Hello, I really need some help. This is my first time working with Cisco equipment and so far i dont have any training.
I am trying to setup Site to Site vpn using certificates and it is not working. I keep getting certificate not valid when i troubleshoot the VPN connection. Im using a 871 and 1801 router with Advanced IP services.
When i look at the logs i see that it tells me the certificate is invalid
"Certificate received from x.x.x.x is bad: certificate invalid"
What do i have to do to fix it.
This is my config one one of the routers. They are both setup about the same
Using 4805 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REDCisco1801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name domain.local
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-2284619324
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2284619324
revocation-check none
rsakeypair TP-self-signed-2284619324
!
crypto pki trustpoint VPN
enrollment mode ra
enrollment url serial-number
fqdn REDCisco1801.startrek.local
ip-address 192.0.2.6
password 7 025E220859222B07691D503A213146585D
subject-name CN=xxxx, C=US, ST=CA
revocation-check crl
rsakeypair SDM-RSAKey-1147972729000
auto-enroll
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-2284619324
certificate self-signed 01 nvram:IOS-Self-Sig#3403.cer
crypto pki certificate chain VPN
certificate 1CCB2F1A000100000031 nvram:ambassador#31.cer
certificate ca 3C3571C2D9DD9297461F2C58CF8EEE71 nvram:ambassador#EE71CA.cer
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 192.0.2.7
set peer 192.0.2.7
set transform-set ESP-3DES-SHA1
match address 102
!
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 192.0.2.6 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.0.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.0.4.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.0.4.0 0.0.0.255 192.0.3.0 0.0.0.255
access-list 101 permit ip 192.0.4.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.0.4.0 0.0.0.255 192.0.3.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
ALL ACCESS IS LOGGED
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
length 0
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180188
ntp update-calendar
ntp server 192.0.2.224 source FastEthernet0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thanks for your help guys
I am trying to setup Site to Site vpn using certificates and it is not working. I keep getting certificate not valid when i troubleshoot the VPN connection. Im using a 871 and 1801 router with Advanced IP services.
When i look at the logs i see that it tells me the certificate is invalid
"Certificate received from x.x.x.x is bad: certificate invalid"
What do i have to do to fix it.
This is my config one one of the routers. They are both setup about the same
Using 4805 out of 196600 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REDCisco1801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name domain.local
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-2284619324
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2284619324
revocation-check none
rsakeypair TP-self-signed-2284619324
!
crypto pki trustpoint VPN
enrollment mode ra
enrollment url serial-number
fqdn REDCisco1801.startrek.local
ip-address 192.0.2.6
password 7 025E220859222B07691D503A213146585D
subject-name CN=xxxx, C=US, ST=CA
revocation-check crl
rsakeypair SDM-RSAKey-1147972729000
auto-enroll
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-2284619324
certificate self-signed 01 nvram:IOS-Self-Sig#3403.cer
crypto pki certificate chain VPN
certificate 1CCB2F1A000100000031 nvram:ambassador#31.cer
certificate ca 3C3571C2D9DD9297461F2C58CF8EEE71 nvram:ambassador#EE71CA.cer
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 192.0.2.7
set peer 192.0.2.7
set transform-set ESP-3DES-SHA1
match address 102
!
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 192.0.2.6 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.0.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.0.4.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.0.4.0 0.0.0.255 192.0.3.0 0.0.0.255
access-list 101 permit ip 192.0.4.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.0.4.0 0.0.0.255 192.0.3.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
ALL ACCESS IS LOGGED
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
length 0
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180188
ntp update-calendar
ntp server 192.0.2.224 source FastEthernet0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thanks for your help guys