DMVPN and CA

Hi all!
I have a strange issue with certificate authentication in my DMVPN configuration.
First, a short description:

1. The CA is inside the network with a private IP, and it is reachable from inside once the router has a connection via DMVPN.

2. The CA is not published to the internet.

3. The CA is located on a separate 2901 router (not on the DMVPN hub).

And now the main issue: after a router reload (spoke), DMVPN can establish a connection, but the IPsec connection gets stuck in phase one. But if I turn on the connection to the inside network via a GRE/IPsec tunnel using a pre-shared key, after a few seconds the spoke establishes the connection to the HUB (via DMVPN); then I can turn off the pre-shared-key tunnel and DMVPN will work until the next router reload.

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1  (public IP of HUB)   172.31.224.1   IKE 22:45:53     S


Hub platform and software:

ASR 1001

software: asr1001-universalk9.03.14.00.S.155-1.S-std.bin

Spoke platform and software:

Cisco 881

software: c880data-universalk9-mz.151-4.M4.bin


Log from HUB:
267576: Apr 28 14:33:05.912 CEST: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (public ip of spoke router) failed its sanity check or is malformed 

Log from Spoke:

939665: Apr 28 14:32:32.510 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (public IP of HUB router) is bad: CA request failed!

939666: Apr 28 14:32:34.050 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (public IP of HUB router) is bad: certificate invalid

939667: Apr 28 14:32:34.050 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at (public IP of HUB router)
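
As an added example (not part of the original post), a small triage helper that parses IOS syslog lines of the shape shown above, groups the IKE certificate-failure messages per peer and labels each sequence; the cause labels are heuristics chosen here, not IOS semantics, and the sample log and the 203.0.113.x addresses are constructed stand-ins for the redacted public IPs.

```python
import re
from collections import defaultdict

# IOS syslog shape seen in the thread: "<seq>: <timestamp> <tz>: %FACILITY-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^\d+: (?P<ts>\w{3} +\d+ [\d:.]+) \S+: %(?P<mnemonic>CRYPTO-\d-\w+): (?P<text>.*)$"
)
PEER_RE = re.compile(r"(?:from|with peer at) (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample modelled on the spoke log in the post; 203.0.113.1 (TEST-NET) stands in
# for "(public IP of HUB router)" and 203.0.113.2 is a second, invented peer.
SAMPLE_LOG = """\
939665: Apr 28 14:32:32.510 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 203.0.113.1 is bad: CA request failed!
939666: Apr 28 14:32:34.050 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 203.0.113.1 is bad: certificate invalid
939667: Apr 28 14:32:34.050 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 203.0.113.1
939668: Apr 28 14:32:40.000 CEST: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 203.0.113.2 is bad: certificate invalid
"""

def parse(log):
    """Yield (peer, mnemonic, text) for each CRYPTO syslog line naming a peer; skip the rest."""
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        p = PEER_RE.search(m["text"])
        if p:
            yield p["peer"], m["mnemonic"], m["text"]

def triage(log):
    """Group IKE certificate failures per peer and attach a heuristic cause label."""
    events = defaultdict(list)
    for peer, mnemonic, text in parse(log):
        events[peer].append((mnemonic, text))
    result = {}
    for peer, evs in events.items():
        texts = " ".join(t for _, t in evs)
        if "CA request failed" in texts:
            # The router asked its CA for something while validating the peer certificate in
            # Main mode and got no answer; in the thread the CA sits behind the tunnel being built.
            cause = "ca_unreachable_during_ike"
        elif "certificate invalid" in texts:
            cause = "peer_certificate_rejected"
        else:
            cause = "unknown"
        phase1_failed = any(m == "CRYPTO-6-IKMP_MODE_FAILURE" for m, _ in evs)
        result[peer] = {"events": len(evs), "cause": cause, "phase1_failed": phase1_failed}
    return result
```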

Comments

  • It works because once IPsec is up (via PSK authentication), key renegotiation does not require Phase 1 to be re-established, and thus authentication does not need to be renegotiated.

    Based on the logs, it means you have a problem with the CA/certificate on the hub.

  • On 28 Apr 2015, at 20:29, Madara <[email protected]> wrote:

    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • Unfortunately, the tunnel via pre-shared key goes to another hub (a different router).

    This DMVPN hub always has a connection to the CA. And after the IPsec tunnels come up (on the spoke), these two routers establish the DMVPN connection.
