I am configuring VPN for the first time using three routers. The scenario is I need to have VPN from hpl-rt1 to kirne-rt2 and palate-rt3 routers. I am able to connect from hpl-rt1 to kirne-rt2 but not to the third router. Here are the show outputs, and the router configs are attached.
HPL-rt1#sho crypto engine conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 126.96.36.199 set HMAC_SHA+3DES_56_C 0 0
2000 FastEthernet0/0 188.8.131.52 set HMAC_SHA 0 4
2001 FastEthernet0/0 184.108.40.206 set HMAC_SHA 4 0
2002 FastEthernet0/0 220.127.116.11 set HMAC_SHA+3DES_56_C 0 4
2003 FastEthernet0/0 18.104.22.168 set HMAC_SHA+3DES_56_C 4 0
HPL-rt1#sho crypto isakmp sa
dst src state conn-id slot
22.214.171.124 126.96.36.199 QM_IDLE 1 0
In the log there is this message:
03:32:58: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 188.8.131.52 failed it
the Auto-enroll feature and Network Time Protocol (NTP) are unconfigured. The clock is set to a time in the distant future, which is past the router's certificate lifetime, and an IPSec connection is started. This is not a recommended action. It is only shown to demonstrate the logging effect on the VPN headend and branch on an 'expired' branch.
Current IPSec tunnels that are already connected when the certificate expires continue to have connectivity until that IPSec session is terminated or attempts to re-key at the IPSec Security Association's (SA's) lifetime.
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my Cisco 2901 router. The following
licenses have been activated on my router: