c2811 SSH settings

Unanswered Question
Dec 29th, 2008

Hello, I have this router as part of my DMVPN and I'd like to set up SSH to the outside interface. I have to create an RSA key, but my options are as follows.

BLKLAN2800-1(config)#crypto key generate rsa ?

general-keys Generate a general purpose RSA key pair for signing and


usage-keys Generate separate RSA key pairs for signing and encryption


I've tried both as "unexported" and "exportable".

When I do this (modulus is 1024, btw), the DMVPN tunnels stop working and I get the error message below.

*Dec 29 19:43:34.039: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.

*Dec 29 19:43:34.067: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.

When I do a "sh cryp isa sa" I see this.

BLKLAN2800-1#sh crypto isa sa

dst src state conn-id slot status

x.x.x.x x.x.x.x MM_KEY_EXCH 1 0 ACTIVE

x.x.x.x x.x.x.x MM_KEY_EXCH 2 0 ACTIVE

Any ideas on how I can implement SSH without interfering with the DMVPN portion?

vmoopeung Fri, 01/02/2009 - 12:59

The explanation for the error message is that the default policy is being used because the locally configured policies did not match the peer's policies.
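A check for the symptom described in this thread, added here as an example and not part of any post: it parses `show crypto isakmp sa` output together with the syslog lines and flags peers that have not reached QM_IDLE (the established phase 1 state) while default-policy warnings are being logged. The sample text is constructed, and the function names are assumptions.

```python
import re

# Constructed sample input modelled on the output quoted in the thread;
# the addresses are documentation-range placeholders, not values from the page.
SAMPLE_LOG = """\
*Dec 29 19:43:34.039: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
*Dec 29 19:43:34.067: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
"""
SAMPLE_SA = """\
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.7    MM_KEY_EXCH          1    0 ACTIVE
192.0.2.1       203.0.113.9     QM_IDLE              2    0 ACTIVE
"""

DEFAULT_POLICY = "%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED"
# dst, src, STATE (upper case, so the lower-case header row never matches),
# conn-id, slot, status
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_isakmp_sa(text):
    """Return one dict per SA row of 'show crypto isakmp sa' output."""
    keys = ("dst", "src", "state", "conn_id", "slot", "status")
    rows = []
    for line in text.splitlines():
        match = SA_ROW.match(line.strip())
        if match:
            rows.append(dict(zip(keys, match.groups())))
    return rows


def diagnose(log_text, sa_text):
    """Correlate default-policy warnings with SAs that never reached QM_IDLE."""
    hits = sum(DEFAULT_POLICY in line for line in log_text.splitlines())
    stuck = [r for r in parse_isakmp_sa(sa_text) if r["state"] != "QM_IDLE"]
    return {
        "default_policy_hits": hits,
        "stuck": stuck,
        # Both signals together match the symptom reported in the thread.
        "phase1_suspect": hits > 0 and bool(stuck),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_SA)
    for sa in report["stuck"]:
        print(f"{sa['src']} -> {sa['dst']} stuck in {sa['state']}")
    print("phase 1 suspect:", report["phase1_suspect"])
```
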

Brent Rockburn Fri, 05/01/2009 - 10:25

I upgraded the IOS. The IOS that was on it didn't have that option and wouldn't work with DMVPN phase 3. After the upgrade everything was fine.

