Help with RSA certs on IPSec tunnels using Lo0 as source

Here's a little gem of a hint if you attempt to do an IPSEC tunnel using RSA certs when the endpoints are both loopbacks and there is more than 1 path through the IP network (in other words you have multiple crypto maps on the router interfaces and you use the loopbacks to source the tunnel).


I was tearing my hair out last night trying to do Vol 2 lab 1 section 4.2.  R4 and R3 want to form a tunnel. R4 started complaining that R3's certificate was invalid. I stressed and I stressed and checked all my configs which were fine. Then I changed the auth to Preshared key and the tunnel came straight up.

So it's a cert problem... After a bit of research on Cisco.com I found this. Note the last paragraph... [:)]

When you issue the crypto pki enroll command, you are prompted a number of times.

First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.

Note: This password is not stored anywhere, so you need to remember this password.

If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.

You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.

Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.

If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.


SET THE IP ADDRESS IN THE ENROLLMENT REQUEST TO THE LOOPBACK ADDRESS AND IN MY CASE I DID NOT INCLUDE SERIAL NUMBERS. THIS SHOULD SOLVE THE PROBLEM.


I hope this helps others struggling to work out where they are going wrong.


Regards,


Oliver (CCIE #18773)
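As an added example (not part of the original post or the lab), here is what the relevant IOS configuration on one endpoint looks like when the tunnel is sourced from Loopback0 and the same crypto map sits on several interfaces. Hostnames, addresses, the CA URL, ACL networks and interface numbers are placeholders.

```text
! Added example, not from the original post. Hostnames, addresses, CA URL,
! ACL networks and interface numbers are placeholders.
hostname R4
!
! The tunnel is sourced from Loopback0 on both peers.
interface Loopback0
 ip address 150.1.4.4 255.255.255.255
!
! Trustpoint: the enrollment request carries the loopback address (the fix
! the post describes) and leaves the board serial number out.
crypto pki trustpoint CA-SERVER
 enrollment url http://<ca-server-ip>/
 ip-address Loopback0
 serial-number none
 subject-name CN=R4
 revocation-check none
!
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! local-address names the interface whose IP is in the certificate, so the
! peer sees the same identity whichever physical path the traffic takes.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 150.1.3.3
 set transform-set TS
 match address VPN-ACL
!
! The same crypto map goes on every interface that can reach the peer.
interface Serial1/0
 crypto map VPN
interface FastEthernet0/0
 crypto map VPN
!
! Exec steps after the above:
!   crypto pki authenticate CA-SERVER   (import the CA certificate)
!   crypto pki enroll CA-SERVER         (answer "yes" to include the IP
!                                        address, then name Loopback0)
!   show crypto pki certificates        (confirm the IP address in the
!                                        router cert is the loopback)
```

If the peer still rejects the certificate, `debug crypto isakmp` shows which identity the peer received, which makes a mismatch between the certificate and the crypto map source address easy to spot.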
