IPSec site2site with RSA-SIG

remi-reszka · ‎11-17-2008

Hi everyone,

I am having troubles with authenticating both peers with use of RSA certificates.

The error message I get is:

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:

Explanation A public key or private key query attempt that used a subject name has failed.

Recommended Action Check the subject name in the certificate.

I am not sure how to troubleshoot it then. On both routers I have subject names as the names of the RSA public key.

Thanks for all your suggestions.

Remy

hadbou · ‎11-24-2008

Make sure that the subject name on both the devices are the same as a mismatch in the subject name may cause this error.Also the subject name should be the same as that of the certificate.Also the keys used should be identical.In many cases, a simple typo can be to blame when an IPsec VPN tunnel does not come up. For example, on the security appliance, pre-shared keys become hidden once they are entered. This obfuscation makes it impossible to see if a key is incorrect.Be certain that you have entered any pre-shared-keys correctly on each VPN endpoint. Re-enter a key to be certain that it is correct.also check the configuration again as any eror in configuration can cause this error.

remi-reszka · ‎11-24-2008

Thanks for the advice. I will check these and get back to you.

You know, I can't find anywhere whether the CA must be acessible to the VPN peers authenticating via certs, at all times? I understand once you enrolled for a certificate to the CA and once you authenticated it, the peers don't need to contact the CA. Is that the case?

Thanks.

Jason Gervia · ‎11-25-2008

Awarded 3 points.