Certificate-based VPNs with pre-calculated keys and certs

Unanswered Question


I am trying to set up a VPN from a Cisco 877 to an OpenSWAN. I have it working with pre-shared keys, but would like to change over to using certificates instead.

My "CA" is openssl, and is *not* accessible via the network from the Cisco box. However, I do have all the details it should require - an encrypted key file, a password for that key, a certificate file for that key, and a file containing the CA self-signed certificate.

The far end also has a working certificate based VPN with another device - so I know that's right.

I am having difficulty setting up the Cisco. I *think* I am getting most of the way there, with the following (starting from a working pre-shared-key VPN):

crypto key import rsa mykey pem terminal password
... paste key PEM ...
... paste cert for that key PEM ...

crypto pki trustpoint myca
 subject C=GB, O=MyCompany, L=Here, OU=Unit, CN=Certificate Authority
 revocation-check none

crypto pki certificate chain myca
 certificate ca (serial from cert)
 ... paste the output of openssl x509 -in cacert.pem ...
 ... from the XXX_certificate section ...
 ... removing commas and "0x" ...

crypto key pubkey-chain rsa
 named-key myca encryption
 ... paste the output of openssl x509 -in cacert.pem ...
 ... from the XXX_public_key section ...
 ... removing commas and "0x" ...

crypto isakmp policy 1
 authentication rsa-sig

no crypto isakmp key (PSK) address
crypto isakmp identity dn


I use "debug crypto isakmp" and force the VPN up. I get a few interesting

*May 22 09:49:55.926: ISAKMP:(2006):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*May 22 09:49:55.926: ISAKMP(0:2006): Unable to get our DN from cert, using my FQDN as identity
*May 22 09:49:55.930: ISAKMP (0:2006): no cert chain to send to peer
*May 22 09:49:55.930: ISAKMP (0:2006): peer did not specify issuer and no suitable profile found

What am I missing?

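The post above describes hand-converting the CA certificate for the `crypto pki certificate chain` paste: take the DER bytes as hex, and supply the certificate's serial number on the `certificate ca <serial>` line. The following helper is an added example written for this page (it is not a Cisco or OpenSSL tool and is not from the original post). It assumes, as the post does, that IOS accepts the certificate as the hex dump of the DER-encoded certificate, wrapped in the same groups of eight hex digits that IOS itself prints in `show running-config`, and that the serial is given in hex as `openssl x509 -serial -noout` prints it. It decodes the PEM, walks just enough of the DER (Certificate > tbsCertificate > optional [0] version > serialNumber) to pull out the serial, and emits the wrapped hex. The sample "certificate" at the bottom is a constructed DER skeleton with dummy padding, not a valid X.509 certificate; it exists only so the block runs offline. Both paste blocks in the post (the `certificate ca` hex and the raw public key) come from the same `openssl x509` output, so a script like this removes the error-prone "strip commas and 0x" step.

```python
"""Turn a PEM certificate into the hex form pasted under
`crypto pki certificate chain <trustpoint>` / `certificate ca <serial>`.
Hypothetical helper written for this page; not a Cisco or OpenSSL tool."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_serial(der: bytes) -> int:
    """Serial number from Certificate > tbsCertificate > serialNumber (RFC 5280 layout)."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:  # explicit [0] version is present; the serial follows it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


def ios_hex_lines(der: bytes, width: int = 64) -> list:
    """Uppercase hex of the DER, 8 groups of 8 hex digits per line (IOS show-run style)."""
    h = der.hex().upper()
    lines = []
    for i in range(0, len(h), width):
        chunk = h[i:i + width]
        lines.append(" ".join(w for w in (chunk[j:j + 8] for j in range(0, width, 8)) if w))
    return lines


# ---- constructed sample input (NOT a valid X.509 certificate) ----------------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def constructed_sample_pem(serial: int) -> str:
    """Constructed skeleton: real version/serialNumber prefix, dummy padding after it."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, ser) + b"\x05\x00" * 80)
    cert = _der(0x30, tbs + _der(0x30, b"\x05\x00") + _der(0x03, b"\x00" + b"\xAA" * 128))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der = pem_to_der(constructed_sample_pem(0x1001))
    # Serial goes on the `certificate ca` line, in hex; the hex body follows, ending with `quit`.
    print(f" certificate ca {certificate_serial(der):X}")
    for line in ios_hex_lines(der):
        print("  " + line)
    print("  quit")
```

Feed the real `cacert.pem` to `pem_to_der` instead of the constructed sample to produce the paste for the router; the router-side check after pasting is `show crypto pki certificates`, which should list the CA certificate with the same serial.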
hadbou Tue, 07/01/2008 - 09:59

The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs). Two types of VPNs are supported: site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

Refer to the following URL for more info on configuring VPN on the Cisco 877:


Thank you for your response, however that example, like almost all the others I have found, uses pre-share authentication. I can have a working VPN with pre-share security.

However, I will have far too many remote points for pre-share to be viable, so I am trying to get certificate VPNs working.

I have made some progress since the last email - I needed to define a trustpoint with "enrollment terminal pem" to get manual installation of certificates.

But, it still doesn't quite work - I am obviously missing the step which informs the 877 to *use* the cert/key pair I have added for that trustpoint to talk to a particular VPN.


