05-02-2008 02:59 PM - edited 02-21-2020 02:00 AM
Hi,
I am setting up a Site-to-Site tunnel between my router and VPN3K concentrator.
I have configured both the router and the VPN3K to get certificates from a local MS CA.
When I run the interesting traffic between the 2 boxes, I am getting the error below:
length : 149
May 3 00:01:20.458: ISAKMP:(0:3:SW:1):: UNITY's identity group: OU = CCIELab
May 3 00:01:20.458: ISAKMP:(0:3:SW:1):: peer matches *none* of the profiles
May 3 00:01:20.462: ISAKMP:(0:3:SW:1): processing CERT payload. message ID = 0
May 3 00:01:20.462: ISAKMP:(0:3:SW:1): processing a CT_X509_SIGNATURE cert
May 3 00:01:20.466: ISAKMP:(0:3:SW:1): processing CERT payload. message ID = 0
May 3 00:01:20.466: ISAKMP:(0:3:SW:1): processing a CT_X509_SIGNATURE cert
May 3 00:01:20.498: ISAKMP:(0:3:SW:1): peer's pubkey isn't cached
May 3 00:01:20.530: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.1.3 is bad: CA request failed!
May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 3 00:01:20.530: ISAKMP (0:134217731): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
May 3 00:01:20.530: ISAKMP:(0:3:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
May 3 00:01:21.530: ISAKMP:(0:3:SW:1): retransmitting phase 1 MM_KEY_EXCH...
I would really appreciate your help on this.
I am attaching the router config, snapshots of the VPN3K config, as well as the complete router's debug output.
By the way, I am also running a RA VPN between my PC and the VPN3K and I am getting a similar problem!! Is it related to the certificates?!!
Attached is the VPN client's log for your reference!
R/ Haitham
05-08-2008 06:09 AM
To resolve this issue, perform these steps:
Create trust point on both sides.
Synchronize date and time on the routers (Network Time Protocol (NTP) is preferred).
Configure the hostname and domain.
Make sure you have generated an RSA key.
Define the Certification Authority (CA).
Authenticate the CA.
Enroll with the CA.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ioscs.html
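As an added example (not part of the original answer or of the linked Cisco document), here is an IOS configuration that walks the steps above on one router, plus the certificate-based ISAKMP profile that the debug output in the question shows was not matching. The hostname, domain, addresses, trustpoint and map names, and the Microsoft SCEP URL path are assumptions.

```cisco
! --- Prerequisites from the steps above: time, identity, RSA key (assumed values) ---
ntp server 10.1.1.100
hostname R1
ip domain-name ccielab.local
! Certificate validity periods are checked against the local clock, so an
! unsynchronized clock makes a freshly issued certificate look not-yet-valid.
crypto key generate rsa general-keys label VPN-KEY modulus 2048
!
! --- Trustpoint for the local Microsoft CA (SCEP endpoint path is an assumption) ---
crypto pki trustpoint MSCA
 enrollment url http://10.1.1.100/certsrv/mscep/mscep.dll
 subject-name CN=R1,OU=CCIELab
 rsakeypair VPN-KEY
 ! revocation-check defaults to crl; if the CRL distribution point is unreachable
 ! the peer certificate fails validation. Keep CRL checking and make the CDP
 ! reachable instead of turning revocation checking off.
 revocation-check crl
!
! Authenticate the CA (fetch its certificate and confirm the fingerprint out of
! band), then enroll. Both are exec-mode commands and prompt interactively.
crypto pki authenticate MSCA
crypto pki enroll MSCA
!
! --- IKE phase 1 using certificates instead of a pre-shared key ---
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
!
! Bind the peer's certificate subject to an ISAKMP profile. The question's debug
! shows "peer matches *none* of the profiles" for the OU = CCIELab identity.
crypto pki certificate map CCIELAB-MAP 10
 subject-name co ou = ccielab
crypto isakmp profile SITE2SITE
 ca trust-point MSCA
 match certificate CCIELAB-MAP
!
! --- Verification after enrollment ---
! show ntp status               -> clock is synchronized
! show crypto pki certificates  -> CA and router certificates present and valid
! show crypto pki trustpoints   -> trustpoint state and enrollment URL
```

The same enrollment must be completed on the VPN3K side against the same CA, and both ends must validate the other's certificate chain before Main Mode can finish.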