benje02
asked on
debug error msg: CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid
I have configured IPSec to use Win2000 Certificates on two 2501 routers. I have configured the CA's, ISAKMP, and IPSec.
I get the following error when the router tries to establish an ISAKMP connection. Any ideas?
CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.3 is bad: certificate invalid
Thanks,
Jerri
ASKER
I am still having problems with this issue. I cannot figure out why the routers think the certificate is bad. I am doing this in a test environment and issued the certs from a 2000 server. See below. I have also verified that preshared keys work, so I know that IPSec works on the two routers. I just can't get the CA to work.
Thanks,
Jerri
nugget#
03:37:17: ISAKMP (0): received packet from 192.168.30.2 (N) NEW SA
03:37:17: ISAKMP: local port 500, remote port 500
03:37:17: ISAKMP (0:1): processing SA payload. message ID = 0
03:37:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
03:37:17: ISAKMP: encryption DES-CBC
03:37:17: ISAKMP: hash SHA
03:37:17: ISAKMP: default group 1
03:37:17: ISAKMP: auth RSA sig
03:37:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:37:19: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
03:37:19: ISAKMP (1): Using FQDN as My ID
03:37:19: ISAKMP (0:1): SA is doing RSA signature authentication
03:37:19: ISAKMP (1): SA is doing RSA signature authentication using id type ID_FQDN
03:37:19: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (1): received packet from 192.168.30.2 (R) MM_SA_SETUP
03:37:22: ISAKMP (0:1): processing KE payload. message ID = 0
03:37:24: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:37:24: ISAKMP (0:1): SKEYID state generated
03:37:24: ISAKMP (1): processing CERT_REQ payload. message ID = 0
03:37:24: ISAKMP (1): peer wants a CT_X509_SIGNATURE cert
03:37:24: ISAKMP (1): peer want cert issued by CN = nbits-ca, C = US
03:37:24: ISAKMP (0:1): processing vendor id payload
03:37:24: ISAKMP (0:1): speaking to another IOS box!
03:37:24: ISAKMP (1): sending packet to 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (1): received packet from 192.168.30.2 (R) MM_KEY_EXCH
03:37:30: ISAKMP (0:1): processing ID payload. message ID = 0
03:37:30: ISAKMP (0:1): processing CERT payload. message ID = 0
03:37:30: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
03:37:30: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.30.2 is bad: certificate invalid
03:37:30: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.168.30.2
03:37:30: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
ASKER
Can anyone tell me if the certificates below look okay? Why are the serial numbers the same on three of them?
Thanks,
Jerri
nomee#show crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 61377F61000000000015
Key Usage: General Purpose
Issuer:
CN = nbits-ca
C = US
Subject Name Contains:
Name: nomee.r2katz.net
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 20:08:21 UTC Apr 13 2004
end date: 20:18:21 UTC Apr 13 2005
RA Signature Certificate
Status: Available
Certificate Serial Number: 612A6BFD000000000002
Key Usage: Signature
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
OU = IT
O = r2katz
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:12:43 UTC Apr 4 2004
end date: 18:22:43 UTC Apr 4 2005
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 612A6F1E000000000003
Key Usage: Encryption
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
OU = IT
O = r2katz
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:12:44 UTC Apr 4 2004
end date: 18:22:44 UTC Apr 4 2005
CA Certificate
Status: Available
Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
Key Usage: General Purpose
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:03:43 UTC Apr 4 2004
end date: 18:12:04 UTC Apr 4 2006
nugget#show crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 613AAD49000000000016
Key Usage: General Purpose
Issuer:
CN = nbits-ca
C = US
Subject Name Contains:
Name: nugget.r2katz.net
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 20:11:49 UTC Apr 13 2004
end date: 20:21:49 UTC Apr 13 2005
RA Signature Certificate
Status: Available
Certificate Serial Number: 612A6BFD000000000002
Key Usage: Signature
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
OU = IT
O = r2katz
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:12:43 UTC Apr 4 2004
end date: 18:22:43 UTC Apr 4 2005
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 612A6F1E000000000003
Key Usage: Encryption
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
OU = IT
O = r2katz
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:12:44 UTC Apr 4 2004
end date: 18:22:44 UTC Apr 4 2005
CA Certificate
Status: Available
Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
Key Usage: General Purpose
Issuer:
CN = nbits-ca
C = US
Subject Name:
CN = nbits-ca
C = US
CRL Distribution Point:
ldap:///CN=nbits-ca,CN=nbits,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=r2katz,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Validity Date:
start date: 18:03:43 UTC Apr 4 2004
end date: 18:12:04 UTC Apr 4 2006
ASKER
Problem resolved
I did not set the clock to have the current date and time; therefore, the routers thought the certificates were invalid!!!
Yikes!!!!!
ASKER CERTIFIED SOLUTION
Error Message
%CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is bad: [chars]
Explanation The certificate given by the remote peer either has been revoked or has expired (the certificate is invalid) or the signature check on the certificate has failed (invalid signature).
Recommended Action Contact the CA of the remote peer. The CA certificate may be invalid
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_system_message_guide_chapter09186a00801c81ad.html
HTH
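The "expired" case in the explanation above is exactly what bit the asker from the other side: with the router clock never set, both the peer's identity certificate and the CA certificate were still in the future, so the validity-window check failed before any signature was examined. As an added example (not from the thread or from Cisco), this Python parses a `show crypto ca cert` listing into validity windows and reports which certificates a router with a given clock would reject; the listing is constructed from the nugget router's values posted above, and the 1993 clock used in the usage note is assumed here as the date an IOS router boots with when no clock is configured.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the `show crypto ca cert` listing posted
# above; serial numbers, names and dates are copied from the nugget router.
SHOW_CRYPTO_CA_CERT = """\
Certificate
Certificate Serial Number: 613AAD49000000000016
Subject Name Contains:
Name: nugget.r2katz.net
Validity Date:
start date: 20:11:49 UTC Apr 13 2004
end date: 20:21:49 UTC Apr 13 2005
CA Certificate
Certificate Serial Number: 1B2A7E9A7A0D1F994010D2CF0720F689
Subject Name:
CN = nbits-ca
Validity Date:
start date: 18:03:43 UTC Apr 4 2004
end date: 18:12:04 UTC Apr 4 2006
"""

IOS_DATE = "%H:%M:%S UTC %b %d %Y"  # timestamp format IOS prints in the listing

def ios_time(text):
    """Parse an IOS UTC timestamp such as '20:11:49 UTC Apr 13 2004'."""
    return datetime.strptime(text.strip(), IOS_DATE).replace(tzinfo=timezone.utc)

def parse_certs(listing):
    """Return one dict (kind, serial, start, end) per certificate block."""
    certs = []
    # Every block opens with a header line that ends in the word "Certificate".
    for block in re.split(r"^(?=.*Certificate$)", listing, flags=re.M):
        if not block.strip():
            continue
        certs.append({
            "kind": block.splitlines()[0].strip(),
            "serial": re.search(r"Serial Number: (\w+)", block).group(1),
            "start": ios_time(re.search(r"start date: (.+)", block).group(1)),
            "end": ios_time(re.search(r"end date: (.+)", block).group(1)),
        })
    return certs

def validity_failures(listing, clock):
    """Kinds of certificate a router whose clock reads `clock` would reject:
    main mode fails if the peer cert or its CA cert is outside its window."""
    now = ios_time(clock)
    return [c["kind"] for c in parse_certs(listing)
            if not (c["start"] <= now <= c["end"])]
```

With `validity_failures(SHOW_CRYPTO_CA_CERT, "00:00:00 UTC Mar 1 1993")` both the identity and the CA certificate are reported, which is the asker's failure; with a clock in late April 2004 the list is empty, and after April 13 2005 only the identity certificate is reported, matching the expiry case in the Cisco explanation.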