Solved

debug error msg:   CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Posted on 2004-04-05
7
2,532 Views
Last Modified: 2010-05-18
I have configured IPSec to use Win2000 Certificates on two 2501 routers.  I have configured the CA's, ISAKMP, and IPSec.  

I get the following error when the router tries to establish an ISAKMP connection.  Any ideas?

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Thanks,
Jerri
0
Comment
Question by:benje02
  • 3
7 Comments
 
LVL 5

Expert Comment

by:Big5250
ID: 10762604
Here's a link from Cisco:

Error Message  

%CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
Explanation   The certificate given by the remote peer either has been revoked or has expired (the certificate is invalid) or the signature check on the certificate has failed (invalid signature).

Recommended Action   Contact the CA of the remote peer. The CA certificate may be invalid

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_system_message_guide_chapter09186a00801c81ad.html

HTH
0
 

Author Comment

by:benje02
ID: 10786959
I am still having problems with this issue.  I cannot fingure out why the routers think the certificate is bad.  I am doing this in a test enviroment and issued the Certs from a 2000 server.  See below.  I have also verified that preshared keys work so I know that ipsec works on the two routers.  I just can't get the CA to work.

Thanks,
Jerri

nugget#
03:37:17: ISAKMP (0): received packet from 192.168.30.2 (N) NEW SA
03:37:17: ISAKMP: local port 500, remote port 500
03:37:17: ISAKMP (0:1): processing SA payload. message ID = 0
03:37:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 polic
y
03:37:17: ISAKMP:      encryption DES-CBC
03:37:17: ISAKMP:      hash SHA
03:37:17: ISAKMP:      default group 1
03:37:17: ISAKMP:      auth RSA sig
03:37:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:37:19: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
03:37:19: ISAKMP (1): Using FQDN as My ID
03:37:19: ISAKMP (0:1): SA is doing RSA signature authentication
03:37:19: ISAKMP (1): SA is doing RSA signature authentication using id type ID_
FQDN
03:37:19: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (1): received packet from 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (0:1): processing KE payload. message ID = 0
03:37:24: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:37:24: ISAKMP (0:1): SKEYID state generated
03:37:24: ISAKMP (1): processing CERT_REQ payload. message ID = 0
03:37:24: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
03:37:24: ISAKMP (1): peer want cert issued by CN = nbits-ca, C = US
03:37:24: ISAKMP (0:1): processing vendor id payload
03:37:24: ISAKMP (0:1): speaking to another IOS box!
03:37:24: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (1): received packet from 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (0:1): processing ID payload. message ID = 0
03:37:30: ISAKMP (0:1): processing CERT payload. message ID = 0
03:37:30: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
03:37:30: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.2    i
s bad: certificate invalid
03:37:30: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer
at 192.168.30.2
03:37:30: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission

0
 

Author Comment

by:benje02
ID: 10817297
Can anyone tell me if the certificates below look okay?  Why are ther srial numbers the same on three of them?

Thanks,
Jerri

nomee#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 61377F61000000000015
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nomee.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:08:21 UTC Apr 13 2004
    end   date: 20:18:21 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006





nugget#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 613AAD49000000000016
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nugget.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:11:49 UTC Apr 13 2004
    end   date: 20:21:49 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006
0
 

Author Comment

by:benje02
ID: 10826385
Problem resolved

I did not set the clock to have the current date and time, therefore, the routers though the certificates were invalid!!!

Yikes!!!!!
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 10830212
User resolved; closed, 300 points refunded.

Netminder
Site Admin
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now