Troubleshooting Steps

The PKI problem can be categorized as follows:

More detailed discussions follow in the next sections.

Certificate Enrollment Process Failure

The certificate enrollment process may fail for two reasons, which are discussed in order:

1. Incorrect CA URL for CA Server

You need to obtain the correct enrollment URL from the CA administrator in order to authenticate the CA and enroll with the CA server. Also find out from the CA administrator whether a registration authority (RA) is used, because that determines how many certificates you should expect to obtain. In CA-only mode, you get the CA root certificate and the router identity certificate. In RA mode, you get the CA root certificate, the RA signature certificate, the RA encryption certificate, and the router identity certificate.

Example 6-20 shows a sample URL for the Microsoft CA server.

Certificate Enrollment Is Fine but IKE Authentication Still Fails

IKE authentication takes place in the fifth and sixth packets of the IKE negotiation. In the fifth packet, the responder receives the ID payload, certificate payload, and signature payload from the initiator. The responder verifies that the initiator's ISAKMP identity in the ID payload matches the identity in the certificate. It performs CRL checking and lifetime checking, and verifies the integrity of the certificate using the CA's public key. Finally, it checks IKE authentication integrity by recalculating the hash carried in the signature payload.

Checking PKI enrollment and certificate lifetime requires multiple commands, and you have to correlate their output:

IKE authentication using digital signatures may fail for one of the following reasons:

1. ISAKMP identity mismatch

The router assigns an FQDN to the keys and certificates used by IPsec. During IKE (Phase 1) negotiation, the router checks the FQDN in the certificate. Therefore you must configure the ISAKMP identity as hostname (crypto isakmp identity hostname) rather than address on both routers. You see the following message if there is an ISAKMP identity mismatch:

2. Time and Date Mismatch

If the router's clock does not fall between the start and end dates of the certificates, and between the last and next update times of the CRL, the following errors appear during Phase 1 negotiation:

3. Certificate lifetime issue

If the certificate lifetime expires, you need to re-enroll; otherwise, IKE negotiation fails. The re-enrollment process can be automated as shown in Example 6-26.

4. The router does not have the CRL configured

If you do not configure the crl optional command under the trustpoint, the router checks for the CRL during Phase 1 negotiation. If the CRL is not available, you see the following errors:
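The four failure cases above, together with the responder-side checks described at the start of this section, can be modelled as one validation routine. The following is an added example (not code from the book or from Cisco IOS): it takes a simplified certificate, the peer's ISAKMP identity, the router clock and an optional CRL, and reports which of the chapter's failure cases applies. Signature verification of the certificate and of the IKE signature payload is deliberately left out because it needs the CA public key and an RSA implementation; all certificate, CRL and clock values are constructed sample data, and the reason codes are names chosen here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class Certificate:
    """Constructed stand-in for the certificate fields the responder inspects."""
    fqdn: str            # FQDN the router bound to its keys at enrollment
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    """Constructed stand-in for the CRL fields that matter here."""
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


def check_peer_certificate(cert: Certificate, peer_id_type: str, peer_id: str,
                           now: datetime, crl: Optional[CRL],
                           crl_optional: bool = False) -> List[Tuple[str, str]]:
    """Return (reason-code, detail) pairs; an empty list means the checks pass.

    The reason codes map onto the failure cases in the text: identity mismatch,
    clock outside the certificate/CRL window, expired certificate, missing CRL.
    """
    failures: List[Tuple[str, str]] = []

    # 1. ISAKMP identity mismatch: the certificate is bound to an FQDN, so the
    #    ID payload must carry a hostname identity equal to that FQDN.
    if peer_id_type != "hostname":
        failures.append(("identity-mismatch",
                         f"peer sent ISAKMP identity type '{peer_id_type}', "
                         f"but the certificate is bound to FQDN {cert.fqdn}"))
    elif peer_id.lower() != cert.fqdn.lower():
        failures.append(("identity-mismatch",
                         f"ID payload {peer_id!r} != certificate FQDN {cert.fqdn!r}"))

    # 2./3. Router clock against the certificate validity window.
    if now < cert.not_before:
        failures.append(("clock-before-validity",
                         f"clock {now.isoformat()} is before notBefore "
                         f"{cert.not_before.isoformat()}"))
    elif now > cert.not_after:
        failures.append(("certificate-expired",
                         f"clock {now.isoformat()} is after notAfter "
                         f"{cert.not_after.isoformat()}; re-enrollment needed"))

    # 4. CRL checking: without 'crl optional' a CRL must be present, the clock
    #    must fall between thisUpdate and nextUpdate, and the peer's serial
    #    must not be listed.
    if crl is None:
        if not crl_optional:
            failures.append(("crl-missing",
                             "no CRL available and crl optional is not configured"))
    else:
        if not (crl.this_update <= now <= crl.next_update):
            failures.append(("crl-stale",
                             f"clock {now.isoformat()} is outside the CRL "
                             "thisUpdate/nextUpdate window"))
        if cert.serial in crl.revoked_serials:
            failures.append(("certificate-revoked",
                             f"serial {cert.serial:#x} is listed on the CRL"))

    return failures


def utc(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical router, serials and dates).
PEER_CERT = Certificate(fqdn="rtr2.example.com", serial=0x1A2B,
                        not_before=utc("2004-01-01T00:00:00"),
                        not_after=utc("2005-01-01T00:00:00"))
FRESH_CRL = CRL(this_update=utc("2004-06-01T00:00:00"),
                next_update=utc("2004-06-08T00:00:00"),
                revoked_serials={0x0FFF})
GOOD_CLOCK = utc("2004-06-03T12:00:00")

if __name__ == "__main__":
    scenarios = {
        "all checks pass": ("hostname", "rtr2.example.com", GOOD_CLOCK, FRESH_CRL, False),
        "identity address": ("address", "10.1.1.2", GOOD_CLOCK, FRESH_CRL, False),
        "clock past expiry": ("hostname", "rtr2.example.com", utc("2005-03-01T00:00:00"), FRESH_CRL, False),
        "no CRL, not optional": ("hostname", "rtr2.example.com", GOOD_CLOCK, None, False),
        "no CRL, crl optional": ("hostname", "rtr2.example.com", GOOD_CLOCK, None, True),
    }
    for name, (id_type, peer_id, clock, crl, optional) in scenarios.items():
        result = check_peer_certificate(PEER_CERT, id_type, peer_id, clock, crl, optional)
        print(f"{name}: {[code for code, _ in result] or 'OK'}")
```

Running the script walks through each scenario and prints the matching reason codes; an expired certificate with an old CRL reports both certificate-expired and crl-stale, which mirrors how a wrong router clock tends to produce several of the Phase 1 errors at once.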