I'm trying to configure DMVPN based on certificates. This is what I have:
- router A 1812-advipserv - as the CA certificate server and as the hub in DMVPN, CA configured, certificate generated,
Code:
crypto pki server S-CA
 database level names
 issuer-name CN=S-CA-TUNELE
 lifetime certificate 1825
 lifetime ca-certificate 1825
 lifetime enrollment-request 24
 cdp-url flash:S-CA.crl
 database url flash:
!
crypto pki trustpoint S-CA
 revocation-check crl
 rsakeypair S-CA
Code:
crypto pki trustpoint S-CA
 enrollment url http://172.3.0.99:80
 revocation-check crl
 rsakeypair aaa
Code:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.3.1.9 is bad: CA request failed!
*Feb 6 08:42:45.256: ISAKMP:(2324): sending packet to 172.3.1.9 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb 6 08:42:45.256: ISAKMP (0:2324): received packet from 172.3.1.9 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Feb 6 08:42:45.256: ISAKMP:(2324):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 6 08:42:45.256: ISAKMP:(2324):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Feb 6 08:42:45.256: ISAKMP:(2324): processing CERT payload. message ID = 0
*Feb 6 08:42:45.256: ISAKMP:(2324): processing a CT_X509_SIGNATURE cert
*Feb 6 08:42:45.256: ISAKMP:(2324): peer's pubkey isn't cached
*Feb 6 08:42:45.256: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.3.1.9 is bad: CA request failed!
*Feb 6 08:42:45.256: ISAKMP:(2324):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 6 08:42:45.256: ISAKMP:(2324):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Feb 6 08:42:45.256: ISAKMP (0:2324): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
It seems to me that something is still missing :>
//edit peper: Please use the Code tags to format posts