Hi,

I am setting a Site-to-Site tunnel between my router and VPN3K concentrator.

I have configured both the router and the VPN3K to get certificates from a local MS CA.

When I run the interesting traffic between the 2 boxes, I am getting error below:

length : 149

May 3 00:01:20.458: ISAKMP:(0:3:SW:1):: UNITY's identity group: OU = CCIELab

May 3 00:01:20.458: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles

May 3 00:01:20.462: ISAKMP:(0:3:SW:1): processing CERT payload. message ID = 0

May 3 00:01:20.462: ISAKMP:(0:3:SW:1): processing a CT_X509_SIGNATURE cert

May 3 00:01:20.466: ISAKMP:(0:3:SW:1): processing CERT payload. message ID = 0

May 3 00:01:20.466: ISAKMP:(0:3:SW:1): processing a CT_X509_SIGNATURE cert

May 3 00:01:20.498: ISAKMP:(0:3:SW:1): peer's pubkey isn't cached

May 3 00:01:20.530: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.1.3 is bad: CA request failed!

May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5

May 3 00:01:20.530: ISAKMP (0:134217731): incrementing error counter on sa, attempt 1 of 5: reset_retransmission

May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4

May 3 00:01:21.530: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...

I would really appreciate your help on this.

I am attaching the router config, snapshots of the VPN3K config, as well as the complete router's debug output.

By the way, I am also running a RA VPN between my PC and the VPN3K and I am getting a similar problem!! Is it related to the certificates?!!

Attached is the VPN client's log for yuor reference!

R/ Haitham