I have been struggling to solve a DMVPN certificate issue: the certificate was no longer valid after we relocated the office and re-IPed the DMVPN WAN interface. These are the errors I have faced:
- CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH
- %PKI-3-POLLROUTERCERT: Polling Router certificate for DMVPN ..... (unable to reach the remote IOS CA)
- Running show crypto isakmp sa lists nothing (this is a separate issue: the router certificate is missing, which required running crypto key generate rsa to regenerate it)
In this scenario we need to do an offline enrollment for the spoke DMVPN router using terminal mode:
- At the DMVPN spoke router, in config mode:
  - crypto pki trustpoint DMVPN (the trustpoint name)
  - Change the enrollment mode to terminal: enrollment terminal
- At the IOS CA router, in config mode:
  - crypto pki export DMVPN pem terminal
  - Copy the encoded certificate block without the header and footer lines
- At the DMVPN spoke router, in config mode:
  - Run crypto pki authenticate DMVPN (the trustpoint name), paste the encoded CA certificate from the CA router, then press Enter and type quit
  - Enter crypto pki enroll DMVPN and copy the PKCS#10 request block without the header
- At the IOS CA router, in privileged EXEC mode:
  - Enter crypto pki server DMVPN request pkcs10 terminal, paste the spoke router's request block, then press Enter and type quit
  - Copy the generated certificate block
- At the DMVPN spoke router, in config mode:
  - Run crypto pki import DMVPN certificate and paste the certificate block from the IOS CA router
- To verify, in privileged EXEC mode run show crypto isakmp sa to check connectivity, and check the certificate info with:
  - show crypto pki certificates verbose (shows the signed certificate)
  - show crypto pki trustpoint DMVPN status (shows the trustpoint certificate information; make sure the certificate is not pending)

Wait a minute... it shows the certificate is pending for authorization. You may change the CA to grant automatically with the following commands:
- At the IOS CA router, in config mode:
  - crypto pki server server_name
  - grant auto (if you encounter an error you might need to issue the shutdown command first, then grant auto, then no shutdown)
Please note that you have to ensure the security license is enabled, otherwise you might have issues with the VPN connection.
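Here is the whole terminal-enrollment exchange, plus the grant auto change, written out end to end as an added example transcript. It is not part of the original post: the hostnames spoke1 and ca-router, the domain spoke1.example.com, the trustpoint and CA server name DMVPN, and every encoded block in angle brackets are assumptions or placeholders, and the prompt wording follows standard IOS behaviour but may differ slightly between releases.

```cisco
! --- Spoke router (config mode): switch the trustpoint to terminal enrollment ---
spoke1(config)# crypto pki trustpoint DMVPN
spoke1(ca-trustpoint)# enrollment terminal
spoke1(ca-trustpoint)# exit

! --- CA router (config mode): export the CA certificate to the terminal ---
ca-router(config)# crypto pki export DMVPN pem terminal
% CA certificate:
-----BEGIN CERTIFICATE-----
<placeholder: base64 CA certificate body - copy only the lines between header and footer>
-----END CERTIFICATE-----

! --- Spoke router (config mode): install the CA certificate ---
spoke1(config)# crypto pki authenticate DMVPN

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
<paste the CA certificate body here>
quit

Certificate has the following attributes:
       Fingerprint MD5: <placeholder>
       Fingerprint SHA1: <placeholder>
! Check: compare this fingerprint with "show crypto pki certificates" on the CA
! router before answering yes; a mismatch means this is not your CA's certificate.
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

! --- Spoke router (config mode): generate the PKCS#10 request ---
spoke1(config)# crypto pki enroll DMVPN
% Start certificate enrollment ..
% The subject name in the certificate will include: spoke1.example.com
% Include the router serial number in the subject name? [yes/no]: no
! Answering no below keeps the (now changed) WAN address out of the subject name.
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

<placeholder: base64 PKCS#10 request body - copy this block>
---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

! --- CA router (privileged EXEC): sign the request pasted from the terminal ---
ca-router# crypto pki server DMVPN request pkcs10 terminal
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
<paste the spoke's request body here>
quit

% Granted certificate:
<placeholder: base64 signed certificate body - copy this block>

! --- Spoke router (config mode): import the signed certificate ---
spoke1(config)# crypto pki import DMVPN certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
<paste the signed certificate body here>
quit

% Router Certificate successfully imported
spoke1(config)# end

! --- Spoke router (privileged EXEC): verify the trustpoint is no longer pending ---
spoke1# show crypto pki trustpoints DMVPN status
spoke1# show crypto pki certificates verbose
spoke1# show crypto isakmp sa

! --- CA router (config mode): only if requests stay pending. grant auto issues a
! certificate to any requester that reaches the CA with no operator review, so
! treat it as a temporary setting and turn it back off once the spoke is enrolled.
ca-router(config)# crypto pki server DMVPN
ca-router(cs-server)# shutdown
ca-router(cs-server)# grant auto
ca-router(cs-server)# no shutdown
```

The fingerprint check after crypto pki authenticate is the one step in this flow where the spoke decides whom to trust for every future DMVPN peer certificate, so it is worth reading against the CA's own certificate rather than just pressing yes.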