PKI Server and IPv6.

I wanted to configure a PKI server over IPv6 and ran into one problem. According to the Cisco documentation you should enclose IPv6 addresses in ‘[]’:

Router (ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80

When I tried to do the same, I hit a bug:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
r2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)#crypto pki trustpoint PKI-TRUSTPOINT
r2(ca-trustpoint)# enrollment url http://[2001:100::1]:80
r2(ca-trustpoint)# revocation-check crl
r2(ca-trustpoint)#end
r2#
May  1 23:18:26.699: %SYS-5-CONFIG_I: Configured from console by console
r2#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
!

As you can see, the address stored in the running configuration is truncated right after the ‘::’.

I also tested IOS 15.2(3)T3, where it seems to be fixed:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T3, RELEASE SOFTWARE (fc1)
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#crypto pki trustpoint PKI-TRUSTPOINT
r1(ca-trustpoint)#enrollment url http://[2001:100::1]:80
r1(ca-trustpoint)#end
r1#
*May  1 23:20:09.283: %SYS-5-CONFIG_I: Configured from console by console
r1#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::1]:80
 revocation-check crl
!

Sometimes you can spend a lot of time figuring out why your trustpoint can’t authenticate, so check the running configuration first before you start troubleshooting anything else.
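As an added example (not part of the original post), here is a small Python check for exactly that pre-flight step: it walks a running-config excerpt, picks out every enrollment url line and flags bracketed IPv6 literals that never close or do not parse as IPv6. The two sample configs are constructed from the show run outputs above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample configs, reconstructed from the two "sh run" outputs above.
BROKEN_CONFIG = """\
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
"""

FIXED_CONFIG = """\
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::1]:80
 revocation-check crl
!
"""

ENROLLMENT_RE = re.compile(r"^\s*enrollment url (\S+)")


def check_enrollment_url(url):
    """Return None if the URL looks sane, otherwise a short reason string."""
    # The IOS bug leaves an opening bracket with no closing one.
    if "[" in url and "]" not in url:
        return "opening '[' without closing ']' (IPv6 literal truncated?)"
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return f"unparseable URL: {exc}"
    if not host:
        return "URL has no host"
    # A bracketed host must be a valid IPv6 address.
    if parts.netloc.startswith("["):
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return f"bracketed host {host!r} is not a valid IPv6 address"
    return None


def audit_trustpoints(config_text):
    """Return (trustpoint, url, problem) for every bad enrollment URL in a config."""
    findings = []
    trustpoint = None
    for line in config_text.splitlines():
        if line.startswith("crypto pki trustpoint "):
            trustpoint = line.split()[-1]
            continue
        m = ENROLLMENT_RE.match(line)
        if m:
            problem = check_enrollment_url(m.group(1))
            if problem:
                findings.append((trustpoint, m.group(1), problem))
    return findings
```

Feed it the output of show running-config from the router; an empty result means every trustpoint's enrollment URL at least survived being written to the configuration.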
