Solved

debug error msg:   CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Posted on 2004-04-05
7
2,639 Views
Last Modified: 2010-05-18
I have configured IPSec to use Win2000 Certificates on two 2501 routers.  I have configured the CA's, ISAKMP, and IPSec.  

I get the following error when the router tries to establish an ISAKMP connection.  Any ideas?

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Thanks,
Jerri
0
Comment
Question by:benje02
  • 3
7 Comments
 
LVL 5

Expert Comment

by:Big5250
ID: 10762604
Here's a link from Cisco:

Error Message  

%CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
Explanation   The certificate given by the remote peer either has been revoked or has expired (the certificate is invalid) or the signature check on the certificate has failed (invalid signature).

Recommended Action   Contact the CA of the remote peer. The CA certificate may be invalid

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_system_message_guide_chapter09186a00801c81ad.html

HTH
0
 

Author Comment

by:benje02
ID: 10786959
I am still having problems with this issue.  I cannot fingure out why the routers think the certificate is bad.  I am doing this in a test enviroment and issued the Certs from a 2000 server.  See below.  I have also verified that preshared keys work so I know that ipsec works on the two routers.  I just can't get the CA to work.

Thanks,
Jerri

nugget#
03:37:17: ISAKMP (0): received packet from 192.168.30.2 (N) NEW SA
03:37:17: ISAKMP: local port 500, remote port 500
03:37:17: ISAKMP (0:1): processing SA payload. message ID = 0
03:37:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 polic
y
03:37:17: ISAKMP:      encryption DES-CBC
03:37:17: ISAKMP:      hash SHA
03:37:17: ISAKMP:      default group 1
03:37:17: ISAKMP:      auth RSA sig
03:37:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:37:19: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
03:37:19: ISAKMP (1): Using FQDN as My ID
03:37:19: ISAKMP (0:1): SA is doing RSA signature authentication
03:37:19: ISAKMP (1): SA is doing RSA signature authentication using id type ID_
FQDN
03:37:19: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (1): received packet from 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (0:1): processing KE payload. message ID = 0
03:37:24: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:37:24: ISAKMP (0:1): SKEYID state generated
03:37:24: ISAKMP (1): processing CERT_REQ payload. message ID = 0
03:37:24: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
03:37:24: ISAKMP (1): peer want cert issued by CN = nbits-ca, C = US
03:37:24: ISAKMP (0:1): processing vendor id payload
03:37:24: ISAKMP (0:1): speaking to another IOS box!
03:37:24: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (1): received packet from 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (0:1): processing ID payload. message ID = 0
03:37:30: ISAKMP (0:1): processing CERT payload. message ID = 0
03:37:30: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
03:37:30: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.2    i
s bad: certificate invalid
03:37:30: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer
at 192.168.30.2
03:37:30: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission

0
 

Author Comment

by:benje02
ID: 10817297
Can anyone tell me if the certificates below look okay?  Why are ther srial numbers the same on three of them?

Thanks,
Jerri

nomee#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 61377F61000000000015
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nomee.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:08:21 UTC Apr 13 2004
    end   date: 20:18:21 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006





nugget#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 613AAD49000000000016
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nugget.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:11:49 UTC Apr 13 2004
    end   date: 20:21:49 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006
0
 

Author Comment

by:benje02
ID: 10826385
Problem resolved

I did not set the clock to have the current date and time, therefore, the routers though the certificates were invalid!!!

Yikes!!!!!
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 10830212
User resolved; closed, 300 points refunded.

Netminder
Site Admin
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port forwarding 14 149
Stack Switches in IOU  web V22 6 87
Can't remote with RDC through ASUS RT-N66W Router 3 66
What problem can Native VLAN mismatch causes 4 34
We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now