Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Problems with new VPN setup with rsa-sig

Greetings,

I am setting up my first vpn with digital certificates on a Ive got a Cisco ISR 2851 IOS 12.4(3d). I got the shared-key to work. I have successfully imported with cut and paste from SDM the CA's key and the Router's key and the import went without error. When I test the connection I get this error. I thought when digital certificates were used, a preshared key was not needed?

Also, I found a links with an SDM example configuration with "cut n paste" in another post, but its a dead one. anyone know where I can get to it now?

5. Cut-n-Paste Style Certificate Enrollment to a Cisco IOS CA Configuration Example

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008021568b.shtml

Test Activity Summary

Activity Status

Checking interface status... Successful

Checking the configuration... Failed

Test Activity Details

Activity Status

Checking interface status... Successful

Interface :ATM1/0.101

Interface physical status :Up

Line protocol status :Up

Checking the configuration... Failed

Checking IPSec

Dynamic IPSec policy name : SDM_DYNMAP_1

Mode configuration : Configured

User authentication Configured

IPSec configuration status : Valid

Checking IKE

IKE Policies : Configured

Policies with RSA signature authentication method : Configured

Digital certificate(s) : Not configured

IKE configuration status : Invalid

Checking AAA

AAA status : Enabled

AAA authorization : Configured

AAA authentication : Configured

Checking Local Group Policies

Global address pool : Not configured

Group Name : group1

Key : Not configured

Local address Pool : Configured

Troubleshooting Results Failure Reason(s) Recommended Action(s)

There are IKE policies configured with RSA signature authentication method but there is no digital certificate configured on this router. If the other end VPN device is configured with a digital certificate then this router must be configured with a valid digital certificate. To configure a digital certificate go to 'Configure->VPN->VPN Components->Public Key Infrastructure->Certificate Wizards'.

Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key.

3 REPLIES
New Member

Re: Problems with new VPN setup with rsa-sig

Update...

in relation to:

"Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key.

"

Perhaps I have some confusion about the preshared-key in the group policy. As I read the docs, the pre-shared key is not required for digital certificates. My group1 policy is not checked for preshared. Do I still need to set a preshared key even with rsa-sig?

New Member

Re: Problems with new VPN setup with rsa-sig

in relation to:

"Digital certificate(s) : Not configured "

There are digital certs on the router...is there some place to point IKE to one of these?

New Member

Re: Problems with new VPN setup with rsa-sig

I got it, I thought the router key was imported, started over and got it to go!

1106
Views
0
Helpful
3
Replies
CreatePlease to create content