11-18-2008 04:26 PM
I am having troubles with authenticating both peers with CA certificates.
The error message I get is:
%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed
The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:
Explanation: A public key or private key query attempt that used a subject name has failed.
Recommended Action: Check the subject name in the certificate.
I am not sure how to troubleshoot it then. On both routers the subject names are the names of the RSA public key.
Thanks for all your suggestions.
Remi
11-26-2008 12:11 PM
This error message also occurs if an ISAKMP policy is not defined.
11-26-2008 12:50 PM
Well, that's a good point, but both peers have a correct ISAKMP policy defined, using rsa-sig authentication, which is the default.
I am not sure if the CA must always be available to the peers, even when they authenticate each other. At the moment the CA is not available; it was only available when the certificates were enrolled and authenticated.
Thanks,
Remi
02-07-2018 07:10 AM
I know this is a very old post but just in case anyone else has the same issue - check the time on your routers. One of mine was out by about 30 minutes and as soon as I fixed the NTP settings the tunnel came up fine with no errors.
05-04-2019 08:30 PM
Hi Guys,
In case you're facing this issue, just make sure that in the configuration of the crypto isakmp key...
(config)# crypto isakmp key 0 cisco address NBMA-peer
or
(config)# crypto isakmp key 0 cisco address 0.0.0.0
you put the NBMA address of the other router and not the tunnel interface address, or you can also use 0.0.0.0 as the address, which means that the router is going to negotiate with any other router that has the same key... for security the first option is better, but they both work.....
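Pulling the replies together, here is an added IOS configuration fragment (not posted by anyone in the thread) showing the pieces the answers point at for the certificate-based case: a synchronised clock so certificate validity windows are evaluated correctly, an ISAKMP policy that actually exists and uses rsa-sig, and the show commands to confirm each on both peers. The NTP server address is a placeholder.

```cisco
! Added example, not from the thread. Addresses are placeholders.
!
! 1. Time: certificate validity is checked against the local clock, so a
!    30-minute skew between peers can break rsa-sig authentication.
clock timezone UTC 0
ntp server 192.0.2.10
!
! 2. ISAKMP policy: must be defined on both peers; rsa-sig is the default
!    authentication method, written explicitly here for clarity.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
 lifetime 86400
!
! 3. Verification, run on both routers before bringing the tunnel up:
!    show clock detail             - clocks of both peers within a few seconds
!    show ntp status               - "Clock is synchronized"
!    show crypto pki certificates  - router and CA certificates present,
!                                    subject name matching the RSA key name,
!                                    current time inside the validity window
!    show crypto isakmp policy     - the policy above is listed
!    show crypto isakmp sa         - state reaches QM_IDLE once IKE succeeds
```

If the pre-shared-key route from the last reply is used instead, the isakmp policy needs `authentication pre-share` and the `crypto isakmp key` address must be the peer's NBMA address, as that reply describes.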