Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication

Dear all,

a customer uses openswan 2.4.6-k261805-netkey to establish a site-to-site VPN to our Cisco PIX running OS 8.0(3). Certificates are used to authenticate the connection.

Unfortunately we have some troubles when the connection needs to be rekeyd. It seems the PIX sends the FQDN upon the first connection attempt and the DN when rekeying (the log file of openswan shows this).

On the PIX we configured properly "isakmp identity auto" which means (according to doc) it should use the FQDN/IP-Address for pre-shared-key authentication and the cert DN for certificate based authentication.

I think there might be a bug in IOS... maybe somebody else can confirm this issue or can give me a hint how to resolve it.

More information:

Cisco log on rekeying:

%PIX-5-713041: IP =, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)

%PIX-5-713201: IP =, Duplicate Phase 1 packet detected. Retransmitting last packet.

%PIX-6-713905: IP =, P1 Retransmit msg dispatched to MM FSM

%PIX-4-713903: IP =, Header invalid, missing SA payload! (next payload = 4)

%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between and (user= has been deleted.

%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between and (user= has been deleted.

%PIX-3-713902: Group =, IP =, Removing peer from peer table failed, no match!

%PIX-4-713903: Group =, IP =, Error: Unable to remove PeerTblEntry

openswan log on rekeying:

openswan config:

Any hints or help welcome :)

Thank you!

Best regards,



Re: PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authe

This error message means that the ISAKMP lifetime on both the PIX and the remote site (VPN) does not match. Therefore, you need to check this ISAKMP lifetime on both the PIX and the remote VPN device to make sure that they match.