• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3269
  • Last Modified:

debug error msg: CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

I have configured IPSec to use Win2000 Certificates on two 2501 routers.  I have configured the CA's, ISAKMP, and IPSec.  

I get the following error when the router tries to establish an ISAKMP connection.  Any ideas?

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Thanks,
Jerri
0
benje02
Asked:
benje02
  • 3
1 Solution
 
Big5250Commented:
Here's a link from Cisco:

Error Message  

%CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
Explanation   The certificate given by the remote peer either has been revoked or has expired (the certificate is invalid) or the signature check on the certificate has failed (invalid signature).

Recommended Action   Contact the CA of the remote peer. The CA certificate may be invalid

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_system_message_guide_chapter09186a00801c81ad.html

HTH
0
 
benje02Author Commented:
I am still having problems with this issue.  I cannot fingure out why the routers think the certificate is bad.  I am doing this in a test enviroment and issued the Certs from a 2000 server.  See below.  I have also verified that preshared keys work so I know that ipsec works on the two routers.  I just can't get the CA to work.

Thanks,
Jerri

nugget#
03:37:17: ISAKMP (0): received packet from 192.168.30.2 (N) NEW SA
03:37:17: ISAKMP: local port 500, remote port 500
03:37:17: ISAKMP (0:1): processing SA payload. message ID = 0
03:37:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 polic
y
03:37:17: ISAKMP:      encryption DES-CBC
03:37:17: ISAKMP:      hash SHA
03:37:17: ISAKMP:      default group 1
03:37:17: ISAKMP:      auth RSA sig
03:37:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:37:19: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
03:37:19: ISAKMP (1): Using FQDN as My ID
03:37:19: ISAKMP (0:1): SA is doing RSA signature authentication
03:37:19: ISAKMP (1): SA is doing RSA signature authentication using id type ID_
FQDN
03:37:19: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (1): received packet from 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (0:1): processing KE payload. message ID = 0
03:37:24: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:37:24: ISAKMP (0:1): SKEYID state generated
03:37:24: ISAKMP (1): processing CERT_REQ payload. message ID = 0
03:37:24: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
03:37:24: ISAKMP (1): peer want cert issued by CN = nbits-ca, C = US
03:37:24: ISAKMP (0:1): processing vendor id payload
03:37:24: ISAKMP (0:1): speaking to another IOS box!
03:37:24: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (1): received packet from 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (0:1): processing ID payload. message ID = 0
03:37:30: ISAKMP (0:1): processing CERT payload. message ID = 0
03:37:30: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
03:37:30: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.2    i
s bad: certificate invalid
03:37:30: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer
at 192.168.30.2
03:37:30: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission

0
 
benje02Author Commented:
Can anyone tell me if the certificates below look okay?  Why are ther srial numbers the same on three of them?

Thanks,
Jerri

nomee#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 61377F61000000000015
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nomee.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:08:21 UTC Apr 13 2004
    end   date: 20:18:21 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006





nugget#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 613AAD49000000000016
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nugget.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:11:49 UTC Apr 13 2004
    end   date: 20:21:49 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006
0
 
benje02Author Commented:
Problem resolved

I did not set the clock to have the current date and time, therefore, the routers though the certificates were invalid!!!

Yikes!!!!!
0
 
NetminderCommented:
User resolved; closed, 300 points refunded.

Netminder
Site Admin
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now