Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Router to PC VPN with device authen only via RSA Sig

Problem establishing a vpn between a cisco router and a PC based Cisco VPN Client

using version 4.6 (had problems with 4.8 & 5.0). Only trying to accomplish

device authenication with digital certificates without any interest in user

authenication/authorization, so I've eliminated the Xauth from IKE and login

stuff from the client config.

I've got to take about half a dozen users into production asap...

I am thinking the access list may be the problem since the pc client is

expecting to have encrypted communications, but the cisco router is

still doing all it's checks and balances with IKE/ISAKMP to finish device

authenication with one certificate on each. Error message seem straight

forward, but I'm new to the vpn config's and have tested pki for

about 6 months wo/ going into production. Attached are logs with recommended

debug turned on for crypto ike/ipsec/pki/etc.


Re: Router to PC VPN with device authen only via RSA Sig

From the problem description, it sounds to me that you can in fact install the Cisco VPN client on the PC running the software, and use this to conect to a VPN end-point to carry the information. For more information on VPN configuration please click following url:

New Member

Re: Router to PC VPN with device authen only via RSA Sig

Thank you for your response!

After further investigation, I'm more concerned about Cisco's IOS 12.4 "Certificate Server" being able to consistently build certificates. Do I need to depend upon a certain Test release like 12.4T because 12.4 isn't ready ....? It's in the 12.4 documentation as though it's ready and I couldn't find any comments in the caveats...

I have tried to build a "request for a certificate" with both with the Cisco VPN Client 4.8/5.0, and Mozilla's add-on to firefox called Key Manager, but both failed.

Just loading base64 instream directly into the IOS crypto cmd to enroll via the terminal fails regularly, besides trying to use SCEP (Cisco's simple certificate enrollment protocol).

I don't care how it gets done, because I like Cisco's architecture so much, but it's got to be reliable.

I don't mind getting involved with Cisco's testing and I believe I can replicate the errors.

Attached is an error of the IOS 12.4 failing...

CreatePlease to create content