
New Member

ISAKMP (0:1): No Cert or pre-shared address key.

This is telling me that there is no pre-shared key or cert on the peer router! But there is! Why is it lying to me? lol

00:28:28: IPSEC(sa_request): ,
(key eng. msg.) src= 168.114.191.241, dest= 166.131.180.148,
src_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x62626AD4(1650617044), conn_id= 0, keysize= 0, flags= 0x4004
00:28:28: ISAKMP: received ke message (1/1)
00:28:28: ISAKMP: local port 500, remote port 500
00:28:28: ISAKMP (0:1): No Cert or pre-shared address key.
00:28:28: ISAKMP (0:1): Can not start Main mode
00:28:28: ISAKMP: 166.131.180.148 not in host cache
00:28:28: ISAKMP (0:1): Can not start aggressive mode.

The router is running NAT, but I have mirror ACLs on them that deny the NAT process to traffic destined to the remote LAN.

8 REPLIES
Cisco Employee

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Could you check if the pre-shared key or cert is based on the NAT'ed or real address? Without looking at the configs of both routers it's a bit hard to tell. This error happens when the identity used by the IPsec peers (normally an IP address) is different from the IP address of the interface where the crypto map is applied and the corresponding crypto map local address is not defined, and/or the IP address defined on the isakmp key is different from the interface that has the crypto map applied.

New Member

Re: ISAKMP (0:1): No Cert or pre-shared address key.

I have applied my crypto map to my external NAT'd interface. I have the configs posted here. I just changed the routers' names and IPs, but it's still the config. http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee90eb5

Cisco Employee

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Hi,

In the config that you have posted, I see that your router is getting an IP address via DHCP. Is it a safe assumption that they will get the same IP address each and every time a request is made?

The reason being, you have a crypto map configured which points to a static IP address, and if this IP address changes for some reason, then we need to make sure that there is a pre-shared key for that IP address.

And if the above is the case, then you are going to run into problems each and every time the router gets a different IP address.

Regards,

Arul

New Member

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Yes, it is safe to assume that I will be getting the same IP every time. For now let's just assume that they are static IPs. Do you see anything wrong with my config?

Cisco Employee

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Hi,

On the routers, try doing this.

Router A:

crypto isakmp key cisco123 hostname routerb

Change it to:

crypto isakmp key cisco123 address 66.11.11.11

Router B:

crypto isakmp key cisco123 hostname routera

Change it to:

crypto isakmp key cisco123 address 68.14.91.241

Regards,

Arul

New Member

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Would the change from hostname to address make a difference? The host name can be resolved, and in the debug crypto isakmp it does recognize its peer as that of the entered hostname. routera is a DNS entry and not a manual host entry on the router. The router is configured to look to a certain DNS server where this entry is located.

Cisco Employee

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Hi,

From the logs, "No Certs or Pre-shared keys": you get this message usually when the router is not able to find a certificate or pre-shared key for the remote peer configured in the router.

In your case, you have the pre-shared key, but they are using the hostname and there is a possibility that the router is not able to identify the keys configured for this peer. And your router is configured for isakmp identity address.

Since your config is looking good, I would very well make the change and give it a shot and see what happens.

Regards,

Arul
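
As an added illustration of the mismatch Arul describes (this is not code from the thread or from Cisco), the small Python check below reads an IOS config fragment and flags any crypto map peer whose pre-shared key is configured with `hostname` while the router's ISAKMP identity is `address`, which is the condition that produces "No Cert or pre-shared address key". The config fragments and the peer address 66.11.11.11 are constructed sample values taken from the reply above; the assumption that IOS defaults to address identity when no `crypto isakmp identity` line is present is stated in a comment.

```python
import re

# Constructed sample config fragment modelled on the thread (not the poster's
# real config); the peer address is the placeholder value used in the reply.
ROUTER_A_BEFORE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 hostname routerb
crypto map VPN 10 ipsec-isakmp
 set peer 66.11.11.11
"""

# The same config after applying the suggested change (hostname -> address).
ROUTER_A_AFTER = ROUTER_A_BEFORE.replace("hostname routerb", "address 66.11.11.11")

KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ (address|hostname) (\S+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
IDENT_RE = re.compile(r"^\s*crypto isakmp identity (address|hostname)", re.M)


def check_isakmp_keys(config: str) -> list:
    """Return one finding per crypto-map peer whose pre-shared key cannot be
    found under the router's ISAKMP identity type (empty list means OK)."""
    m = IDENT_RE.search(config)
    # Assumption: IOS uses address identity when no 'crypto isakmp identity' is set.
    identity = m.group(1) if m else "address"
    keys = KEY_RE.findall(config)                       # [(type, value), ...]
    addr_keys = {v for t, v in keys if t == "address"}
    host_keys = {v for t, v in keys if t == "hostname"}
    findings = []
    for peer in PEER_RE.findall(config):
        if identity != "address":
            continue  # hostname identity looks keys up by FQDN; not checked here
        if peer in addr_keys or "0.0.0.0" in addr_keys:  # exact or wildcard key
            continue
        if host_keys:
            findings.append(
                f"peer {peer}: identity is address but only hostname keys exist "
                f"({', '.join(sorted(host_keys))}); expect "
                "'No Cert or pre-shared address key'")
        else:
            findings.append(f"peer {peer}: no pre-shared key configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", ROUTER_A_BEFORE), ("after", ROUTER_A_AFTER)):
        print(name, check_isakmp_keys(cfg) or "OK")
```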

New Member

Re: ISAKMP (0:1): No Cert or pre-shared address key.

Thanks a lot man. That definitely seemed to be the problem for phase 1. Do you know why that would happen? The host name was resolved correctly. Could it be that when it reaches the other router it sees that the key is mapped to the IP and not a hostname? Anyways, thanks again. Now I just have to figure out the problem that is happening on phase 2! lol You may be hearing from me again. haha
