PKI Server and IPv6.
I wanted to configure a PKI server over IPv6 and ran into a problem. According to the Cisco documentation, an IPv6 address in the enrollment URL must be enclosed in ‘[]’:
Router(ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80
When I tried to do the same, I found a bug:
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
r2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r2(config)#crypto pki trustpoint PKI-TRUSTPOINT
r2(ca-trustpoint)# enrollment url http://[2001:100::1]:80
r2(ca-trustpoint)# revocation-check crl
r2(ca-trustpoint)#end
r2#
May 1 23:18:26.699: %SYS-5-CONFIG_I: Configured from console by console
r2#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://[2001:100
revocation-check crl
!
!
As you can see, the address is truncated right after ‘::’, so the saved configuration no longer contains the CA server's address.
I also tested IOS 15.2(3)T3, where the problem appears to be fixed:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T3, RELEASE SOFTWARE (fc1)
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#crypto pki trustpoint PKI-TRUSTPOINT
r1(ca-trustpoint)#enrollment url http://[2001:100::1]:80
r1(ca-trustpoint)#end
r1#
*May 1 23:20:09.283: %SYS-5-CONFIG_I: Configured from console by console
r1#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://[2001:100::1]:80
revocation-check crl
!
You can spend a lot of time figuring out why a trustpoint cannot authenticate, so check what actually ended up in the running configuration before you start troubleshooting the PKI server itself.
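One way to make that configuration check repeatable is to scan the text of show running-config for trustpoint enrollment URLs whose bracketed IPv6 host is incomplete or invalid. The script below is an added example written for this post; it is not Cisco code and not part of the original article. The two sample configurations are constructed from the show run output shown above (with the usual IOS indentation restored), and the parsing relies only on the ‘crypto pki trustpoint’, ‘enrollment url’ and ‘!’ lines that appear in that output.

```python
"""
Check Cisco IOS trustpoint enrollment URLs for truncated or invalid IPv6 literals.

Added example, not from the original post and not Cisco code. It parses the
text of `show running-config` and reports every `enrollment url` whose
bracketed IPv6 host is missing its closing ']' or is not a valid IPv6 address,
which is the symptom the 15.1(3)T2 bug leaves in the saved configuration.
"""
import ipaddress
import re

# Constructed sample: the trustpoint as saved by the affected IOS release.
BUGGY_CONFIG = """\
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
"""

# Constructed sample: the same trustpoint on a release where it is saved intact.
GOOD_CONFIG = """\
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::1]:80
 revocation-check crl
!
"""

TRUSTPOINT_RE = re.compile(r"^crypto pki trustpoint (\S+)")
ENROLLMENT_RE = re.compile(r"^\s*enrollment url (\S+)")


def trustpoint_urls(config_text):
    """Return {trustpoint_name: enrollment_url} found in show-run text."""
    urls = {}
    current = None
    for line in config_text.splitlines():
        m = TRUSTPOINT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = ENROLLMENT_RE.match(line)
        if m:
            urls[current] = m.group(1)
            continue
        if line.startswith("!"):
            current = None  # IOS separates config sections with '!'
    return urls


def check_enrollment_url(url):
    """Return None if the URL's host part looks sane, else a problem description."""
    host_part = url.split("://", 1)[1] if "://" in url else url
    if host_part.startswith("["):
        end = host_part.find("]")
        if end == -1:
            return "IPv6 literal missing closing ']' (truncated?)"
        literal = host_part[1:end]
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return f"invalid IPv6 literal {literal!r}"
        rest = host_part[end + 1:]
        # Only an optional ':port' and an optional path may follow the literal.
        if rest and not re.fullmatch(r"(:\d+)?(/.*)?", rest):
            return f"unexpected text after IPv6 literal: {rest!r}"
        return None
    authority = host_part.split("/", 1)[0]
    if authority.count(":") > 1:
        # A bare IPv6 address cannot be told apart from host:port; it needs '[]'.
        return "IPv6 address must be enclosed in '[]'"
    if authority.count(":") == 1 and not authority.rsplit(":", 1)[1].isdigit():
        return "port is not numeric"
    return None


def audit(config_text):
    """Return a list of (trustpoint, url, problem) for every bad enrollment URL."""
    findings = []
    for name, url in trustpoint_urls(config_text).items():
        problem = check_enrollment_url(url)
        if problem:
            findings.append((name, url, problem))
    return findings


if __name__ == "__main__":
    for label, cfg in (("15.1(3)T2 sample", BUGGY_CONFIG), ("15.2(3)T3 sample", GOOD_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Feed it the output of ‘show running-config | section crypto pki trustpoint’ (or the full running config) and any trustpoint whose URL was mangled on save shows up before you start debugging the enrollment exchange itself.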