IPSec site2site with RSA-SIG

Unanswered Question
Nov 17th, 2008

Hi everyone,

I am having trouble authenticating both peers using RSA certificates.

The error message I get is:

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:

Explanation A public key or private key query attempt that used a subject name has failed.

Recommended Action Check the subject name in the certificate.

I am not sure how to troubleshoot it then. On both routers I have the subject names set to the names of the RSA public keys.

Thanks for all your suggestions.


hadbou Mon, 11/24/2008 - 07:29

Make sure that the subject name on both devices is the same, as a mismatch in the subject name may cause this error. Also, the subject name should be the same as that of the certificate. Also, the keys used should be identical. In many cases, a simple typo can be to blame when an IPsec VPN tunnel does not come up. For example, on the security appliance, pre-shared keys become hidden once they are entered. This obfuscation makes it impossible to see if a key is incorrect. Be certain that you have entered any pre-shared keys correctly on each VPN endpoint. Re-enter a key to be certain that it is correct. Also check the configuration again, as any error in configuration can cause this error.

remi-reszka Mon, 11/24/2008 - 13:19

Thanks for the advice. I will check these and get back to you.

You know, I can't find anywhere whether the CA must be accessible to the VPN peers authenticating via certs at all times. I understand that once you have enrolled for a certificate with the CA and authenticated it, the peers don't need to contact the CA. Is that the case?
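As an added illustration (not part of the thread and not either poster's configuration): a minimal IKEv1 RSA-SIG site-to-site setup for one IOS peer that ties the RSA key-pair label, the trustpoint's rsakeypair and the certificate subject name together explicitly, followed by the show commands used to confirm that the key pair named by the trustpoint and the certificate issued for that subject are both present on the box. It also shows the trustpoint setting that decides whether a peer must reach the CA during IKE, which is the question raised above: after enrolment, a peer validates the other side's certificate against the CA certificate it already holds, and contacts the CA at IKE time only when revocation checking (CRL or OCSP) is configured and no usable CRL is cached. The hostname, key label, trustpoint name, CA URL, addresses and cipher parameters are assumptions; adjust them to the image and policy in use.

```cisco
! Constructed example, not the original poster's configuration.
! Hostname, key label, trustpoint name, CA URL, addresses and
! cipher parameters are assumptions.
hostname R1
ip domain-name example.com
!
! Generate the key pair under an explicit label so the trustpoint can
! reference it by name. Save the configuration afterwards: RSA keys are
! stored in NVRAM and are lost on reload if never written, leaving a
! certificate with no matching private key.
crypto key generate rsa general-keys label VPN-KEYS modulus 2048
!
crypto pki trustpoint MY-CA
 enrollment url http://ca.example.com:80
 subject-name CN=R1.example.com,OU=VPN,O=Example
 rsakeypair VPN-KEYS
 ! "none" means no CRL/OCSP fetch during IKE, so the CA does not have
 ! to be reachable once both peers are enrolled. Use "crl" if the
 ! policy requires revocation checking, and then the CRL distribution
 ! point must be reachable (or a cached CRL still valid) at IKE time.
 revocation-check none
!
! Phase 1: certificate authentication instead of a pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! Send the certificate DN as the IKE identity; the peer's isakmp
! identity type and certificate map (if any) must agree with this.
crypto isakmp identity dn
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN
!
! Verification from exec mode (constructed):
!   show crypto key mypubkey rsa      -> the label VPN-KEYS must be listed
!   show crypto pki trustpoints        -> trustpoint must show rsakeypair VPN-KEYS
!   show crypto pki certificates       -> Subject Name must carry the DN above
!                                         and be issued by the same CA as the peer's
!   debug crypto isakmp                -> shows which step of RSA-SIG fails
```

Checking order that follows from the error text: first confirm the key pair named by `rsakeypair` actually exists on the router (a missing or regenerated key pair is the first thing to rule out before comparing subject names); then confirm the certificate's Subject Name matches the `subject-name` line and that the same trustpoint is referenced by the ISAKMP policy on both peers. If the key pair was regenerated after enrolment, the old certificate no longer matches it and the router must re-enrol.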
