Cisco VPN client rsa-sig auth issue

apowney
Level 1

Hi

I am using IOS CA server, a 1710 router as an Easy VPN server and VPN client version 5.0.00.0340. The CA cert and user cert were installed (manually) fine to the client, and SCEP worked fine from the 1710 to the CA server.

PSK auth connections are fine. But not rsa-sig.

I see the below error in the VPN client log:

296 12:26:33.375 04/29/07 Sev=Warning/3 IKE/0xE3000082

Invalid remote certificate id: ID_FQDN: ID = host2.x.com, Certificate = [NULL]

297 12:26:33.375 04/29/07 Sev=Warning/3 IKE/0xE3000059

The peer's certificate doesn't match Phase 1 ID

298 12:26:33.375 04/29/07 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Identity Protection (Main Mode)

I have tried a number of previous versions of VPN client in case of a caveat, but receive the same error message.

I can't find a good explanation of what causes this error, to be honest.

Would anyone be able to assist?

Many thanks

Alastair


ebreniz
Level 6

I think that the IKE Phase 1 ID is not matching. You need to use isakmp identity auto. Also, to set the Phase 2 ID to be sent to the peer, use the isakmp identity command in global configuration mode; it may help you.

Hi Ebreniz

Thank you for the response. On the IOS running (C2801-ADVENTERPRISEK9-M) the options are:

rtr2801(config)#cry isakmp identity ?

address Use the IP address of the interface for the identity

dn Use the distinguished name of the router cert for the identity

hostname Use the hostname of the router for the identity

And the DN option worked.

Many thanks for your input

Alastair
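
The following is an added example, not part of the original thread and not Cisco code: a small parser for the VPN client log format quoted in the first post, which flags entries where the identity the peer sent in Phase 1 was not found in its certificate. The function names are hypothetical, and reading `[NULL]` as "the certificate carries no value of that ID type" is an assumption based on the log text.

```python
import re

# Header line of a VPN client log entry, in the form shown in the post:
#   296 12:26:33.375 04/29/07 Sev=Warning/3 IKE/0xE3000082
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
# Message body of the "Invalid remote certificate id" warning.
CERT_ID = re.compile(
    r"Invalid remote certificate id:\s*(?P<id_type>ID_\w+):\s*ID\s*=\s*(?P<id>[^,]+),"
    r"\s*Certificate\s*=\s*(?P<cert>.+)$"
)

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue  # the log is often pasted with blank lines between rows
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def phase1_id_mismatches(text):
    """Return one finding per certificate / Phase 1 ID mismatch warning."""
    findings = []
    for e in parse_entries(text):
        m = CERT_ID.search(e["message"])
        if m:
            findings.append({
                "seq": int(e["seq"]),
                "id_type": m["id_type"],      # ID type the peer sent, e.g. ID_FQDN
                "peer_id": m["id"].strip(),   # value the peer sent
                # Assumption: "[NULL]" means no such field was found in the cert.
                "cert_has_id": m["cert"].strip() != "[NULL]",
            })
    return findings

# Log lines copied from the first post in this thread.
SAMPLE = """
296 12:26:33.375 04/29/07 Sev=Warning/3 IKE/0xE3000082
Invalid remote certificate id: ID_FQDN: ID = host2.x.com, Certificate = [NULL]
297 12:26:33.375 04/29/07 Sev=Warning/3 IKE/0xE3000059
The peer's certificate doesn't match Phase 1 ID
"""
```

A finding with `id_type` of `ID_FQDN` and `cert_has_id` false corresponds to the situation in this thread, which was resolved by having the router send its certificate DN as the identity.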
