10-26-2014 08:26 PM - edited 02-21-2020 07:54 PM
I am currently studying for CCNA Security, and I would like to be able to configure a Site-to-Site VPN with RSA-sig with a Windows Server 2012 acting as AD and CA. I have already enabled SCEP on Windows Server 2012 and disabled the enrollment challenge password.
For two days, I have been completely stuck on an MM_KEY_EXCH error.
Here is my lab:
http://i59.tinypic.com/2502h76.png
I have 3 3600 routers, IOS 12.4(16) - C3640-JK9S-M.
On the left is my Active Directory/CA with a static NAT from 192.168.2.254 to 1.1.1.3, so it can be reached from outside by R2.
On the right, just an outside client.
I am trying to authenticate R1 and R2 with RSA-sig from my AD/CA.
I have already tried NAT-T...
The clock on both routers is matching the clock of AD/CA.
Some configuration:
R1 (1.1.1.2)
ip domain name cisco.ca
!
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://192.168.2.254:80/certsrv/mscep/mscep.dll
fqdn R1.cisco.ca
subject-name cn=R1.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 2.2.2.2
set transform-set SET
set pfs group2
match address VPN
R1#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001B0C9BE947CCC8FB2B00000000001B
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R1.cisco.ca
cn=R1.cisco.ca
hostname=R1.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:15:11 UTC Oct 26 2014
end date: 21:15:11 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
R2 (2.2.2.2)
ip domain name cisco.ca
!
crypto pki trustpoint cisco-WIN-2EV0KQDK78U-CA
enrollment mode ra
enrollment url http://1.1.1.3:80/certsrv/mscep/mscep.dll
fqdn R2.cisco.ca
subject-name cn=R2.cisco.ca
revocation-check none
crypto isakmp policy 1
encr aes 256
hash md5
group 5
lifetime 3600
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 1 ipsec-isakmp
set peer 1.1.1.2
set transform-set SET
set pfs group2
match address VPN
R2#sh crypto pki certificates
Certificate
Status: Available
Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
Certificate Usage: General Purpose
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
Name: R2.cisco.ca
cn=R2.cisco.ca
hostname=R2.cisco.ca
CRL Distribution Points:
ldap:///CN=cisco-WIN-2EV0KQDK78U-CA-2,CN=WIN-2EV0KQDK78U,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN= Configuration,DC=cisco,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 21:18:03 UTC Oct 26 2014
end date: 21:18:03 UTC Oct 25 2016
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
CA Certificate
Status: Available
Certificate Serial Number: 69B4A894E00EC58A47DA9812076DEF2D
Certificate Usage: Signature
Issuer:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Subject:
cn=cisco-WIN-2EV0KQDK78U-CA-2
dc=cisco
dc=ca
Validity Date:
start date: 00:27:45 UTC Oct 26 2014
end date: 00:37:45 UTC Oct 26 2019
Associated Trustpoints: cisco-WIN-2EV0KQDK78U-CA
Here are some errors that I get:
Oct 26 18:29:50.219: ISAKMP:(0:2:SW:1): processing CERT payload. message ID = 0
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): processing a CT_X509_SIGNATURE cert
Oct 26 18:29:50.223: ISAKMP:(0:2:SW:1): peer's pubkey isn't cached
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Unable to get DN from certificate!
Oct 26 18:29:50.255: ISAKMP:(0:2:SW:1): Cert presented by peer contains no OU field.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1): processing SIG payload. message ID = 0
Oct 26 18:29:50.271: ISAKMP (134217730): sa->peer.name = , sa->peer_id.id.id_fqdn.fqdn = R2.cisco.ca
Oct 26 18:29:50.271: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP (0:134217730): process_rsa_sig: Querying key pair failed.
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 26 18:29:50.271: ISAKMP:(0:2:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
.....
Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) is not yet valid Validity period starts on 21:18:03 UTC Oct 26 2014
Output of show crypto isakmp sa:
R1#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 2.2.2.2 MM_KEY_EXCH 42 0 ACTIVE
1.1.1.2 2.2.2.2 MM_KEY_EXCH 41 0 ACTIVE
1.1.1.2 2.2.2.2 MM_NO_STATE 40 0 ACTIVE (deleted)
1.1.1.2 2.2.2.2 MM_NO_STATE 39 0 ACTIVE (deleted)
I would appreciate it if someone could help me with this.
Thanks
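The %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID line in the post is a clock-versus-validity question. As an added example (not from the original post), the Python below parses the `show crypto pki certificates` output and that syslog line, then reports how many seconds the router clock sat before the certificate's notBefore and whether the subject carries an OU (the ISAKMP debug also noted the peer cert has none). It assumes the router stamps its log in UTC and that the log year is 2014, since IOS omits the year.

```python
import re
from datetime import datetime, timezone
# Constructed sample (values copied from the post): R2's cert as printed by
# `show crypto pki certificates`, and the %PKI-3 syslog line it triggered.
SHOW_CERT = """\
Certificate
  Certificate Serial Number: 640000001CDFE423EBA20E45EE00000000001C
  Subject:
    cn=R2.cisco.ca
    hostname=R2.cisco.ca
  Validity Date:
    start date: 21:18:03 UTC Oct 26 2014
    end   date: 21:18:03 UTC Oct 25 2016
"""
SYSLOG = ("Oct 26 18:35:22.175: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate "
          "chain validation has failed. The certificate (SN: 640000001CDFE423EBA20E45EE00000000001C) "
          "is not yet valid Validity period starts on 21:18:03 UTC Oct 26 2014")
IOS_DATE = "%H:%M:%S UTC %b %d %Y"   # format IOS uses for validity dates

def parse_certs(show_output):
    """Map serial -> {'subject': {attr: value}, 'start': dt, 'end': dt}."""
    certs, cur, in_subject = {}, None, False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Serial Number:"):
            cur = certs.setdefault(line.split(":", 1)[1].strip(), {"subject": {}})
        elif line == "Subject:":
            in_subject = True
        elif line.endswith(":"):            # any other section header ends Subject
            in_subject = False
        elif in_subject and "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur["subject"][key.strip().lower()] = val.strip()
        else:
            m = re.match(r"(start|end)\s+date:\s*(.+)", line)
            if m and cur is not None:
                cur[m.group(1)] = datetime.strptime(m.group(2), IOS_DATE).replace(tzinfo=timezone.utc)
    return certs

def explain_not_yet_valid(show_output, syslog_line, log_year=2014):
    """Name the failing cert, the seconds the router clock sat before its notBefore, and OU presence."""
    m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: "
                 r".*\(SN: (\w+)\)", syslog_line)
    if not m:
        return None
    # Assumption: the router stamps logs in UTC; IOS omits the year, so it is passed in.
    seen = datetime.strptime(f"{m.group(1)} {log_year}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    cert = parse_certs(show_output)[m.group(2)]
    return {"serial": m.group(2), "cn": cert["subject"].get("cn"), "has_ou": "ou" in cert["subject"],
            "clock_behind_notbefore_s": int((cert["start"] - seen).total_seconds())}
```

A positive clock_behind_notbefore_s is the gap between the moment the router evaluated the cert and the cert's start time; for the posted values it comes out to 9761 seconds, roughly 2 h 43 min.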