...
Symptoms:

During the negotiation of IKE MM [based on the config in the "Conditions" section]:

- When Peer-1 acts as the initiator and sends the CERTREQ payload containing [Root-CA_Subject-Name] + [Sub-CA_1_Subject-Name], Peer-2 responds with a certificate chain containing [Sub-CA_2 + Peer-2-ID Cert by Sub-CA_2].
- Note that as far as Peer-1 is concerned, both Sub-CA_2 and Peer-2-ID Cert are "Untrusted" and they need to be validated individually.
- Peer-1 at this stage does the following:
  - Validate Sub-CA_2: For this, PKI asks IKE for the trustpoints containing the issuer of Sub-CA_2, which is returned successfully [since the isakmp profile contains "ca trust-point Root-CA"].
  - Validate Peer-2-ID Cert: Again, PKI asks IKE for the trustpoints containing the issuer of Peer-2-ID-Cert, which IKE does not return since it does not have it configured in the ISAKMP profile. This step only takes place if the Sub-CA_2 Certificate is installed locally. Notice the debugs:

    CRYPTO_PKI: (A0009) Create a list of suitable trustpoints
    CRYPTO_PKI: Found a issuer match          <<< Indicating that the issuer [Sub-CA_2] is installed locally
    CRYPTO_PKI: (A0009) No suitable trustpoints found

Note: In IOS, PKI deems a certificate as "Untrusted" when that certificate does not exist in its database.
Conditions:

We have a deployment where a PKI-authentication-based VPN is configured between two peers, named Peer-1 and Peer-2, which are both IOS devices:

Peer-1:

    crypto pki trustpoint Root-CA
    crypto pki trustpoint Sub_1-ID
     !! contains Sub-CA_1 cert [issued by Root-CA] + Peer-1-ID-Cert [issued by Sub-CA_1]

    crypto isakmp profile ISA-PROF
     ca trust-point Sub_1-ID
     ca trust-point Root-CA

Peer-2:

    crypto pki trustpoint Root-CA
    crypto pki trustpoint Sub_2-ID
     !! contains Sub-CA_2 cert [issued by Root-CA] + Peer-2-ID Cert [issued by Sub-CA_2]

    crypto isakmp profile ISA-PROF
     ca trust-point Sub_2-ID
     ca trust-point Root-CA
Workaround:

As described in the Symptoms, installing the CA certificate of the peer's ID-cert issuer locally, but not referencing it in the isakmp profile [or IKEv2 profile], is treated as a misconfiguration. Either:

- Do not install the CA certificate of the peer's ID-cert issuer locally, in which case IOS will anchor the certificate-chain validation to the Root-CA trustpoint automatically; or
- Install the CA certificate of the peer's ID-cert issuer locally, and reference it under the isakmp profile or the IKEv2 profile.
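The trustpoint-selection rule from the Symptoms and the two workaround options, as an added illustrative model written for this page (not IOS code and not Cisco's implementation). It assumes certificates reduced to (subject, issuer) pairs and the trustpoint and profile names from the Conditions section; the three scenarios it evaluates are the ones the Workaround distinguishes, seen from Peer-1.

```python
# Added illustrative model (not IOS code) of the trustpoint-selection rule above.
# Certificates as (subject, issuer) pairs; names follow the Conditions section.
SUB_CA_2 = ("Sub-CA_2", "Root-CA")
PEER_2_ID = ("Peer-2-ID", "Sub-CA_2")
PEER_2_CHAIN = [SUB_CA_2, PEER_2_ID]  # what Peer-2 sends back in IKE MM

# Peer-1 as configured: trustpoint name -> CA subjects that trustpoint holds.
PEER_1_TRUSTPOINTS = {"Root-CA": {"Root-CA"}, "Sub_1-ID": {"Sub-CA_1"}}
PEER_1_PROFILE = ["Sub_1-ID", "Root-CA"]  # 'ca trust-point' lines in ISA-PROF


def validate_chain(chain, installed, profile):
    """Validate a peer's chain one untrusted cert at a time; returns (ok, log)."""
    log, validated = [], set()
    local_cas = {s for subjects in installed.values() for s in subjects}
    for subject, issuer in chain:
        # "Create a list of suitable trustpoints": trustpoints referenced in the
        # ISAKMP profile that hold a certificate for this issuer.
        suitable = [tp for tp in profile if issuer in installed.get(tp, set())]
        if suitable:
            log.append(f"{subject}: issuer {issuer} found in trustpoint {suitable[0]}")
        elif issuer in local_cas:
            # "Found a issuer match" but "No suitable trustpoints found": the issuer
            # is in the local database, yet no profile trustpoint returns it.
            log.append(f"{subject}: issuer {issuer} installed locally but not in profile")
            return False, log
        elif issuer in validated:
            # Issuer is not installed locally, so IOS relies on the copy the peer
            # sent, which was anchored to Root-CA earlier in this walk.
            log.append(f"{subject}: issuer {issuer} validated from the received chain")
        else:
            log.append(f"{subject}: issuer {issuer} unknown")
            return False, log
        validated.add(subject)
    return True, log


def peer1_scenarios():
    """The three cases the Workaround section distinguishes, seen from Peer-1."""
    with_sub2 = {**PEER_1_TRUSTPOINTS, "Sub_2-ID": {"Sub-CA_2"}}
    return {
        "not installed": validate_chain(PEER_2_CHAIN, PEER_1_TRUSTPOINTS, PEER_1_PROFILE)[0],
        "installed, not in profile": validate_chain(PEER_2_CHAIN, with_sub2, PEER_1_PROFILE)[0],
        "installed and in profile": validate_chain(PEER_2_CHAIN, with_sub2, PEER_1_PROFILE + ["Sub_2-ID"])[0],
    }


if __name__ == "__main__":
    for case, ok in peer1_scenarios().items():
        print(case, "->", "validation succeeds" if ok else "validation fails")
```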
This is a configuration error, not a defect.