
Dynamic to Static S-2-S VPN RSA Signature for authentication no PKI

Hi all,

I'm trying to set up a dynamic to static s-2-s VPN with RSA signatures for authentication.

The problem I come across is on the static IP site: when I provide the following configuration, the tunnel fails to establish phase 1.

crypto keyring KEYRING100
 rsa-pubkey name FQDN-OF-REMOTE-SITE
  key-string
   <RSA Sign remote end>
  quit

Error message

(0):Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP:(0):RSA signature authentication offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0

When I change the configuration to the following

crypto keyring KEYRING100
 rsa-pubkey name FQDN-OF-REMOTE-SITE
  address <DYNAMIC-SITE-Address>
  key-string
   <RSA Sign remote end>
  quit

The tunnel completes phase 1 and phase 2 with no problems.

I'm using version 15 and I'm sure this configuration worked on version 12. Is there a behavior change? Have I missed anything?

Regards,

Sotiris
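
A small triage helper for debug output like the excerpt in the post, added here as an example and not part of the original post: it groups each transform-versus-policy comparison and reports the offered authentication method together with the rejection reason. The field names and the "atts are acceptable" success wording are assumptions, as they do not appear on the page.

```python
import re

# Debug lines copied from the post above, used here as sample input.
SAMPLE = """\
(0):Checking ISAKMP transform 1 against priority 40 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 1000
ISAKMP:(0):RSA signature authentication offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(.+)$")         # indented attribute lines
STATUS = re.compile(r"^ISAKMP:\(\d+\):(.+)$")  # per-SA status lines
# Attribute prefixes as they appear in the output above -> field names (ours).
FIELDS = {"encryption": "encryption", "hash": "hash", "default group": "dh_group",
          "auth": "auth", "life type in": "life_type",
          "life duration (basic) of": "life_duration"}

def parse_checks(text):
    """Return one record per transform-versus-policy comparison."""
    checks, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]),
                   "offered": {}, "status": [], "accepted": None}
            checks.append(cur)
        elif cur is None:
            continue
        elif (m := ATTR.match(line)):
            for prefix, name in FIELDS.items():
                if m[1].startswith(prefix + " "):
                    cur["offered"][name] = m[1][len(prefix):].strip()
        elif (m := STATUS.match(line)):
            cur["status"].append(m[1].strip())
            if "atts are not acceptable" in m[1]:
                cur["accepted"] = False
            elif "atts are acceptable" in m[1]:  # assumed wording, not on the page
                cur["accepted"] = True
    return checks

def rejections(checks):
    """(transform, priority, offered auth, reasons) for each rejected comparison."""
    return [(c["transform"], c["priority"], c["offered"].get("auth"),
             [s for s in c["status"] if "atts are" not in s])
            for c in checks if c["accepted"] is False]
```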
