DMVPN and CA
I have a strange issue with certificate authentication in my DMVPN configuration.
First, a short description:
1. The CA is inside the network with a private IP, and it is reachable from inside when the router has a connection via DMVPN.
2. The CA isn't published to the internet.
3. The CA is located on a separate 2901 router (not on the DMVPN hub).
Now to the main issue: after a router reload (spoke), DMVPN can establish a connection, but the IPsec connection gets stuck in phase one. However, if I turn on a connection to the inside network via a GRE/IPsec tunnel with a pre-shared key, after a few seconds the spoke establishes the connection to the hub (via DMVPN). Then I can turn off the pre-shared-key tunnel and DMVPN will work until the next router reload.
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 (public IP of HUB) 172.31.224.1 IKE 22:45:53 S
Hub platform and software:
Spoke platform and software:
Log from HUB:
267576: Apr 28 14:33:05.912 CEST: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (public ip of spoke router) failed its sanity check or is malformed
Log from Spoke:
939665: Apr 28 14:32:32.510 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (public IP of HUB router) is bad: CA request failed!
939666: Apr 28 14:32:34.050 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (public IP of HUB router) is bad: certificate invalid
939667: Apr 28 14:32:34.050 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at (public IP of HUB router)
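As an added example (not part of the original post), a small Python parser for the IOS syslog lines quoted above that flags the sequence "CA request failed" → "certificate invalid" → main-mode failure for one peer, which is what a spoke logs when it cannot reach the CA during IKE because the CA sits behind the tunnel that has not come up yet. The hub address is redacted in the post, so a documentation-range placeholder is used.

```python
import re
from datetime import datetime

# Constructed sample: the spoke-side lines from the post, with the redacted
# hub address replaced by a documentation-range placeholder (198.51.100.1).
SPOKE_LOG = """\
939665: Apr 28 14:32:32.510 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.51.100.1 is bad: CA request failed!
939666: Apr 28 14:32:34.050 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 198.51.100.1 is bad: certificate invalid
939667: Apr 28 14:32:34.050 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 198.51.100.1
"""

# IOS syslog layout: "<seq>: <Mon DD HH:MM:SS.mmm> <TZ>: %FACILITY-SEVERITY-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
PEER_RE = re.compile(r"\b(?:from|peer at) (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ios_syslog(text):
    """Parse IOS syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # IOS timestamps carry no year; strptime's 1900 default is fine for ordering.
        ev["time"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S.%f")
        ev["peer"] = next(iter(PEER_RE.findall(ev["text"])), None)
        events.append(ev)
    return events


def diagnose_ike_cert_failures(events, window_s=30):
    """Per peer: 'ca_unreachable' when IKMP_INVAL_CERT 'CA request failed' is followed
    within window_s by 'certificate invalid' and IKMP_MODE_FAILURE (CA not reachable while
    validating the peer certificate); else 'cert_rejected' or 'ike_failed'."""
    state = {}
    for ev in events:
        if ev["facility"] != "CRYPTO" or ev["peer"] is None:
            continue
        st = state.setdefault(ev["peer"], {"ca_fail": None, "invalid": False, "verdict": None})
        if ev["mnemonic"] == "IKMP_INVAL_CERT":
            if "CA request failed" in ev["text"]:
                st["ca_fail"] = ev["time"]
            elif "certificate invalid" in ev["text"]:
                st["invalid"] = True
            st["verdict"] = st["verdict"] or "cert_rejected"
        elif ev["mnemonic"] == "IKMP_MODE_FAILURE":
            recent = st["ca_fail"] and (ev["time"] - st["ca_fail"]).total_seconds() <= window_s
            st["verdict"] = "ca_unreachable" if recent and st["invalid"] else st["verdict"] or "ike_failed"
    return {peer: st["verdict"] for peer, st in state.items()}
```

Run against the spoke log it returns `{"198.51.100.1": "ca_unreachable"}`; a main-mode failure with no preceding certificate errors is reported as `ike_failed` so the two causes are not confused.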