Site-to-Site VPN with Router as CA
in [Cisco]
|
From: Martin Jendritza on 17 Jun 2010 04:45 I'm trying to set up a Site-to-Site VPN between to Cisco Routers with one of them (a 1812) acting as Certification Authority. The Certifcate Enrollment seems to work so far, but when I configure the Virtual Tunnel Interfaces I get the following error message: "%CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.10.66.69 is missing" Why should there be a Pre-shared key be missing as I have configured rsa-sig as Authentificationmethod In addition debugging on the CA-Router delivers this message: "CRYPTO_PKI: Found a issuer match %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.10.66.23 is bad: CA request failed" show crypto session leads to this result: Interface: Tunnel1 Session status: DOWN-NEGOTIATING Peer: 10.10.66.23 port 500 IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Active SAs: 0, origin: crypto map Here are the relevant parts of the Configurations CA-Router: crypto pki server Cisco1800 issuer-name CN = test.de lifetime certificate 6 crypto pki trustpoint Cisco1800 revocation-check crl rsakeypair Cisco1800 ip domain name test.de crypto isakmp policy 5 encr aes 256 group 2 lifetime 28800 crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac ! crypto ipsec profile VPNprof set transform-set VPN interface Tunnel1 ip address 192.168.2.2 255.255.255.0 tunnel source FastEthernet1 tunnel destination 10.10.66.23 tunnel mode ipsec ipv4 tunnel protection ipsec profile VPNprof Remote-Router: crypto pki trustpoint Cisco1800 enrollment url http://Cisco1800:80 revocation-check crl crypto isakmp policy 1 encr aes 256 group 2 lifetime 28800 crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac ! crypto ipsec profile VPNprof set transform-set VPN interface Tunnel1 ip address 192.168.1.1 255.255.255.0 tunnel source 10.10.66.23 tunnel mode ipsec ipv4 tunnel destination 10.10.66.69 tunnel protection ipsec profile VPNprof sh crypto pki certificate on CA-Router: CA Certificate Status: Available Certificate Serial Number: 0x1 Certificate Usage: Signature Issuer: cn=test.de Subject: cn=test.de Validity Date: start date: 11:14:52 CET Jun 15 2010 end date: 11:14:52 CET Jun 14 2013 Associated Trustpoints: Cisco1800 sh crypto pki certificate on remote-router Certificate Status: Available Certificate Serial Number (hex): 03 Certificate Usage: General Purpose Issuer: cn=test.de Subject: Name: RTRA.test.de hostname=RTRA.test.de Validity Date: start date: 13:52:41 CET Jun 15 2010 end date: 13:52:41 CET Jun 21 2010 Associated Trustpoints: Cisco1800 CA Certificate Status: Available Certificate Serial Number (hex): 01 Certificate Usage: Signature Issuer: cn=test.de Subject: cn=test.de Validity Date: start date: 11:14:52 CET Jun 15 2010 end date: 11:14:52 CET Jun 14 2013 Associated Trustpoints: Cisco1800
|
Pages: 1 Prev: Connect 857 ADSL router to Metro Ethernet network Next: VLAN Questions |