Core issue
This symptom occurs when authentication for the Internet Key Exchange (IKE) is configured as Rivest, Shamir, and Adleman (RSA) encryption (authentication rsa-encr).
What is RSA?
RSA is an Internet encryption and authentication system based on an algorithm developed by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. It is the most commonly used encryption and authentication algorithm and is integrated into the web browsers from Microsoft and Netscape.
Resolution
The IKE negotiation fails if RSA encryption is used as the authentication mechanism. The output of the debug crypto ipsec and debug crypto isakmp commands displays these errors:
- Unable to get router cert or router does not have a cert: needed to find DN!
- %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 4001) unable to encrypt (w/peers RSA public key) packet
This problem occurs when the ISAKMP authentication mechanism is configured with the rsa-encr keyword, and that policy is used for negotiation with the peer.
For example:
crypto isakmp policy 1
encr 3des
authentication rsa-encr
lifetime 3600
Do not continue to troubleshoot certificate-related issues if one of these Cisco IOS Software releases is running:
- 12.4(5)
- 12.3(11)T08
- 12.4(4.7)PI03c
- 12.4(4.7)T
Note: IKE authentication with rsa-encr never works in these releases. For more affected releases and details, refer to Cisco bug ID CSCsb77885.
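As an added check, not part of the original note, the script below finds ISAKMP policies that use rsa-encr in a saved running-config, compares the release string from show version against the releases listed above, and recognises the two debug messages. The sample config, version line and debug line are constructed, and the release set contains only the releases this note names.

```python
import re
# Cisco IOS releases the note lists as never working (see Cisco bug ID CSCsb77885).
AFFECTED_RELEASES = {"12.4(5)", "12.3(11)T08", "12.4(4.7)PI03c", "12.4(4.7)T"}
# The two debug messages the note associates with the failure.
FAILURE_PATTERNS = [
    re.compile(r"router does not have a cert: needed to find DN!"),
    re.compile(r"%CRYPTO-6-IKMP_CRYPT_FAILURE: .*unable to encrypt \(w/peers RSA public key\)"),
]
SUBCOMMANDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}

def isakmp_policies(config: str) -> dict:
    """Parse 'crypto isakmp policy N' blocks into {N: {subcommand: value}}."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"^crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = {}
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in SUBCOMMANDS:
            policies[current][key] = value
        else:
            current = None  # any other line ends the policy block
    return policies

def rsa_encr_policies(config: str) -> list:
    """Policy numbers whose authentication is rsa-encr, the mechanism that fails."""
    return sorted(n for n, p in isakmp_policies(config).items()
                  if p.get("authentication") == "rsa-encr")

def release_is_affected(show_version: str) -> bool:
    """True when the 'Version ...' token from 'show version' is a listed release."""
    m = re.search(r"Version ([^,\s]+)", show_version)
    return bool(m) and m.group(1) in AFFECTED_RELEASES

def debug_shows_failure(debug_output: str) -> bool:
    return any(p.search(line) for line in debug_output.splitlines() for p in FAILURE_PATTERNS)

# Constructed sample input, not output from a real device.
SAMPLE_CONFIG = """crypto isakmp policy 1
 encr 3des
 authentication rsa-encr
 lifetime 3600
crypto isakmp policy 10
 authentication pre-share
"""
SAMPLE_VERSION = "Cisco IOS Software, <platform> (<image>), Version 12.4(5), RELEASE SOFTWARE"
SAMPLE_DEBUG = "%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 4001) unable to encrypt (w/peers RSA public key) packet"
```

A policy reported by rsa_encr_policies on an affected release explains the failure on its own; other policies on the same device are not implicated.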