?
Solved

debug error msg:   CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Posted on 2004-04-05
7
Medium Priority
?
2,858 Views
Last Modified: 2010-05-18
I have configured IPSec to use Win2000 Certificates on two 2501 routers.  I have configured the CA's, ISAKMP, and IPSec.  

I get the following error when the router tries to establish an ISAKMP connection.  Any ideas?

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid

Thanks,
Jerri
0
Comment
Question by:benje02
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
7 Comments
 
LVL 5

Expert Comment

by:Big5250
ID: 10762604
Here's a link from Cisco:

Error Message  

%CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
Explanation   The certificate given by the remote peer either has been revoked or has expired (the certificate is invalid) or the signature check on the certificate has failed (invalid signature).

Recommended Action   Contact the CA of the remote peer. The CA certificate may be invalid

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_system_message_guide_chapter09186a00801c81ad.html

HTH
0
 

Author Comment

by:benje02
ID: 10786959
I am still having problems with this issue.  I cannot fingure out why the routers think the certificate is bad.  I am doing this in a test enviroment and issued the Certs from a 2000 server.  See below.  I have also verified that preshared keys work so I know that ipsec works on the two routers.  I just can't get the CA to work.

Thanks,
Jerri

nugget#
03:37:17: ISAKMP (0): received packet from 192.168.30.2 (N) NEW SA
03:37:17: ISAKMP: local port 500, remote port 500
03:37:17: ISAKMP (0:1): processing SA payload. message ID = 0
03:37:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 polic
y
03:37:17: ISAKMP:      encryption DES-CBC
03:37:17: ISAKMP:      hash SHA
03:37:17: ISAKMP:      default group 1
03:37:17: ISAKMP:      auth RSA sig
03:37:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:37:19: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
03:37:19: ISAKMP (1): Using FQDN as My ID
03:37:19: ISAKMP (0:1): SA is doing RSA signature authentication
03:37:19: ISAKMP (1): SA is doing RSA signature authentication using id type ID_
FQDN
03:37:19: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (1): received packet from 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (0:1): processing KE payload. message ID = 0
03:37:24: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:37:24: ISAKMP (0:1): SKEYID state generated
03:37:24: ISAKMP (1): processing CERT_REQ payload. message ID = 0
03:37:24: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
03:37:24: ISAKMP (1): peer want cert issued by CN = nbits-ca, C = US
03:37:24: ISAKMP (0:1): processing vendor id payload
03:37:24: ISAKMP (0:1): speaking to another IOS box!
03:37:24: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (1): received packet from 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (0:1): processing ID payload. message ID = 0
03:37:30: ISAKMP (0:1): processing CERT payload. message ID = 0
03:37:30: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
03:37:30: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.2    i
s bad: certificate invalid
03:37:30: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer
at 192.168.30.2
03:37:30: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission

0
 

Author Comment

by:benje02
ID: 10817297
Can anyone tell me if the certificates below look okay?  Why are ther srial numbers the same on three of them?

Thanks,
Jerri

nomee#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 61377F61000000000015
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nomee.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:08:21 UTC Apr 13 2004
    end   date: 20:18:21 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006





nugget#show crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 613AAD49000000000016
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name Contains:
    Name: nugget.r2katz.net
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 20:11:49 UTC Apr 13 2004
    end   date: 20:21:49 UTC Apr 13 2005

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612A6BFD000000000002
  Key Usage: Signature
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:43 UTC Apr 4 2004
    end   date: 18:22:43 UTC Apr 4 2005

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612A6F1E000000000003
  Key Usage: Encryption
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     OU = IT
     O = r2katz
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:12:44 UTC Apr 4 2004
    end   date: 18:22:44 UTC Apr 4 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
  Key Usage: General Purpose
  Issuer:
    CN = nbits-ca
     C = US
  Subject Name:
    CN = nbits-ca
     C = US
  CRL Distribution Point:
    ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,C
N=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLD
istributionPoint
  Validity Date:
    start date: 18:03:43 UTC Apr 4 2004
    end   date: 18:12:04 UTC Apr 4 2006
0
 

Author Comment

by:benje02
ID: 10826385
Problem resolved

I did not set the clock to have the current date and time, therefore, the routers though the certificates were invalid!!!

Yikes!!!!!
0
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 10830212
User resolved; closed, 300 points refunded.

Netminder
Site Admin
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question