I have a situation in which I have multiple CAs, and each of them has signed a certificate for my gateway.
I then try to use a VPN client with two configurations. The only difference between the configurations is the certificates that I use for VPN establishment.
With CA one, IKE negotiations complete and the VPN is established; however, IKE negotiations do not complete with CA two.
When I negotiate a VPN connection using certificates signed by CA two, the log states that the certificate is valid; however, I never see a message that states that PHASE 1 is complete. In fact, this is the last message I see.
From IKE negotiations with CA one, the normal course of events in the log shows that the certificate gets validated, and then a log usually shows that PHASE 1 is complete. This message never appears with CA two.
I have compared the certificates issued by both CA one and two, and both seem to have the same type of information except the obvious names of each. Both are still valid.
I have the logs turned up to include all messages.
Can anyone help me determine why Phase 1 negotiation fails to complete?
Re: Phase 1 Does not complete with valid certificate
The first thing I would check is the time on both devices, CA two and the gateway. They must be synchronized or at least close. There can be other reasons why Phase-I is failing apart from the authentication. Check if you have the policies (hashing algorithm, encryption method, DH group) configured to match, at least one, on both ends. I think it depends on the version of the VPN client you are using.
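
The two checks suggested in the reply above, as an added example that is not part of the original thread: each peer judges the certificate's validity window against its own clock, and Phase 1 needs at least one policy where encryption, hash, DH group and authentication method all match. The names `Proposal`, `common_proposals` and `phase1_diagnosis` are hypothetical, and all dates and policies are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 policy: all four fields must match on both ends."""
    encryption: str
    hash_alg: str
    dh_group: int
    auth: str

def common_proposals(initiator, responder):
    """Return the initiator's proposals the responder also accepts, in initiator order."""
    accepted = set(responder)
    return [p for p in initiator if p in accepted]

def cert_valid_at(not_before, not_after, device_clock):
    """A peer checks validity against its own clock, not the CA's."""
    return not_before <= device_clock <= not_after

def phase1_diagnosis(initiator, responder, not_before, not_after, clocks):
    """Collect reasons Phase 1 could fail; an empty list means neither check failed."""
    problems = []
    if not common_proposals(initiator, responder):
        problems.append("no common proposal (encryption/hash/DH group/auth)")
    for name, now in clocks.items():
        if not cert_valid_at(not_before, not_after, now):
            problems.append(f"certificate outside validity window on {name} clock")
    return problems

# Constructed sample data (not taken from the thread).
UTC = timezone.utc
ISSUED = datetime(2024, 1, 10, 12, 0, tzinfo=UTC)   # certificate notBefore
EXPIRES = ISSUED + timedelta(days=365)              # certificate notAfter
CLIENT = [Proposal("aes-256", "sha256", 14, "rsa-sig"),
          Proposal("aes-128", "sha256", 14, "rsa-sig")]
GATEWAY = [Proposal("aes-128", "sha256", 14, "rsa-sig")]
CLOCKS = {"client": datetime(2024, 6, 1, tzinfo=UTC),
          "gateway": datetime(2024, 1, 10, 9, 0, tzinfo=UTC)}  # 3 h before issuance

if __name__ == "__main__":
    print("common:", common_proposals(CLIENT, GATEWAY))
    for line in phase1_diagnosis(CLIENT, GATEWAY, ISSUED, EXPIRES, CLOCKS):
        print("FAIL:", line)
```

With the sample data, the policies overlap but the gateway clock is behind the certificate's start date, so only the clock check fails.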