I want to setup a Cisco IOS router with a double role GETVPN Key Server and Certificate Authority.
The GMs can authenticate and enroll with the CA(KS) using CA's default trustpoint name (CISCO) but the CA(KS) can't establish GETVPN phase 1 with the GMs and returns the following error:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from <GMs IP> is bad: CA request failed!
All routers participating in GETVPN have the clocks sync with an NTP server. All timezones are set identical on all routers.
Should I use different trustpoint for GETVPN than the default one (default one is CISCO) then authenticate and enroll with it?
The default trustpoint (CISCO) can't be used to authenticate and enroll with it (in order to make KS participate in Phase 1 Authentication with GMs).
I find this double role useful because you can save a router.
There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.