2.2        10.1.3.2        MM_KEY_EXCH       1089    0 ACTIVE

Here is a rough explanation of my lab:

H1 -> SW1 using network 10.1.2.0/24
SPOKE1 -> SW1 using network 10.1.3.0/24

H1 is the HUB 7204VXR (DYNAMIPS) and is running the Cisco IOS Certificate server.
SPOKE1 is the same but it is the client.

I've made sure that my domain name is set, time is set via NTP, and RSA keys are generated. Does anyone have a clue what I might be doing wrong? I keep hearing that this is related to time, but my clocks are synced with NTP. Is this possibly an issue with Dynamips?

Here is the running config for HUB1:
hostname HUB1
!
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
ip domain name cisco.com
!
!
crypto pki server CISCO
 database level complete
 issuer-name CN=HUB1
 grant auto
 cdp-url nvram:
!
crypto pki trustpoint CISCO
 revocation-check crl
 rsakeypair CISCO
!
!
crypto pki certificate chain CISCO
 certificate ca 01
  308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
!
!
crypto ipsec transform-set CISCO ah-md5-hmac esp-3des
!
crypto ipsec profile CISCO
 set transform-set CISCO
!
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication CISCO
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile CISCO
!
interface FastEthernet0/0
 ip address 10.1.2.2 255.255.255.0
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.2.1
ip http server
no ip http secure-server
!
ntp master

Here are the RSA keys:
HUB1#sh crypto key mypubkey rsa
% Key pair was generated at: 01:26:28 EDT Apr 5 2008
Key name: CISCO
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00F82D5D
  7F942063 E288F7E8 EAD60484 8C71DC32 B9AAA115 9669EA88 63CF8ED1 7F020301 0001
% Key pair was generated at: 01:26:30 EDT Apr 5 2008
Key name: CISCO.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D2599B DC6B0328
  D64E1755 76ED779C 1478B4CA 816BD281 9E58083C E8AC73D9 57020301 0001

HUB1 is NTP Master. Clocks match on both.

SPOKE1 running configuration:
hostname SPOKE1
!
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
ip domain name cisco.com
ip host CISCO 10.1.2.2
!
crypto pki trustpoint CISCO
 enrollment retry count 5
 enrollment url http://10.1.2.2:80
 serial-number
 ip-address 10.1.3.2
 revocation-check crl none
 rsakeypair CISCO
!
!
crypto pki certificate chain CISCO
 certificate 04
  3082023A 308201A3 A0030201 02020104 300D0609 2A864886 F70D0101 04050030
 certificate ca 01
  308201F7 30820160 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
!
!
crypto ipsec transform-set CISCO ah-md5-hmac esp-3des
!
crypto ipsec profile CISCO
 set transform-set CISCO
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication CISCO
 ip nhrp map 10.0.0.1 10.1.2.2
 ip nhrp map multicast 10.1.2.2
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile CISCO
!
interface FastEthernet0/0
 ip address 10.1.3.2 255.255.255.0
 duplex full
 speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.3.1
!
ntp clock-period 17180059
ntp server 10.1.2.2

SPOKE1 RSA KEY
SPOKE1#sh cry key mypubkey rsa
% Key pair was generated at: 13:48:47 EDT Apr 5 2008
Key name: CISCO
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E86A2B
  CBDEA5A4 FD9AB195 66EC8186 97703D3C 573DC2F9 D259F72D BE08443B 3E4439B1
  736C6786 59F66B0A 77CC2FEC 6DD6C8EB F698602C 47C22618 6648C691 7CED25CA
% Key pair was generated at: 14:06:11 EDT Apr 5 2008
Key name: SPOKE1.cisco.com
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C4F122 099DFAFC
% Key pair was generated at: 01:48:50 EDT Apr 5 2008
Key name: CISCO.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B0AA40 6E6308C1
  2595C5B5 1295B554 1819EEEB 7ECF5C4F F95B3DB2 7AB937FB 55E5A774 5F93421B

NTP Status:
SPOKE1#sh ntp status
Clock is synchronized, stratum 9, reference is 10.1.2.2
nominal freq is 250.0000 Hz, actual freq is 249.9973 Hz, precision is 2**24
reference time is CBA19230.7871B2B5 (01:52:48.470 EDT Sat Apr 5 2008)
clock offset is -7.0332 msec, root delay is 8.13 msec
root dispersion is 21.19 msec, peer dispersion is 14.13 msec
Now working full time!

Comments

  • Humper Member Posts: 647
    Take a look at this:
    HUB1#
    Apr  5 06:03:27.139: %SYS-5-CONFIG_I: Configured from console by console
    Apr  5 06:03:33.587: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.3.2 is bad: CA request failed!
    HUB1#
    HUB1#sh cloc
    HUB1#sh clock
    02:03:39.931 EDT Sat Apr 5 2008
    

    Is there a separate clock or something? Notice the date/time from the console logging and the date/time when I type sh clock. Could this be something with Dynamips?
    Now working full time!
  • Humper Member Posts: 647
    Ok I tried this with real routers and same issue.
    Now working full time!
  • Humper Member Posts: 647
    I've got word that I need to authenticate and enroll the hub router as a trustpoint as well...WIP
    Now working full time!
  • Humper Member Posts: 647
    Spoke with TAC. There is no documentation for this, so I want to share this with everyone else.

    If your HUB router is going to participate in the DMVPN cloud, you MUST also authenticate AND enroll the HUB to the CA server.

    Keep your trustpoint names different from the CA server name.

    For example the trustpoint on the HUB and SPOKE was named DMVPN. The server was named CISCO...

    Ahhhhhhhhhh and I spent so long thinking there was something wrong with my config.....
    Now working full time!
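The fix described in this post, written out as an added IOS configuration example (not taken from the thread or from Cisco documentation): the hub keeps its CA server named CISCO, gets a separate identity trustpoint named DMVPN that authenticates and enrolls against its own server over the same HTTP URL the spoke uses, and the spoke's trustpoint is renamed to match. The key label DMVPN and the 1024-bit modulus are assumptions; the addresses are the ones from the lab above.

```cisco
! --- HUB1: CA server stays as posted; add an identity trustpoint with a different name ---
! Key pair for the hub's own identity certificate (label DMVPN is an assumption;
! it is kept separate from the CISCO key pair the CA server itself uses).
crypto key generate rsa label DMVPN modulus 1024
!
crypto pki trustpoint DMVPN
 enrollment url http://10.1.2.2:80
 serial-number
 ip-address 10.1.2.2
 revocation-check crl
 rsakeypair DMVPN
!
! Exec mode: fetch the CA certificate, then request the hub's own certificate.
! Both steps are needed; the server's CISCO trustpoint holds only the CA certificate,
! so without them the hub has no identity certificate to present during IKE.
crypto pki authenticate DMVPN
crypto pki enroll DMVPN
!
! --- SPOKE1: drop the trustpoint that shares the server's name, re-enroll under DMVPN ---
no crypto pki trustpoint CISCO
crypto pki trustpoint DMVPN
 enrollment retry count 5
 enrollment url http://10.1.2.2:80
 serial-number
 ip-address 10.1.3.2
 revocation-check crl none
 rsakeypair CISCO
!
crypto pki authenticate DMVPN
crypto pki enroll DMVPN
!
! --- Checks on either router ---
! Each router must now list both a CA certificate and its own certificate:
show crypto pki certificates DMVPN
! With grant auto on the server the request is signed immediately; the ISAKMP SA
! should leave MM_KEY_EXCH and settle in QM_IDLE:
show crypto isakmp sa
```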
  • mikej412 Member Posts: 10,086
    Humper wrote:
    If your HUB router is going to participate in the DMVPN cloud, you MUST also authenticate AND enroll the HUB to the CA server.
    You make it sound so obvious when you state it like that!

    Thanks for updating as you worked through to the solution.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Humper Member Posts: 647
    mikej412 wrote:
    Humper wrote:
    If your HUB router is going to participate in the DMVPN cloud, you MUST also authenticate AND enroll the HUB to the CA server.
    You make it sound so obvious when you state it like that!

    Thanks for updating as you worked through to the solution.

    I know, tell me about it! I felt stupid when he told me that, but the TAC engineer said that there was no documentation for it on Cisco's website, so people make that mistake a lot!


    OR... he was just trying to make me feel better about myself...
    Now working full time!