Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Certificate-based VPNs with pre-calculated keys and certs


I am trying to set up a VPN from a Cisco 877 to an OpenSWAN. I have it working woth pre-shared keys, but would like to change over to using certificates instead.

My "CA" is openssl, and is *not* accessible via the network from the Cisco

box. However, I do have all the details it should require - an encrypted key

file, a password for that key, a certificate file for that key, and a file

containing the CA self-signed certificate.

The far end also has a working certificate based VPN with another device - so

I know that's right.

I am having difficulty setting up the Cisco. I *think* I am betting most of

the way there, with the following (starting from a working pre-shared-key VPN):

crypto key import rsa mykey pem terminal password

... paste key PEM ...


... paste cert for that key PEM ...


crypto pki trustpoint myca

subject C=GB, O=MyCompany, L=Here, OU=Unit, CN=Certificate Authority

revocation-check none


crypti oki certificate chain myca

certificate ca (serial from cert)

... paste the output of openssl x509 -in cacert.pem ...

... from the XXX_certificate section ...

... removing comma's and "0x" ...



crypto key pubchain esa

named-key myca encryption


... paste the output of openssl x509 -in cacert.pem ...

... from the XXX_public_key section ...

... removing comma's and "0x" ...




crypto isakmp policy 1

authentication rsa-sig


no crypto isakmp key (PSK) address

crypto isakmp identity dn


I use "debug crypto isakmp" and force the VPN up. I get a few interesting


*May 22 09:49:55.926: ISAKMP:(2006):Unable to get router cert or routerdoes not have a cert: needed to find DN!

*May 22 09:49:55.926: ISAKMP(0:2006): Unable to get our DN from cert, using my FQDN as identity

*May 22 09:49:55.930: ISAKMP (0:2006): no cert chain to send to peer

*May 22 09:49:55.930: ISAKMP (0:2006): peer did not specify issuer and no suitable profile found

What am I missing?


Re: Certificate-based VPNs with pre-calculated keys and certs

The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs).Two types of VPNs are supported-site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

Refer the following url for more info on configuring vpn on cisco 877:

New Member

Re: Certificate-based VPNs with pre-calculated keys and certs

Thank-you for your response, however that example, like almost all the others I have found, uses pre-share authentication. I can have a working VPN with pre-share security.

However, I will have far too many remote points for pre-share to be viable, so I am trying to get certificated VPNs working.

I have made some progress since the last email - I needed to define a trustpoint with "enrollment terminal pem" to get manual installation of certificates.

But, it still doesn't quite work - I am obviously missing the step which informs the 877 to *use* the cert/key pair I have added for that trustpoint to talk to a particular VPN.