Cisco Support Community

PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication

Dear all,

A customer uses openswan 2.4.6-k261805-netkey to establish a site-to-site VPN to our Cisco PIX running OS 8.0(3). Certificates are used to authenticate the connection.

Unfortunately we have some trouble when the connection needs to be rekeyed. It seems the PIX sends the FQDN upon the first connection attempt and the DN when rekeying (the openswan log file shows this).

On the PIX we configured properly "isakmp identity auto" which means (according to doc) it should use the FQDN/IP-Address for pre-shared-key authentication and the cert DN for certificate based authentication.

I think there might be a bug in IOS... maybe somebody else can confirm this issue or can give me a hint how to resolve it.

More information:

Cisco log on rekeying:

%PIX-5-713041: IP =, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)

%PIX-5-713201: IP =, Duplicate Phase 1 packet detected. Retransmitting last packet.

%PIX-6-713905: IP =, P1 Retransmit msg dispatched to MM FSM

%PIX-4-713903: IP =, Header invalid, missing SA payload! (next payload = 4)

%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between and (user= has been deleted.

%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between and (user= has been deleted.

%PIX-3-713902: Group =, IP =, Removing peer from peer table failed, no match!

%PIX-4-713903: Group =, IP =, Error: Unable to remove PeerTblEntry

openswan log on rekeying:

openswan config:

Any hints or help welcome :)

Thank you!

Best regards,

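An added example, not from the original post or from Cisco: a small Python script that scans PIX syslog lines for the pattern quoted above, a Phase 1 rekey (713041) followed by a "Header invalid, missing SA payload" error (713903) or a LAN-to-LAN SA teardown (602304) for the same peer, so a failing rekey can be alerted on before the tunnel is noticed as down. The forum export stripped the addresses from the quoted lines, so the sample log below is constructed with documentation-range IPs; treating the second address in "between A and B" as the remote peer is an assumption.

```python
import re

# Message shapes follow the PIX lines quoted in the post; addresses are constructed.
IKE_RE = re.compile(
    r"%PIX-\d-(?P<id>\d{6}): (?:Group =\s*(?P<group>[^,]*),\s*)?IP =\s*(?P<ip>[^,]*),\s*(?P<msg>.*)"
)
SA_RE = re.compile(
    r"%PIX-\d-602304: IPSEC: An (?P<dir>inbound|outbound) LAN-to-LAN SA "
    r"\(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between (?P<local>\S+) and (?P<remote>\S+)"
)

REKEY_START = "713041"     # IKE Initiator: Rekeying Phase 1
HEADER_INVALID = "713903"  # Header invalid ... / Unable to remove PeerTblEntry


def parse_event(line):
    """Normalise one syslog line to (peer_ip, kind, detail), or None if unrelated."""
    m = SA_RE.search(line)
    if m:
        # Assumption: the second address in "between A and B" is the remote peer.
        return m.group("remote"), "sa_deleted", f"{m.group('dir')} SPI {m.group('spi')}"
    m = IKE_RE.search(line)
    if not m:
        return None
    ip = m.group("ip").strip()
    if m.group("id") == REKEY_START:
        return ip, "rekey_start", m.group("msg")
    if m.group("id") == HEADER_INVALID and "missing SA payload" in m.group("msg"):
        return ip, "header_invalid", m.group("msg")
    return ip, "other", m.group("msg")


def find_failed_rekeys(lines):
    """Map peer IP -> failure details for rekeys followed by a malformed-header
    error or a LAN-to-LAN SA deletion before that peer's next rekey attempt."""
    windows = {}  # peer -> reasons seen since its last 713041
    failed = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, kind, detail = ev
        if kind == "rekey_start":
            if windows.get(ip):
                failed.setdefault(ip, []).extend(windows[ip])
            windows[ip] = []  # open a fresh window for this rekey
        elif kind in ("header_invalid", "sa_deleted") and ip in windows:
            windows[ip].append(f"{kind}: {detail}")
    for ip, reasons in windows.items():  # flush windows still open at EOF
        if reasons:
            failed.setdefault(ip, []).extend(reasons)
    return failed


# Constructed sample: peer 192.0.2.10 fails its rekey, peer 203.0.113.5 rekeys cleanly.
SAMPLE_LOG = [
    "%PIX-5-713041: IP = 192.0.2.10, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 192.0.2.10 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)",
    "%PIX-5-713201: IP = 192.0.2.10, Duplicate Phase 1 packet detected. Retransmitting last packet.",
    "%PIX-6-713905: IP = 192.0.2.10, P1 Retransmit msg dispatched to MM FSM",
    "%PIX-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)",
    "%PIX-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x73C9CD6D) between 198.51.100.1 and 192.0.2.10 (user= 192.0.2.10) has been deleted.",
    "%PIX-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x8B98E224) between 198.51.100.1 and 192.0.2.10 (user= 192.0.2.10) has been deleted.",
    "%PIX-3-713902: Group = 192.0.2.10, IP = 192.0.2.10, Removing peer from peer table failed, no match!",
    "%PIX-4-713903: Group = 192.0.2.10, IP = 192.0.2.10, Error: Unable to remove PeerTblEntry",
    "%PIX-5-713041: IP = 203.0.113.5, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 203.0.113.5 local Proxy Address N/A, remote Proxy Address N/A, Crypto map (N/A)",
]

if __name__ == "__main__":
    for peer, reasons in find_failed_rekeys(SAMPLE_LOG).items():
        print(f"rekey failure for peer {peer}:")
        for r in reasons:
            print(f"  {r}")
```

Feed it the output of the PIX syslog export (one line per message) and it reports only peers whose rekey window contained an error, which is the case to correlate with the identity change the openswan side logs.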
Re: PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication

To use the FQDN during rekeying you will have to modify the identity using the line crypto isakmp identity address.


Re: PIX 8.0(3) <-> openswan 2.4.6 rekey issue with cert authentication

"crypto isakmp identity address" is a global command which applies to every other site-to-site connection, even those that require the cert DN.

I would prefer to be able to choose the authentication method per vpn connection.
