Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4505
Views
0
Helpful
0
Comments

RSA encryption does not work for IKE authentication on routers, and the router displays the %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 4001) unable to encrypt (w/peers RSA public key) packet error message

TCC_2
Level 10
Level 10

on ‎06-22-2009 04:14 PM

Core issue

This symptom occurs when authentication for the Internet Key Exchange (IKE) is configured as Rivest, Shamir, and Adelman (RSA) encryption (authentication rsa-encr).

What is RSA?

RSA can be defined as an Internet encryption and authentication system which uses an algorithm which was developed by Ron Rivest, Adi Shamir, and Leonard Adleman in 1977. It is the most commonly used encryption and authentication algorithm and is intigrated with the Web browsers from Microsoft and Netscape.

Resolution

The IKE negotiation fails if RSA encryption is used as the authentication mechanism. The output of the debug crypto ipsec and debug crypto isakmp commands displays these errors:

  • Unable to get router cert or router does not have a cert: needed to find DN!

  • %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 4001) unable to encrypt (w/peers RSA public key) packet

This problem occurs when the ISAKMP authentication mechanism is configured using the rsa-encry keyword, and that policy is used for negotiation with the peer.

For example:

crypto isakmp policy 1
encr 3des
authentication rsa-encr
lifetime 3600

Do not continue to troubleshoot for certificate-related issues if one of these Cisco IOS Software releases is run:

  • 12.4(5)

  • 12.3(11)T08

  • 12.4(4.7)PI03c

  • 12.4(4.7)T

Note: These Cisco IOS Software releases never work. For more affected releases and details, refer to Cisco bug ID CSCsb77885.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents