I am trying to build an IPSec tunnel between a 2821 and a 3845 router using VTI, certificate and IOS CA. It works fine using VTI with pre-shared key. However, I can't get it to work with certificate and IOS CA. The two routers are connected back to back. I am using the 3845 as an IOS CA. On the 2811, I can authenticate the IOS CA and obtain the CA certificate. Also, I can enroll it with the IOS CA and obtain a certificate. However, it fails during phase 1 of the IPSec. By debugging the 3845, I got:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 172.30.196.4 is bad: CA request failed!
*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer wants a CT_X509_SIGNATURE cert
*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): peer want cert issued by
*Mar 2 06:05:36.479: ISAKMP:(0:34:HW:2): issuer name is not a trusted root.
All the keys generated are 1024 bits. I have checked the date and time on both routers and they are correct.
Attached are the full debugs for both routers. Can anyone help? Thanks a lot.
The problem is now fixed. The problem is that even though a trustpoint pointing to the IOS CA itself is automatically created when configuring the IOS CA, it is still required to create another trustpoint with a different name but pointing to the same IOS CA. Then authenticate and enroll with the IOS CA as if the 3845 is another remote router.
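As an added illustration of the fix described above (this is not the poster's configuration; the trustpoint names, subject names and the CA address are assumed placeholders), the IOS CA router gets a second trustpoint that enrolls with its own CA over SCEP, so the router holds a router identity certificate chained to the CA and not just the CA's self-signed certificate:

```cisco
! --- On the 3845 (the IOS CA) ---
! SCEP enrollment runs over HTTP, so the HTTP server must be enabled.
ip http server
!
! The CA server. Configuring it auto-creates a trustpoint of the same
! name (MYCA) that holds only the CA's own self-signed certificate.
crypto pki server MYCA
 issuer-name CN=MYCA
 grant auto
 no shutdown
!
! Second trustpoint with a DIFFERENT name, pointing at the same CA.
! This is the one IKE will use as the 3845's identity.
! <3845-IP> is a placeholder for the CA router's own address.
crypto pki trustpoint MYCA-ID
 enrollment url http://<3845-IP>:80
 subject-name CN=3845-router
 revocation-check none
!
! Exec mode: fetch the CA certificate, then request a router certificate,
! exactly as a remote router would.
crypto pki authenticate MYCA-ID
crypto pki enroll MYCA-ID
!
! --- On the 2811/2821 (remote peer) ---
crypto pki trustpoint MYCA-REMOTE
 enrollment url http://<3845-IP>:80
 subject-name CN=2811-router
 revocation-check none
!
crypto pki authenticate MYCA-REMOTE
crypto pki enroll MYCA-REMOTE
!
! --- Both routers: IKE phase 1 using RSA signatures ---
crypto isakmp policy 10
 authentication rsa-sig
 hash sha
 group 2
```

Before bringing the tunnel up, `show crypto pki certificates` on each router should list both a "CA Certificate" and a "Certificate" (the router's own) under the enrolling trustpoint; if the 3845 shows only the CA certificate, IKE has no identity certificate to present and the "issuer name is not a trusted root" failure returns.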