c2811 SSH settings

Brent Rockburn
Level 2

Hello, I have this router as part of my DMVPN and I'd like to set up SSH to the outside interface. I have to create an RSA key, but my options are as follows.

BLKLAN2800-1(config)#crypto key generate rsa ?
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

I've tried both as "un exported" and "exportable".

When I do this (modulus is 1024 btw), the DMVPN tunnels stop working and I get the error message below.

*Dec 29 19:43:34.039: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.

*Dec 29 19:43:34.067: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.

When I do a "sh cryp isa sa" I see this.

BLKLAN2800-1#sh crypto isa sa
dst        src        state          conn-id  slot  status
x.x.x.x    x.x.x.x    MM_KEY_EXCH    1        0     ACTIVE
x.x.x.x    x.x.x.x    MM_KEY_EXCH    2        0     ACTIVE

Any ideas on how I can implement SSH without interfering with the DMVPN portion?

3 Replies

vmoopeung
Level 5

The explanation for the error message is that the default policy is being used because the local configured policies did not match with the peer's policies.

SludnevTN_2
Level 1

Have you solved your problem?

I have the same error.

I upgraded the IOS. The IOS that was on it didn't have that option and wouldn't work with DMVPN phase 3. After the upgrade everything was fine.