So I have a dynamic VPN working between my 5510 static and my 5505 dynamic.
At the moment it is on PSK; the 5505 uses aggressive mode and all is working well.
I want to disable aggressive mode, so I have set up a Windows CA and issued certificates to the two firewalls.
I have uploaded the root CA to both firewalls, and the certs on each firewall are under the same trust point.
How do I migrate now?
I have set up IKE policies for rsa-sig authentication.
Under IKE authentication I have set ASDM_trustpoint0.
And on the 5505 spoke I have set "Static Crypto map entrys parameters" "CA Certificate" to ASDM_trustpoint0.
As soon as I disable aggressive mode I get the following entries on the 5505.
|4||Aug 25 2010||15:43:43||IP = 62.XXX.222.42, Information Exchange processing failed|
|5||Aug 25 2010||15:43:51||IP = 62.XXX.222.42, Received an un-encrypted INVALID_COOKIE notify message, dropping|
Is there any way that I can confirm that each firewall likes the other's certificate?