I have a Cisco 831 router which I am trying to configure so that NT/2k/xp clients can VPN in using the built-in VPN client. The following config works using a pre-shared key but does not when using certificates. A 2000 server has been set up as a CA, and both the client and the router have certificates from this CA. No changes are made apart from crypto isakmp policy 1 having auth pre-share when it does work. Any ideas?
sh ver -
Cisco Internetwork Operating System Software
IOS (tm) C831 Software (C831-K9O3Y6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELE
I did a search on those errors and didn't find anything, so you might have found a new bug. Particularly the "Hifn
79xx_PktEngReturn_InvalidArgument_SourceDataBufferExceedsMTU" message doesn't seem to have been seen before, but looks to point to an MTU issue. What's probably happening is that when the certificate is being sent it's bigger than the MTU and has to be fragmented, which the router doesn't like (or is not doing properly). With pre-shared keys you wouldn't get this happening.
You could try lowering the MTU on the 831's interface and on the PC and see if that makes any difference. Set it to 1400 and then lower down gradually if it doesn't work. If you get to 1000 or so and it's still not working then there's probably something else going on, and I would suggest opening a TAC case so they can investigate it further.