Cisco Support Community
Community Member

Site-to-Site VPN with MS CA


I am trying to configure a site-to-site VPN tunnel between a PIX and a 2811 router. The authentication is through MS CA, where both the PIX and the router have already got their certificates.

However, the vpn tunnel is not establishing and I get the following debug error on the PIX FW:

May 01 14:27:43 [IKEv1]: Error: Unable to remove PeerTblEntry

May 01 14:27:45 [IKEv1]: Removing peer from peer table failed, no match!

Please find attached both my PIX and router configs.

Any idea on what the problem could be related to?

R/ Haitham

Community Member

Re: Site-to-Site VPN with MS CA

It seems to me that you have not specified that it is a site to site VPN, the tunnel group that you have specifies only remote access. It also does not seem there is a problem with the certificates based on the error.

Try adding the following:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

**Also, the isakmp policy on the router has no encryption whereas the PIX has des; that could also cause a problem.**

Community Member

Re: Site-to-Site VPN with MS CA


Thanks for your reply... I applied what you suggested but I am still having the same problem.

Please find attached the debug output as well as the updated PIX & Router configs.

R/ Haitham

Community Member

Re: Site-to-Site VPN with MS CA

Your phase 1 attributes still don't match.

The router has:

crypto isakmp policy 20
encr 3des
hash md5
group 2

The PIX has:

crypto isakmp policy 10
authentication rsa-sig
encryption des
hash md5
group 5
lifetime 86400

Don't worry about the lifetime (86400) and the authentication (rsa-sig) on the router; that is the default. The encryption and the DH group have to be the same on both devices, so you need to go with group 2 or 5 on both and des or 3des on both. It doesn't seem to be getting past phase 1, but if you fix this it should.
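The phase 1 matching rule from this answer, as an added example that is not from the thread or from Cisco: a small Python checker that parses the two quoted isakmp policy blocks, fills in the classic IOS/PIX defaults (des, sha, rsa-sig, group 1, 86400; an assumption made here) for anything a block leaves unset, and reports which attributes keep the peers from agreeing. Lifetime is left out of the comparison on purpose, since it is negotiated rather than required to be equal.

```python
import re

# Classic IOS/PIX IKEv1 policy defaults (assumed here); unset attributes fall back to these.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Attributes that must agree for phase 1; lifetime is negotiated, not matched.
MUST_MATCH = ("encryption", "hash", "authentication", "group")

# Constructed from the two snippets quoted in the answer above.
PIX_POLICY = """crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash md5
 group 5
 lifetime 86400
"""
ROUTER_POLICY = """crypto isakmp policy 20
 encr 3des
 hash md5
 group 2
"""

def parse_policies(config: str) -> dict:
    """Return {priority: attributes} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
        elif line and current is not None:
            key, _, value = line.partition(" ")
            key = "encryption" if key == "encr" else key  # IOS abbreviates it
            if key in DEFAULTS:
                current[key] = value.strip()
            else:
                current = None  # any other line ends the policy block
    return policies

def find_mismatches(local_cfg: str, peer_cfg: str) -> list:
    """Describe why each local/peer pair fails; an empty list means a pair agrees."""
    local, peer = parse_policies(local_cfg), parse_policies(peer_cfg)
    report = []
    for lp, la in sorted(local.items()):
        for pp, pa in sorted(peer.items()):
            diffs = [f"{k}: {la[k]} vs {pa[k]}" for k in MUST_MATCH if la[k] != pa[k]]
            if not diffs:
                return []  # one compatible pair is all phase 1 needs
            report.append(f"policy {lp} vs peer policy {pp}: " + ", ".join(diffs))
    return report
```

Running `find_mismatches(PIX_POLICY, ROUTER_POLICY)` on the thread's snippets flags exactly the two attributes the answer points at, encryption and DH group.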
