site-to-site vpn with digital certificate

martin_lx1980
Level 1

Two 2811 routers get their certificates from a CA server (Windows 2003 Enterprise Server, 192.168.22.167). But when they try to set up an IPsec VPN tunnel, they cannot authenticate each other with digital certificates successfully. Attached are the router configurations and the debug information.

I cannot find the reason. What could I do next?

Thanks a lot

Martin

3 Replies

ajagadee
Cisco Employee

Martin,

According to the debugs, "phase 1 packet is a duplicate of a previous packet" means that the Caclient1 router is sending the same Phase 1 packet even though the Caclient2 router processed the first packet and sent a response.

1. Caclient1 router sends IKE packet #1 to initiate a tunnel.

2. Caclient2 router receives it, processes it, and sends a reply, which is IKE packet #2.

3. Caclient1 router never receives packet #2 and can't proceed with sending #3, so it resends packet #1.

4. Caclient2 router sees this as a duplicate first packet and resends packet #2.

Caclient2 router is sending a UDP 500 packet to Caclient1 but this packet is not getting to Caclient1.

Based on your IP addressing, Caclient1 and Caclient2 are on the same network, so there is no question of L3 firewalling blocking UDP 500. Are there any L2 firewalls, and are they filtering UDP 500?

Also, could you make sure there are no duplicate IP addresses in your network?

Also, remove the crypto map on both routers, clear the routes and ARP entries, and then try to bring up the tunnel again and see what happens.

Let me know if it helps.

Regards,

Arul
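The four-step retransmission pattern Arul describes can be checked mechanically against the debug output of both routers. The following is an added example (not code from the thread or from Cisco): it runs over constructed ISAKMP debug lines from an initiator and a responder, counts sends, retransmissions and duplicate-packet messages on each side, and reports which direction of the UDP 500 exchange is being lost. The line formats other than the quoted duplicate-packet message are assumed approximations of IOS debug output, and the router names and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Patterns approximating IOS "debug crypto isakmp" lines. The duplicate-packet
# message is the one quoted in the thread; the other formats are assumptions.
RE_SEND = re.compile(
    r"sending packet to (?P<peer>\S+) my_port \d+ peer_port \d+ \((?P<role>[IR])\) (?P<state>\w+)"
)
RE_RETRANS = re.compile(r"retransmitting phase 1 (?P<state>\w+)")
RE_DUP = re.compile(r"phase 1 packet is a duplicate of a previous packet")

# Constructed sample: initiator keeps resending packet #1 and never leaves MM_NO_STATE.
CACLIENT1_DEBUG = [
    "ISAKMP:(0): beginning Main Mode exchange",
    "ISAKMP:(0): sending packet to 192.168.22.2 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...",
    "ISAKMP:(0): sending packet to 192.168.22.2 my_port 500 peer_port 500 (I) MM_NO_STATE",
    "ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...",
    "ISAKMP:(0): sending packet to 192.168.22.2 my_port 500 peer_port 500 (I) MM_NO_STATE",
]

# Constructed sample: responder answers, then sees packet #1 again and again.
CACLIENT2_DEBUG = [
    "ISAKMP (0): received packet from 192.168.22.1 dport 500 sport 500 Global (N) NEW SA",
    "ISAKMP:(0): sending packet to 192.168.22.1 my_port 500 peer_port 500 (R) MM_SA_SETUP",
    "ISAKMP (0): received packet from 192.168.22.1 dport 500 sport 500 Global (R) MM_SA_SETUP",
    "ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.",
    "ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...",
    "ISAKMP:(0): sending packet to 192.168.22.1 my_port 500 peer_port 500 (R) MM_SA_SETUP",
    "ISAKMP (0): received packet from 192.168.22.1 dport 500 sport 500 Global (R) MM_SA_SETUP",
    "ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.",
    "ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...",
    "ISAKMP:(0): sending packet to 192.168.22.1 my_port 500 peer_port 500 (R) MM_SA_SETUP",
]


@dataclass
class PeerSummary:
    role: str = ""            # "I" (initiator) or "R" (responder) from the send lines
    sends: int = 0            # packets this router put on the wire
    retransmits: int = 0      # phase 1 retransmissions it logged
    duplicates_seen: int = 0  # inbound packets it classified as duplicates
    last_state: str = ""      # ISAKMP state at the last send/retransmit


def summarize(lines):
    """Count the phase 1 events in one router's debug output."""
    s = PeerSummary()
    for line in lines:
        m = RE_SEND.search(line)
        if m:
            s.sends += 1
            s.role = m["role"]
            s.last_state = m["state"]
            continue
        m = RE_RETRANS.search(line)
        if m:
            s.retransmits += 1
            s.last_state = m["state"]
            continue
        if RE_DUP.search(line):
            s.duplicates_seen += 1
    return s


def diagnose(initiator_lines, responder_lines):
    """Map the two summaries onto the lost-reply / lost-request cases."""
    i = summarize(initiator_lines)
    r = summarize(responder_lines)
    # Initiator never left MM_NO_STATE (never saw packet #2) while the responder
    # both answered and kept seeing duplicates of packet #1: replies are lost.
    if i.last_state == "MM_NO_STATE" and i.retransmits > 0 and r.sends > 0 and r.duplicates_seen > 0:
        return "responder replies (UDP 500) are not reaching the initiator"
    # Initiator retransmits but the responder logged nothing: packet #1 is lost.
    if i.retransmits > 0 and r.sends == 0 and r.duplicates_seen == 0:
        return "initiator packets (UDP 500) are not reaching the responder"
    if i.retransmits == 0:
        return "no phase 1 retransmission: look beyond IKE transport (policy, certificates, clocks)"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose(CACLIENT1_DEBUG, CACLIENT2_DEBUG))
```

The useful output is the direction: when the responder logs duplicates and keeps sending, the packet that is lost is the reply, which is why Arul's questions are about filtering between the two routers rather than about the initiator's configuration.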

Arul:

Thank you very much for your suggestion.

I am sure that no L3 or L2 firewall or filter exists, because the two routers are directly connected through a switch. I redid the entire process several times, but the same issue occurred. I get identical debug information from the two routers. It has almost driven me crazy.

I can see only the information below about the error:

vendor ID seems Unity/DPD but major 245 mismatch

But I cannot tell whether it is a critical issue or what causes it to be reported. Is there any necessary factor I should know?

I can see in your config that you use a pre-shared key. Was that for testing?

Also check the clock on both sides, or use NTP.

Rum
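Rum's clock suggestion matters because each router validates the peer's certificate against its own clock, and a router that has never been set (or is not synchronized) will reject a certificate that is not yet valid or already expired. The following is an added example, not code from the thread: it parses constructed `show clock` output from two routers, flags clocks that are not authoritative, checks each clock against the certificate's validity window, and reports skew between the peers. The router names, times and certificate dates are constructed, and the parser assumes the time zone is printed as UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# IOS "show clock" prefixes the time with '*' when the clock is not authoritative
# and '.' when it is authoritative but NTP is not synchronized (IOS behaviour,
# not something stated in the thread). Time zone is assumed to be UTC here.
RE_SHOW_CLOCK = re.compile(
    r"^(?P<flag>[*.]?)(?P<time>\d{2}:\d{2}:\d{2})\.\d+ (?P<tz>\S+) "
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4})$"
)

# Constructed sample: Caclient1 has the default unset clock, Caclient2 is synchronized.
PEER_CLOCKS = {
    "Caclient1": "*00:12:45.331 UTC Mon Mar 1 1993",
    "Caclient2": "14:02:10.007 UTC Tue Jun 10 2008",
}
# Constructed certificate validity window (one year).
CERT_NOT_BEFORE = datetime(2008, 6, 9, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2009, 6, 9, tzinfo=timezone.utc)


def parse_show_clock(text):
    """Return (datetime in UTC, flag) for one line of 'show clock' output."""
    m = RE_SHOW_CLOCK.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised show clock output: {text!r}")
    if m["tz"] != "UTC":
        raise ValueError("only UTC output is handled in this example")
    clock = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
    return clock.replace(tzinfo=timezone.utc), m["flag"]


def check_peer_clocks(not_before, not_after, peers, max_skew=timedelta(minutes=5)):
    """List clock-related reasons certificate authentication could fail."""
    findings = []
    parsed = {}
    for name, text in peers.items():
        clock, flag = parse_show_clock(text)
        parsed[name] = clock
        if flag == "*":
            findings.append(f"{name}: clock is not authoritative (no NTP, time never set)")
        elif flag == ".":
            findings.append(f"{name}: clock authoritative but NTP not synchronized")
        # Each side judges the peer's certificate by its own clock.
        if clock < not_before:
            findings.append(f"{name}: certificate not yet valid at {clock.isoformat()}")
        elif clock > not_after:
            findings.append(f"{name}: certificate expired at {clock.isoformat()}")
    names = list(parsed)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            skew = abs(parsed[a] - parsed[b])
            if skew > max_skew:
                findings.append(f"{a}/{b}: clock skew {skew} exceeds {max_skew}")
    return findings


if __name__ == "__main__":
    for f in check_peer_clocks(CERT_NOT_BEFORE, CERT_NOT_AFTER, PEER_CLOCKS):
        print(f)
```

On the constructed input the function reports that Caclient1's clock is not authoritative, that the certificate is not yet valid from Caclient1's point of view, and a skew of many years between the peers; with both routers on NTP all three findings disappear.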
