
OPERATIONAL DEFECT DATABASE
Symptoms:

During the negotiation of IKE MM [based on the config in the "Conditions" section]:

- Here, when Peer-1 acts as the initiator and sends the CERTREQ payload containing [Root-CA_Subject-Name] + [Sub-CA_1_Subject-Name], Peer-2 responds with a certificate chain containing [Sub-CA_2 + Peer-2-ID Cert by Sub-CA_2].
- Note that, as far as Peer-1 is concerned, both Sub-CA_2 and Peer-2-ID Cert are "Untrusted" and need to be validated individually.
- Peer-1 at this stage does the following:
  - Validate Sub-CA_2: for this, PKI requests from IKE the trustpoints containing the issuer of Sub-CA_2, which is returned successfully [since the isakmp profile contains "ca trust-point Root-CA"].
  - Validate Peer-2-ID Cert: again, PKI requests from IKE the trustpoints containing the issuer of Peer-2-ID Cert, which IKE does not return since it is not configured in the ISAKMP profile. This step only takes place if the Sub-CA_2 certificate is installed locally.

Notice the debugs:

CRYPTO_PKI: (A0009) Create a list of suitable trustpoints
CRYPTO_PKI: Found a issuer match <<< Indicating that the issuer [Sub-CA_2] is installed locally
CRYPTO_PKI: (A0009) No suitable trustpoints found

Note: In IOS, PKI deems a certificate "Untrusted" when that certificate does not exist in its database.
Conditions:

We have a deployment where a PKI-authentication-based VPN is configured between two peers, named Peer-1 and Peer-2, which are both IOS devices:

Peer-1:
  crypto pki trustpoint Root-CA
  crypto pki trustpoint Sub_1-ID
  !! contains Sub-CA_1 cert [issued by Root-CA] + Peer-1-ID-Cert [issued by Sub-CA_1]
  crypto isakmp profile ISA-PROF
   ca trust-point Sub_1-ID
   ca trust-point Root-CA

Peer-2:
  crypto pki trustpoint Root-CA
  crypto pki trustpoint Sub_2-ID
  !! contains Sub-CA_2 cert [issued by Root-CA] + Peer-2-ID Cert [issued by Sub-CA_2]
  crypto isakmp profile ISA-PROF
   ca trust-point Sub_2-ID
   ca trust-point Root-CA
Workaround:

As described in the Symptoms, installing the CA certificate of the peer's ID-cert issuer locally, but not referencing it in the isakmp profile [or IKEv2 profile], is treated as a misconfiguration. Either:

- Do not install the CA certificate of the peer's ID-cert issuer locally, in which case IOS will anchor the certificate-chain validation to the Root-CA trustpoint automatically; or
- Install the CA certificate of the peer's ID-cert issuer locally, and reference it under the isakmp profile or the IKEv2 profile.
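The trustpoint-selection behaviour described in the Symptoms, run against both workaround options, as an added Python model; this is not IOS code and not part of this database entry. The trustpoint name Sub_2-CA on Peer-1, the CA-first chain order, and the single-trustpoint-per-subject lookup are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

@dataclass
class Router:
    trustpoints: dict          # trustpoint name -> list of Cert installed under it
    profile_trustpoints: list  # "ca trust-point" entries in the ISAKMP profile

# Constructed certificates matching the Conditions section.
ROOT = Cert("Root-CA", "Root-CA")
SUB_CA_1, PEER1_ID = Cert("Sub-CA_1", "Root-CA"), Cert("Peer-1-ID", "Sub-CA_1")
SUB_CA_2, PEER2_ID = Cert("Sub-CA_2", "Root-CA"), Cert("Peer-2-ID", "Sub-CA_2")
PEER2_CHAIN = [SUB_CA_2, PEER2_ID]   # chain Peer-2 sends, CA cert first (assumed order)

def validate_peer_chain(router, chain):
    """Model of the behaviour in the Symptoms: every chain cert absent from the local
    database is 'Untrusted' and checked individually. Its issuer must sit in a
    trustpoint the profile references; if the issuer is not installed locally, it must
    be an already-validated cert from the peer's own chain (the Root-CA anchor case)."""
    log = []
    local = {c.subject: tp for tp, certs in router.trustpoints.items() for c in certs}
    validated = set()
    for cert in chain:
        if cert.subject in local:          # present in the database: trusted as-is
            validated.add(cert.subject)
            continue
        issuer_tp = local.get(cert.issuer)
        if issuer_tp is not None:          # "Found a issuer match"
            log.append("Found a issuer match")
            if issuer_tp not in router.profile_trustpoints:
                log.append("No suitable trustpoints found")
                return False, log
        elif cert.issuer not in validated: # issuer neither local nor validated earlier
            log.append(f"issuer {cert.issuer} of {cert.subject} unknown")
            return False, log
        validated.add(cert.subject)
    return True, log

def peer1(install_sub_ca_2, reference_it):
    """Peer-1 from the Conditions, optionally with Sub-CA_2 installed in a hypothetical
    trustpoint Sub_2-CA and optionally referenced under the ISAKMP profile."""
    tps = {"Root-CA": [ROOT], "Sub_1-ID": [SUB_CA_1, PEER1_ID]}
    profile = ["Sub_1-ID", "Root-CA"]
    if install_sub_ca_2:
        tps["Sub_2-CA"] = [SUB_CA_2]
        if reference_it:
            profile.append("Sub_2-CA")
    return Router(tps, profile)

if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(flags, validate_peer_chain(peer1(*flags), PEER2_CHAIN))
```

Only the middle case (Sub-CA_2 installed but not referenced) reproduces the "No suitable trustpoints found" debug; the other two succeed.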
This is a configuration error, not a defect