PKI Server and IPv6.

I wanted to configure PKI Server based on IPv6 and I found one problem. According to Cisco documentation you should use ‘[]’ for IPv6 addresses:

Router (ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80

When I wanted to do the same I found one bug:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
r2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)#crypto pki trustpoint PKI-TRUSTPOINT
r2(ca-trustpoint)# enrollment url http://[2001:100::1]:80
r2(ca-trustpoint)# revocation-check crl
r2(ca-trustpoint)#end
r2#
May  1 23:18:26.699: %SYS-5-CONFIG_I: Configured from console by console
r2#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
!

As you see the address is truncated just after ‘::’.

I tested also IOS 15.2(3)T3 and it seems to be fixed:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T3, RELEASE SOFTWARE (fc1)
r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#crypto pki trustpoint PKI-TRUSTPOINT
r1(ca-trustpoint)#enrollment url http://[2001:100::1]:80
r1(ca-trustpoint)#end
r1#
*May  1 23:20:09.283: %SYS-5-CONFIG_I: Configured from console by console
r1#sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100::1]:80
 revocation-check crl
!

Sometimes you can spend a lot of time before you find out why your trustpoint can’t authenticate, so check the configuration first before you start troubleshooting.

 
3
Kudos
 
3
Kudos

Now read this

DMVPN & GET VPN

Today I would like to test an integration of DMVPN and GET VPN technologies. DMVPN can be used over the public network like Internet and GET VPN only over private like MPLS (because of IP preservation). As you remember from my previous... Continue →